WO2021233358A1 - 通信方法及装置 - Google Patents
通信方法及装置 Download PDFInfo
- Publication number
- WO2021233358A1 WO2021233358A1 PCT/CN2021/094751 CN2021094751W WO2021233358A1 WO 2021233358 A1 WO2021233358 A1 WO 2021233358A1 CN 2021094751 W CN2021094751 W CN 2021094751W WO 2021233358 A1 WO2021233358 A1 WO 2021233358A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- layer
- new key
- indication
- key
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/19—Connection re-establishment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/047—Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
- H04W12/0471—Key exchange
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/20—Manipulation of established connections
- H04W76/23—Manipulation of direct-mode connections
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/30—Connection release
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/14—Direct-mode setup
Definitions
- the embodiments of the present application relate to the field of communication technologies, and in particular, to communication methods and devices.
- V2X vehicle to everthing
- Telematics generally refer to information provided by the vehicle sensors in the car load, car terminal, etc., to achieve a vehicle to the vehicle (vehicle to vehicle, V2V), vehicle-to-infrastructure (vehicle to infrastructure, V2I), the vehicle network (vehicle to Network, V2N) and a communication network for mutual communication between vehicles to pedestrians (V2P).
- V2V vehicle to vehicle
- V2I vehicle-to-infrastructure
- V2N vehicle network
- V2P vehicle to Network
- the communication link for direct communication between a terminal and other terminals can be called a side link or a side link (sidelink, SL), and the SL interface can be called a PC5 port.
- the embodiments of the present application provide communication methods and devices to ensure correct communication between terminals.
- an embodiment of the present application provides a communication method, including: the first terminal performs integrity protection check on the received RRC message; when the integrity protection check fails, the RRC layer of the first terminal reports to the first terminal
- the application layer sends a first instruction and an identifier of the second terminal, where the first instruction and the identifier of the second terminal are used by the application layer to disconnect the unicast connection between the first terminal and the second terminal.
- the RRC layer of the first terminal can report the first indication and the identification of the second terminal to the application layer to trigger the application layer to disconnect Unicast connection between the first terminal and the second terminal.
- the reason for the failure to perform integrity protection verification on the received message is generally that the attacker has tampered with some information in the RRC message. Therefore, this method can ensure communication security by disconnecting the unicast connection between the two terminals. .
- the RRC layer of the first terminal disconnects the RRC connection between the first terminal and the second terminal; then the first indication is an RRC connection disconnection indication, which is used to indicate the The RRC connection between the first terminal and the second terminal has been disconnected.
- the RRC layer of the first terminal first disconnects the RRC connection between the first terminal and the second terminal, and reports the result of the disconnection to the application layer, thereby triggering the application layer to disconnect the first terminal from the second terminal.
- the unicast connection between the terminals helps to achieve correct communication between the first terminal and the second terminal.
- the first indication is an integrity protection check failure indication, which is used to indicate that the first terminal fails the integrity protection check of the received RRC message from the second terminal .
- the first terminal reports the failure of the integrity protection check to the application layer, thereby triggering the application layer to disconnect the unicast connection between the first terminal and the second terminal, which helps to realize the first terminal and the second terminal. Correct communication between the two terminals.
- the application layer of the first terminal updates the layer 2 identifier of the first terminal.
- the first terminal uses the new key to re-establish the unicast connection with the second terminal.
- the first terminal sends sidelink information to the network device, where the sidelink information includes a second indication and an identifier of the second terminal, and the second indication is used to indicate
- the unicast connection between the first terminal and the second terminal has a radio link failure, and the reason for the failure is that the integrity protection check of the received RRC message from the second terminal fails.
- the first terminal may report the second indication and the identification of the second terminal to the network device.
- the network device can troubleshoot the unicast connection failure between the first terminal and the second terminal based on the reported information. Ensure correct communication between the second terminal and the first terminal.
- an embodiment of the present application provides a communication method, including: a first terminal performs integrity protection verification on a received RRC message; when the integrity protection verification fails, the first terminal sends a message to the network device.
- Uplink information the side link information includes a second indication and an identifier of the second terminal, the second indication is used to indicate that the unicast connection between the first terminal and the second terminal has a radio link failure and the reason for the failure It is that the integrity protection check of the received RRC message from the second terminal fails.
- the first terminal may report the second indication and the identification of the second terminal to the network device.
- the network device can troubleshoot the unicast connection failure between the first terminal and the second terminal based on the reported information. Ensure correct communication between the second terminal and the first terminal.
- an embodiment of the present application provides a communication method, including: after a first terminal determines a new key, the application layer of the first terminal sends a first instruction to the access layer of the first terminal, It is used to instruct to re-establish the PDCP entity for receiving data or to instruct the PDCP layer to be able to use the new key to process the received data on the unicast connection, and the new key is used for the first terminal and the first terminal.
- the PDCP entity for receiving data is associated with the unicast connection; after the first terminal receives the information encrypted using the new key, The application layer of the first terminal sends a second instruction to the access layer of the first terminal for instructing to re-establish the PDCP entity for sending data or for instructing the PDCP layer to be able to use the new key processing
- the PDCP entity for sending data is associated with the unicast connection.
- the application layer of the terminal can notify the access layer at the corresponding point in time that it can start to use the new key to decrypt the received data, and at the corresponding point in time, notify the access layer that it can start using the new key.
- the key encrypts the data to be sent, so that the correct communication between the first terminal and the second terminal can be guaranteed.
- the application layer of the first terminal sends a first instruction to the access layer of the first terminal, including: After a terminal determines the new key and sends a security mode command message to the second terminal, the application layer of the first terminal sends the first instruction to the access layer of the first terminal Or, after the first terminal determines the new key and determines that the new key can be used to process the received data on the unicast connection, the application layer of the first terminal sends the The access layer of the first terminal sends the first instruction.
- the application layer of the first terminal sends the second terminal to the access layer of the first terminal.
- the instruction includes: after the first terminal receives the security mode completion message encrypted with the new key, the application layer of the first terminal sends the second terminal to the access layer of the first terminal. Indication; or, after the first terminal receives the information encrypted using the new key and determines that the new key can be used to process the data sent on the unicast connection, the first terminal The application layer of sends the second instruction to the access layer of the first terminal.
- the access layer is the PDCP layer; the application layer of the first terminal sends a first instruction to the access layer of the first terminal, including: the first terminal The application layer sends the first instruction to the PDCP layer of the first terminal; the application layer of the first terminal sends a second instruction to the access layer of the first terminal, including: The application layer of the first terminal sends the second indication to the PDCP layer of the first terminal.
- the access layer is an RRC layer; the application layer of the first terminal sends a first instruction to the access layer of the first terminal, including: The application layer sends the first instruction to the PDCP layer of the first terminal through the RRC layer; the application layer of the first terminal sends a second instruction to the access layer of the first terminal Including: the application layer of the first terminal sends the second indication to the PDCP layer of the first terminal through the RRC layer.
- an embodiment of the present application provides a communication method, including: a first terminal receives a first data packet from a second terminal, the first data packet carries a key identifier, and the key identifier corresponds to the key Used for unicast connection communication between the first terminal and the second terminal; if the key security context corresponding to the key identifier is not stored in the first terminal, the first terminal The first data packet is discarded.
- the first terminal After the first terminal receives the first data packet carrying the key identifier, if the first terminal does not store the key security context corresponding to the key identifier, the first terminal discards the first data packet, and now In some technologies, the parsing error is discovered after the first data packet is parsed and transmitted to the IP layer, and then the first data packet is discarded. It can be seen that the above-mentioned solution of the present application can discard data packets that cannot be resolved in advance, thus ensuring correct communication between the terminal and other terminals, and at the same time can save resource overhead.
- an embodiment of the present application provides a communication device, which may be a first terminal or a chip for the first terminal.
- the device has the function of implementing the methods of the first aspect to the fourth aspect, and any of the possible implementation methods of the first aspect to the fourth aspect.
- This function can be realized by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above-mentioned functions.
- an embodiment of the present application provides a communication device including a processor and a memory; the memory is used to store computer execution instructions, and when the device is running, the processor executes the computer execution instructions stored in the memory to enable The device executes any of the above-mentioned methods of the first aspect to the fourth aspect, and each of the possible implementation methods of the first aspect to the fourth aspect.
- an embodiment of the present application provides a communication device, including a method for executing the methods of the first aspect to the fourth aspect, and each step of any of the possible implementation methods of the first aspect to the fourth aspect Unit or means (means).
- an embodiment of the present application provides a communication device, including a processor and an interface circuit.
- the processor is configured to communicate with other devices through the interface circuit and execute the methods of the first to fourth aspects.
- the first aspect To any of the possible implementation methods of the fourth aspect.
- the processor includes one or more.
- an embodiment of the present application provides a communication device, including a processor, configured to be connected to a memory, and configured to call a program stored in the memory to execute the methods of the first aspect to the fourth aspect, the first Aspect to any of the possible implementation methods of the fourth aspect.
- the memory can be located inside the device or outside the device.
- the processor includes one or more.
- an embodiment of the present application also provides a computer-readable storage medium that stores instructions in the computer-readable storage medium, which when run on a computer, causes a processor to execute the first to fourth aspects above , Any of the possible implementation methods of the first aspect to the fourth aspect.
- an embodiment of the present application also provides a computer program product, the computer product including a computer program, when the computer program runs, the method of the first aspect to the fourth aspect, the method of the first aspect to the fourth aspect Any of the possible implementation methods is executed.
- an embodiment of the present application further provides a chip system, including a processor, configured to execute the methods of the first aspect to the fourth aspect, among the possible implementation methods of the first aspect to the fourth aspect Any method.
- FIG. 1 is a schematic diagram of a network architecture to which an embodiment of the application is applicable;
- FIG. 2 is a schematic diagram of a protocol stack provided by an embodiment of the application.
- Figure 3 is a schematic diagram of a key update process between two unicast connected terminals
- FIG. 4 is a schematic diagram of a communication method provided by an embodiment of this application.
- FIG. 5 is a schematic diagram of another communication method provided by an embodiment of this application.
- FIG. 6 is a schematic diagram of another communication method provided by an embodiment of this application.
- FIG. 7 is a schematic diagram of another communication method provided by an embodiment of this application.
- FIG. 8 is a schematic diagram of a terminal provided by an embodiment of the application.
- a schematic diagram of a network architecture to which the embodiments of this application are applied includes at least two terminals and at least one network device.
- the terminal can communicate with the network device through a wireless interface (such as a Uu port).
- the terminals can communicate through network equipment or direct communication, for example, through the PC5 interface between the terminals.
- the link between the terminals may be called a side link, or a side link, or a side link, or a PC5 interface link, or an inter-terminal link.
- a terminal is a device with wireless transceiver function. It can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on the water (such as ships, etc.); it can also be deployed in the air (such as airplanes). , Balloons and satellites etc.).
- the terminal may be a mobile phone (mobile phone), a tablet computer (pad), a computer with wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, an industrial control (industrial control) Wireless terminals in, self-driving (self-driving), wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, Wireless terminals in a smart city (smart city), wireless terminals in a smart home (smart home), user equipment (UE), etc.
- the terminal and the terminal support direct communication, and the direct communication between the terminal and the terminal may also be referred to as D2D communication.
- Network equipment is a device that provides wireless communication functions for terminals.
- Network equipment includes, but is not limited to: the next generation base station (gnodeB, gNB) in the fifth generation (5G) and evolved node B (evolved node) B, eNB), radio network controller (RNC), node B (node B, NB), base station controller (BSC), base transceiver station (BTS), home base station (For example, home evolved nodeB, or home node B, HNB), baseband unit (baseBand unit, BBU), transmission point (transmitting and receiving point, TRP), transmission point (TP), mobile switching center, etc.
- gnodeB, gNB next generation base station
- gNB next generation base station
- 5G fifth generation
- eNode B evolved node B
- RNC radio network controller
- node B node B
- BSC base station controller
- BTS base transceiver station
- home base station Form, home evolved nodeB, or home node B, HNB
- the logical system of network equipment can adopt a centralized unit (CU) and distributed unit (DU) separation mode.
- the CU-DU logic system can be divided into two types, namely the CU-DU separation architecture and the CU-DU fusion architecture.
- the functions of the protocol stack can be dynamically configured and divided, some of which are implemented in the CU, and the remaining functions are implemented in the DU.
- 3rd generation partnership project 3rd generation partnership project, 3GPP
- the NR V2X standard already supports three types of side link communication modes, including broadcast, multicast, and unicast.
- the standard has allowed encryption and integrity protection for communications between two terminals in two unicast connections, and allowed the terminals to update keys.
- Unicast connection key update refers to the process in which two terminals on the side link update the integrity protection algorithm and encryption algorithm for data transmission. The key update is completed at the respective PC5-S layer, and the updated key needs to be connected. Used by the Packet Data Convergence Protocol (PDCP) entity at the access stratum (AS) layer.
- PDCP Packet Data Convergence Protocol
- AS access stratum
- the terminal includes at least: application layer, radio resource control (Radio Resource Control, RRC) layer, PDCP layer, radio link control (RLC) layer, media access control (media access control, MAC) layer , Physical layer (PHY layer).
- RRC Radio Resource Control
- PDCP Radio Resource Control
- RLC radio link control
- PHY Physical layer
- the RRC layer, PDCP layer, RLC layer, MAC layer, and PHY layer can be collectively referred to as belonging to the access layer (AS).
- the application layer such as the PC5-S layer or the V2X layer, is used to perform application-level control.
- the RRC layer is used to support functions such as radio resource management and RRC connection control.
- protocol layers such as the PDCP layer, the RLC layer, etc.
- the definitions and functions of the protocol layers can be referred to the description of the prior art, which will not be repeated here.
- FIG. 3 it is a schematic diagram of a key update process between two unicast connected terminals. It includes the following steps:
- Step 301 The first terminal sends a key update request message to the second terminal.
- the second terminal can receive the key update request message.
- the key update request message is used to request to update the key of the unicast connection.
- the key update request message may be, for example, a DirectRekeyRequest message.
- the key update request message carries the security capability information of the first terminal, the key update request indication and the high 8 bits of the new key identifier.
- the security capability information includes security algorithms that the first terminal can support in the unicast connection.
- the security algorithm here includes an integrity protection algorithm and/or an encryption algorithm.
- the first terminal sends a key update request message to the second terminal in order to obtain a new 256-bit key, which can be passed through the new The identification of the key (also called the new key identification) for identification.
- the new key identifier is 16 bits, of which the upper 8 bits are confirmed by the first terminal in advance, and the lower 8 bits are confirmed by the second terminal.
- the first terminal sends the high 8 bits of the new key identifier to the second terminal, and the second terminal sends the low 8 bits of the new key identifier to the first terminal, so that both the first terminal and the second terminal can Obtain a new key ID.
- Step 302 The second terminal selects a new security algorithm and determines a new key.
- the second terminal selects an integrity protection algorithm from the integrity protection algorithms supported by the first terminal, and/or selects an encryption algorithm from the encryption algorithms supported by the first terminal. Then the second terminal determines a new key based on the selected integrity protection algorithm and/or the selected encryption algorithm.
- the security context of the new key is established, and subsequently the second terminal can start to receive data encrypted using the new key from the first terminal on the unicast connection. Or it can be understood that the second terminal enables the function of receiving data encrypted with the new key from the first terminal on the unicast connection.
- each unicast connection uses a key.
- the new key negotiated between the first terminal and the second terminal is for one of the unicast connections.
- Step 303 The second terminal sends a security mode command message to the first terminal.
- the second terminal can receive the safe mode command message.
- the security mode command message may be, for example, a DirectSecurityModeCommand message.
- the security mode command message carries an indication of the new integrity protection algorithm and/or the new encryption algorithm selected by the second terminal, the security capability information of the first terminal, and the lower 8 bits of the new key identifier.
- Step 304 The first terminal determines a new key.
- the first terminal first checks the integrity of the received security mode command message, and verifies the security capability information of the first terminal carried. When the verification result is correct, the first terminal performs the verification according to the instructions in the security mode command message According to the new integrity protection algorithm and/or new encryption algorithm of the second terminal, a new key is obtained according to the same key deduction method as the second terminal, and the new key is the same as the new key deduced by the second terminal .
- the security context of the new key is established, and it is determined that the subsequent unicast connection can start to receive data encrypted with the new key from the second terminal, and the new key can be used Encrypt the data that needs to be sent to the second terminal on the unicast connection.
- the second terminal has enabled the function of receiving data encrypted with a new key from the first terminal on the unicast connection, and has enabled the use of a new key pair to be sent to the first terminal on the unicast connection. The function of encrypting the data of the second terminal.
- Step 305 The first terminal sends a security mode complete message to the second terminal.
- the second terminal can receive the security mode completion message.
- the security mode completion message may be, for example, a DirectSecurityModeComplete message, which is used to indicate that the first terminal has completed the key update.
- the second terminal performs integrity verification on the received security mode completion message, and when the verification result is correct, the second terminal confirms that the key update of the first terminal is correct.
- the second terminal After confirming that the key update of the first terminal is correct, the second terminal determines that the new key can be subsequently used to encrypt the data that needs to be sent to the first terminal over the unicast connection. Or it can be understood that the second terminal enables the function of using a new key to encrypt data that needs to be sent to the first terminal over the unicast connection.
- Step 306 The second terminal deletes the key security context corresponding to the old key.
- the second terminal After the second terminal confirms that the key update of the first terminal is correct, it will subsequently use the new key to send data to the first terminal, thus deleting the key security context corresponding to the old key.
- Step 307 The second terminal sends the first signaling to the first terminal.
- the first terminal can receive the first signaling.
- the first signaling is encrypted using the new key.
- Step 308 The first terminal deletes the key security context corresponding to the old key.
- the first terminal parses the first signaling, and if it can parse it correctly, it indicates that the first terminal can correctly receive the data encrypted with the new key, and thus can delete the key security context corresponding to the old key.
- step 306 may also be executed after step 307.
- the time when the second terminal starts to use the new key when receiving data and sending data is different. Specifically, after determining the new key, the second terminal can start to receive data encrypted with the new key from the first terminal, but after confirming that the key of the first terminal is updated correctly, it is determined that the new key can be used.
- the key encrypts the data that needs to be sent to the first terminal. Since the time when the second terminal receives data and sends data starts to use the new key is different, how does the AS layer of the second terminal know when it can start using the new key to encrypt the data that needs to be sent to the first terminal, And how to know when the data encrypted with the new key can be received from the first terminal to ensure correct communication between the second terminal and the first terminal is a problem to be solved.
- the time when the first terminal and the second terminal delete the key security context corresponding to the old key are different.
- the first terminal deletes the key security context corresponding to the old key after step 307
- the second terminal deletes the key security context corresponding to the old key after step 305.
- the second terminal deletes the key security context corresponding to the old key, it may continue to receive data encrypted using the old key from the first terminal.
- the data encrypted with the old key received from the first terminal may include: RLC buffer is not transmitted completely One or more of the data that is not transmitted in the MAC layer buffer area, and the data that is retransmitted due to transmission failure.
- RLC buffer is not transmitted completely One or more of the data that is not transmitted in the MAC layer buffer area, and the data that is retransmitted due to transmission failure.
- the embodiments of the present application provide different communication methods. It should be noted that the keys (such as old keys or new keys) mentioned in these communication methods are all for a specific unicast connection established between the first terminal and the second terminal. Or it can be understood that multiple unicast connections can be established between the first terminal and the second terminal, and each unicast connection uses a key.
- an embodiment of the present application provides a communication method.
- the method is suitable for communication between the first terminal and the second terminal, and the first terminal and the second terminal communicate through a unicast connection.
- the method includes the following steps:
- Step 401 After the first terminal determines the new key, the application layer of the first terminal sends a first instruction to the access layer of the first terminal.
- the first instruction is used to instruct to re-establish the PDCP entity or Used to indicate that the PDCP layer can use the new key to process the received data on the unicast connection.
- the new key is used for the communication of the unicast connection between the first terminal and the second terminal.
- the first indication is used to indicate that the PDCP layer can use the new key to process the received data on the unicast connection, and can also be understood as indicating that the PDCP layer can receive the data encrypted using the new key, or it can be It is understood to be used to indicate that the PDCP layer has the ability to use the new key to process the received data on the unicast connection.
- the first indication may be an indication that the application layer of the first terminal sends a new key to the access layer of the first terminal to process the received data, triggering the application layer of the first terminal to use the new key and integrity
- the protection and encryption algorithms enable the first terminal to use the new key to process the received data on the unicast connection.
- the first instruction may also be a re-establishment instruction of the PDCP entity receiving data related to the unicast connection sent by the application layer of the first terminal to the access layer of the first terminal.
- the PDCP entity receiving the data is in the process of re-establishing A new key and a new integrity protection and encryption algorithm are applied, so that the first terminal has the ability to use the new key to process the received data on the unicast connection.
- the PDCP entity for receiving data is associated with the unicast connection between the first terminal and the second terminal. Or it can be understood that there may be multiple unicast connections between the first terminal and the second terminal, and the PDCP entity for receiving data is associated with one of the unicast connections. When there are multiple unicast connections, different PDCP entities need to be associated with different unicast connections.
- the application layer of the first terminal may be a PC5-S layer or a V2X layer.
- the application layer of the first terminal sends the first instruction to the access layer.
- the application layer may send the first instruction to the PDCP layer.
- the application layer may send the first indication to the RRC layer.
- the RRC layer may instruct the PDCP layer to re-establish the PDCP entity for receiving data of the unicast connection.
- the PDCP entity used to process the received data on the unicast connection using the new key is re-established, that is, the newly established PDCP entity uses the new key to decrypt the received data of the unicast connection.
- the first terminal determines the new key, for example, it may be after sending a security mode command message (the message in step 303 in the embodiment of FIG. 3) to the second terminal.
- a security mode command message the message in step 303 in the embodiment of FIG. 3
- the first terminal may also receive a key update request message (the message in step 301 in the embodiment of FIG. 3) and determine that it can After using the new key to process the received data on the unicast connection.
- a key update request message the message in step 301 in the embodiment of FIG. 3
- the first terminal may also receive a key update request message (the message in step 301 in the embodiment of FIG. 3) and determine that it can After using the new key to process the received data on the unicast connection.
- the first terminal determines that the new key can be used to process the received data on the unicast connection, it can also be understood as the first terminal can use the old key to process the sent data on the unicast connection and can use the new key.
- the key handles the received data on the unicast connection.
- Step 402 After the first terminal receives the information (such as signaling, message, or data) encrypted with the new key, the application layer of the first terminal sends a second instruction to the access layer of the first terminal.
- the second indication is used to instruct to re-establish the PDCP entity for sending data or to instruct the PDCP layer to be able to use the new key to process the sent data on the unicast connection.
- the second indication is used to indicate that the PDCP layer can use the new key to process the data sent on the unicast connection, and can also be understood as indicating that the PDCP layer can send the data of the unicast connection encrypted using the new key. , Or can also be understood as indicating that the PDCP layer can use the new key to encrypt and send the data of the unicast connection that needs to be sent, or can also be understood as indicating that the PDCP layer has the ability to use the new key The ability to process data sent on a unicast connection.
- the second indication may be an indication of the ability of the application layer of the first terminal to send a new key to the access layer of the first terminal to process and send data, triggering the application layer of the first terminal to apply the new key.
- Key and integrity protection and encryption algorithm so that the first terminal has the ability to use the new key to process the data sent on the unicast connection; it can also be the application layer of the first terminal sending to the access layer of the first terminal A re-establishment instruction of the PDCP entity that sends data related to the unicast connection, and the PDCP entity that receives the data applies a new key and a new integrity protection and encryption algorithm during the re-establishment process, so that the first terminal has The ability to use the new key to process the data sent on the unicast connection.
- the PDCP entity used to send data is associated with the unicast connection between the first terminal and the second terminal. Or it can be understood that there may be multiple unicast connections between the first terminal and the second terminal, and the PDCP entity for sending data is associated with one of the unicast connections. When there are multiple unicast connections, different PDCP entities need to be associated with different unicast connections.
- the PDCP entity used to send data and the PDCP entity used to receive data in this embodiment are associated with the same unicast connection.
- the application layer of the first terminal sends the second instruction to the access layer.
- the application layer may send the first instruction to the PDCP layer.
- the application layer may send a second instruction to the RRC layer, and after receiving the second instruction, the RRC layer may instruct the PDCP layer to re-establish the PDCP entity for sending data.
- the PDCP entity used to encrypt and send the unicast connection data that needs to be sent is re-established using a new key.
- the first terminal after the first terminal receives the data encrypted with the new key, for example, it may be after receiving the security mode completion message (the message in step 305 in the embodiment of FIG. 3) from the second terminal. .
- the first terminal after the first terminal determines the new key, it can also be the first terminal after determining that the new key can be used to process the data sent on the unicast connection, for example, it can be verified from the first terminal. After the received data encrypted by the new key is correct, and based on this, it is considered that the first terminal has confirmed the new key and established a security context related to the new key.
- the first terminal determines that the new key can be used to process the sent data on the unicast connection, it can also be understood that the first terminal can use the new key to process the received data on the unicast connection and can use the new key.
- the key handles the data sent on the unicast connection.
- first terminal in the embodiment in FIG. 4 may be the second terminal in the embodiment in FIG. 3, and the second terminal in the embodiment in FIG. 4 may be the first terminal in the embodiment in FIG. 3.
- the above-mentioned first indication may also be referred to as a PDCP entity re-establishment indication.
- the PDCP layer receives the first indication, it will re-establish the PDCP entity.
- the above-mentioned second indication may also be referred to as a PDCP entity re-establishment indication.
- the PDCP layer receives the second indication, it will re-establish the PDCP entity.
- the application layer of the terminal can notify the access layer at the corresponding point in time that it can start to use the new key to decrypt the received data, and at the corresponding point in time, notify the access layer that it can start using the new key.
- the key encrypts the data to be sent, so that the correct communication between the first terminal and the second terminal can be guaranteed.
- the application layer of the terminal sends the The access layer sends a third instruction, which is used to instruct to re-establish the PDCP entity for sending data and to re-establish the PDCP entity for receiving data, or to instruct the PDCP layer to be able to use the new key to process unicast Send data and receive data on the connection.
- the PDCP entity used to send data of the unicast connection and the PDCP entity used to receive the data of the unicast connection are different PDCP entities.
- the third indication is used to indicate that the PDCP layer can use the new key to process the sent data and received data on the unicast connection, and it can also be understood as used to indicate that the PDCP layer can use the new key to send the unicast that needs to be sent.
- the data of the connection is encrypted and sent, and the data of the received unicast connection can be decrypted using a new key.
- the foregoing third indication may also be referred to as a PDCP entity re-establishment indication. When the PDCP layer receives the third indication, it will re-establish the PDCP entity.
- the application layer of the terminal can be the PC5-S layer or the V2X layer.
- the application layer of the terminal sends the third instruction to the access layer.
- the application layer may send the first instruction to the PDCP layer.
- the application layer may send a third instruction to the RRC layer.
- the RRC layer may instruct the PDCP layer to re-establish a PDCP entity for sending data for unicast connections and to re-establish a unicast connection for receiving unicast connections.
- the PDCP entity of the data may be instructed to re-establish a PDCP entity for sending data for unicast connections and to re-establish a unicast connection for receiving unicast connections.
- the terminal determines the new key for example, it may be after determining the new key and before sending the security mode completion message (the message in step 305 in the embodiment of FIG. 3).
- the terminal may also be after the terminal determines that the new key can be used to process the data sent and received on the unicast connection. For example, it may be receiving and verifying that the security mode command message sent by the second terminal (such as the message of step 303 in the embodiment of FIG. 3) is correct, and based on this, it is considered that the second terminal has confirmed the new key and established a new secret. After the security context associated with the key.
- an embodiment of the present application provides a communication method, which is applicable between a first terminal and a second terminal, and the first terminal and the second terminal communicate through a unicast connection.
- the method includes the following steps:
- Step 501 The first terminal receives a first data packet from a second terminal, the first data carries a key identifier, and the key corresponding to the key identifier is used for unicast connection between the first terminal and the second terminal. Communication.
- the first data packet is encrypted using the key corresponding to the key identifier.
- the first data packet may be a PDCP Data protocol data unit (protocol data unit, PDU) received from a lower layer by the PDCP entity receiving the data, including a control plane data packet and/or a user plane data packet.
- PDU PDCP Data protocol data unit
- the first terminal will store the key security context corresponding to the key identifier. In some cases, such as in the key update process in the embodiment of FIG. 3, the first terminal will also delete the key security context corresponding to the old key and establish the key security context corresponding to the new key.
- the first terminal may continue to receive data encrypted with the old key.
- the second terminal in the embodiment of FIG. 3 after deleting the key security context corresponding to the old key, it may continue to receive data encrypted with the old key.
- Step 502 If the key security context corresponding to the key identifier is not stored in the first terminal, the first terminal discards the first data packet.
- the first terminal receives and processes the first data packet. For example, the first terminal uses the key corresponding to the key identifier to decrypt the first data packet.
- the key security context corresponding to the key identifier is not stored in the first terminal, it indicates that the first terminal and the second terminal have used the key corresponding to the key identifier, but due to some reasons, such as key update, The first terminal deletes the key security context corresponding to the key. Therefore, if the first terminal continues to receive the key security context corresponding to the key, the first terminal will not be able to decrypt the first data, so the first terminal can discard the first data packet.
- the first terminal in this embodiment may be the second terminal in the embodiment corresponding to FIG. 3.
- the first terminal After the first terminal receives the first data packet carrying the key identifier, if the first terminal does not store the key security context corresponding to the key identifier, the first terminal discards the first data packet, and now In some technologies, the parsing error is found only after the first data packet is parsed and transmitted to the Internet Protocol (IP) layer, and the first data packet is discarded. It can be seen that the above-mentioned solution of the present application can discard data packets that cannot be resolved in advance, thus ensuring correct communication between the terminal and other terminals, and at the same time can save resource overhead.
- IP Internet Protocol
- an embodiment of the present application provides a communication method, which is applicable between a first terminal and a second terminal, and the first terminal and the second terminal communicate through a unicast connection.
- the process of establishing a unicast connection between the first terminal and the second terminal is: first establish a unicast connection between the first terminal and the second terminal. After the unicast connection is successfully established, the first terminal and the second terminal are automatically established. RRC connection between two terminals.
- the process of disconnecting the unicast connection between the first terminal and the second terminal is: first disconnect the unicast connection between the first terminal and the second terminal. After the unicast connection is successfully disconnected, the first terminal and the second terminal are automatically disconnected. RRC connection between the second terminal.
- the method includes the following steps:
- Step 601 The first terminal performs integrity protection check on the received RRC message.
- the RRC message in this step may also be referred to as a PC5-RRC message.
- the first terminal is an RRC message received from a second terminal that has established a unicast connection with the first terminal, and performs an integrity protection check on the RRC message.
- Step 602 When the integrity protection check fails, the RRC layer of the first terminal sends a first indication and the identification of the second terminal to the application layer of the first terminal, the first indication and the identification of the second terminal Used by the application layer to disconnect the unicast connection between the first terminal and the second terminal.
- the application layer here can be the PC5-S layer or the V2X layer.
- the application layer of the first terminal After receiving the first indication and the identification of the second terminal from the RRC layer, the application layer of the first terminal disconnects the unicast connection between the first terminal and the second terminal according to the first indication and the identification of the second terminal.
- the reason for the failure to perform integrity protection verification on the received message may be that the attacker has tampered with some information in the received RRC message. Therefore, this method can ensure communication by disconnecting the unicast connection between the two terminals. Safety.
- the application layer of the first terminal may also update the Layer 2 ID (Layer 2 ID), that is, the MAC layer identity of the first terminal, so as to improve communication security.
- Layer 2 ID Layer 2 ID
- the first terminal may also use the new key to re-establish the unicast connection with the second terminal, thereby improving communication security.
- the RRC layer of the first terminal can report the first indication and the identification of the second terminal to the application layer to trigger the application layer to disconnect Unicast connection between the first terminal and the second terminal.
- the reason for the failure to perform integrity protection verification on the received message is generally that the attacker has tampered with some information in the RRC message. Therefore, this method can ensure communication security by disconnecting the unicast connection between the two terminals. .
- the first indication is an RRC connection disconnection indication.
- the RRC connection disconnection indication is used to indicate that the RRC connection between the first terminal and the second terminal has been disconnected.
- the first terminal first disconnects the RRC connection between the first terminal and the second terminal, and then in step 602, the RRC layer of the first terminal sends the RRC to the application layer.
- the disconnection indication and the identification of the second terminal The application layer of the first terminal determines that the RRC connection between the first terminal and the second terminal has been disconnected according to the RRC connection disconnection instruction, and then triggers the application layer of the first terminal to disconnect the connection between the first terminal and the second terminal.
- Unicast connection is based on Method 1, after step 601, the first terminal first disconnects the RRC connection between the first terminal and the second terminal, and then in step 602, the RRC layer of the first terminal sends the RRC to the application layer.
- the disconnection indication and the identification of the second terminal The application layer of the first terminal determines that the RRC connection between the first terminal and the second terminal has been disconnected according to the RRC connection disconnection instruction, and then triggers the application layer of the first terminal to disconnect the connection between the first terminal and the second terminal.
- Method 2 The first indication is an integrity protection check failure indication.
- the integrity protection check failure indication is used to indicate that the first terminal fails to perform integrity protection check on the received RRC message.
- the RRC layer of the first terminal fails the integrity protection check of the received RRC message in the above step 601, it sends the integrity protection to the application layer of the first terminal in the above step 602.
- the verification failure indication and the identification of the second terminal The application layer of the first terminal disconnects the unicast connection between the first terminal and the second terminal according to the integrity protection check failure indication and the identifier of the second terminal. After the unicast connection between the first terminal and the second terminal is disconnected, the RRC connection between the first terminal and the second terminal will also be automatically disconnected.
- an embodiment of the present application provides another communication method. As shown in FIG. 7, the method includes the following steps:
- Step 701 The first terminal performs integrity protection check on the received RRC message.
- the RRC message in this step may also be a PC5-RRC message.
- the first terminal is an RRC message received from a second terminal that has established a unicast connection with the first terminal, and performs an integrity protection check on the RRC message.
- Step 702 When the integrity protection check fails, the first terminal sends side link information to the network device, where the side link information includes a second indication and an identifier of the second terminal.
- the foregoing second indication is an integrity protection check failure indication, which is used to indicate that the first terminal fails to perform integrity protection check on the received RRC message from the second terminal. Therefore, the network device learns that the first terminal fails to check the integrity protection of the received RRC message from the second terminal.
- the above-mentioned second indication can also be used to indicate that the unicast connection between the first terminal and the second terminal has a radio link failure (Radio Link Failure, RLF), and the reason for the failure is the The integrity protection check of the RRC message of the second terminal fails. Therefore, the network device learns that the first terminal fails to check the integrity protection of the received RRC message from the second terminal.
- RLF Radio Link Failure
- the network device may try to find an attacker or trigger an alarm.
- the first terminal may report the second indication and the identifier of the second terminal to the network device.
- the network device can troubleshoot the unicast connection failure between the first terminal and the second terminal based on the reported information. Ensure correct communication between the second terminal and the first terminal.
- the first terminal when the first terminal fails the integrity protection check of the received control plane RRC message, a corresponding processing method is provided.
- the first terminal may send side link information to the network device, and the side link information includes integrity Protection verification failure indication and the second terminal's identity. That is, after the first terminal fails the integrity protection verification of the received user plane message, it triggers the first terminal to report to the network device the side chain carrying the integrity protection verification failure indication and the identifier of the second terminal Path information, so that the network device learns that the first terminal fails to check the integrity protection of the received RRC message from the second terminal.
- the network device may try to find an attacker or trigger an alarm.
- the first terminal triggers the first terminal to report to the network device an integrity protection verification failure indication and a data packet discarded due to a user plane message integrity protection verification failure. Side link information of the identification of the second terminal.
- the first terminal may report the integrity protection verification failure indication and the identification of the second terminal to the network device.
- the network device can troubleshoot the unicast connection failure between the first terminal and the second terminal based on the reported information. Therefore, the correct communication between the second terminal and the first terminal can be guaranteed.
- the identifier of the second terminal in any of the foregoing embodiments of the present application may be, for example, the layer 2 identifier of the second terminal, or the IP address, or the subscriber identity module (Subscriber Identity Module, in specific implementation). SIM) etc.
- the terminal is used to implement the operation of the terminal (such as the first terminal or the second terminal) in the above embodiments.
- the terminal includes: an antenna 810, a radio frequency device 820, and a signal processing part 830.
- the antenna 810 is connected to the radio frequency device 820.
- the radio frequency device 820 receives the information sent by the network device or other terminal through the antenna 810, and sends the information sent by the network device or other terminal to the signal processing part 830 for processing.
- the signal processing part 830 processes the information of the terminal and sends it to the radio frequency device 820.
- the radio frequency device 820 processes the information of the terminal and sends it to the network equipment or other terminals via the antenna 810.
- the signal processing part 830 is used to realize the processing of each communication protocol layer of the data.
- the signal processing part 830 may be a subsystem of the terminal, and the terminal may also include other subsystems, such as a central processing subsystem, for processing the terminal operating system and application layer; for another example, the peripheral subsystem is used for Realize the connection with other equipment.
- the signal processing part 830 may be a separately provided chip.
- the above devices may be located in the signal processing part 830.
- the signal processing part 830 may include one or more processing elements 831, for example, a main control CPU and other integrated circuits, and an interface circuit 833.
- the signal processing part 830 may also include a storage element 832.
- the storage element 832 is used to store data and programs.
- the program used to execute the method executed by the terminal in the above method may or may not be stored in the storage element 832, for example, stored in a memory other than the signal processing part 830
- the signal processing part 830 loads the program into the cache for use.
- the interface circuit 833 is used to communicate with the device.
- the above devices may be located in the signal processing part 830, which may be implemented by a chip.
- the chip includes at least one processing element and an interface circuit. Used to communicate with other devices.
- the unit that implements each step in the above method can be implemented in the form of a processing element scheduler.
- the device includes a processing element and a storage element, and the processing element calls a program stored by the storage element to execute the above method embodiments.
- the storage element may be a storage element whose processing element is on the same chip, that is, an on-chip storage element.
- the program used to execute the method executed by the terminal in the above method may be a storage element on a different chip from the processing element, that is, an off-chip storage element.
- the processing element calls or loads a program from the off-chip storage element on the on-chip storage element to call and execute the method executed by the terminal in the above method embodiment.
- the unit for the terminal to implement each step in the above method may be configured as one or more processing elements, and these processing elements are provided on the signal processing part 830, where the processing elements may be integrated circuits, for example: One or more ASICs, or, one or more DSPs, or, one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
- the units that implement each step in the above method can be integrated together and implemented in the form of a system-on-a-chip (SOC), and the SOC chip is used to implement the above method.
- SOC system-on-a-chip
- At least one processing element and storage element can be integrated in the chip, and the above terminal execution method can be implemented by the processing element calling the stored program of the storage element; or, at least one integrated circuit can be integrated in the chip for realizing the above terminal execution Or, can be combined with the above implementations, the functions of some units are implemented in the form of calling programs by processing elements, and the functions of some units are implemented in the form of integrated circuits.
- the above device may include at least one processing element and an interface circuit, wherein at least one processing element is used to execute any of the methods executed by the terminal provided in the above method embodiments.
- the processing element can execute part or all of the steps executed by the terminal in the first way: calling the program stored in the storage element; or in the second way: combining instructions through the integrated logic circuit of the hardware in the processor element Part or all of the steps executed by the terminal are executed in a manner; of course, part or all of the steps executed by the terminal may be executed in combination with the first manner and the second manner.
- the processing element here is the same as the above description, and it may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as: one or more ASICs, or, one or more micro-processing DSP, or, one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms.
- the storage element can be a memory or a collective term for multiple storage elements.
- At least one refers to any combination of these items, including any combination of a single item (a) or a plurality of items (a).
- at least one of a, b, or c (a, kind) can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or Multiple.
- Multiple refers to two or more than two, and other quantifiers are similar.
- the size of the sequence numbers of the above-mentioned processes does not mean the order of execution.
- the execution order of the processes should be determined by their functions and internal logic, and should not be used in the embodiments of the present invention.
- the implementation process constitutes any limitation.
- the disclosed system, device, and method can be implemented in other ways.
- the device embodiments described above are merely illustrative, for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
- the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, Discrete gates or transistor logic, discrete hardware components, or any combination of the above are designed to implement or operate the described functions.
- the general-purpose processor may be a microprocessor.
- the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
- the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration. accomplish.
- the steps of the method or algorithm described in the embodiments of the present application can be directly embedded in hardware, a software unit executed by a processor, or a combination of the two.
- the software unit can be stored in random access memory (Random Access Memory, RAM), flash memory, read-only memory (Read-Only Memory, ROM), EPROM memory, EEPROM memory, registers, hard disks, removable disks, CD-ROM or notebooks. Any other storage media in the field.
- the storage medium may be connected to the processor, so that the processor can read information from the storage medium, and can store and write information to the storage medium.
- the storage medium may also be integrated into the processor.
- the processor and the storage medium can be arranged in the ASIC.
- These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
- the instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
- the functions described in this application can be implemented by hardware, software, firmware, or any combination thereof. When implemented by software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium.
- the computer-readable medium includes a computer storage medium and a communication medium, where the communication medium includes any medium that facilitates the transfer of a computer program from one place to another.
- the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本申请实施例提供通信方法及装置。该方法包括:第一终端对接收到的RRC消息进行完整性保护校验;当完整性保护校验失败,第一终端的RRC层向第一终端的应用层发送第一指示和第二终端的标识,所述第一指示和第二终端的标识用于所述应用层断开第一终端与第二终端之间的单播连接。基于该方案,在第一终端对接收到的消息执行完整性保护校验失败的情况下,第一终端的RRC层可以向应用层上报第一指示和第二终端的标识,触发应用层断开第一终端与第二终端之间的单播连接。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,因而可以保障第二终端与第一终端之间的正确通信。
Description
相关申请的交叉引用
本申请要求在2020年05月20日提交中国专利局、申请号为202010432218.X、申请名称为“通信方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请实施例涉及通信技术领域,尤其涉及通信方法及装置。
车联网(vehicle to everthing,V2X)是智能交通运输系统的关键技术,被认为是物联网体系中最有产业潜力、市场需求最明确的领域之一。车联网一般是指通过装载在车上的传感器、车载终端等提供车辆信息,实现车辆到车辆(vehicle to vehicle,V2V),车辆到基础设施(vehicle to infrastructure,V2I),车辆到网络(vehicle to Network,V2N)以及车辆到行人(vehicle to pedestrian,V2P)之间的相互通信的通信网络。一般的,在V2X场景下,终端与其他终端之间进行直连通信的通信链路可以称之为边链或者侧链(sidelink,SL),SL接口可以称之为PC5口。
在新空口(new radio,NR)V2X中,终端之间的高可靠性业务对通信质量提出了更高的要求,如何保障终端之间的正确通信,是目前需要解决的问题。
发明内容
本申请实施例提供通信方法及装置,用以保障终端之间的正确通信。
第一方面,本申请实施例提供一种通信方法,包括:第一终端对接收到的RRC消息进行完整性保护校验;当完整性保护校验失败,第一终端的RRC层向第一终端的应用层发送第一指示和第二终端的标识,所述第一指示和第二终端的标识用于所述应用层断开第一终端与第二终端之间的单播连接。
基于上述方案,在第一终端对接收到的消息执行完整性保护校验失败的情况下,第一终端的RRC层可以向应用层上报第一指示和第二终端的标识,触发应用层断开第一终端与第二终端之间的单播连接。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,因而可以保障第二终端与第一终端之间的正确通信。并且,对接收到的消息执行完整性保护校验失败的原因一般是攻击者篡改了RRC消息中的某些信息,因此该方法通过断开两个终端之间的单播连接,可以保障通信安全。
在一种可能的实现方法中,第一终端的RRC层断开第一终端与所述第二终端之间的RRC连接;则所述第一指示为RRC连接断开指示,用于指示所述第一终端与所述第二终端之间的RRC连接已经断开。
基于上述方案,第一终端的RRC层先断开第一终端与第二终端之间的RRC连接,并将连接断开的结果上报给应用层,从而触发应用层断开第一终端与第二终端之间的单播连 接,有助于实现第一终端与第二终端之间的正确通信。
在另一种可能的实现方法中,第一指示为完整性保护校验失败指示,用于指示所述第一终端对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
基于上述方案,第一终端将完整性保护校验失败的情况上报给应用层,从而触发应用层断开第一终端与第二终端之间的单播连接,有助于实现第一终端与第二终端之间的正确通信。
在一种可能的实现方法中,第一终端的应用层更新第一终端的层2标识。
基于该方案,由于更新了第一终端的层2标识,可以防止攻击者重复攻击,因而可以提升通信安全。
在一种可能的实现方法中,第一终端使用新的密钥,重新建立与第二终端之间的单播连接。
基于该方案,由于使用新的密钥重建立单播连接,因而可以提升通信安全。
在一种可能的实现方法中,所述第一终端向网络设备发送侧行链路信息,所述侧行链路信息包括第二指示和第二终端的标识,所述第二指示用于指示所述第一终端与所述第二终端之间的单播连接发生无线链路失败且失败原因是对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
基于上述方案,在第一终端对接收到的RRC消息执行完整性保护校验失败的情况下,第一终端可以向网络设备上报第二指示和第二终端的标识。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,使得网络设备可以基于上报的信息去排查第一终端与第二终端之间的单播连接故障,因而可以保障第二终端与第一终端之间的正确通信。
第二方面,本申请实施例提供一种通信方法,包括:第一终端对接收到的RRC消息进行完整性保护校验;当所述完整性保护校验失败,第一终端向网络设备发送侧行链路信息,所述侧行链路信息包括第二指示和第二终端的标识,第二指示用于指示第一终端与第二终端之间的单播连接发生无线链路失败且失败原因是对接收到的来自第二终端的RRC消息进行完整性保护校验失败。
基于上述方案,在第一终端对接收到的RRC消息执行完整性保护校验失败的情况下,第一终端可以向网络设备上报第二指示和第二终端的标识。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,使得网络设备可以基于上报的信息去排查第一终端与第二终端之间的单播连接故障,因而可以保障第二终端与第一终端之间的正确通信。
第三方面,本申请实施例提供一种通信方法,包括:第一终端在确定新的密钥之后,所述第一终端的应用层向所述第一终端的接入层发送第一指示,用于指示重建立用于接收数据的PDCP实体或用于指示PDCP层能够使用所述新的密钥处理单播连接上的接收数据,所述新的密钥用于所述第一终端与第二终端之间的所述单播连接的通信,所述用于接收数据的PDCP实体关联于所述单播连接;所述第一终端在接收到使用所述新的密钥加密的信息之后,所述第一终端的应用层向所述第一终端的接入层发送第二指示,用于指示重建立用于发送数据的PDCP实体或用于指示PDCP层能够使用所述新的密钥处理所述单播连接上的发送数据,所述用于发送数据的PDCP实体关联于所述单播连接。
其中,“用于指示PDCP层能够使用所述新的密钥处理单播连接上的接收数据”,也可 以理解为“用于指示PDCP层具有使用所述新的密钥处理单播连接上的接收数据的能力”。
其中,“用于指示PDCP层能够使用所述新的密钥处理单播连接上的发送数据”,也可以理解为“用于指示PDCP层具有使用所述新的密钥处理单播连接上的发送数据的能力”。
基于上述方案,终端的应用层可以在相应的时间点上通知接入层可以开始使用新的密钥对接收到数据进行解密,以及在相应的时间点上通知接入层可以开始使用新的密钥对需要发送的数据进行加密,从而可以保障第一终端与第二终端之间的正确通信。
在一种可能的实现方法中,所述第一终端在确定新的密钥之后,所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端在确定所述新的密钥,以及向所述第二终端发送了安全模式命令消息之后,所述第一终端的应用层向所述第一终端的接入层发送所述第一指示;或者,所述第一终端在确定所述新的密钥,以及确定能够使用所述新的密钥处理所述单播连接上的接收数据之后,所述第一终端的应用层向所述第一终端的接入层发送所述第一指示。
在一种可能的实现方法中,所述第一终端在接收到使用所述新的密钥加密的信息之后,所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端在接收到使用所述新的密钥加密的安全模式完成消息之后,所述第一终端的应用层向所述第一终端的接入层发送所述第二指示;或者,所述第一终端在接收到使用所述新的密钥加密的信息,以及确定能够使用所述新的秘钥处理所述单播连接上的发送数据之后,所述第一终端的应用层向所述第一终端的接入层发送所述第二指示。
在一种可能的实现方法中,所述接入层为所述PDCP层;所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端的所述应用层向所述第一终端的所述PDCP层发送所述第一指示;所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端的所述应用层向所述第一终端的所述PDCP层发送所述第二指示。
在另一种可能的实现方法中,所述接入层为RRC层;所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端的所述应用层通过所述RRC层,向所述第一终端的所述PDCP层发送所述第一指示;所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端的所述应用层通过所述RRC层,向所述第一终端的所述PDCP层发送所述第二指示。
第四方面,本申请实施例提供一种通信方法,包括:第一终端接收来自第二终端的第一数据包,所述第一数据包携带密钥标识,所述密钥标识对应的密钥用于所述第一终端与所述第二终端之间的单播连接的通信;若所述第一终端内没有存储有所述密钥标识对应的密钥安全上下文,则所述第一终端丢弃所述第一数据包。
基于上述方案,第一终端接收到携带密钥标识的第一数据包之后,若第一终端没有存储该密钥标识对应的密钥安全上下文,则第一终端丢弃该第一数据包,而现有技术中是在解析该第一数据包并传输到IP层后才发现解析错误,进而丢弃该第一数据包。可以看出,本申请上述方案可以提前丢弃无法解析的数据包,因而可以保障该终端与其他终端之间的正确通信,同时还可以节约资源开销。
第五方面,本申请实施例提供一种通信装置,该装置可以是第一终端,还可以是用于第一终端的芯片。该装置具有实现上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法的功能。该功能可以通过硬件实现,也可以通过硬件执 行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第六方面,本申请实施例提供一种通信装置,包括处理器和存储器;该存储器用于存储计算机执行指令,当该装置运行时,该处理器执行该存储器存储的该计算机执行指令,以使该装置执行如上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法。
第七方面,本申请实施例提供一种通信装置,包括用于执行上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法的各个步骤的单元或手段(means)。
第八方面,本申请实施例提供一种通信装置,包括处理器和接口电路,所述处理器用于通过接口电路与其它装置通信,并执行上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法。该处理器包括一个或多个。
第九方面,本申请实施例提供一种通信装置,包括处理器,用于与存储器相连,用于调用所述存储器中存储的程序,以执行上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法。该存储器可以位于该装置之内,也可以位于该装置之外。且该处理器包括一个或多个。
第十方面,本申请实施例还提供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得处理器执行上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法。
第十一方面,本申请实施例还提供一种计算机程序产品,该计算机产品包括计算机程序,当计算机程序运行时,使得上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法被执行。
第十二方面,本申请实施例还提供一种芯片系统,包括:处理器,用于执行上述第一方面至第四方面的方法,第一方面至第四方面的各可能的实现方法中的任意方法。
图1为本申请实施例所适用的一种网络架构示意图;
图2为本申请实施例提供的一种协议栈的示意图;
图3为单播连接的两个终端之间的一种密钥更新流程示意图;
图4为本申请实施例提供一种通信方法示意图;
图5为本申请实施例提供又一种通信方法示意图;
图6为本申请实施例提供又一种通信方法示意图;
图7为本申请实施例提供又一种通信方法示意图;
图8为本申请实施例提供的一种终端示意图。
如图1所示,为本申请实施例所适用的一种网络架构示意图,包括至少两个终端和至少一个网络设备。可选的,终端可以通过无线接口(如Uu口)与网络设备通信。终端之间可以通过网络设备进行通信,也可以进行直连通信,比如通过终端之间的PC5接口通信。终端之间的链路可以称为侧行链路,或者边链路,或者旁链路,或者PC5接口链路,或者 终端间链路。
终端(terminal),是一种具有无线收发功能的设备,可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等)。所述终端可以是手机(mobile phone)、平板电脑(pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端、增强现实(augmented reality,AR)终端、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端、用户设备(user equipment,UE)等。本申请实施例中的终端与终端之间支持直连通信,终端与终端之间的直连通信也可以称为D2D通信。
网络设备,是一种为终端提供无线通信功能的设备,网络设备包括但不限于:第五代(5th generation,5G)中的下一代基站(g nodeB,gNB)、演进型节点B(evolved node B,eNB)、无线网络控制器(radio network controller,RNC)、节点B(node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、家庭基站(例如,home evolved nodeB,或home node B,HNB)、基带单元(baseBand unit,BBU)、传输点(transmitting and receiving point,TRP)、发射点(transmitting point,TP)、移动交换中心等。
5G独立部署时,网络设备的逻辑体系可以采用集中单元(centralized unit,CU)和分布单元(distributed unit,DU)分离模式。基于协议栈功能的配置,CU-DU逻辑体系可以分为两种,即CU-DU分离架构和CU-DU融合架构。针对CU-DU分离架构,协议栈的功能可以动态配置和分割,其中一些功能在CU中实现,剩余功能在DU中实现。为满足不同分割选项的需求,需要支持理想传输网络和非理想传输网络。CU与DU之间的接口应当遵循第三代合作伙伴计划(3rd generation partnership project,3GPP)规范要求。针对CU-DU融合架构,CU和DU的逻辑功能整合在同一个网络设备中,以实现协议栈的全部功能。
随着技术的发展,5G NR技术引入D2D通信和终端间的协作通信。NR V2X标准已经支持三种类型的侧行链路通信模式,包括广播、组播和单播。针对NR V2X单播连接,标准上已经允许两个单播连接的两个终端之间的通信进行加密和完整性保护,并且允许终端之间更新密钥。单播连接密钥更新是指侧行链路的两个终端更新数据传输的完整性保护算法和加密算法的过程,密钥更新在各自的PC5-S层完成,更新后的密钥需要被接入层(access stratum,AS)层的分组数据汇聚协议(Packet Data Convergence Protocol,PDCP)实体使用。
如图2所示,为本申请实施例提供的一种协议栈的示意图。终端的协议栈至少包括:应用层、无线资源控制(Radio Resource Control,RRC)层、PDCP层、无线链路控制(radio link control,RLC)层、媒体接入控制(media access control,MAC)层、物理层(PHY layer)。其中,RRC层、PDCP层、RLC层、MAC层、PHY层可以统称为属于接入层(AS)。
应用层,例如包括PC5-S层或V2X层,用于执行应用层面的控制。
RRC层用于支持无线资源的管理、RRC连接控制等功能。
对于其他的协议层,例如PDCP层、RLC层等,其定义与功能可以参见现有技术的说明,在此不再赘述。
如图3所示,为单播连接的两个终端之间的一种密钥更新流程示意图。包括以下步骤:
步骤301,第一终端向第二终端发送密钥更新请求消息。相应地,第二终端可以接收到该密钥更新请求消息。
该密钥更新请求消息用于请求更新该单播连接的密钥。该密钥更新请求消息比如可以是DirectRekeyRequest消息。
该密钥更新请求消息携带第一终端的安全能力信息、密钥更新请求指示和新的密钥标识的高8位。安全能力信息包括第一终端能够在该单播连接中支持的安全算法。这里的安全算法包括完整性保护算法和/或加密算法。
需要说明的是,第一终端与第二终端之间的密钥更新流程中,第一终端向第二终端发送密钥更新请求消息,是为了获取一个256位的新的密钥,可以通过新的密钥的标识(也称为新的密钥标识)进行标识。该新的密钥标识为16位,其中高8位是由第一终端提前确认的,低8位是由第二终端确认的。由第一终端将新的密钥标识的高8位发送给第二终端,由第二终端将新的密钥标识的低8位发送给第一终端,从而第一终端和第二终端都可以获得新的密钥标识。
步骤302,第二终端选择新的安全算法,并确定新的密钥。
第二终端根据第一终端的安全能力信息,从第一终端支持的完整性保护算法中选择一个完整性保护算法,和/或从第一终端支持的加密算法中选择一个加密算法。然后第二终端基于选择的完整性保护算法和/或选择的加密算法,确定一个新的密钥。
在第二终端确定新的密钥之后,则建立新秘钥的安全上下文,后续第二终端可以开始在该单播连接上从第一终端接收使用新的密钥加密的数据。或者理解为,第二终端开启了在该单播连接上从第一终端接收使用新的密钥加密的数据的功能。
需要说明的是,第一终端与第二终端之间可以建立多条单播连接,每个单播连接使用一个密钥。第一终端与第二终端之间协商的新的密钥是针对其中某个单播连接的。
步骤303,第二终端向第一终端发送安全模式命令消息。相应地,第二终端可以接收到该安全模式命令消息。
该安全模式命令消息比如可以是DirectSecurityModeCommand消息。
该安全模式命令消息中携带第二终端选择的新的完整性保护算法和/或新的加密算法的指示、第一终端的安全能力信息和新的密钥标识的低8位。
步骤304,第一终端确定新的密钥。
第一终端先对接收到的安全模式命令消息进行完整性校验,并对携带的第一终端的安全能力信息进行验证,当验证结果都为正确,则第一终端根据安全模式命令消息中指示的新的完整性保护算法和/或新的加密算法,按照与第二终端相同的密钥推演方法,得到新的密钥,该新的密钥与第二终端推演得到的新的密钥相同。
第一终端确定新的密钥之后,则建立新秘钥的安全上下文,确定后续可以开始在该单播连接上从第二终端接收使用新的密钥加密的数据,以及可以使用新的密钥对需要在该单播连接上发送至第二终端的数据进行加密。或者理解为,第二终端开启了在该单播连接上从第一终端接收使用新的密钥加密的数据的功能,以及开启了使用新的密钥对需要在该单 播连接上发送至第二终端的数据进行加密的功能。
步骤305,第一终端向第二终端发送安全模式完成消息。相应地,第二终端可以接收到该安全模式完成消息。
该安全模式完成消息例如可以是DirectSecurityModeComplete消息,用于指示第一终端已经完成密钥更新。
第二终端对接收到的安全模式完成消息进行完整性校验,当校验结果为正确,则第二终端确认第一终端的密钥更新正确。
第二终端确认第一终端的密钥更新正确之后,则确定后续可以使用新的密钥对需要在该单播连接上发送至第一终端的数据进行加密。或者理解为,第二终端开启了使用新的密钥对需要在该单播连接上发送至第一终端的数据进行加密的功能。
步骤306,第二终端删除旧的密钥对应的密钥安全上下文。
第二终端确认第一终端的密钥更新正确之后,后续将使用新的密钥向第一终端发送数据,因而删除旧的密钥对应的密钥安全上下文。
步骤307,第二终端向第一终端发送第一信令。相应地,第一终端可以接收到该第一信令。
该第一信令是使用新的密钥进行加密的。
步骤308,第一终端删除旧的密钥对应的密钥安全上下文。
第一终端解析第一信令,若能正确解析,表明第一终端可以正确接收使用新的密钥加密的数据,因而可以删除旧的密钥对应的密钥安全上下文。
需要说明的是,上述步骤306也可以是在步骤307之后执行。
通过上述过程,实现了第一终端与第二终端之间的密钥更新,可以提升通信的安全性。
针对上述第一终端与第二终端之间的密钥更新流程,至少存在以下两个问题:
问题1)、第二终端接收数据与发送数据开始使用新的密钥的时机是不同的。具体的,第二终端在确定新的密钥之后,则可以开始从第一终端接收使用新的密钥加密的数据,但是在确认第一终端的密钥更新正确之后才确定可以使用新的密钥对需要发送至第一终端的数据进行加密。由于第二终端接收数据与发送数据开始使用新的密钥的时机不同,则第二终端的AS层如何获知在何时可以开始使用新的密钥对需要发送至第一终端的数据进行加密,以及如何获知在何时可以从第一终端接收使用新的密钥加密的数据,以保障第二终端与第一终端之间的正确通信,是有待解决的问题。
问题2)、第一终端与第二终端删除旧的密钥对应的密钥安全上下文的时机是不同的。参考图3,第一终端是在步骤307之后删除旧的密钥对应的密钥安全上下文,而第二终端是在步骤305之后删除旧的密钥对应的密钥安全上下文。第二终端删除了旧的密钥对应的密钥安全上下文后,可能继续收到第一终端发送的使用旧的密钥加密的数据。由于侧行链路密钥更新的流程中没有引入RLC实体重建立及MAC实体重置等流程,因此从第一终端接收到的使用旧的密钥加密的数据可能包括:RLC缓存区未传完的数据、MAC层缓存区未传完的数据、传输失败导致重传的数据中的一种或多种。此时,第二终端如何识别并处理这些使用旧的密钥加密的数据,以保障第二终端与第一终端之间的正确通信,也是有待解决的问题。
此外,在第一终端与第二终端完成密钥更新流程之后的正常通信过程中,还可能出现 以下问题:
问题3)、第一终端或第二终端对接收到的消息执行完整性保护校验失败的情况。该情况下,第一终端或第二终端该如何处理,以保障第二终端与第一终端之间的正确通信,也是有待解决的问题。
为解决上述问题1)至3),本申请实施例提供不同的通信方法。需要说明的是,在这些通信方法中提到的密钥(如旧的密钥或新的密钥)均是针对第一终端与第二终端之间建立的某一条特定的单播连接。或者理解为,第一终端与第二终端之间可以建立多条单播连接,每个单播连接使用一个密钥。
为解决上述问题1),本申请实施例提供一种通信方法。该方法适用于第一终端与第二终端之间,且第一终端与第二终端之间通过单播连接通信。
如图4所示,该方法包括以下步骤:
步骤401,第一终端在确定新的密钥之后,第一终端的应用层向第一终端的接入层发送第一指示,该第一指示用于指示重建立用于接收数据的PDCP实体或用于指示PDCP层能够使用新的密钥处理单播连接上的接收数据。该新的密钥用于第一终端与第二终端之间的单播连接的通信。
其中,第一指示用于指示PDCP层能够使用新的密钥处理单播连接上的接收数据,也可以理解为用于指示PDCP层能够接收使用该新的密钥进行加密的数据,或者也可以理解为用于指示PDCP层具有使用所述新的密钥处理单播连接上的接收数据的能力。
所述第一指示可以是第一终端的应用层向第一终端的接入层发送的一个新的密钥处理接收数据的能力指示,触发第一终端的应用层使用新的密钥及完整性保护和加密算法,使得第一终端具备使用新的密钥处理所述单播连接上的接收数据的能力。第一指示也可以是第一终端的应用层向第一终端的接入层发送的一个该单播连接相关的接收数据的PDCP实体的重建立指示,所述接收数据的PDCP实体重建立过程中应用了新的密钥及新的完整性保护和加密算法,使得第一终端具备使用新的密钥处理所述单播连接上的接收数据的能力。
用于接收数据的PDCP实体关联于第一终端与第二终端之间的单播连接。或者理解为,第一终端与第二终端之间可能会存在多个单播连接,用于接收数据的PDCP实体关联于其中一个单播连接。当有多个单播连接时,则需要不同的PDCP实体关联于不同的单播连接。
其中,第一终端的应用层可以是PC5-S层或V2X层。
第一终端的应用层向接入层发送第一指示,比如可以是应用层向PDCP层发送第一指示。再比如还可以是应用层向RRC层发送第一指示,RRC层接收到第一指示后,可以指示PDCP层重建立用于接收单播连接的数据的PDCP实体。具体的,重建立用于使用新的密钥处理单播连接上的接收数据的PDCP实体,也即新建立的PDCP实体使用新的密钥对接收到的单播连接的数据进行解密。
作为一种实现方法,第一终端在确定新的密钥之后,比如可以是在向第二终端发送了安全模式命令消息(如图3实施例中的步骤303的消息)之后。
作为另一种实现方法,第一终端在确定新的密钥之后,比如还可以是第一终端在接收密钥更新请求消息(如图3实施例中的步骤301的消息)并基此确定能够使用新的密钥处 理单播连接上的接收数据之后。其中,第一终端在确定能够使用新的密钥处理单播连接上的接收数据,也可以理解为是第一终端能够使用旧的密钥处理单播连接上的发送数据以及能够使用新的密钥处理单播连接上的接收数据。
步骤402,第一终端在接收到使用新的密钥加密的信息(如信令(signalling)、消息或数据)之后,第一终端的应用层向第一终端的接入层发送第二指示,该第二指示用于指示重建立用于发送数据的PDCP实体或用于指示PDCP层能够使用新的密钥处理单播连接上的发送数据。
其中,第二指示用于指示PDCP层能够使用新的密钥处理单播连接上的发送数据,也可以理解为用于指示PDCP层能够发送使用该新的密钥进行加密的单播连接的数据,或者也可以理解为用于指示PDCP层能够使用该新的密钥对需要发送的单播连接的数据进行加密并发送,或者也可以理解为用于指示PDCP层具有使用所述新的密钥处理单播连接上的发送数据的能力。
具体的,所述第二指示可以是第一终端的应用层向第一终端的接入层发送的一个新的密钥处理发送数据的能力指示,触发第一终端的应用层去应用新的密钥及完整性保护和加密算法,使得第一终端具备使用新的密钥处理所述单播连接上的发送数据的能力;也可以是第一终端的应用层向第一终端的接入层发送的一个该单播连接相关的发送数据的PDCP实体的重建立指示,所述接收数据的PDCP实体重建立过程中应用了新的密钥及新的完整性保护和加密算法,使得第一终端具备使用新的密钥处理所述单播连接上的发送数据的能力。
用于发送数据的PDCP实体关联于第一终端与第二终端之间的单播连接。或者理解为,第一终端与第二终端之间可能会存在多个单播连接,用于发送数据的PDCP实体关联于其中一个单播连接。当有多个单播连接时,则需要不同的PDCP实体关联于不同的单播连接。
需要说明的是,该实施例中的用于发送数据的PDCP实体与用于接收数据的PDCP实体是关联到同一个单播连接的。
第一终端的应用层向接入层发送第二指示,比如可以是应用层向PDCP层发送第一指示。或者还可以是应用层向RRC层发送第二指示,RRC层接收到第二指示后,可以指示PDCP层重建立用于发送数据的PDCP实体。具体的,重建立用于使用新的密钥对需要发送的单播连接的数据进行加密和发送的PDCP实体。
作为一种实现方法,第一终端在接收到使用新的密钥加密的数据之后,比如可以是在从第二终端接收到安全模式完成消息(如图3实施例中的步骤305的消息)之后。
作为另一种实现方法,第一终端在确定新的密钥之后,也可以是第一终端在确定能够使用新的密钥处理单播连接上的发送数据之后,比如可以是验证从第一终端接收到的新的密钥加密的数据正确并基此认为第一终端已经确认新的密钥并建立了新的密钥相关的安全上下文之后。其中,第一终端在确定能够使用新的密钥处理单播连接上的发送数据,也可以理解为是第一终端能够使用新的密钥处理单播连接上的接收数据以及能够使用新的密钥处理单播连接上的发送数据。
需要说明的是,该图4实施例中的第一终端可以是图3实施例中的第二终端,该图4实施例中的第二终端可以是图3实施例中的第一终端。
作为一种实现方法,上述第一指示也可以称为PDCP实体重建立指示。当PDCP层接收到第一指示,则会重建立PDCP实体。上述第二指示也可以称为PDCP实体重建立指示。 当PDCP层接收到第二指示,则会重建立PDCP实体。
基于上述方案,终端的应用层可以在相应的时间点上通知接入层可以开始使用新的密钥对接收到数据进行解密,以及在相应的时间点上通知接入层可以开始使用新的密钥对需要发送的数据进行加密,从而可以保障第一终端与第二终端之间的正确通信。
在一种实现方法中,针对上述图3实施例中的第一终端、或上述图4实施例中的第二终端,该终端在确定新的密钥之后,该终端的应用层向该终端的接入层发送第三指示,该第三指示用于指示重建立用于发送数据的PDCP实体以及重建立用于接收数据的PDCP实体,或者用于指示PDCP层能够使用新的密钥处理单播连接上的发送数据和接收数据。
需要说明的是,用于发送单播连接的数据的PDCP实体与用于接收单播连接的数据的PDCP实体是不同的PDCP实体。
其中,第三指示用于指示PDCP层能够使用新的密钥处理单播连接上的发送数据和接收数据,也可以理解为用于指示PDCP层能够使用该新的密钥对需要发送的单播连接的数据进行加密及发送,以及能够对接收到的单播连接的数据使用新的密钥进行解密。作为一种实现方法,上述第三指示也可以称为PDCP实体重建立指示。当PDCP层接收到第三指示,则会重建立PDCP实体。
其中,终端的应用层可以是PC5-S层或V2X层。
终端的应用层向接入层发送第三指示,比如可以是应用层向PDCP层发送第一指示。再比如还可以是应用层向RRC层发送第三指示,RRC层接收到第三指示后,可以指示PDCP层重建立用于发送单播连接的数据的PDCP实体以及重建立用于接收单播连接的数据的PDCP实体。
作为一种实现方法,终端在确定新的密钥之后,例如可以是在确定新的密钥之后以及在发送安全模式完成消息(如图3实施例中的步骤305的消息)之前。
作为另一种实现方法,终端在确定新的密钥之后,还可以是终端在确定能够使用新的密钥处理单播连接上的发送数据和接收数据之后。例如可以是在接收并验证第二终端发送的安全模式命令消息(如图3实施例中的步骤303的消息)正确,并基此认为第二终端已经确认新的密钥并建立了新的密钥相关的安全上下文之后。
为解决上述问题2),本申请实施例提供一种通信方法,该方法适用于第一终端与第二终端之间,且第一终端与第二终端之间通过单播连接通信。
如图5所示,该方法包括以下步骤:
步骤501,第一终端接收来自第二终端的第一数据包,该第一数据携带密钥标识,该密钥标识对应的密钥用于第一终端与第二终端之间的单播连接的通信。
该第一数据包是使用该密钥标识对应的密钥进行加密的。比如,第一数据包可以是接收数据的PDCP实体从下层接收的PDCP Data协议数据单元(protocol data unit,PDU),包括控制面的数据包和/或用户面的数据包。
在正常情况下,第一终端会存储该密钥标识对应的密钥安全上下文。在某些情况下,比如图3实施例中的密钥更新流程中,第一终端也会删除旧的密钥对应的密钥安全上下文,并建立新的密钥对应的密钥安全上下文。
在删除了旧的密钥对应的密钥安全上下文之后,第一终端也可能会继续收到使用旧的 密钥进行加密的数据。如上述图3实施例中的第二终端,在删除了旧的密钥对应的密钥安全上下文之后,可能会继续收到使用旧的密钥进行加密的数据。
步骤502,若第一终端内没有存储有该密钥标识对应的密钥安全上下文,则第一终端丢弃该第一数据包。
若第一终端内存储有该密钥标识对应的密钥安全上下文,则第一终端接收并处理该第一数据包。比如第一终端使用该密钥标识对应的密钥对该第一数据包进行解密。
若第一终端内没有存储有该密钥标识对应的密钥安全上下文,表明第一终端与第二终端曾经使用该密钥标识对应的密钥,但由于某些原因,如密钥更新,导致第一终端删除了该密钥对应的密钥安全上下文。因此,第一终端若继续收到该密钥对应的密钥安全上下文,则第一终端将无法解密该第一数据,因而第一终端可以丢弃该第一数据包。
作为一个示例,该实施例中的第一终端可以是图3对应实施例中的第二终端。
基于上述方案,第一终端接收到携带密钥标识的第一数据包之后,若第一终端没有存储该密钥标识对应的密钥安全上下文,则第一终端丢弃该第一数据包,而现有技术中是在解析该第一数据包并传输到互联网协议(internet protocol,IP)层后才发现解析错误,进而丢弃该第一数据包。可以看出,本申请上述方案可以提前丢弃无法解析的数据包,因而可以保障该终端与其他终端之间的正确通信,同时还可以节约资源开销。
为解决上述问题3),本申请实施例提供一种通信方法,该方法适用于第一终端与第二终端之间,且第一终端与第二终端之间通过单播连接通信。
其中,第一终端与第二终端之间建立单播连接的过程为:第一终端与第二终端之间先建立单播连接,在单播连接建立成功后,则自动建立第一终端与第二终端之间的RRC连接。
第一终端与第二终端之间断开单播连接的过程为:第一终端与第二终端之间先断开单播连接,在单播连接断开成功后,则自动断开第一终端与第二终端之间的RRC连接。
如图6所示,该方法包括以下步骤:
步骤601,第一终端对接收到的RRC消息进行完整性保护校验。
该步骤中的RRC消息也可以称为PC5-RRC消息。第一终端是从与第一终端建立了单播连接的第二终端接收到的RRC消息,并且对该RRC消息进行完整性保护校验。
步骤602,当所述完整性保护校验失败,第一终端的RRC层向第一终端的应用层发送第一指示和第二终端的标识,所述第一指示和所述第二终端的标识用于所述应用层断开所述第一终端与所述第二终端之间的单播连接。
这里的应用层可以是PC5-S层或V2X层。
第一终端的应用层从RRC层接收到第一指示和第二终端的标识之后,则根据第一指示和第二终端的标识,断开第一终端与第二终端之间的单播连接。对接收到的消息执行完整性保护校验失败的原因可能是攻击者篡改了接收到的RRC消息中的某些信息,因此该方法通过断开两个终端之间的单播连接,可以保障通信安全。
可选的,第一终端的应用层还可以更新层2标识(Layer2ID),即第一终端的MAC层身份标识,从而提升通信安全。
可选的,第一终端还可以使用新的密钥,重新建立与第二终端之间的单播连接,从而提升通信安全。
基于上述方案,在第一终端对接收到的消息执行完整性保护校验失败的情况下,第一终端的RRC层可以向应用层上报第一指示和第二终端的标识,触发应用层断开第一终端与第二终端之间的单播连接。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,因而可以保障第二终端与第一终端之间的正确通信。并且,对接收到的消息执行完整性保护校验失败的原因一般是攻击者篡改了RRC消息中的某些信息,因此该方法通过断开两个终端之间的单播连接,可以保障通信安全。
作为示例,下面给出上述步骤602中的第一指示的两种不同实现方法。
方法1,第一指示为RRC连接断开指示。
该RRC连接断开指示用于指示第一终端与第二终端之间的RRC连接已经断开。
也即,基于该方法1,则在步骤601之后,第一终端先断开第一终端与第二终端之间的RRC连接,然后在上述步骤602中第一终端的RRC层向应用层发送RRC连接断开指示和第二终端的标识。第一终端的应用层根据RRC连接断开指示,确定第一终端与第二终端之间的RRC连接已经断开,则触发第一终端的应用层断开第一终端与第二终端之间的单播连接。
方法2,第一指示为完整性保护校验失败指示。
该完整性保护校验失败指示用于指示第一终端对接收到的RRC消息进行完整性保护校验失败。
也即,基于该方法2,第一终端的RRC层在上述步骤601中对接收到的RRC消息进行完整性保护校验失败后,在上述步骤602中向第一终端的应用层发送完整性保护校验失败指示和第二终端的标识。第一终端的应用层根据完整性保护校验失败指示和第二终端的标识,断开第一终端与第二终端之间的单播连接。在第一终端与第二终端之间的单播连接断开之后,第一终端与第二终端之间的RRC连接也将自动断开。
为解决上述问题3),本申请实施例提供另一种通信方法,如图7所示,该方法包括以下步骤:
步骤701,第一终端对接收到的RRC消息进行完整性保护校验。
该步骤中的RRC消息也可以是PC5-RRC消息。第一终端是从与第一终端建立了单播连接的第二终端接收到的RRC消息,并且对该RRC消息进行完整性保护校验。
步骤702,当所述完整性保护校验失败,第一终端向网络设备发送侧行链路信息,该侧行链路信息包括第二指示和第二终端的标识。
作为一种实现方法,上述第二指示是一个完整性保护校验失败指示,用于指示第一终端对接收到的来自第二终端的RRC消息进行完整性保护校验失败。从而网络设备获知第一终端对接收到的来自第二终端的RRC消息完整性保护校验失败。
作为另一种实现方法,上述第二指示还可以用于指示第一终端与第二终端之间的单播连接发生无线链路失败(Radio Link Failure,RLF)且失败原因是对接收到的来自第二终端的RRC消息进行完整性保护校验失败。从而网络设备获知第一终端对接收到的来自第二终端的RRC消息完整性保护校验失败。
可选的,网络设备获知第一终端对接收到的来自第二终端的RRC消息完整性保护校验失败之后,可以尝试寻找攻击者或者是触发报警等。
基于上述方案,在第一终端对接收到的RRC消息执行完整性保护校验失败的情况下, 第一终端可以向网络设备上报第二指示和第二终端的标识。由于给定了对接收到的消息执行完整性保护校验失败的情况下的处理机制,使得网络设备可以基于上报的信息去排查第一终端与第二终端之间的单播连接故障,因而可以保障第二终端与第一终端之间的正确通信。
上述图6实施例或图7实施例中,当第一终端对接收到的控制面的RRC消息进行完整性保护校验失败时,给出了相应的处理方法。在另一种场景下,如果第一终端对接收到的用户面消息进行完整性保护校验失败,则第一终端可以向网络设备发送侧行链路信息,该侧行链路信息包括完整性保护校验失败指示和第二终端的标识。也即,当第一终端在对接收到的用户面消息进行完整性保护校验失败后,触发第一终端向网络设备上报携带完整性保护校验失败指示和第二终端的标识的侧行链路信息,从而网络设备获知第一终端对接收到的来自第二终端的RRC消息完整性保护校验失败。
可选的,网络设备获知第一终端对接收到的来自第二终端的用户面消息完整性保护校验失败之后,可以尝试寻找攻击者或者是触发报警等。
可选的,第一终端在确定由于用户面消息完整性保护校验失败而丢弃的数据包达到预设的一个阈值时,才触发第一终端向网络设备上报携带完整性保护校验失败指示和第二终端的标识的侧行链路信息。
基于上述方案,在第一终端对接收到的用户面消息执行完整性保护校验失败的情况下,第一终端可以向网络设备上报完整性保护校验失败指示和第二终端的标识。由于给定了对接收到的用户面消息执行完整性保护校验失败的情况下的处理机制,使得网络设备可以基于上报的信息去排查第一终端与第二终端之间的单播连接故障,因而可以保障第二终端与第一终端之间的正确通信。
需要说明的是,本申请中上述各个实施例可以单独实施例,也可以相互结合实施。具体的,图4至图7分别对应的实施例中的任意两个或两个以上的实施例都可以相互结合进行实施。
需要说明的是,本申请上述任一实施例中的第二终端的标识,在具体实现中,比如可以是:第二终端的层2标识、或IP地址、或用户识别模块(Subscriber Identity Module,SIM)等。
参考图8,为本申请实施例提供的一种终端的结构示意图。该终端用于实现以上实施例中终端(如第一终端或第二终端)的操作。如图8所示,该终端包括:天线810、射频装置820、信号处理部分830。天线810与射频装置820连接。在下行方向上,射频装置820通过天线810接收网络设备或其他终端发送的信息,将网络设备或其他终端发送的信息发送给信号处理部分830进行处理。在上行方向上,信号处理部分830对终端的信息进行处理,并发送给射频装置820,射频装置820对终端的信息进行处理后经过天线810发送给网络设备或其他终端。
信号处理部分830用于实现对数据各通信协议层的处理。信号处理部分830可以为该终端的一个子系统,则该终端还可以包括其它子系统,例如中央处理子系统,用于实现对终端操作系统以及应用层的处理;再如,周边子系统用于实现与其它设备的连接。信号处理部分830可以为单独设置的芯片。可选的,以上的装置可以位于信号处理部分830。
信号处理部分830可以包括一个或多个处理元件831,例如,包括一个主控CPU和其它集成电路,以及包括接口电路833。此外,该信号处理部分830还可以包括存储元件832。存储元件832用于存储数据和程序,用于执行以上方法中终端所执行的方法的程序可能存储,也可能不存储于该存储元件832中,例如,存储于信号处理部分830之外的存储器中,使用时信号处理部分830加载该程序到缓存中进行使用。接口电路833用于与装置通信。以上装置可以位于信号处理部分830,该信号处理部分830可以通过芯片实现,该芯片包括至少一个处理元件和接口电路,其中处理元件用于执行以上终端执行的任一种方法的各个步骤,接口电路用于与其它装置通信。在一种实现中,实现以上方法中各个步骤的单元可以通过处理元件调度程序的形式实现,例如该装置包括处理元件和存储元件,处理元件调用存储元件存储的程序,以执行以上方法实施例中终端执行的方法。存储元件可以为处理元件处于同一芯片上的存储元件,即片内存储元件。
在另一种实现中,用于执行以上方法中终端所执行的方法的程序可以在与处理元件处于不同芯片上的存储元件,即片外存储元件。此时,处理元件从片外存储元件调用或加载程序于片内存储元件上,以调用并执行以上方法实施例中终端执行的方法。
在又一种实现中,终端实现以上方法中各个步骤的单元可以是被配置成一个或多个处理元件,这些处理元件设置于信号处理部分830上,这里的处理元件可以为集成电路,例如:一个或多个ASIC,或,一个或多个DSP,或,一个或者多个FPGA,或者这些类集成电路的组合。这些集成电路可以集成在一起,构成芯片。
实现以上方法中各个步骤的单元可以集成在一起,以片上系统(system-on-a-chip,SOC)的形式实现,该SOC芯片,用于实现以上方法。该芯片内可以集成至少一个处理元件和存储元件,由处理元件调用存储元件的存储的程序的形式实现以上终端执行的方法;或者,该芯片内可以集成至少一个集成电路,用于实现以上终端执行的方法;或者,可以结合以上实现方式,部分单元的功能通过处理元件调用程序的形式实现,部分单元的功能通过集成电路的形式实现。
可见,以上装置可以包括至少一个处理元件和接口电路,其中至少一个处理元件用于执行以上方法实施例所提供的任一种终端执行的方法。处理元件可以以第一种方式:即调用存储元件存储的程序的方式执行终端执行的部分或全部步骤;也可以以第二种方式:即通过处理器元件中的硬件的集成逻辑电路结合指令的方式执行终端执行的部分或全部步骤;当然,也可以结合第一种方式和第二种方式执行终端执行的部分或全部步骤。
这里的处理元件同以上描述,可以是通用处理器,例如CPU,还可以是被配置成实施以上方法的一个或多个集成电路,例如:一个或多个ASIC,或,一个或多个微处理器DSP,或,一个或者多个FPGA等,或这些集成电路形式中至少两种的组合。存储元件可以是一个存储器,也可以是多个存储元件的统称。
本领域普通技术人员可以理解:本申请中涉及的第一、第二、第三等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。“至少一个”是指一个或者多个。至少两个是指两个或者多个。“至少一个”、“任意一个”或其类似表达,是指的这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b,或c中的至少一项(个、种),可以表示:a,b,c,a-b,a-c,b-c,或a-b-c, 其中a,b,c可以是单个,也可以是多个。“多个”是指两个或两个以上,其它量词与之类似。
应理解,在本申请的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包括一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘(solid state disk,SSD))等。
本申请实施例中所描述的各种说明性的逻辑单元和电路可以通过通用处理器,数字信号处理器,专用集成电路(ASIC),现场可编程门阵列(FPGA)或其它可编程逻辑装置,离散门或晶体管逻辑,离散硬件部件,或上述任何组合的设计来实现或操作所描述的功能。通用处理器可以为微处理器,可选地,该通用处理器也可以为任何传统的处理器、控制器、微控制器或状态机。处理器也可以通过计算装置的组合来实现,例如数字信号处理器和微处理器,多个微处理器,一个或多个微处理器联合一个数字信号处理器核,或任何其它类似的配置来实现。
本申请实施例中所描述的方法或算法的步骤可以直接嵌入硬件、处理器执行的软件单元、或者这两者的结合。软件单元可以存储于随机存取存储器(Random Access Memory,RAM)、闪存、只读存储器(Read-Only Memory,ROM)、EPROM存储器、EEPROM存储器、寄存器、硬盘、可移动磁盘、CD-ROM或本领域中其它任意形式的存储媒介中。示 例性地,存储媒介可以与处理器连接,以使得处理器可以从存储媒介中读取信息,并可以向存储媒介存写信息。可选地,存储媒介还可以集成到处理器中。处理器和存储媒介可以设置于ASIC中。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。
尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。
Claims (31)
- 一种通信方法,其特征在于,包括:第一终端对接收到的无线资源控制RRC消息进行完整性保护校验;当所述完整性保护校验失败,所述第一终端的RRC层向所述第一终端的应用层发送第一指示和第二终端的标识,所述第一指示和所述第二终端的标识用于所述应用层断开所述第一终端与所述第二终端之间的单播连接。
- 如权利要求1所述的方法,其特征在于,还包括:所述第一终端的RRC层断开所述第一终端与所述第二终端之间的RRC连接;则所述第一指示为RRC连接断开指示,用于指示所述第一终端与所述第二终端之间的RRC连接已经断开。
- 如权利要求1所述的方法,其特征在于,所述第一指示为完整性保护校验失败指示,用于指示所述第一终端对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
- 如权利要求1-3任一所述的方法,其特征在于,还包括:所述第一终端的应用层更新所述第一终端的层2标识。
- 如权利要求1-4任一所述的方法,其特征在于,还包括:所述第一终端使用新的密钥,重新建立与所述第二终端之间的单播连接。
- 如权利要求1-5任一所述的方法,其特征在于,还包括:所述第一终端向网络设备发送侧行链路信息,所述侧行链路信息包括第二指示和第二终端的标识,所述第二指示用于指示所述第一终端与所述第二终端之间的单播连接发生无线链路失败且失败原因是对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
- 一种通信方法,其特征在于,包括:第一终端在确定新的密钥之后,所述第一终端的应用层向所述第一终端的接入层发送第一指示,用于指示重建立用于接收数据的分组数据汇聚协议PDCP实体或用于指示PDCP层能够使用所述新的密钥处理单播连接上的接收数据,所述新的密钥用于所述第一终端与第二终端之间的所述单播连接的通信,所述用于接收数据的PDCP实体关联于所述单播连接;所述第一终端在接收到使用所述新的密钥加密的信息之后,所述第一终端的应用层向所述第一终端的接入层发送第二指示,用于指示重建立用于发送数据的PDCP实体或用于指示PDCP层能够使用所述新的密钥处理所述单播连接上的发送数据,所述用于发送数据的PDCP实体关联于所述单播连接。
- 如权利要求7所述的方法,其特征在于,所述第一终端在确定新的密钥之后,所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端在确定所述新的密钥,以及向所述第二终端发送了安全模式命令消息之后,所述第一终端的应用层向所述第一终端的接入层发送所述第一指示;或者,所述第一终端在确定所述新的密钥,以及确定能够使用所述新的密钥处理所述单播连接上的接收数据之后,所述第一终端的应用层向所述第一终端的接入层发送所述第一指示。
- 如权利要求7或8所述的方法,其特征在于,所述第一终端在接收到使用所述新的密钥加密的信息之后,所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端在接收到使用所述新的密钥加密的安全模式完成消息之后,所述第一终端的应用层向所述第一终端的接入层发送所述第二指示;或者,所述第一终端在接收到使用所述新的密钥加密的信息,以及确定能够使用所述新的秘钥处理所述单播连接上的发送数据之后,所述第一终端的应用层向所述第一终端的接入层发送所述第二指示。
- 如权利要求7-9任一所述的方法,其特征在于,所述接入层为所述PDCP层;所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端的所述应用层向所述第一终端的所述PDCP层发送所述第一指示;所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端的所述应用层向所述第一终端的所述PDCP层发送所述第二指示。
- 如权利要求7-10任一所述的方法,其特征在于,所述接入层为RRC层;所述第一终端的应用层向所述第一终端的接入层发送第一指示,包括:所述第一终端的所述应用层通过所述RRC层,向所述第一终端的所述PDCP层发送所述第一指示;所述第一终端的应用层向所述第一终端的接入层发送第二指示,包括:所述第一终端的所述应用层通过所述RRC层,向所述第一终端的所述PDCP层发送所述第二指示。
- 一种通信方法,其特征在于,包括:第一终端接收来自第二终端的第一数据包,所述第一数据包携带密钥标识,所述密钥标识对应的密钥用于所述第一终端与所述第二终端之间的单播连接的通信;若所述第一终端内没有存储有所述密钥标识对应的密钥安全上下文,则所述第一终端丢弃所述第一数据包。
- 一种通信装置,其特征在于,包括:用于对接收到的无线资源控制RRC消息进行完整性保护校验的单元;用于当所述完整性保护校验失败,通过第一终端的RRC层向所述第一终端的应用层发送第一指示和第二终端的标识的单元,所述第一指示和所述第二终端的标识用于所述应用层断开所述第一终端与所述第二终端之间的单播连接。
- 如权利要求13所述的装置,其特征在于,所述装置还包括,用于通过所述第一终端的RRC层断开所述第一终端与所述第二终端之间的RRC连接的单元;则所述第一指示为RRC连接断开指示,用于指示所述第一终端与所述第二终端之间的RRC连接已经断开。
- 如权利要求13所述的装置,其特征在于,所述第一指示为完整性保护校验失败指示,用于指示所述第一终端对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
- 如权利要求13-15任一所述的装置,其特征在于,所述装置还包括,用于通过所述第一终端的应用层更新所述第一终端的层2标识的单元。
- 如权利要求13-16任一所述的装置,其特征在于,所述装置还包括,用于使用新的 密钥,重新建立与所述第二终端之间的单播连接的单元。
- 如权利要求13-17任一所述的装置,其特征在于,所述装置还包括,用于向网络设备发送侧行链路信息的单元,所述侧行链路信息包括第二指示和第二终端的标识,所述第二指示用于指示所述第一终端与所述第二终端之间的单播连接发生无线链路失败且失败原因是对接收到的来自所述第二终端的RRC消息进行完整性保护校验失败。
- 一种通信装置,其特征在于,包括:用于确定新的密钥的单元;用于在确定新的密钥之后,通过第一终端的应用层向所述第一终端的接入层发送第一指示,用于指示重建立用于接收数据的分组数据汇聚协议PDCP实体或用于指示PDCP层能够使用所述新的密钥处理单播连接上的接收数据的单元,所述新的密钥用于所述第一终端与第二终端之间的所述单播连接的通信,所述用于接收数据的PDCP实体关联于所述单播连接;以及,用于在接收到使用所述新的密钥加密的信息之后,通过所述第一终端的应用层向所述第一终端的接入层发送第二指示的单元,用于指示重建立用于发送数据的PDCP实体或用于指示PDCP层能够使用所述新的密钥处理所述单播连接上的发送数据,所述用于发送数据的PDCP实体关联于所述单播连接。
- 如权利要求19所述的装置,其特征在于,所述装置还包括,用于在确定所述新的密钥,以及向所述第二终端发送了安全模式命令消息之后,通过所述第一终端的应用层向所述第一终端的接入层发送所述第一指示的单元;或者,用于在确定所述新的密钥,以及确定能够使用所述新的密钥处理所述单播连接上的接收数据之后,通过所述第一终端的应用层向所述第一终端的接入层发送所述第一指示的单元。
- 如权利要求19或20所述的装置,其特征在于,所述装置还包括,用于在接收到使用所述新的密钥加密的安全模式完成消息之后,通过所述第一终端的应用层向所述第一终端的接入层发送所述第二指示的单元;或者,用于在接收到使用所述新的密钥加密的信息,以及所述处理单元确定能够使用所述新的秘钥处理所述单播连接上的发送数据之后,通过所述第一终端的应用层向所述第一终端的接入层发送所述第二指示的单元。
- 如权利要求19-21任一所述的装置,其特征在于,所述接入层为所述PDCP层。
- 如权利要求19-22任一所述的装置,其特征在于,所述接入层为RRC层。
- 一种通信装置,其特征在于,包括:用于接收来自第二终端的第一数据包的单元,所述第一数据包携带密钥标识,所述密钥标识对应的密钥用于第一终端与所述第二终端之间的单播连接的通信;用于若所述第一终端内没有存储有所述密钥标识对应的密钥安全上下文,则丢弃所述第一数据包的单元。
- 一种通信装置,其特征在于,包括:处理器和存储器;所述存储器用于存储计算机执行指令,当所述通信装置运行时,所述处理器执行所述存储器存储的所述计算机执行指令,以使所述通信装置执行如权利要求1-12任一项所述的通信方法。
- 一种芯片系统,其特征在于,包括:存储器,用于存储计算机程序;处理器,用于从所述存储器调用并运行所述计算机程序,使得安装有所述芯片系统的 设备执行如利要求1-12任一项所述的通信方法。
- 一种计算机可读存储介质,其特征在于,包括计算机程序,当其在计算机上运行时,使得所述计算机执行如利要求1-12任一项所述的通信方法。
- 一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机程序,当所述计算机程序运行时,使得权利要求1-12任一项所述的通信方法被执行。
- 一种通信系统,其特征在于,包括如权利要求13~18任一项所述的通信装置,或者如权利要求19-23任一项所述的通信装置,或者如权利要求24所述的通信装置。
- 如权利要求29所述的系统,其特征在于,还包括第二终端。
- 如权利要求29或30所述的系统,其特征在于,还包括网络设备。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP21807610.7A EP4145880A4 (en) | 2020-05-20 | 2021-05-20 | COMMUNICATION METHOD AND DEVICE |
US17/990,237 US20230085378A1 (en) | 2020-05-20 | 2022-11-18 | Communication Method and Apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010432218.XA CN113727338A (zh) | 2020-05-20 | 2020-05-20 | 通信方法及装置 |
CN202010432218.X | 2020-05-20 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/990,237 Continuation US20230085378A1 (en) | 2020-05-20 | 2022-11-18 | Communication Method and Apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021233358A1 true WO2021233358A1 (zh) | 2021-11-25 |
Family
ID=78671284
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/094751 WO2021233358A1 (zh) | 2020-05-20 | 2021-05-20 | 通信方法及装置 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20230085378A1 (zh) |
EP (1) | EP4145880A4 (zh) |
CN (1) | CN113727338A (zh) |
WO (1) | WO2021233358A1 (zh) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200107268A1 (en) * | 2018-09-28 | 2020-04-02 | Lg Electronics Inc. | Method and apparatus for entering a connected state with a network for continuing transmission in wireless communication system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102446197B1 (ko) * | 2017-06-14 | 2022-09-22 | 삼성전자주식회사 | Pdcp pdu들의 무결성 검사 실패의 핸들링을 위한 방법 및 사용자 단말기 |
-
2020
- 2020-05-20 CN CN202010432218.XA patent/CN113727338A/zh active Pending
-
2021
- 2021-05-20 EP EP21807610.7A patent/EP4145880A4/en active Pending
- 2021-05-20 WO PCT/CN2021/094751 patent/WO2021233358A1/zh unknown
-
2022
- 2022-11-18 US US17/990,237 patent/US20230085378A1/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200107268A1 (en) * | 2018-09-28 | 2020-04-02 | Lg Electronics Inc. | Method and apparatus for entering a connected state with a network for continuing transmission in wireless communication system |
Non-Patent Citations (3)
Title |
---|
CATT (RAPPORTEUR): "Summary of offline discussion for PDCP remaining issues (CATT)", 3GPP TSG-RAN WG2 MEETING #109BIS-E; R2-2004078, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. Online Meeting ;20200420 - 20200430, 1 May 2020 (2020-05-01), Online Meeting ;20200420 - 20200430, XP051879347 * |
HUAWEI, HISILICON: "Considerations on RLM for NR V2X unicast", 3GPP TSG-RAN WG2 MEETING#106; R2-1907419 CONSIDERATIONS ON RLM FOR NR V2X UNICAST, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, 13 May 2019 (2019-05-13), Reno, USA; 20190513 - 20190517, XP051730855 * |
LG ELECTRONICS, ERICSSON: "PC5 unicast link handling regarding RLF", 3GPP TSG-SA WG2 MEETING #136; S2-1911373, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. Reno, USA; 20191118 - 20191122, 8 November 2019 (2019-11-08), Reno, USA; 20191118 - 20191122, XP051821465 * |
Also Published As
Publication number | Publication date |
---|---|
EP4145880A4 (en) | 2023-10-18 |
EP4145880A1 (en) | 2023-03-08 |
US20230085378A1 (en) | 2023-03-16 |
CN113727338A (zh) | 2021-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9801072B2 (en) | Non-access stratum architecture and protocol enhancements for long term evolution mobile units | |
US10470234B2 (en) | Communication method, network-side device, and user equipment | |
WO2019095885A1 (zh) | 网络接入的方法、终端设备和网络设备 | |
US11818139B2 (en) | Data integrity protection method and apparatus | |
WO2019062996A1 (zh) | 一种安全保护的方法、装置和系统 | |
WO2020052416A1 (zh) | 一种安全保护方法、设备及系统 | |
WO2018058687A1 (zh) | 一种处理控制信令的方法、设备及系统 | |
WO2015165051A1 (zh) | 数据传输方法及设备 | |
WO2019095990A1 (zh) | 一种通信方法及装置 | |
US20220303763A1 (en) | Communication method, apparatus, and system | |
EP4005261A1 (en) | Security key updates in dual connectivity | |
WO2023179679A1 (zh) | 一种基于信道秘钥的加密方法及装置 | |
WO2020159654A1 (en) | Integrity protection with message authentication codes having different lengths | |
WO2014040259A1 (zh) | 一种rrc连接重建方法、设备和网络系统 | |
WO2021233358A1 (zh) | 通信方法及装置 | |
WO2022151086A1 (zh) | 集成的接入和回传的通信方法以及装置 | |
WO2021168713A1 (zh) | 通信方法及装置 | |
WO2023098209A1 (zh) | 一种数据传输保护方法、设备及系统 | |
WO2023011263A1 (zh) | 消息传输方法及通信装置 | |
CN114208240B (zh) | 数据传输方法、装置及系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21807610 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2021807610 Country of ref document: EP Effective date: 20221202 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |