WO2022021198A1 - Communication method and apparatus - Google Patents


Info

Publication number
WO2022021198A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
security
protection mode
protection
security protection
Prior art date
Application number
PCT/CN2020/105761
Other languages
French (fr)
Chinese (zh)
Inventor
张博
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority to PCT/CN2020/105761
Publication of WO2022021198A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/20 Selecting an access point
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices
    • H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a communication method and device thereof.
  • In short-range service communication, a user equipment (user equipment, UE1) communicates with the network through another user equipment UE2, that is, UE2 provides a relay service for UE1. UE1 needs to select a suitable UE2 and communicate with the network through it. How to select UE2 is a problem that urgently needs to be solved at present.
  • Embodiments of the present application provide a communication method and a device thereof, which are used by a first terminal device to select a second terminal device according to a first parameter, so as to meet the security requirements of communication between the first terminal device and the network.
  • a first aspect of the embodiments of the present application provides a communication method, the method includes:
  • the first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between a second terminal device and a first access network device; then, the first terminal device selects the second terminal device according to the first parameter, where the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
  • the first terminal device can, according to the first parameter, select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements of the subsequent communication between the first terminal device and the network can be met to a certain extent.
  • the first parameter includes at least one of the following: a first security protection mode supported by a first protocol data unit (protocol data unit, PDU) session, the type of the first access network device, first indication information, second indication information, a digital signature, the identifier of the second terminal device, the network identification ID to which the second terminal device belongs or which it serves, a first data network name (DNN), or first slice information; wherein the first PDU session is an established PDU session on the second terminal device, the first indication information is indication information of whether the first access network device supports the on-demand security protection mode, the second indication information is used to indicate that the first access network device has the capability to support integrity protection, the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information of a slice for which the second terminal device supports providing the relay service.
  • the first parameter is used to indicate security information for communication between the second terminal device and the first access network device. It may be the security protection mode supported by a PDU session established by the second terminal device, the type of the first access network device to which the second terminal device is connected, or the DNN or slice information for which the second terminal device supports the relay service. It can be seen from this implementation that the parameters used to indicate the security information for communication between the second terminal device and the first access network device are diversified, which helps the first terminal device select a suitable second terminal device that meets the security requirements of the first terminal device for communication with the network, and improves the achievability and practicability of the solution.
  • before the first terminal device selects the second terminal device according to the first parameter, the method further includes: the first terminal device determines a first security policy, where the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device;
  • the first terminal device selects the second terminal device according to the first parameter, including:
  • the first terminal device selects the second terminal device according to the first security policy and the first parameter.
  • the first terminal device may first determine the corresponding first security policy from the service to be used by the first terminal device, and select the second terminal device in combination with the first security policy and the first parameter, thereby further enabling the first terminal device to select a suitable second terminal device to provide the relay service for the first terminal device.
  • the first security policy indicates that integrity protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes:
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device.
  • the first terminal device selects the second terminal device according to certain information carried by the first parameter.
  • the first security policy indicates that encryption protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes:
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device; or,
  • the first terminal device selects the second terminal device.
  • the first terminal device selects the second terminal device according to certain information carried by the first parameter when the first security policy indicates that encryption protection is required or preferred.
  • these multiple possible implementations of selecting the second terminal device improve the achievability and diversity of the solution.
  • the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: if the first security policy is consistent with a second security policy, the first terminal device selects the second terminal device, where the second security policy is a security policy associated with the first DNN and/or the first slice information.
  • the first terminal device can determine the corresponding second security policy from the first DNN and/or the first slice information carried by the first parameter, and then select the second terminal device in combination with the first security policy and the second security policy.
  • the method further includes: the first terminal device receives a second message, where the second message carries a second parameter, and the second parameter is used to indicate security information for communication between a third terminal device and a second access network device; the first terminal device selecting the second terminal device according to the first parameter includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
  • when the first terminal device receives multiple parameters sent by terminal devices that can act as relay nodes, the first terminal device may select the second terminal device in combination with the multiple received parameters.
  • the first terminal device selecting the second terminal device according to the first parameter and the second parameter includes: if the first parameter includes the first security protection mode supported by the first PDU session and the first security protection mode is that integrity protection is enabled, and the second parameter includes a second security protection mode supported by a second PDU session and the second security protection mode is that integrity protection is not enabled, the first terminal device selects the second terminal device, where the first PDU session is an established PDU session on the second terminal device and the second PDU session is the first PDU session; or,
  • if the second parameter includes third indication information and the third indication information indicates that the second access network device does not support the on-demand protection mode, the first terminal device selects the second terminal device.
  • the method further includes: the first terminal device sends a second message to the second terminal device, where the second message carries the first security policy.
  • the first terminal device sends the first security policy to the second terminal device, so that the second terminal device determines the first security protection mode between the first terminal device and the second terminal device.
  • the method further includes: the first terminal device sends a third message to the second terminal device, where the third message carries any one of the following: first service information, a first protection indication, a second DNN, or second slice information; the first service information is service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; then, the first terminal device receives a second protection indication sent by the second terminal device, where the second protection indication is used to indicate the protection mechanism to be executed during data communication between the first terminal device and the first access network device.
  • the first terminal device and the second terminal device determine, through negotiation, a protection mechanism to be executed during data communication between the first terminal device and the first access network device.
  • the first security policy includes a protection requirement for encryption protection and a protection requirement for integrity protection; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: when the first terminal device determines from the first parameter that the second terminal device meets both the protection requirement for encryption protection and the protection requirement for integrity protection, the first terminal device selects the second terminal device.
  • when selecting the second terminal device, the first terminal device should select a second terminal device that satisfies both the encryption protection requirement and the integrity protection requirement of the first terminal device.
  • the method further includes: the first terminal device verifies the digital signature; if the verification succeeds, the first terminal device performs the step of selecting the second terminal device according to the first security policy and the first parameter.
  • the first terminal device verifies the digital signature carried in the first message, and if the verification succeeds, the first terminal device selects the second terminal device according to the first parameter carried in the first message and the first security policy, so as to avoid the first parameter being tampered with during transmission and thereby affecting the selection of an appropriate second terminal device by the first terminal device.
  • the first message further carries the identifier of the second terminal device; the first terminal device verifying the digital signature includes: the first terminal device determines, according to the identifier of the second terminal device, the public key corresponding to the private key of the second terminal device; then, the first terminal device verifies the digital signature through the public key.
  • the first message further carries the network identification ID to which the second terminal device belongs or which it serves; the first terminal device verifying the digital signature includes: the first terminal device determines, according to the network identification ID, the root certificate corresponding to the second terminal device; then, the first terminal device verifies the digital signature through the root certificate.
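The selection procedure of the first aspect, as an added Python example that is not code from the patent or from its assignee: the remote UE verifies each advertised first parameter before using it, filters candidates by the second security policy associated with their DNN/slice, and ranks the rest against the first security policy. The field names, the three policy values, the scoring rule and the HMAC stand-in for the public-key signature are assumptions made for this illustration.

```python
"""Remote-UE relay selection from advertised security parameters (first aspect).

Added example, not code from the patent or its assignee. Field names, scoring
rule, policy values and the HMAC tamper check are assumptions for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not_needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """'First security policy': per-service requirement of the remote UE."""
    encryption: str
    integrity: str


@dataclass
class RelayAdvert:
    """'First parameter' announced by a candidate relay UE (constructed model)."""
    relay_id: str
    session_encryption_on: bool    # protection mode of the relay's established PDU session
    session_integrity_on: bool
    ran_supports_on_demand: bool   # 'first indication information'
    ran_supports_integrity: bool   # 'second indication information'
    dnn: str
    slice_id: str
    signature: str = ""            # hex MAC over every field above

    def canonical(self) -> bytes:
        """Stable byte encoding so signer and verifier MAC exactly the same data."""
        body = {k: v for k, v in asdict(self).items() if k != "signature"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_advert(advert: RelayAdvert, key: bytes) -> RelayAdvert:
    """Relay side. HMAC stands in for the private-key signature the text describes."""
    advert.signature = hmac.new(key, advert.canonical(), hashlib.sha256).hexdigest()
    return advert


def verify_advert(advert: RelayAdvert, keys: Dict[str, bytes]) -> bool:
    """Remote-UE side: the verification key is looked up by the relay identifier."""
    key = keys.get(advert.relay_id)
    if key is None:
        return False
    expected = hmac.new(key, advert.canonical(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, advert.signature)


def _meets(requirement: str, session_on: bool, can_enable: bool) -> Tuple[bool, int]:
    """Return (acceptable, score). REQUIRED: must be on already (score 4) or enableable
    on demand through the RAN (score 1). PREFERRED: on scores 2, off is still acceptable."""
    if requirement == REQUIRED:
        return (session_on or can_enable), (4 if session_on else 1)
    if requirement == PREFERRED:
        return True, (2 if session_on else 0)
    return True, 0


def select_relay(policy: SecurityPolicy, adverts: List[RelayAdvert],
                 keys: Dict[str, bytes],
                 dnn_policies: Dict[Tuple[str, str], SecurityPolicy]) -> Optional[str]:
    """Pick the relay whose advertised parameters best match the first security policy."""
    best = None
    for adv in adverts:
        if not verify_advert(adv, keys):
            continue  # tampered or unknown relay: never select on unverified parameters
        # the 'second security policy' tied to the relay's DNN/slice must agree with ours
        assoc = dnn_policies.get((adv.dnn, adv.slice_id))
        if assoc is not None and assoc != policy:
            continue
        enc_ok, enc_score = _meets(policy.encryption, adv.session_encryption_on,
                                   adv.ran_supports_on_demand)
        int_ok, int_score = _meets(policy.integrity, adv.session_integrity_on,
                                   adv.ran_supports_on_demand and adv.ran_supports_integrity)
        if not (enc_ok and int_ok):
            continue  # both the encryption and the integrity requirement must be met
        rank = (enc_score + int_score, int(adv.ran_supports_on_demand))
        if best is None or rank > best[0]:
            best = (rank, adv.relay_id)
    return best[1] if best else None


def sample_scenario():
    """Constructed discovery round: four signed adverts, one forged after signing."""
    keys = {f"relay-{c}": f"key-{c}".encode() for c in "ABCD"}
    policy = SecurityPolicy(encryption=PREFERRED, integrity=REQUIRED)
    adverts = [
        RelayAdvert("relay-A", True, True, True, True, "internet", "s1"),
        RelayAdvert("relay-B", True, False, False, False, "internet", "s1"),
        RelayAdvert("relay-C", True, False, True, True, "internet", "s1"),
        RelayAdvert("relay-D", True, False, True, True, "internet", "s1"),
    ]
    for adv in adverts:
        sign_advert(adv, keys[adv.relay_id])
    adverts[3].session_integrity_on = True  # relay-D claim altered in transit: MAC fails
    return policy, adverts, keys, {("internet", "s1"): policy}
```

In the constructed round relay-A wins because its session already has integrity on, relay-C is acceptable only because its RAN can enable integrity on demand, relay-B cannot meet the integrity requirement at all, and relay-D's altered claim is rejected at the verification step.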
  • a second aspect of the embodiments of the present application provides a communication method, the method comprising:
  • the second terminal device determines a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the second terminal device sends a first message, where the first message carries the first parameter.
  • the second terminal device sends the first parameter to the first terminal device, so that when the first terminal device selects the second terminal device, it can, according to the first parameter, select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements of the subsequent communication between the first terminal device and the network can be met to a certain extent.
  • the first parameter includes at least one of the following: a first security protection mode supported by the first PDU session, a type of the first access network device, first indication information, second indication information, a digital signature, the identifier of the second terminal device, the network identification ID to which the second terminal device belongs or which it serves, the first DNN, or the first slice information; wherein the first PDU session is an established PDU session on the second terminal device, the first indication information is indication information of whether the first access network device supports the on-demand security protection mode, the second indication information is used to indicate that the first access network device has the capability to support integrity protection, the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information of a slice for which the second terminal device supports providing the relay service.
  • the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device; the second terminal device determines a first security protection mode according to the first security policy; the second terminal device uses the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device; and the second terminal device sends the first security protection mode to the first terminal device.
  • the second terminal device may determine a first security protection mode in combination with the first security policy sent by the first terminal device, and use the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device, thereby determining the security protection mode between the first terminal device and the second terminal device.
  • the second terminal device and the first access network device may negotiate the security protection mode between the second terminal device and the first access network device, so that both the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated.
  • the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device; the second terminal device uses a third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device; and the second terminal device sends the third security protection mode to the first terminal device.
  • the second terminal device may determine the third security protection mode in combination with a third security policy and the first security policy sent by the first terminal device, and use the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device, thereby determining the security protection mode between the second terminal device and the first access network device. In this way, a security protection mode is negotiated between the second terminal device and the first access network device.
  • the first security protection mode is consistent with a second security protection mode, where the second security protection mode is the security protection mode supported by a second PDU session established between the second terminal device and the first access network device.
  • when the second terminal device determines the first security protection mode, it may consider the PDU sessions already established by the second terminal device, and preferentially select a PDU session that supports the first security protection mode to provide the service for the first terminal device.
  • the first security protection mode being consistent with the second security protection mode includes:
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
  • the second terminal device selects a second PDU session on the second terminal device, and the second security protection mode supported by the second PDU session is consistent with the first security protection mode.
  • the method further includes: if the first security protection mode is inconsistent with the second security protection mode, the second terminal device sends a first request message to a session management function (session management function, SMF) network element; wherein the first request message is used to request to modify the second PDU session or to request to establish a third PDU session, the first request message carries a third parameter, the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session established between the second terminal device and the first access network device; the second terminal device receives a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
  • when the second security protection mode supported by the second PDU session is inconsistent with the first security protection mode, the second terminal device sends the first request message to the SMF network element to request to modify the second PDU session or to establish a third PDU session, and then receives the fourth security protection mode sent by the first access network device, so that the fourth security protection mode between the second terminal device and the first access network device is the same as the first security protection mode.
  • the first security protection mode being inconsistent with the second security protection mode includes: if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is that encryption protection is not enabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or,
  • the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or,
  • the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  • the third parameter includes at least one of the following: the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode; wherein the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, and the second slice information is information of the slice to be accessed by the first terminal device.
  • the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, so that the SMF network element determines the third security policy and the first access network device determines the fourth security protection mode, and the fourth security protection mode is the same as the first security protection mode.
  • the method further includes: the second terminal device receives a third message sent by the first terminal device, where the third message carries at least one of the following information: first service information, a second DNN, second slice information and a first protection indication; the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; the method further includes: the second terminal device determines a second protection indication according to the third message, where the second protection indication is used to indicate the protection mechanism to be executed during data communication between the first terminal device and the first access network device; and the second terminal device sends the second protection indication to the first terminal device.
  • this shows an implementation in which the first terminal device, the second terminal device and the third terminal device negotiate the protection mechanism executed during data communication between the first terminal device and the first access network device.
  • the method further includes: if the second terminal device does not receive a protection indication sent by the first terminal device, the second terminal device determines a second protection indication, where the second protection indication is used to indicate the protection mechanism to be executed during data communication between the first terminal device and the first access network device; then, the second terminal device sends the second protection indication to the first terminal device.
  • a third aspect of the embodiments of the present application provides a communication method, the method comprising:
  • the SMF network element receives a first request message sent by the second terminal device, where the first request message is used to request to modify the second PDU session or to request to establish a third PDU session, the first request message carries a third parameter, and the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device; then, the SMF network element determines a third security policy according to the third parameter, where the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; and the SMF network element sends a fourth message to the first access network device, where the fourth message carries the third security policy.
  • the SMF network element may determine the third security policy according to the first request message and send the third security policy to the first access network device, so that the first access network device determines the fourth security protection mode according to the third security policy and the fourth security protection mode is consistent with the first security protection mode; in this way, the first security protection mode negotiated between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device are made consistent.
  • the SMF network element determines the third security policy according to the third parameter, including: the SMF network element sends at least one of the following items to a unified data management (unified data management, UDM) network element: the first service information, the second DNN and the second slice information; the SMF network element receives the subscription security policy sent by the UDM network element; the SMF network element uses the subscription security policy as the third security policy, or the SMF network element determines the third security policy according to the subscription security policy and the first security policy, or the SMF network element determines the third security policy according to the subscription security policy and the first security protection mode.
  • the specific process by which the SMF network element determines the third security policy according to at least one of the first service information, the second DNN and the second slice information is shown, which improves the achievability of the solution.
  • the SMF network element determining the third security policy according to the third parameter includes: the SMF network element determining the third security policy according to at least one of the first security policy and the first security protection mode.
  • the manner in which the SMF network element determines the third security policy according to at least one of the first security policy and the first security protection mode carried by the third parameter is shown, which increases the diversity of the solution.
  • the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
  • a fourth aspect of the embodiments of the present application provides a communication method.
  • the method includes: a first access network device receives a second message sent by an SMF network element, where the second message carries a third security policy, and the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; then, the first access network device determines a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device; the first access network device sends the fourth security protection mode to the second terminal device.
  • the first access network device determines a fourth security protection mode according to the third security policy sent by the SMF network element and sends the fourth security protection mode to the second terminal device, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, so that the negotiation of the first security protection mode and the fourth security protection mode is achieved.
  • the second message further carries at least one of the following: the first security policy, the first security protection mode; the first access network device determining the fourth security protection mode according to the third security policy includes:
  • the first access network device determines the fourth security protection mode according to the third security policy and the first security protection mode; or,
  • the first access network device determines the fourth security protection mode according to the third security policy and the first security policy; or,
  • the first access network device determines the fourth security protection mode according to the third security policy, the first security protection mode and the first security policy.
  • a fifth aspect of the embodiments of the present application provides a first terminal device, where the first terminal device includes:
  • a transceiver module configured to receive a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
  • the processing module is configured to select the second terminal device according to the first parameter, and the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
  • the first parameter includes at least one of the following:
  • the first PDU session is an established PDU session on the second terminal device
  • the first indication information is the indication information of whether the first access network device supports the on-demand security protection mode
  • the second indication information is used to indicate that the first access network device has the ability to support integrity protection
  • the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
  • the first DNN is a DNN on which the second terminal device supports providing the relay service
  • the first slice information is information of the slice that the second terminal device supports to provide the relay service.
  • the processing module is further configured to determine a first security policy, where the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
  • the processing module is specifically used for:
  • the second terminal device is selected according to the first security policy and the first parameter.
  • the first security policy indicates that integrity protection is required or tends to be preferred;
  • the processing module is specifically used for:
  • the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, then select the second terminal device; or,
  • the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the ability to support enabling integrity protection, select the second terminal device; or,
  • the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, select the second terminal device; or,
  • the second terminal device is selected.
  • the first security policy indicates that encryption protection is required or tends to be preferred;
  • the processing module is specifically used for:
  • the second terminal device is selected.
  • the processing module is specifically used for:
  • the second terminal device is selected, and the second security policy is the security policy associated with the first DNN and/or the first slice information.
  • the transceiver module is also used for:
  • the second message carries a second parameter, where the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device;
  • the processing module is specifically used for:
  • the second terminal device is selected according to the first parameter and the second parameter.
  • the processing module is specifically used for:
  • the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection;
  • the second parameter includes the second security protection mode supported by the second PDU session, and the second security protection mode is to not enable integrity protection;
  • select the second terminal device, where the first PDU session is an established PDU session on the second terminal device, and the second PDU session is an established PDU session on the third terminal device; or,
  • the second parameter includes third indication information, and the third indication information indicates that the second access network device does not support the on-demand protection mode, select the second terminal device.
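The relay selection rules of the fifth aspect, worked through as an added Python example (not code from the patent or from the applicant). It models the first security policy as an integrity requirement and a candidate relay's first parameter as the three indicators named above (security protection mode of its established PDU session, whether the access network supports integrity protection, whether it supports on-demand protection) and ranks several candidates the way the first/second parameter comparison does. The field names, the score weights, and the acceptance of a relay with no positive indicator under a PREFERRED policy are assumptions:

```python
"""Relay (second terminal device) selection by the first terminal device from the
security information ("first parameter") that candidate relays announce in their
first message. Constructed example: the dataclass fields, the score weights and
the treatment of a PREFERRED policy with no positive evidence are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Need(Enum):
    """Values the first security policy can take for integrity protection."""
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class RelayAdvert:
    """Subset of the first parameter carried in a candidate relay's first message.
    None means the item was not present in the message."""
    relay_id: str
    session_integrity_on: Optional[bool] = None    # first security protection mode of the relay's established PDU session
    ran_supports_integrity: Optional[bool] = None  # second indication information / type of the access network device
    ran_supports_on_demand: Optional[bool] = None  # first indication information (on-demand security protection)


def integrity_acceptable(policy: Need, advert: RelayAdvert) -> bool:
    """Integrity rules: with REQUIRED or PREFERRED, any one positive indicator is
    enough. With no positive indicator, REQUIRED rejects the relay; PREFERRED
    tolerates it (assumption, the page's final branch is not spelled out)."""
    if policy == Need.NOT_NEEDED:
        return True
    positive = (advert.session_integrity_on is True
                or advert.ran_supports_integrity is True
                or advert.ran_supports_on_demand is True)
    return positive or policy == Need.PREFERRED


def rank(policy: Need, advert: RelayAdvert) -> int:
    """Order acceptable relays when several answered: an established session that
    already has integrity on beats one that has it off, and an access network that
    supports on-demand protection beats one that does not. Weights are assumptions."""
    if policy == Need.NOT_NEEDED:
        return 0
    score = 0
    if advert.session_integrity_on is True:
        score += 4
    elif advert.session_integrity_on is False:
        score -= 4
    if advert.ran_supports_on_demand is True:
        score += 2
    elif advert.ran_supports_on_demand is False:
        score -= 2
    if advert.ran_supports_integrity is True:
        score += 1
    return score


def select_relay(policy: Need, adverts: List[RelayAdvert]) -> Optional[str]:
    """Return the id of the chosen second terminal device, or None if no candidate
    can satisfy the first security policy."""
    best_id, best_score = None, None
    for advert in adverts:
        if not integrity_acceptable(policy, advert):
            continue
        score = rank(policy, advert)
        if best_score is None or score > best_score:  # first best wins ties
            best_id, best_score = advert.relay_id, score
    return best_id


if __name__ == "__main__":
    # Constructed announcements from three candidate relays.
    relays = [
        RelayAdvert("relay-B", session_integrity_on=False, ran_supports_on_demand=False),
        RelayAdvert("relay-A", session_integrity_on=True),
        RelayAdvert("relay-C", ran_supports_on_demand=True),
    ]
    print(select_relay(Need.REQUIRED, relays))      # relay-A
    print(select_relay(Need.REQUIRED, relays[:1]))  # None: relay-B cannot satisfy REQUIRED
```

The point a practitioner should take from the REQUIRED case is the rejection: a relay whose established PDU session runs without integrity protection, behind an access network that cannot switch it on on demand, is not selected at all rather than selected and later found inconsistent.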
  • the transceiver module is also used for:
  • the third message carries any of the following: first service information, first protection indication, second DNN, and second slice information, where the first service information is service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed when data communication is performed between the first terminal device and the first access network device;
  • a second protection indication sent by the second terminal device is received, where the second protection indication is used to indicate a protection mechanism executed during data communication between the first terminal device and the first access network device.
  • a sixth aspect of the embodiments of the present application provides a second terminal device, where the second terminal device includes:
  • a processing module configured to determine a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information of communication between the second terminal device and the first access network device;
  • a transceiver module configured to send a first message, where the first message carries the first parameter.
  • the first parameter includes at least one of the following:
  • the first PDU session is an established PDU session on the second terminal device
  • the first indication information is the indication information that the first access network device supports the on-demand security protection mode
  • the second indication information is used to indicate that the first access network device has the ability to support integrity protection
  • the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
  • the first DNN is a DNN on which the second terminal device supports providing the relay service
  • the first slice information is information of the slice that the second terminal device supports to provide the relay service.
  • the transceiver module is also used for:
  • the second message carries a first security policy
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
  • the processing module is further configured to determine a first security protection mode, where the first security protection mode is the security protection mode adopted for data communication between the first terminal device and the second terminal device;
  • the transceiver module is also used to:
  • the transceiver module is also used for:
  • the second message carries a first security policy
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
  • the processing module is further configured to determine a third security protection mode, where the third security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device;
  • the transceiver module is also used to:
  • the first security protection mode is consistent with the second security protection mode, where the second security protection mode is the security protection mode supported by the second PDU session established between the second terminal device and the first access network device.
  • the first security protection mode being consistent with the second security protection mode includes:
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
  • the transceiver module is also used for:
  • the first request message is used to request to modify the second PDU session or to request to establish a third PDU session
  • the first request message carries a third parameter
  • the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session established between the second terminal device and the first access network device;
  • the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
  • the first security protection mode being inconsistent with the second security protection mode includes:
  • the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  • the third parameter includes at least one of the following:
  • the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode;
  • the first service information is service information corresponding to the service to be used by the first terminal device
  • the second DNN is the DNN to be accessed by the first terminal device
  • the second slice information is information of the slice to be accessed by the first terminal device.
  • the transceiver module is also used for:
  • the third message carries at least one of the following information: first service information, second DNN, second slice information and first protection indication, where the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed when data communication is performed between the first terminal device and the first access network device;
  • the processing module is further configured to determine a second protection indication, where the second protection indication is used to indicate a protection mechanism to be executed during data communication between the first terminal device and the first access network device;
  • the transceiver module is also used to:
  • the processing module is further configured to: if the second terminal device does not receive the protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device;
  • the transceiver module is also used to:
  • a seventh aspect of the embodiments of the present application provides an SMF network element, where the SMF network element includes:
  • a transceiver module configured to receive a first request message sent by the second terminal device, where the first request message is used to request to modify the second PDU session or to request to establish a third PDU session, the first request message carries a third parameter, The third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device;
  • a processing module configured to determine a third security policy according to the third parameter, where the third security policy is a security policy corresponding to the service to be used by the first terminal device determined by the SMF network element;
  • the transceiver module is configured to send a fourth message to the first access network device, where the fourth message carries the third security policy.
  • the third parameter includes at least one of the following:
  • the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode;
  • the first service information is service information corresponding to the service to be used by the first terminal device
  • the second DNN is the DNN to be accessed by the first terminal device
  • the second slice information is information of the slice to be accessed by the first terminal device.
  • the processing module is specifically used for:
  • the SMF network element receives the subscription security policy sent by the UDM network element;
  • the processing module is specifically used for:
  • the third security policy is determined according to at least one item of information in the first security policy and the first security protection manner.
  • the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
  • An eighth aspect of the embodiments of the present application provides a first access network device, where the first access network device includes:
  • a transceiver module configured to receive a second message sent by the SMF network element, where the second message carries a third security policy, where the third security policy is a security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device;
  • a processing module configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is a security protection mode used for data communication between the second terminal device and the first access network device;
  • the transceiver module is configured to send the fourth security protection mode to the second terminal device.
  • the second message further carries at least one of the following: the first security policy, the first security protection mode; the processing module is specifically used for:
  • the fourth security protection mode is determined according to the third security policy and the first security protection mode; or,
  • the fourth security protection mode is determined according to the third security policy and the first security policy; or,
  • the fourth security protection mode is determined according to the third security policy, the first security protection mode and the first security policy.
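The network side of the scheme, as one added Python example that is not code from the patent or from the applicant: the SMF derives the third security policy from the third parameter (third and seventh aspects), the first access network device derives the fourth security protection mode from it (fourth and eighth aspects), and the relay checks that the fourth mode agrees with the first security protection mode on the remote-terminal hop. The subscription table standing in for the UDM, the "stricter requirement wins" merge of subscription and first security policy, and the way a PREFERRED value follows the first hop are assumptions:

```python
"""SMF-side derivation of the third security policy and access-network-side
derivation of the fourth security protection mode for a relay's PDU session
(modification or establishment), plus the consistency check with the first
security protection mode. Constructed example: the subscription table, the
"stricter wins" merge and the PREFERRED handling are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Need(IntEnum):
    """Ordered so that max() picks the stricter requirement."""
    NOT_NEEDED = 0
    PREFERRED = 1
    REQUIRED = 2


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: Need
    ciphering: Need


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode: what is actually switched on for one hop."""
    integrity_on: bool
    ciphering_on: bool


@dataclass(frozen=True)
class ThirdParameter:
    """Security information carried in the first request message."""
    dnn: str
    slice_id: str
    first_policy: Optional[SecurityPolicy] = None   # first security policy, if carried
    first_mode: Optional[ProtectionMode] = None     # first security protection mode, if carried


# Constructed stand-in for the subscription security policy the UDM returns for a
# (DNN, slice) pair; a real SMF would query the UDM (assumption).
SUBSCRIPTION = {
    ("internet", "eMBB"): SecurityPolicy(Need.PREFERRED, Need.REQUIRED),
    ("v2x", "URLLC"): SecurityPolicy(Need.REQUIRED, Need.REQUIRED),
}
DEFAULT_SUBSCRIPTION = SecurityPolicy(Need.NOT_NEEDED, Need.PREFERRED)


def stricter(a: SecurityPolicy, b: SecurityPolicy) -> SecurityPolicy:
    """Merge two policies so that neither side's requirement is weakened (assumption)."""
    return SecurityPolicy(max(a.integrity, b.integrity), max(a.ciphering, b.ciphering))


def policy_from_mode(mode: ProtectionMode) -> SecurityPolicy:
    """Treat a feature the remote hop already enabled as REQUIRED, so the network
    hop does not silently drop below it (assumption)."""
    return SecurityPolicy(Need.REQUIRED if mode.integrity_on else Need.NOT_NEEDED,
                          Need.REQUIRED if mode.ciphering_on else Need.NOT_NEEDED)


def smf_third_policy(param: ThirdParameter) -> SecurityPolicy:
    """SMF: subscription policy alone, or merged with the first security policy or
    the first security protection mode carried in the third parameter."""
    subscription = SUBSCRIPTION.get((param.dnn, param.slice_id), DEFAULT_SUBSCRIPTION)
    if param.first_policy is not None:
        return stricter(subscription, param.first_policy)
    if param.first_mode is not None:
        return stricter(subscription, policy_from_mode(param.first_mode))
    return subscription


def ran_fourth_mode(third: SecurityPolicy, first_mode: Optional[ProtectionMode] = None,
                    ran_supports_integrity: bool = True) -> Optional[ProtectionMode]:
    """First access network device: REQUIRED switches the feature on (None when the
    node cannot provide it), NOT_NEEDED leaves it off, PREFERRED follows the first
    security protection mode so the two hops agree. Ciphering is assumed available."""
    def decide(need: Need, first_hop: Optional[bool], supported: bool) -> Optional[bool]:
        if need == Need.REQUIRED:
            return True if supported else None
        if need == Need.NOT_NEEDED:
            return False
        if first_hop is not None:
            return first_hop and supported
        return supported

    integrity = decide(third.integrity,
                       None if first_mode is None else first_mode.integrity_on,
                       ran_supports_integrity)
    ciphering = decide(third.ciphering,
                       None if first_mode is None else first_mode.ciphering_on,
                       True)
    if integrity is None or ciphering is None:
        return None
    return ProtectionMode(integrity, ciphering)


def hops_consistent(first_mode: ProtectionMode, fourth_mode: Optional[ProtectionMode]) -> bool:
    """Check the second terminal device makes after receiving the fourth mode."""
    return fourth_mode is not None and first_mode == fourth_mode
```

Returning None from `ran_fourth_mode` when a REQUIRED feature cannot be provided is the outcome a relay should surface to the remote terminal rather than silently continuing with a weaker mode; the earlier selection step is what normally prevents that case from arising.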
  • a ninth aspect of an embodiment of the present application provides a first terminal device, where the first terminal device includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the first aspect.
  • the first terminal device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
  • a tenth aspect of an embodiment of the present application provides a second terminal device, where the second terminal device includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the second aspect.
  • the second terminal device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
  • An eleventh aspect of an embodiment of the present application provides an SMF network element, where the SMF network element includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the third aspect.
  • the SMF network element includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
  • a twelfth aspect of an embodiment of the present application provides a first access network device, where the first access network device includes: a processor and a memory; the memory stores a computer program; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the fourth aspect.
  • the first access network device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
  • a thirteenth aspect of the embodiments of the present application provides a computer program product including instructions, characterized in that, when the computer program product is run on a computer, the computer is caused to perform the implementation of any one of the first to fourth aspects.
  • a fourteenth aspect of the embodiments of the present application provides a computer-readable storage medium, including computer instructions, which, when the computer instructions are executed on a computer, cause the computer to execute any one of the implementations of the first to fourth aspects.
  • a fifteenth aspect of an embodiment of the present application provides a chip device, including a processor, which is connected to a memory and calls a program stored in the memory, so that the processor executes the implementation of any one of the first to fourth aspects above.
  • a sixteenth aspect of an embodiment of the present application provides a communication system, where the communication system includes the first terminal device of the first aspect and the second terminal device of the second aspect.
  • the communication system further includes the SMF network element of the third aspect and the first access network device of the fourth aspect.
  • the first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the first terminal device selects the second terminal device according to the first parameter. Since the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can, when selecting the second terminal device, use the first parameter to select a second terminal device that matches its own security requirements, so that the second terminal device can meet the security requirements of the subsequent communication between the first terminal device and the network.
  • FIG. 1A is a schematic structural diagram of a communication system according to an embodiment of the present application.
  • FIG. 1B is a schematic diagram of a network system according to an embodiment of the present application.
  • FIG. 1C is another schematic diagram of a network system according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • FIG. 4 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • FIG. 5 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a first access network device according to an embodiment of the present application.
  • FIG. 10 is another schematic structural diagram of a first terminal device according to an embodiment of the present application.
  • FIG. 11 is another schematic structural diagram of an SMF network element according to an embodiment of the present application.
  • FIG. 12 is another schematic structural diagram of a first access network device according to an embodiment of the present application.
  • FIG. 13 is a schematic diagram of a communication system according to an embodiment of the present application.
  • the communication system applied in this application is introduced as follows:
  • 3GPP networks generally include, but are not limited to, a fifth-generation (5th-generation, 5G) network (referred to as a 5G network), a fourth-generation (4th-generation, 4G) network (referred to as a 4G network), and the like.
  • a PLMN is used as an example for description in this embodiment of the present application.
  • the technical solutions provided in this application can also be applied to long term evolution (long term evolution, LTE) systems, LTE frequency division duplex (frequency division duplex, FDD) systems, LTE time division duplex (time division duplex, TDD) systems, universal mobile telecommunication system (universal mobile telecommunication system, UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5th generation, 5G) communication systems, device to device (device to device, D2D) communication systems, vehicle to everything (V2X) communication systems, new radio (NR) or other future communication systems, such as 6G communication systems.
  • the 5G network has made network architecture adjustments compared to the 4G network.
  • the 5G network splits the mobility management entity (mobility management entity, MME) in the 4G network into several network functions, including the access and mobility management function (access and mobility management function, AMF) and the session management function (session management function, SMF).
  • FIG. 1A is a schematic diagram of a network architecture according to an embodiment of the present application, which takes a 5G network architecture based on a service-oriented architecture in a non-roaming scenario defined in the 3GPP standardization process as an example.
  • the network architecture can include three parts, namely the terminal equipment part, the PLMN and the data network (DN).
  • the terminal equipment part may include a terminal equipment 110, which may also be referred to as user equipment (user equipment, UE).
  • the terminal device 110 in this application is a device with a wireless transceiver function, which can communicate with an access network device (or also referred to as an access device) in a radio access network (radio access network, RAN) 140 and with one or more core network (core network, CN) devices (or also referred to as core devices).
  • Terminal equipment 110 may also be referred to as an access terminal, terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, user agent, user device, or the like.
  • the terminal device 110 can be deployed on land, including indoor or outdoor, handheld or vehicle; can also be deployed on water (such as ships, etc.); and can also be deployed in the air (such as planes, balloons, satellites, etc.).
  • the terminal device 110 may be a cellular phone (cellular phone), a cordless phone, a session initiation protocol (session initiation protocol, SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (personal digital assistant, PDA), etc.
  • the terminal device 110 may also be a handheld device with a wireless communication function, a computing device or other device connected to a wireless modem, a vehicle-mounted device, a wearable device, a drone device, a terminal in the Internet of Things, the Internet of Vehicles or a 5G network, any form of terminal in a future network, relay user equipment, a terminal in a future evolved PLMN, etc.
  • the relay user equipment may be, for example, a 5G home gateway (residential gateway, RG).
  • the terminal device 110 may be a virtual reality (virtual reality, VR) terminal, an augmented reality (augmented reality, AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • This embodiment of the present application does not limit the type or form of the terminal device.
  • PLMN can include: network exposure function (NEF) 131, network storage function (network function repository function, NRF) 132, policy control function (PCF) 133, UDM 134, application function (AF) 135, authentication server function (AUSF) 136, access and mobility management function (AMF) 137, SMF 138, user plane function (UPF) 139, (radio) access network ((R)AN) 140, etc.
  • the data network DN 120 which may also be referred to as a packet data network (PDN), is usually a network located outside the PLMN, such as a third-party network.
  • the PLMN can access multiple data networks DN 120, and multiple services can be deployed on the data network DN 120, so as to provide the terminal device 110 with services such as data and/or voice.
  • the data network DN 120 can be a private network of a smart factory, the sensors installed in the workshop of the smart factory can be the terminal equipment 110, and the control server of the sensor is deployed in the data network DN 120, and the control server can provide services for the sensors.
  • the sensor can communicate with the control server, obtain the instruction of the control server, and transmit the collected sensor data to the control server according to the instruction.
  • the data network DN 120 may be an internal office network of a company, and the mobile phones or computers of employees of the company may be terminal devices 110, and the mobile phones or computers of the employees can access information, data resources, etc. on the internal office network of the company.
  • the terminal device 110 may establish a connection with the PLMN through an interface provided by the PLMN (for example, the N1 interface in FIG. 1A , etc.), and use services such as data and/or voice provided by the PLMN.
  • the terminal device 110 can also access the data network DN 120 through the PLMN, and use the operator services deployed on the data network DN 120, and/or services provided by third parties.
  • the above-mentioned third party may be a service party other than the PLMN and the terminal device 110 , and may provide other data and/or voice services for the terminal device 110 .
  • the specific expression form of the above third party can be specifically determined according to the actual application scenario, and is not limited here.
  • the (R)AN 140 is a sub-network of the PLMN and is the implementation system between the service nodes (or network functions) and the terminal equipment 110 in the PLMN.
  • To access the PLMN, the terminal device 110 first passes through the (R)AN 140 and then connects to a service node in the PLMN through the (R)AN 140.
  • the access network device in the embodiment of the present application is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, a (R)AN device, or a network device.
  • the access device includes but is not limited to: next generation node base station (gNB) in a 5G system, evolved node B (eNB) in an LTE system, radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (home evolved node B, or home node B, HNB), baseband unit (BBU), transmitting and receiving point (TRP), transmitting point (TP), small base station equipment (pico), mobile switching center, or network equipment in future networks, etc.
  • the access device may include a centralized unit (centralized unit, CU), a distributed unit (distributed unit, DU), and the like.
  • the CU can also be divided into a CU-control plane (CU-CP) and a CU-user plane (CU-UP), etc.
  • the access device may also be an open radio access network (open radio access network, ORAN) architecture, etc. This application does not limit the specific deployment method of the access device.
  • the network exposure function NEF (also referred to as the NEF network function or NEF network function entity) 131 is a control plane function provided by the operator.
  • the NEF 131 exposes the external interface of the PLMN to a third party in a secure manner.
  • when the SMF network function 138 needs to communicate with a third-party network function, the NEF 131 can act as a relay for the SMF 138 to communicate with the third-party network entity.
  • when the NEF 131 acts as a relay, it can translate the identification information of the subscriber and the identification information of the third-party network function.
  • when the NEF 131 sends the subscriber permanent identifier (SUPI) of the subscriber from the PLMN to the third party, the SUPI can be translated into its corresponding external identity (ID). Conversely, when the NEF 131 sends the external ID (the ID of the third party's network entity) to the PLMN, it can be translated into a SUPI.
  • the network storage function NRF 132 can be used to maintain real-time information of all network function services in the network.
  • the policy control function PCF 133 is a control plane function provided by the operator for providing the session management function SMF 138 with policies for PDU sessions.
  • the policies may include charging-related policies, QoS-related policies, authorization-related policies, and the like.
  • the unified data management UDM 134 is a control plane function provided by the operator, and is responsible for storing information such as subscriber permanent identifier (SUPI), security context (security context), and subscription data of subscribers in the PLMN.
  • PLMN subscribers may specifically be users who use services provided by the PLMN, such as users of a China Telecom terminal device chip card, or users of a China Mobile terminal device chip card.
  • the SUPI of the subscriber may be the number of the chip card of the terminal device, or the like.
  • the above-mentioned security context may be data (a cookie) or a token stored on a local terminal device (for example, a mobile phone).
  • the subscription data of the above-mentioned subscriber may be the services bundled with the terminal device chip card, such as the data package of a mobile phone chip card, and the like.
  • the application function AF 135 is used to perform data routing affected by the application, access the network opening function, and interact with the policy framework for policy control, etc.
  • the authentication server function AUSF 136 is a control plane function provided by the operator, and is usually used for first-level authentication, that is, the authentication between the terminal device 110 (subscriber) and the PLMN.
  • the access and mobility management function AMF 137 is a control plane network function provided by the PLMN, responsible for the access control and mobility management of the terminal device 110 accessing the PLMN, including, for example, mobility status management, assignment of user temporary identities, and user authentication and authorization.
  • the session management function SMF 138 is a control plane network function provided by the PLMN, and is responsible for managing the protocol data unit (protocol data unit, PDU) session of the terminal device 110.
  • the PDU session is a channel for transmitting PDUs, and the terminal device needs to transmit PDUs to and from the DN 120 through the PDU session.
  • PDU sessions may be established, maintained, deleted, etc. by the SMF 138.
  • SMF 138 includes session management (such as session establishment, modification and release, including tunnel maintenance between UPF 139 and (R)AN 140, etc.), selection and control of UPF 139, service and session continuity (SSC) mode selection, roaming, and other session-related functions.
  • the user plane function UPF 139 is a gateway provided by the operator and is the gateway for the PLMN to communicate with the DN 120.
  • UPF 139 includes user plane-related functions such as packet routing and forwarding, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection, and downlink packet storage.
  • the network function in the PLMN shown in FIG. 1A may also include a network slice selection function (NSSF) (not shown in FIG. 1 ), which is responsible for determining the network slice instance, selecting the AMF network function 137, and the like.
  • the network function in the PLMN shown in FIG. 1A may also include a unified data repository (unified data repository, UDR), etc.
  • Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • for the meaning of the above-mentioned interface serial numbers, reference may be made to the meaning defined in the 3GPP standard protocols, and this application does not limit the meaning of the above-mentioned interface serial numbers.
  • the terminal device 110 is a UE as an example, and the interface names between the various network functions in FIG. 1A are only an example.
  • other names may also be used for the interfaces of the system architecture, which is not limited in this application.
  • the mobility management network function in this application may be the AMF 137 shown in FIG. 1A , or may be other network functions having the above-mentioned access and mobility management function AMF 137 in the future communication system.
  • the mobility management network function in this application may also be a mobility management entity (mobility management entity, MME) or the like in the LTE system.
  • the session management function SMF 138 is abbreviated as SMF network element.
  • the unified data management UDM 134 is abbreviated as UDM network element.
  • correspondingly, SMF network element can be replaced by session management function, UDM network element can be replaced by unified data management, and UE can be replaced by terminal device. It should be understood that other network functions not shown are equally applicable to this alternative naming.
  • the network architecture (e.g., the 5G network architecture) shown in FIG. 1A adopts a service-based architecture and common interfaces; based on network function virtualization (NFV) technology, traditional network element functions are divided into several self-contained, self-managed and reusable network function service modules. By flexibly defining the set of service modules, customized network function reconstruction can be realized, and the external business process can be formed through a unified service invocation interface.
  • the schematic diagram of the network architecture shown in FIG. 1A can be understood as a schematic diagram of a service-based 5G network architecture in a non-roaming scenario.
  • Network slicing technology can enable operators to respond more flexibly and quickly to customer needs and support flexible allocation of network resources.
  • FIG. 1B is a schematic diagram of a network system according to an embodiment of the present application.
  • the network system includes UE1, UE2, UE3 and RAN1.
  • UE1 and UE2 are connected through a PC5 (ProSe communication 5) interface.
  • UE2 and RAN1 are connected through a Uu interface (the radio interface between the UTRAN and the user equipment).
  • UE1 selects UE2 and communicates with the network through UE2.
  • UE2 plays the role of a UE-to-network relay.
  • the PC5 interface between UE1 and UE2 and the Uu interface between UE2 and RAN1 have corresponding security definitions (on demand security). That is, the security protection mode corresponding to the PC5 interface between UE1 and UE2 and the security protection mode corresponding to the Uu interface between UE2 and RAN1 are determined based on the security policy and can be determined through negotiation.
  • the security policy includes the security policy of the control plane and the security policy of the user plane, and each security policy includes two characteristics of encryption protection and integrity protection.
  • the encryption protection requirements of each security policy are divided into three levels: encryption protection is required, encryption protection is preferred (desired), and encryption protection is not needed.
  • the integrity protection requirements of each security policy are divided into three levels: integrity protection is required, integrity protection is preferred (desired), and integrity protection is not needed.
  • the security protection methods include enabling encryption protection or not enabling encryption protection, and enabling integrity protection or not enabling integrity protection.
  • UE1 sends data or signaling to RAN1 through UE2; sending data is taken as an example here. If encryption protection is used for data between UE1 and UE2 but encryption protection is not used between UE2 and RAN1, an attacker can eavesdrop on or tamper with the data sent by UE1 to RAN1 by eavesdropping on the Uu interface between UE2 and RAN1. Although the data between UE1 and UE2 is protected by encryption, the data of UE1 is still leaked during transmission between UE2 and RAN1.
  • the embodiments of this application propose a corresponding negotiation solution for the negotiation of the security protection mode between UE1 and UE2 and the security protection mode between UE2 and RAN1.
  • UE1 and UE3 may be remote UEs (remote UEs) or common UEs.
  • the common UE can complete the communication with the network through the UE relay.
  • the UE in FIG. 1B is a terminal device.
  • for the terminal device and the access network device, refer to the related introduction of the aforementioned FIG. 1A, which is not repeated here.
  • FIG. 1C is another schematic diagram of a network system according to an embodiment of the present application.
  • the network system includes UE1, UE2, UE4, gNB and eNB.
  • FIG. 1C shows a scenario in which UE1 selects a UE relay in order to communicate with the network.
  • UE3 is connected to the gNB, which is the 5G base station of the 5G communication system, and the gNB supports encryption protection and integrity protection.
  • UE3 can provide relay services for UE1 to realize the connection between UE1 and the gNB in the 5G network.
  • the UE4 is connected to the eNB.
  • the eNB is a 4G base station of the 4G communication system.
  • the eNB supports encryption protection but does not support integrity protection.
  • UE4 can provide relay service for UE1, so as to realize the connection between UE1 and the eNB in the 4G network.
  • the embodiment of the present application proposes the technical solution of the embodiment shown in FIG. 2 , and for details, refer to the technical solution of the embodiment shown in FIG. 2 later.
  • FIG. 1B and FIG. 1C above are only to illustrate the applicable scenarios of the technical solutions of the embodiments of the present application.
  • FIG. 1B and FIG. 1C may also include more UEs, base stations, etc., which are not specifically limited in the present application.
  • FIG. 1C shows a scenario in which UE4 is connected to a long-term evolution node eNB.
  • UE4 can also be connected to a next generation evolved Node B (ng-eNB); the ng-eNB is an LTE base station connected to the 5G core network.
  • both the eNB and the ng-eNB support encryption protection, but neither supports integrity protection.
  • the short-range service communication scenarios shown in FIG. 1B and FIG. 1C are only application scenarios shown to illustrate the technical solutions of the embodiments of the present application; besides FIG. 1B and FIG. 1C, the technical solutions of the embodiments of the present application are also applicable to the selection of relay nodes and the negotiation of security protection modes in any other relay scenario.
  • FIG. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application.
  • the communication method includes:
  • Step 201: the second terminal device determines a first parameter.
  • the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device.
  • the second terminal device is UE2
  • the first access network device is RAN1
  • UE2 can provide relay services for remote UEs (e.g., UE1 and UE3 in FIG. 1A), so as to realize communication between the remote UE and the network.
  • the first parameter includes at least one of the following:
  • the first security protection mode supported by the first PDU session (PDU session1), where the first PDU session is a PDU session established on the second terminal device to be used to provide services for a remote UE or a common UE.
  • the first security protection mode supported by the first PDU session may also be referred to as the first security protection mode of the air interface corresponding to the first PDU session, or the first security protection mode of the air interface bearer corresponding to the first PDU session.
  • the first security protection manner includes whether to enable encryption protection and whether to enable integrity protection.
  • a first PDU session for transmitting data for the remote UE has been established on the second terminal device, and the first PDU session has a corresponding first security protection mode.
  • the first PDU session has activated data protection between the second terminal device and the base station.
  • encryption protection is enabled by default, or encryption protection is not enabled by default.
  • integrity protection may be enabled by default or not enabled by default.
  • when multiple PDU sessions have been established on the second terminal device, the first parameter further includes the security protection modes supported by the multiple PDU sessions, or the intersection of the security protection modes supported by the multiple PDU sessions. For example, if PDU session1 supports encryption protection but PDU session2 does not, the first parameter includes a security protection mode that supports enabling encryption protection.
  • the first parameter may include the DNN and/or NSSAI related to each PDU session, and the security protection modes supported by each PDU session.
  • the type of the first access network device. For example, as shown in FIG. 1C, UE3 is connected to a gNB and UE4 is connected to an eNB. If the second terminal device is UE3, the first access network device is the gNB, and the type of the first access network device is a gNB base station or a 5G base station. If the second terminal device is UE4, the first access network device is the eNB, and the type of the first access network device is an eNB base station or a 4G base station. If the second terminal device is UE5, the first access network device is an ng-eNB, and the type of the first access network device is an ng-eNB base station or an evolved 4G base station. Other base station types are not restricted here.
  • First indication information where the first indication information is indication information of whether the first access network device supports the on-demand protection mode.
  • if the RAN1 to which UE2 is connected supports the on-demand protection mode, the first indication information indicates that the first access network device supports the on-demand protection mode; if the RAN1 to which UE2 is connected does not support the on-demand protection mode, the first indication information indicates that the first access network device does not support the on-demand protection mode.
  • Second indication information where the second indication information is used to indicate that the first access network device has the capability of supporting integrity protection. For example, as shown in FIG. 1C , if the second terminal device is UE3, and the gNB connected to UE3 supports integrity protection, the first parameter includes the second indication information.
  • a digital signature, calculated by the second terminal device with the private key of the second terminal device and/or the certificate of the second terminal device, where the content covered by the digital signature includes the security information between the second terminal device and the first access network device.
  • when the digital signature is calculated by the second terminal device with the certificate of the second terminal device, the first parameter also carries the certificate of the second terminal device, and the certificate of the second terminal device carries the public key corresponding to the private key of the second terminal device.
  • the process for the second terminal device to obtain its private key is as follows: during the registration process of the second terminal device, the UE obtains the private key of the second terminal device from a network device such as the PCF network element, the UDM network element, the unified data repository (UDR) network element, a key management entity, or a proximity-based services function (ProSe function).
  • the configuration process of the private key of the second terminal device and/or the root certificate of the second terminal device is introduced by taking the PCF network element as an example.
  • the PCF network element sends first configuration information to the AMF network element, where the first configuration information carries the private key of the second terminal device and/or the certificate of the second terminal device.
  • the AMF network element sends the private key of the second terminal device and/or the certificate of the second terminal device to the second terminal device through a non-access stratum (non access stratum, NAS) message.
  • the identity of the second terminal device, that is, the user equipment identity (UE ID) of the second terminal device, for example a subscriber permanent identifier (SUPI) or a generic public subscription identifier (GPSI).
  • the identifier of the network to which the second terminal device belongs or which it serves, for example a PLMN ID or a non-public network identifier (NPN ID).
  • a first data network name (DNN), where the first DNN is a DNN for which the second terminal device supports providing the relay service, and which is used to indicate that the second terminal device supports providing the relay service for the first DNN.
  • First slice information where the first slice information is information of a slice that the second terminal device supports to provide a relay service.
  • the first slice information is used to indicate that the second terminal device supports providing a relay service for the service corresponding to the slice.
  • the first slice information is single network slice selection assistance information (single network slice selection assistance information, S-NSSAI).
  • the above-mentioned first parameter can be understood as the current protection status between the second terminal device and the first access network device, or the security protection mode that can be executed in the future, so that the first terminal device can determine whether to select the second terminal device according to the security requirements of the first terminal device.
  • Step 202: the second terminal device sends a first message to the first terminal device.
  • the first message carries the first parameter.
  • for the first parameter, refer to the related introduction of the foregoing step 201, which is not repeated here.
  • the first message carries the identity information of the second terminal device as the UE relay.
  • the first parameter is added to the first message in this embodiment.
  • the first terminal device is configured to communicate with the network through the UE relay
  • the second terminal device is configured to perform the role of the UE relay.
  • the specific configuration manner is not limited in this application.
  • during the registration process of the first terminal device, the first terminal device obtains second configuration information from a PCF network element (which may also be a network device such as a UDM network element, a UDR network element, a key management entity, or a ProSe function).
  • the second configuration information includes the capability of the first terminal device to use UE relay.
  • the second terminal device obtains the third configuration information from a PCF network element (which may also be a network device such as a UDM network element, a UDR network element, a key management entity, or a prose function).
  • the third configuration information includes that the second terminal device can perform the function of UE relay.
  • the following describes the configuration process by taking the process of acquiring the second configuration information by the first terminal device and taking the PCF network element as an example.
  • the PCF network element sends the second configuration information to the AMF network element, and the AMF network element sends the second configuration information to the first terminal device through a NAS message.
  • the first message is a broadcast message or a multicast message of the second terminal device, or is a response message sent by the second terminal device to the first terminal device.
  • this embodiment further includes step 202a, and step 202a is performed before step 202.
  • Step 202a: the first terminal device sends a second request message.
  • the second request message is used to indicate that the first terminal device needs UE-to-network relay; or, the second request message is used to request a service.
  • after the second terminal device receives the second request message, the second terminal device sends a response message to the first terminal device.
  • the response message carries the first parameter and the identity information of the second terminal device as the UE relay.
  • Step 203: the first terminal device selects the second terminal device according to the first parameter.
  • the first terminal device determines whether to select the second terminal device as a relay node for subsequent connection to the network through the first parameter. For example, as shown in FIG. 1B , UE1 determines whether to select UE2 as a relay node connecting to RAN1.
  • this embodiment further includes step 203a, and step 203a is performed before step 203.
  • Step 203a: the first terminal device determines a first security policy.
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
  • the first security policy includes protection requirements for encryption protection and protection requirements for integrity protection.
  • the service to be used by the first terminal device may be characterized by at least one of the following pieces of information: first service information, second DNN, and second slice information.
  • the first service information is service information corresponding to a service to be used by the first terminal device.
  • the second DNN is the DNN corresponding to the service to be used by the first terminal device.
  • the second slice information is slice information corresponding to the service to be used by the first terminal device.
  • the first service information is used to identify service information.
  • the first service information includes at least one of the following: service type, service identifier, application type, and application identifier.
  • the first terminal device determines the first security policy by at least one item of information among the first service information, the second DNN and the second slice information, that is, the first terminal device determines its security requirements.
  • the first security policy includes encryption protection as required and integrity protection as preferred.
  • step 203 specifically includes:
  • the first terminal device selects the second terminal device according to the first security policy and the first parameter.
  • Step 203 is described below with reference to the specific content of the first security policy.
  • when the first security policy indicates that integrity protection is required, the first terminal device performs at least one of the following operations:
  • if a PDU session has been established on the second terminal device and the PDU session supports enabling integrity protection, the first terminal device can select the second terminal device; that is, the first terminal device may select a PDU session that supports enabling integrity protection to provide service for the first terminal device.
  • the first terminal device selects the second terminal device according to the type of the first access network device. For example, when UE1 selects a UE relay, UE3 is connected to a gNB, and the gNB supports integrity protection, whereas UE4 is connected to an eNB, and the eNB does not support integrity protection. Therefore, UE1 selects UE3 as the UE relay according to the indication information carried in the message broadcast by UE3, which indicates that the gNB supports integrity protection; that is, UE1 communicates with the network through UE3.
  • if the first indication information indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device. For example, if the gNB connected to UE3 supports the on-demand protection mode, it can be understood that the gNB supports flexibly enabling encryption protection and flexibly enabling integrity protection, and UE1 then selects UE3.
  • the first terminal device selects the second terminal device.
  • the first parameter includes the second indication information.
  • the first terminal device selects the second terminal device, so that the gNB can provide the integrity protection service subsequently.
• If the first security policy indicates that integrity protection is preferred, preferred means that integrity protection may be enabled or may not be enabled. Therefore, when the first terminal device selects the second terminal device, there is no restriction on whether the second terminal device can provide integrity protection. For example, regardless of whether the second terminal device is connected to a 5G base station or a 4G base station, the first terminal device can select the second terminal device.
• If the first security policy indicates that encryption protection is required, the first terminal device performs at least one of the following operations:
• When the first terminal device receives multiple messages broadcast by terminal devices that can serve as UE relays, and PDU sessions have been established on these terminal devices, the first terminal device selects, as the second terminal device, a terminal device whose established PDU session supports enabling encryption protection.
• The first terminal device selects a second terminal device whose access network device supports on-demand protection. For example, if the gNB connected to UE3 supports on-demand protection, which means that the gNB supports flexibly enabling encryption protection and flexibly enabling integrity protection, UE1 selects UE3.
• If the first security policy indicates that encryption protection is preferred, preferred means that encryption protection may be enabled or may not be enabled. Therefore, when selecting the second terminal device, the first terminal device does not limit whether the second terminal device is capable of providing encryption protection. For example, regardless of whether the established PDU session on the second terminal device supports encryption protection, the first terminal device can select the second terminal device.
• It should be noted that when the first security policy indicates that encryption protection is required, the other capabilities of the second terminal device are not limited, except that, when selecting an established PDU session, the first terminal device selects a PDU session that supports encryption protection. This is because encryption protection is supported no matter what type of base station the second terminal device is connected to.
• If the first security policy indicates that encryption protection is not needed and/or that integrity protection is not needed, the corresponding capability of the second terminal device is not limited.
• Optionally, the first terminal device preferentially selects a second terminal device on which a PDU session has been established and on which the encryption protection or integrity protection, respectively, is not enabled.
• If the first DNN is consistent with the second DNN and/or the first slice information is consistent with the second slice information, the first terminal device selects the second terminal device.
  • Consistency of the first DNN and the second DNN includes: the first DNN is the same as the second DNN, or the first DNN includes (covers) the second DNN.
  • the first slice information being consistent with the second slice information includes: the first slice information is the same as the second slice information, or the first slice information includes (covers) the second slice information.
• If the first security policy is consistent with the second security policy, the first terminal device selects the second terminal device.
• That the first security policy is consistent with the second security policy can be understood as follows: the security policy corresponding to the second DNN and/or the second slice information to be accessed by the first terminal device can be provided by the second security policy.
• If the first security policy indicates that encryption protection is required, then encryption protection in the second security policy must be required.
• If the first security policy indicates that encryption protection is preferred, then encryption protection in the second security policy must be required or preferred.
  • the same is true for the integrity protection indicated by the first security policy, and details are not repeated here.
  • the first security policy indicates that the encryption protection is not needed, then there is no restriction on the second security policy. If the first security policy indicates that the integrity protection is not needed, there is no restriction on the second security policy.
• The above describes how the first terminal device selects the second terminal device according to particular information carried in the first parameter.
• The first terminal device may select the second terminal device according to one or more of the parameters in the first parameter; that is, the first terminal device may perform several of the above selection processes in combination.
• For example, if the first terminal device determines through the first parameter that the second terminal device meets both the encryption protection requirement and the integrity protection requirement of the first security policy, the first terminal device selects the second terminal device.
  • the scenario where relay is selected in this embodiment is applicable to the hop-by-hop protection mechanism and the end-to-end protection mechanism.
• For example, the first terminal device selects the second terminal device according to the type of the base station connected to the second terminal device, whether the base station supports integrity protection, whether the base station supports on-demand protection, or other parameters; then, the first terminal device implements end-to-end security protection between the first terminal device and the base station through the second terminal device.
  • the first parameter includes a digital signature.
• The first terminal device verifies the correctness of the digital signature. If the verification succeeds, the first terminal device performs the step of selecting the second terminal device; if the verification fails, the first terminal device determines that the first message is an illegal message and discards the first message.
  • the first terminal device verifies the digital signature by using the public key corresponding to the private key of the second terminal device.
• The first terminal device obtains the public key of the second terminal device as follows: the first message also carries the identifier of the second terminal device, and the first terminal device determines the public key of the second terminal device through that identifier.
  • the first terminal device verifies the digital signature through the certificate of the second terminal device.
  • the first message carries the certificate of the second terminal device and the digital signature.
• The first terminal device verifies the certificate of the second terminal device, and when the verification succeeds, the first terminal device uses the certificate of the second terminal device to verify the digital signature. Specifically, the first terminal device may verify the received certificate of the second terminal device by using the root certificate of the second terminal device.
  • the first terminal device obtains the root certificate in the following manner.
  • the first message also carries a network identifier (for example, PLMN ID and/or NPN ID) to which the second terminal device belongs, and the first terminal device determines the root certificate of the second terminal device according to the network identifier.
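• The signature and certificate checks described above, carried out end to end as an added Go example. This is not code from the patent or from Huawei: it assumes Ed25519 keys, a relay certificate whose Common Name carries the identifier of the second terminal device, and one root certificate per network identifier looked up by PLMN ID; the names Broadcast, Verifier and Fixture and the PLMN ID "46000" are constructed for the example. A message that fails any step is reported as illegal so the caller can discard it before relay selection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Broadcast is the first message as assumed here: relay identifier, network identifier,
// serialised first parameter, relay certificate (DER) and a signature over the parameter.
type Broadcast struct {
	RelayID string
	PLMNID  string
	Body    []byte
	CertDER []byte
	Sig     []byte
}

// Verifier keeps one root certificate pool per network identifier (PLMN ID / NPN ID).
type Verifier struct {
	Roots map[string]*x509.CertPool
	Now   time.Time
}

// Verify runs the check sequence of the page: find the root for the announced network, verify
// the relay certificate against it, then verify the signature with the certified key.
func (v Verifier) Verify(b Broadcast) error {
	pool, ok := v.Roots[b.PLMNID]
	if !ok {
		return errors.New("no root certificate for the announced network identifier")
	}
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != b.RelayID {
		return errors.New("certificate subject does not match the announced relay identifier")
	}
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: v.Now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("relay certificate does not carry an Ed25519 key")
	}
	if !ed25519.Verify(pub, b.Body, b.Sig) {
		return errors.New("digital signature does not verify")
	}
	return nil
}

func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) ([]byte, *x509.Certificate) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return der, c
}

// Fixture builds constructed material: a root for PLMN ID "46000", a certificate for relay UE3
// issued under it, and a signed broadcast. The relay key is returned so callers can re-sign.
func Fixture() (Verifier, Broadcast, ed25519.PrivateKey) {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	template := func(n *big.Int, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: n, Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := template(big.NewInt(1), "PLMN 46000 root")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid, rootTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	_, root := mustCert(rootTmpl, rootTmpl, rootPub, rootPriv)

	relayPub, relayPriv, _ := ed25519.GenerateKey(rand.Reader)
	relayTmpl := template(big.NewInt(2), "UE3")
	relayTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	relayDER, _ := mustCert(relayTmpl, root, relayPub, rootPriv)

	pool := x509.NewCertPool()
	pool.AddCert(root)
	body := []byte("first parameter: RAT=gNB integrity=on") // constructed payload
	b := Broadcast{RelayID: "UE3", PLMNID: "46000", Body: body, CertDER: relayDER, Sig: ed25519.Sign(relayPriv, body)}
	return Verifier{Roots: map[string]*x509.CertPool{"46000": pool}, Now: now}, b, relayPriv
}

func main() {
	v, b, _ := Fixture()
	fmt.Println("genuine broadcast:", v.Verify(b))
	b.Body = []byte("first parameter: RAT=eNB integrity=off") // attacker edits the security claims
	fmt.Println("tampered broadcast:", v.Verify(b))
}
```

The order of the checks matters: the root is chosen from the network identifier in the message, so an attacker who controls that field can only steer verification towards a root the first terminal device already trusts, never supply one; and the identifier-to-certificate binding is checked before the signature so that a valid certificate of some other relay cannot be replayed under a different identity.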
• When the first terminal device receives multiple messages broadcast by terminal devices serving as UE relays, and multiple terminal devices meet the security requirements of the first terminal device, the first terminal device selects the second terminal device according to the priority of the broadcast parameters.
• For example, a PDU session that supports enabling integrity protection has a higher priority.
• For example, a type of access network device that supports integrity protection has a higher priority.
• The following describes the process of selecting the second terminal device by the first terminal device, taking as an example the case in which the first terminal device receives two messages broadcast by terminal devices serving as UE relays.
  • This embodiment further includes step 203b, and step 203b is performed before step 203.
  • Step 203b The first terminal device receives the second message.
  • the second message carries a second parameter
  • the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device.
  • UE1 receives the first message broadcasted by UE3, where the first message carries the first parameter.
  • UE1 receives the second message broadcasted by UE4, where the second message carries the second parameter.
  • the above step 203 specifically includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
  • the first terminal device may select the second terminal device according to the first security policy, the first parameter and the second parameter. Two possible options are shown below:
• Option 1: The first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is that integrity protection is enabled; the second parameter includes the second security protection mode supported by the second PDU session, and the second security protection mode is that integrity protection is not enabled. In this case, the first terminal device selects the second terminal device.
• Here, the first PDU session is an established PDU session on the second terminal device, and the second PDU session is an established PDU session on the third terminal device.
• Since the first security protection mode enables integrity protection while the second security protection mode does not, the priority of the first security protection mode is higher, and the first terminal device selects the second terminal device.
• Option 2: The priority of the first indication information is higher than the priority of the third indication information, so the first terminal device selects the second terminal device.
  • the first terminal device may also select the second terminal device according to other parameters. For example, the first terminal device selects the second terminal device according to the types of access network devices to which the multiple terminal devices are connected.
• For example, a 5G base station supports integrity protection while a 4G base station does not, so the first terminal device preferentially selects a second terminal device connected to a 5G base station.
  • the above shows a solution in which the first terminal device selects the second terminal device from the plurality of terminal devices according to the priority of a parameter broadcast by the plurality of terminal devices.
  • the first terminal device comprehensively selects the second terminal device according to the priorities of multiple parameters.
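• The relay selection of step 203 as one added Go example covering both the single-candidate checks described earlier (selection by the first security policy against the base station type, on-demand support and the established PDU session; the consistency rule between the first and second security policies) and the priority ordering among several broadcasts described just above. This is not code from the patent or from Huawei. The type and field names (Announcement, SecurityPolicy, Eligible, SelectRelay), the scoring weights, and the reading that an on-demand-capable gNB can rescue a session whose protection is currently off are assumptions made here; the UE3 (gNB) and UE4 (eNB) broadcasts are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Requirement is the value a security policy assigns to encryption or integrity protection.
type Requirement int

const (
	NotNeeded Requirement = iota
	Preferred
	Required
)

// SecurityPolicy models both the first security policy (remote UE) and the second (relay).
type SecurityPolicy struct{ Encryption, Integrity Requirement }

// Announcement is the first parameter broadcast by a candidate UE relay. Field names are
// assumptions: the page lists the content of the parameter, not its encoding.
type Announcement struct {
	UE            string
	RAT           string         // "gNB" (5G base station) or "eNB" (4G base station)
	OnDemand      bool           // base station supports on-demand (flexible) protection
	HasPDUSession bool           // a PDU session is already established on the relay
	PDUEncryption bool           // encryption protection enabled on that session
	PDUIntegrity  bool           // integrity protection enabled on that session
	Policy        SecurityPolicy // second security policy
}

// satisfied is the consistency rule of the page: required needs required, preferred needs
// required or preferred, not needed imposes no restriction.
func satisfied(want, have Requirement) bool {
	switch want {
	case Required:
		return have == Required
	case Preferred:
		return have == Required || have == Preferred
	}
	return true
}

// PolicyConsistent checks the first security policy against the second security policy.
func PolicyConsistent(first, second SecurityPolicy) bool {
	return satisfied(first.Encryption, second.Encryption) && satisfied(first.Integrity, second.Integrity)
}

// Eligible decides whether one relay can meet the remote UE's first security policy and,
// if it cannot, says why.
func Eligible(p SecurityPolicy, a Announcement) (bool, string) {
	if p.Integrity == Required {
		if a.RAT != "gNB" { // only a gNB provides user-plane integrity protection
			return false, "base station does not support integrity protection"
		}
		// an established session must have integrity on, or the gNB must be able to turn it on
		if a.HasPDUSession && !a.PDUIntegrity && !a.OnDemand {
			return false, "established PDU session cannot enable integrity protection"
		}
	}
	// every base station type supports encryption, so only the session state matters
	if p.Encryption == Required && a.HasPDUSession && !a.PDUEncryption && !a.OnDemand {
		return false, "established PDU session cannot enable encryption protection"
	}
	if !PolicyConsistent(p, a.Policy) {
		return false, "second security policy cannot provide the first security policy"
	}
	return true, ""
}

// priority ranks eligible relays: a session with integrity enabled first, then a gNB.
func priority(a Announcement) int {
	p := 0
	if a.HasPDUSession && a.PDUIntegrity {
		p += 2
	}
	if a.RAT == "gNB" {
		p++
	}
	return p
}

// SelectRelay keeps the eligible relays, best candidate first.
func SelectRelay(p SecurityPolicy, anns []Announcement) []Announcement {
	var ok []Announcement
	for _, a := range anns {
		if good, _ := Eligible(p, a); good {
			ok = append(ok, a)
		}
	}
	sort.SliceStable(ok, func(i, j int) bool { return priority(ok[i]) > priority(ok[j]) })
	return ok
}

func main() {
	// constructed broadcasts mirroring the UE3 (gNB) / UE4 (eNB) example on the page
	ue3 := Announcement{UE: "UE3", RAT: "gNB", OnDemand: true, HasPDUSession: true, PDUEncryption: true, PDUIntegrity: true, Policy: SecurityPolicy{Required, Required}}
	ue4 := Announcement{UE: "UE4", RAT: "eNB", HasPDUSession: true, PDUEncryption: true, Policy: SecurityPolicy{Required, Preferred}}
	for _, a := range SelectRelay(SecurityPolicy{Required, Preferred}, []Announcement{ue4, ue3}) {
		fmt.Println(a.UE) // UE3 before UE4; with integrity Required only UE3 is selected
	}
}
```

Eligible is deliberately a hard filter and priority a separate soft ordering: a candidate that cannot satisfy a required feature is never chosen however attractive its other parameters are, which is the property the page's "illegal message" handling and the required/preferred distinction are meant to give.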
  • the first terminal device sends a fifth message to the second terminal device.
  • the first terminal device may send a message to the second terminal device to facilitate communication with the network.
• In this embodiment, the first terminal device receives a first message carrying a first parameter, where the first parameter indicates the security information for communication between the second terminal device and the first access network device; the first terminal device then selects the second terminal device according to the first parameter. Because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can select a second terminal device that matches its own security requirements, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
  • FIG. 3 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • the communication method includes:
  • the first terminal device sends a second message to the second terminal device.
  • the second message carries a first security policy, where the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
  • the related introduction of the first security policy please refer to the related introduction to the first security policy in step 203a in the above-mentioned embodiment shown in FIG. 2 , and details are not repeated here.
  • the first terminal device is configured to implement communication with the network through the UE relay, while the second terminal device is configured to perform the role of the UE relay.
• For the specific configuration method, refer to the related introduction in step 202 of the embodiment shown in FIG. 2, which is not repeated here.
  • this embodiment may be implemented on the basis of the embodiment shown in FIG. 2 , that is, the first terminal device selects the second terminal device as the UE relay through the method of the embodiment shown in FIG. 2 .
  • the first security policy is a user plane (user plane, UP) security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
  • the second terminal device determines a first security protection mode according to the first security policy.
  • the second terminal device may determine that the first security protection mode is to enable encryption protection and enable integrity protection.
• The second terminal device may determine the first security protection mode in combination with the PDU session already established on the second terminal device, so that the security protection mode used for data communication between the second terminal device and the first access network device over that PDU session is negotiated to be consistent with the first security protection mode.
  • Case a The following shows multiple possible implementations in which the first security protection mode is consistent with the second security protection mode supported by the second PDU session.
  • the second PDU session is a PDU session that has been established on the second terminal device and is used to provide services for a remote UE or a common UE.
• Implementation mode 1: If the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session is to enable encryption protection, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
• Specifically, the second terminal device determines that the encryption protection requirement in the first security protection mode should be to enable encryption protection, and the second security protection mode supported by the second PDU session is to enable encryption protection. From the perspective of encryption protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the encryption protection mode in the second security protection mode as the encryption protection mode in the first security protection mode; that is, the encryption protection mode in the first security protection mode is consistent with the encryption protection mode in the second security protection mode. In addition, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device over it.
• Implementation mode 2: If the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session is to enable integrity protection, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
• Specifically, the second terminal device determines that the integrity protection requirement in the first security protection mode should be to enable integrity protection, and the second security protection mode supported by the second PDU session is to enable integrity protection. From the perspective of integrity protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the integrity protection mode in the second security protection mode as the integrity protection mode in the first security protection mode; that is, the integrity protection mode in the first security protection mode is consistent with the integrity protection mode in the second security protection mode. In addition, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device over it.
• Implementation mode 3: If the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session is not to enable encryption protection, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
  • the second terminal device determines that the encryption protection requirement in the first security protection mode may be not to enable encryption protection. From the perspective of encryption protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the encryption protection mode in the second security protection mode supported by the second PDU session as the first security protection The encryption protection mode in the mode, that is, the encryption protection mode in the first security protection mode is consistent with the encryption protection mode in the second security protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device for the first terminal device.
• Implementation mode 4: If the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session is not to enable integrity protection, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
  • the second terminal device determines that the integrity protection requirement in the first security protection mode may be not to enable integrity protection. From the perspective of integrity protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the integrity protection mode in the second security protection mode supported by the second PDU session as the first security mode Integrity protection mode in protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device for the first terminal device.
• Implementation mode 5: If the first security policy indicates that encryption protection is preferred, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
  • the second terminal device determines that the encryption protection in the first security protection mode can be enabled or disabled. Therefore, from the perspective of encryption protection, the second PDU session can provide services for the first terminal device regardless of whether the second security protection mode is to enable encryption protection or not to enable encryption protection. Therefore, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode. And, the second terminal device determines to provide services for the first terminal device through the second PDU session.
• Implementation mode 6: If the first security policy indicates that integrity protection is preferred, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
  • the second terminal device determines that the integrity protection in the first security protection manner may be to enable integrity protection or not to enable integrity protection. Therefore, from the perspective of integrity protection, regardless of whether the second security protection mode is to enable integrity protection or not to enable integrity protection, the second PDU session can provide services for the first terminal device. Therefore, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode. And, the second terminal device determines to provide services for the first terminal device through the second PDU session.
• If multiple PDU sessions have been established on the second terminal device, the second terminal device may select the second PDU session from the multiple PDU sessions in combination with the security protection requirements, the corresponding quality of service (QoS), the slice information, and the like.
  • the foregoing implementation manners 1 to 6 only illustrate the process of determining the first security protection manner by the second terminal device from the perspective of encryption protection or integrity protection.
• When the second terminal device chooses to provide services for the first terminal device through a PDU session, it should select a PDU session whose encryption protection and integrity protection both meet the encryption protection requirement and the integrity protection requirement of the first terminal device; that is, the second security protection mode supported by the second PDU session meets both the encryption protection requirement and the integrity protection requirement of the first terminal device.
  • Case b The following shows various possible implementations in which the first security protection mode is inconsistent with the second security protection mode supported by the second PDU session.
  • the second PDU session is a PDU session that has been established on the second terminal device and is used to provide services for a remote UE or a common UE.
• Implementation mode 1: If the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is not to enable encryption protection, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  • the second terminal device may request to modify the second PDU session or request to establish a new third PDU session.
• Implementation mode 2: If the first security policy indicates that integrity protection is preferred, and the second security protection mode supported by the second PDU session is not to enable integrity protection, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  • the implementation mode 2 is similar to the implementation mode 1. For details, please refer to the related introduction of the implementation mode 1.
• Implementation mode 3: If the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, and/or the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode is inconsistent with the second security protection mode.
  • the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, including many possible forms.
  • the following examples are introduced:
  • the second security protection mode is not to enable encryption protection, and the first security policy indicates that encryption protection is required;
  • the second security protection method is to enable encryption protection, and the first security policy indicates that the encryption protection is not needed.
• That the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy includes multiple possible forms.
  • the following examples are introduced:
  • the second security protection mode is not to enable integrity protection, and the first security policy indicates that integrity protection is required;
  • the second security protection method is to enable integrity protection, and the first security policy indicates that integrity protection is not needed.
  • the second terminal device determines that the first security protection mode is inconsistent with the second security protection mode, and the second terminal device may request to modify the second PDU session or request to establish a new third PDU session.
• If no PDU session has been established on the second terminal device, the second terminal device may request to establish a new third PDU session for providing services to the first terminal device.
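• Case a and Case b above, as one added Go example of the decision the second terminal device makes in step 302 (not code from the patent or from Huawei). The names Policy, Mode, Action and Decide are assumptions; the upgradePreferred flag switches between the reading of Case a implementations 5 and 6 (a preferred feature accepts whatever the session has) and that of Case b implementations 1 and 2 (a preferred feature that the session has off makes the modes inconsistent). Turning a preferred feature on when a session has to be changed anyway is this example's choice, not something the page specifies.

```go
package main

import "fmt"

// Requirement is the value the first security policy assigns to one feature.
type Requirement int

const (
	NotNeeded Requirement = iota
	Preferred
	Required
)

// Policy is the first security policy received from the remote UE.
type Policy struct{ Encryption, Integrity Requirement }

// Mode is a concrete on/off setting: the second security protection mode of an established PDU
// session, or the first security protection mode chosen for the remote UE.
type Mode struct{ Encryption, Integrity bool }

// Action is what the relay must do about its PDU sessions after the decision.
type Action int

const (
	UseExisting   Action = iota // the second PDU session serves the remote UE as it is
	ModifySession               // request the SMF to modify the second PDU session
	NewSession                  // request the SMF to establish a third PDU session
)

func (a Action) String() string { return [...]string{"use existing", "modify", "new session"}[a] }

// featureOK is the consistency test of Case a: required needs on, not needed needs off, and
// preferred accepts either unless upgradePreferred is set, in which case a preferred feature
// that the session has off counts as inconsistent (Case b, implementations 1 and 2).
func featureOK(want Requirement, on, upgradePreferred bool) bool {
	switch want {
	case Required:
		return on
	case NotNeeded:
		return !on
	}
	return on || !upgradePreferred
}

// desired is the mode requested when a session has to be modified or created: required and
// preferred features on, not needed features off (the preferred choice is this example's).
func desired(p Policy) Mode {
	return Mode{p.Encryption != NotNeeded, p.Integrity != NotNeeded}
}

// Decide returns the first security protection mode and the action on the PDU sessions.
// sessions lists the second security protection modes of the relay's established PDU sessions.
func Decide(first Policy, sessions []Mode, upgradePreferred bool) (Mode, Action) {
	if len(sessions) == 0 {
		return desired(first), NewSession
	}
	for _, s := range sessions { // Case a: adopt the first consistent session unchanged
		if featureOK(first.Encryption, s.Encryption, upgradePreferred) &&
			featureOK(first.Integrity, s.Integrity, upgradePreferred) {
			return s, UseExisting
		}
	}
	return desired(first), ModifySession // Case b: no session is consistent
}

func main() {
	first := Policy{Encryption: Required, Integrity: Preferred}
	sessions := []Mode{{Encryption: true, Integrity: false}} // constructed session state
	m, act := Decide(first, sessions, false)
	fmt.Printf("Case a reading: mode=%+v action=%s\n", m, act) // integrity stays off, use existing
	m, act = Decide(first, sessions, true)
	fmt.Printf("Case b reading: mode=%+v action=%s\n", m, act) // integrity turned on, modify
}
```

Note the asymmetry the page relies on: "not needed" is a hard constraint in the same way "required" is, so a session that has a feature enabled is not reused for a policy that says the feature is not needed; the relay has to modify it or open a third PDU session rather than silently running with more protection than the policy states.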
  • the second terminal device uses the first security protection mode as a security protection mode used for data communication between the first terminal device and the second terminal device.
  • the second terminal device sends the first security protection mode to the first terminal device.
  • the first terminal device sends a second message to the second terminal device, where the second message carries the first security policy; then, the second terminal device determines the first security protection mode according to the first security policy, The first security protection mode is used as the security protection mode used for data communication between the first terminal device and the second terminal device, and the first security protection mode is sent to the first terminal device.
• In this way, the first terminal device can determine the first security protection mode used between the first terminal device and the second terminal device, and the security protection mode between the first terminal device and the second terminal device is kept consistent with the security protection mode between the second terminal device and the first access network device, which improves the security of data transmission.
  • step 302 is an implementation manner in which the second terminal device considers the establishment of a PDU session when determining the first security protection manner.
• This embodiment of the present application also provides another embodiment, which is similar to the embodiment shown in FIG. 3, except that step 302 is replaced with: the second terminal device determines the first security protection mode according to the fourth security policy and/or the received first security policy.
  • the fourth security policy is a security policy determined by the second terminal device and corresponding to the service to be used by the first terminal device. Then, the second terminal device compares the first security protection mode with the second security protection mode supported by the established second PDU session.
• If the first security protection mode is inconsistent with the second security protection mode, the second terminal device can modify the second PDU session or create a new PDU session, obtaining the modified second PDU session or the newly created third PDU session; or, if no PDU session has been established on the second terminal device, the second terminal device creates the third PDU session. That is, the second terminal device first determines the first security protection mode, and then, in combination with the state of PDU session establishment on the second terminal device, selects a corresponding PDU session to provide services for the first terminal device.
  • the fourth security protection mode supported by the modified second PDU session is the same as the first security protection mode; or, the fourth security protection mode supported by the third PDU session is the same as the first security protection mode.
  • this embodiment further includes steps 305 to 309 , and steps 305 to 309 are executed after step 303 .
  • the second terminal device sends the first request message to the SMF network element.
  • the first request message is used for requesting to modify the second PDU session or for requesting to establish a third PDU session.
  • the first request message carries a third parameter, and the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device.
  • the second terminal device may request the SMF network element to modify the second PDU session or request to establish a new third PDU session.
  • the second terminal device may provide services for the first terminal device through the modified second PDU session; or, the second terminal device may provide services for the first terminal device through the third PDU session.
  • the third parameter includes at least one of the following:
  • First service information, where the first service information is service information corresponding to a service to be used by the first terminal device, for example, a service ID, a service type, etc.
  • a second DNN where the second DNN is a DNN to be accessed by the first terminal device.
  • Second slice information where the second slice information is slice information of the slice to be accessed by the first terminal device.
  • First indication information where the first indication information is used to indicate that the first request message is a request message for a PDU session for providing a relay service.
  • a first protection indication where the first protection indication is used to indicate a protection mechanism that the first terminal device expects to execute during data communication between the first terminal device and the first access network device.
  • the first protection indication is used to indicate that the first terminal device expects to use the E2E protection mechanism or the hop-by-hop protection mechanism.
  • the first request message sent by the second terminal device to the SMF network element may be: the second terminal device sends the first request message to the SMF network element through the first access network device and the AMF network element, that is, the first access network device forwards the first request message towards the SMF network element.
  • the first access network device and the AMF network element play a relay role for the first request message.
  • the second terminal device first sends the third parameter to the AMF network element, and then the AMF network element sends the third parameter to the SMF network element.
  • Step 305 is only described as the information received by the final SMF network element, and there is no restriction on the transmission mode of the information.
  • the SMF network element determines a third security policy according to the third parameter.
  • the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
  • the third security policy is similar to the first security policy.
  • the third security policy may be understood by referring to the relevant introduction of the first security policy in the embodiment shown in FIG. 2 .
  • the following describes the manner in which the SMF network element determines the third security policy in combination with the above-mentioned third parameter.
  • the third parameter carries the first security policy, and the above step 306 specifically includes:
  • the SMF network element determines the third security policy according to the first security policy.
  • the SMF network element sets the third security policy so that the third security policy is the same as the first security policy; or, the SMF network element directly uses the first security policy as the third security policy.
  • the third parameter carries the first security protection mode, and the above step 306 specifically includes:
  • the SMF network element determines the third security policy according to the first security protection manner.
  • the SMF network element determines the first security policy according to the first security protection manner, and then the SMF network element sets the third security policy to be the same as the first security policy.
  • the first security protection mode is to enable encryption protection and not to enable integrity protection
  • the SMF network element determines according to the first security protection mode that the encryption protection indicated by the first security policy is required, and the integrity protection indicated by the first security policy is not needed. Then, the SMF network element sets the third security policy, and the third security policy is the same as the first security policy, that is, the encryption protection indicated by the third security policy is required, and the integrity protection indicated by the first security policy is not needed.
  • Mode 3 is described below in combination with steps 1 to 3.
  • the third parameter includes at least one item of information: first service information, second DNN, and second slice information.
  • Step 1: The SMF network element sends at least one of the following information to the UDM network element: first service information, second DNN and second slice information.
  • the SMF network element sends the at least one item of information to the UDM network element.
  • Step 2: The SMF network element receives the subscription security policy sent by the UDM network element.
  • the UDM network element acquires the subscription security policy corresponding to the at least one piece of information, and sends the subscription security policy to the SMF network element.
  • Step 3: The SMF network element uses the subscription security policy as the third security policy; or, the SMF network element determines the third security policy according to the subscription security policy and the first security policy; or, the SMF network element determines the third security policy according to the subscription security policy and the first security protection mode.
  • the SMF network element may determine the third security policy according to the subscription security policy and the first security policy.
  • the SMF network element may use the subscription security policy as the third security policy.
  • if the encryption protection indicated by the subscription security policy is required and the integrity protection indicated by the subscription security policy is not needed, and the encryption protection indicated by the first security policy is required and the integrity protection indicated by the first security policy is preferred, then the SMF network element may use the subscription security policy as the third security policy.
  • the encryption protection indicated by the subscription security policy does not match the encryption protection indicated by the first security policy, which includes multiple possible forms.
  • the following examples illustrate:
  • the encryption protection indicated by the subscription security policy is not needed, and the encryption protection indicated by the first security policy is required.
  • the integrity protection indicated by the subscription security policy does not match the integrity protection indicated by the first security policy, which includes multiple possible forms, and the following examples illustrate:
  • the integrity protection indicated by the subscription security policy is not needed, and the integrity protection indicated by the first security policy is required.
  • the encryption protection indicated by the subscription security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the subscription security policy is the same as that indicated by the first security policy.
  • the SMF network element releases the session establishment process or the session modification process and sends a reject message to the first access network device, and then the first access network device sends a reject message to the second terminal device.
  • the SMF network element may determine the third security policy according to the subscription security policy and the first security protection mode. Specifically, the SMF network element determines the first security policy according to the first security protection mode, and then determines whether the first security policy and the subscription security policy match; if they match, the SMF network element sets the third security policy so that it is the same as the first security policy.
  • Mode 4: the third parameter further includes a first security protection mode; the above step 306 specifically includes: the SMF network element determines a third security policy according to the first security policy and the first security protection mode.
  • the first security protection mode is to enable encryption protection and disable integrity protection.
  • the first security policy indicates that encryption protection is required, and the first security policy indicates that integrity protection is preferred.
  • the SMF network element can set the third security policy, for example, the third security policy indicates that encryption protection is required, and the first security policy indicates that integrity protection is preferred; or, the third security policy indicates that encryption protection is required, and the first security policy indicates that integrity protection is not needed.
  • the SMF network element may also determine that the PDU session is to be established for the first terminal device according to the first indication information.
  • the third parameter includes at least one item of information among the first protection indication, the first service information, the second DNN, and the second slice information
  • the SMF network element determines the second protection indication according to the at least one item of information, and sends the second protection indication to the second terminal device through the AMF network element.
  • the second protection indication indicates the protection mechanism, determined by the SMF network element, to be executed during data communication between the first terminal device and the first access network device.
  • the SMF network element sends a fourth message to the first access network device.
  • the fourth message carries the third security policy.
  • the fourth message further carries at least one of the following information: a first security protection mode and a first security policy.
  • the fourth message may not carry the first security protection mode or the first security policy.
  • the first access network device determines a fourth security protection manner according to the third security policy.
  • the first access network device determines that the fourth security protection mode is to enable encryption protection and not enable integrity protection.
  • the second message further carries at least one of the following: a first security policy and a first security protection mode.
  • the first access network device determines a fourth security protection mode according to the third security policy and the first security protection mode.
  • the encryption protection mode of the fourth security protection mode determined by the first access network device should also be the same as the encryption protection mode in the first security protection mode.
  • the cases in which the third security policy indicates that integrity protection is preferred are similar and will not be described one by one here.
  • the first access network device sends a sixth message to the SMF network element, where the sixth message is a failure message or a PDU session Release request message.
  • the third security policy indicates that integrity protection is required and the first security protection mode does not enable integrity protection.
  • the third security policy indicates that encryption protection is not needed and the first security protection mode is to enable encryption protection.
  • the situation is similar to the situation where the third security policy indicates that the integrity protection is not needed and the first security protection mode is to enable the integrity protection, and will not be described one by one here.
  • the failure message also carries a rejection reason, where the rejection reason is that the third security policy does not match the first security protection mode.
  • the first access network device sends the sixth message to the second terminal device.
  • the first access network device determines the fourth security protection mode according to the third security policy and the first security policy.
  • the first access network device determines the fourth security protection mode according to the third security policy, the first security policy and the local policy, where the local policy is a security policy determined by the first access network device and corresponding to the service to be used by the first terminal device.
  • the first access network device may determine the fourth security protection mode, that is, the security protection mode between the second terminal device and the first access network device.
  • the mismatch between the encryption protection indicated by the third security policy and the encryption protection indicated by the first security policy includes multiple possible forms.
  • the following examples illustrate:
  • the encryption protection indicated by the third security policy is not needed, and the encryption protection indicated by the first security policy is required.
  • the integrity protection indicated by the third security policy does not match the integrity protection indicated by the first security policy.
  • the following examples illustrate:
  • the integrity protection indicated by the third security policy is not needed, and the integrity protection indicated by the first security policy is required.
  • the first access network device sends a seventh message to the SMF network element, where the seventh message is a failure message or a PDU session release request message.
  • the failure message carries a rejection reason, and the rejection reason is that the third security policy is inconsistent with the first security policy.
  • the first access network device also sends the seventh message to the second terminal device.
  • the first access network device may also determine the fourth security protection mode only according to the first security policy, or determine the fourth security protection mode only according to the first security protection mode, so as to ensure that the fourth security protection mode is consistent with the first security protection mode.
  • the first access network device sends a fourth security protection mode to the second terminal device.
  • the fourth security protection mode is the same as the first security protection mode, and the fourth security protection mode is a security protection mode used during data communication between the second terminal device and the first access network device.
  • when the second terminal device receives the fourth security protection mode, if the first security protection mode has not yet been sent to the first terminal device or has not yet been determined, the second terminal device may use the fourth security protection mode as the first security protection mode, and send the first security protection mode to the first terminal device.
  • the above-mentioned step 304 may be performed after step 309, that is, the second terminal device may send the first security protection mode to the first terminal device after the establishment of the third PDU session or the modification of the second PDU session is completed.
  • the second terminal device determines the first security protection mode and the fourth security protection mode, so that the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device are agreed (encryption protection is either enabled or not enabled in both, and integrity protection is either enabled or not enabled in both).
  • the above shows the process of negotiating consensus between the first security protection mode and the fourth security protection mode.
  • the second terminal device may negotiate the encryption algorithm and the integrity algorithm corresponding to the first security protection mode and the encryption algorithm and the integrity algorithm corresponding to the fourth security protection mode.
  • the above shows the process of negotiating consensus between the first security protection mode and the fourth security protection mode on the user plane.
  • the negotiation of the control plane security protection mode between the first terminal device and the second terminal device and of the control plane protection mode between the second terminal device and the first access network device can also be carried out through the negotiation method of the technical solution of the embodiment of this application.
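The policy-to-mode logic spread over steps 302 and 306 to 309 above (the SMF deriving the third security policy from the subscription security policy, the first security policy or the first security protection mode; the access network device checking the fourth security protection mode against the third security policy and answering with a rejection reason; the relay picking or modifying a PDU session) can be written down as a small model. The following is an added example, not code from the application or from its assignee. It assumes a concrete matching rule that generalises the examples in the text: a "preferred" term is compatible with either decision, while "required" and "not needed" are incompatible with each other. The function and class names are the example's own.

```python
"""Security policy / protection mode negotiation modelled on the description above.

Added example, not code from the patent application.  A policy term is
REQUIRED / PREFERRED / NOT_NEEDED; a protection mode is the pair
(encryption on/off, integrity on/off).  The matching rule below is an
assumption that generalises the worked cases in the text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Policy(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    encryption: Policy
    integrity: Policy


@dataclass(frozen=True)
class ProtectionMode:
    encryption_enabled: bool
    integrity_enabled: bool


def term_allows(policy: Policy, enabled: bool) -> bool:
    """One policy term is satisfied by an on/off decision (PREFERRED accepts either)."""
    if policy is Policy.REQUIRED:
        return enabled
    if policy is Policy.NOT_NEEDED:
        return not enabled
    return True


def mode_matches_policy(mode: ProtectionMode, policy: SecurityPolicy) -> bool:
    return (term_allows(policy.encryption, mode.encryption_enabled)
            and term_allows(policy.integrity, mode.integrity_enabled))


def terms_compatible(a: Policy, b: Policy) -> bool:
    """Assumed rule: two terms match unless one is REQUIRED and the other NOT_NEEDED."""
    return {a, b} != {Policy.REQUIRED, Policy.NOT_NEEDED}


def policies_compatible(a: SecurityPolicy, b: SecurityPolicy) -> bool:
    return terms_compatible(a.encryption, b.encryption) and terms_compatible(a.integrity, b.integrity)


def policy_from_mode(mode: ProtectionMode) -> SecurityPolicy:
    """SMF 'Mode 2': the policy a mode implies (enabled -> REQUIRED, disabled -> NOT_NEEDED)."""
    on_off = {True: Policy.REQUIRED, False: Policy.NOT_NEEDED}
    return SecurityPolicy(on_off[mode.encryption_enabled], on_off[mode.integrity_enabled])


def narrow_policy_to_mode(first_policy: SecurityPolicy, first_mode: ProtectionMode) -> Optional[SecurityPolicy]:
    """SMF 'Mode 4': resolve each PREFERRED term of the first policy to what the first mode chose.
    Returns None when the mode contradicts the policy (e.g. REQUIRED but disabled)."""
    if not mode_matches_policy(first_mode, first_policy):
        return None

    def narrow(term: Policy, enabled: bool) -> Policy:
        if term is Policy.PREFERRED:
            return Policy.REQUIRED if enabled else Policy.NOT_NEEDED
        return term

    return SecurityPolicy(narrow(first_policy.encryption, first_mode.encryption_enabled),
                          narrow(first_policy.integrity, first_mode.integrity_enabled))


def smf_third_policy(subscription: SecurityPolicy,
                     first_policy: Optional[SecurityPolicy] = None,
                     first_mode: Optional[ProtectionMode] = None) -> Optional[SecurityPolicy]:
    """SMF 'Mode 3' (step 306): adopt the UDM subscription policy if it matches what the relay
    reported; None models the reject / session-release branch."""
    if first_policy is None and first_mode is not None:
        first_policy = policy_from_mode(first_mode)
    if first_policy is not None and not policies_compatible(subscription, first_policy):
        return None
    return subscription


def ran_fourth_mode(third_policy: SecurityPolicy,
                    first_mode: ProtectionMode) -> Tuple[Optional[ProtectionMode], Optional[str]]:
    """Access network device (step 308): the fourth mode must equal the first mode and satisfy the
    third policy; otherwise a failure with the rejection reason from the text is returned."""
    if not mode_matches_policy(first_mode, third_policy):
        return None, "third security policy does not match the first security protection mode"
    return first_mode, None


def select_pdu_session(first_mode: ProtectionMode,
                       sessions: Dict[str, ProtectionMode]) -> Tuple[str, Optional[str]]:
    """Relay (FIG. 3 step 302 / FIG. 4 step 408): reuse a PDU session whose mode equals the first
    mode, else request modification of an existing session, else request a new one."""
    for session_id, mode in sessions.items():
        if mode == first_mode:
            return "reuse", session_id
    if sessions:
        return "modify", next(iter(sessions))
    return "create", None


if __name__ == "__main__":
    # Worked case from the text: subscription (required, not needed) vs first policy (required, preferred).
    sub = SecurityPolicy(Policy.REQUIRED, Policy.NOT_NEEDED)
    third = smf_third_policy(sub, first_policy=SecurityPolicy(Policy.REQUIRED, Policy.PREFERRED))
    print("third policy:", third)
    print("access network decision:", ran_fourth_mode(third, ProtectionMode(True, False)))
```

The value of writing it out is the failure branch: a subscription policy of "not needed" against a reported "required" is a mismatch that the SMF must reject rather than silently downgrade, and a third security policy that requires integrity against a first security protection mode with integrity disabled must fail at the access network device rather than produce a fourth mode that differs from the first. The `narrow_policy_to_mode` helper implements one of the two acceptable outcomes the text gives for Mode 4 (resolving "preferred" to "not needed" when the mode disabled it); keeping "preferred" unchanged is the other.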
  • This embodiment of the present application also provides an embodiment, which is similar to the embodiment shown in FIG. 3 , except that steps 301 to 304 of the embodiment shown in FIG. 3 are not executed, and the first request message of step 305 is used to request the third security policy, that is, the first security policy is not carried in the first parameter.
  • the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
  • the first access network device determines a fourth security protection mode according to the third security policy, and sends it to the second terminal device.
  • the second terminal device uses the fourth security protection mode as the first security protection mode.
  • This embodiment of the present application further provides an embodiment, which is similar to the embodiment shown in FIG. 3, except that in step 305, the second terminal device sends the first security policy and/or the first security protection mode to the first access network device, and the second terminal device sends at least one item of information among the first service information, the first DNN and the second slice information to the SMF network element.
  • the first access network device stores the first security policy and/or the first security protection manner.
  • the first access network device receives the third security policy from the SMF network element; in step 308, the first terminal device determines the fourth security protection mode according to at least one item of information among the first security policy, the first security protection mode and the third security policy.
  • the specific determination method is similar to the way the first terminal device determines the fourth security protection mode in step 308 of the embodiment shown in FIG. 3 above. For details, please refer to the related introduction of step 308 in the embodiment shown in FIG.
  • the embodiment shown in FIG. 3 further includes steps 310 to 312 .
  • steps 310 to 312 and steps 301 to 309 in the aforementioned embodiment shown in FIG. 3 do not have a fixed execution order.
  • steps 310 to 312 may be performed before step 301, or may be performed between steps 301 to 309, or performed after step 309, which is not specifically limited in this application.
  • the first terminal device sends a third message to the second terminal device.
  • the third message carries the first protection indication.
  • the third message further carries at least one item of information: first service information, second DNN, and second slice information.
  • the third message can be understood as the fifth message of step 204 in the embodiment shown in FIG. 2 .
  • the second terminal device determines a second protection indication according to the third message.
  • the second protection indication is used to instruct a protection mechanism to be executed during data communication between the first terminal device and the first access network device.
  • the second terminal device determines which protection mechanism to execute according to the received first protection instruction, and generates a second protection instruction.
  • the second terminal device determines the second protection instruction according to the first protection instruction and the local security policy determined by the second terminal device and corresponding to the service to be used by the first terminal device. For example, the second terminal device determines a protection mechanism according to at least one item of information in the first service information, the second DNN, and the second slice information, and determines which protection mechanism is the main protection mechanism together with the protection mechanism indicated by the first protection instruction , and then generate the corresponding protection indication.
  • the second terminal device sends a second protection indication to the first terminal device.
  • the second terminal device determines the second protection indication according to the local security policy, determined by the second terminal device, corresponding to the service to be used by the first terminal device, and sends the second protection indication to the first terminal device.
  • the above-mentioned embodiment shown in FIG. 3 shows that the second terminal device first determines the security protection mode between the first terminal device and the second terminal device according to the first security policy, and then determines the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated and agreed.
  • the second terminal device may first determine a third security protection mode according to the first security policy and the fourth security policy, and use the third security protection mode as the security protection mode for data communication between the second terminal device and the first access network device.
  • the fourth security policy is a security policy determined by the second terminal device and corresponding to the service to be used by the first terminal device. Then, the second terminal device determines the security protection mode between the first terminal device and the second terminal device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated.
  • the above-mentioned embodiment shown in FIG. 3 shows a technical solution in which the first security protection mode is determined by the second terminal device.
  • the first security protection mode may also be determined by the first terminal device and sent by the first terminal device to the second terminal device, so that the security protection mode between the first terminal device and the second terminal device is negotiated to be consistent with the security protection mode between the second terminal device and the first access network device.
  • FIG. 4 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • the method includes:
  • the second terminal device sends a broadcast message to the first terminal device.
  • the broadcast message carries the first parameter.
  • for the first parameter, please refer to the related introduction of the first parameter in step 201 in the embodiment shown in FIG. 2 , which will not be repeated here.
  • the broadcast message can be understood as a possible implementation of the first message in step 202 in the embodiment shown in FIG. 2.
  • for the broadcast message, please refer to the first message in step 202 in the embodiment shown in FIG. 2.
  • the first terminal device selects the second terminal device according to the first parameter.
  • step 402 is similar to step 203 in the embodiment shown in FIG. 2; please refer to the related introduction of step 203 in the embodiment shown in FIG. 2, which will not be repeated here.
  • the first terminal device sends a communication request (communication request) message to the second terminal device.
  • the communication request message also carries at least one of the following information: first protection indication, security capability of the first terminal device, first service information, second DNN, second slice information, first security policy, relay indication.
  • the security capability of the first terminal device refers to an encryption algorithm and an integrity protection algorithm supported by the first terminal device.
  • the relay indication is used to instruct the second terminal device to forward data as the UE relay, or, used to indicate that the communication request message is a message sent to the UE relay.
  • the communication request message may be understood as a specific implementation manner of the third message in the embodiment shown in FIG. 3 .
  • the first service information, the second DNN and the second slice information may also be sent to the second terminal device in the DSM Complete message in the subsequent step 405.
  • the second terminal device determines the second protection indication according to the communication request message.
  • step 404 is optional, and the protection mechanism between the first terminal device and the first access network device may be pre-configured or specified through a communication protocol.
  • Step 404 is described below in two possible cases.
  • the communication request message carries the first protection indication.
  • the second terminal device determines which protection mechanism to execute according to the first protection instruction, and generates the second protection instruction.
  • the second terminal device determines a second protection indication according to at least one item of information among the second service information, the first DNN, and the first slice information of the service supported by the second terminal device, and then, together with the first protection indication, determines which protection indication is finally selected as the target protection indication. For example, the second protection indication is used as the finalized protection indication.
  • the communication request message does not carry the first protection indication.
  • the second terminal device determines the second protection indication according to at least one item of information among the second service information, the first DNN and the first slice information.
  • the communication request message carries at least one item of information among the first service information, the second DNN, and the second slice information, and the second terminal device according to the first service information, the second DNN, and the second slice information. At least one item of information determines the second protection indication.
  • the communication request message may be understood as a specific implementation manner of the third message in step 310 in the embodiment shown in FIG. 3 .
  • after the second terminal device receives the communication request message, the second terminal device further performs the following operations:
  • the communication request message also carries the security capability of the first terminal device.
  • the second terminal device determines the first encryption algorithm and the first integrity protection algorithm according to the security capability of the first terminal device and the security capability of the second terminal device.
  • the first encryption algorithm can be used for signaling communication between the first terminal device and the first access network device
  • the first integrity protection algorithm can be used for signaling communication between the first terminal device and the first access network device.
  • the communication request message also carries at least one item of information among the first service information, the second DNN, and the second slice information.
  • the second terminal device determines, through the at least one item of information, whether it can provide the service for the first terminal device. If the second terminal device can provide the service, the second terminal device performs step 404; otherwise, the second terminal device sends a rejection message to the first terminal device.
  • the second terminal device sends a direct security mode command (direct security mode command, DSM Command) message to the first terminal device.
  • the DSM Command message carries the first encryption algorithm and the first integrity protection algorithm.
  • the DSM Command message also carries a first protection indication, for the first terminal device to verify whether the first protection indication in the DSM Command message is consistent with the first protection indication in the communication request message in step 403.
  • the second terminal device performs integrity protection on the DSM Command message through the shared key between the first terminal device and the second terminal device.
  • the first terminal device sends a direct security mode complete (direct security mode complete, DSM Complete) message to the second terminal device.
  • the DSM Complete message carries the first security policy.
  • the first terminal device receives the second protection instruction carried in the DSM Command message, and determines a corresponding protection mechanism according to the second protection instruction.
  • the first terminal device verifies the integrity of the DSM Command message; if the verification succeeds, the first terminal device performs step 406; if the verification fails, the first terminal device sends a rejection message to the second terminal device.
  • the first terminal device can perform integrity verification on the first protection indication carried in the DSM Command message through the shared key between the first terminal device and the second terminal device.
  • the first security policy may also be carried in the communication request message in step 403. If the first security policy is carried in the communication request message in step 403, the DSM Complete message in step 406 may not carry the first security policy. If the first security policy is carried in step 403, step 407 may be performed before step 405.
  • the second terminal device determines the first security protection mode according to the first security policy, and uses the first security protection mode as the security protection mode used for the communication between the first terminal device and the second terminal device.
  • Step 407 is similar to step 302 and step 303 in the aforementioned embodiment shown in FIG. 3 .
  • the first security protection mode is an UP security protection mode between the first terminal device and the second terminal device.
  • the second terminal device determines whether the second terminal device has a second security protection mode supported by the PDU session that is consistent with the first security protection mode, and if so, executes step 409; if not, executes step 410.
  • Step 408 is similar to the description of the two possible situations of the first security protection mode and the second security protection mode in step 302 of the embodiment shown in FIG. 3. For details, refer to the related introduction of these two situations in step 302 of the embodiment shown in FIG. 3, which will not be repeated here.
  • the second terminal device sends the first security protection mode to the first terminal device.
  • the second terminal device sends a first request message to the SMF network element.
  • the SMF network element determines a third security policy according to the second parameter.
  • the SMF network element sends a fourth message to the first access network device.
  • the first access network device determines a fourth security protection mode according to the third security policy.
  • the first access network device sends a fourth security protection mode to the second terminal device.
  • Steps 409 to 414 are similar to steps 304 to 309 in the aforementioned embodiment shown in FIG. 3. For details, refer to the related introduction of steps 304 to 309 in the aforementioned embodiment shown in FIG. 3, which will not be repeated here.
  • the second terminal device sends the first security protection mode to the first terminal device.
  • step 415 may also be performed before step 410, that is, performed after the second terminal device completes the establishment of the third PDU session or after the modification of the second PDU session is completed.
  • the first terminal device receives a broadcast message sent by the second terminal device, where the broadcast message carries the first parameter; then, the first terminal device selects the second terminal device according to the first parameter. It can be seen from this that, since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, when selecting the second terminal device the first terminal device can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
  • the first terminal device sends the first security policy to the second terminal device; then, the second terminal device determines the first security protection mode according to the first security policy, uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, and then sends the first security protection mode to the first terminal device.
  • the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, which improves the security of data transmission.
  • FIG. 5 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
  • the communication method includes:
  • the second terminal device sends a broadcast message to the first terminal device.
  • the first terminal device selects the second terminal device according to the first parameter.
  • the first terminal device sends a communication request message to the second terminal device.
  • the second terminal device determines a second protection indication according to the communication request message.
  • the second terminal device sends a DSM Command message to the first terminal device.
  • the first terminal device sends a DSM Complete message to the second terminal device.
  • the second terminal device determines a first security protection mode according to the first security policy, and uses the first security protection mode as a security protection mode adopted for the communication between the first terminal device and the second terminal device.
  • the second terminal device determines whether the second terminal device has a second security protection mode supported by the PDU session that is consistent with the first security protection mode, and if so, executes step 509; if not, executes step 510.
  • the second terminal device sends the first security protection mode to the first terminal device.
  • Steps 501 to 509 are similar to steps 401 to 409 in the embodiment shown in FIG. 4.
  • the second terminal device sends a third request message to the first access network device.
  • the third request message is similar to the first request message in step 305 in the embodiment shown in FIG. 3.
  • the first access network device sends a fourth request message to the SMF network element.
  • the fourth request message carries the first service information, the second DNN and the second slice information.
  • after receiving the third request message, the first access network device determines the first security policy, the first security protection mode, the first service information, the second DNN and the second slice information carried in the third request message. Then, the first access network device sends a fourth request message to the SMF network element, where the fourth request message carries the first service information, the second DNN and the second slice information, but does not carry the first security policy and the first security protection mode.
  • the SMF network element determines a third security policy according to the first service information.
  • the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
  • the third security policy is similar to the first security policy.
  • the third security policy may be understood by referring to the relevant introduction of the first security policy in the embodiment shown in FIG. 2.
  • the SMF network element sends at least one of the following information to the UDM network element: first service information, second DNN and second slice information.
  • the UDM network element acquires the corresponding subscription security policy through the at least one piece of information, and sends the subscription security policy to the SMF network element.
  • the SMF network element uses the subscription security policy as the third security policy.
  • the first access network device receives the eighth message sent by the SMF network element.
  • the eighth message carries the third security policy.
  • the first access network device determines a fourth security protection mode according to the third security policy.
  • the third request message in step 510 also carries at least one item of information of the first security policy, the first security protection mode, and the third security policy.
  • the first access network device determines a fourth security protection mode according to at least one item of information of the first security policy, the first security protection mode, and the third security policy.
  • the specific determination method is similar to the method by which the first access network device determines the fourth security protection mode in the embodiment shown in FIG. 3. For details, refer to the related introduction there, which will not be repeated here.
  • the first access network device sends a fourth security protection mode to the second terminal device.
  • Steps 514 to 515 are similar to steps 308 to 309 in the aforementioned embodiment shown in FIG. 3. For details, refer to the related introduction of steps 308 to 309 in the aforementioned embodiment shown in FIG. 3, which will not be repeated here.
  • the second terminal device sends the first security protection mode to the first terminal device.
  • step 516 may also be performed before step 510, that is, performed after the second terminal device completes the establishment of the third PDU session or after the modification of the second PDU session is completed.
  • the first terminal device receives a broadcast message sent by the second terminal device, and the broadcast message carries the first parameter; then, the first terminal device selects the second terminal device according to the first parameter. It can be seen from this that, since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, when selecting the second terminal device the first terminal device can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
  • the first terminal device sends the first security policy to the second terminal device; then, the second terminal device determines the first security protection mode according to the first security policy, uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, and then sends the first security protection mode to the first terminal device.
  • the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, which improves the security of data transmission between the first terminal device and the access network device.
  • FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application.
  • the first terminal device may be configured to perform the steps performed by the first terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5; reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the first terminal device includes a transceiver module 601 and a processing module 602.
  • a transceiver module 601 configured to receive a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
  • the processing module 602 is configured to select the second terminal device according to the first parameter, where the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
  • the first parameter includes at least one of the following:
  • the first PDU session is an established PDU session on the second terminal device
  • the first indication information is the indication information of whether the first access network device supports the on-demand security protection mode
  • the second indication information is used to indicate that the first access network device has the ability to support integrity protection
  • the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
  • the first DNN is a DNN for which the second terminal device supports providing the relay service
  • the first slice information is information of the slice that the second terminal device supports to provide the relay service.
  • processing module 602 is further configured to:
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
  • the processing module 602 is specifically used for:
  • the second terminal device is selected according to the first security policy and the first parameter.
  • the first security policy indicates that integrity protection is required or tends to be preferred; the processing module 602 is specifically configured to:
  • the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, then select the second terminal device; or,
  • the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the ability to support enabling integrity protection, select the second terminal device; or,
  • the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, select the second terminal device; or,
  • the second terminal device is selected.
  • the first security policy indicates that encryption protection is required or tends to be preferred;
  • the processing module 602 is specifically configured to:
  • the second terminal device is selected.
  • processing module 602 is specifically used for:
  • the second terminal device is selected, and the second security policy is the security policy associated with the first DNN and/or the first slice information.
  • the transceiver module 601 is further used for:
  • the second message carries a second parameter, where the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device;
  • the processing module 602 is specifically used for:
  • the second terminal device is selected according to the first parameter and the second parameter.
  • processing module 602 is specifically used for:
  • the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection
  • the second parameter includes the second security protection mode supported by the second PDU session, and the second security protection mode is to not enable integrity protection
  • select the second terminal device, where the first PDU session is an established PDU session on the second terminal device, and the second PDU session is an established PDU session on the third terminal device; or,
  • the second parameter includes third indication information and the third indication information indicates that the second access network device does not support the on-demand protection mode, select the second terminal device.
  • the transceiver module 601 is further used for:
  • the third message carries any of the following: first service information, first protection indication, second DNN, and second slice information, where the first service information is service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to execute during data communication between the first terminal device and the first access network device;
  • a second protection indication sent by the second terminal device is received, where the second protection indication is used to indicate a protection mechanism executed during data communication between the first terminal device and the first access network device.
  • the transceiver module 601 receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the processing module 602 selects the second terminal device according to the first parameter. It can be seen from this that, since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, when selecting the second terminal device the processing module 602 can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
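The relay selection rule described for the first terminal device (processing module 602) can be made concrete in code. The following is an added example written for this page, not code from the patent or its applicant: the field names of the broadcast parameter (`pdu_session_integrity_on`, `ran_supports_integrity`, `ran_supports_on_demand`, `dnns`), the `Policy` values, the decision to reject a relay that shows none of the three integrity indications when the policy requires or prefers integrity, the DNN match, and the ranking of several acceptable relays are all assumptions chosen for the example. Verification of the digital signature on the broadcast is left out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):
    """Value of one security policy item (integrity or ciphering)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """The 'first security policy' the remote UE derives for the service it wants."""
    integrity: Policy
    ciphering: Policy


@dataclass(frozen=True)
class RelayAdvert:
    """The 'first parameter' carried in a relay UE's broadcast message.

    Field names are assumptions chosen for this example; None means the relay
    did not include that item in its broadcast.
    """
    relay_id: str
    pdu_session_integrity_on: Optional[bool] = None  # first security protection mode of the first PDU session
    ran_supports_integrity: Optional[bool] = None    # second indication information / access network type
    ran_supports_on_demand: Optional[bool] = None    # first indication information
    dnns: Tuple[str, ...] = ()                       # first DNN(s) the relay serves
    slices: Tuple[str, ...] = ()                     # first slice information


def integrity_evidence(advert: RelayAdvert) -> Tuple[bool, bool, bool]:
    """The three indications that let a remote UE accept a relay when its
    policy requires or prefers integrity protection, ordered for ranking."""
    return (
        advert.pdu_session_integrity_on is True,
        advert.ran_supports_integrity is True,
        advert.ran_supports_on_demand is True,
    )


def relay_acceptable(policy: SecurityPolicy, advert: RelayAdvert,
                     wanted_dnn: Optional[str] = None) -> bool:
    """Selection rule for one candidate relay.

    When the first security policy requires or prefers integrity, any one of
    the three indications is sufficient. Rejecting a relay that shows none of
    them, and the DNN match, are assumptions not spelled out on the page.
    """
    if wanted_dnn is not None and advert.dnns and wanted_dnn not in advert.dnns:
        return False
    if policy.integrity in (Policy.REQUIRED, Policy.PREFERRED):
        return any(integrity_evidence(advert))
    return True


def select_relay(policy: SecurityPolicy, adverts: List[RelayAdvert],
                 wanted_dnn: Optional[str] = None) -> Optional[str]:
    """Pick one relay among several broadcasts.

    Acceptable relays are ranked so that one whose established PDU session
    already has integrity enabled beats one that only advertises RAN support
    or on-demand capability (the two-candidate rule in the text). Returns the
    chosen relay id, or None when no candidate satisfies the policy.
    """
    candidates = [a for a in adverts if relay_acceptable(policy, a, wanted_dnn)]
    if not candidates:
        return None
    return max(candidates, key=integrity_evidence).relay_id
```

Returning `None` rather than falling back to an arbitrary relay is the point of the check: a remote UE whose policy requires integrity should not attach through a relay whose Uu leg cannot provide it.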
  • FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application.
  • the second terminal device may be configured to perform the steps performed by the second terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5; reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the second terminal device includes a processing module 701 and a transceiver module 702.
  • the processing module 701 is configured to determine a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device.
  • the transceiver module 702 is configured to send a first message, where the first message carries the first parameter.
  • the first parameter includes at least one of the following:
  • the first PDU session is an established PDU session on the second terminal device
  • the first indication information is the indication information that the first access network device supports the on-demand security protection mode
  • the second indication information is used to indicate that the first access network device has the ability to support integrity protection
  • the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
  • the first DNN is a DNN for which the second terminal device supports providing the relay service
  • the first slice information is information of the slice that the second terminal device supports to provide the relay service.
  • the transceiver module 702 is further configured to:
  • the second message carries a first security policy
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
  • the processing module 701 is also used for:
  • the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device;
  • the transceiver module 702 is also used for:
  • the transceiver module 702 is further configured to:
  • the second message carries a first security policy
  • the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
  • the processing module 701 is also used for:
  • the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device;
  • the transceiver module 702 is also used for:
  • the first security protection manner is consistent with the second security protection manner
  • the second security protection manner is a security protection manner supported by an established second PDU session between the second terminal device and the first access network device.
  • the first security protection manner is consistent with the second security protection manner, including:
  • the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
  • the transceiver module 702 is further configured to:
  • the first request message is used to request to modify the second PDU session or to request to establish a third PDU session
  • the first request message carries a third parameter
  • the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the established second PDU session between the second terminal device and the first access network device;
  • the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
  • the first security protection manner is inconsistent with the second security protection manner, including:
  • the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  • the third parameter includes at least one of the following:
  • the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
  • the first service information is service information corresponding to the service to be used by the first terminal device
  • the second DNN is the DNN to be accessed by the first terminal device
  • the second slice information is information of the slice to be accessed by the first terminal device.
  • the transceiver module 702 is further configured to:
  • the third message carries at least one of the following information: first service information, second DNN, second slice information and first protection indication, where the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is the information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to execute during data communication between the first terminal device and the first access network device;
  • the processing module 701 is also used for:
  • the second protection indication is used to indicate a protection mechanism to be executed during data communication between the first terminal device and the first access network device;
  • the transceiver module 702 is also used for:
  • processing module 701 is further used for:
  • if the second terminal device does not receive the protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device;
  • the transceiver module 702 is also used for:
  • the processing module 701 determines a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; the transceiver module 702 sends a first message, where the first message carries the first parameter.
  • the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, which improves the security of data transmission.
  • FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application.
  • the SMF network element may be used to perform all or part of the steps performed by the SMF network element in the embodiments shown in FIG. 3, FIG. 4, and FIG. 5; reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the SMF network element includes a transceiver module 801 and a processing module 802.
  • a transceiver module 801 configured to receive a first request message sent by a second terminal device, where the first request message is used to request to modify the second PDU session or to request the establishment of a third PDU session, the first request message carries a third parameter, and the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device;
  • a processing module 802 configured to determine a third security policy according to the third parameter, where the third security policy is a security policy corresponding to the service to be used by the first terminal device determined by the SMF network element;
  • the transceiver module 801 is configured to send a fourth message to the first access network device, where the fourth message carries the third security policy.
  • the third parameter includes at least one of the following:
  • the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
  • the first service information is service information corresponding to the service to be used by the first terminal device
  • the second DNN is the DNN to be accessed by the first terminal device
  • the second slice information is information of the slice to be accessed by the first terminal device.
  • processing module 802 is specifically used for:
  • the SMF network element receives the subscription security policy sent by the UDM network element;
  • processing module 802 is specifically used for:
  • the third security policy is determined according to at least one item of information in the first security policy and the first security protection manner.
  • the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
  • the transceiver module 801 receives the first request message sent by the second terminal device, the processing module 802 determines a third security policy according to the first request message, and the third security policy is sent to the first access network device, so that the first access network device can determine the fourth security protection mode according to the third security policy and the fourth security protection mode is consistent with the first security protection mode, thereby realizing negotiation between the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device.
  • FIG. 9 is a schematic structural diagram of a first access network device according to an embodiment of the present application.
  • the first access network device may be configured to perform the steps performed by the first access network device in the embodiments shown in FIG. 3, FIG. 4, and FIG. 5; reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the first access network device includes a transceiver module 901 and a processing module 902.
  • the transceiver module 901 is configured to receive a second message sent by the SMF network element, where the second message carries a third security policy, and the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device;
  • a processing module 902 configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device;
  • the transceiver module 901 is configured to send the fourth security protection mode to the second terminal device.
  • the second message also carries at least one of the following: the first security policy, the first security protection mode; and the processing module 902 is specifically configured to:
  • determine the fourth security protection mode according to the third security policy and the first security protection mode; or,
  • determine the fourth security protection mode according to the third security policy and the first security policy; or,
  • determine the fourth security protection mode according to the third security policy, the first security protection mode and the first security policy.
  • In this embodiment, the transceiver module 901 receives a second message sent by an SMF network element, where the second message carries a third security policy, the third security policy being the security policy determined by the SMF network element that corresponds to the service to be used by the first terminal device; the processing module 902 determines a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device; and the transceiver module 901 sends the fourth security protection mode to the second terminal device.
  • the fourth security protection mode is a security protection mode used for data communication between the second terminal device and the first access network device, so that the negotiation of the first security protection mode and the fourth security protection mode is achieved.
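The following Python sketch is an added example, not code from the patent or from the applicant: it shows one way the first access network device could carry out the determination described above, deriving the fourth security protection mode (second terminal device to access network) from the SMF's third security policy, optionally tightened by the first security policy, and refusing when the result cannot be consistent with the first security protection mode (first to second terminal device). The REQUIRED / PREFERRED / NOT NEEDED levels follow the 3GPP user-plane security policy convention; the "strictest wins" merge rule, the handling of PREFERRED, and the RAN integrity-capability flag are assumptions of this example.

```python
# Added example, not code from the patent: how the first access network device
# could derive the fourth security protection mode (second terminal device <->
# access network) from the SMF's third security policy and check that it is
# consistent with the first security protection mode (first <-> second terminal
# device). The merge rule and the RAN capability flag are assumptions.
from typing import Dict, Optional, Tuple

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not_needed"
RANK = {NOT_NEEDED: 0, PREFERRED: 1, REQUIRED: 2}
KINDS = ("integrity", "ciphering")
Policy = Dict[str, str]   # e.g. {"integrity": REQUIRED, "ciphering": PREFERRED}
Mode = Dict[str, bool]    # e.g. {"integrity": True, "ciphering": False}


def merge_policies(third: Policy, first: Optional[Policy]) -> Policy:
    """Per protection type, keep the stricter of the SMF's policy (third) and
    the first terminal device's own policy (first), when the latter was sent."""
    if first is None:
        return dict(third)
    return {k: max(third[k], first[k], key=RANK.__getitem__) for k in KINDS}


def determine_fourth_mode(third_policy: Policy, first_mode: Optional[Mode] = None,
                          first_policy: Optional[Policy] = None,
                          ran_integrity_capable: bool = True) -> Tuple[Optional[Mode], str]:
    """Return (fourth mode, reason). A None mode means the access network must
    reject: either it cannot provide what the policy requires, or the only mode
    the policy allows would differ from the first security protection mode."""
    policy = merge_policies(third_policy, first_policy)
    mode: Mode = {}
    for kind in KINDS:
        need = policy[kind]
        if need == REQUIRED:
            on = True
        elif need == NOT_NEEDED:
            on = False
        else:  # PREFERRED: mirror what the first hop already does, else enable
            on = first_mode[kind] if first_mode is not None else True
        if kind == "integrity" and on and not ran_integrity_capable:
            return None, "access network cannot provide integrity protection"
        if first_mode is not None and first_mode[kind] != on:
            return None, (f"{kind} would be {'on' if on else 'off'} towards the access "
                          f"network but {'on' if first_mode[kind] else 'off'} on the first hop")
        mode[kind] = on
    return mode, "ok"
```

The reject path is the security-relevant part: if the relay hop has integrity off but the SMF says REQUIRED, an access network that silently enables it only on its own hop would leave the first terminal device's traffic unprotected on the hop it cannot see, so the consistent answer is to fail the negotiation and let the terminal pick another relay.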
  • A possible structure of the first terminal device is shown below through FIG. 10.
  • FIG. 10 shows a schematic structural diagram of a simplified first terminal device.
  • the first terminal device takes a mobile phone as an example.
  • the first terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input and output device.
  • the processor is mainly used to process communication protocols and communication data, control terminal equipment, execute software programs, and process data of software programs.
  • the memory is mainly used to store software programs and data.
  • the radio frequency circuit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
  • Antennas are mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, and keyboards, are mainly used to receive data input by users and output data to users. It should be noted that some types of first terminal devices may not have input and output devices.
  • When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the radio frequency circuit.
  • the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal through the antenna in the form of electromagnetic waves.
  • When data is received, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts the baseband signal into data and processes the data.
  • Only one memory and one processor are shown in FIG. 10. In an actual terminal device product there may be one or more processors and one or more memories.
  • the memory may also be referred to as a storage medium or a storage device or the like.
  • the memory may be set independently of the processor, or may be integrated with the processor, which is not limited in this embodiment of the present application.
  • the antenna and radio frequency circuit with a transceiver function can be regarded as a transceiver unit of the first terminal device.
  • the processor with a processing function can be regarded as a processing unit of the first terminal device.
  • the first terminal device includes a transceiver unit 1010 and a processing unit 1020 .
  • the transceiving unit may also be referred to as a transceiver, a transceiving device, or the like.
  • the processing unit may also be referred to as a processor, a processing single board, a processing module, a processing device, and the like.
  • the device for implementing the receiving function in the transceiver unit 1010 may be regarded as a receiving unit, and the device for implementing the transmitting function in the transceiver unit 1010 may be regarded as a transmitting unit, that is, the transceiver unit 1010 includes a receiving unit and a transmitting unit.
  • the transceiver unit may also sometimes be referred to as a transceiver or a transceiver circuit.
  • the receiving unit may also sometimes be referred to as a receiver or a receiving circuit.
  • the transmitting unit may also sometimes be referred to as a transmitter or a transmitting circuit.
  • the transceiving unit 1010 is configured to perform the sending and receiving operations of the first terminal device in the above method embodiments.
  • processing unit 1020 is configured to perform other operations on the first terminal device in the above method embodiments except the transceiving operations.
  • the transceiver unit 1010 is configured to perform the transceiver operation of the first terminal device in step 202 in FIG. 2, and/or the transceiver unit 1010 is further configured to perform the other sending and receiving steps of the first terminal device in this embodiment of the present application.
  • When the terminal device is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input/output circuit or a communication interface.
  • the processing unit may be a processor or a microprocessor or an integrated circuit or a logic circuit integrated on the chip.
  • FIG. 10 may be reused: it may also be used to perform all or part of the steps performed by the second terminal device in the foregoing method embodiments, and reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the present application also provides an SMF network element. Please refer to FIG. 11 , which is another schematic structural diagram of the SMF network element in the embodiment of the present application. For the steps performed by the SMF network element, reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the SMF network element includes: a processor 1101 and a memory 1102 .
  • the SMF network element further includes a transceiver 1103 .
  • the processor 1101, the memory 1102 and the transceiver 1103 are respectively connected through a bus, and the memory stores computer instructions.
  • the processing module 802 in the foregoing embodiment may specifically be the processor 1101 in this embodiment, so the specific implementation of the processor 1101 will not be described again.
  • the transceiver module 801 in the foregoing embodiment may specifically be the transceiver 1103 in this embodiment, so the specific implementation of the transceiver 1103 will not be described again.
  • the present application also provides a first access network device. Please refer to FIG. 12, which is another schematic structural diagram of the first access network device in the embodiment of the present application.
  • For the steps performed by the first access network device in the embodiments shown in FIG. 4 and FIG. 5, reference may be made to the relevant descriptions in the foregoing method embodiments.
  • the first access network device includes: a processor 1201 and a memory 1202 .
  • the first access network device further includes a transceiver 1203 .
  • the processor 1201, the memory 1202 and the transceiver 1203 are respectively connected through a bus, and the memory stores computer instructions.
  • the processing module 902 in the foregoing embodiment may specifically be the processor 1201 in this embodiment, so the specific implementation of the processor 1201 will not be described again.
  • the transceiver module 901 in the foregoing embodiment may specifically be the transceiver 1203 in this embodiment, so the specific implementation of the transceiver 1203 will not be described again.
  • an embodiment of the present application further provides a communication system, where the communication system includes a first terminal device as shown in FIG. 6 and a second terminal device as shown in FIG. 7 .
  • the first terminal device shown in FIG. 6 is used to perform all or part of the steps performed by the first terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
  • the second terminal device shown in FIG. 7 is configured to perform all or part of the steps performed by the second terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
  • the communication system further includes the SMF network element shown in FIG. 8 and the first access network device shown in FIG. 9 .
  • the SMF network element shown in FIG. 8 is used to perform all or part of the steps performed by the SMF network element in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5.
  • the first access network device shown in FIG. 9 is used to perform all or part of the steps performed by the first access network device in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5.
  • Embodiments of the present application also provide a computer program product including instructions, which, when executed on a computer, cause the computer to execute the communication methods of the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 .
  • Embodiments of the present application further provide a computer-readable storage medium including computer instructions which, when executed on a computer, cause the computer to execute the communication methods of the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5.
  • An embodiment of the present application further provides a chip device, which includes a processor connected to a memory; the processor calls a program stored in the memory so that it executes the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5.
  • the processor mentioned in any of the above may be a general-purpose central processing unit, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for executing the program of the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
  • the memory mentioned in any of the above may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM), or the like.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application, in essence or in the part that contributes to the prior art, or all or part of them, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

Embodiments of the present application provide a communication method and apparatus. The method comprises: a first terminal device acquires a first parameter, the first parameter being used for indicating security information of communication between a second terminal device and a first access network device; and the first terminal device selects the second terminal device according to the first parameter. By implementing the solution provided in the present application, the first terminal device can select, according to the first parameter, the second terminal device that provides a relay service between the first terminal device and the first access network device, so as to satisfy the requirement of the first terminal device for communicating with the network by means of the second terminal device.

Description

Communication method and device therefor

Technical field

The present application relates to the field of communication technologies, and in particular to a communication method and a device therefor.

Background

In proximity (short-range) service communication, a user equipment UE1 communicates with the network through another user equipment UE2, that is, UE2 provides a relay service for UE1. UE1 needs to select a suitable UE2 and communicate with the network through it. How to select UE2 is a problem that currently needs to be solved.

Summary of the invention

Embodiments of the present application provide a communication method and a device therefor, used by a first terminal device to select a second terminal device according to a first parameter, so as to meet the security requirements of the communication between the first terminal device and the network.
A first aspect of the embodiments of the present application provides a communication method, which includes:
The first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between a second terminal device and a first access network device; then the first terminal device selects the second terminal device according to the first parameter, where the second terminal device is used to provide a relay service for the communication between the first terminal device and the first access network device.
In this embodiment, because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can, when selecting the second terminal device, use the first parameter to select a second terminal device that matches its own security requirements, so that the security requirements of the subsequent communication between the first terminal device and the network can be met to a certain extent.
In a possible implementation, the first parameter includes at least one of the following: a first security protection mode supported by a first protocol data unit (PDU) session; the type of the first access network device; first indication information; second indication information; a digital signature; the identifier of the second terminal device; the identifier (ID) of the network to which the second terminal device belongs or which serves it; a first data network name (DNN); or first slice information. Here the first PDU session is a PDU session already established on the second terminal device; the first indication information indicates whether the first access network device supports an on-demand security protection mode; the second indication information indicates that the first access network device is capable of supporting integrity protection; the digital signature is generated by the second terminal device using the private key of the second terminal device or the root certificate of the second terminal device; the first DNN is a DNN for which the second terminal device supports providing relay service; and the first slice information is information about a slice for which the second terminal device supports providing relay service.
In this possible implementation, the first parameter indicates the security information for communication between the second terminal device and the first access network device. Specifically, it may be the security protection mode supported by a PDU session already established by the second terminal device; or the type of the first access network device to which the second terminal device is connected; or the DNN, or the slice information of the slice, for which the second terminal device supports providing relay service. As this implementation shows, the parameters that characterize the security information for communication between the second terminal device and the first access network device are diverse, which helps the first terminal device select a suitable second terminal device that meets the security requirements for communication between the first terminal device and the network, and improves the realizability and practicality of the solution.
In another possible implementation, before the first terminal device selects the second terminal device according to the first parameter, the method further includes: the first terminal device determines a first security policy, where the first security policy is the security policy, determined by the first terminal device, that corresponds to the service the first terminal device will use;
the first terminal device selecting the second terminal device according to the first parameter includes:
the first terminal device selects the second terminal device according to the first security policy and the first parameter.
In this possible implementation, the first terminal device may first determine the corresponding first security policy from the service it will use, and then select the second terminal device by combining the first security policy with the first parameter, which further enables the first terminal device to select a suitable second terminal device to provide it with a relay service.
In another possible implementation, the first security policy indicates that integrity protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes:
if the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode has integrity protection enabled, the first terminal device selects the second terminal device; or,
if the first parameter includes the type of the first access network device, and that type indicates that the first access network device is capable of enabling integrity protection, the first terminal device selects the second terminal device; or,
if the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device; or,
if the first parameter includes the second indication information, the first terminal device selects the second terminal device.
This possible implementation shows several ways in which, when the first security policy indicates that integrity protection is required or preferred, the first terminal device selects the second terminal device according to a particular piece of information carried in the first parameter, which improves the realizability and diversity of the solution.
In another possible implementation, the first security policy indicates that encryption protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes:
if the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode has encryption protection enabled, the first terminal device selects the second terminal device; or,
if the first parameter includes the type of the first access network device, and that type indicates that the first access network device is capable of enabling integrity protection, the first terminal device selects the second terminal device; or,
if the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device; or,
if the first parameter includes the second indication information, the first terminal device selects the second terminal device.
This possible implementation shows several ways in which, when the first security policy indicates that encryption protection is required or preferred, the first terminal device selects the second terminal device according to a particular piece of information carried in the first parameter, which improves the realizability and diversity of the solution.
In another possible implementation, the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: if the first security policy is consistent with a second security policy, the first terminal device selects the second terminal device, where the second security policy is the security policy associated with the first DNN and/or the first slice information.
In this possible implementation, since each DNN and each slice is configured with a corresponding security policy, the first terminal device can determine the corresponding second security policy from the first DNN and/or the first slice information carried in the first parameter, and then select the second terminal device by combining the first security policy and the second security policy.
In another possible implementation, the method further includes: the first terminal device receives a second message, where the second message carries a second parameter, and the second parameter is used to indicate security information of communication between a third terminal device and a second access network device; the first terminal device selecting the second terminal device according to the first parameter includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
In this possible implementation, when the first terminal device receives parameters sent by multiple terminal devices that can act as relay nodes, it can select the second terminal device by combining the multiple sets of parameters received.
In another possible implementation, the first terminal device selecting the second terminal device according to the first parameter and the second parameter includes:
if the first parameter includes a first security protection mode supported by a first PDU session and that mode has integrity protection enabled, and the second parameter includes a second security protection mode supported by a second PDU session and that mode has integrity protection disabled, the first terminal device selects the second terminal device, where the first PDU session is a PDU session already established on the second terminal device and the second PDU session is a PDU session already established on the third terminal device; or,
if the first parameter includes the first indication information and the first indication information indicates that the first access network device supports the on-demand protection mode, and the second parameter includes third indication information and the third indication information indicates that the second access network device does not support the on-demand protection mode, the first terminal device selects the second terminal device.
This implementation shows several possible ways in which the first terminal device selects the second terminal device according to the parameters it receives from multiple terminal devices.
In another possible implementation, the method further includes: the first terminal device sends a second message to the second terminal device, where the second message carries the first security policy.
In this possible implementation, the first terminal device sends the first security policy to the second terminal device so that the second terminal device can determine the first security protection mode between the first terminal device and the second terminal device.
In another possible implementation, the method further includes: the first terminal device sends a third message to the second terminal device, where the third message carries any one of the following: first service information, a first protection indication, a second DNN, or second slice information, where the first service information is the service information corresponding to the service the first terminal device will use, and the first protection indication indicates the protection mechanism that the first terminal device expects to be executed for data communication between the first terminal device and the first access network device; then the first terminal device receives a second protection indication sent by the second terminal device, where the second protection indication indicates the protection mechanism to be executed for data communication between the first terminal device and the first access network device.
In this possible implementation, the first terminal device and the second terminal device determine through negotiation the protection mechanism to be executed for data communication between the first terminal device and the first access network device.
In another possible implementation, the first security policy includes a protection requirement for encryption protection and a protection requirement for integrity protection; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: when the first terminal device determines from the first parameter that the second terminal device satisfies both the protection requirement for encryption protection and the protection requirement for integrity protection, the first terminal device selects the second terminal device.
In this possible implementation, when selecting the second terminal device, the first terminal device should select a second terminal device that satisfies both its encryption protection requirement and its integrity protection requirement.
In another possible implementation, the method further includes: the first terminal device verifies the digital signature; if the verification succeeds, the first terminal device performs the step of selecting the second terminal device according to the first security policy and the first parameter.
In this possible implementation, the first terminal device verifies the digital signature carried in the first message and only if verification succeeds selects the second terminal device according to the first parameter and the first security policy carried in the first message, so that tampering with the first parameter in transit cannot mislead the first terminal device into choosing an unsuitable second terminal device.
In another possible implementation, the first message also carries the identifier of the second terminal device; the first terminal device verifying the digital signature includes: the first terminal device determines, from the identifier of the second terminal device, the public key corresponding to the private key of the second terminal device; then the first terminal device verifies the digital signature with that public key.
This possible implementation provides a specific way for the first terminal device to verify the digital signature.
另一种可能的实现方式中,该第一消息还携带第二终端设备归属的或服务的网络标识ID;该第一终端设备验证该数字签名包括:第一终端设备根据该网络标识ID确定该第二终端设备对应的根证书;然后,第一终端设备通过该根证书验证该数字签名。In another possible implementation manner, the first message also carries the network identification ID that the second terminal device belongs to or serves; the first terminal device verifying the digital signature includes: the first terminal device determines the network identification ID according to the network identification ID. the root certificate corresponding to the second terminal device; then, the first terminal device verifies the digital signature through the root certificate.
在该可能的实现方式中,提供了另一种第一终端设备验证数字签名的具体方式。In this possible implementation manner, another specific manner for the first terminal device to verify the digital signature is provided.
A second aspect of the embodiments of the present application provides a communication method, which includes:
A second terminal device determines a first parameter, where the second terminal device supports the function of providing a relay service and the first parameter indicates security information for communication between the second terminal device and a first access network device; then the second terminal device sends a first message carrying the first parameter.
In this possible implementation, the second terminal device sends the first parameter to the first terminal device, so that when selecting a second terminal device the first terminal device can use the first parameter to select one that matches its own security requirements. To a certain extent, this ensures that the security requirements of the subsequent communication between the first terminal device and the network can be satisfied.
In a possible implementation, the first parameter includes at least one of the following: a first security protection mode supported by a first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, the identifier of the second terminal device, the network ID of the network to which the second terminal device belongs or that serves it, a first DNN, or first slice information. Here, the first PDU session is a PDU session already established on the second terminal device; the first indication information indicates whether the first access network device supports an on-demand security protection mode; the second indication information indicates that the first access network device is capable of supporting integrity protection; the digital signature is generated by the second terminal device using its private key or its root certificate; the first DNN is a DNN for which the second terminal device supports providing a relay service; and the first slice information is information about a slice for which the second terminal device supports providing a relay service.
In this possible implementation, the first parameter indicates security information for communication between the second terminal device and the first access network device. Specifically, it may be the security protection mode supported by a PDU session already established by the second terminal device; or the type of the first access network device to which the second terminal device is connected; or the DNN, or the slice information of the slice, for which the second terminal device supports providing a relay service. As this implementation shows, the parameters that characterize the security information for communication between the second terminal device and the first access network device are diverse, which helps the first terminal device select a suitable second terminal device that satisfies the security requirements for communication between the first terminal device and the network, improving the implementability and practicality of the solution.
In another possible implementation, the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, the first security policy being the security policy, determined by the first terminal device, corresponding to the service that the first terminal device will use; the second terminal device determines a first security protection mode according to the first security policy; the second terminal device uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device; and the second terminal device sends the first security protection mode to the first terminal device.
In this possible implementation, the second terminal device can determine the first security protection mode in combination with the first security policy sent by the first terminal device, and use the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, thereby determining the security protection mode between the two terminal devices. This makes it convenient for the second terminal device and the first access network device to negotiate the security protection mode between them, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated consistently.
In another possible implementation, the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, the first security policy being the security policy, determined by the first terminal device, corresponding to the service that the first terminal device will use; the second terminal device determines a third security protection mode according to the first security policy and a second security policy, the second security policy being the security policy, determined by the second terminal device, corresponding to the service that the first terminal device will use; the second terminal device uses the third security protection mode as the security protection mode for data communication between the second terminal device and the first access network device; and the second terminal device sends the third security protection mode to the first terminal device.
In this possible implementation, the second terminal device can determine the third security protection mode in combination with the third security policy and the first security policy sent by the first terminal device, and use the third security protection mode as the security protection mode for data communication between the second terminal device and the first access network device, thereby determining the security protection mode between them. This makes it convenient for the second terminal device and the first terminal device to negotiate the security protection mode between the first terminal device and the second terminal device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated consistently.
In another possible implementation, the first security protection mode is consistent with a second security protection mode, where the second security protection mode is the security protection mode supported by a second PDU session already established between the second terminal device and the first access network device.
In this possible implementation, when determining the first security protection mode, the second terminal device may take into account the PDU sessions it has already established, and preferentially select a PDU session that supports the first security protection mode for providing service to the first terminal device.
In another possible implementation, the first security protection mode being consistent with the second security protection mode includes:
if the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session has encryption protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
if the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session has integrity protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
if the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
if the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session has integrity protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
if the first security policy indicates that encryption protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or,
if the first security policy indicates that integrity protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
In this possible implementation, the second terminal device selects a second PDU session on the second terminal device whose supported second security protection mode is consistent with the first security protection mode.
In another possible implementation, the method further includes: if the first security protection mode is inconsistent with the second security protection mode, the second terminal device sends a first request message to a session management function (SMF) network element, where the first request message requests modification of the second PDU session or establishment of a third PDU session and carries a third parameter, the third parameter indicating security information for data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session already established between the second terminal device and the first access network device; the second terminal device receives a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode to be used for data communication between the second terminal device and the first access network device and is consistent with the first security protection mode.
In this possible implementation, when the second security protection mode supported by the second PDU session is inconsistent with the first security protection mode, the second terminal device sends a first request message to the SMF network element to request modification of the second PDU session or establishment of a new third PDU session, and then receives the fourth security protection mode sent by the first access network device, so that the fourth security protection mode between the second terminal device and the first access network device is consistent with the first security protection mode.
In another possible implementation, the first security protection mode being inconsistent with the second security protection mode includes: if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or,
if the first security policy indicates that integrity protection is preferred, and the second security protection mode has integrity protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or,
if the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy and the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
This possible implementation shows several possible situations in which the first security protection mode and the second security protection mode are inconsistent, and provides corresponding ways of determining this.
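The matching logic that the relay-selection rule (both encryption and integrity requirements must be met), the consistency rules and the inconsistency rules above describe, as an added Python illustration that is not part of the patent. It assumes a policy with the values required/preferred/not needed per protection feature and a PDU-session mode with two on/off flags; because the page describes one variant where "preferred" accepts either session setting and another where a disabled feature is inconsistent, that choice is a switch, and signature verification of a relay's advertisement is stood in for by a caller-supplied predicate.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Requirement(Enum):
    """Per-feature value carried in a security policy (the first security policy)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """Security policy of the service the first terminal device will use."""
    encryption: Requirement
    integrity: Requirement


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode of a PDU session: each protection is on or off."""
    encryption_on: bool
    integrity_on: bool


def feature_matches(req: Requirement, enabled: bool, strict_preferred: bool) -> bool:
    """Check one protection feature of a session mode against one policy value.

    required   -> the session must have the feature enabled
    not needed -> the session must have the feature disabled
    preferred  -> either setting is acceptable (strict_preferred=False), or a
                  disabled feature counts as inconsistent (strict_preferred=True)
    """
    if req is Requirement.REQUIRED:
        return enabled
    if req is Requirement.NOT_NEEDED:
        return not enabled
    return enabled or not strict_preferred


def is_consistent(policy: SecurityPolicy, mode: ProtectionMode,
                  strict_preferred: bool = False) -> bool:
    """True when the session mode satisfies both the encryption and the integrity
    requirement of the policy; a mismatch in either feature means inconsistent."""
    return (feature_matches(policy.encryption, mode.encryption_on, strict_preferred)
            and feature_matches(policy.integrity, mode.integrity_on, strict_preferred))


def requested_mode(policy: SecurityPolicy) -> ProtectionMode:
    """Assumed target mode a relay asks for when it needs a modified or new PDU
    session: required/preferred -> on, not needed -> off (assumption, not from the page)."""
    return ProtectionMode(policy.encryption is not Requirement.NOT_NEEDED,
                          policy.integrity is not Requirement.NOT_NEEDED)


def relay_decision(policy: SecurityPolicy, session_mode: ProtectionMode,
                   strict_preferred: bool = False) -> Tuple[str, ProtectionMode]:
    """Relay (second terminal device) side: reuse the established session's mode
    as the first security protection mode when consistent, otherwise request the
    SMF to modify the session or establish a new one with the target mode."""
    if is_consistent(policy, session_mode, strict_preferred):
        return ("reuse_session", session_mode)
    return ("request_session_change", requested_mode(policy))


def select_relay(policy: SecurityPolicy,
                 candidates: List[Tuple[str, ProtectionMode]],
                 signature_ok: Callable[[str], bool] = lambda relay_id: True) -> Optional[str]:
    """First terminal device side: pick the first candidate relay whose advertised
    PDU-session mode satisfies both requirements of the policy. Advertisements
    that fail signature verification are skipped, so a tampered first parameter
    cannot steer the selection."""
    for relay_id, mode in candidates:
        if not signature_ok(relay_id):
            continue
        if is_consistent(policy, mode):
            return relay_id
    return None


if __name__ == "__main__":
    # Constructed sample: the service requires encryption and prefers integrity.
    policy = SecurityPolicy(Requirement.REQUIRED, Requirement.PREFERRED)
    # Constructed relay advertisements (each relay's "first parameter").
    relays = [("relay-A", ProtectionMode(False, True)),   # encryption off: rejected
              ("relay-B", ProtectionMode(True, False))]   # acceptable under lenient rule
    print("selected:", select_relay(policy, relays))
    print("lenient:", relay_decision(policy, ProtectionMode(True, False)))
    print("strict:", relay_decision(policy, ProtectionMode(True, False), strict_preferred=True))
```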
In another possible implementation, the third parameter includes at least one of the following:
first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;
where the first service information is the service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
In this possible implementation, the third parameter indicates security information for data communication between the first terminal device and the second terminal device. This implementation provides a variety of parameters for that security information, so that the SMF network element can determine the third security policy and the first access network device can determine the fourth security protection mode, making the fourth security protection mode consistent with the first security protection mode.
In another possible implementation, the method further includes: the second terminal device receives a third message sent by the first terminal device, where the third message carries at least one of the following: first service information, a second DNN, second slice information, and a first protection indication; the first service information is the service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, the second slice information is information about the slice that the first terminal device will access, and the first protection indication indicates the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; the method further includes: the second terminal device determines a second protection indication according to the third message, where the second protection indication indicates the protection mechanism to be executed during data communication between the first terminal device and the first access network device; and the second terminal device sends the second protection indication to the first terminal device.
This possible implementation shows one way in which the first terminal device, the second terminal device and the third terminal device negotiate the protection mechanism to be executed during data communication between the first terminal device and the first access network device.
In another possible implementation, the method further includes: if the second terminal device does not receive a protection indication sent by the first terminal device, the second terminal device determines a second protection indication, where the second protection indication indicates the protection mechanism to be executed during data communication between the first terminal device and the first access network device; then the second terminal device sends the second protection indication to the first terminal device.
This possible implementation shows another way in which the first terminal device, the second terminal device and the third terminal device negotiate the protection mechanism to be executed during data communication between the first terminal device and the first access network device.
A third aspect of the embodiments of the present application provides a communication method, which includes:
An SMF network element receives a first request message sent by a second terminal device, where the first request message requests modification of a second PDU session or establishment of a third PDU session and carries a third parameter, the third parameter indicating security information for data communication between a first terminal device and the second terminal device; then the SMF network element determines a third security policy according to the third parameter, the third security policy being the security policy, determined by the SMF network element, corresponding to the service that the first terminal device will use; and the SMF network element sends a fourth message carrying the third security policy to the first access network device.
In this possible implementation, when the first security protection mode is inconsistent with the second security protection mode, or when no PDU session has been established on the second terminal device, the SMF network element can determine the third security policy according to the first request message sent by the second terminal device and send it to the first access network device, so that the first access network device determines the fourth security protection mode according to the third security policy and the fourth security protection mode is consistent with the first security protection mode. This achieves consistent negotiation of the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device.
In a possible implementation, the third parameter includes at least one of the following:
first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;
where the first service information is the service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
In this possible implementation, the third parameter indicates security information for data communication between the first terminal device and the second terminal device. This implementation provides a variety of parameters for that security information, so that the SMF network element can determine the third security policy and the first access network device can determine the fourth security protection mode, making the fourth security protection mode consistent with the first security protection mode.
In another possible implementation, the SMF network element determining the third security policy according to the third parameter includes: the SMF network element sends at least one of the following to a unified data management (UDM) network element: the first service information, the second DNN, and the second slice information; the SMF network element receives a subscription security policy sent by the UDM network element; and the SMF network element uses the subscription security policy as the third security policy, or determines the third security policy according to the subscription security policy and the first security policy, or determines the third security policy according to the subscription security policy and the first security protection mode.
This possible implementation shows the specific process by which the SMF network element determines the third security policy according to at least one of the first service information, the second DNN and the second slice information, improving the implementability of the solution.
In another possible implementation, the SMF network element determining the third security policy according to the third parameter includes: the SMF network element determines the third security policy according to at least one of the first security policy and the first security protection mode.
This possible implementation shows a way in which the SMF network element determines the third security policy according to at least one of the first security policy and the first security protection mode carried in the third parameter, increasing the diversity of the solution.
In another possible implementation, the fourth message further carries at least one of the following: the first security policy and the first security protection mode.
A fourth aspect of the embodiments of the present application provides a communication method, which includes: a first access network device receives a second message sent by an SMF network element, where the second message carries a third security policy, the third security policy being the security policy, determined by the SMF network element, corresponding to the service that the first terminal device will use; then the first access network device determines a fourth security protection mode according to the third security policy, the fourth security protection mode being the security protection mode to be used for data communication between the second terminal device and the first access network device; and the first access network device sends the fourth security protection mode to the second terminal device.
In this possible implementation, the first access network device determines the fourth security protection mode according to the third security policy sent by the SMF network element and sends it to the second terminal device; the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, so that the first security protection mode and the fourth security protection mode are negotiated consistently.
In a possible implementation, the second message further carries at least one of the following: the first security policy and the first security protection mode; the first access network device determining the fourth security protection mode according to the third security policy includes:
the first access network device determines the fourth security protection mode according to the third security policy and the first security protection mode; or,
the first access network device determines the fourth security protection mode according to the third security policy and the first security policy; or,
the first access network device determines the fourth security protection mode according to the third security policy, the first security protection mode and the first security policy.
This possible implementation shows multiple possible ways in which the first access network device determines the fourth security protection mode according to the parameters carried in the second message, improving the implementability and diversity of the solution.
A fifth aspect of the embodiments of this application provides a first terminal device, where the first terminal device includes:
a transceiver module, configured to receive a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between a second terminal device and a first access network device; and
a processing module, configured to select the second terminal device according to the first parameter, where the second terminal device is configured to provide a relay service for communication between the first terminal device and the first access network device.
In a possible implementation manner, the first parameter includes at least one of the following:
a first security protection mode supported by a first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, an identifier of the second terminal device, an identifier ID of the network to which the second terminal device belongs or which serves it, a first data network name DNN, or first slice information;
where the first PDU session is a PDU session already established on the second terminal device, the first indication information indicates whether the first access network device supports an on-demand security protection mode, the second indication information is used to indicate that the first access network device is capable of supporting integrity protection, the digital signature is generated by the second terminal device using the private key of the second terminal device or the root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information about a slice for which the second terminal device supports providing the relay service.
In another possible implementation manner, the processing module is further configured to:
determine a first security policy, where the first security policy is a security policy, determined by the first terminal device, corresponding to the service that the first terminal device will use; and
the processing module is specifically configured to:
select the second terminal device according to the first security policy and the first parameter.
In another possible implementation manner, the first security policy indicates that integrity protection is required or preferred; and the processing module is specifically configured to:
if the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is integrity protection enabled, select the second terminal device; or
if the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device is capable of supporting enabling integrity protection, select the second terminal device; or
if the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, select the second terminal device; or
if the first parameter includes the second indication information, select the second terminal device.
In another possible implementation manner, the first security policy indicates that encryption protection is required or preferred; and the processing module is specifically configured to:
if the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is encryption protection enabled, select the second terminal device.
In another possible implementation manner, the processing module is specifically configured to:
if the first security policy is consistent with a second security policy, select the second terminal device, where the second security policy is the security policy associated with the first DNN and/or the first slice information.
In another possible implementation manner, the transceiver module is further configured to:
receive a second message, where the second message carries a second parameter, and the second parameter is used to indicate security information for communication between a third terminal device and a second access network device; and
the processing module is specifically configured to:
select the second terminal device according to the first parameter and the second parameter.
In another possible implementation manner, the processing module is specifically configured to:
if the first parameter includes the first security protection mode supported by the first PDU session, the first security protection mode is integrity protection enabled, the second parameter includes a second security protection mode supported by a second PDU session, and the second security protection mode is integrity protection not enabled, select the second terminal device, where the first PDU session is a PDU session already established on the second terminal device and the second PDU session is a PDU session already established on the third terminal device; or
if the first parameter includes the first indication information, the first indication information indicates that the first access network device supports the on-demand protection mode, the second parameter includes third indication information, and the third indication information indicates that the second access network device does not support the on-demand protection mode, select the second terminal device.
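The selection rules of the fifth aspect, worked through as an added Python example that is not part of the patent text: the remote UE (first terminal device) holds a first security policy with a required/preferred/not needed value per feature, receives each relay's first parameter, and decides whether that relay can satisfy the policy, whether it matches the policy associated with the relay's DNN and slice, and which of two relays to prefer. The dataclass names, the field names of the first parameter, the lookup table keyed by (DNN, slice) and the sample relays are constructed for this example; the only rule added beyond the page is that when both encryption and integrity are required or preferred, both checks must pass.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Policy values used on the page for each protection feature.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy: one value per feature (encryption, integrity)."""
    encryption: str
    integrity: str


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode of an established PDU session: on/off per feature."""
    encryption_on: bool
    integrity_on: bool


@dataclass(frozen=True)
class FirstParameter:
    """Security information a relay UE advertises in the first message. Every
    field is optional because the page says the parameter carries 'at least
    one of' these items; the field names are this example's own."""
    pdu_session_mode: Optional[ProtectionMode] = None  # first security protection mode of the first PDU session
    ran_supports_integrity: Optional[bool] = None      # derived from the type of the first access network device
    ran_on_demand: Optional[bool] = None               # first indication information
    second_indication: bool = False                    # second indication information is present
    dnn: Optional[str] = None                          # first DNN
    slice_info: Optional[str] = None                   # first slice information


def integrity_satisfied(p: FirstParameter) -> bool:
    """Any one of the page's four conditions suffices when integrity is required or preferred."""
    return (
        (p.pdu_session_mode is not None and p.pdu_session_mode.integrity_on)
        or bool(p.ran_supports_integrity)
        or bool(p.ran_on_demand)
        or p.second_indication
    )


def encryption_satisfied(p: FirstParameter) -> bool:
    """The page's single encryption condition: the relay's PDU session has encryption on."""
    return p.pdu_session_mode is not None and p.pdu_session_mode.encryption_on


def select_relay(policy: SecurityPolicy, p: FirstParameter) -> bool:
    """Remote UE decision for one candidate relay. Assumption of this example:
    every feature marked required/preferred must pass its check; 'not needed'
    imposes no condition."""
    if policy.integrity in (REQUIRED, PREFERRED) and not integrity_satisfied(p):
        return False
    if policy.encryption in (REQUIRED, PREFERRED) and not encryption_satisfied(p):
        return False
    return True


PolicyTable = Dict[Tuple[Optional[str], Optional[str]], SecurityPolicy]


def select_relay_by_dnn_slice(policy: SecurityPolicy, p: FirstParameter,
                              table: PolicyTable) -> bool:
    """Variant from the page: select when the first security policy equals the
    second security policy associated with the relay's DNN and/or slice.
    `table` is a constructed lookup keyed by (dnn, slice_info)."""
    second_policy = table.get((p.dnn, p.slice_info))
    return second_policy is not None and second_policy == policy


def prefer_first_relay(p1: FirstParameter, p2: FirstParameter) -> bool:
    """Choosing between two candidate relays (second vs third terminal device)."""
    m1, m2 = p1.pdu_session_mode, p2.pdu_session_mode
    if m1 is not None and m2 is not None and m1.integrity_on and not m2.integrity_on:
        return True
    if p1.ran_on_demand is True and p2.ran_on_demand is False:
        return True
    return False


# Constructed sample data: the remote UE's policy and two advertised relays.
POLICY = SecurityPolicy(encryption=REQUIRED, integrity=PREFERRED)
RELAY_A = FirstParameter(pdu_session_mode=ProtectionMode(encryption_on=True, integrity_on=True),
                         dnn="internet", slice_info="eMBB")
RELAY_B = FirstParameter(pdu_session_mode=ProtectionMode(encryption_on=True, integrity_on=False),
                         ran_on_demand=False, dnn="internet", slice_info="eMBB")
POLICY_TABLE: PolicyTable = {("internet", "eMBB"): SecurityPolicy(REQUIRED, PREFERRED)}


def demo() -> Dict[str, bool]:
    """Run the three decisions over the constructed sample data."""
    return {
        "select_a": select_relay(POLICY, RELAY_A),
        "select_b": select_relay(POLICY, RELAY_B),
        "a_by_dnn_slice": select_relay_by_dnn_slice(POLICY, RELAY_A, POLICY_TABLE),
        "prefer_a_over_b": prefer_first_relay(RELAY_A, RELAY_B),
    }


if __name__ == "__main__":
    print(demo())
```

Relay B is rejected only because none of its advertised items shows integrity protection is available, which is the point of carrying the security information in the first parameter: the remote UE filters relays before any session is set up through them, rather than discovering the mismatch afterwards.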
In another possible implementation manner, the transceiver module is further configured to:
send a second message to the second terminal device, where the second message carries the first security policy.
In another possible implementation manner, the transceiver module is further configured to:
send a third message to the second terminal device, where the third message carries any one of the following: first service information, a first protection indication, a second DNN, and second slice information, where the first service information is service information corresponding to the service that the first terminal device will use, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; and
receive a second protection indication sent by the second terminal device, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device.
A sixth aspect of the embodiments of this application provides a second terminal device, where the second terminal device includes:
a processing module, configured to determine a first parameter, where the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and a first access network device; and
a transceiver module, configured to send a first message, where the first message carries the first parameter.
In a possible implementation manner, the first parameter includes at least one of the following:
a first security protection mode supported by a first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, an identifier of the second terminal device, an identifier ID of the network to which the second terminal device belongs or which serves it, a first data network name DNN, or first slice information;
where the first PDU session is a PDU session already established on the second terminal device, the first indication information indicates that the first access network device supports an on-demand security protection mode, the second indication information is used to indicate that the first access network device is capable of supporting integrity protection, the digital signature is generated by the second terminal device using the private key of the second terminal device or the root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information about a slice for which the second terminal device supports providing the relay service.
In another possible implementation manner, the transceiver module is further configured to:
receive a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is a security policy, determined by the first terminal device, corresponding to the service that the first terminal device will use;
the processing module is further configured to:
determine a first security protection mode according to the first security policy; and
use the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device; and
the transceiver module is further configured to:
send the first security protection mode to the first terminal device.
In another possible implementation manner, the transceiver module is further configured to:
receive a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is a security policy, determined by the first terminal device, corresponding to the service that the first terminal device will use;
the processing module is further configured to:
determine a third security protection mode according to the first security policy and a second security policy, where the second security policy is a security policy, determined by the second terminal device, corresponding to the service that the first terminal device will use; and
use the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device; and
the transceiver module is further configured to:
send the third security protection mode to the first terminal device.
In another possible implementation manner, the first security protection mode is consistent with a second security protection mode, where the second security protection mode is the security protection mode supported by a second PDU session already established between the second terminal device and the first access network device.
In another possible implementation manner, that the first security protection mode is consistent with the second security protection mode includes:
if the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session is encryption protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or
if the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session is integrity protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or
if the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session is encryption protection not enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or
if the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session is integrity protection not enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or
if the first security policy indicates that encryption protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or
if the first security policy indicates that integrity protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
In another possible implementation manner, the transceiver module is further configured to:
if the first security protection mode is inconsistent with a second security protection mode, send a first request message to an SMF network element;
where the first request message is used to request modification of the second PDU session or to request establishment of a third PDU session, the first request message carries a third parameter, the third parameter is used to indicate security information for data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session already established between the second terminal device and the first access network device; and
receive a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
In another possible implementation manner, that the first security protection mode is inconsistent with the second security protection mode includes:
if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is encryption protection not enabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or
if the first security policy indicates that integrity protection is preferred, and the second security protection mode is integrity protection not enabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or
if the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy and the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
In another possible implementation manner, the third parameter includes at least one of the following:
first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;
where the first service information is service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
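The relay-side consistency check of the sixth aspect, as an added Python example that is not part of the patent text: the relay UE (second terminal device) compares the first security policy received from the remote UE with the protection mode of its already established second PDU session. The page gives two embodiments that differ on "preferred": one treats a preferred feature as consistent whatever the session does, the other treats a preferred-but-disabled feature as inconsistent so that the relay asks the SMF to modify the session (or set up a new one) with a first request message carrying the third parameter. Both are implemented here behind a flag. The dataclass names, the reading of "does not match" as required-but-disabled or not-needed-but-enabled, the mapping from policy to first security protection mode, and the sample values are this example's own assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Any, Dict

# Policy values used on the page for each protection feature.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy received from the remote UE in the second message."""
    encryption: str
    integrity: str


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode of a PDU session: on/off per feature."""
    encryption_on: bool
    integrity_on: bool


def _feature_consistent(policy_value: str, enabled: bool) -> bool:
    """Page's consistent-case rules for one feature: required needs it enabled,
    not needed needs it disabled, preferred accepts either state."""
    if policy_value == REQUIRED:
        return enabled
    if policy_value == NOT_NEEDED:
        return not enabled
    return True


def modes_consistent(policy: SecurityPolicy, second_mode: ProtectionMode) -> bool:
    """True when the relay may reuse the second PDU session's mode as the first
    security protection mode (first embodiment on the page)."""
    return (_feature_consistent(policy.encryption, second_mode.encryption_on)
            and _feature_consistent(policy.integrity, second_mode.integrity_on))


def _feature_mismatch(policy_value: str, enabled: bool) -> bool:
    """'Does not match' in the page's third inconsistency branch, read here
    (an assumption) as required-but-disabled or not-needed-but-enabled."""
    return (policy_value == REQUIRED and not enabled) or (policy_value == NOT_NEEDED and enabled)


def modes_inconsistent(policy: SecurityPolicy, second_mode: ProtectionMode) -> bool:
    """Second embodiment on the page: a preferred feature that is disabled is
    inconsistent (the relay will ask the network to enable it), and so is a
    mismatch of both features. A mismatch of only one required/not-needed
    feature is not listed by the page, so it returns False here."""
    if policy.encryption == PREFERRED and not second_mode.encryption_on:
        return True
    if policy.integrity == PREFERRED and not second_mode.integrity_on:
        return True
    return (_feature_mismatch(policy.encryption, second_mode.encryption_on)
            and _feature_mismatch(policy.integrity, second_mode.integrity_on))


def first_mode_from_policy(policy: SecurityPolicy) -> ProtectionMode:
    """Assumption: required/preferred map to enabled, not needed to disabled."""
    return ProtectionMode(encryption_on=policy.encryption != NOT_NEEDED,
                          integrity_on=policy.integrity != NOT_NEEDED)


def relay_decision(policy: SecurityPolicy, second_mode: ProtectionMode,
                   service_info: str, second_dnn: str, second_slice: str,
                   strict_preferred: bool) -> Dict[str, Any]:
    """Relay-side outcome: reuse the second PDU session, or build the first
    request message whose third parameter carries the items listed on the page.
    strict_preferred selects which of the two embodiments decides."""
    inconsistent = (modes_inconsistent(policy, second_mode) if strict_preferred
                    else not modes_consistent(policy, second_mode))
    if not inconsistent:
        return {"action": "reuse_second_pdu_session",
                "first_protection_mode": asdict(second_mode)}
    return {
        "action": "first_request_message",
        "request": "modify_second_pdu_session",  # or establish a third PDU session
        "third_parameter": {
            "first_service_info": service_info,
            "second_dnn": second_dnn,
            "second_slice_info": second_slice,
            "first_security_policy": asdict(policy),
            "first_protection_mode": asdict(first_mode_from_policy(policy)),
        },
    }


# Constructed sample: remote UE prefers encryption and requires integrity;
# the relay's existing session has integrity on but encryption off.
SAMPLE_POLICY = SecurityPolicy(encryption=PREFERRED, integrity=REQUIRED)
SAMPLE_SECOND_MODE = ProtectionMode(encryption_on=False, integrity_on=True)


def demo() -> Dict[str, str]:
    """Show that the two embodiments disagree on the sample policy/mode pair."""
    return {
        "lenient": relay_decision(SAMPLE_POLICY, SAMPLE_SECOND_MODE, "video", "internet", "eMBB", False)["action"],
        "strict": relay_decision(SAMPLE_POLICY, SAMPLE_SECOND_MODE, "video", "internet", "eMBB", True)["action"],
    }


if __name__ == "__main__":
    print(demo())
```

The flag is the practical caveat: a relay that silently accepts a disabled-but-preferred feature keeps the remote UE's traffic on a session without that protection, while the strict embodiment costs a PDU session modification round trip through the SMF before data flows; which one a deployment wants depends on whether "preferred" is meant as a real request or only as a tie-breaker.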
In another possible implementation manner, the transceiver module is further configured to:
receive a third message sent by the first terminal device;
where the third message carries at least one of the following: first service information, a second DNN, second slice information and a first protection indication, where the first service information is service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, the second slice information is information about the slice that the first terminal device will access, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device;
the processing module is further configured to:
determine a second protection indication according to the third message, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device; and
the transceiver module is further configured to:
send the second protection indication to the first terminal device.
In another possible implementation manner, the processing module is further configured to:
if the second terminal device has not received a protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device; and
the transceiver module is further configured to:
send the second protection indication to the first terminal device.
A seventh aspect of the embodiments of this application provides an SMF network element, where the SMF network element includes:
a transceiver module, configured to receive a first request message sent by a second terminal device, where the first request message is used to request modification of a second PDU session or to request establishment of a third PDU session, the first request message carries a third parameter, and the third parameter is used to indicate security information for data communication between a first terminal device and the second terminal device; and
a processing module, configured to determine a third security policy according to the third parameter, where the third security policy is a security policy, determined by the SMF network element, corresponding to the service that the first terminal device will use;
where the transceiver module is further configured to send a fourth message to a first access network device, and the fourth message carries the third security policy.
In a possible implementation manner, the third parameter includes at least one of the following:
first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;
where the first service information is service information corresponding to the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
In another possible implementation manner, the processing module is specifically configured to:
send at least one of the following to a UDM network element: the first service information, the second DNN and the second slice information; the SMF network element receives the subscription security policy sent by the UDM network element; and
use the subscription security policy as the third security policy; or determine the third security policy according to the subscription security policy and the first security policy; or determine the third security policy according to the subscription security policy and the first security protection mode.
In another possible implementation manner, the processing module is specifically configured to:
determine the third security policy according to at least one of the first security policy and the first security protection mode.
In another possible implementation manner, the fourth message further carries at least one of the following: the first security policy and the first security protection mode.
An eighth aspect of the embodiments of this application provides a first access network device, where the first access network device includes:
a transceiver module, configured to receive a second message sent by an SMF network element, where the second message carries a third security policy, and the third security policy is a security policy, determined by the SMF network element, corresponding to the service that a first terminal device will use;
a processing module, configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode used for data communication between a second terminal device and the first access network device; and
the transceiver module is further configured to send the fourth security protection mode to the second terminal device.
In a possible implementation manner, the second message further carries at least one of the following: the first security policy and the first security protection mode; and the processing module is specifically configured to:
determine the fourth security protection mode according to the third security policy and the first security protection mode; or
determine the fourth security protection mode according to the third security policy and the first security policy; or
determine the fourth security protection mode according to the third security policy, the first security protection mode and the first security policy.
A ninth aspect of the embodiments of this application provides a first terminal device, where the first terminal device includes a processor and a memory; the memory stores a computer program; and the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the first aspect.
Optionally, the first terminal device includes a transceiver, and the processor is configured to control the transceiver to send and receive signals.
A tenth aspect of the embodiments of this application provides a second terminal device, where the second terminal device includes a processor and a memory; the memory stores a computer program; and the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the second aspect.
Optionally, the second terminal device includes a transceiver, and the processor is configured to control the transceiver to send and receive signals.
An eleventh aspect of the embodiments of this application provides an SMF network element, where the SMF network element includes a processor and a memory; the memory stores a computer program; and the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the third aspect.
Optionally, the SMF network element includes a transceiver, and the processor is configured to control the transceiver to send and receive signals.
A twelfth aspect of the embodiments of this application provides a first access network device, where the first access network device includes a processor and a memory; the memory stores a computer program; and the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the fourth aspect.
Optionally, the first access network device includes a transceiver, and the processor is configured to control the transceiver to send and receive signals.
A thirteenth aspect of the embodiments of this application provides a computer program product including instructions which, when run on a computer, cause the computer to perform any one of the implementation manners of the first to fourth aspects.
A fourteenth aspect of the embodiments of this application provides a computer-readable storage medium including computer instructions which, when run on a computer, cause the computer to perform any one of the implementation manners of the first to fourth aspects.
A fifteenth aspect of the embodiments of this application provides a chip apparatus including a processor, configured to be connected to a memory and to call the program stored in the memory, so that the processor performs any one of the implementation manners of the first to fourth aspects.
A sixteenth aspect of the embodiments of this application provides a communication system, where the communication system includes the first terminal device of the first aspect and the second terminal device of the second aspect.
Optionally, the communication system further includes the SMF network element of the third aspect and the first access network device of the fourth aspect.
In the embodiments of this application, a first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between a second terminal device and a first access network device; then the first terminal device selects the second terminal device according to the first parameter. Because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can, when selecting the second terminal device, use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the second terminal device is able to meet the security requirements of the subsequent communication between the first terminal device and the network.
Description of drawings
FIG. 1A is a schematic structural diagram of a communication system according to an embodiment of the present application;
FIG. 1B is a schematic diagram of a network system according to an embodiment of the present application;
FIG. 1C is another schematic diagram of a network system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of another embodiment of the communication method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of another embodiment of the communication method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another embodiment of the communication method according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a first access network device according to an embodiment of the present application;
FIG. 10 is another schematic structural diagram of a first terminal device according to an embodiment of the present application;
FIG. 11 is another schematic structural diagram of an SMF network element according to an embodiment of the present application;
FIG. 12 is another schematic structural diagram of a first access network device according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a communication system according to an embodiment of the present application.
Detailed description
To make the objectives, technical solutions and advantages of the present application clearer, the present application is further described below with reference to the accompanying drawings. Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments. Those skilled in the art will understand, both explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
The communication system to which the present application applies is introduced below:
The technical solutions provided in the present application can be applied to various communication systems. In a communication system, the part operated by an operator may be referred to as a public land mobile network (PLMN) (it may also be referred to as an operator network, etc.). A PLMN is a network established and operated by a government or an operator approved by it for the purpose of providing land mobile communication services to the public; it is mainly a public network through which a mobile network operator (MNO) provides mobile broadband access services to users. The PLMN described in the present application may specifically be a network that meets the requirements of the 3rd generation partnership project (3GPP) standards, referred to as a 3GPP network for short. 3GPP networks generally include, but are not limited to, fifth-generation (5G) mobile communication networks (5G networks for short), fourth-generation (4G) mobile communication networks (4G networks for short), and the like.
For ease of description, a PLMN is used as an example in the embodiments of the present application. Alternatively, the technical solutions provided in the present application may also be applied to a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a fifth generation (5G) communication system, a device to device (D2D) communication system, a vehicle to everything (V2X) communication system, new radio (NR), or other future communication systems such as a 6G communication system.
As mobile broadband access services expand, mobile networks will also evolve to better support diversified business models and to meet the requirements of more diverse application services and more industries. For example, to provide better and more complete services to more industries, the 5G network has adjusted its network architecture relative to the 4G network. For instance, the 5G network splits the mobility management entity (MME) of the 4G network into several network functions, including the access and mobility management function (AMF) and the session management function (SMF).
FIG. 1A is a schematic diagram of a network architecture according to an embodiment of the present application; it takes as an example the service-based 5G network architecture in a non-roaming scenario defined in the 3GPP standardization process. The network architecture may include three parts: the terminal device part, the PLMN, and the data network (DN).
The terminal device part may include a terminal device 110, which may also be referred to as user equipment (UE). The terminal device 110 in the present application is a device with a wireless transceiving function, and can communicate with one or more core network (CN) devices (which may also be referred to as core devices) via an access network device (which may also be referred to as an access device) in a radio access network (RAN) 140. The terminal device 110 may also be referred to as an access terminal, a terminal, a subscriber unit, a subscriber station, a mobile station, a mobile console, a remote station, a remote terminal, a mobile device, a user terminal, a user agent, a user apparatus, or the like. The terminal device 110 may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; on water (for example, on a ship); or in the air (for example, on an aircraft, a balloon or a satellite). The terminal device 110 may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a smart phone, a mobile phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), or the like. Alternatively, the terminal device 110 may be a handheld device with a wireless communication function, a computing device or another device connected to a wireless modem, a vehicle-mounted device, a wearable device, an unmanned aerial vehicle device, a terminal in the Internet of Things or the Internet of Vehicles, a terminal of any form in a 5G network or a future network, a relay user equipment, a terminal in a future evolved PLMN, or the like. The relay user equipment may be, for example, a 5G residential gateway (RG). For example, the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, or the like. The embodiments of the present application do not limit the type or category of the terminal device.
The PLMN may include: a network exposure function (NEF) 131, a network function repository function (NRF) 132, a policy control function (PCF) 133, a UDM 134, an application function (AF) 135, an authentication server function (AUSF) 136, an access and mobility management function (AMF) 137, an SMF 138, a user plane function (UPF) 139, a (radio) access network ((R)AN) 140, and the like. In the above PLMN, the part other than the (radio) access network 140 may be referred to as the core network (CN) part.
The data network DN 120, which may also be referred to as a packet data network (PDN), is usually a network located outside the PLMN, for example a third-party network. Exemplarily, the PLMN may access multiple data networks DN 120, and multiple services may be deployed on a data network DN 120 to provide services such as data and/or voice to the terminal device 110. For example, the data network DN 120 may be the private network of a smart factory: the sensors installed in the factory workshop may be terminal devices 110, and a control server for the sensors is deployed in the data network DN 120 and provides services to the sensors. A sensor can communicate with the control server, obtain instructions from it, and transmit the collected sensor data to the control server according to those instructions. For another example, the data network DN 120 may be the internal office network of a company: the mobile phones or computers of the company's employees may be terminal devices 110, and through them the employees can access information, data resources and so on in the internal office network. The terminal device 110 may establish a connection with the PLMN through an interface provided by the PLMN (for example, the N1 interface in FIG. 1A) and use services such as data and/or voice provided by the PLMN. The terminal device 110 may also access the data network DN 120 through the PLMN, and use the operator services deployed on the data network DN 120 and/or services provided by third parties. The third party may be a service party other than the PLMN and the terminal device 110, and may provide other data and/or voice services to the terminal device 110. The specific form of the third party may be determined according to the actual application scenario and is not limited here.
Exemplarily, the network functions in the PLMN are briefly introduced below.
The (R)AN 140 is a sub-network of the PLMN and is the implementation system between the service nodes (or network functions) in the PLMN and the terminal device 110. To access the PLMN, the terminal device 110 first passes through the (R)AN 140, and then connects to the service nodes in the PLMN through the (R)AN 140. The access network device in the embodiments of the present application is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, a (R)AN device, a network device, or the like. For example, the access device includes but is not limited to: a next generation node basestation (gNB) in a 5G system, an evolved node B (eNB) in an LTE system, a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a small base station device (pico), a mobile switching center, or a network device in a future network. It should be understood that the present application does not limit the specific type of the access network device. In systems using different radio access technologies, the names of devices that have the function of an access network device may differ.
Optionally, in some deployments of the access device, the access device may include a centralized unit (CU), a distributed unit (DU), and the like. In other deployments of the access device, the CU may further be divided into a CU-control plane (CP) and a CU-user plane (UP), etc. In still other deployments, the access device may be an open radio access network (ORAN) architecture or the like; the present application does not limit the specific deployment manner of the access device.
The network exposure function NEF (which may also be referred to as the NEF network function or the NEF network function entity) 131 is a control plane function provided by the operator. The NEF 131 exposes the external interfaces of the PLMN to third parties in a secure manner. When the SMF network function 138 needs to communicate with a third-party network function, the NEF 131 may act as a relay for the communication between the SMF 138 and the third-party network entity. When acting as a relay, the NEF 131 may translate the identification information of the subscriber and the identification information of the third-party network function. For example, when the NEF 131 sends a subscriber's subscriber permanent identifier (SUPI) from the PLMN to a third party, it may translate the SUPI into the corresponding external identity (ID). Conversely, when the NEF 131 sends an external ID (the ID of a third-party network entity) to the PLMN, it may translate the external ID into a SUPI.
The network function repository function NRF 132 may be used to maintain real-time information about all network function services in the network.
The policy control function PCF 133 is a control plane function provided by the operator, and is used to provide the session management function SMF 138 with policies for PDU sessions. The policies may include charging-related policies, QoS-related policies, authorization-related policies, and the like.
The unified data management UDM 134 is a control plane function provided by the operator, and is responsible for storing information such as the subscriber permanent identifier (SUPI), security context, and subscription data of subscribers in the PLMN. The subscribers of the PLMN may specifically be users who use services provided by the PLMN, for example users who use a China Telecom terminal device chip card or users who use a China Mobile terminal device chip card. Exemplarily, the SUPI of a subscriber may be the number of the terminal device chip card or the like. The security context may be data (a cookie), a token, or the like stored on the local terminal device (for example, a mobile phone). The subscription data of a subscriber may be the services bundled with the terminal device chip card, for example the data plan of the mobile phone chip card.
The application function AF 135 is used for application-influenced data routing, for accessing the network exposure function, and for interacting with the policy framework for policy control, etc.
The authentication server function AUSF 136 is a control plane function provided by the operator, and is usually used for primary authentication, that is, the authentication between the terminal device 110 (the subscriber) and the PLMN.
The access and mobility management function AMF 137 is a control plane network function provided by the PLMN, and is responsible for the access control and mobility management of the terminal device 110 accessing the PLMN, including, for example, mobility state management, allocation of temporary user identities, and user authentication and authorization.
The session management function SMF 138 is a control plane network function provided by the PLMN, and is responsible for managing the protocol data unit (PDU) sessions of the terminal device 110. A PDU session is a channel for transmitting PDUs; the terminal device needs to exchange PDUs with the DN 120 through a PDU session. The SMF 138 may be responsible for establishing, maintaining and deleting PDU sessions. The SMF 138 provides session-related functions such as session management (session establishment, modification and release, including maintenance of the tunnel between the UPF 139 and the (R)AN 140, etc.), selection and control of the UPF 139, service and session continuity (SSC) mode selection, and roaming.
The user plane function UPF 139 is a gateway provided by the operator, and is the gateway through which the PLMN communicates with the DN 120. The UPF 139 provides user plane functions such as packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection, and downlink packet buffering.
The network functions in the PLMN shown in FIG. 1A may further include a network slice selection function (NSSF) (not shown in FIG. 1A), which is responsible for determining network slice instances, selecting the AMF network function 137, and the like. The network functions in the PLMN shown in FIG. 1A may further include a unified data repository (UDR), etc.; the embodiments of the present application do not limit the other network functions included in the PLMN.
In FIG. 1A, Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4 and N6 are interface serial numbers. Exemplarily, for the meaning of these interface serial numbers, refer to the meanings defined in the 3GPP standard protocols; the present application does not limit their meaning. It should be noted that FIG. 1A only uses the case where the terminal device 110 is a UE as an example, and the interface names between the network functions in FIG. 1A are only an example; in a specific implementation, the interfaces of the system architecture may have other names, which is not limited in the present application.
The mobility management network function in the present application may be the AMF 137 shown in FIG. 1A, or may be another network function in a future communication system that has the function of the access and mobility management function AMF 137 described above. Alternatively, the mobility management network function in the present application may also be the mobility management entity (MME) in an LTE system, or the like.
For ease of description, in the embodiments of the present application the session management function SMF 138 is abbreviated as the SMF network element and the unified data management UDM 134 is abbreviated as the UDM network element; that is, in the following description of the embodiments, SMF network element may be replaced with session management function, UDM network element may be replaced with unified data management, and UE may be replaced with terminal device. It should be understood that the same substitution applies to other network functions not shown.
The network architecture shown in FIG. 1A (for example, the 5G network architecture) adopts a service-based architecture and common interfaces. Based on network function virtualization (NFV) technology, the functions of traditional network elements are split into several self-contained, self-managed and reusable network function service modules; by flexibly defining the set of service modules, customized network function reconstruction can be achieved, and business processes are composed externally through a unified service invocation interface. The network architecture shown in FIG. 1A can be understood as a service-based 5G network architecture in a non-roaming scenario. In this architecture, different network functions are combined on demand and in order according to the requirements of a specific scenario, so that network capabilities and services can be customized, dedicated networks can be deployed for different services, and 5G network slicing can be realized. Network slicing technology enables operators to respond to customer needs more flexibly and quickly and supports flexible allocation of network resources.
Refer to FIG. 1B, which is a schematic diagram of a network system according to an embodiment of the present application. The network system includes UE1, UE2, UE3 and RAN1. UE1 and UE2 are connected through a proximity communication 5 (prose communication 5, PC5) interface, and UE2 and RAN1 are connected through a Uu interface (the radio interface between UTRAN and the user equipment).
UE1 selects UE2 and communicates with the network through UE2. UE2 plays the role of a UE-to-network relay. Both the PC5 interface between UE1 and UE2 and the Uu interface between UE2 and RAN1 have corresponding security definitions (on demand security). That is, the security protection mode corresponding to the PC5 interface between UE1 and UE2 and the security protection mode corresponding to the Uu interface between UE2 and RAN1 are determined based on security policies, and may be determined through negotiation.
The security policy includes a control plane security policy and a user plane security policy, and each security policy covers two features: encryption protection and integrity protection. The encryption protection requirement of each security policy has three levels: encryption protection required, encryption protection preferred (desired, or inclined to use encryption protection), and encryption protection not needed. Likewise, the integrity protection requirement of each security policy has three levels: integrity protection required, integrity protection preferred (desired, or inclined to use integrity protection), and integrity protection not needed. A security protection mode consists of enabling or not enabling encryption protection, and enabling or not enabling integrity protection.
Consider UE1 sending data or signaling to RAN1 through UE2; sending data is used as the example here. If the data between UE1 and UE2 is protected by encryption but the data between UE2 and RAN1 is not, an attacker can eavesdrop on the Uu interface between UE2 and RAN1 and thereby eavesdrop on or tamper with the data that UE1 sends to RAN1. Although the data between UE1 and UE2 is protected by encryption, UE1's data is still leaked during its transmission between UE2 and RAN1.
Therefore, to ensure that the security protection mode between UE1 and UE2 is consistent with the security protection mode between UE2 and the RAN, the embodiments of the present application propose a corresponding negotiation scheme for negotiating the security protection mode between UE1 and UE2 together with the security protection mode between UE2 and the RAN; for details, refer to the description of the embodiment shown in FIG. 3 below.
In FIG. 1B above, UE1 and UE3 may be remote UEs or ordinary UEs; an ordinary UE can still complete its communication with the network through the UE relay. The UEs in FIG. 1B are terminal devices; for the description of terminal devices and access network devices, refer to the description of FIG. 1A above, which is not repeated here.
Refer to FIG. 1C, which is another schematic diagram of a network system according to an embodiment of the present application. The network system includes UE1, UE2, UE4, a gNB and an eNB. FIG. 1C shows a scenario in which UE1 selects a UE in order to communicate with the network. UE3 is connected to the gNB; the gNB is a 5G base station of the 5G communication system and supports both encryption protection and integrity protection. As a relay node, UE3 can provide a relay service for UE1 so that UE1 can connect to the gNB in the 5G network. UE4 is connected to the eNB; the eNB is a 4G base station of the 4G communication system and supports encryption protection but not integrity protection. As a relay node, UE4 can provide a relay service for UE1 so that UE1 can connect to the gNB in the 4G network. For how UE1 selects a suitable UE in order to communicate with the network, the embodiments of the present application propose the technical solution of the embodiment shown in FIG. 2; for details, refer to the technical solution of the embodiment shown in FIG. 2 below.
上述图1B和图1C仅仅是为了说明本申请实施例的技术方案所适用的场景,图1B和图1C中还可以包括更多的UE和基站等,具体本申请不做限定。其次,图1B中示出了UE4连接长期演进节点eNB的场景。在实际应用中,UE4也可以是连接下一代演进型节点B(next generation evolved Node B,ng-eNB),ng-NB为连接5G核心网的LTE基站,eNB和ng-NB都支持加密保护但都不支持完整性保护。1B and FIG. 1C above are only to illustrate the applicable scenarios of the technical solutions of the embodiments of the present application. FIG. 1B and FIG. 1C may also include more UEs, base stations, etc., which are not specifically limited in the present application. Second, FIG. 1B shows a scenario in which UE4 is connected to a long-term evolution node eNB. In practical applications, UE4 can also be connected to the next generation evolved Node B (ng-eNB), and ng-NB is an LTE base station connected to the 5G core network. Both eNB and ng-NB support encryption protection but Neither supports integrity protection.
需要说明的是,上述图1B所示的近距离业务通信场景和图1C所示的近距离业务通信场景仅仅是为了说明本申请实施例的技术方案而示出的应用场景,除了上述图1B和图1C示出的UE-to-network的中继场景,本申请实施例的技术方案还适用于其他任何中继场景下的中继节点的选择和安全保护方式的协商。It should be noted that the short-range service communication scenario shown in FIG. 1B and the short-range service communication scenario shown in FIG. 1C are only application scenarios shown to illustrate the technical solutions of the embodiments of the present application, except for the above-mentioned FIG. 1B and FIG. 1C . In the UE-to-network relay scenario shown in FIG. 1C , the technical solutions of the embodiments of the present application are also applicable to the selection of relay nodes and the negotiation of security protection modes in any other relay scenarios.
Refer to FIG. 2, a schematic diagram of an embodiment of the communication method according to an embodiment of this application. In FIG. 2, the communication method includes:
201. The second terminal device determines a first parameter.
The second terminal device supports the function of providing a relay service, and the first parameter indicates security information about the communication between the second terminal device and a first access network device.
For example, as shown in FIG. 1B, the second terminal device is UE2 and the first access network device is RAN1; UE2 can provide a relay service to remote UEs (for example UE1 and UE3 in FIG. 1B) so that they can communicate with the network.
The first parameter includes at least one of the following:
1. The first security protection mode supported by a first PDU session (PDU session 1), where the first PDU session is a PDU session already established on the second terminal device that is to be used to serve a remote UE or an ordinary UE.
The first security protection mode supported by the first PDU session may also be called the first security protection mode of the air interface corresponding to the first PDU session, or of the air-interface bearer corresponding to the first PDU session. It states whether ciphering is enabled and whether integrity protection is enabled.
Specifically, the second terminal device has already established the first PDU session for carrying the remote UE's data, and that session has a corresponding first security protection mode: data protection between the second terminal device and the base station has already been activated for it. For example, ciphering is enabled by default or disabled by default; optionally, integrity protection is likewise enabled or disabled by default.
When several PDU sessions for carrying data of remote UEs or ordinary UEs have been established on the second terminal device, the first parameter may optionally carry the security protection modes supported by each of those PDU sessions, or the intersection of those modes (the protection that every session provides). For example, if PDU session 1 supports ciphering and PDU session 2 does not, the first parameter includes a security protection mode in which ciphering is enabled (that of PDU session 1).
Optionally, if each PDU session is associated with a DNN and/or network slice selection assistance information (NSSAI), the first parameter may include, for each PDU session, the associated DNN and/or NSSAI together with the security protection mode the session supports.
2. The type of the first access network device. For example, in FIG. 1C, UE3 is connected to a gNB and UE4 to an eNB. If the second terminal device is UE3, the first access network device is the gNB and its type is "gNB" or "5G base station". If the second terminal device is UE4, the first access network device is the eNB and its type is "eNB" or "4G base station". If the second terminal device is UE5, the first access network device is an ng-eNB and its type is "ng-eNB" or "evolved 4G base station". Other base station types are not limited here.
3. First indication information, indicating whether the first access network device supports the on-demand protection mode.
Specifically, as shown in FIG. 1B, if RAN1, to which UE2 is connected, supports the on-demand protection mode (that is, RAN1 can switch ciphering and integrity protection on and off flexibly), the first indication information indicates that the first access network device supports the on-demand protection mode; otherwise it indicates that the first access network device does not support it.
4. Second indication information, indicating that the first access network device is capable of integrity protection. For example, in FIG. 1C, if the second terminal device is UE3 and the gNB to which UE3 is connected supports integrity protection, the first parameter includes the second indication information.
5. A digital signature computed by the second terminal device with its private key and/or its certificate, whose signed content includes the security information between the second terminal device and the first access network device.
Specifically, when the digital signature is computed using the certificate of the second terminal device, the first parameter also carries that certificate, and the certificate (which chains to the root certificate of the second terminal device) carries the public key corresponding to the private key. A recipient that does not validate that chain against a root it trusts cannot tell a genuine relay from one that advertises a flattering security state under a key of its own.
The second terminal device obtains its private key as follows: during its registration procedure, the UE receives it from a network device such as the PCF, the UDM, the unified data repository (UDR), a key management entity or the proximity-based services function (ProSe function). Taking the PCF as the example, the private key and/or root certificate of the second terminal device are configured as follows. The PCF sends first configuration information, carrying the private key and/or certificate of the second terminal device, to the AMF; the AMF then delivers the private key and/or certificate to the second terminal device in a non-access stratum (NAS) message, which must already be confidentiality protected since it carries a private key.
6. The identity of the second terminal device, that is, its user equipment identity (UE ID), for example a subscriber permanent identifier (SUPI) or a generic public subscription identifier (GPSI).
7. The identifier of the network to which the second terminal device belongs or which serves it, for example a PLMN ID, a non-public network identity (NPN ID), or PLMN ID||NPN ID, where "||" denotes the concatenation of the two identifiers.
8. A first data network name (DNN): the DNN for which the second terminal device supports providing a relay service, indicating that the second terminal device can relay traffic of services of the first DNN.
9. First slice information: information about the slice for which the second terminal device supports providing a relay service.
The first slice information indicates that the second terminal device can relay the service corresponding to that slice; for example, it is single network slice selection assistance information (S-NSSAI).
The first parameter can be understood as the current protection state between the second terminal device and the first access network device, or the security protection modes that can be applied there in future, so that the first terminal device can decide, against its own security requirements, whether to select the second terminal device.
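The following Go program is an added example and not part of the patent or of any implementation by the applicant. It shows how a relay UE could assemble the first parameter listed above: it computes the intersection of the protection modes of its established PDU sessions (item 1), packs the other items into a structure, and signs the result as item 5 describes, with the remote UE verifying the signature before it trusts any claim. The field names, the JSON encoding and the use of Ed25519 are assumptions; the patent names no algorithm or message format, and the raw public key stands in for the certificate it describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ProtectionMode: whether ciphering and integrity protection are switched on.
type ProtectionMode struct {
	Ciphering bool `json:"ciphering"`
	Integrity bool `json:"integrity"`
}

// IntersectModes returns the protection every established PDU session provides
// (step 201, item 1): a feature is advertised only if all sessions have it on,
// so the remote UE is never promised more than the weakest session delivers.
func IntersectModes(modes []ProtectionMode) (mode ProtectionMode, ok bool) {
	if len(modes) == 0 {
		return ProtectionMode{}, false
	}
	mode = ProtectionMode{Ciphering: true, Integrity: true}
	for _, m := range modes {
		mode.Ciphering = mode.Ciphering && m.Ciphering
		mode.Integrity = mode.Integrity && m.Integrity
	}
	return mode, true
}

// FirstParameter is the security information a relay UE advertises about its
// Uu link. Field names and the JSON encoding are assumptions for this example.
type FirstParameter struct {
	RelayID          string         `json:"relay_id"`      // item 6: SUPI or GPSI
	NetworkID        string         `json:"network_id"`    // item 7: PLMN ID or PLMN ID||NPN ID
	RANType          string         `json:"ran_type"`      // item 2: "gNB", "eNB" or "ng-eNB"
	OnDemandSecurity bool           `json:"on_demand"`     // item 3: first indication information
	IntegrityCapable bool           `json:"integ_capable"` // item 4: second indication information
	SessionMode      ProtectionMode `json:"session_mode"`  // item 1: mode of the established session(s)
	DNNs             []string       `json:"dnns"`          // item 8
	Slices           []string       `json:"slices"`        // item 9: S-NSSAI values
}

// SignedAdvertisement is the first message of step 202: the parameter, the
// relay's public key (standing in for its certificate) and the item 5
// signature. Ed25519 is an assumption; the patent names no algorithm.
type SignedAdvertisement struct {
	Param     FirstParameter
	PublicKey ed25519.PublicKey
	Signature []byte
}

// encode yields the signed bytes; encoding/json is deterministic for a fixed struct.
func encode(p FirstParameter) ([]byte, error) { return json.Marshal(p) }

// SignAdvertisement runs on the relay UE with the private key provisioned
// at registration (PCF -> AMF -> NAS message).
func SignAdvertisement(p FirstParameter, priv ed25519.PrivateKey) (SignedAdvertisement, error) {
	msg, err := encode(p)
	if err != nil {
		return SignedAdvertisement{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedAdvertisement{Param: p, PublicKey: pub, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyAdvertisement runs on the remote UE before any claim in the parameter
// is trusted. A real implementation must also validate the relay's certificate
// chain to a root it trusts; this example checks only the signature itself.
func VerifyAdvertisement(adv SignedAdvertisement) bool {
	if len(adv.PublicKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key
	}
	msg, err := encode(adv.Param)
	if err != nil {
		return false
	}
	return ed25519.Verify(adv.PublicKey, msg, adv.Signature)
}

// DemoKeys generates a throwaway relay key pair for the example.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	_, priv := DemoKeys()
	// Constructed input: two established sessions, only one integrity protected.
	mode, _ := IntersectModes([]ProtectionMode{{Ciphering: true, Integrity: true}, {Ciphering: true, Integrity: false}})
	adv, err := SignAdvertisement(FirstParameter{RelayID: "gpsi-relay-example", NetworkID: "46000",
		RANType: "gNB", OnDemandSecurity: true, IntegrityCapable: true, SessionMode: mode,
		DNNs: []string{"internet"}, Slices: []string{"01-000001"}}, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("advertised %+v, signature valid: %v\n", adv.Param.SessionMode, VerifyAdvertisement(adv))
	adv.Param.SessionMode.Integrity = true // an attacker upgrades the claim in transit
	fmt.Println("after tampering, signature valid:", VerifyAdvertisement(adv))
}
```

The signature binds the advertisement to whoever holds the private key; it is the certificate validation, omitted here, that ties that key to a relay the network actually provisioned. Without it an attacker can run its own relay, advertise integrity capability and a gNB, and still pass this check.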
202. The second terminal device sends a first message to the first terminal device.
The first message carries the first parameter; for the first parameter, refer to the description of step 201, which is not repeated here.
It should be noted that the first message already carries the identity information of the second terminal device as a UE relay; on that basis, this embodiment adds the first parameter to the first message.
Specifically, the first terminal device is configured to be able to communicate with the network through a UE relay, and the second terminal device is configured to be able to act as a UE relay. The specific configuration manner is not limited in this application.
One possible configuration manner is as follows. During the registration procedure of the first terminal device, it obtains second configuration information from the PCF (or from a network device such as the UDM, the UDR, a key management entity or the ProSe function); the second configuration information includes the capability of the first terminal device to use a UE relay. During the registration procedure of the second terminal device, it obtains third configuration information from the PCF (or from one of the same alternative network devices); the third configuration information includes the capability of the second terminal device to perform the UE relay function.
Taking the first terminal device obtaining the second configuration information from the PCF as the example: the PCF sends the second configuration information to the AMF, and the AMF sends it to the first terminal device in a NAS message.
Optionally, the first message is a broadcast message or a multicast message of the second terminal device, or a response message sent by the second terminal device to the first terminal device.
If the first message is a response message sent by the second terminal device to the first terminal device, this embodiment further includes step 202a, performed before step 202.
Step 202a: The first terminal device sends a second request message.
The second request message indicates that the first terminal device needs a UE-to-network relay, or it requests a service.
In this implementation, after receiving the second request message, the second terminal device sends a response message to the first terminal device; the response message carries the first parameter and the identity information of the second terminal device as a UE relay.
203. The first terminal device selects the second terminal device according to the first parameter.
Specifically, after receiving the first message, the first terminal device uses the first parameter to decide whether to select the second terminal device as the relay node for its subsequent connection to the network. For example, in FIG. 1B, UE1 decides whether to select UE2 as its relay node to RAN1.
Optionally, this embodiment further includes step 203a, performed before step 203.
Step 203a: The first terminal device determines a first security policy.
The first security policy is the security policy, determined by the first terminal device, that corresponds to the service the first terminal device is going to use. It includes a protection requirement for ciphering and a protection requirement for integrity protection.
The service the first terminal device is going to use may be characterised by at least one of the following: first service information, a second DNN and second slice information.
The first service information is the service information of the service the first terminal device is going to use; the second DNN is the DNN of that service; the second slice information is the slice information of that service.
The first service information identifies the service. Optionally, it includes at least one of the following: a service type, a service identifier, an application type and an application identifier.
Specifically, the first terminal device determines the first security policy, that is, its own security requirements, from at least one of the first service information, the second DNN and the second slice information. For example, the first security policy may state that ciphering is required and integrity protection is preferred.
On the basis of step 203a, step 203 specifically includes:
the first terminal device selects the second terminal device according to the first security policy and the first parameter.
For convenience and clarity, the cases are described below separately from the ciphering perspective and from the integrity protection perspective.
Step 203 is now described in terms of the specific content of the first security policy.
1. If the first security policy indicates that integrity protection is required or preferred, the first terminal device performs at least one of the following operations:
a. If the first parameter includes the first security protection mode supported by the first PDU session and that mode has integrity protection enabled, the first terminal device selects the second terminal device.
Since the second terminal device already has a suitable PDU session 1 that can provide integrity protection, the first terminal device can select it.
In this embodiment, if the first terminal device receives messages broadcast by several terminal devices that can act as UE relays, each of which has established PDU sessions, the first terminal device can select the second terminal device whose established PDU session supports enabling integrity protection.
It should be noted that if the first terminal device receives from the second terminal device the security protection modes supported by several PDU sessions, it can choose a PDU session that supports enabling integrity protection to serve it.
b. If the first parameter includes the type of the first access network device and that type indicates that the device can enable integrity protection, the first terminal device selects the second terminal device.
For example, in FIG. 1C, when UE1 selects a UE relay, UE3 is connected to a gNB, which supports integrity protection, while UE4 is connected to an eNB, which does not. UE1 therefore selects UE3 as the UE relay according to the indication carried in UE3's broadcast message that the gNB supports integrity protection, and communicates with the network through UE3.
c. If the first parameter includes the first indication information and it indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device.
As shown in FIG. 1C, if the gNB connected to UE3 supports the on-demand protection mode (the gNB can flexibly enable ciphering and integrity protection), UE1 selects UE3.
d. If the first parameter includes the second indication information, the first terminal device selects the second terminal device.
For example, in FIG. 1C, the second terminal device is UE3 and the gNB connected to UE3 supports integrity protection, so the first parameter includes the second indication information. When the first parameter carries the second indication information, the first terminal device selects the second terminal device so that the gNB can later provide the integrity protection service.
The above only shows some possible implementations for the first terminal device when the first security policy indicates integrity protection as required or preferred.
It should be noted that when the first security policy indicates integrity protection as preferred, integrity protection may be enabled or not, so the first terminal device places no restriction on whether the second terminal device can provide integrity protection when selecting it: whether the second terminal device is connected to a 5G base station or a 4G base station, the first terminal device may select it. The checks in a to d therefore only exclude a candidate when integrity protection is required.
2. If the first security policy indicates that ciphering is required or preferred, the first terminal device performs at least one of the following operations:
a. If the first parameter includes the first security protection mode supported by the first PDU session and that mode has ciphering enabled, the first terminal device selects the second terminal device.
Since the second terminal device already has a suitable PDU session 1 that can provide ciphering, the first terminal device can select it.
It should be noted that if the first terminal device receives messages broadcast by several terminal devices that can act as UE relays, each of which has established PDU sessions, the first terminal device can select the second terminal device whose PDU session supports enabling ciphering.
b. If the first parameter includes the type of the first access network device and that type indicates that the device can enable ciphering, the first terminal device selects the second terminal device.
c. If the first parameter includes the first indication information and it indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device.
Specifically, as shown in FIG. 1C, if the gNB connected to UE3 supports the on-demand protection mode (the gNB can flexibly enable ciphering and integrity protection), UE1 selects UE3.
d. If the first parameter includes an indication that the first access network device is capable of ciphering, the first terminal device selects the second terminal device.
The above only shows some possible implementations for the first terminal device when the first security policy indicates ciphering as required or preferred.
It should be noted that when the first security policy indicates ciphering as preferred, ciphering may be enabled or not, so the first terminal device places no restriction on whether the second terminal device can provide ciphering when selecting it: whether or not the PDU session established on the second terminal device supports ciphering, the first terminal device may select it. When the first security policy indicates ciphering as required, the only restriction is that, when choosing among established PDU sessions, the first terminal device selects one that supports ciphering; no other capability of the second terminal device is restricted, because every type of base station the second terminal device may be connected to supports ciphering.
3. If the first security policy indicates ciphering or integrity protection as not needed, since not needed means the corresponding protection is not switched on, the first terminal device places no restriction on the capability of the second terminal device when selecting it. It does, however, prefer a second terminal device that has already established a PDU session on which ciphering or integrity protection, respectively, is not enabled.
4、若该第一参数包括第一DNN且该第一DNN与该第一终端设备将接入的第二DNN一致,和/或,若该第一参数包括第一切片信息且该第一切片信息与该第一终端设备将接入的切片的第二切片信息一致时,该第一终端设备选择该第二终端设备。4. If the first parameter includes a first DNN and the first DNN is consistent with the second DNN to be accessed by the first terminal device, and/or, if the first parameter includes first slice information and the first When the slice information is consistent with the second slice information of the slice to be accessed by the first terminal device, the first terminal device selects the second terminal device.
第一DNN和第二DNN一致包括:该第一DNN与第二DNN相同,或者,第一DNN包括(覆盖)该第二DNN。Consistency of the first DNN and the second DNN includes: the first DNN is the same as the second DNN, or the first DNN includes (covers) the second DNN.
该第一切片信息与该第二切片信息一致包括:该第一切片信息与第二切片信息相同,或者,该第一切片信息包括(覆盖)该第二切片信息。The first slice information being consistent with the second slice information includes: the first slice information is the same as the second slice information, or the first slice information includes (covers) the second slice information.
5、若第一参数包括第一DNN和/或第一切片信息,且该第一DNN和/或第一切片信息关联的第二安全策略与第一安全策略一致时,第一终端设备选择第二终端设备。5. If the first parameter includes the first DNN and/or the first slice information, and the second security policy associated with the first DNN and/or the first slice information is consistent with the first security policy, the first terminal device Select the second terminal device.
其中,第一安全策略与第二安全策略一致可以理解为该第一终端设备将接入的第二DNN和/或第二切片信息对应的安全策略能够被第二安全策略所提供。Wherein, that the first security policy is consistent with the second security policy can be understood as the security policy corresponding to the second DNN and/or the second slice information to be accessed by the first terminal device can be provided by the second security policy.
例如,第一安全策略指示加密保护为required,那么第二安全策略中的加密保护必须为required。第一安全策略指示加密保护为preferred,那么第二安全策略中的加密保护为required或preferred。对于第一安全策略指示的完整性保护的情况也类似,不再赘述。第一安全策略指示加密保护为not needed,那么对于第二安全策略不做限制。对于第一安全策略指示完整性保护为not needed,则对于第二安全策略也不做限制。For example, if the first security policy indicates that encryption protection is required, then the encryption protection in the second security policy must be required. The first security policy indicates that the encryption protection is preferred, then the encryption protection in the second security policy is required or preferred. The same is true for the integrity protection indicated by the first security policy, and details are not repeated here. The first security policy indicates that the encryption protection is not needed, then there is no restriction on the second security policy. If the first security policy indicates that the integrity protection is not needed, there is no restriction on the second security policy.
需要说明的是,上述示出了第一终端设备根据第一参数携带的某个信息选择第二终端设备的过程。在实际应用中,第一终端设备可以根据第一参数中的一个或多个参数选择第二终端设备,即第一终端设备执行上述示出的第一终端设备选择第二终端设备的多个过程。It should be noted that the above shows the process of selecting the second terminal device by the first terminal device according to certain information carried by the first parameter. In practical applications, the first terminal device may select the second terminal device according to one or more parameters in the first parameters, that is, the first terminal device performs the above-mentioned multiple processes of selecting the second terminal device by the first terminal device .
具体的,第一终端设备通过该第一参数确定该第二终端设备均满足该第一安全策略的加密保护的保护需求和完整性保护的保护需求,第一终端设备才选择该第二终端设备。Specifically, the first terminal device determines through the first parameter that both the second terminal device meets the protection requirements of the encryption protection and the protection requirements of the integrity protection of the first security policy, and the first terminal device selects the second terminal device .
另外,本实施例选择relay的场景适用于逐跳保护机制和端到端保护机制。例如,对于端到端保护机制,可以理解为第一终端设备根据第二终端设备连接的基站的类型、或者该基站是否支持完整性保护,或者该基站是否支持按需保护等参数,选择第二终端设备;然后,第一终端设备通过该第二终端设备实现第一终端设备与基站之间能够执行端到端安全保护。In addition, the scenario where relay is selected in this embodiment is applicable to the hop-by-hop protection mechanism and the end-to-end protection mechanism. For example, for the end-to-end protection mechanism, it can be understood that the first terminal device selects the second terminal device according to the type of the base station connected to the second terminal device, or whether the base station supports integrity protection, or whether the base station supports on-demand protection and other parameters. terminal device; then, the first terminal device implements end-to-end security protection between the first terminal device and the base station through the second terminal device.
Optionally, the first parameter includes a digital signature. Before selecting the second terminal device, the first terminal device verifies the digital signature. If verification succeeds, the first terminal device proceeds to the step of selecting the second terminal device; if verification fails, the first terminal device determines that the first message is an illegitimate message and discards it.
Two possible implementations of the first terminal device verifying the digital signature are shown below.
1. The first terminal device verifies the digital signature using the public key corresponding to the private key of the second terminal device.
In this implementation, the first terminal device obtains the public key of the second terminal device. Specifically, the first message also carries the identifier of the second terminal device, and the first terminal device determines the public key of the second terminal device from that identifier.
2. The first terminal device verifies the digital signature using the certificate of the second terminal device.
In this implementation, the first message carries the certificate of the second terminal device and the digital signature. The first terminal device verifies the certificate of the second terminal device and, when that verification succeeds, uses the certificate to verify the digital signature. Specifically, the first terminal device may verify the received certificate of the second terminal device using the root certificate of the second terminal device.
The first terminal device obtains the root certificate as follows: the first message also carries the identifier of the network to which the second terminal device belongs (for example, a PLMN ID and/or an NPN ID), and the first terminal device determines the root certificate of the second terminal device from that network identifier.
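The two verification paths above, written out as an added example in Go; this is not code from the patent, which names no algorithm or message encoding. The example assumes Ed25519 signatures and X.509 certificates from the Go standard library, a constructed encoding of the first parameter, a constructed relay identifier "UE3" and a constructed PLMN ID "46000". Two points a practitioner would want: the signature is computed over the advertised security parameters themselves, so a forger cannot swap in stronger claims, and the network identifier carried in the (still unauthenticated) message is only used to pick one of the root certificates the remote UE was provisioned with, never to fetch a root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Broadcast models the first message; the signature covers Params, the encoded first parameter.
type Broadcast struct {
	Params    []byte // encoded first parameter (a constructed sample is built in BuildFixture)
	RelayID   string // implementation 1: selects the relay's public key
	CertDER   []byte // implementation 2: the relay's certificate, carried in the message
	NetworkID string // PLMN ID / NPN ID: selects the root certificate
	Sig       []byte
}

// Verifier holds what the remote UE was provisioned with beforehand.
type Verifier struct {
	KeysByID       map[string]ed25519.PublicKey
	RootsByNetwork map[string]*x509.CertPool
}

var errDiscard = errors.New("signature invalid: first message is illegitimate, discard it")

// VerifyByKey is implementation 1: the public key is looked up by the relay identifier.
func (v Verifier) VerifyByKey(m Broadcast) error {
	if pk, ok := v.KeysByID[m.RelayID]; !ok || !ed25519.Verify(pk, m.Params, m.Sig) {
		return errDiscard
	}
	return nil
}

// VerifyByCert is implementation 2: the certificate is chained to the root selected by the
// network identifier before its key is used. That identifier arrives in the unauthenticated
// message, so it may only choose among roots already provisioned, never fetch a new one.
func (v Verifier) VerifyByCert(m Broadcast) error {
	roots, ok := v.RootsByNetwork[m.NetworkID]
	if !ok {
		return errors.New("no root certificate for network identifier")
	}
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	pk, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pk, m.Params, m.Sig) {
		return errDiscard
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildFixture constructs a root CA for PLMN "46000", a relay certificate issued under it,
// a sample first parameter and its signature. Every value here is constructed for the example.
func BuildFixture() (Verifier, Broadcast) {
	now := time.Now()
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	relayPub, relayPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "PLMN 46000 relay root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootPriv)
	must(err)
	rootCert, err := x509.ParseCertificate(rootDER)
	must(err)
	relayTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "UE3"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	relayDER, err := x509.CreateCertificate(rand.Reader, relayTmpl, rootCert, relayPub, rootPriv)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	params := []byte("pdu-session:enc=on,int=on;ran=5G;on-demand=yes;dnn=internet") // constructed sample
	m := Broadcast{Params: params, RelayID: "UE3", CertDER: relayDER, NetworkID: "46000",
		Sig: ed25519.Sign(relayPriv, params)}
	v := Verifier{KeysByID: map[string]ed25519.PublicKey{"UE3": relayPub},
		RootsByNetwork: map[string]*x509.CertPool{"46000": roots}}
	return v, m
}

func main() {
	v, m := BuildFixture()
	fmt.Println("by key:", v.VerifyByKey(m), "by cert:", v.VerifyByCert(m)) // both <nil>
	m.Params[0] ^= 1 // a forger alters the advertised security information
	fmt.Println("tampered:", v.VerifyByKey(m))
}
```

With the certificate path, the order matters: the chain is validated against the root chosen by the network identifier first, and only then is the key inside the certificate used on the signature; a certificate that does not chain to a provisioned root is rejected before its key is ever trusted.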
Optionally, when the first terminal device receives messages broadcast by multiple terminal devices acting as UE relays, and several of them satisfy the security requirements of the first terminal device, the first terminal device selects the second terminal device according to the priority of the parameters broadcast by those terminal devices.
For example, if the multiple terminal devices broadcast the security protection modes supported by the PDU sessions established on them, a PDU session with integrity protection enabled has the higher priority. If the multiple terminal devices broadcast the types of access network device they are connected to, an access network device type that is capable of supporting integrity protection has the higher priority.
The following describes the process of the first terminal device selecting the second terminal device, taking as an example the first terminal device receiving messages broadcast by two terminal devices acting as UE relays. This embodiment further includes step 203b, which is performed before step 203.
Step 203b: The first terminal device receives a second message.
The second message carries a second parameter, and the second parameter indicates security information about the communication between a third terminal device and a second access network device.
For example, as shown in FIG. 1C, UE1 receives the first message broadcast by UE3, which carries the first parameter, and UE1 receives the second message broadcast by UE4, which carries the second parameter.
Step 203 then specifically includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
Specifically, the first terminal device may select the second terminal device according to the first security policy, the first parameter and the second parameter. Two possible selection methods are shown below:
1. If the first parameter includes a first security protection mode supported by a first PDU session and the first security protection mode has integrity protection enabled, while the second parameter includes a second security protection mode supported by a second PDU session and the second security protection mode has integrity protection disabled, the first terminal device selects the second terminal device.
Here, the first PDU session is a PDU session already established on the second terminal device, and the second PDU session is a PDU session already established on the third terminal device.
As can be seen, the first security protection mode has integrity protection enabled while the second security protection mode does not, which can be understood as the first security protection mode having the higher priority, so the first terminal device may select the second terminal device.
2. If the first parameter includes first indication information indicating that the first access network device supports on-demand protection, and the second parameter includes third indication information indicating that the second access network device does not support on-demand protection, the first terminal device selects the second terminal device.
As can be seen, the first indication information has a higher priority than the third indication information, so the first terminal device selects the second terminal device.
It should be noted that the first terminal device may also select the second terminal device according to other parameters. For example, the first terminal device selects the second terminal device according to the types of access network device the multiple terminal devices are connected to: a 5G base station supports integrity protection while a 4G base station does not, so the first terminal device preferentially selects a second terminal device connected to a 5G base station.
The above shows a scheme in which the first terminal device selects the second terminal device from multiple terminal devices according to the priority of a single parameter that they broadcast. In practice, the first terminal device selects the second terminal device by weighing the priorities of multiple parameters together.
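The remote UE's side of the selection, covering both the acceptance rules of items 1 to 5 above (the required/preferred/not needed consistency rule, the DNN match, the requirement that encryption and integrity be satisfied together) and the priority ordering among several acceptable relays, as one added example in Go. This is not code from the patent. Assumptions made here: the field names of the broadcast parameter, the numeric weights (only the ordering follows the text), "covers" being modelled as membership in an advertised DNN set, slice information being handled exactly like DNNs and therefore omitted, and a relay on a base station without integrity protection being unable to satisfy a "required" integrity policy, which mirrors the page's statement that 4G base stations lack integrity protection.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is one value of a user-plane security policy.
type Level int

const (
	NotNeeded Level = iota
	Preferred
	Required
)

// Policy pairs an encryption level with an integrity level; Mode records which protections
// an established PDU session actually has enabled.
type Policy struct{ Enc, Int Level }
type Mode struct{ Enc, Int bool }

// Candidate is what one UE relay broadcasts (the first or second parameter). Field names are
// assumptions for this example; slice information would be handled exactly like DNNs.
type Candidate struct {
	ID       string
	Session  *Mode           // mode of an already established PDU session, nil if none advertised
	RANInt   bool            // the connected base station supports integrity protection (5G)
	OnDemand bool            // the connected base station supports on-demand protection
	DNNs     map[string]bool // DNNs the relay reaches; "covers" is modelled as membership
	Policy   *Policy         // second security policy tied to those DNNs, nil if not advertised
}

// policyOK is the consistency rule between two security policies: required needs required,
// preferred accepts required or preferred, not needed accepts anything.
func policyOK(want, have Level) bool { return have >= want }

// sessionOK checks one dimension of an established session: only "required" restricts it.
func sessionOK(want Level, on bool) bool { return want != Required || on }

// Acceptable reports whether a candidate meets both the encryption and the integrity
// requirement of policy p, plus the DNN match whenever the candidate advertises DNNs.
func Acceptable(p Policy, dnn string, c Candidate) bool {
	if c.Session != nil && !(sessionOK(p.Enc, c.Session.Enc) && sessionOK(p.Int, c.Session.Int)) {
		return false
	}
	// Assumption: a base station without integrity protection cannot satisfy "required" integrity.
	if p.Int == Required && !c.RANInt {
		return false
	}
	if dnn != "" && c.DNNs != nil && !c.DNNs[dnn] {
		return false
	}
	return c.Policy == nil || (policyOK(p.Enc, c.Policy.Enc) && policyOK(p.Int, c.Policy.Int))
}

func pts(cond bool, n int) int {
	if cond {
		return n
	}
	return 0
}

// Score orders acceptable candidates. Weights are an assumption; the ordering follows the text:
// a session whose enabled protections match the policy (on for required/preferred, off for not
// needed), then an integrity-capable base station, then on-demand support, then any session.
func Score(p Policy, c Candidate) int {
	s := pts(c.RANInt, 2) + pts(c.OnDemand, 1)
	if c.Session != nil {
		s += 1 + pts((p.Enc != NotNeeded) == c.Session.Enc, 4) + pts((p.Int != NotNeeded) == c.Session.Int, 4)
	}
	return s
}

// SelectRelay keeps the acceptable candidates and returns the highest-scoring one.
func SelectRelay(p Policy, dnn string, cands []Candidate) (Candidate, bool) {
	var ok []Candidate
	for _, c := range cands {
		if Acceptable(p, dnn, c) {
			ok = append(ok, c)
		}
	}
	if len(ok) == 0 {
		return Candidate{}, false
	}
	sort.SliceStable(ok, func(i, j int) bool { return Score(p, ok[i]) > Score(p, ok[j]) })
	return ok[0], true
}

func main() {
	// FIG. 1C: UE1 hears UE3 (5G cell, session with both protections on) and UE4 (4G cell, integrity off).
	ue3 := Candidate{ID: "UE3", Session: &Mode{Enc: true, Int: true}, RANInt: true, OnDemand: true, DNNs: map[string]bool{"internet": true}}
	ue4 := Candidate{ID: "UE4", Session: &Mode{Enc: true}, DNNs: map[string]bool{"internet": true}}
	c, ok := SelectRelay(Policy{Enc: Required, Int: Preferred}, "internet", []Candidate{ue4, ue3})
	fmt.Println(c.ID, ok) // UE3 true
}
```

Acceptance and ranking are kept separate on purpose: a relay that fails a "required" dimension is never chosen however well it scores, while the scores only break ties among relays that already satisfy the policy, which is the "multiple candidates all meet the security requirements" case above.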
204. The first terminal device sends a fifth message to the second terminal device.
Specifically, after selecting the second terminal device, the first terminal device may send a message to the second terminal device in order to communicate with the network.
In this embodiment of the present application, the first terminal device receives a first message carrying a first parameter, and the first parameter indicates security information about the communication between the second terminal device and the first access network device; the first terminal device then selects the second terminal device according to the first parameter. Because the first parameter indicates the security information of the communication between the second terminal device and the first access network device, the first terminal device can use it to select a second terminal device that matches its own security requirements, which to a certain extent ensures that the security requirements of the subsequent communication between the first terminal device and the network are met.
Refer to FIG. 3, which is a schematic diagram of another embodiment of the communication method according to an embodiment of the present application. In FIG. 3, the communication method includes:
301. The first terminal device sends a second message to the second terminal device.
The second message carries a first security policy, which is the security policy, determined by the first terminal device, corresponding to the service the first terminal device is going to use. For an introduction to the first security policy, refer to the description of the first security policy in step 203a of the embodiment shown in FIG. 2, which is not repeated here.
The first terminal device is configured to be able to communicate with the network through a UE relay, and the second terminal device is configured to be able to act as a UE relay. For the specific configuration method, refer to the description in step 202 of the embodiment shown in FIG. 2, which is not repeated here.
It should be noted that this embodiment may be carried out on the basis of the embodiment shown in FIG. 2, that is, the first terminal device selects the second terminal device as the UE relay by the method of the embodiment shown in FIG. 2.
Optionally, the first security policy is the user plane (UP) security policy, determined by the first terminal device, corresponding to the service the first terminal device is going to use.
302. The second terminal device determines a first security protection mode according to the first security policy.
For example, if the first security policy has encryption protection required and integrity protection required, the second terminal device may determine the first security protection mode as encryption protection enabled and integrity protection enabled.
It should be noted that when determining the first security protection mode, the second terminal device may take into account the PDU sessions it has already established, so as to bring the security protection mode used for data communication between the second terminal device and the first access network device into agreement with the first security protection mode.
I. Where a PDU session has already been established on the second terminal device, there are two possible situations for the relationship between the first security protection mode and the second security protection mode.
Case a: The following shows several possible implementations in which the first security protection mode is consistent with the second security protection mode supported by the second PDU session.
Here, the second PDU session is a PDU session already established on the second terminal device and used to provide service to a remote UE or an ordinary UE.
Implementation 1. If the first security policy indicates encryption protection as required, and the second security protection mode supported by the second PDU session has encryption protection enabled, the second terminal device adopts the encryption protection mode of the second security protection mode supported by the second PDU session as the encryption protection mode of the first security protection mode.
Since the first security policy indicates encryption protection as required, the second terminal device determines that the encryption protection requirement in the first security protection mode should be encryption protection enabled, and the second security protection mode supported by the second PDU session has encryption protection enabled. From the encryption protection perspective, the second PDU session can serve the first terminal device, so the second terminal device may adopt the encryption protection mode of the second security protection mode as the encryption protection mode of the first security protection mode; that is, the encryption protection mode of the first security protection mode is consistent with that of the second security protection mode. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session, which is used to carry the first terminal device's data on its behalf.
Implementation 2. If the first security policy indicates integrity protection as required, and the second security protection mode supported by the second PDU session has integrity protection enabled, the second terminal device adopts the integrity protection mode of the second security protection mode supported by the second PDU session as the integrity protection mode of the first security protection mode.
Since the first security policy indicates integrity protection as required, the second terminal device determines that the integrity protection requirement in the first security protection mode should be integrity protection enabled, and the second security protection mode supported by the second PDU session has integrity protection enabled. From the integrity protection perspective, the second PDU session can serve the first terminal device, so the second terminal device may adopt the integrity protection mode of the second security protection mode as the integrity protection mode of the first security protection mode; that is, the integrity protection mode of the first security protection mode is consistent with that of the second security protection mode. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session, which is used to carry the first terminal device's data on its behalf.
Implementation 3. If the first security policy indicates encryption protection as not needed, and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device adopts the encryption protection mode of the second security protection mode supported by the second PDU session as the encryption protection mode of the first security protection mode.
Since the first security policy indicates encryption protection as not needed, the second terminal device determines that the encryption protection requirement in the first security protection mode may be encryption protection disabled. From the encryption protection perspective, the second PDU session can serve the first terminal device, so the second terminal device may adopt the encryption protection mode of the second security protection mode supported by the second PDU session as the encryption protection mode of the first security protection mode; that is, the two encryption protection modes are consistent. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session, which is used to carry the first terminal device's data on its behalf.
Implementation 4. If the first security policy indicates integrity protection as not needed, and the second security protection mode supported by the second PDU session has integrity protection disabled, the second terminal device adopts the integrity protection mode of the second security protection mode supported by the second PDU session as the integrity protection mode of the first security protection mode.
Since the first security policy indicates integrity protection as not needed, the second terminal device determines that the integrity protection requirement in the first security protection mode may be integrity protection disabled. From the integrity protection perspective, the second PDU session can serve the first terminal device, so the second terminal device may adopt the integrity protection mode of the second security protection mode supported by the second PDU session as the integrity protection mode of the first security protection mode. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session, which is used to carry the first terminal device's data on its behalf.
Implementation 5. If the first security policy indicates encryption protection as preferred, the second terminal device adopts the encryption protection mode of the second security protection mode supported by the second PDU session as the encryption protection mode of the first security protection mode.
Since the first security policy indicates encryption protection as preferred, the second terminal device determines that encryption protection in the first security protection mode may be either enabled or disabled. Therefore, from the encryption protection perspective, the second PDU session can serve the first terminal device whether the second security protection mode has encryption protection enabled or disabled, so the second terminal device adopts the encryption protection mode of the second security protection mode supported by the second PDU session as the encryption protection mode of the first security protection mode. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session.
Implementation 6. If the first security policy indicates integrity protection as preferred, the second terminal device adopts the integrity protection mode of the second security protection mode supported by the second PDU session as the integrity protection mode of the first security protection mode.
Since the first security policy indicates integrity protection as preferred, the second terminal device determines that integrity protection in the first security protection mode may be either enabled or disabled. Therefore, from the integrity protection perspective, the second PDU session can serve the first terminal device whether the second security protection mode has integrity protection enabled or disabled, so the second terminal device adopts the integrity protection mode of the second security protection mode supported by the second PDU session as the integrity protection mode of the first security protection mode. Furthermore, the second terminal device determines to serve the first terminal device through the second PDU session.
It should be noted that if several PDU sessions on the second terminal device all satisfy the security protection requirement of any one of Implementations 1 to 6, the second terminal device may select the second PDU session from among them by also considering the quality of service (QoS), slice information and so on corresponding to those PDU sessions.
Implementations 1 to 6 only show the process of the second terminal device determining the first security protection mode from the encryption protection perspective or from the integrity protection perspective separately. In practice, when choosing a PDU session through which to serve the first terminal device, the second terminal device should select one whose encryption protection and integrity protection both satisfy the first terminal device's encryption protection requirement and integrity protection requirement; that is, the second security protection mode supported by the second PDU session satisfies both the encryption protection requirement and the integrity protection requirement of the first terminal device.
Case b: The following shows several possible implementations in which the first security protection mode is inconsistent with the second security protection mode supported by the second PDU session.
Here, the second PDU session is a PDU session already established on the second terminal device and used to provide service to a remote UE or an ordinary UE.
Implementation 1. If the first security policy indicates encryption protection as preferred, and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
Since preferred leans towards enabling encryption protection, if the second security protection mode supported by the second PDU session already established on the second terminal device has encryption protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode. The second terminal device may then request modification of the second PDU session, or request establishment of a new third PDU session.
Implementation 2. If the first security policy indicates integrity protection as preferred, and the second security protection mode supported by the second PDU session has integrity protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
Implementation 2 is similar to Implementation 1; refer to the description of Implementation 1 for details.
Implementation 3. If the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, and/or the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode is inconsistent with the second security protection mode.
A mismatch between the encryption protection of the second security protection mode and the encryption protection indicated by the first security policy can take several forms, for example:
1. The second security protection mode has encryption protection disabled, and the first security policy indicates encryption protection as required;
2. The second security protection mode has encryption protection enabled, and the first security policy indicates encryption protection as not needed.
A mismatch between the integrity protection of the second security protection mode and the integrity protection indicated by the first security policy can take several forms, for example:
1. The second security protection mode has integrity protection disabled, and the first security policy indicates integrity protection as required;
2. The second security protection mode has integrity protection enabled, and the first security policy indicates integrity protection as not needed.
第二终端设备确定第一安全保护方式与第二安全保护方式不一致,第二终端设备可以请求修改该第二PDU会话或者请求建立新的第三PDU会话。The second terminal device determines that the first security protection mode is inconsistent with the second security protection mode, and the second terminal device may request to modify the second PDU session or request to establish a new third PDU session.
二、针对第二终端设备上未建立有PDU会话。2. A PDU session is not established on the second terminal device.
由于第二终端设备上未建立有PDU会话,所以第二终端设备确定第一安全保护方式后,第二终端设备可以请求建立新的第三PDU会话,以用于为第一终端设备提供服务。Since no PDU session is established on the second terminal device, after the second terminal device determines the first security protection mode, the second terminal device may request to establish a new third PDU session for providing services to the first terminal device.
303. The second terminal device uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device.

304. The second terminal device sends the first security protection mode to the first terminal device.

In this embodiment of the present application, the first terminal device sends a second message carrying the first security policy to the second terminal device; the second terminal device then determines the first security protection mode according to the first security policy, adopts it as the security protection mode for data communication between the first terminal device and the second terminal device, and sends it to the first terminal device. In this way, the first terminal device learns the first security protection mode used between the first terminal device and the second terminal device, and that same first security protection mode is used to determine the security protection mode between the second terminal device and the first access network device. The security protection mode between the first and second terminal devices and the security protection mode between the second terminal device and the first access network device are thereby kept consistent, which improves the security of data transmission.

It should be noted that step 302 above shows an implementation in which the second terminal device takes the PDU session establishment status into account when determining the first security protection mode.

This application also provides another embodiment, similar to the embodiment shown in FIG. 3, with the difference that step 302 is replaced by: the second terminal device determines the first security protection mode according to a fourth security policy and/or the first security policy it received. The fourth security policy is the security policy, determined by the second terminal device, corresponding to the service the first terminal device will use. The second terminal device then compares the first security protection mode with the second security protection mode supported by the already established second PDU session; if they are inconsistent, the second terminal device may modify the second PDU session or establish a new PDU session, obtaining a modified second PDU session or a newly established third PDU session. Alternatively, if no PDU session is established on the second terminal device, the second terminal device establishes the third PDU session. That is, the second terminal device first determines the first security protection mode and then, taking the PDU session establishment status on the second terminal device into account, selects a corresponding PDU session to provide services for the first terminal device.

The fourth security protection mode supported by the modified second PDU session is the same as the first security protection mode; or the fourth security protection mode supported by the third PDU session is the same as the first security protection mode.
Optionally, in case b above, or in the case where no PDU session is established on the second terminal device, this embodiment further includes steps 305 to 309, which are performed after step 303.

305. The second terminal device sends a first request message to the SMF network element.

The first request message is used to request modification of the second PDU session or establishment of the third PDU session. The first request message carries a third parameter, which indicates security information for the data communication between the first terminal device and the second terminal device.

In case b above, or when no PDU session is established on the second terminal device, the second terminal device may request the SMF network element to modify the second PDU session or to establish a new third PDU session. The second terminal device can then provide services for the first terminal device over the modified second PDU session, or over the third PDU session.

The third parameter includes at least one of the following:

1. First service information, i.e. the service information corresponding to the service the first terminal device will use, for example a service identifier or a service type.

2. A second DNN, i.e. the DNN the first terminal device will access.

3. Second slice information, i.e. the slice information of the slice the first terminal device will access.

4. The first security policy.

5. The first security protection mode.

6. First indication information, indicating that the first request message is a request message for a PDU session used to provide a relay service.

7. A first protection indication, indicating the protection mechanism the first terminal device expects to be applied to data communication between the first terminal device and the first access network device.

For example, the first protection indication indicates that the first terminal device expects an end-to-end (E2E) protection mechanism or a hop-by-hop protection mechanism.

Optionally, the second terminal device may send the first request message to the SMF network element via the first access network device and the AMF network element, which relay the first request message. For example, the second terminal device first sends the third parameter to the AMF network element, which then forwards it to the SMF network element. Step 305 only describes the information ultimately received by the SMF network element and places no restriction on how that information is conveyed.
306. The SMF network element determines a third security policy according to the third parameter.

The third security policy is the security policy, determined by the SMF network element, corresponding to the service the first terminal device will use. It is similar to the first security policy; see the description of the first security policy in the embodiment shown in FIG. 2.

The following describes, with reference to the third parameter, how the SMF network element determines the third security policy.

Manner 1: the third parameter carries the first security policy, and step 306 specifically includes:

The SMF network element determines the third security policy according to the first security policy.

The SMF network element sets the third security policy to be the same as the first security policy; or the SMF network element directly uses the first security policy as the third security policy.

Manner 2: the third parameter carries the first security protection mode, and step 306 specifically includes:

The SMF network element determines the third security policy according to the first security protection mode.

Specifically, the SMF network element derives the first security policy from the first security protection mode, and then sets the third security policy to be the same as that first security policy.

For example, if the first security protection mode is encryption protection enabled and integrity protection disabled, the SMF network element determines from it a first security policy that indicates encryption protection as required and integrity protection as not needed. The SMF network element then sets the third security policy to be the same as this first security policy, i.e. the third security policy indicates encryption protection as required and integrity protection as not needed.

Manner 3: Manner 3 is described below with reference to steps 1 to 3. In Manner 3, the third parameter includes at least one of: the first service information, the second DNN, and the second slice information.

Step 1: The SMF network element sends at least one of the following to the UDM network element: the first service information, the second DNN, and the second slice information.

When the third parameter includes at least one of the first service information, the second DNN, and the second slice information, the SMF network element sends that information to the UDM network element.

Step 2: The SMF network element receives the subscribed security policy sent by the UDM network element.

The UDM network element obtains the subscribed security policy corresponding to the information it received and sends the subscribed security policy to the SMF network element.

Step 3: The SMF network element uses the subscribed security policy as the third security policy; or the SMF network element determines the third security policy according to the subscribed security policy and the first security policy; or the SMF network element determines the third security policy according to the subscribed security policy and the first security protection mode.

When the third parameter also includes the first security policy, the SMF network element may determine the third security policy according to the subscribed security policy and the first security policy.

For example, if the subscribed security policy is the same as the first security policy, the SMF network element may use the subscribed security policy as the third security policy. More generally, in every case other than those in which the encryption protection indicated by the subscribed security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the subscribed security policy does not match the integrity protection indicated by the first security policy, the SMF network element may use the subscribed security policy as the third security policy. For example, if the subscribed security policy indicates encryption protection as required and integrity protection as not needed, while the first security policy indicates encryption protection as required and integrity protection as preferred, the SMF network element may use the subscribed security policy as the third security policy.

A mismatch between the encryption protection indicated by the subscribed security policy and the encryption protection indicated by the first security policy can take several forms, for example:

1. The subscribed security policy indicates encryption protection as required, while the first security policy indicates encryption protection as not needed;

2. The subscribed security policy indicates encryption protection as not needed, while the first security policy indicates encryption protection as required.

A mismatch between the integrity protection indicated by the subscribed security policy and the integrity protection indicated by the first security policy can take several forms, for example:

1. The subscribed security policy indicates integrity protection as required, while the first security policy indicates integrity protection as not needed;

2. The subscribed security policy indicates integrity protection as not needed, while the first security policy indicates integrity protection as required.

It should be noted that, optionally, when the encryption protection indicated by the subscribed security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the subscribed security policy does not match the integrity protection indicated by the first security policy, the SMF network element releases the session establishment procedure or session modification procedure and sends a reject message to the first access network device, which in turn sends the reject message to the second terminal device.

When the third parameter also includes the first security protection mode, the SMF network element may determine the third security policy according to the subscribed security policy and the first security protection mode. Specifically, the SMF network element derives the first security policy from the first security protection mode and performs the above check of whether that first security policy matches the subscribed security policy; if they match, the SMF network element sets the third security policy to be the same as the first security policy.

Manner 4: the third parameter also includes the first security protection mode, and step 306 specifically includes: the SMF network element determines the third security policy according to the first security policy and the first security protection mode.

For example, the first security protection mode is encryption protection enabled and integrity protection disabled, and the first security policy indicates encryption protection as required and integrity protection as preferred. The SMF network element may then set the third security policy so that it indicates encryption protection as required and integrity protection as preferred; or so that it indicates encryption protection as required and integrity protection as not needed.

It should be noted that when the third parameter includes the first indication information, the SMF network element may also determine from the first indication information that the PDU session is being established for the first terminal device. When the third parameter includes at least one of the first protection indication, the first service information, the second DNN, and the second slice information, the SMF network element determines a second protection indication according to that information and sends the second protection indication to the second terminal device via the AMF network element. The second protection indication indicates the protection mechanism, determined by the SMF network element, to be applied to data communication between the first terminal device and the first access network device.
307. The SMF network element sends a fourth message to the first access network device.

The fourth message carries the third security policy.

Optionally, the fourth message also carries at least one of the following: the first security protection mode, the first security policy.

It should be noted that if the SMF network element has already taken the first security protection mode and the first security policy into account when determining the third security policy, the fourth message need not carry the first security protection mode or the first security policy.
308. The first access network device determines a fourth security protection mode according to the third security policy.

For example, if the third security policy indicates encryption protection as required and integrity protection as preferred, the first access network device may determine the fourth security protection mode as encryption protection enabled and integrity protection disabled.

Optionally, the fourth message also carries at least one of the following: the first security policy, the first security protection mode.

Several possible implementations in which the first access network device determines the fourth security protection mode are shown below.

1. The first access network device determines the fourth security protection mode according to the third security policy and the first security protection mode.

Optionally, if the third security policy indicates encryption protection as preferred, the encryption protection of the fourth security protection mode determined by the first access network device should be the same as the encryption protection of the first security protection mode. The same applies when the third security policy indicates integrity protection as preferred; the cases are not enumerated here.

If the third security policy indicates encryption protection as required while the first security protection mode is encryption protection disabled, the first access network device sends a sixth message to the SMF network element, the sixth message being a failure message or a PDU session release request message. The same applies when the third security policy indicates integrity protection as required and the first security protection mode is integrity protection disabled, when the third security policy indicates encryption protection as not needed and the first security protection mode is encryption protection enabled, and when the third security policy indicates integrity protection as not needed and the first security protection mode is integrity protection enabled; these cases are not described one by one.

Optionally, the failure message also carries a rejection cause, namely that the third security policy does not match the first security protection mode. The first access network device also sends the sixth message to the second terminal device.

2. The first access network device determines the fourth security protection mode according to the third security policy and the first security policy.

Specifically, the first access network device determines the fourth security protection mode according to the third security policy, the first security policy, and a local policy, where the local policy is the security policy, determined by the first access network device, corresponding to the service the first terminal device will use.

In every case other than those in which the encryption protection indicated by the third security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the third security policy does not match the integrity protection indicated by the first security policy, the first access network device can determine the fourth security protection mode, i.e. the security protection mode between the second terminal device and the first access network device.

A mismatch between the encryption protection indicated by the third security policy and the encryption protection indicated by the first security policy can take several forms, for example:

1. The third security policy indicates encryption protection as required, while the first security policy indicates encryption protection as not needed;

2. The third security policy indicates encryption protection as not needed, while the first security policy indicates encryption protection as required.

A mismatch between the integrity protection indicated by the third security policy and the integrity protection indicated by the first security policy can take several forms, for example:

1. The third security policy indicates integrity protection as required, while the first security policy indicates integrity protection as not needed;

2. The third security policy indicates integrity protection as not needed, while the first security policy indicates integrity protection as required.

When the encryption protection indicated by the third security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the third security policy does not match the integrity protection indicated by the first security policy, the first access network device sends a seventh message to the SMF network element, the seventh message being a failure message or a PDU session release request message.

Optionally, the failure message carries a rejection cause, namely that the third security policy is inconsistent with the first security policy. The first access network device also sends the seventh message to the second terminal device.

It should be noted that, in addition to the two implementations above, the first access network device may also determine the fourth security protection mode according to the first security policy alone, or according to the first security protection mode alone, so as to guarantee that the fourth security protection mode is consistent with the first security protection mode.
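The consistency checks in step 302 (case b), step 306 (Manners 2 and 3) and step 308 (implementation 1) all reduce to one rule set over the three policy values (required, preferred, not needed) and the two protection states (enabled, disabled). The following Python model is an added example written for this page; it is not part of the patent, of Huawei's implementation, or of any 3GPP specification. The class and function names, the returned action strings and the sample inputs are assumptions made here for illustration.

```python
# Added example, not from the patent: a model of the policy/mode consistency rules
# described for step 302 (case b), step 306 (Manners 2 and 3) and step 308
# (implementation 1).  Names and action strings are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Pol(str, Enum):
    """The three values a security policy can indicate per protection type."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class Policy:
    """A security policy: one Pol value for encryption and one for integrity."""
    encryption: Pol
    integrity: Pol


@dataclass(frozen=True)
class Mode:
    """A security protection mode: whether each protection is enabled."""
    encryption: bool
    integrity: bool


def _pairs(policy: Policy, mode: Mode):
    return ((policy.encryption, mode.encryption), (policy.integrity, mode.integrity))


def hard_conflict(pol: Pol, enabled: bool) -> bool:
    """'required' with the protection disabled, or 'not needed' with it enabled."""
    return (pol is Pol.REQUIRED and not enabled) or (pol is Pol.NOT_NEEDED and enabled)


def relay_session_action(first_policy: Policy, second_mode: Optional[Mode]) -> str:
    """Step 302: what the second terminal device (relay UE) does about its PDU session.

    second_mode is the second security protection mode of an already established
    second PDU session, or None when no PDU session exists.  Implementations 1 and 2
    read 'preferred' as leaning towards enabling, so preferred + disabled is also
    inconsistent; implementation 3 is the hard_conflict check.
    """
    if second_mode is None:
        return "establish third PDU session"
    for pol, on in _pairs(first_policy, second_mode):
        if hard_conflict(pol, on) or (pol is Pol.PREFERRED and not on):
            return "modify second PDU session or establish third PDU session"
    return "reuse second PDU session"


def policy_from_mode(mode: Mode) -> Policy:
    """Step 306, Manner 2: the SMF maps an on/off mode back to required / not needed."""
    def as_pol(on: bool) -> Pol:
        return Pol.REQUIRED if on else Pol.NOT_NEEDED
    return Policy(as_pol(mode.encryption), as_pol(mode.integrity))


def policies_conflict(a: Policy, b: Policy) -> bool:
    """Mismatch as enumerated for step 306: required on one side and not needed on
    the other for the same protection type.  'preferred' never conflicts."""
    hard = (Pol.REQUIRED, Pol.NOT_NEEDED)
    return any(x in hard and y in hard and x is not y
               for x, y in ((a.encryption, b.encryption), (a.integrity, b.integrity)))


def smf_third_policy(subscribed: Policy, first_policy: Optional[Policy] = None,
                     first_mode: Optional[Mode] = None) -> Optional[Policy]:
    """Step 306, Manner 3.  With a first security policy the SMF adopts the subscribed
    policy unless the two mismatch; with only a first security protection mode it
    derives a policy from the mode, checks it against the subscribed policy and, if
    they match, uses the derived policy.  None models the SMF releasing the
    procedure and sending a reject message."""
    if first_policy is not None:
        return None if policies_conflict(subscribed, first_policy) else subscribed
    if first_mode is not None:
        derived = policy_from_mode(first_mode)
        return None if policies_conflict(subscribed, derived) else derived
    return subscribed


def ran_fourth_mode(third_policy: Policy, first_mode: Mode) -> Optional[Mode]:
    """Step 308, implementation 1: 'preferred' follows the first security protection
    mode; a hard conflict yields None (sixth message: failure / PDU session release)."""
    chosen = []
    for pol, on in _pairs(third_policy, first_mode):
        if hard_conflict(pol, on):
            return None
        chosen.append(on if pol is Pol.PREFERRED else pol is Pol.REQUIRED)
    return Mode(*chosen)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the examples in the text.
    print(relay_session_action(Policy(Pol.PREFERRED, Pol.NOT_NEEDED), Mode(False, False)))
    print(smf_third_policy(Policy(Pol.REQUIRED, Pol.NOT_NEEDED),
                           first_policy=Policy(Pol.REQUIRED, Pol.PREFERRED)))
    print(ran_fourth_mode(Policy(Pol.REQUIRED, Pol.PREFERRED), Mode(True, False)))
```

The two checks are kept as separate functions because "preferred" is handled differently on each side: the relay's check in Implementations 1 and 2 treats preferred plus disabled as inconsistent and triggers a session modification or establishment, whereas the policy-to-policy comparisons at the SMF and the policy-to-mode resolution at the first access network device treat preferred as compatible with either state and only reject on required versus not needed.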
309. The first access network device sends the fourth security protection mode to the second terminal device.

The fourth security protection mode is the same as the first security protection mode, and is the security protection mode used for data communication between the second terminal device and the first access network device.

It should be noted that after the second terminal device receives the fourth security protection mode, if it has not yet sent the first security protection mode to the first terminal device, or has not yet determined the first security protection mode, the second terminal device may use the fourth security protection mode as the first security protection mode and send it to the first terminal device. Step 304 may therefore be performed after step 309, i.e. the second terminal device may send the first security protection mode to the first terminal device once establishment of the third PDU session or modification of the second PDU session is complete.

In this embodiment, the second terminal device determines the first security protection mode and the fourth security protection mode, so that the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device agree (both enable encryption protection or both disable it, and both enable integrity protection or both disable it).

This embodiment has shown the process of negotiating agreement between the first security protection mode and the fourth security protection mode. Further, optionally, the second terminal device may negotiate the encryption algorithm and integrity algorithm corresponding to the first security protection mode together with the encryption algorithm and integrity algorithm corresponding to the fourth security protection mode.

It should be noted that the above shows the negotiation of agreement between the first security protection mode and the fourth security protection mode on the user plane. In practice, on the control plane, the negotiation of the control-plane security protection mode between the first terminal device and the second terminal device and the control-plane protection mode between the second terminal device and the first access network device may also be performed using the negotiation approach of the technical solution in this embodiment of the application.

This application also provides another embodiment, similar to the embodiment shown in FIG. 3, with the difference that steps 301 to 304 are not performed and the first request message in step 305 is used to request the third security policy, i.e. the third parameter does not carry the first security policy. The third security policy is the security policy, determined by the SMF network element, corresponding to the service the first terminal device will use. The first access network device then determines the fourth security protection mode according to the third security policy and sends it to the second terminal device, which uses the fourth security protection mode as the first security protection mode.
本申请实施例还提供一种实施例,该实施例与图3所示的实施例类似,不同的地方在于:在步骤305中,第二终端设备向第一接入网设备发送第一安全策略和/或第一安全保护方式,第二终端设备向SMF网元发送第一业务信息、第一DNN和第二切片信息中的至少一项信息。第一接入网设备保存该第一安全策略和/或第一安全保护方式。在步骤307中,第一接入网设备从SMF网元接收到第三安全策略;在步骤308中,第一终端设备根据第一安全策略、第一安全保护方式和第三安全策略的至少一项信息确定第四安全保护方式。具体确定的方法前述图3所示的实施例中的步骤308中第一终端设备确定第四安全保护方式类似,具体请参阅前述图3所示的实施例中的步骤308的相关介绍。This embodiment of the present application further provides an embodiment, which is similar to the embodiment shown in FIG. 3, except that in step 305, the second terminal device sends the first security policy to the first access network device And/or the first security protection manner, the second terminal device sends at least one item of information among the first service information, the first DNN and the second slice information to the SMF network element. The first access network device stores the first security policy and/or the first security protection manner. In step 307, the first access network device receives the third security policy from the SMF network element; in step 308, the first terminal device according to at least one of the first security policy, the first security protection mode and the third security policy The item information determines the fourth security protection method. The specific determination method is similar in step 308 in the embodiment shown in FIG. 3 above to determine the fourth security protection method by the first terminal device. For details, please refer to the related introduction of step 308 in the embodiment shown in FIG.
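The following is an added example, not code from the application, that models the relay-side negotiation of steps 302 to 309 of FIG. 3 in Python: the second terminal device derives the first security protection mode from the first security policy, reuses a PDU session whose second security protection mode already matches, and otherwise obtains the fourth security protection mode from the network and, if it has not yet sent the first mode, adopts the fourth mode as the first mode. The policy vocabulary REQUIRED / PREFERRED / NOT_NEEDED, the `AccessNetwork` stand-in with its table of third security policies, and the class and function names are all assumptions; this section of the page names none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: security policy values follow the 3GPP user-plane policy vocabulary
# REQUIRED / PREFERRED / NOT_NEEDED; this section of the page does not list them.
REQUIRED, PREFERRED, NOT_NEEDED = "REQUIRED", "PREFERRED", "NOT_NEEDED"


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode: whether ciphering and integrity protection are on."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: str
    integrity: str


def mode_from_policy(policy: SecurityPolicy, prefer_on: bool = True) -> ProtectionMode:
    """Derive a protection mode from a policy; PREFERRED is resolved by prefer_on."""
    def decide(value: str) -> bool:
        if value == REQUIRED:
            return True
        if value == NOT_NEEDED:
            return False
        if value == PREFERRED:
            return prefer_on
        raise ValueError(f"unknown policy value {value!r}")
    return ProtectionMode(decide(policy.ciphering), decide(policy.integrity))


def modes_agree(a: ProtectionMode, b: ProtectionMode) -> bool:
    """Agreement as the text defines it: ciphering both on or both off, and
    integrity both on or both off."""
    return a.ciphering == b.ciphering and a.integrity == b.integrity


@dataclass
class PduSession:
    session_id: int
    mode: ProtectionMode  # the "second security protection mode" of this session


class AccessNetwork:
    """Stand-in for the first access network device plus SMF (steps 305 to 309).
    third_policies maps a service name to the third security policy the SMF would
    determine for it (constructed table, not from the page)."""
    def __init__(self, third_policies: Dict[str, SecurityPolicy]):
        self.third_policies = third_policies

    def fourth_mode_for(self, service: str) -> ProtectionMode:
        # step 308: the fourth mode is derived from the third security policy
        return mode_from_policy(self.third_policies[service])


class RelayUe:
    """The second terminal device."""
    def __init__(self, sessions: List[PduSession]):
        self.sessions = list(sessions)
        self.first_mode: Optional[ProtectionMode] = None
        self.first_mode_sent = False

    def negotiate(self, first_policy: SecurityPolicy, service: str,
                  network: AccessNetwork) -> Tuple[str, ProtectionMode]:
        # steps 302/303: derive the first (PC5) mode from the first security policy
        self.first_mode = mode_from_policy(first_policy)
        # step 302: an existing PDU session with a matching second mode is reused
        for s in self.sessions:
            if modes_agree(s.mode, self.first_mode):
                self.first_mode_sent = True            # step 304
                return f"reuse:{s.session_id}", self.first_mode
        # steps 305 to 309: ask the network, which returns the fourth mode
        fourth = network.fourth_mode_for(service)
        if not modes_agree(fourth, self.first_mode):
            if self.first_mode_sent:
                # The page gives no rule for this case; the model treats it as an error.
                raise RuntimeError("fourth mode disagrees with an already-sent first mode")
            # The relay may adopt the fourth mode as the first mode (text after step 309).
            self.first_mode = fourth
        new_id = max((s.session_id for s in self.sessions), default=0) + 1
        self.sessions.append(PduSession(new_id, fourth))   # third PDU session established
        self.first_mode_sent = True                        # step 304 performed after 309
        return f"new:{new_id}", self.first_mode
```

The return value tells the caller whether an existing session was reused or a new one was set up, and `modes_agree` is the single place where the "both on or both off" condition of the text is checked.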
Optionally, the embodiment shown in FIG. 3 further includes steps 310 to 312. There is no fixed order of execution between steps 310 to 312 and steps 301 to 309 of the embodiment shown in FIG. 3. For example, steps 310 to 312 may be performed before step 301, between steps 301 and 309, or after step 309; this application does not limit this.
310. The first terminal device sends a third message to the second terminal device.
The third message carries a first protection indication. Optionally, the third message further carries at least one of the following: first service information, a second DNN, and second slice information.
For the information carried in the third message, refer to the description in the embodiment shown in FIG. 3, which is not repeated here.
If the embodiment shown in FIG. 2 is the basis of this embodiment, the third message can be understood as the fifth message of step 204 in the embodiment shown in FIG. 2.
311. The second terminal device determines a second protection indication according to the third message.
The second protection indication indicates the protection mechanism to be applied to data communication between the first terminal device and the first access network device.
Specifically, the second terminal device determines, according to the received first protection indication, which protection mechanism to apply, and generates the second protection indication.
Optionally, the second terminal device determines the second protection indication according to the first protection indication and the local security policy, determined by the second terminal device, that corresponds to the service to be used by the first terminal device. For example, the second terminal device determines a protection mechanism according to at least one of the first service information, the second DNN and the second slice information, decides together with the protection mechanism indicated by the first protection indication which protection mechanism takes precedence, and then generates the corresponding protection indication.
312. The second terminal device sends the second protection indication to the first terminal device.
It should be noted that if the second terminal device does not receive the first protection indication sent by the first terminal device, the second terminal device determines the second protection indication according to the local security policy, determined by the second terminal device, that corresponds to the service to be used by the first terminal device, and sends the second protection indication to the first terminal device.
The embodiment shown in FIG. 3 shows the second terminal device first determining the security protection mode between the first terminal device and the second terminal device according to the first security policy, and then determining the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated to agreement.
In practical applications, the second terminal device may instead first determine a third security protection mode according to the first security policy and a fourth security policy, and use the third security protection mode as the security protection mode for data communication between the second terminal device and the first access network device. The fourth security policy is the security policy, determined by the second terminal device, that corresponds to the service to be used by the first terminal device. The second terminal device then determines the security protection mode between the first terminal device and the second terminal device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated to agreement.
It should be noted that the embodiment shown in FIG. 3 shows a technical solution in which the second terminal device determines the first security protection mode. In practical applications, the first terminal device may also determine the first security protection mode and send it to the second terminal device, so as to bring the security protection mode between the first terminal device and the second terminal device into agreement with the security protection mode between the second terminal device and the first access network device.
The following describes the technical solutions of the embodiments of this application in combination with the existing interaction procedure between the first terminal device, the second terminal device and the first access network device, that is, how agreement between the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device is achieved within that existing procedure. The description is given with reference to the embodiment shown in FIG. 4 and the embodiment shown in FIG. 5 respectively.
Refer to FIG. 4, which is a schematic diagram of another embodiment of the communication method of the embodiments of this application. In FIG. 4, the method includes:
401. The second terminal device sends a broadcast message to the first terminal device.
The broadcast message carries a first parameter. For the first parameter, refer to the description of the first parameter in step 201 of the embodiment shown in FIG. 2, which is not repeated here.
The broadcast message can be understood as one possible implementation of the first message in step 202 of the embodiment shown in FIG. 2; for an understanding of the broadcast message, refer to the description of the first message in step 202 of the embodiment shown in FIG. 2.
402. The first terminal device selects the second terminal device according to the first parameter.
Step 402 is similar to step 203 in the embodiment shown in FIG. 2; for details, refer to the description of step 203 in the embodiment shown in FIG. 2, which is not repeated here.
403. The first terminal device sends a communication request message to the second terminal device.
Optionally, the communication request message further carries at least one of the following: the first protection indication, the security capability of the first terminal device, the first service information, the second DNN, the second slice information, the first security policy, and a relay indication.
The security capability of the first terminal device refers to the encryption algorithms and integrity protection algorithms supported by the first terminal device. The relay indication is used to indicate that the second terminal device acts as a UE relay to forward data, or to indicate that the communication request message is a message sent to a UE relay. For the other parameters, refer to the description of step 305 in the embodiment shown in FIG. 3, which is not repeated here.
Optionally, the communication request message can be understood as one specific implementation of the third message in the embodiment shown in FIG. 3.
It should be noted that the first service information, the second DNN and the second slice information may instead be sent to the second terminal device in the DSM Complete message of the subsequent step 406.
404. Optionally, the second terminal device determines a second protection indication according to the communication request message.
It should be noted that step 404 is optional; the protection mechanism between the first terminal device and the first access network device may be preconfigured or specified by a communication protocol.
Step 404 is described below for two possible cases.
1. The communication request message carries the first protection indication.
In this case, the second terminal device determines, according to the first protection indication, which protection mechanism to apply, and generates the second protection indication. Optionally, the second terminal device determines a second protection indication according to at least one of the second service information of the services supported by the second terminal device, the first DNN and the first slice information, and decides together with the first protection indication which protection indication is finally selected as the target protection indication; for example, the second protection indication is taken as the finally determined protection indication.
2. The communication request message does not carry the first protection indication.
In this case, the second terminal device determines the second protection indication according to at least one of the second service information, the first DNN and the first slice information. Alternatively, the communication request message carries at least one of the first service information, the second DNN and the second slice information, and the second terminal device determines the second protection indication according to that at least one item.
Optionally, the communication request message can be understood as a specific implementation of the third message in step 310 of the embodiment shown in FIG. 3.
After receiving the communication request message, the second terminal device further performs the following operations:
1. The communication request message further carries the security capability of the first terminal device. The second terminal device determines a first encryption algorithm and a first integrity protection algorithm according to the security capability of the first terminal device and the security capability of the second terminal device.
The first encryption algorithm may be used for signaling communication between the first terminal device and the first access network device, and the first integrity protection algorithm may likewise be used for signaling communication between the first terminal device and the first access network device.
2. The communication request message further carries at least one of the first service information, the second DNN and the second slice information. Using that at least one item, the second terminal device determines whether it can provide service to the first terminal device; if it can, the second terminal device performs step 404; if it cannot, the second terminal device sends a reject message to the first terminal device.
405. The second terminal device sends a direct security mode command (DSM Command) message to the first terminal device.
The DSM Command message carries the first encryption algorithm and the first integrity protection algorithm.
Optionally, the DSM Command message further carries the first protection indication, so that the first terminal device can check whether the first protection indication in the DSM Command message is consistent with the first protection indication in the communication request message of step 403. Specifically, the second terminal device integrity-protects the DSM Command message using the shared key between the first terminal device and the second terminal device.
406. The first terminal device sends a direct security mode complete (DSM Complete) message to the second terminal device.
The DSM Complete message carries the first security policy.
The first terminal device receives the second protection indication carried in the DSM Command message and determines the corresponding protection mechanism according to the second protection indication. Optionally, before performing step 406, the first terminal device verifies the integrity of the DSM Command message; if the verification succeeds, the first terminal device performs step 406; if it fails, the first terminal device sends a reject message to the second terminal device. The first terminal device can verify the integrity of the first protection indication carried in the DSM Command message using the shared key between the first terminal device and the second terminal device.
Optionally, the first security policy may also be carried in the communication request message of step 403. If the first security policy is carried in the communication request message of step 403, the DSM Complete message of step 406 need not carry it. If the first security policy is carried in step 403, step 407 may be performed before step 405.
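The following added example, which is not code from the application, models steps 403 to 406 in Python: the second terminal device selects the first encryption and integrity algorithms from the two devices' security capabilities, builds a DSM Command that carries the selected algorithms and the first protection indication and is integrity-protected with the shared key, and the first terminal device verifies the integrity tag and the consistency of the protection indication before answering with a DSM Complete that carries the first security policy, or rejects. The algorithm identifiers (5G NR naming), the use of HMAC-SHA256 as a stand-in for the integrity protection, the JSON message encoding and the function names are all assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Example algorithm identifiers in 5G NR naming; the page names no specific
# algorithms. The relay's lists are in its order of preference (constructed).
RELAY_CIPHER_PRIORITY = ["NEA2", "NEA1", "NEA0"]
RELAY_INTEGRITY_PRIORITY = ["NIA2", "NIA1"]


def select_algorithm(ue_supported: List[str], relay_priority: List[str]) -> Optional[str]:
    """Pick the first algorithm in the relay's priority order that the UE also supports."""
    supported = set(ue_supported)
    for alg in relay_priority:
        if alg in supported:
            return alg
    return None


def _mac(shared_key: bytes, fields: Dict[str, object]) -> str:
    # Constructed stand-in for the integrity protection of the DSM Command: a real
    # implementation uses the selected integrity algorithm, not HMAC-SHA256.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(shared_key, canonical, hashlib.sha256).hexdigest()


def build_dsm_command(shared_key: bytes, ue_security_capability: Dict[str, List[str]],
                      first_protection_indication: str) -> Dict[str, object]:
    """Steps 404/405 at the second terminal device: choose algorithms, then sign."""
    enc = select_algorithm(ue_security_capability["ciphering"], RELAY_CIPHER_PRIORITY)
    integ = select_algorithm(ue_security_capability["integrity"], RELAY_INTEGRITY_PRIORITY)
    if enc is None or integ is None:
        return {"reject": "no common algorithm"}
    fields = {"enc_alg": enc, "int_alg": integ,
              "first_protection_indication": first_protection_indication}
    return {**fields, "mac": _mac(shared_key, fields)}


def handle_dsm_command(shared_key: bytes, dsm_command: Dict[str, object],
                       sent_first_protection_indication: str,
                       first_security_policy: Dict[str, str]) -> Dict[str, object]:
    """Step 406 at the first terminal device: verify, then DSM Complete or reject."""
    if "reject" in dsm_command:
        return {"reject": dsm_command["reject"]}
    fields = {k: v for k, v in dsm_command.items() if k != "mac"}
    # Integrity check with the shared key; constant-time comparison of the tag.
    if not hmac.compare_digest(_mac(shared_key, fields), str(dsm_command["mac"])):
        return {"reject": "integrity check failed"}
    # Consistency check: the indication echoed back must equal the one sent in step 403.
    if fields["first_protection_indication"] != sent_first_protection_indication:
        return {"reject": "protection indication mismatch"}
    return {"dsm_complete": True, "first_security_policy": first_security_policy}
```

Because the protection indication is covered by the integrity tag, a modified indication fails the integrity check before the consistency check is reached; the consistency check catches the case where the relay signs a different indication than the one it received.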
407. The second terminal device determines the first security protection mode according to the first security policy, and uses the first security protection mode as the security protection mode for communication between the first terminal device and the second terminal device.
Step 407 is similar to steps 302 and 303 in the embodiment shown in FIG. 3; for details, refer to the description of steps 302 and 303 in the embodiment shown in FIG. 3, which is not repeated here. It should be noted that in this embodiment the first security protection mode is the UP (user plane) security protection mode between the first terminal device and the second terminal device.
408. The second terminal device determines whether it has a PDU session whose supported second security protection mode is consistent with the first security protection mode; if so, step 409 is performed; if not, step 410 is performed.
Step 408 is similar to the description, in step 302 of the embodiment shown in FIG. 3, of the two possible cases for the first security protection mode and the second security protection mode; for details, refer to that description, which is not repeated here.
409. The second terminal device sends the first security protection mode to the first terminal device.
410. The second terminal device sends a first request message to the SMF network element.
411. The SMF network element determines a third security policy according to the second parameter.
412. The SMF network element sends a fourth message to the first access network device.
413. The first access network device determines a fourth security protection mode according to the third security policy.
414. The first access network device sends the fourth security protection mode to the second terminal device.
Steps 409 to 414 are similar to steps 304 to 309 in the embodiment shown in FIG. 3; for details, refer to the description of steps 304 to 309 in the embodiment shown in FIG. 3, which is not repeated here.
415. The second terminal device sends the first security protection mode to the first terminal device.
It should be noted that step 415 may also be performed before step 410, that is, after the second terminal device completes establishment of the third PDU session or modification of the second PDU session.
In this embodiment of this application, the first terminal device receives a broadcast message sent by the second terminal device, where the broadcast message carries the first parameter; the first terminal device then selects the second terminal device according to the first parameter. Since the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device, when selecting the second terminal device, can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, which can to a certain extent satisfy the security requirements of the subsequent communication between the first terminal device and the network. Further, the first terminal device sends the first security policy to the second terminal device; the second terminal device then determines the first security protection mode according to the first security policy, uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, and sends the first security protection mode to the first terminal device. In this way, the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the security protection mode between the second terminal device and the first access network device is then determined on the basis of that first security protection mode, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are kept consistent, which improves the security of data transmission.
Refer to FIG. 5, which is a schematic diagram of another embodiment of the communication method of the embodiments of this application. In FIG. 5, the communication method includes:
501. The second terminal device sends a broadcast message to the first terminal device.
502. The first terminal device selects the second terminal device according to the first parameter.
503. The first terminal device sends a communication request message to the second terminal device.
504. The second terminal device determines a second protection indication according to the communication request message.
505. The second terminal device sends a DSM Command message to the first terminal device.
506. The first terminal device sends a DSM Complete message to the second terminal device.
507. The second terminal device determines a first security protection mode according to the first security policy, and uses the first security protection mode as the security protection mode for communication between the first terminal device and the second terminal device.
508. The second terminal device determines whether it has a PDU session whose supported second security protection mode is consistent with the first security protection mode; if so, step 509 is performed; if not, step 510 is performed.
509. The second terminal device sends the first security protection mode to the first terminal device.
Steps 501 to 509 are similar to steps 401 to 409 in the embodiment shown in FIG. 4; for details, refer to the description of steps 401 to 409 in the embodiment shown in FIG. 4, which is not repeated here.
510. The second terminal device sends a third request message to the first access network device.
The third request message is similar to the first request message in step 305 of the embodiment shown in FIG. 3; for details, refer to the description of the first request message in step 305 of the embodiment shown in FIG. 3, which is not repeated here.
511. The first access network device sends a fourth request message to the SMF network element.
The fourth request message carries the first service information, the second DNN and the second slice information.
Specifically, in this embodiment, after receiving the third request message, the first access network device determines the first security policy, the first security protection mode, the first service information, the second DNN and the second slice information carried in the third request message. The first access network device then sends a fourth request message to the SMF network element; the fourth request message carries the first service information, the second DNN and the second slice information, but does not carry the first security policy or the first security protection mode.
512. The SMF network element determines a third security policy according to the first service information.
The third security policy is the security policy, determined by the SMF network element, that corresponds to the service to be used by the first terminal device. The third security policy is similar to the first security policy; for an understanding of the third security policy, refer to the description of the first security policy in the embodiment shown in FIG. 2.
Specifically, the SMF network element sends at least one of the following to the UDM network element: the first service information, the second DNN and the second slice information. The UDM network element obtains the corresponding subscription security policy using that at least one item and sends the subscription security policy to the SMF network element. The SMF network element uses the subscription security policy as the third security policy.
513. The first access network device receives an eighth message sent by the SMF network element.
The eighth message carries the third security policy.
514. The first access network device determines a fourth security protection mode according to the third security policy.
The third request message of step 510 further carries at least one of the first security policy, the first security protection mode and the third security policy. The first access network device determines the fourth security protection mode according to at least one of the first security policy, the first security protection mode and the third security policy. The specific determination method is similar to the way the first access network device determines the fourth security protection mode in the embodiment shown in FIG. 3; for details, refer to the description of how the first access network device determines the fourth security protection mode in the embodiment shown in FIG. 3, which is not repeated here.
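The following added example, not code from the application, models the access-network side of steps 511 to 515 of FIG. 5 in Python: the first access network device forwards only the service information, DNN and slice information to the SMF, the SMF obtains the subscription security policy from the UDM and adopts it as the third security policy, and the access network device then determines the fourth security protection mode from the third security policy together with whatever first security policy and first security protection mode the third request message carried. The page does not state how the three inputs are combined, so the precedence rule in `_resolve` is hypothetical (a binding REQUIRED / NOT_NEEDED in the subscription policy wins, PREFERRED defers to the relay's inputs), as are the policy vocabulary, the UDM lookup table and all names.

```python
from typing import Dict, Optional, Tuple

# Assumed policy vocabulary (3GPP user-plane policy values); not listed on this page.
REQUIRED, PREFERRED, NOT_NEEDED = "REQUIRED", "PREFERRED", "NOT_NEEDED"
Policy = Tuple[str, str]    # (ciphering policy, integrity policy)
Mode = Tuple[bool, bool]    # (ciphering on, integrity on)

# Step 511: only these fields of the third request message reach the SMF.
FORWARDED_TO_SMF = ("first_service_info", "second_dnn", "second_slice_info")


def build_fourth_request(third_request: Dict[str, object]) -> Dict[str, object]:
    """Step 511: the first security policy and first protection mode are kept at the
    access network device and deliberately not forwarded."""
    return {k: third_request[k] for k in FORWARDED_TO_SMF if k in third_request}


def smf_third_policy(fourth_request: Dict[str, object],
                     udm_subscriptions: Dict[Tuple, Policy]) -> Policy:
    """Step 512: the SMF asks the UDM for the subscription security policy keyed by
    (service, DNN, slice) and uses it as the third security policy.
    udm_subscriptions is a constructed lookup table standing in for the UDM."""
    key = (fourth_request.get("first_service_info"),
           fourth_request.get("second_dnn"),
           fourth_request.get("second_slice_info"))
    return udm_subscriptions[key]


def _resolve(third: str, first_policy: Optional[str], first_mode_on: Optional[bool]) -> bool:
    # Hypothetical precedence rule (not from the page): a REQUIRED or NOT_NEEDED
    # subscription policy is binding; PREFERRED follows the first protection mode if
    # the relay sent one, else the first security policy, else defaults to on.
    if third == REQUIRED:
        return True
    if third == NOT_NEEDED:
        return False
    if third != PREFERRED:
        raise ValueError(f"unknown policy value {third!r}")
    if first_mode_on is not None:
        return first_mode_on
    if first_policy == REQUIRED:
        return True
    if first_policy == NOT_NEEDED:
        return False
    return True


def determine_fourth_mode(third_policy: Policy, first_policy: Optional[Policy] = None,
                          first_mode: Optional[Mode] = None) -> Mode:
    """Step 514: fourth security protection mode from the available inputs."""
    fp = first_policy or (None, None)
    fm = first_mode or (None, None)
    return (_resolve(third_policy[0], fp[0], fm[0]),
            _resolve(third_policy[1], fp[1], fm[1]))


def access_network_handle(third_request: Dict[str, object],
                          udm_subscriptions: Dict[Tuple, Policy]):
    """Steps 511 to 515 end to end: returns the fourth request sent to the SMF and the
    fourth security protection mode sent to the second terminal device in step 515."""
    fourth_request = build_fourth_request(third_request)
    third_policy = smf_third_policy(fourth_request, udm_subscriptions)
    fourth_mode = determine_fourth_mode(
        third_policy,
        third_request.get("first_security_policy"),
        third_request.get("first_security_protection_mode"))
    return fourth_request, fourth_mode
```

Keeping the policy and mode out of `build_fourth_request` is the point of step 511 as the text describes it: the SMF decides the third security policy from the subscription data alone, and only the access network device reconciles it with what the relay asked for.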
515. The first access network device sends the fourth security protection mode to the second terminal device.

Steps 514 and 515 are similar to steps 308 and 309 in the embodiment shown in FIG. 3; see the description of those steps, which is not repeated here.

516. The second terminal device sends the first security protection mode to the first terminal device.

Step 516 may also be performed before step 510, that is, after the second terminal device has finished establishing the third PDU session or modifying the second PDU session.
In this embodiment of the present application, the first terminal device receives a broadcast message sent by the second terminal device, and the broadcast message carries the first parameter; the first terminal device then selects the second terminal device according to the first parameter. Because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can use it to select a second terminal device that matches its own security requirements, which to a certain extent ensures that the subsequent communication between the first terminal device and the network meets those requirements. In addition, the first terminal device sends the first security policy to the second terminal device; the second terminal device determines the first security protection mode according to the first security policy, uses it as the security protection mode for data communication between the first terminal device and the second terminal device, and sends it back to the first terminal device. In this way, the first terminal device can determine the first security protection mode between itself and the second terminal device, and the security protection mode between the second terminal device and the first access network device is then determined on the basis of that first security protection mode. The protection on the two hops is thus kept consistent, which improves the security of data transmission between the first terminal device and the first access network device.
The first terminal device provided by the embodiments of the present application is described below. FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application. The first terminal device may be configured to perform the steps performed by the first terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5; see the relevant descriptions in the foregoing method embodiments.

The first terminal device includes a transceiver module 601 and a processing module 602.

The transceiver module 601 is configured to receive a first message, where the first message carries a first parameter and the first parameter indicates security information for communication between a second terminal device and a first access network device.

The processing module 602 is configured to select the second terminal device according to the first parameter, where the second terminal device provides a relay service for communication between the first terminal device and the first access network device.
In a possible implementation, the first parameter includes at least one of the following:

a first security protection mode supported by a first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, an identifier of the second terminal device, an identifier (ID) of the network to which the second terminal device belongs or which serves it, a first data network name (DNN), or first slice information;

where the first PDU session is a PDU session already established on the second terminal device, the first indication information indicates whether the first access network device supports on-demand security protection, the second indication information indicates that the first access network device is capable of integrity protection, the digital signature is generated by the second terminal device using its private key or its root certificate, the first DNN is a DNN for which the second terminal device supports providing relay service, and the first slice information is information about the slices for which the second terminal device supports providing relay service.
In another possible implementation, the processing module 602 is further configured to:

determine a first security policy, where the first security policy is the security policy determined by the first terminal device for the service that the first terminal device will use;

and the processing module 602 is specifically configured to:

select the second terminal device according to the first security policy and the first parameter.
In another possible implementation, the first security policy indicates that integrity protection is required or preferred, and the processing module 602 is specifically configured to:

select the second terminal device if the first parameter includes the first security protection mode supported by the first PDU session and that first security protection mode has integrity protection enabled; or

select the second terminal device if the first parameter includes the type of the first access network device and that type indicates that the first access network device is capable of enabling integrity protection; or

select the second terminal device if the first parameter includes the first indication information and the first indication information indicates that the first access network device supports on-demand protection; or

select the second terminal device if the first parameter includes the second indication information.
In another possible implementation, the first security policy indicates that encryption protection is required or preferred, and the processing module 602 is specifically configured to:

select the second terminal device if the first parameter includes the first security protection mode supported by the first PDU session and that first security protection mode has encryption protection enabled.

In another possible implementation, the processing module 602 is specifically configured to:

select the second terminal device if the first security policy is consistent with a second security policy, where the second security policy is the security policy associated with the first DNN and/or the first slice information.
In another possible implementation, the transceiver module 601 is further configured to:

receive a second message carrying a second parameter, where the second parameter indicates security information for communication between a third terminal device and a second access network device;

and the processing module 602 is specifically configured to:

select the second terminal device according to the first parameter and the second parameter.
In another possible implementation, the processing module 602 is specifically configured to:

select the second terminal device if the first parameter includes a first security protection mode supported by a first PDU session and that mode has integrity protection enabled, while the second parameter includes a second security protection mode supported by a second PDU session and that mode has integrity protection disabled, where the first PDU session is a PDU session already established on the second terminal device and the second PDU session is a PDU session already established on the third terminal device; or

select the second terminal device if the first parameter includes the first indication information indicating that the first access network device supports on-demand protection, while the second parameter includes third indication information indicating that the second access network device does not support on-demand protection.
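The selection rules above, and the two-candidate comparison just described, can be written down as one decision procedure. The following Python is an added illustration, not code from the patent or from the applicant: the field names of the broadcast parameter, the reduction of the "type of the first access network device" to a single integrity-capability bit, and the way the alternative rules are combined (DNN/slice policy match as a shortcut, otherwise the integrity rule and the encryption rule must both hold) are this example's assumptions. The broadcasts are taken at face value; verifying the digital signature that the first parameter may carry is outside the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Need(Enum):
    """Per-protection requirement as expressed in a security policy."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy: what the remote UE wants for its service."""
    ciphering: Need
    integrity: Need


@dataclass(frozen=True)
class ProtectionMode:
    """A security protection mode: which protections a PDU session actually has on."""
    ciphering_on: bool
    integrity_on: bool


@dataclass
class RelayAdvert:
    """The first parameter broadcast by one relay candidate (second terminal device).
    Every field is optional because the page lists them as 'at least one of'.
    Field names are this example's own (assumption)."""
    relay_id: str
    pdu_session_mode: Optional[ProtectionMode] = None  # first security protection mode of the relay's PDU session
    ran_integrity_capable: Optional[bool] = None       # 'type of the first access network device' reduced to one bit
    ran_on_demand: Optional[bool] = None               # first indication information (on-demand protection supported?)
    ran_integrity_indication: bool = False             # second indication information (present or not)
    dnn_slice_policy: Optional[SecurityPolicy] = None  # second security policy tied to the relay's DNN/slice


def _wanted(need: Need) -> bool:
    return need in (Need.REQUIRED, Need.PREFERRED)


def integrity_evidence(policy: SecurityPolicy, adv: RelayAdvert) -> bool:
    """Integrity rule: when the policy wants integrity, any one of the four
    indications listed on the page is enough to accept the candidate."""
    if not _wanted(policy.integrity):
        return True
    mode = adv.pdu_session_mode
    return any((
        mode is not None and mode.integrity_on,
        adv.ran_integrity_capable is True,
        adv.ran_on_demand is True,
        adv.ran_integrity_indication,
    ))


def ciphering_evidence(policy: SecurityPolicy, adv: RelayAdvert) -> bool:
    """Encryption rule: only the PDU session's protection mode counts as evidence."""
    if not _wanted(policy.ciphering):
        return True
    mode = adv.pdu_session_mode
    return mode is not None and mode.ciphering_on


def acceptable(policy: SecurityPolicy, adv: RelayAdvert) -> bool:
    """Shortcut: the relay's DNN/slice policy equals the remote UE's policy.
    Otherwise both the integrity rule and the encryption rule must hold (assumed combination)."""
    if adv.dnn_slice_policy is not None and adv.dnn_slice_policy == policy:
        return True
    return integrity_evidence(policy, adv) and ciphering_evidence(policy, adv)


def preference(adv: RelayAdvert) -> tuple:
    """Ranking between acceptable candidates, from the two-candidate rules: a relay whose
    PDU session has integrity on beats one that has it off, and a relay behind an
    on-demand-capable access network beats one that is not."""
    mode = adv.pdu_session_mode
    return (
        1 if mode is not None and mode.integrity_on else 0,
        1 if adv.ran_on_demand else 0,
    )


def select_relay(policy: SecurityPolicy, adverts: List[RelayAdvert]) -> Optional[str]:
    """Return the relay_id of the best acceptable candidate, or None if no broadcast matches."""
    ok = [a for a in adverts if acceptable(policy, a)]
    if not ok:
        return None
    return max(ok, key=preference).relay_id


# Constructed sample broadcasts (not from the page).
SAMPLE_ADVERTS = [
    RelayAdvert("relay-A", pdu_session_mode=ProtectionMode(True, False), ran_on_demand=False),
    RelayAdvert("relay-B", pdu_session_mode=ProtectionMode(True, True)),
    RelayAdvert("relay-C", pdu_session_mode=ProtectionMode(True, False), ran_on_demand=True),
    RelayAdvert("relay-D", ran_integrity_indication=True),
]

if __name__ == "__main__":
    policy = SecurityPolicy(ciphering=Need.REQUIRED, integrity=Need.PREFERRED)
    print(select_relay(policy, SAMPLE_ADVERTS))
```

With encryption required and integrity preferred, relay-A is rejected (no integrity evidence at all), relay-D is rejected (it advertises the second indication information but no PDU session mode, so there is no evidence of encryption), and relay-B wins over relay-C because an integrity-protected PDU session ranks above mere on-demand support at the access network.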
In another possible implementation, the transceiver module 601 is further configured to:

send a second message to the second terminal device, where the second message carries the first security policy.

In another possible implementation, the transceiver module 601 is further configured to:

send a third message to the second terminal device, where the third message carries any of the following: first service information, a first protection indication, a second DNN, and second slice information, the first service information being the service information for the service that the first terminal device will use, and the first protection indication indicating the protection mechanism that the first terminal device expects to be applied to data communication between the first terminal device and the first access network device;

receive a second protection indication sent by the second terminal device, where the second protection indication indicates the protection mechanism applied to data communication between the first terminal device and the first access network device.

In this embodiment of the present application, the transceiver module 601 receives a first message carrying a first parameter, where the first parameter indicates security information for communication between the second terminal device and the first access network device; the processing module 602 then selects the second terminal device according to the first parameter. Because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the processing module 602 can use it to select a second terminal device that matches the security requirements of the first terminal device, which to a certain extent ensures that the subsequent communication between the first terminal device and the network meets those requirements.
The second terminal device provided by the embodiments of the present application is described below. FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application. The second terminal device may be configured to perform the steps performed by the second terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4, and FIG. 5; see the relevant descriptions in the foregoing method embodiments.

The second terminal device includes a processing module 701 and a transceiver module 702.

The processing module 701 is configured to determine a first parameter, where the second terminal device supports providing a relay service and the first parameter indicates security information for communication between the second terminal device and a first access network device.

The transceiver module 702 is configured to send a first message, where the first message carries the first parameter.
In a possible implementation, the first parameter includes at least one of the following:

a first security protection mode supported by a first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, an identifier of the second terminal device, an identifier (ID) of the network to which the second terminal device belongs or which serves it, a first data network name (DNN), or first slice information;

where the first PDU session is a PDU session already established on the second terminal device, the first indication information indicates that the first access network device supports on-demand security protection, the second indication information indicates that the first access network device is capable of integrity protection, the digital signature is generated by the second terminal device using its private key or its root certificate, the first DNN is a DNN for which the second terminal device supports providing relay service, and the first slice information is information about the slices for which the second terminal device supports providing relay service.
In another possible implementation, the transceiver module 702 is further configured to:

receive a second message sent by the first terminal device, where the second message carries a first security policy, the first security policy being the security policy determined by the first terminal device for the service that the first terminal device will use;

the processing module 701 is further configured to:

determine a first security protection mode according to the first security policy; and

use the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device;

and the transceiver module 702 is further configured to:

send the first security protection mode to the first terminal device.
In another possible implementation, the transceiver module 702 is further configured to:

receive a second message sent by the first terminal device, where the second message carries a first security policy, the first security policy being the security policy determined by the first terminal device for the service that the first terminal device will use;

the processing module 701 is further configured to:

determine a third security protection mode according to the first security policy and a second security policy, where the second security policy is the security policy determined by the second terminal device for the service that the first terminal device will use; and

use the third security protection mode as the security protection mode for data communication between the second terminal device and the first access network device;

and the transceiver module 702 is further configured to:

send the third security protection mode to the first terminal device.
In another possible implementation, the first security protection mode is consistent with a second security protection mode, where the second security protection mode is the security protection mode supported by a second PDU session already established between the second terminal device and the first access network device.

In another possible implementation, the first security protection mode being consistent with the second security protection mode includes:

if the first security policy indicates that encryption protection is required and the second security protection mode supported by the second PDU session has encryption protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or

if the first security policy indicates that integrity protection is required and the second security protection mode supported by the second PDU session has integrity protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or

if the first security policy indicates that encryption protection is not needed and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or

if the first security policy indicates that integrity protection is not needed and the second security protection mode supported by the second PDU session has integrity protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or

if the first security policy indicates that encryption protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode; or

if the first security policy indicates that integrity protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
In another possible implementation, the transceiver module 702 is further configured to:

send a first request message to the SMF network element if the first security protection mode is inconsistent with the second security protection mode;

where the first request message requests modification of the second PDU session or establishment of a third PDU session and carries a third parameter, the third parameter indicates security information for data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session already established between the second terminal device and the first access network device; and

receive a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device and is consistent with the first security protection mode.
In another possible implementation, the first security protection mode being inconsistent with the second security protection mode includes:

if the first security policy indicates that encryption protection is preferred and the second security protection mode supported by the second PDU session has encryption protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or

if the first security policy indicates that integrity protection is preferred and the second security protection mode has integrity protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode; or

if the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy and the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
In another possible implementation, the third parameter includes at least one of the following:

first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;

where the first service information is the service information for the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
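The relay-side consistency check described over the preceding implementations (reuse the existing second PDU session when its protection mode matches the first security policy, otherwise send a first request message carrying the third parameter and expect a fourth security protection mode equal to the first one) is shown below in Python as an added example; it is not code from the patent or from the applicant. Two points are assumptions of the example rather than statements of the page: the page offers two alternative readings of "preferred" (adopt whatever the existing session has, or treat "preferred with the protection off" as a mismatch), which the `preferred_requires_on` flag selects between; and the rule that derives the first security protection mode from the policy when a new or modified session is requested (required and preferred turn the protection on, not needed turns it off) is not spelled out on the page. The dictionary keys of the third parameter are also the example's own names.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Need(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: Need
    integrity: Need


@dataclass(frozen=True)
class ProtectionMode:
    ciphering_on: bool
    integrity_on: bool


def _dimension_consistent(need: Need, enabled: bool, preferred_requires_on: bool) -> bool:
    """One protection (ciphering or integrity) of the existing PDU session against the policy:
    required -> must be on; not needed -> must be off; preferred -> either, unless the stricter
    variant is selected, in which case 'preferred' with the protection off is a mismatch."""
    if need is Need.REQUIRED:
        return enabled
    if need is Need.NOT_NEEDED:
        return not enabled
    return enabled or not preferred_requires_on


def mode_consistent_with_policy(policy: SecurityPolicy, mode: ProtectionMode,
                                preferred_requires_on: bool = False) -> bool:
    """Consistency of the second PDU session's protection mode with the first security policy.
    Any single mismatch counts as inconsistent, which also covers the page's case of both
    the encryption and the integrity protection mismatching."""
    return (_dimension_consistent(policy.ciphering, mode.ciphering_on, preferred_requires_on)
            and _dimension_consistent(policy.integrity, mode.integrity_on, preferred_requires_on))


def mode_from_policy(policy: SecurityPolicy) -> ProtectionMode:
    """Derive the first security protection mode from the policy when a new or modified PDU
    session has to be requested. Assumed rule (not on the page): required and preferred
    turn the protection on, not needed turns it off."""
    return ProtectionMode(
        ciphering_on=policy.ciphering is not Need.NOT_NEEDED,
        integrity_on=policy.integrity is not Need.NOT_NEEDED,
    )


def relay_decision(policy: SecurityPolicy, existing: Optional[ProtectionMode],
                   service_info: str, dnn: str, slice_info: str,
                   preferred_requires_on: bool = False) -> Tuple[str, ProtectionMode, Optional[Dict]]:
    """Relay-side decision after receiving the first security policy.
    Returns ("reuse", first_mode, None) when the existing second PDU session already matches,
    in which case its mode becomes the first security protection mode; otherwise
    ("request", first_mode, third_parameter), where third_parameter is what the first request
    message (PDU session modification or establishment) carries to the SMF.
    existing=None models a relay that has no PDU session yet."""
    if existing is not None and mode_consistent_with_policy(policy, existing, preferred_requires_on):
        return "reuse", existing, None
    first_mode = mode_from_policy(policy)
    third_parameter = {  # key names are this example's own
        "first_service_info": service_info,
        "second_dnn": dnn,
        "second_slice_info": slice_info,
        "first_security_policy": policy,
        "first_security_protection_mode": first_mode,
    }
    return "request", first_mode, third_parameter


def fourth_mode_acceptable(first_mode: ProtectionMode, fourth_mode: ProtectionMode) -> bool:
    """The fourth mode returned by the access network device must equal the first mode
    before the relay reports the first mode back to the remote UE."""
    return fourth_mode == first_mode


if __name__ == "__main__":
    # Constructed inputs, not from the page.
    policy = SecurityPolicy(Need.PREFERRED, Need.PREFERRED)
    existing = ProtectionMode(ciphering_on=False, integrity_on=False)
    print(relay_decision(policy, existing, "svc-1", "internet", "slice-1"))
    print(relay_decision(policy, existing, "svc-1", "internet", "slice-1", preferred_requires_on=True))
```

The two calls in the main block show the effect of the flag: with a policy of "preferred" on both protections and an unprotected existing session, the lenient reading reuses the session and reports an unprotected first mode to the remote UE, while the strict reading requests a modified or new PDU session with both protections on. The second behaviour is the one a remote UE that actually cares about integrity will want, since under the lenient reading "preferred" never upgrades an existing session.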
In another possible implementation, the transceiver module 702 is further configured to:

receive a third message sent by the first terminal device;

where the third message carries at least one of the following: first service information, a second DNN, second slice information, and a first protection indication, the first service information being the service information for the service that the first terminal device will use, the second DNN being the DNN that the first terminal device will access, the second slice information being information about the slice that the first terminal device will access, and the first protection indication indicating the protection mechanism that the first terminal device expects to be applied to data communication between the first terminal device and the first access network device;

the processing module 701 is further configured to:

determine a second protection indication according to the third message, where the second protection indication indicates the protection mechanism applied to data communication between the first terminal device and the first access network device;

and the transceiver module 702 is further configured to:

send the second protection indication to the first terminal device.
In another possible implementation, the processing module 701 is further configured to:

determine a second protection indication if the second terminal device has not received a protection indication from the first terminal device, where the second protection indication indicates the protection mechanism applied to data communication between the first terminal device and the first access network device;

and the transceiver module 702 is further configured to:

send the second protection indication to the first terminal device.

In this embodiment of the present application, the processing module 701 determines a first parameter, where the second terminal device supports providing a relay service and the first parameter indicates security information for communication between the second terminal device and the first access network device; the transceiver module 702 sends a first message carrying the first parameter. In this way, the first terminal device can determine the first security protection mode between itself and the second terminal device, and the security protection mode between the second terminal device and the first access network device is then determined on the basis of that first security protection mode, so that the protection on the two hops is consistent, which improves the security of data transmission.
The SMF network element provided by the embodiments of the present application is described below. FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application. The SMF network element may be configured to perform all or some of the steps performed by the SMF network element in the embodiments shown in FIG. 3, FIG. 4, and FIG. 5; see the relevant descriptions in the foregoing method embodiments.

The SMF network element includes a transceiver module 801 and a processing module 802.

The transceiver module 801 is configured to receive a first request message sent by a second terminal device, where the first request message requests modification of a second PDU session or establishment of a third PDU session and carries a third parameter, the third parameter indicating security information for data communication between a first terminal device and the second terminal device.

The processing module 802 is configured to determine a third security policy according to the third parameter, where the third security policy is the security policy determined by the SMF network element for the service that the first terminal device will use.

The transceiver module 801 is further configured to send a fourth message to the first access network device, where the fourth message carries the third security policy.
In a possible implementation, the third parameter includes at least one of the following:

first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;

where the first service information is the service information for the service that the first terminal device will use, the second DNN is the DNN that the first terminal device will access, and the second slice information is information about the slice that the first terminal device will access.
另一种可能的实现方式中,该处理模块802具体用于:In another possible implementation manner, the processing module 802 is specifically used for:
向UDM网元发送以下信息中的至少一项:该第一业务信息、该第二DNN和该第二切片信息;该SMF网元接收该UDM网元发送的签约安全策略;Send at least one of the following information to the UDM network element: the first service information, the second DNN and the second slice information; the SMF network element receives the subscription security policy sent by the UDM network element;
将该签约安全策略作为该第三安全策略,或者,根据该签约安全策略和该第一安全策略确定该第三安全策略,或者,根据该签约安全策略和该第一安全保护方式确定该第三安全策略。Use the contracted security policy as the third security policy, or determine the third security policy according to the contracted security policy and the first security policy, or determine the third security policy according to the contracted security policy and the first security protection mode security strategy.
另一种可能的实现方式中,该处理模块802具体用于:In another possible implementation manner, the processing module 802 is specifically used for:
根据该第一安全策略和该第一安全保护方式中的至少一项信息确定该第三安全策略。The third security policy is determined according to at least one item of information in the first security policy and the first security protection manner.
另一种可能的实现方式中,该第四消息还携带以下至少一项:该第一安全策略、该第一安全保护方式。In another possible implementation manner, the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
本申请实施例中,当第一安全保护方式与第二安全保护方式不一致时,或者,该第二终端设备上未建立有PDU会话时,收发模块801接收第二终端设备发送的第一请求消息,处理模块802根据第二终端设备发送的第一请求消息确定第三安全策略,并将该第三安全策略发送给第一接入网设备,以便于第一接入网设备根据第三安全策略确定第四安全保护方式,使得第四安全保护方式与第一安全保护方式一致,从而实现第一终端设备与第二终端设备之间的第一安全保护方式和第二终端设备与第一接入网设备之间的第四安全保护方式的协商一致。In this embodiment of the present application, when the first security protection mode is inconsistent with the second security protection mode, or when no PDU session is established on the second terminal device, the transceiver module 801 receives the first request message sent by the second terminal device , the processing module 802 determines a third security policy according to the first request message sent by the second terminal device, and sends the third security policy to the first access network device, so that the first access network device can follow the third security policy Determine the fourth security protection mode, so that the fourth security protection mode is consistent with the first security protection mode, so as to realize the first security protection mode between the first terminal device and the second terminal device and the second terminal device and the first access The fourth security protection mode between network devices is negotiated.
The first access network device provided by the embodiments of this application is described below. Refer to FIG. 9, which is a schematic structural diagram of a first access network device according to an embodiment of this application. The first access network device may be used to perform the steps performed by the first access network device in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5; refer to the related descriptions in the foregoing method embodiments.
The first access network device includes a transceiver module 901 and a processing module 902.
The transceiver module 901 is configured to receive a second message sent by an SMF network element, where the second message carries a third security policy, and the third security policy is a security policy, determined by the SMF network element, corresponding to a service to be used by the first terminal device;
The processing module 902 is configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode to be used for data communication between the second terminal device and the first access network device;
The transceiver module 901 is configured to send the fourth security protection mode to the second terminal device.
In a possible implementation, the second message further carries at least one of the following: the first security policy and the first security protection mode; and the processing module 902 is specifically configured to:
determine the fourth security protection mode according to the third security policy and the first security protection mode; or
determine the fourth security protection mode according to the third security policy and the first security policy; or
determine the fourth security protection mode according to the third security policy, the first security protection mode, and the first security policy.
In this embodiment of this application, the transceiver module 901 receives the second message sent by the SMF network element, where the second message carries the third security policy, and the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; the processing module 902 determines the fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode to be used for data communication between the second terminal device and the first access network device; and the transceiver module 901 sends the fourth security protection mode to the second terminal device. Because the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, the first security protection mode and the fourth security protection mode are thereby negotiated to be consistent.
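As an added illustration (not code from the application or its assignee), the following Python models the two steps just described: the SMF deriving the third security policy from the UDM subscription policy and the first security protection mode, and the first access network device deriving the fourth security protection mode so that it ends up consistent with the first. The NOT_NEEDED policy value and the combination rules in `smf_third_policy` and `ran_fourth_mode` are assumptions made here, not rules stated by the application.

```python
"""Deriving a consistent access-network protection mode from security policies.

Added illustration, not code from the patent application. The policy values
REQUIRED / PREFERRED / NOT_NEEDED and the combination rules below are
assumptions, chosen so that the fourth protection mode the access network
derives can match the first protection mode the relay link already uses.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Policy(str, Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"  # assumed third value next to the page's required/preferred


@dataclass(frozen=True)
class SecurityPolicy:
    """A security policy states, per feature, how strongly protection is wanted."""
    integrity: Policy
    ciphering: Policy


@dataclass(frozen=True)
class ProtectionMode:
    """A security protection mode is what is actually switched on for a link."""
    integrity_on: bool
    ciphering_on: bool


def _feature_allows(policy: Policy, enabled: bool) -> bool:
    """Does one feature's policy accept the given on/off state?"""
    if policy is Policy.REQUIRED:
        return enabled
    if policy is Policy.NOT_NEEDED:
        return not enabled
    return True  # PREFERRED accepts either state


def mode_satisfies(policy: SecurityPolicy, mode: ProtectionMode) -> bool:
    return (_feature_allows(policy.integrity, mode.integrity_on)
            and _feature_allows(policy.ciphering, mode.ciphering_on))


def _pin(subscribed: Policy, first_enabled: bool) -> Optional[Policy]:
    """Resolve one feature of the third policy from the subscription policy and the
    first protection mode (assumed rule): a PREFERRED subscription is pinned to what
    the relay link already does; REQUIRED / NOT_NEEDED must agree with it."""
    if subscribed is Policy.PREFERRED:
        return Policy.REQUIRED if first_enabled else Policy.NOT_NEEDED
    return subscribed if _feature_allows(subscribed, first_enabled) else None


def smf_third_policy(subscribed: SecurityPolicy,
                     first_mode: ProtectionMode) -> Optional[SecurityPolicy]:
    """SMF side: third policy from the UDM subscription policy and the first
    protection mode. None means the subscription cannot be reconciled with the
    relay link, which the SMF should treat as a failed negotiation, not ignore."""
    integ = _pin(subscribed.integrity, first_mode.integrity_on)
    ciph = _pin(subscribed.ciphering, first_mode.ciphering_on)
    if integ is None or ciph is None:
        return None
    return SecurityPolicy(integ, ciph)


def ran_fourth_mode(third: SecurityPolicy, first_mode: ProtectionMode) -> ProtectionMode:
    """Access-network side: fourth protection mode from the third policy, breaking
    PREFERRED ties by following the first protection mode carried in the message."""
    def pick(p: Policy, first_enabled: bool) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return first_enabled
    return ProtectionMode(pick(third.integrity, first_mode.integrity_on),
                          pick(third.ciphering, first_mode.ciphering_on))


def negotiate(subscribed: SecurityPolicy,
              first_mode: ProtectionMode) -> Optional[Tuple[ProtectionMode, bool]]:
    """Run both steps; report the fourth mode and whether it matches the first."""
    third = smf_third_policy(subscribed, first_mode)
    if third is None:
        return None
    fourth = ran_fourth_mode(third, first_mode)
    return fourth, fourth == first_mode


if __name__ == "__main__":
    # Constructed sample: relay link has integrity and ciphering on; the
    # subscription says integrity PREFERRED, ciphering REQUIRED.
    sub = SecurityPolicy(Policy.PREFERRED, Policy.REQUIRED)
    first = ProtectionMode(integrity_on=True, ciphering_on=True)
    print(negotiate(sub, first))
```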
FIG. 10 shows a possible schematic structural diagram of the first terminal device.
FIG. 10 shows a simplified schematic structural diagram of the first terminal device. For ease of understanding and illustration, in FIG. 10 the first terminal device is a mobile phone by way of example. As shown in FIG. 10, the first terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input/output apparatus. The processor is mainly configured to process communication protocols and communication data, control the terminal device, execute software programs, and process data of the software programs. The memory is mainly configured to store software programs and data. The radio frequency circuit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The antenna is mainly used to transmit and receive radio frequency signals in the form of electromagnetic waves. The input/output apparatus, such as a touchscreen, a display, or a keyboard, is mainly used to receive data input by a user and to output data to the user. It should be noted that some types of first terminal device may have no input/output apparatus.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs a baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and then sends the radio frequency signal out through the antenna in the form of electromagnetic waves. When data is sent to the first terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal, and outputs the baseband signal to the processor; the processor converts the baseband signal into data and processes the data. For ease of description, only one memory and one processor are shown in FIG. 10. In an actual terminal device product, there may be one or more processors and one or more memories. The memory may also be referred to as a storage medium, a storage device, or the like. The memory may be disposed independently of the processor or may be integrated with the processor; this is not limited in the embodiments of this application.
In the embodiments of this application, the antenna and the radio frequency circuit having a transceiver function may be regarded as a transceiver unit of the first terminal device, and the processor having a processing function may be regarded as a processing unit of the first terminal device. As shown in FIG. 10, the first terminal device includes a transceiver unit 1010 and a processing unit 1020. The transceiver unit may also be referred to as a transceiver, a transceiver device, a transceiving apparatus, or the like. The processing unit may also be referred to as a processor, a processing board, a processing module, a processing apparatus, or the like. Optionally, the component of the transceiver unit 1010 that implements the receiving function may be regarded as a receiving unit, and the component of the transceiver unit 1010 that implements the sending function may be regarded as a sending unit; that is, the transceiver unit 1010 includes a receiving unit and a sending unit. The transceiver unit may sometimes also be referred to as a transceiver device, a transceiver, a transceiver circuit, or the like. The receiving unit may sometimes also be referred to as a receiver, a receiving device, a receiving circuit, or the like. The sending unit may sometimes also be referred to as a transmitter, a transmitting device, a transmitting circuit, or the like.
It should be understood that the transceiver unit 1010 is configured to perform the sending and receiving operations of the first terminal device in the foregoing method embodiments, and the processing unit 1020 is configured to perform the operations of the first terminal device in the foregoing method embodiments other than the sending and receiving operations.
For example, in a possible implementation, the transceiver unit 1010 is configured to perform the sending and receiving operations of the first terminal device in step 202 in FIG. 2, and/or the transceiver unit 1010 is further configured to perform the other sending and receiving steps of the first terminal device in the embodiments of this application.
When the terminal device is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface, and the processing unit is a processor, a microprocessor, an integrated circuit, or a logic circuit integrated on the chip.
FIG. 10 is reused here: FIG. 10 may also be used to perform all or some of the steps performed by the second terminal device in the foregoing method embodiments; refer to the related descriptions in the foregoing method embodiments.
This application further provides an SMF network element. Refer to FIG. 11, which is another schematic structural diagram of the SMF network element in the embodiments of this application. The SMF network element may be used to perform the steps performed by the SMF network element in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5; refer to the related descriptions in the foregoing method embodiments.
The SMF network element includes a processor 1101 and a memory 1102. Optionally, the SMF network element further includes a transceiver 1103.
In a possible implementation, the processor 1101, the memory 1102, and the transceiver 1103 are connected to one another through a bus, and the memory stores computer instructions.
The processing module 802 in the foregoing embodiment may specifically be the processor 1101 in this embodiment, so the specific implementation of the processor 1101 is not described again. The transceiver module 801 in the foregoing embodiment may specifically be the transceiver 1103 in this embodiment, so the specific implementation of the transceiver 1103 is not described again.
This application further provides a first access network device. Refer to FIG. 12, which is another schematic structural diagram of the first access network device in the embodiments of this application. The first access network device may be used to perform the steps performed by the first access network device in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5; refer to the related descriptions in the foregoing method embodiments.
The first access network device includes a processor 1201 and a memory 1202. Optionally, the first access network device further includes a transceiver 1203.
In a possible implementation, the processor 1201, the memory 1202, and the transceiver 1203 are connected to one another through a bus, and the memory stores computer instructions.
The processing module 902 in the foregoing embodiment may specifically be the processor 1201 in this embodiment, so the specific implementation of the processor 1201 is not described again. The transceiver module 901 in the foregoing embodiment may specifically be the transceiver 1203 in this embodiment, so the specific implementation of the transceiver 1203 is not described again.
Refer to FIG. 13. An embodiment of this application further provides a communication system, which includes the first terminal device shown in FIG. 6 and the second terminal device shown in FIG. 7. The first terminal device shown in FIG. 6 is configured to perform all or some of the steps performed by the first terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5, and the second terminal device shown in FIG. 7 is configured to perform all or some of the steps performed by the second terminal device in the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
Optionally, the communication system further includes the SMF network element shown in FIG. 8 and the first access network device shown in FIG. 9. The SMF network element shown in FIG. 8 is configured to perform all or some of the steps performed by the SMF network element in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5, and the first access network device shown in FIG. 9 is configured to perform all or some of the steps performed by the first access network device in the embodiments shown in FIG. 3, FIG. 4 and FIG. 5.
An embodiment of this application further provides a computer program product including instructions that, when run on a computer, cause the computer to perform the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
An embodiment of this application further provides a computer-readable storage medium including computer instructions that, when run on a computer, cause the computer to perform the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
An embodiment of this application further provides a chip apparatus including a processor, configured to be connected to a memory and to invoke a program stored in the memory, so that the processor performs the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5.
The processor mentioned anywhere above may be a general-purpose central processing unit, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the communication method of the embodiments shown in FIG. 2, FIG. 3, FIG. 4 and FIG. 5. The memory mentioned anywhere above may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM), or the like.
The term "and/or" in this application describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may represent the following three cases: only A exists, both A and B exist, and only B exists. In addition, the character "/" in this application generally indicates an "or" relationship between the associated objects.
The terms "include" and "have" and any variants thereof in the specification and claims of this application are intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or modules is not necessarily limited to those steps or modules expressly listed, but may include other steps or modules that are not expressly listed or that are inherent to the process, method, product, or device.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the system, apparatus, and units described above, reference may be made to the corresponding processes in the foregoing method embodiments; details are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is merely a logical function division; in actual implementation there may be another division manner. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be implemented through some interfaces, and the indirect couplings or communication connections between apparatuses or units may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of this application essentially, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disc.
The foregoing embodiments are merely intended to describe the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that modifications may still be made to the technical solutions described in the foregoing embodiments, or equivalent replacements may be made to some of their technical features, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of this application.

Claims (42)

  1. 一种通信方法,其特征在于,所述方法包括:A communication method, characterized in that the method comprises:
    第一终端设备接收第一消息,所述第一消息携带第一参数,所述第一参数用于指示第二终端设备与第一接入网设备之间进行通信的安全信息;The first terminal device receives a first message, where the first message carries a first parameter, where the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
    所述第一终端设备根据所述第一参数选择所述第二终端设备,所述第二终端设备用于为所述第一终端设备与所述第一接入网设备之间的通信提供中继服务。The first terminal device selects the second terminal device according to the first parameter, and the second terminal device is used to provide a medium for communication between the first terminal device and the first access network device. continue service.
  2. 根据权利要求1所述的方法,其特征在于,所述第一参数包括以下至少一项:The method according to claim 1, wherein the first parameter comprises at least one of the following:
    第一协议数据单元PDU会话支持的第一安全保护方式、所述第一接入网设备的类型、第一指示信息、第二指示信息、数字签名、所述第二终端设备的标识、所述第二终端设备归属的或服务的网络标识ID、第一数据网络名称DNN、或者、第一切片信息;The first security protection mode supported by the first protocol data unit PDU session, the type of the first access network device, the first indication information, the second indication information, the digital signature, the identifier of the second terminal device, the The network identifier ID, the first data network name DNN, or the first slice information to which the second terminal device belongs or serves;
    其中,所述第一PDU会话为所述第二终端设备上已建立的PDU会话,所述第一指示信息为所述第一接入网设备是否支持按需安全保护方式的指示信息,所述第二指示信息用于指示所述第一接入网设备具备支持完整性保护的能力,所述数字签名为所述第二终端设备通过所述第二终端设备的私钥或所述第二终端设备的根证书生成的,所述第一DNN为所述第二终端设备支持提供中继服务的DNN,所述第一切片信息为所述第二终端设备支持提供中继服务的切片的信息。The first PDU session is an established PDU session on the second terminal device, the first indication information is indication information of whether the first access network device supports an on-demand security protection mode, and the The second indication information is used to indicate that the first access network device has the ability to support integrity protection, and the digital signature is the second terminal device using the private key of the second terminal device or the second terminal The root certificate of the device is generated, the first DNN is the DNN that the second terminal device supports to provide relay services, and the first slice information is the information of the slice that the second terminal device supports to provide relay services .
  3. 根据权利要求2所述的方法,其特征在于,所述第一终端设备根据所述第一参数选择所述第二终端设备之前,所述方法还包括:The method according to claim 2, wherein before the first terminal device selects the second terminal device according to the first parameter, the method further comprises:
    所述第一终端设备确定第一安全策略,所述第一安全策略为所述第一终端设备确定的所述第一终端设备将使用的业务对应的安全策略;determining, by the first terminal device, a first security policy, where the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
    所述第一终端设备根据所述第一参数选择所述第二终端设备,包括:The first terminal device selects the second terminal device according to the first parameter, including:
    所述第一终端设备根据所述第一安全策略和所述第一参数选择所述第二终端设备。The first terminal device selects the second terminal device according to the first security policy and the first parameter.
  4. 根据权利要求3所述的方法,其特征在于,所述第一安全策略指示完整性保护为需要required或者倾向于需要preferred;所述第一终端设备根据所述第一安全策略和所述第一参数选择所述第二终端设备,包括:The method according to claim 3, wherein the first security policy indicates that integrity protection is required or tends to be preferred; the first terminal device is based on the first security policy and the first The parameter selection of the second terminal device includes:
    若所述第一参数包括所述第一PDU会话支持的第一安全保护方式,且所述第一安全保护方式为开启完整性保护,则所述第一终端设备选择所述第二终端设备;If the first parameter includes a first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, the first terminal device selects the second terminal device;
    或者,or,
    若所述第一参数包括所述第一接入网设备的类型,且所述第一接入网设备的类型指示所述第一接入网设备具备支持开启完整性保护的能力,则所述第一终端设备选择所述第二终端设备;If the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the capability to support enabling integrity protection, the the first terminal device selects the second terminal device;
    或者,or,
    若所述第一参数包括所述第一指示信息,且所述第一指示信息指示所述第一接入网设备支持按需保护方式,则所述第一终端设备选择所述第二终端设备;If the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device ;
    或者,or,
    若所述第一参数包括所述第二指示信息,所述第一终端设备选择所述第二终端设备。If the first parameter includes the second indication information, the first terminal device selects the second terminal device.
  5. 根据权利要求3所述的方法,其特征在于,所述第一安全策略指示加密保护为需要 required或者为倾向于需要preferred;所述第一终端设备根据所述第一安全策略和所述第一参数选择所述第二终端设备,包括:The method according to claim 3, wherein the first security policy indicates that encryption protection is required or is inclined to be preferred; the first terminal device is based on the first security policy and the first The parameter selection of the second terminal device includes:
    若所述第一参数包括所述第一PDU会话支持的第一安全保护方式,且所述第一安全保护方式为开启加密保护,则所述第一终端设备选择所述第二终端设备。If the first parameter includes a first security protection mode supported by the first PDU session, and the first security protection mode is to enable encryption protection, the first terminal device selects the second terminal device.
  6. 根据权利要求3所述的方法,其特征在于,所述第一终端设备根据所述第一安全策略和所述第一参数选择所述第二终端设备,包括:The method according to claim 3, wherein the first terminal device selects the second terminal device according to the first security policy and the first parameter, comprising:
    if the first security policy is consistent with a second security policy, the first terminal device selects the second terminal device, where the second security policy is a security policy associated with the first DNN and/or the first slice information.
  7. The method according to claim 1, wherein the method further comprises:
    receiving, by the first terminal device, a second message, where the second message carries a second parameter, and the second parameter is used to indicate security information of communication between a third terminal device and a second access network device;
    the selecting, by the first terminal device, the second terminal device according to the first parameter comprises:
    selecting, by the first terminal device, the second terminal device according to the first parameter and the second parameter.
  8. The method according to claim 7, wherein the selecting, by the first terminal device, the second terminal device according to the first parameter and the second parameter comprises:
    if the first parameter includes a first security protection mode supported by a first PDU session, the first security protection mode is integrity protection enabled, the second parameter includes a second security protection mode supported by a second PDU session, and the second security protection mode is integrity protection not enabled, selecting, by the first terminal device, the second terminal device, where the first PDU session is a PDU session already established on the second terminal device and the second PDU session is a PDU session already established on the third terminal device;
    or,
    if the first parameter includes the first indication information, the first indication information indicates that the first access network device supports an on-demand protection mode, the second parameter includes third indication information, and the third indication information indicates that the second access network device does not support the on-demand protection mode, selecting, by the first terminal device, the second terminal device.
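The selection rule of claims 7 and 8 (mirrored for the apparatus in claims 28 and 29), combined with the policy conditions of claims 25 to 27, as an added Python example that is not part of the patent application or of the assignee's implementation. It generalises the pairwise comparison of claim 8 to any number of candidate relays; the field names of `RelayParameter` and the boolean encoding of the protection modes are assumptions made for this example, since the claims name the parameters but fix no encoding.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Policy(Enum):
    """The three values a security policy can take for one protection."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy of the first terminal device (the remote UE)."""
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class RelayParameter:
    """Security information announced by one candidate relay in its first
    message (the 'first parameter' of claim 12). None means 'not carried'.
    Field names are assumptions chosen for this example."""
    relay_id: str
    pdu_ciphering: Optional[bool] = None        # first security protection mode: ciphering on/off
    pdu_integrity: Optional[bool] = None        # first security protection mode: integrity on/off
    ran_type_supports_integrity: Optional[bool] = None  # type of the first access network device
    ran_on_demand: Optional[bool] = None        # first indication information
    ran_integrity_capable: bool = False         # second indication information present
    dnn_slice_policy: Optional[SecurityPolicy] = None  # policy associated with first DNN / slice


def eligible(policy: SecurityPolicy, p: RelayParameter) -> bool:
    """Filter of claims 25 to 27: the relay is selectable only if every
    protection the policy marks required or preferred is backed by at least
    one of the conditions the claims list, and the DNN/slice policy (when
    announced) agrees with the first terminal's own policy."""
    if policy.integrity in (Policy.REQUIRED, Policy.PREFERRED):
        if not (p.pdu_integrity is True
                or p.ran_type_supports_integrity is True
                or p.ran_on_demand is True
                or p.ran_integrity_capable):
            return False
    if policy.ciphering in (Policy.REQUIRED, Policy.PREFERRED):
        if p.pdu_ciphering is not True:
            return False
    if p.dnn_slice_policy is not None and p.dnn_slice_policy != policy:
        return False
    return True


def preference_key(p: RelayParameter):
    """Ranking of claim 8: a relay whose established PDU session has integrity
    protection on is preferred over one where it is off, and a relay behind an
    access network that supports on-demand protection over one that does not."""
    return (p.pdu_integrity is True, p.ran_on_demand is True)


def select_relay(policy: SecurityPolicy, candidates: List[RelayParameter]) -> Optional[str]:
    """Apply the filter, then the ranking; on a tie the first announced relay
    wins (max() returns the first maximal element). None if no relay is eligible."""
    pool = [p for p in candidates if eligible(policy, p)]
    if not pool:
        return None
    return max(pool, key=preference_key).relay_id


# Constructed sample input: four relays heard by a remote UE that needs
# integrity protection but no ciphering.
POLICY = SecurityPolicy(ciphering=Policy.NOT_NEEDED, integrity=Policy.REQUIRED)
RELAY_A = RelayParameter("relay-A", pdu_integrity=False, ran_on_demand=True)
RELAY_B = RelayParameter("relay-B", pdu_integrity=True, ran_on_demand=False)
RELAY_C = RelayParameter("relay-C", pdu_integrity=True, ran_on_demand=True)
RELAY_D = RelayParameter("relay-D")  # announces nothing about integrity support

if __name__ == "__main__":
    print(select_relay(POLICY, [RELAY_A, RELAY_B, RELAY_C, RELAY_D]))  # relay-C
    print(select_relay(POLICY, [RELAY_A, RELAY_B]))                    # relay-B
```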
  9. The method according to any one of claims 1 to 8, wherein the method further comprises:
    sending, by the first terminal device, a second message to the second terminal device, where the second message carries the first security policy.
  10. The method according to any one of claims 1 to 8, wherein the method further comprises:
    sending, by the first terminal device, a third message to the second terminal device, where the third message carries any one of the following: first service information, a first protection indication, a second DNN, or second slice information, where the first service information is service information corresponding to a service to be used by the first terminal device, and the first protection indication is used to indicate a protection mechanism that the first terminal device expects to be performed during data communication between the first terminal device and the first access network device;
    receiving, by the first terminal device, a second protection indication sent by the second terminal device, where the second protection indication is used to indicate a protection mechanism performed during data communication between the first terminal device and the first access network device.
  11. A communication method, wherein the method comprises:
    determining, by a second terminal device, a first parameter, where the second terminal device supports a function of providing a relay service, and the first parameter is used to indicate security information of communication between the second terminal device and a first access network device;
    sending, by the second terminal device, a first message, where the first message carries the first parameter.
  12. The method according to claim 11, wherein the first parameter includes at least one of the following:
    a first security protection mode supported by a first protocol data unit (PDU) session, a type of the first access network device, first indication information, second indication information, a digital signature, an identifier of the second terminal device, a network identifier (ID) of a network to which the second terminal device belongs or which serves it, a first data network name (DNN), or first slice information;
    where the first PDU session is a PDU session already established on the second terminal device, the first indication information is indication information indicating that the first access network device supports an on-demand security protection mode, the second indication information is used to indicate that the first access network device has a capability of supporting integrity protection, the digital signature is generated by the second terminal device using a private key of the second terminal device or a root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information about a slice for which the second terminal device supports providing the relay service.
  13. The method according to claim 11 or 12, wherein the method further comprises:
    receiving, by the second terminal device, a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is a security policy, determined by the first terminal device, corresponding to a service to be used by the first terminal device;
    determining, by the second terminal device, a first security protection mode according to the first security policy;
    using, by the second terminal device, the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device;
    sending, by the second terminal device, the first security protection mode to the first terminal device.
  14. The method according to claim 11 or 12, wherein the method further comprises:
    receiving, by the second terminal device, a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is a security policy, determined by the first terminal device, corresponding to a service to be used by the first terminal device;
    determining, by the second terminal device, a third security protection mode according to the first security policy and a second security policy, where the second security policy is a security policy, determined by the second terminal device, corresponding to the service to be used by the first terminal device;
    using, by the second terminal device, the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device;
    sending, by the second terminal device, the third security protection mode to the first terminal device.
  15. The method according to claim 13, wherein the first security protection mode is consistent with a second security protection mode, and the second security protection mode is a security protection mode supported by a second PDU session already established between the second terminal device and the first access network device.
  16. The method according to claim 15, wherein that the first security protection mode is consistent with the second security protection mode comprises:
    if the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session is encryption protection enabled, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session is integrity protection enabled, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session is encryption protection not enabled, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session is integrity protection not enabled, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that encryption protection is preferred, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is preferred, using, by the second terminal device, the second security protection mode supported by the second PDU session as the first security protection mode.
  17. The method according to claim 13, wherein the method further comprises:
    if the first security protection mode is inconsistent with a second security protection mode, sending, by the second terminal device, a first request message to a session management function (SMF) network element;
    where the first request message is used to request modification of a second PDU session or to request establishment of a third PDU session, the first request message carries a third parameter, the third parameter is used to indicate security information of data communication between the first terminal device and the second terminal device, and the second security protection mode is a security protection mode supported by the second PDU session already established between the second terminal device and the first access network device;
    receiving, by the second terminal device, a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
  18. The method according to claim 17, wherein that the first security protection mode is inconsistent with the second security protection mode comprises:
    if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is encryption protection not enabled, determining, by the second terminal device, that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode;
    or,
    if the first security policy indicates that integrity protection is preferred, and the second security protection mode is integrity protection not enabled, determining, by the second terminal device, that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode;
    or,
    if the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, and the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, determining, by the second terminal device, that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
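The consistency determination of claims 15 to 18 and the request of claims 17 and 19, as an added Python example that is not code from the patent application or its assignee. The dataclass field names, the dict layout of the request, the treatment of a preferred policy when a new mode must be requested, and the choice between modifying the second PDU session and establishing a third one are assumptions made for this example; the claims name both options without a selection rule.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """The three policy values named in the claims."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy received from the first terminal device (claim 13)."""
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode of a PDU session: each protection is on or off."""
    ciphering: bool
    integrity: bool


def _matches(policy: Policy, enabled: bool) -> bool:
    """Claim 16, per protection: required <-> on, not needed <-> off, and a
    preferred policy accepts whatever the established session already uses."""
    if policy is Policy.REQUIRED:
        return enabled
    if policy is Policy.NOT_NEEDED:
        return not enabled
    return True


def is_consistent(policy: SecurityPolicy, second_mode: ProtectionMode) -> bool:
    """Claims 15 and 16: the mode derived from the policy is consistent with the
    second PDU session's mode when both protections match."""
    return (_matches(policy.ciphering, second_mode.ciphering)
            and _matches(policy.integrity, second_mode.integrity))


def is_inconsistent_claim18(policy: SecurityPolicy, second_mode: ProtectionMode) -> bool:
    """Claim 18's three conditions, taken literally. They diverge from claim 16:
    preferred with the protection off counts as a mismatch here, while a
    mismatch on only one of the two protections is not listed."""
    if policy.ciphering is Policy.PREFERRED and not second_mode.ciphering:
        return True
    if policy.integrity is Policy.PREFERRED and not second_mode.integrity:
        return True
    return (not _matches(policy.ciphering, second_mode.ciphering)
            and not _matches(policy.integrity, second_mode.integrity))


def derive_first_mode(policy: SecurityPolicy, second_mode: ProtectionMode) -> Optional[ProtectionMode]:
    """Claim 16: when consistent, the second PDU session's mode becomes the first
    security protection mode; otherwise the established session cannot be reused as is."""
    return second_mode if is_consistent(policy, second_mode) else None


def desired_mode(policy: SecurityPolicy) -> ProtectionMode:
    """Mode the relay asks the network for when the session must be modified or a
    new one established. Assumption for this example: preferred is requested as
    on, since claim 18 treats preferred with the protection off as inconsistent."""
    return ProtectionMode(
        ciphering=policy.ciphering is not Policy.NOT_NEEDED,
        integrity=policy.integrity is not Policy.NOT_NEEDED,
    )


def build_first_request(policy: SecurityPolicy, second_mode: ProtectionMode, modify_existing: bool,
                        service_info: str, dnn: str, slice_info: str) -> Optional[dict]:
    """Claims 17 and 19: if the policy and the established session disagree, build
    the first request message towards the SMF carrying the third parameter.
    Returns None when the established session can be reused without a request."""
    if is_consistent(policy, second_mode):
        return None
    mode = desired_mode(policy)
    return {
        "pdu_session_action": "modify" if modify_existing else "establish",
        "third_parameter": {
            "service_info": service_info,
            "dnn": dnn,
            "slice_info": slice_info,
            "security_policy": {"ciphering": policy.ciphering.value, "integrity": policy.integrity.value},
            "protection_mode": {"ciphering": mode.ciphering, "integrity": mode.integrity},
        },
    }


# Constructed sample: the remote UE needs integrity but no ciphering, while the
# relay's established PDU session has both protections off.
POLICY = SecurityPolicy(ciphering=Policy.NOT_NEEDED, integrity=Policy.REQUIRED)
SESSION_MODE = ProtectionMode(ciphering=False, integrity=False)

if __name__ == "__main__":
    print(is_consistent(POLICY, SESSION_MODE))  # False
    print(build_first_request(POLICY, SESSION_MODE, True, "svc-1", "dnn-example", "slice-1"))
```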
  19. 根据权利要求17或18所述的方法,其特征在于,所述第三参数包括以下至少一项:The method according to claim 17 or 18, wherein the third parameter includes at least one of the following:
    第一业务信息、第二DNN、第二切片信息、所述第一安全策略和所述第一安全保护方式;the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode;
    其中,所述第一业务信息为所述第一终端设备将使用的业务对应的业务信息,所述第二DNN为所述第一终端设备将接入的DNN,所述第二切片信息为所述第一终端设备将接入的切片的信息。The first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, and the second slice information is the information about the slice to be accessed by the first terminal device.
  20. 根据权利要求13至19中的任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 13 to 19, wherein the method further comprises:
    所述第二终端设备接收所述第一终端设备发送的第三消息;receiving, by the second terminal device, a third message sent by the first terminal device;
    其中,所述第三消息携带以下至少一项信息:第一业务信息、第二DNN、第二切片信息和第一保护指示,所述第一业务信息为所述第一终端设备将使用的业务对应的业务信息,所述第二DNN为所述第一终端设备将接入的DNN,所述第二切片信息为所述第一终端设备将接入的切片的信息,所述第一保护指示用于指示所述第一终端设备期望的所述第一终端设备与所述第一接入网设备之间进行数据通信时执行的保护机制;Wherein, the third message carries at least one of the following information: first service information, second DNN, second slice information and first protection indication, and the first service information is a service to be used by the first terminal device Corresponding service information, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is the information of the slice to be accessed by the first terminal device, and the first protection indication a protection mechanism for instructing the first terminal device to perform data communication between the first terminal device and the first access network device expected by the first terminal device;
    所述方法还包括:The method also includes:
    所述第二终端设备根据所述第三消息确定第二保护指示,所述第二保护指示用于指示所述第一终端设备与所述第一接入网设备之间进行数据通信时执行的保护机制;The second terminal device determines a second protection indication according to the third message, where the second protection indication is used to instruct the first terminal device to perform data communication with the first access network device. protection mechanism;
    所述第二终端设备向所述第一终端设备发送所述第二保护指示。The second terminal device sends the second protection indication to the first terminal device.
  21. 根据权利要求13至19中的任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 13 to 19, wherein the method further comprises:
    若所述第二终端设备未接收到所述第一终端设备发送的保护指示,所述第二终端设备确定第二保护指示,所述第二保护指示用于指示所述第一终端设备与所述第一接入网设备之间进行数据通信时执行的保护机制;If the second terminal device does not receive the protection indication sent by the first terminal device, the second terminal device determines a second protection indication, where the second protection indication is used to instruct the first terminal device to communicate with the Describe the protection mechanism performed during data communication between the first access network devices;
    所述第二终端设备向所述第一终端设备发送所述第二保护指示。The second terminal device sends the second protection indication to the first terminal device.
  22. 一种第一终端设备,其特征在于,所述第一终端设备包括:A first terminal device, characterized in that the first terminal device comprises:
    收发模块,用于接收第一消息,所述第一消息携带第一参数,所述第一参数用于指示第二终端设备与第一接入网设备之间进行通信的安全信息;a transceiver module, configured to receive a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
    处理模块,用于根据所述第一参数选择所述第二终端设备,所述第二终端设备用于为所述第一终端设备与所述第一接入网设备之间的通信提供中继服务。a processing module, configured to select the second terminal device according to the first parameter, and the second terminal device is configured to provide a relay for communication between the first terminal device and the first access network device Serve.
  23. 根据权利要求22所述的第一终端设备,其特征在于,所述第一参数包括以下至少一项:The first terminal device according to claim 22, wherein the first parameter includes at least one of the following:
    第一协议数据单元PDU会话支持的第一安全保护方式、所述第一接入网设备的类型、第一指示信息、第二指示信息、数字签名、所述第二终端设备的标识、所述第二终端设备 归属的或服务的网络标识ID、第一数据网络名称DNN、或者、第一切片信息;The first security protection mode supported by the first protocol data unit PDU session, the type of the first access network device, the first indication information, the second indication information, the digital signature, the identifier of the second terminal device, the The network identifier ID, the first data network name DNN, or the first slice information to which the second terminal device belongs or serves;
    其中,所述第一PDU会话为所述第二终端设备上已建立的PDU会话,所述第一指示信息为所述第一接入网设备是否支持按需安全保护方式的指示信息,所述第二指示信息用于指示所述第一接入网设备具备支持完整性保护的能力,所述数字签名为所述第二终端设备通过所述第二终端设备的私钥或所述第二终端设备的根证书生成的,所述第一DNN为所述第二终端设备支持提供中继服务的DNN,所述第一切片信息为所述第二终端设备支持提供中继服务的切片的信息。The first PDU session is an established PDU session on the second terminal device, the first indication information is indication information of whether the first access network device supports an on-demand security protection mode, and the The second indication information is used to indicate that the first access network device has the ability to support integrity protection, and the digital signature is the second terminal device using the private key of the second terminal device or the second terminal The root certificate of the device is generated, the first DNN is the DNN that the second terminal device supports to provide relay services, and the first slice information is the information of the slice that the second terminal device supports to provide relay services .
  24. 根据权利要求23所述的第一终端设备,其特征在于,所述处理模块还用于:The first terminal device according to claim 23, wherein the processing module is further configured to:
    确定第一安全策略,所述第一安全策略为所述第一终端设备确定的所述第一终端设备将使用的业务对应的安全策略;determining a first security policy, where the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
    所述处理模块具体用于:The processing module is specifically used for:
    根据所述第一安全策略和所述第一参数选择所述第二终端设备。The second terminal device is selected according to the first security policy and the first parameter.
  25. 根据权利要求24所述的第一终端设备,其特征在于,所述第一安全策略指示完整性保护为需要required或者倾向于需要preferred;所述处理模块具体用于:The first terminal device according to claim 24, wherein the first security policy indicates that integrity protection is required or tends to be preferred; and the processing module is specifically configured to:
    若所述第一参数包括所述第一PDU会话支持的第一安全保护方式,且所述第一安全保护方式为开启完整性保护,则选择所述第二终端设备;If the first parameter includes a first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, selecting the second terminal device;
    或者,or,
    若所述第一参数包括所述第一接入网设备的类型,且所述第一接入网设备的类型指示所述第一接入网设备具备支持开启完整性保护的能力,则选择所述第二终端设备;If the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the ability to support enabling integrity protection, select the the second terminal device;
    或者,or,
    若所述第一参数包括所述第一指示信息,且所述第一指示信息指示所述第一接入网设备支持按需保护方式,则选择所述第二终端设备;If the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports an on-demand protection mode, selecting the second terminal device;
    或者,or,
    若所述第一参数包括所述第二指示信息,则选择所述第二终端设备。If the first parameter includes the second indication information, the second terminal device is selected.
  26. 根据权利要求24所述的第一终端设备,其特征在于,所述第一安全策略指示加密保护为需要required或者为倾向于需要preferred;所述处理模块具体用于:The first terminal device according to claim 24, wherein the first security policy indicates that encryption protection is required or tends to be preferred; and the processing module is specifically configured to:
    若所述第一参数包括所述第一PDU会话支持的第一安全保护方式,且所述第一安全保护方式为开启加密保护,则选择所述第二终端设备。If the first parameter includes a first security protection mode supported by the first PDU session, and the first security protection mode is to enable encryption protection, the second terminal device is selected.
  27. 根据权利要求24所述的第一终端设备,其特征在于,所述处理模块具体用于:The first terminal device according to claim 24, wherein the processing module is specifically configured to:
    若所述第一安全策略与第二安全策略一致时,则选择所述第二终端设备,所述第二安全策略为所述第一DNN和/或所述第一切片信息关联的安全策略。If the first security policy is consistent with the second security policy, the second terminal device is selected, and the second security policy is the security policy associated with the first DNN and/or the first slice information .
  28. 根据权利要求22所述的第一终端设备,其特征在于,所述收发模块还用于:The first terminal device according to claim 22, wherein the transceiver module is further configured to:
    接收第二消息,所述第二消息携带第二参数,所述第二参数用于指示第三终端设备与第二接入网设备之间的通信的安全信息;receiving a second message, where the second message carries a second parameter, where the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device;
    所述处理模块具体用于:The processing module is specifically used for:
    根据所述第一参数和所述第二参数选择所述第二终端设备。The second terminal device is selected according to the first parameter and the second parameter.
  29. 根据权利要求28所述的第一终端设备,其特征在于,所述处理模块具体用于:The first terminal device according to claim 28, wherein the processing module is specifically configured to:
    若所述第一参数包括第一PDU会话支持的第一安全保护方式,且所述第一安全保护方式为开启完整性保护,所述第二参数包括第二PDU会话支持的第二安全保护方式,且所述第二安全保护方式为不开启完整性保护,则选择所述第二终端设备,所述第一PDU会话为所述第二终端设备上已建立的PDU会话,所述第二PDU会话为所述第三终端设备上已建立的PDU会话;If the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, the second parameter includes the second security protection mode supported by the second PDU session , and the second security protection mode is not to enable integrity protection, select the second terminal device, the first PDU session is an established PDU session on the second terminal device, and the second PDU The session is an established PDU session on the third terminal device;
    或者,or,
    若所述第一参数包括所述第一指示信息且所述第一指示信息指示所述第一接入网设备支持按需保护方式,所述第二参数包括第三指示信息且所述第三指示信息指示所述第二接入网设备不支持按需保护方式,则选择所述第二终端设备。If the first parameter includes the first indication information and the first indication information indicates that the first access network device supports an on-demand protection mode, the second parameter includes third indication information and the third indication information The indication information indicates that the second access network device does not support the on-demand protection mode, and the second terminal device is selected.
  30. 根据权利要求22至29中任一项所述的第一终端设备,其特征在于,所述收发模块还用于:The first terminal device according to any one of claims 22 to 29, wherein the transceiver module is further configured to:
    向所述第二终端设备发送第二消息,所述第二消息携带第一安全策略。Send a second message to the second terminal device, where the second message carries the first security policy.
  31. 根据权利要求22至29中任一项所述的第一终端设备,其特征在于,所述收发模块还用于:The first terminal device according to any one of claims 22 to 29, wherein the transceiver module is further configured to:
    向所述第二终端设备发送第三消息,所述第三消息携带以下任一项:第一业务信息、第一保护指示、第二DNN、第二切片信息,所述第一业务信息为所述第一终端设备将使用的业务对应的业务信息,所述第一保护指示用于指示所述第一终端设备期望的所述第一终端设备与所述第一接入网设备之间进行数据通信时执行的保护机制;Send a third message to the second terminal device, where the third message carries any of the following: first service information, first protection indication, second DNN, and second slice information, where the first service information is all the service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate that the first terminal device expects data to be performed between the first terminal device and the first access network device the protection mechanisms implemented when communicating;
    接收所述第二终端设备发送的第二保护指示,所述第二保护指示用于指示所述第一终端设备与所述第一接入网设备之间进行数据通信时执行的保护机制。A second protection indication sent by the second terminal device is received, where the second protection indication is used to indicate a protection mechanism executed during data communication between the first terminal device and the first access network device.
  32. 一种第二终端设备,其特征在于,所述第二终端设备包括:A second terminal device, characterized in that the second terminal device comprises:
    处理模块,用于确定第一参数,其中,所述第二终端设备支持提供中继服务的功能,所述第一参数用于指示所述第二终端设备与第一接入网设备之间进行通信的安全信息;A processing module, configured to determine a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to instruct the second terminal device to perform communication between the second terminal device and the first access network device security information for communications;
    收发模块,用于发送第一消息,所述第一消息携带所述第一参数。A transceiver module, configured to send a first message, where the first message carries the first parameter.
  33. 根据权利要求32所述的第二终端设备,其特征在于,所述第一参数包括以下至少一项:The second terminal device according to claim 32, wherein the first parameter comprises at least one of the following:
    第一协议数据单元PDU会话支持的第一安全保护方式、所述第一接入网设备的类型、第一指示信息、第二指示信息、数字签名、所述第二终端设备的标识、所述第二终端设备归属的或服务的网络标识ID、第一数据网络名称DNN、或者、第一切片信息;The first security protection mode supported by the first protocol data unit PDU session, the type of the first access network device, the first indication information, the second indication information, the digital signature, the identifier of the second terminal device, the The network identifier ID, the first data network name DNN, or the first slice information to which the second terminal device belongs or serves;
    其中,所述第一PDU会话为所述第二终端设备上已建立的PDU会话,所述第一指示信息为所述第一接入网设备支持按需安全保护方式的指示信息,所述第二指示信息用于指示所述第一接入网设备具备支持完整性保护的能力,所述数字签名为所述第二终端设备通过所述第二终端设备的私钥或所述第二终端设备的根证书生成的,所述第一DNN为所述第二终端设备支持提供中继服务的DNN,所述第一切片信息为所述第二终端设备支持提供中继服务的切片的信息。The first PDU session is an established PDU session on the second terminal device, the first indication information is indication information that the first access network device supports an on-demand security protection mode, and the first The second indication information is used to indicate that the first access network device has the ability to support integrity protection, and the digital signature is the second terminal device using the private key of the second terminal device or the second terminal device. The first DNN is the DNN that the second terminal device supports to provide the relay service, and the first slice information is the information of the slice that the second terminal device supports to provide the relay service.
  34. 根据权利要求32或33所述的第二终端设备,其特征在于,所述收发模块还用于:The second terminal device according to claim 32 or 33, wherein the transceiver module is further configured to:
    接收所述第一终端设备发送的第二消息,所述第二消息携带第一安全策略,所述第一 安全策略为所述第一终端设备确定的所述第一终端设备将使用的业务对应的安全策略;Receive a second message sent by the first terminal device, where the second message carries a first security policy, where the first security policy corresponds to a service determined by the first terminal device to be used by the first terminal device security policy;
    所述处理模块还用于:The processing module is also used for:
    根据所述第一安全策略确定第一安全保护方式;determining a first security protection mode according to the first security policy;
    将所述第一安全保护方式作为所述第一终端设备与所述第二终端设备之间的数据通信所采用的安全保护方式;using the first security protection mode as the security protection mode adopted for the data communication between the first terminal device and the second terminal device;
    所述收发模块还用于:The transceiver module is also used for:
    向所述第一终端设备发送所述第一安全保护方式。Send the first security protection mode to the first terminal device.
  35. 根据权利要求32或33所述的第二终端设备,其特征在于,所述收发模块还用于:The second terminal device according to claim 32 or 33, wherein the transceiver module is further configured to:
    接收所述第一终端设备发送的第二消息,所述第二消息携带第一安全策略,所述第一安全策略为所述第一终端设备确定的所述第一终端设备将使用的业务对应的安全策略;Receive a second message sent by the first terminal device, where the second message carries a first security policy, where the first security policy corresponds to a service determined by the first terminal device to be used by the first terminal device security policy;
    所述处理模块还用于:The processing module is also used for:
    根据所述第一安全策略和第二安全策略确定第三安全保护方式,所述第二安全策略为所述第二终端设备确定的所述第一终端设备将使用的业务对应的安全策略;Determine a third security protection mode according to the first security policy and the second security policy, where the second security policy is a security policy determined by the second terminal device corresponding to the service to be used by the first terminal device;
    将所述第三安全保护方式作为所述第二终端设备与所述第一接入网设备之间的数据通信所采用的安全保护方式;using the third security protection mode as the security protection mode adopted for the data communication between the second terminal device and the first access network device;
    所述收发模块还用于:The transceiver module is also used for:
    向所述第一终端设备发送所述第三安全保护方式。Send the third security protection mode to the first terminal device.
  36. 根据权利要求34所述的第二终端设备,其特征在于,所述第一安全保护方式与第二安全保护方式一致,所述第二安全保护方式为所述第二终端设备与所述第一接入网设备之间的已建立的第二PDU会话支持的安全保护方式。The second terminal device according to claim 34, wherein the first security protection mode is consistent with a second security protection mode, and the second security protection mode is the second terminal device and the first security protection mode. The security protection mode supported by the established second PDU session between the access network devices.
  37. The second terminal device according to claim 36, wherein that the first security protection mode is consistent with the second security protection mode comprises:
    if the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session is encryption protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session is integrity protection enabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session is encryption protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session is integrity protection disabled, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that encryption protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode;
    or,
    if the first security policy indicates that integrity protection is preferred, the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
  38. The second terminal device according to claim 34, wherein the transceiver module is further configured to:
    if the first security protection mode is inconsistent with the second security protection mode, send a first request message to an SMF network element;
    wherein the first request message is used to request modification of the second PDU session or to request establishment of a third PDU session, the first request message carries a third parameter, the third parameter is used to indicate security information for data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the established second PDU session between the second terminal device and the first access network device;
    receive a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
  39. The second terminal device according to claim 38, wherein that the first security protection mode is inconsistent with the second security protection mode comprises:
    if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is encryption protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode;
    or,
    if the first security policy indicates that integrity protection is preferred, and the second security protection mode is integrity protection disabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode;
    or,
    if the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, and the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
  40. The second terminal device according to claim 38 or 39, wherein the third parameter comprises at least one of the following:
    first service information, a second DNN, second slice information, the first security policy, and the first security protection mode;
    wherein the first service information is service information corresponding to a service to be used by the first terminal device, the second DNN is a DNN to be accessed by the first terminal device, and the second slice information is information about a slice to be accessed by the first terminal device.
  41. The second terminal device according to any one of claims 34 to 40, wherein the transceiver module is further configured to:
    receive a third message sent by the first terminal device;
    wherein the third message carries at least one of the following: first service information, a second DNN, second slice information, and a first protection indication, the first service information being service information corresponding to a service to be used by the first terminal device, the second DNN being a DNN to be accessed by the first terminal device, the second slice information being information about a slice to be accessed by the first terminal device, and the first protection indication being used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device;
    the processing module is further configured to:
    determine a second protection indication according to the third message, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device;
    the transceiver module is further configured to:
    send the second protection indication to the first terminal device.
  42. The second terminal device according to any one of claims 34 to 40, wherein the processing module is further configured to:
    if the second terminal device does not receive a protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device;
    the transceiver module is further configured to:
    send the second protection indication to the first terminal device.
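As an added illustration (not code from the patent), the consistency decision of claims 37 and 39 written out in Python: the per-feature values of the first security policy (required / preferred / not needed for encryption and for integrity) are compared against the ciphering and integrity state of the existing second PDU session, and the result is either to adopt the session's mode as the first security protection mode or to send the first request message to the SMF. Two points are assumptions of this example: both features must match for the modes to count as consistent (the claims list the per-feature conditions as alternatives without fixing the combination), and the `strict_preferred` flag selects between claim 37's handling of "preferred" (adopt whatever the session supports) and claim 39's (preferred but disabled is a mismatch); all type and function names are mine.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    """Per-feature value of the first security policy (terms from the claims)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    """First security policy: one Policy value for ciphering, one for integrity."""
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class ProtectionMode:
    """Security protection mode of a PDU session (the second security protection mode)."""
    ciphering_on: bool
    integrity_on: bool


def feature_matches(policy: Policy, enabled: bool, strict_preferred: bool) -> bool:
    """Per-feature consistency test for ciphering or integrity.
    required   -> session must have the feature enabled (claim 37)
    not needed -> session must have the feature disabled (claim 37)
    preferred  -> claim 37 adopts whatever the session supports; claim 39 treats
                  'preferred but disabled' as a mismatch; strict_preferred picks
                  which reading applies (assumption of this example)."""
    if policy is Policy.REQUIRED:
        return enabled
    if policy is Policy.NOT_NEEDED:
        return not enabled
    return enabled if strict_preferred else True


def decide_first_mode(policy: SecurityPolicy, session_mode: ProtectionMode,
                      strict_preferred: bool = False):
    """Return ('adopt', mode) when the second PDU session's mode is consistent with
    the policy (it becomes the first security protection mode), or
    ('request_smf', None) when the second terminal device must send the first
    request message to modify the second PDU session or establish a third one.
    Assumption: both ciphering and integrity must match for consistency."""
    cipher_ok = feature_matches(policy.ciphering, session_mode.ciphering_on, strict_preferred)
    integ_ok = feature_matches(policy.integrity, session_mode.integrity_on, strict_preferred)
    if cipher_ok and integ_ok:
        return ("adopt", session_mode)
    return ("request_smf", None)
```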
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/105761 WO2022021198A1 (en) 2020-07-30 2020-07-30 Communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2022021198A1 true WO2022021198A1 (en) 2022-02-03

Family

ID=80036921

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20946547; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20946547; Country of ref document: EP; Kind code of ref document: A1)