WO2022021198A1 - Communication method and apparatus - Google Patents
- Publication number: WO2022021198A1 (PCT/CN2020/105761)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- terminal device
- security
- protection mode
- protection
- security protection
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/20—Selecting an access point
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/04—Terminal devices adapted for relaying to or from another terminal or user
Definitions
- the present application relates to the field of communication technologies, and in particular, to a communication method and device thereof.
- In short-range service communication, a user equipment (user equipment, UE1) communicates with the network through another user equipment UE2, that is, UE2 provides a relay service for UE1. UE1 needs to select a suitable UE2 and communicate with the network through it. How to select UE2 is a problem that currently needs to be solved.
- Embodiments of the present application provide a communication method and a device thereof, which are used by a first terminal device to select a second terminal device according to a first parameter, so as to meet the security requirements of communication between the first terminal device and the network.
- a first aspect of the embodiments of the present application provides a communication method, the method includes:
- the first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the first terminal device selects a second terminal device according to the first parameter, where the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
- the first terminal device can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that, to a certain extent, the security requirements of the subsequent communication between the first terminal device and the network can be met.
- the first parameter includes at least one of the following: a first security protection mode supported by a first protocol data unit (protocol data unit, PDU) session, the type of the first access network device, first indication information, second indication information, a digital signature, the identifier of the second terminal device, the network identification ID of the network to which the second terminal device belongs or which serves the second terminal device, a first data network name (DNN), or first slice information; wherein the first PDU session is an established PDU session on the second terminal device, the first indication information indicates whether the first access network device supports the on-demand security protection mode, the second indication information is used to indicate that the first access network device has the capability to support integrity protection, the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device, the first DNN is a DNN for which the second terminal device supports providing the relay service, and the first slice information is information of a slice for which the second terminal device supports providing the relay service.
- the first parameter is used to indicate security information for communication between the second terminal device and the first access network device.
- it may be the security protection mode supported by the PDU session established by the second terminal device; or the type of the first access network device to which the second terminal device is connected; or the DNN or slice information for which the second terminal device supports the relay service. It can be seen from this implementation that the parameters used to indicate the security information for communication between the second terminal device and the first access network device are diverse, which helps the first terminal device select a suitable second terminal device that meets the security requirements for communication between the first terminal device and the network, and improves the achievability and practicability of the solution.
- before the first terminal device selects the second terminal device according to the first parameter, the method further includes: the first terminal device determines a first security policy, where the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device;
- the first terminal device selects the second terminal device according to the first parameter, including:
- the first terminal device selects the second terminal device according to the first security policy and the first parameter.
- the first terminal device may first determine the corresponding first security policy from the service to be used by the first terminal device, and select the second terminal device in combination with the first security policy and the first parameter, thereby further enabling the first terminal device to select a suitable second terminal device to provide relay services for the first terminal device.
- the first security policy indicates that integrity protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: the first terminal device selects the second terminal device according to certain information carried by the first parameter.
- the first security policy indicates that encryption protection is required or preferred; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: the first terminal device selects the second terminal device according to certain information carried by the first parameter when the first security policy indicates that encryption protection is required or preferred.
- Multiple possible implementations improve the achievability and diversity of the solution.
- the first terminal device selects the second terminal device according to the first security policy and the first parameter, including: if the first security policy is consistent with a second security policy, the first terminal device selects the second terminal device, where the second security policy is a security policy associated with the first DNN and/or the first slice information.
- the first terminal device can determine the corresponding second security policy from the first DNN and/or the first slice information carried by the first parameter, and then select the second terminal device in combination with the first security policy and the second security policy.
- the method further includes: the first terminal device receives a second message, where the second message carries a second parameter, and the second parameter is used to indicate security information for communication between a third terminal device and a second access network device; the first terminal device selecting the second terminal device according to the first parameter includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
- when the first terminal device receives multiple parameters sent by terminal devices that can act as relay nodes, the first terminal device may select the second terminal device in combination with the multiple received parameters.
- the first terminal device selects the second terminal device according to the first parameter and the second parameter, including: if the first parameter includes the first security protection mode supported by the first PDU session, the first security protection mode is that integrity protection is enabled, the second parameter includes a second security protection mode supported by a second PDU session, and the second security protection mode is that integrity protection is not enabled, the first terminal device selects the second terminal device, where the first PDU session is an established PDU session on the second terminal device and the second PDU session is the PDU session to which the second parameter corresponds.
- if the second parameter includes third indication information and the third indication information indicates that the second access network device does not support the on-demand protection mode, the first terminal device selects the second terminal device.
- the method further includes: the first terminal device sends a second message to the second terminal device, where the second message carries the first security policy.
- the first terminal device sends the first security policy to the second terminal device, so that the second terminal device determines the first security protection mode between the first terminal device and the second terminal device.
- the method further includes: the first terminal device sends a third message to the second terminal device, where the third message carries any one of the following: first service information, a first protection indication, a second DNN, or second slice information; the first service information is service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; then, the first terminal device receives a second protection indication sent by the second terminal device, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device.
- the first terminal device and the second terminal device determine, through negotiation, a protection mechanism to be executed during data communication between the first terminal device and the first access network device.
- the first security policy includes a protection requirement for encryption protection and a protection requirement for integrity protection; the first terminal device selecting the second terminal device according to the first security policy and the first parameter includes: when the first terminal device determines, through the first parameter, that the second terminal device meets both the protection requirement for encryption protection and the protection requirement for integrity protection, the first terminal device selects the second terminal device.
- when selecting the second terminal device, the first terminal device should select a second terminal device that satisfies both the encryption protection requirement and the integrity protection requirement of the first terminal device.
- the method further includes: the first terminal device verifies the digital signature; if the verification succeeds, the first terminal device performs the step of selecting the second terminal device according to the first security policy and the first parameter.
- the first terminal device verifies the digital signature carried in the first message, and only if the verification succeeds does it select the second terminal device according to the first parameter carried in the first message and the first security policy, so as to avoid the first parameter being tampered with during transmission, which would affect the selection of an appropriate second terminal device by the first terminal device.
- the first message also carries the identifier of the second terminal device; the first terminal device verifying the digital signature includes: the first terminal device determines, according to the identifier of the second terminal device, the public key corresponding to the private key of the second terminal device; then, the first terminal device verifies the digital signature with the public key.
- the first message also carries the network identification ID of the network to which the second terminal device belongs or which serves it; the first terminal device verifying the digital signature includes: the first terminal device determines, according to the network identification ID, the root certificate corresponding to the second terminal device; then, the first terminal device verifies the digital signature with the root certificate.
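The selection procedure of the first aspect (verify the signature on the first message, then match the first security policy against the security information in the first parameter) can be written out as follows. This is an added example, not code from the patent: the class and function names, the scoring rule (a REQUIRED protection must already be enabled on the relay's PDU session; a PREFERRED one ranks an enabled session above one the access network could still switch on through on-demand protection), and the HMAC tag used as a symmetric stand-in for the relay's private-key signature are all assumptions, and the adverts and keys are constructed sample data.

```python
"""Relay-UE selection by a remote UE (UE1) from advertised security parameters.
Added example; names, scoring rule and the HMAC stand-in are assumptions."""
from dataclasses import dataclass, asdict
from enum import Enum
import hashlib
import hmac
import json
from typing import Callable, Dict, Iterable, Optional


class Req(Enum):
    """Per-dimension requirement carried by the first security policy."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class SecurityPolicy:          # UE1's "first security policy"
    integrity: Req
    ciphering: Req


@dataclass
class RelayAdvert:
    """The 'first parameter' a candidate relay (UE2) carries in its first message."""
    relay_id: str
    integrity_on: bool           # protection mode of UE2's established PDU session
    ciphering_on: bool
    ran_on_demand: bool          # first indication: gNB supports on-demand protection
    ran_integrity_capable: bool  # second indication: gNB can apply integrity protection
    dnns: tuple                  # first DNN(s) for which UE2 offers the relay service
    signature: bytes = b""

    def signed_bytes(self) -> bytes:
        fields = asdict(self)
        fields.pop("signature")   # the tag covers every other field
        return json.dumps(fields, sort_keys=True).encode()


def sign_advert(key: bytes, advert: RelayAdvert) -> bytes:
    # Constructed stand-in for the relay's private-key signature (symmetric HMAC).
    return hmac.new(key, advert.signed_bytes(), hashlib.sha256).digest()


def make_verifier(keys_by_relay: Dict[str, bytes]) -> Callable[[RelayAdvert], bool]:
    """Key material is looked up by the relay identifier, as the page describes for the public key."""
    def verify(advert: RelayAdvert) -> bool:
        key = keys_by_relay.get(advert.relay_id)
        return key is not None and hmac.compare_digest(sign_advert(key, advert), advert.signature)
    return verify


def _score(req: Req, enabled: bool, can_turn_on: bool) -> Optional[int]:
    """Score one protection dimension; None means the relay cannot satisfy the policy."""
    if req is Req.REQUIRED:
        return 2 if enabled else None
    if req is Req.PREFERRED:
        return 2 if enabled else (1 if can_turn_on else 0)
    return 0


def score_relay(policy: SecurityPolicy, advert: RelayAdvert, dnn: Optional[str]) -> Optional[int]:
    if dnn is not None and dnn not in advert.dnns:
        return None               # relay does not serve the DNN UE1 wants
    integ = _score(policy.integrity,
                   advert.integrity_on and advert.ran_integrity_capable,
                   advert.ran_on_demand and advert.ran_integrity_capable)
    ciph = _score(policy.ciphering, advert.ciphering_on, advert.ran_on_demand)
    if integ is None or ciph is None:
        return None
    return integ + ciph


def select_relay(policy: SecurityPolicy, adverts: Iterable[RelayAdvert],
                 verify: Callable[[RelayAdvert], bool], dnn: Optional[str] = None) -> Optional[RelayAdvert]:
    """Drop adverts whose signature fails, then pick the best-scoring candidate."""
    scored = []
    for advert in adverts:
        if not verify(advert):
            continue              # tampered or unknown relay: never selected
        score = score_relay(policy, advert, dnn)
        if score is not None:
            scored.append((score, advert))
    if not scored:
        return None
    return max(scored, key=lambda pair: pair[0])[1]


def build_sample():
    """Constructed sample: three relay adverts, each signed with its own key."""
    keys = {"relay-A": b"key-A", "relay-B": b"key-B", "relay-C": b"key-C"}
    adverts = [
        RelayAdvert("relay-A", True, True, True, True, ("internet",)),
        RelayAdvert("relay-B", False, True, False, True, ("internet", "ims")),
        RelayAdvert("relay-C", True, False, True, True, ("ims",)),
    ]
    for advert in adverts:
        advert.signature = sign_advert(keys[advert.relay_id], advert)
    return adverts, make_verifier(keys)


if __name__ == "__main__":
    sample, verifier = build_sample()
    chosen = select_relay(SecurityPolicy(Req.REQUIRED, Req.PREFERRED), sample, verifier, dnn="internet")
    print("selected:", chosen.relay_id if chosen else None)
```

The signature check runs before any policy matching, so an advert whose fields were changed in transit is simply not a candidate; when no verified candidate satisfies a REQUIRED dimension, the function returns None rather than falling back to a weaker relay.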
- a second aspect of the embodiments of the present application provides a communication method, the method comprising:
- the second terminal device determines a first parameter, where the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the second terminal device sends a first message, where the first message carries the first parameter.
- the second terminal device sends the first parameter to the first terminal device, so that when selecting the second terminal device, the first terminal device can select, according to the first parameter, a second terminal device that matches the security requirements of the first terminal device, so that, to a certain extent, the security requirements of the subsequent communication between the first terminal device and the network can be met.
- the first parameter includes at least one of the following: a first security protection mode supported by the first PDU session, the type of the first access network device, first indication information, second indication information, a digital signature, the identifier of the second terminal device, the network identification ID of the network to which the second terminal device belongs or which serves it, the first DNN, or the first slice information; wherein the first PDU session is an established PDU session on the second terminal device.
- the first indication information indicates whether the first access network device supports the on-demand security protection mode.
- the second indication information is used to indicate that the first access network device has the capability to support integrity protection.
- the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device, and the first DNN is a DNN for which the second terminal device supports providing the relay service.
- the first slice information is information of a slice for which the second terminal device supports providing the relay service.
- the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device; the second terminal device determines a first security protection mode according to the first security policy; the second terminal device uses the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device; the second terminal device sends the first security protection mode to the first terminal device.
- the second terminal device may determine a first security protection mode in combination with the first security policy sent by the first terminal device, and use the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device, thereby determining the security protection mode between the first terminal device and the second terminal device.
- the second terminal device and the first access network device may negotiate the security protection mode between the second terminal device and the first access network device, so that both the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated.
- the method further includes: the second terminal device receives a second message sent by the first terminal device, where the second message carries a first security policy, and the first security policy is the security policy, determined by the first terminal device, corresponding to the service to be used by the first terminal device; the second terminal device uses a third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device; the second terminal device sends the third security protection mode to the first terminal device.
- the second terminal device may determine the third security protection mode in combination with the third security policy and the first security policy sent by the first terminal device, and use the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device, so as to determine the security protection mode between the second terminal device and the first access network device; that is, a security protection mode is negotiated between the second terminal device and the first access network device.
- the first security protection manner is consistent with the second security protection manner, where the second security protection manner is the security protection manner supported by a second PDU session, and the second PDU session is an established PDU session between the second terminal device and the first access network device.
- when the second terminal device determines the first security protection mode, it may consider the PDU sessions already established by the second terminal device, and preferentially select a PDU session that supports the first security protection mode to provide services for the first terminal device.
- the first security protection manner being consistent with the second security protection manner includes: the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
- the second terminal device selects a second PDU session on the second terminal device, and the second security protection mode supported by the second PDU session is consistent with the first security protection mode.
- the method further includes: if the first security protection manner is inconsistent with the second security protection manner, the second terminal device sends a first request message to a session management function (session management function, SMF) network element; wherein the first request message is used to request modification of the second PDU session or establishment of a third PDU session, the first request message carries a third parameter, the third parameter is used to indicate security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session established between the second terminal device and the first access network device; the second terminal device receives a fourth security protection mode sent by the first access network device, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
- when the second security protection mode supported by the second PDU session is inconsistent with the first security protection mode, the second terminal device sends a first request message to the SMF network element to request modification of the second PDU session or establishment of a third PDU session, and then receives the fourth security protection mode sent by the first access network device, so that the fourth security protection mode between the second terminal device and the first access network device is the same as the first security protection mode.
- the first security protection manner being inconsistent with the second security protection manner includes: if the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is that encryption protection is not enabled, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
- the third parameter includes at least one of the following: the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode; where the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, and the second slice information is information of the slice to be accessed by the first terminal device.
- the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, so that the SMF network element determines the third security policy and the first access network device determines the fourth security protection mode, making the fourth security protection mode the same as the first security protection mode.
- the method further includes: the second terminal device receives a third message sent by the first terminal device; wherein the third message carries at least one of the following information: first service information, second DNN, second slice information and a first protection indication; the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device; the method further includes: the second terminal device determines a second protection indication according to the third message, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device; the second terminal device sends the second protection indication to the first terminal device.
- This shows an implementation in which the first terminal device, the second terminal device and the third terminal device negotiate the protection mechanism executed during data communication between the first terminal device and the first access network device.
- the method further includes: if the second terminal device does not receive a protection indication sent by the first terminal device, the second terminal device determines a second protection indication, where the second protection indication is used to indicate the protection mechanism to be executed during data communication between the first terminal device and the first access network device; then, the second terminal device sends the second protection indication to the first terminal device.
- a third aspect of the embodiments of the present application provides a communication method, the method comprising:
- the SMF network element receives a first request message sent by the second terminal device, where the first request message is used to request modification of the second PDU session or establishment of a third PDU session, the first request message carries a third parameter, and the third parameter is used to indicate security information of the data communication between the first terminal device and the second terminal device; then, the SMF network element determines a third security policy according to the third parameter, where the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; the SMF network element sends a fourth message to the first access network device, where the fourth message carries the third security policy.
- the SMF network element may determine the third security policy according to the first request message and send it to the first access network device, so that the first access network device determines the fourth security protection mode according to the third security policy and the fourth security protection mode is consistent with the first security protection mode, thereby making the first security protection mode negotiated between the first terminal device and the second terminal device consistent with the fourth security protection mode between the second terminal device and the first access network device.
- the SMF network element determines the third security policy according to the third parameter, including: the SMF network element sends at least one of the following information to a unified data management (unified data management, UDM) network element Item: the first service information, the second DNN and the second slice information; the SMF network element receives the subscription security policy sent by the UDM network element; the SMF network element uses the subscription security policy as the third security policy, Alternatively, the SMF network element determines the third security policy according to the subscription security policy and the first security policy, or the SMF network element determines the third security policy according to the subscription security policy and the first security protection mode.
- UDM unified data management
- the specific process of determining the third security policy by the SMF network element according to at least one item of the first service information, the second DNN and the second slice information is shown, which improves the achievability of the solution.
- the SMF network element determining the third security policy according to the third parameter includes: the SMF network element determining the third security policy according to at least one item of information in the first security policy and the first security protection manner.
- the manner in which the SMF network element determines the third security policy according to at least one item of information in the first security policy and the first security protection manner carried by the third parameter is shown, which improves the diversity of the solution.
- the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
- a fourth aspect of the embodiments of the present application provides a communication method.
- the method includes: a first access network device receives a second message sent by an SMF network element, where the second message carries a third security policy, and the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; then, the first access network device determines a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device; the first access network device sends the fourth security protection mode to the second terminal device.
- the first access network device determines a fourth security protection mode according to the third security policy sent by the SMF network element and sends the fourth security protection mode to the second terminal device; the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device, so that the negotiation of the first security protection mode and the fourth security protection mode is achieved.
- the second message further carries at least one of the following: the first security policy, the first security protection mode; the first access network device determining the fourth security protection mode according to the third security policy includes:
- the first access network device determines the fourth security protection mode according to the third security policy and the first security protection mode; or,
- the first access network device determines a fourth security protection manner according to the third security policy and the first security policy; or,
- the first access network device determines a fourth security protection manner according to the third security policy, the first security protection manner and the first security policy.
- a fifth aspect of the embodiments of the present application provides a first terminal device, where the first terminal device includes:
- a transceiver module configured to receive a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
- the processing module is configured to select the second terminal device according to the first parameter, and the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
- the first parameter includes at least one of the following:
- the first PDU session is an established PDU session on the second terminal device
- the first indication information is the indication information of whether the first access network device supports the on-demand security protection mode
- the second indication information is used to indicate that the first access network device has the ability to support integrity protection
- the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
- the first DNN is the DNN for which the second terminal device supports providing the relay service
- the first slice information is information of the slice that the second terminal device supports to provide the relay service.
- processing module is also used to:
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
- This processing module is specifically used for:
- the second terminal device is selected according to the first security policy and the first parameter.
- the first security policy indicates that integrity protection is required or tends to be preferred;
- the processing module is specifically used for:
- the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, then select the second terminal device; or,
- the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the ability to support enabling integrity protection, select the second terminal device; or,
- the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, select the second terminal device; or,
- the second terminal device is selected.
- the first security policy indicates that encryption protection is required or tends to be preferred;
- the processing module is specifically used for:
- the second terminal device is selected.
- processing module is specifically used for:
- the second terminal device is selected, and the second security policy is the security policy associated with the first DNN and/or the first slice information.
- the transceiver module is also used for:
- the second message carries a second parameter, where the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device;
- This processing module is specifically used for:
- the second terminal device is selected according to the first parameter and the second parameter.
- processing module is specifically used for:
- the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection
- the second parameter includes the second security protection mode supported by the second PDU session, and the The second security protection mode is to not enable integrity protection
- select the second terminal device, where the first PDU session is an established PDU session on the second terminal device, and the second PDU session is an established PDU session on the third terminal device; or,
- the second parameter includes third indication information, and the third indication information indicates that the second access network device does not support the on-demand protection mode, then the second terminal device is selected.
- the transceiver module is also used for:
- the transceiver module is also used for:
- the third message carries any of the following: first service information, first protection indication, second DNN, and second slice information, where the first service information is the service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed when performing data communication between the first terminal device and the first access network device;
- a second protection indication sent by the second terminal device is received, where the second protection indication is used to indicate a protection mechanism executed during data communication between the first terminal device and the first access network device.
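The selection conditions of the fifth aspect above, together with the pairwise comparison of a first parameter and a second parameter from two candidate relays, read as a decision procedure. The following Python is an added illustration written for this page, not code from the patent or from any 3GPP implementation. It assumes field names for the first parameter, the three 5G user-plane policy values REQUIRED, PREFERRED and NOT_NEEDED for the integrity part of the first security policy, and that an access network device of type `gNB` is one that can enable integrity protection; it generalizes the two-candidate comparison to a ranking over any number of candidates and fails closed when the policy is REQUIRED and no relay can satisfy it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Policy(Enum):
    """Integrity value of UE1's first security policy (5G user-plane policy values)."""
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class FirstParameter:
    """Security information a candidate relay (UE2) advertises about its own link
    to the first access network device. Field names are assumptions for this example."""
    relay_id: str
    session_integrity_on: Optional[bool]  # first security protection mode of the first PDU session; None = no session
    ran_type: Optional[str]               # type of the first access network device
    on_demand_supported: Optional[bool]   # first indication information
    integrity_capable: Optional[bool]     # second indication information


# Assumption: access network types taken to support enabling user-plane integrity.
INTEGRITY_CAPABLE_RAN_TYPES = frozenset({"gNB"})


def satisfies_integrity(p: FirstParameter) -> bool:
    """Any one of the alternative selection conditions is enough."""
    return (
        p.session_integrity_on is True
        or p.integrity_capable is True
        or p.ran_type in INTEGRITY_CAPABLE_RAN_TYPES
        or p.on_demand_supported is True
    )


def rank(p: FirstParameter) -> int:
    """Pairwise preference as a score: a session that already has integrity on
    beats a merely capable access network, which beats on-demand support alone."""
    score = 0
    if p.session_integrity_on is True:
        score += 4
    if p.integrity_capable is True or p.ran_type in INTEGRITY_CAPABLE_RAN_TYPES:
        score += 2
    if p.on_demand_supported is True:
        score += 1
    return score


def select_relay(integrity_policy: Policy,
                 candidates: Iterable[FirstParameter]) -> Optional[str]:
    """Return the relay_id of the selected second terminal device, or None."""
    cands = list(candidates)
    if not cands:
        return None
    if integrity_policy is Policy.NOT_NEEDED:
        return cands[0].relay_id                 # the policy imposes no constraint
    suitable = [c for c in cands if satisfies_integrity(c)]
    if suitable:
        return max(suitable, key=rank).relay_id  # first best-ranked candidate wins
    if integrity_policy is Policy.REQUIRED:
        return None                              # fail closed: no relay can meet REQUIRED
    return cands[0].relay_id                     # PREFERRED tolerates a relay without integrity


# Constructed sample first messages from three candidate relays.
CANDIDATES = [
    FirstParameter("UE2", False, "gNB", True, True),
    FirstParameter("UE3", True, "gNB", True, True),
    FirstParameter("UE4", None, "ng-eNB", False, False),
]

if __name__ == "__main__":
    for pol in Policy:
        print(pol.name, "->", select_relay(pol, CANDIDATES))
```

The ranking only orders relays that already pass the policy; a relay whose session has integrity switched off is never preferred over one that has it on, which is the two-candidate rule stated above.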
- a sixth aspect of the embodiments of the present application provides a second terminal device, where the second terminal device includes:
- a processing module configured to determine a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate the security information of communication between the second terminal device and the first access network device;
- a transceiver module configured to send a first message, where the first message carries the first parameter.
- the first parameter includes at least one of the following:
- the first PDU session is an established PDU session on the second terminal device
- the first indication information is the indication information that the first access network device supports the on-demand security protection mode
- the second indication information is used to indicate that the first access network device has the ability to support integrity protection
- the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
- the first DNN is the DNN for which the second terminal device supports providing the relay service
- the first slice information is information of the slice that the second terminal device supports to provide the relay service.
- the transceiver module is also used for:
- the second message carries a first security policy
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
- This processing module is also used to:
- determine the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device;
- the transceiver module is also used to:
- the transceiver module is also used for:
- the second message carries a first security policy
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
- This processing module is also used to:
- determine the third security protection mode as the security protection mode adopted for the data communication between the second terminal device and the first access network device;
- the transceiver module is also used to:
- the first security protection manner is consistent with the second security protection manner
- the second security protection manner is the security protection manner supported by the second PDU session established between the second terminal device and the first access network device.
- the first security protection manner is consistent with the second security protection manner, including:
- the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
- the transceiver module is also used for:
- the first request message is used to request to modify the second PDU session or to request to establish a third PDU session
- the first request message carries a third parameter
- the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the second PDU session established between the second terminal device and the first access network device;
- the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
- the first security protection manner is inconsistent with the second security protection manner, including:
- the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
- the third parameter includes at least one of the following:
- the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
- the first service information is service information corresponding to the service to be used by the first terminal device
- the second DNN is the DNN to be accessed by the first terminal device
- the second slice information is information about the slice to be accessed by the first terminal device.
- the transceiver module is also used for:
- the third message carries at least one of the following information: first service information, second DNN, second slice information and first protection indication, where the first service information is the service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is the information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed when data communication is performed between the first terminal device and the first access network device;
- This processing module is also used to:
- the second protection indication is used to indicate a protection mechanism to be executed during data communication between the first terminal device and the first access network device;
- the transceiver module is also used to:
- processing module is also used to:
- if the second terminal device does not receive the protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism implemented when data communication is performed between the first terminal device and the first access network device;
- the transceiver module is also used to:
- a seventh aspect of the embodiments of the present application provides an SMF network element, where the SMF network element includes:
- a transceiver module configured to receive a first request message sent by the second terminal device, where the first request message is used to request to modify the second PDU session or to request to establish a third PDU session, and the first request message carries a third parameter, where the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device;
- a processing module configured to determine a third security policy according to the third parameter, where the third security policy is a security policy corresponding to the service to be used by the first terminal device determined by the SMF network element;
- the transceiver module is configured to send a fourth message to the first access network device, where the fourth message carries the third security policy.
- the third parameter includes at least one of the following:
- the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
- the first service information is service information corresponding to the service to be used by the first terminal device
- the second DNN is the DNN to be accessed by the first terminal device
- the second slice information is information about the slice to be accessed by the first terminal device.
- processing module is specifically used for:
- the SMF network element receives the subscription security policy sent by the UDM network element;
- processing module is specifically used for:
- the third security policy is determined according to at least one item of information in the first security policy and the first security protection manner.
- the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
- An eighth aspect of the embodiments of the present application provides a first access network device, where the first access network device includes:
- a transceiver module configured to receive a second message sent by the SMF network element, where the second message carries a third security policy, where the third security policy is a security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device;
- a processing module configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is a security protection mode used for data communication between the second terminal device and the first access network device;
- the transceiver module is configured to send the fourth security protection mode to the second terminal device.
- the second message also carries at least one of the following: the first security policy, the first security protection mode; the processing module is specifically used for:
- the fourth security protection mode is determined according to the third security policy and the first security protection mode; or,
- a fourth security protection mode is determined according to the third security policy and the first security policy; or,
- the fourth security protection mode is determined according to the third security policy, the first security protection mode and the first security policy.
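The relay-side consistency check of the sixth aspect, the SMF's derivation of the third security policy in the seventh aspect and the access network's choice of the fourth security protection mode in the eighth aspect form one negotiation, and the following Python models it end to end. It is an added example written for this page, not the patent's or any network's code, and it assumes: a policy takes the values NOT_NEEDED, PREFERRED or REQUIRED separately for integrity and ciphering; REQUIRED and PREFERRED switch a protection on; when the SMF combines the subscription security policy with the first security policy, the stricter value wins; and the first access network device follows the first security protection mode only where the third security policy leaves it a choice. The third constructed scenario shows the case in which the network's policy outranks UE1's request, so the fourth mode is not aligned with the first.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Policy(Enum):
    NOT_NEEDED = 0
    PREFERRED = 1
    REQUIRED = 2


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: Policy
    ciphering: Policy


@dataclass(frozen=True)
class ProtectionMode:
    """A security protection mode: which protections are switched on for a PDU session."""
    integrity_on: bool
    ciphering_on: bool


def mode_from_policy(policy: SecurityPolicy) -> ProtectionMode:
    """Assumption: REQUIRED and PREFERRED switch a protection on, NOT_NEEDED leaves it off."""
    return ProtectionMode(policy.integrity is not Policy.NOT_NEEDED,
                          policy.ciphering is not Policy.NOT_NEEDED)


def consistent(policy: SecurityPolicy, mode: ProtectionMode) -> bool:
    """A mode fits a policy if every REQUIRED protection is on and every
    NOT_NEEDED protection is off; PREFERRED accepts either state."""
    def ok(p: Policy, on: bool) -> bool:
        return (p is not Policy.REQUIRED or on) and (p is not Policy.NOT_NEEDED or not on)
    return ok(policy.integrity, mode.integrity_on) and ok(policy.ciphering, mode.ciphering_on)


def relay_decide(first_policy: SecurityPolicy, second_mode: ProtectionMode
                 ) -> Tuple[str, ProtectionMode, Optional[Dict]]:
    """Second terminal device: reuse the second PDU session when its second security
    protection mode fits UE1's first security policy; otherwise build the third
    parameter for a PDU session modification or establishment request."""
    if consistent(first_policy, second_mode):
        return "reuse", second_mode, None          # second mode becomes the first mode
    first_mode = mode_from_policy(first_policy)
    third_parameter = {"first_security_policy": first_policy,
                       "first_security_protection_mode": first_mode}
    return "modify", first_mode, third_parameter


def smf_third_policy(subscription: SecurityPolicy, third_parameter: Dict) -> SecurityPolicy:
    """SMF: derive the third security policy from the UDM subscription policy and the
    first security policy. Assumption: the stricter value wins per protection."""
    first: SecurityPolicy = third_parameter["first_security_policy"]
    return SecurityPolicy(max(subscription.integrity, first.integrity, key=lambda p: p.value),
                          max(subscription.ciphering, first.ciphering, key=lambda p: p.value))


def ran_fourth_mode(third_policy: SecurityPolicy, first_mode: ProtectionMode) -> ProtectionMode:
    """First access network device: choose the fourth security protection mode from the
    third policy, following the first mode wherever the policy leaves a choice."""
    if consistent(third_policy, first_mode):
        return first_mode
    return mode_from_policy(third_policy)          # the network policy outranks UE1's preference


def negotiate(first_policy: SecurityPolicy, second_mode: ProtectionMode,
              subscription: SecurityPolicy) -> Tuple[str, ProtectionMode, bool]:
    """Run the whole exchange; the flag tells whether the mode used on the UE2-RAN
    leg ended up consistent with the first security protection mode."""
    action, first_mode, third_parameter = relay_decide(first_policy, second_mode)
    if action == "reuse":
        return action, first_mode, True
    third_policy = smf_third_policy(subscription, third_parameter)
    fourth_mode = ran_fourth_mode(third_policy, first_mode)
    return action, fourth_mode, fourth_mode == first_mode


# Constructed scenarios: (UE1 first policy, UE2 existing second mode, UDM subscription policy).
SCENARIOS = [
    (SecurityPolicy(Policy.REQUIRED, Policy.PREFERRED), ProtectionMode(False, True),
     SecurityPolicy(Policy.PREFERRED, Policy.REQUIRED)),
    (SecurityPolicy(Policy.PREFERRED, Policy.PREFERRED), ProtectionMode(False, True),
     SecurityPolicy(Policy.REQUIRED, Policy.REQUIRED)),
    (SecurityPolicy(Policy.PREFERRED, Policy.NOT_NEEDED), ProtectionMode(True, True),
     SecurityPolicy(Policy.NOT_NEEDED, Policy.REQUIRED)),
]

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(negotiate(*scenario))
```

The unaligned outcome of the third scenario is exactly the situation the fourth aspect is meant to avoid, so a relay implementation would need to report it back to UE1 rather than silently carry its traffic under a weaker mode.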
- a ninth aspect of an embodiment of the present application provides a first terminal device, where the first terminal device includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the first aspect.
- the first terminal device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
- a tenth aspect of an embodiment of the present application provides a second terminal device, where the second terminal device includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the second aspect.
- the second terminal device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
- An eleventh aspect of an embodiment of the present application provides an SMF network element, where the SMF network element includes: a processor and a memory; a computer program is stored in the memory; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the third aspect.
- the SMF network element includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
- a twelfth aspect of an embodiment of the present application provides a first access network device, where the first access network device includes: a processor and a memory; the memory stores a computer program; the processor is further configured to call and run the computer program stored in the memory, so that the processor implements any one of the implementation manners of the fourth aspect.
- the first access network device includes a transceiver; the processor is configured to control the transceiver to send and receive signals.
- a thirteenth aspect of the embodiments of the present application provides a computer program product including instructions, characterized in that, when the computer program product is run on a computer, the computer is caused to perform the implementation of any one of the first to fourth aspects.
- a fourteenth aspect of the embodiments of the present application provides a computer-readable storage medium, including computer instructions, which, when the computer instructions are executed on a computer, cause the computer to execute any one of the implementations of the first to fourth aspects.
- a fifteenth aspect of an embodiment of the present application provides a chip device, including a processor, which is connected to a memory and calls a program stored in the memory, so that the processor executes any one of the implementation manners of the first to fourth aspects above.
- a sixteenth aspect of an embodiment of the present application provides a communication system, where the communication system includes the first terminal device of the first aspect and the second terminal device of the second aspect.
- the communication system further includes the SMF network element of the third aspect and the first access network device of the fourth aspect.
- the first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the first terminal device selects the second terminal device according to the first parameter. Since the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can, when selecting the second terminal device, use the first parameter to select a second terminal device that matches its own security requirements, so that the second terminal device can meet the security requirements of the subsequent communication between the first terminal device and the network.
- FIG. 1A is a schematic structural diagram of a communication system according to an embodiment of the present application.
- FIG. 1B is a schematic diagram of a network system according to an embodiment of the present application.
- FIG. 1C is another schematic diagram of a network system according to an embodiment of the present application.
- FIG. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application.
- FIG. 3 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- FIG. 4 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- FIG. 5 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application.
- FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a first access network device according to an embodiment of the present application.
- FIG. 10 is another schematic structural diagram of a first terminal device according to an embodiment of the present application.
- FIG. 11 is another schematic structural diagram of an SMF network element according to an embodiment of the present application.
- FIG. 12 is another schematic structural diagram of a first access network device according to an embodiment of the present application.
- FIG. 13 is a schematic diagram of a communication system according to an embodiment of the present application.
- the communication system applied in this application is introduced as follows:
- PLMN public land mobile network
- MNO public mobile network operator
- 3GPP 3rd generation partnership project
- 3GPP networks generally include, but are not limited to, a fifth-generation (5th-generation, 5G) network (referred to as a 5G network), a fourth-generation (4th-generation, 4G) network (referred to as a 4G network), and the like.
- 5G fifth-generation
- 4G fourth-generation
- a PLMN is used as an example for description in this embodiment of the present application.
- the technical solutions provided in this application can also be applied to long term evolution (long term evolution, LTE) systems, LTE frequency division duplex (frequency division duplex, FDD) systems, LTE time division duplex (time division duplex, TDD) systems, universal mobile telecommunication system (universal mobile telecommunication system, UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5th generation, 5G) communication systems, device to device (device to device, D2D) communication systems, vehicle to everything (V2X) communication systems, new radio (NR) or other future communication systems, such as 6G communication systems.
- LTE long term evolution
- FDD frequency division duplex
- TDD time division duplex
- UMTS universal mobile telecommunication system
- WiMAX worldwide interoperability for microwave access
- 5G fifth generation
- D2D device to device
- V2X vehicle to everything
- NR new radio
- the 5G network has made network architecture adjustments compared to the 4G network.
- the 5G network splits the mobility management entity (MME) in the 4G network into the access and mobility management function (AMF), the session management function (session management function, SMF) and other network functions.
- MME mobility management entity
- AMF access and mobility management function
- SMF session management function
- FIG. 1A is a schematic diagram of a network architecture according to an embodiment of the present application, which takes a 5G network architecture based on a service-oriented architecture in a non-roaming scenario defined in the 3GPP standardization process as an example.
- the network architecture can include three parts, namely the terminal equipment part, the PLMN and the data network (DN).
- the terminal equipment part may include a terminal equipment 110, which may also be referred to as user equipment (user equipment, UE).
- the terminal device 110 in this application is a device with a wireless transceiver function, which can communicate with an access network device (or also referred to as an access device) in a radio access network (RAN) 140 and with one or more core network (core network, CN) devices (or also referred to as core devices).
- Terminal equipment 110 may also be referred to as an access terminal, terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, user agent, user device, or the like.
- the terminal device 110 can be deployed on land, including indoor or outdoor, handheld or vehicle; can also be deployed on water (such as ships, etc.); and can also be deployed in the air (such as planes, balloons, satellites, etc.).
- the terminal device 110 may be a cellular phone (cellular phone), a cordless phone, a session initiation protocol (SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a wireless local loop (WLL) station, a personal digital assistant (personal digital assistant, PDA), etc.
- the terminal device 110 may also be a handheld device with a wireless communication function, a computing device or other device connected to a wireless modem, a vehicle-mounted device, a wearable device, a drone device, a terminal in the Internet of Things, the Internet of Vehicles or a 5G network, any form of terminal in a future network, a relay user equipment or a terminal in a future evolved PLMN, etc.
- the relay user equipment may be, for example, a 5G home gateway (residential gateway, RG).
- the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
- VR virtual reality
- AR augmented reality
- This embodiment of the present application does not limit the type of the terminal device.
- PLMN can include: network exposure function (NEF) 131, network storage function (network function repository function, NRF) 132, policy control function (policy control function, PCF) 133, UDM 134, application function (application function, AF) 135, authentication server function (AUSF) 136, access and mobility management function (AMF) 137, SMF 138, user plane function (UPF) 139 and (radio) access network ((radio) access network, (R)AN) 140, etc.
- NEF network exposure function
- NRF network function repository function
- PCF policy control function
- AF application function
- AUSF authentication server function
- AMF access and mobility management function
- UPF user plane function
- the data network DN 120, which may also be referred to as a packet data network (PDN), is usually a network located outside the PLMN, such as a third-party network.
- the PLMN can access multiple data networks DN 120, and multiple services can be deployed on the data network DN 120, so as to provide the terminal device 110 with services such as data and/or voice.
- the data network DN 120 can be a private network of a smart factory, the sensors installed in the workshop of the smart factory can be the terminal equipment 110, and the control server of the sensor is deployed in the data network DN 120, and the control server can provide services for the sensors.
- the sensor can communicate with the control server, obtain the instruction of the control server, and transmit the collected sensor data to the control server according to the instruction.
- the data network DN 120 may be an internal office network of a company, and the mobile phones or computers of employees of the company may be terminal devices 110, and the mobile phones or computers of the employees can access information, data resources, etc. on the internal office network of the company.
- the terminal device 110 may establish a connection with the PLMN through an interface provided by the PLMN (for example, the N1 interface in FIG. 1A , etc.), and use services such as data and/or voice provided by the PLMN.
- the terminal device 110 can also access the data network DN 120 through the PLMN, and use the operator services deployed on the data network DN 120, and/or services provided by third parties.
- the above-mentioned third party may be a service party other than the PLMN and the terminal device 110, and may provide other data and/or voice services for the terminal device 110.
- the specific expression form of the above third party can be specifically determined according to the actual application scenario, and is not limited here.
- the (R)AN 140 is a sub-network of the PLMN and is the implementation system between the service nodes (or network functions) and the terminal equipment 110 in the PLMN.
- to access the PLMN, the terminal device 110 first passes through the (R)AN 140, and then connects with the service node in the PLMN through the (R)AN 140.
- the access network device in the embodiment of the present application is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, a (R)AN device, or a network device.
- the access device includes but is not limited to: next generation node base station (gNB) in the 5G system, evolved node B (eNB) in the LTE system, radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (home evolved node B or home node B, HNB), baseband unit (BBU), transmitting and receiving point (TRP), transmitting point (TP), small base station equipment (pico), mobile switching center, or network equipment in future networks, etc.
- the access device may include a centralized unit (centralized unit, CU), a distributed unit (distributed unit, DU), and the like.
- the CU can also be divided into a CU-control plane (CP) and a CU-user plane (UP), etc.
- the access device may also be an open radio access network (open radio access network, ORAN) architecture, etc. This application does not limit the specific deployment method of the access device.
- the network exposure function NEF (also referred to as the NEF network function or NEF network function entity) 131 is a control plane function provided by the operator.
- the NEF 131 opens the external interface of the PLMN to a third party in a secure manner.
- when the SMF network function 138 needs to communicate with a third-party network function, the NEF 131 can act as a relay for the SMF 138 to communicate with the third-party network entity.
- when the NEF 131 acts as a relay, it can translate the identification information of the subscriber and the identification information of the third-party network function.
- for example, when the NEF 131 sends the subscriber permanent identifier (SUPI) of the subscriber from the PLMN to the third party, the SUPI can be translated into its corresponding external identity (ID); conversely, when the NEF 131 sends the external ID (the ID of the third party's network entity) to the PLMN, it can be translated into the SUPI.
- the network storage function NRF 132 can be used to maintain real-time information of all network function services in the network.
- the policy control function PCF 133 is a control plane function provided by the operator for providing the session management function SMF 138 with policies for PDU sessions.
- the policies may include charging-related policies, QoS-related policies, authorization-related policies, and the like.
- the unified data management UDM 134 is a control plane function provided by the operator, and is responsible for storing information such as subscriber permanent identifier (SUPI), security context (security context), and subscription data of subscribers in the PLMN.
- PLMN subscribers may specifically be users who use services provided by the PLMN, such as users who use the terminal equipment core card of China Telecom, or users who use the terminal equipment core card of China Mobile.
- the SUPI of the subscriber may be the number of the core card of the terminal device, or the like.
- the above-mentioned security context may be data (cookie) or token (token) stored on a local terminal device (for example, a mobile phone).
- the subscription data of the above-mentioned subscriber may be the services bundled with the chip card of the terminal device, such as the data package of the mobile phone chip card, and the like.
- the application function AF 135 is used to perform data routing affected by the application, access the network opening function, and interact with the policy framework for policy control, etc.
- the authentication server function AUSF 136 is a control plane function provided by the operator, and is usually used for first-level authentication, that is, the authentication between the terminal device 110 (subscriber) and the PLMN.
- the access and mobility management function AMF 137 is a control plane network function provided by the PLMN, responsible for the access control and mobility management of the terminal device 110 accessing the PLMN, including, for example, mobility status management, assignment of user temporary identities, and user authentication and authorization functions.
- the session management function SMF 138 is a control plane network function provided by the PLMN, and is responsible for managing the protocol data unit (protocol data unit, PDU) session of the terminal device 110.
- the PDU session is a channel for transmitting PDUs, and the terminal device needs to transmit PDUs to and from the DN 120 through the PDU session.
- PDU sessions may be established, maintained, deleted, etc. by the SMF 138.
- SMF 138 includes session management (such as session establishment, modification and release, including tunnel maintenance between UPF 139 and (R)AN 140, etc.), selection and control of UPF 139, service and session continuity (SSC) mode selection, roaming and other session-related functions.
- the user plane function UPF 139 is a gateway provided by the operator and is the gateway for the PLMN to communicate with the DN 120.
- UPF 139 includes user plane-related functions such as packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, upstream packet detection, and downstream packet storage.
- the network function in the PLMN shown in FIG. 1A may also include a network slice selection function (NSSF) (not shown in FIG. 1A), which is responsible for determining the network slice instance, selecting the AMF network function 137, and the like.
- the network function in the PLMN shown in FIG. 1A may also include a unified data repository (UDR), etc.
- Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
- the meaning of the above-mentioned interface serial number reference may be made to the meaning defined in the 3GPP standard protocol, and this application does not limit the meaning of the above-mentioned interface serial number.
- the terminal device 110 is described by taking a UE as an example, and the interface names between the various network functions in FIG. 1A are only an example.
- other names may also be used for the interface names of the system architecture, which are not limited in this application.
- the mobility management network function in this application may be the AMF 137 shown in FIG. 1A , or may be other network functions having the above-mentioned access and mobility management function AMF 137 in the future communication system.
- the mobility management network function in this application may also be a mobility management entity (mobility management entity, MME) or the like in the LTE system.
- the session management function SMF 138 is abbreviated as the SMF network element, and the unified data management UDM 134 is abbreviated as the UDM network element.
- the SMF network element can be replaced by the session management function, the UDM network element can be replaced by unified data management, and the UE can be replaced by the terminal equipment. It should be understood that other network functions not shown are equally applicable to this alternative naming.
- the network architecture (eg, the 5G network architecture) shown in FIG. 1A adopts a service-based architecture and common interfaces; based on network function virtualization (NFV) technology, traditional network element functions are divided into several self-contained, self-managed and reusable network function service modules.
- by flexibly defining the set of service modules, customized network function reconstruction can be realized, and the external business process can be formed through a unified service invocation interface.
- the schematic diagram of the network architecture shown in FIG. 1A can be understood as a schematic diagram of a service-based 5G network architecture in a non-roaming scenario.
- Network slicing technology can enable operators to respond more flexibly and quickly to customer needs and support flexible allocation of network resources.
- FIG. 1B is a schematic diagram of a network system according to an embodiment of the present application.
- the network system includes UE1, UE2, UE3 and RAN1.
- UE1 and UE2 are connected through a PC5 interface (ProSe communication 5 interface).
- UE2 and RAN1 are connected through a Uu interface (the direct radio interface between UTRAN and the user equipment).
- UE1 selects UE2 and communicates with the network through UE2.
- UE2 plays the role of a UE-to-network relay.
- the PC5 interface between UE1 and UE2 and the Uu interface between UE2 and RAN1 have corresponding on-demand security definitions. That is, the security protection mode corresponding to the PC5 interface between UE1 and UE2 and the security protection mode corresponding to the Uu interface between UE2 and RAN1 are determined based on the security policy and can be determined through negotiation.
- the security policy includes the security policy of the control plane and the security policy of the user plane, and each security policy includes two characteristics of encryption protection and integrity protection.
- the encryption protection requirement of each security policy has three levels: encryption protection is required (required), encryption protection is desired or tends to be used (preferred), and encryption protection is not needed (not needed).
- the integrity protection requirement of each security policy likewise has three levels: integrity protection is required (required), integrity protection is desired or tends to be used (preferred), and integrity protection is not needed (not needed).
- the security protection methods include enabling encryption protection or not enabling encryption protection, and enabling integrity protection or not enabling integrity protection.
- the UE1 sends data or signaling to the RAN1 through the UE2; sending data is taken as an example for description here. If encryption protection is used for the data between UE1 and UE2, but encryption protection is not used between UE2 and RAN1, then an attacker can tamper with or eavesdrop on the data sent by UE1 to RAN1 by eavesdropping on the Uu interface between UE2 and RAN1. Although the data between UE1 and UE2 is protected by encryption, the data of UE1 is still leaked during transmission between UE2 and RAN1.
- the embodiments of this application propose a corresponding negotiation solution for the negotiation of the security protection mode between UE1 and UE2 and the security protection mode between UE2 and RAN1.
- UE1 and UE3 may be remote UEs (remote UEs) or common UEs.
- the common UE can complete the communication with the network through the UE relay.
- the UE in FIG. 1B is a terminal device.
- for the terminal device and the access network device, please refer to the related introduction in the aforementioned FIG. 1A, which will not be repeated here.
- FIG. 1C is another schematic diagram of a network system according to an embodiment of the present application.
- the network system includes UE1, UE2, UE4, gNB and eNB.
- FIG. 1C shows a scenario in which UE1 selects a UE to enable communication with the network.
- UE3 is connected to the gNB, which is the 5G base station of the 5G communication system, and the gNB supports encryption protection and integrity protection.
- UE3 can provide relay services for UE1 to realize the connection between UE1 and the gNB in the 5G network.
- the UE4 is connected to the eNB.
- the eNB is a 4G base station of the 4G communication system.
- the eNB supports encryption protection but does not support integrity protection.
- UE4 can provide relay service for UE1, so as to realize the connection between UE1 and the gNB in the 4G network.
- the embodiment of the present application proposes the technical solution of the embodiment shown in FIG. 2 , and for details, refer to the technical solution of the embodiment shown in FIG. 2 later.
- FIG. 1B and FIG. 1C above are only to illustrate the applicable scenarios of the technical solutions of the embodiments of the present application.
- FIG. 1B and FIG. 1C may also include more UEs, base stations, etc., which are not specifically limited in the present application.
- FIG. 1B shows a scenario in which UE4 is connected to a long-term evolution node eNB.
- UE4 can also be connected to a next generation evolved Node B (ng-eNB); the ng-eNB is an LTE base station connected to the 5G core network.
- both the eNB and the ng-eNB support encryption protection, but neither supports integrity protection.
- the short-range service communication scenarios shown in FIG. 1B and FIG. 1C are only application scenarios shown to illustrate the technical solutions of the embodiments of the present application; besides the above-mentioned FIG. 1B and FIG. 1C, the technical solutions of the embodiments of the present application are also applicable to the selection of relay nodes and the negotiation of security protection modes in any other relay scenarios.
- FIG. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application.
- the communication method includes:
- the second terminal device determines a first parameter.
- the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device.
- the second terminal device is UE2
- the first access network device is RAN1
- UE2 can provide relay services for remote UEs (eg, UE1 and UE3 in FIG. 1A), so as to realize communication between the remote UE and the network.
- the first parameter includes at least one of the following:
- the first security protection mode supported by the first PDU session (PDU session1), where the first PDU session is a PDU session established on the second terminal device to be used to provide services for a remote UE or a common UE.
- the first security protection mode supported by the first PDU session may also be referred to as the first security protection mode of the air interface corresponding to the first PDU session, or the first security protection mode of the bearer of the air interface corresponding to the first PDU session.
- the first security protection manner includes whether to enable encryption protection and whether to enable integrity protection.
- a first PDU session for transmitting data for the remote UE has been established on the second terminal device, and the first PDU session has a corresponding first security protection mode.
- the first PDU session has activated data protection between the second terminal device and the base station.
- encryption protection is enabled by default, or encryption protection is not enabled by default.
- integrity protection may be enabled by default or not enabled by default.
- when multiple PDU sessions have been established on the second terminal device, the first parameter further includes the security protection modes supported by the multiple PDU sessions, or the intersection of the security protection modes supported by the multiple PDU sessions. For example, if PDU session1 supports encryption protection but PDU session2 does not support encryption protection, the first parameter includes a security protection mode that supports enabling encryption protection.
- the first parameter may include the DNN and/or NSSAI related to each PDU session, and the security protection modes supported by each PDU session.
- the type of the first access network device. For example, as shown in FIG. 1C, UE3 is connected to the gNB and UE4 is connected to the eNB; if the second terminal device is UE3, then the first access network device is the gNB, and the type of the first access network device is a gNB base station or a 5G base station. If the second terminal device is UE4, the first access network device is an eNB, and the type of the first access network device is an eNB base station or a 4G base station. If the second terminal device is UE5, the first access network device is an ng-eNB, and the type of the first access network device is an ng-eNB base station or an evolved 4G base station. There are no restrictions on other base station types here.
- first indication information, where the first indication information is indication information of whether the first access network device supports the on-demand protection mode.
- for example, if the RAN1 to which UE2 is connected supports the on-demand protection mode, the first indication information indicates that the first access network device supports the on-demand protection mode; if the RAN1 to which UE2 is connected does not support the on-demand protection mode, the first indication information indicates that the first access network device does not support the on-demand protection mode.
- second indication information, where the second indication information is used to indicate that the first access network device has the capability of supporting integrity protection. For example, as shown in FIG. 1C, if the second terminal device is UE3, and the gNB connected to UE3 supports integrity protection, the first parameter includes the second indication information.
- a digital signature, calculated by the second terminal device through the private key of the second terminal device and/or the certificate of the second terminal device, where the content of the digital signature includes the security information between the second terminal device and the first access network device.
- when the digital signature is calculated by the second terminal device through the certificate of the second terminal device, the first parameter also carries the certificate of the second terminal device; the certificate of the second terminal device chains to the root certificate of the second terminal device and carries the public key corresponding to the private key of the second terminal device.
- the process by which the second terminal device obtains its private key is as follows: in the registration process of the second terminal device, the second terminal device obtains the private key of the second terminal device from a PCF network element, a UDM network element, a unified data repository (UDR) network element, a key management entity, or a network device such as a proximity-based services function (ProSe function).
- the configuration process of the private key of the second terminal device and/or the root certificate of the second terminal device is introduced by taking the PCF network element as an example.
- the PCF network element sends first configuration information to the AMF network element, where the first configuration information carries the private key of the second terminal device and/or the certificate of the second terminal device.
- the AMF network element sends the private key of the second terminal device and/or the certificate of the second terminal device to the second terminal device through a non-access stratum (NAS) message.
- the identity of the second terminal device, that is, the user equipment identity (UE ID) of the second terminal device, such as a subscriber permanent identifier (SUPI) or a generic public subscription identifier (GPSI).
- the identifier of the network to which the second terminal device belongs or which it serves, for example a PLMN ID or a non-public network identifier (NPN ID).
- a first data network name (DNN), where the first DNN is a DNN for which the second terminal device supports providing the relay service, and is used to indicate that the second terminal device supports providing the relay service for the first DNN.
- first slice information, where the first slice information is information of a slice for which the second terminal device supports providing a relay service.
- the first slice information is used to indicate that the second terminal device supports providing a relay service for the service corresponding to the slice.
- the first slice information is single network slice selection assistance information (single network slice selection assistance information, S-NSSAI).
- the above-mentioned first parameter can be understood as the current protection status between the second terminal device and the first access network device, or the security protection mode that can be executed in the future, so that the first terminal device can determine, according to its own security requirements, whether to select the second terminal device.
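As an added example (not code from the patent or from any project it cites), the following Go program shows the signed first parameter described above in the form a remote UE can check before it trusts a relay's advertised security information. It assumes an Ed25519 key pair standing in for the private key and certificate provisioned to the relay, a JSON encoding of the parameter as the signed content, and a trusted public key known out of band in place of root-certificate validation; the type names and field names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// FirstParameter is a constructed model of the security information the relay
// (second terminal device) advertises in the first message. Field names are
// assumptions made for this example.
type FirstParameter struct {
	RelayID      string `json:"relay_id"`      // identity of the second terminal device
	RANType      string `json:"ran_type"`      // type of the first access network device
	OnDemandSec  bool   `json:"on_demand_sec"` // first indication information
	IntegrityCap bool   `json:"integrity_cap"` // second indication information
	PDUCiphering bool   `json:"pdu_ciphering"` // first PDU session: ciphering enabled
	PDUIntegrity bool   `json:"pdu_integrity"` // first PDU session: integrity enabled
	DNN          string `json:"dnn"`           // first DNN
	SNSSAI       string `json:"snssai"`        // first slice information
}

// SignedFirstParameter is the signed payload carried in the first message. The
// relay's public key stands in for the certificate the page says accompanies the
// signature (a real deployment carries a certificate chained to the provisioned
// root certificate).
type SignedFirstParameter struct {
	Param     FirstParameter
	Signature []byte
	PubKey    ed25519.PublicKey
}

// encode produces the bytes that are signed. encoding/json writes struct fields
// in declaration order, so relay and remote UE derive the same bytes.
func encode(p FirstParameter) ([]byte, error) {
	return json.Marshal(p)
}

// SignFirstParameter is the relay side: sign the security information with the
// private key provisioned during registration (here: a fresh Ed25519 key).
func SignFirstParameter(priv ed25519.PrivateKey, p FirstParameter) (SignedFirstParameter, error) {
	msg, err := encode(p)
	if err != nil {
		return SignedFirstParameter{}, err
	}
	return SignedFirstParameter{
		Param:     p,
		Signature: ed25519.Sign(priv, msg),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}, nil
}

// VerifyFirstParameter is the remote UE side. trustedPub stands in for the
// root-of-trust check: the carried key must be the one the network provisioned
// for this relay, and the signature must cover exactly the advertised parameter,
// so an altered capability claim is rejected before it can influence selection.
func VerifyFirstParameter(trustedPub ed25519.PublicKey, s SignedFirstParameter) bool {
	if !bytes.Equal(trustedPub, s.PubKey) {
		return false
	}
	msg, err := encode(s.Param)
	if err != nil {
		return false
	}
	return ed25519.Verify(s.PubKey, msg, s.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for PCF/AMF provisioning
	if err != nil {
		panic(err)
	}
	p := FirstParameter{RelayID: "UE3", RANType: "gNB", OnDemandSec: true, IntegrityCap: true,
		DNN: "internet", SNSSAI: "1-000001"} // constructed sample advertisement
	signed, err := SignFirstParameter(priv, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine advertisement verifies:", VerifyFirstParameter(pub, signed))
	signed.Param.IntegrityCap = false // the claim was changed in transit
	fmt.Println("altered advertisement verifies:", VerifyFirstParameter(pub, signed))
}
```

The point of binding the signature to the whole parameter is that the remote UE's selection in step 203 is driven by these fields; a parameter whose signature does not verify against the key the network provisioned for that relay should simply be dropped from the candidate list.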
- the second terminal device sends a first message to the first terminal device.
- the first message carries the first parameter.
- for the first parameter, please refer to the related introduction of the foregoing step 201, which will not be repeated here.
- the first message carries the identity information of the second terminal device as the UE relay.
- the first parameter is added to the first message in this embodiment.
- the first terminal device is configured to communicate with the network through the UE relay
- the second terminal device is configured to perform the role of the UE relay.
- the specific configuration manner is not limited in this application.
- in the registration process of the first terminal device, the first terminal device obtains second configuration information from a PCF network element (it may also be a UDM network element, a UDR network element, a key management entity or a network device such as a ProSe function).
- the second configuration information includes the capability of the first terminal device to use UE relay.
- the second terminal device obtains the third configuration information from a PCF network element (which may also be a network device such as a UDM network element, a UDR network element, a key management entity, or a prose function).
- the third configuration information includes that the second terminal device can perform the function of UE relay.
- the following describes the configuration process by taking the process of acquiring the second configuration information by the first terminal device and taking the PCF network element as an example.
- the PCF network element sends the second configuration information to the AMF network element, and the AMF network element sends the second configuration information to the first terminal device through a NAS message.
- the first message is a broadcast message or a multicast message of the second terminal device, or is a response message sent by the second terminal device to the first terminal device.
- this embodiment further includes step 202a, and step 202a is performed before step 202.
- Step 202a: the first terminal device sends a second request message.
- the second request message is used to indicate that the first terminal device needs UE-to-network relay; or, the second request message is used to request a service.
- after the second terminal device receives the second request message, the second terminal device sends a response message to the first terminal device.
- the response message carries the first parameter and the identity information of the second terminal device as the UE relay.
- the first terminal device selects the second terminal device according to the first parameter.
- the first terminal device determines whether to select the second terminal device as a relay node for subsequent connection to the network through the first parameter. For example, as shown in FIG. 1B , UE1 determines whether to select UE2 as a relay node connecting to RAN1.
- this embodiment further includes step 203a, and step 203a is performed before step 203.
- Step 203a: the first terminal device determines a first security policy.
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
- the first security policy includes protection requirements for encryption protection and protection requirements for integrity protection.
- the service to be used by the first terminal device may be characterized by at least one of the following pieces of information: first service information, second DNN, and second slice information.
- the first service information is service information corresponding to a service to be used by the first terminal device.
- the second DNN is the DNN corresponding to the service to be used by the first terminal device.
- the second slice information is slice information corresponding to the service to be used by the first terminal device.
- the first service information is used to identify service information.
- the first service information includes at least one of the following: service type, service identifier, application type, and application identifier.
- the first terminal device determines the first security policy by at least one item of information among the first service information, the second DNN and the second slice information, that is, the first terminal device determines its security requirements.
- for example, the first security policy includes encryption protection as required and integrity protection as preferred.
- step 203 specifically includes:
- the first terminal device selects the second terminal device according to the first security policy and the first parameter.
- Step 203 is described below with reference to the specific content of the first security policy.
- when the first security policy indicates that integrity protection is required, the first terminal device performs at least one of the following operations:
- if the first PDU session established on the second terminal device supports enabling integrity protection, the first terminal device selects the second terminal device.
- if the first terminal device receives messages broadcast by multiple terminal devices that can be used as UE relays, and PDU sessions have been established on those terminal devices, the first terminal device can select the second terminal device whose PDU session supports enabling integrity protection to provide services for the first terminal device.
- the first terminal device selects the second terminal device according to the type of the first access network device.
- for example, when UE1 selects a UE relay, UE3 is connected to the gNB, and the gNB supports integrity protection.
- UE4 is connected to the eNB, and the eNB does not support integrity protection. Therefore, UE1 selects UE3 as the UE relay according to the indication information carried in the message broadcast by UE3, where the indication information indicates that the gNB supports integrity protection. That is, UE1 communicates with the network through UE3.
- if the first indication information indicates that the first access network device supports the on-demand protection mode, the first terminal device selects the second terminal device.
- for example, the gNB connected to UE3 supports the on-demand protection mode, which can be understood as the gNB supporting flexibly turning on encryption protection and flexibly turning on integrity protection, and then UE1 selects UE3.
- if the first parameter includes the second indication information, the first terminal device selects the second terminal device, so that the gNB can provide the integrity protection service subsequently.
- when the first security policy indicates that integrity protection is preferred, preferred means that integrity protection can be enabled or may not be enabled. Therefore, when the first terminal device selects the second terminal device, there is no restriction on whether the second terminal device can provide integrity protection. For example, regardless of whether the second terminal device is connected to a 5G base station or a 4G base station, the first terminal device can select the second terminal device.
- when the first security policy indicates that encryption protection is required, the first terminal device performs at least one of the following operations:
- if the first PDU session established on the second terminal device supports enabling encryption protection, the first terminal device can select the second terminal device.
- if the first terminal device receives messages broadcast by multiple terminal devices that can be used as UE relays, and PDU sessions have been established on those terminal devices, the first terminal device can select the second terminal device whose PDU session supports enabling encryption protection.
- the first terminal device selects the second terminal equipment.
- the first terminal device selects the second terminal device.
- the gNB connected to UE3 supports on-demand protection, it can be understood that the gNB supports flexibly enabling encryption protection and flexibly enabling integrity protection, and UE1 selects UE3.
- the first terminal device selects the second terminal device.
- the first security policy indicates that the encryption protection is preferred
- the preferred means that the encryption protection can be enabled, or the encryption protection may not be enabled. Therefore, when the first terminal device selects the second terminal device, it does not limit whether the second terminal device is capable of providing encryption protection. For example, regardless of whether the established PDU session on the second terminal device supports encryption protection, the first terminal device can select the second terminal device.
- the first security policy indicates that encryption protection is required
- other capabilities of the second terminal device are not limited, except that when the first terminal device selects an established PDU session it selects a PDU session that supports encryption protection, because encryption protection is supported no matter what type of base station the second terminal device is connected to.
- the second terminal device is not required.
- ability is not limited.
- the first terminal device preferentially selects the second terminal device that has established a PDU session, and the encryption protection or integrity protection of the PDU session is not enabled.
- the first terminal device selects the second terminal device.
- Consistency of the first DNN and the second DNN includes: the first DNN is the same as the second DNN, or the first DNN includes (covers) the second DNN.
- the first slice information being consistent with the second slice information includes: the first slice information is the same as the second slice information, or the first slice information includes (covers) the second slice information.
- the first terminal device selects the second terminal device.
- the first security policy being consistent with the second security policy can be understood as: the security policy corresponding to the second DNN and/or the second slice information to be accessed by the first terminal device can be provided by the second security policy.
- the first security policy indicates that encryption protection is required, then the encryption protection in the second security policy must be required.
- the first security policy indicates that the encryption protection is preferred, then the encryption protection in the second security policy is required or preferred.
- the same is true for the integrity protection indicated by the first security policy, and details are not repeated here.
- the first security policy indicates that the encryption protection is not needed, then there is no restriction on the second security policy. If the first security policy indicates that the integrity protection is not needed, there is no restriction on the second security policy.
- the above shows the process of selecting the second terminal device by the first terminal device according to certain information carried by the first parameter.
- the first terminal device may select the second terminal device according to one or more parameters in the first parameter, that is, the first terminal device performs the above-mentioned multiple processes of selecting the second terminal device.
- the first terminal device determines through the first parameter that the second terminal device meets both the protection requirement of the encryption protection and the protection requirement of the integrity protection of the first security policy, and the first terminal device selects the second terminal device.
- the scenario where relay is selected in this embodiment is applicable to the hop-by-hop protection mechanism and the end-to-end protection mechanism.
- the first terminal device selects the second terminal device according to the type of the base station connected to the second terminal device, whether the base station supports integrity protection, whether the base station supports on-demand protection, and other parameters; then, the first terminal device implements end-to-end security protection between the first terminal device and the base station through the second terminal device.
- the first parameter includes a digital signature.
- the first terminal device verifies the correctness of the digital signature; if the verification succeeds, the first terminal device performs the step of selecting the second terminal device; if the verification fails, the first terminal device determines that the first message is an illegal message and discards the first message.
- the first terminal device verifies the digital signature by using the public key corresponding to the private key of the second terminal device.
- the first terminal device obtains the public key of the second terminal device. Specifically, the first terminal device obtains the public key of the second terminal device in the following manner: the first message also carries the identifier of the second terminal device, and the first terminal device determines the public key of the second terminal device through the identifier of the second terminal device.
- the first terminal device verifies the digital signature through the certificate of the second terminal device.
- the first message carries the certificate of the second terminal device and the digital signature.
- the first terminal device verifies the certificate of the second terminal device, and when the verification is successful, the first terminal device uses the certificate of the second terminal device to verify the digital signature. Specifically, the first terminal device may verify the certificate of the second terminal device received by the first terminal device by using the root certificate of the second terminal device.
- the first terminal device obtains the root certificate in the following manner.
- the first message also carries a network identifier (for example, PLMN ID and/or NPN ID) to which the second terminal device belongs, and the first terminal device determines the root certificate of the second terminal device according to the network identifier.
- a network identifier for example, PLMN ID and/or NPN ID
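As an added illustration (not part of the patent text), the verification flow described above written in Python: the first terminal device looks up the root certificate by the network identifier carried in the first message, verifies the relay's certificate with it, then verifies the digital signature over the first parameter, and discards the message on any failure. The signature scheme is a toy RSA over small fixed primes so that the example runs with the standard library only; the certificate fields, the PLMN identifier value, the parameter encoding and the key sizes are assumptions made for the example, not the patent's encoding.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Toy RSA over two ~20-bit primes (constructed; sizes chosen so the flow runs instantly).
E = 65537

def make_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)          # (public, private)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private: Tuple[int, int], data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public: Tuple[int, int], data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Certificate:
    """Relay certificate: identifier, network it belongs to, public key, root's signature over those fields."""
    ue_id: str
    network_id: str           # e.g. a PLMN ID; selects which root certificate to trust
    public: Tuple[int, int]
    root_sig: int

    def tbs(self) -> bytes:   # the to-be-signed bytes of the certificate
        return f"{self.ue_id}|{self.network_id}|{self.public[0]}|{self.public[1]}".encode()


@dataclass(frozen=True)
class BroadcastMessage:
    """First message: the first parameter, the relay's certificate and its signature over the parameter."""
    first_parameter: bytes
    cert: Certificate
    signature: int


def accept_broadcast(msg: BroadcastMessage, roots: Dict[str, Tuple[int, int]]) -> bool:
    """The first terminal device's check: root by network ID -> certificate -> signature; else discard."""
    root_pub = roots.get(msg.cert.network_id)
    if root_pub is None:
        return False                                   # unknown network: no root certificate to trust
    if not verify(root_pub, msg.cert.tbs(), msg.cert.root_sig):
        return False                                   # certificate was not issued by that network's root
    return verify(msg.cert.public, msg.first_parameter, msg.signature)


# --- constructed PKI: one root per network, UE3 certified under the (made-up) PLMN "001-01" ---
ROOT_PUB, ROOT_PRIV = make_keypair(1000037, 1000039)
OTHER_ROOT_PUB, OTHER_ROOT_PRIV = make_keypair(1000081, 1000099)
UE3_PUB, UE3_PRIV = make_keypair(1000003, 1000033)
ROOTS = {"001-01": ROOT_PUB}

def issue_cert(ue_id: str, network_id: str, public: Tuple[int, int], root_priv: Tuple[int, int]) -> Certificate:
    unsigned = Certificate(ue_id, network_id, public, 0)
    return Certificate(ue_id, network_id, public, sign(root_priv, unsigned.tbs()))

UE3_CERT = issue_cert("UE3", "001-01", UE3_PUB, ROOT_PRIV)

def make_broadcast(param: bytes, cert: Certificate, priv: Tuple[int, int]) -> BroadcastMessage:
    return BroadcastMessage(param, cert, sign(priv, param))

# a constructed first parameter as UE3 would broadcast it
GENUINE = make_broadcast(b"ran=gNB;integrity=1;dnn=internet", UE3_CERT, UE3_PRIV)

if __name__ == "__main__":
    print("genuine accepted:", accept_broadcast(GENUINE, ROOTS))
```

The root store is keyed by the network identifier exactly as the text describes, so a certificate that names a network the first terminal device has no root for is rejected before any signature is checked.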
- when the first terminal device receives multiple messages broadcast by terminal devices serving as UE relays, if multiple terminal devices meet the security requirements of the first terminal device, the first terminal device selects the second terminal device according to the priority of the broadcast parameters.
- the PDU session that supports enabling integrity protection has a higher priority.
- the type of access network devices capable of supporting integrity protection has a higher priority.
- the process of selecting the second terminal device by the first terminal device is described below by taking as an example that the first terminal device receives two messages broadcast by terminal devices serving as UE relays.
- This embodiment further includes step 203b, and step 203b is performed before step 203.
- Step 203b: The first terminal device receives the second message.
- the second message carries a second parameter
- the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device.
- UE1 receives the first message broadcasted by UE3, where the first message carries the first parameter.
- UE1 receives the second message broadcasted by UE4, where the second message carries the second parameter.
- the above step 203 specifically includes: the first terminal device selects the second terminal device according to the first parameter and the second parameter.
- the first terminal device may select the second terminal device according to the first security policy, the first parameter and the second parameter. Two possible options are shown below:
- first parameter includes the first security protection mode supported by the first PDU session and the first security protection mode is to enable integrity protection
- the second parameter includes the second security protection mode supported by the second PDU session
- the second security protection mode is that integrity protection is not enabled
- the first terminal device selects the second terminal device.
- the first PDU session is an established PDU session on the second terminal device
- the second PDU session is an established PDU session on the third terminal device.
- since the first security protection mode supports enabling integrity protection but the second security protection mode does not, it can be understood that the priority of the first security protection mode is higher, and the first terminal device can select the second terminal device.
- the first terminal device selects the second terminal device.
- the priority of the first indication information is higher than the priority of the third indication information, so the first terminal device selects the second terminal device.
- the first terminal device may also select the second terminal device according to other parameters. For example, the first terminal device selects the second terminal device according to the types of access network devices to which the multiple terminal devices are connected.
- the 5G base station supports integrity protection, while the 4G base station does not support integrity protection, so the first terminal device preferentially selects the second terminal device connected to the 5G base station.
- the above shows a solution in which the first terminal device selects the second terminal device from the plurality of terminal devices according to the priority of a parameter broadcast by the plurality of terminal devices.
- the first terminal device comprehensively selects the second terminal device according to the priorities of multiple parameters.
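As an added illustration (not part of the patent text), the selection rules above written out in Python: the consistency rules between the first and second security policies (required, preferred, not needed), the base-station and PDU-session checks that a required protection imposes, the DNN/slice coverage check, and then the priority ordering among the relays that remain eligible (a PDU session supporting integrity protection first, then a base station supporting it). The field names, the candidate values for UE3, UE4 and UE5 and the exact ranking key are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Pol(Enum):
    """Value of a user-plane security policy for one protection (ciphering or integrity)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: Pol
    integrity: Pol


@dataclass(frozen=True)
class PduSession:
    """Security protection mode an established PDU session supports enabling."""
    ciphering_on: bool
    integrity_on: bool


@dataclass(frozen=True)
class Candidate:
    """First parameter broadcast by a candidate UE relay (constructed fields, not the patent's encoding)."""
    ue_id: str
    ran_type: str                      # "gNB" (5G) or "eNB" (4G)
    ran_integrity: bool                # indication: the base station supports integrity protection
    pdu_session: Optional[PduSession]  # established PDU session, or None
    dnns: frozenset                    # DNNs the relay covers (first DNN)
    slices: frozenset                  # slices the relay covers (first slice information)
    policy: SecurityPolicy             # second security policy


def _policy_dim_ok(first: Pol, second: Pol) -> bool:
    # required -> second must be required; preferred -> required or preferred; not needed -> no restriction
    if first is Pol.REQUIRED:
        return second is Pol.REQUIRED
    if first is Pol.PREFERRED:
        return second is not Pol.NOT_NEEDED
    return True


def policies_consistent(first: SecurityPolicy, second: SecurityPolicy) -> bool:
    return (_policy_dim_ok(first.ciphering, second.ciphering)
            and _policy_dim_ok(first.integrity, second.integrity))


def meets_requirements(first: SecurityPolicy, dnn: str, slice_id: str, c: Candidate) -> bool:
    # integrity required: the base station must support it (a 4G eNB does not)
    if first.integrity is Pol.REQUIRED and not c.ran_integrity:
        return False
    # an already established PDU session must support enabling every required protection
    if c.pdu_session is not None:
        if first.ciphering is Pol.REQUIRED and not c.pdu_session.ciphering_on:
            return False
        if first.integrity is Pol.REQUIRED and not c.pdu_session.integrity_on:
            return False
    # DNN / slice consistency: the same, or the relay's configuration covers what is requested
    if dnn not in c.dnns or slice_id not in c.slices:
        return False
    return policies_consistent(first, c.policy)


def select_relay(first: SecurityPolicy, dnn: str, slice_id: str,
                 candidates: Iterable[Candidate]) -> Optional[str]:
    eligible = [c for c in candidates if meets_requirements(first, dnn, slice_id, c)]
    if not eligible:
        return None

    # priority among eligible relays: session supporting integrity, then a base station supporting it
    def priority(c: Candidate):
        session_integrity = c.pdu_session is not None and c.pdu_session.integrity_on
        return (session_integrity, c.ran_integrity, c.ran_type == "gNB")

    return max(eligible, key=priority).ue_id


# Constructed broadcasts from three candidate relays: UE3 on a gNB, UE4 on an eNB, UE5 on a gNB without a session.
CANDIDATES = [
    Candidate("UE3", "gNB", True, PduSession(True, True), frozenset({"internet"}),
              frozenset({"eMBB"}), SecurityPolicy(Pol.REQUIRED, Pol.REQUIRED)),
    Candidate("UE4", "eNB", False, PduSession(True, False), frozenset({"internet", "ims"}),
              frozenset({"eMBB"}), SecurityPolicy(Pol.REQUIRED, Pol.NOT_NEEDED)),
    Candidate("UE5", "gNB", True, None, frozenset({"internet"}),
              frozenset({"eMBB"}), SecurityPolicy(Pol.REQUIRED, Pol.PREFERRED)),
]

if __name__ == "__main__":
    print(select_relay(SecurityPolicy(Pol.REQUIRED, Pol.REQUIRED), "internet", "eMBB", CANDIDATES))
```

With integrity required, UE4 drops out at the base-station check and UE5 at the policy check, leaving UE3; with integrity not needed and the DNN "ims" requested, only UE4 covers that DNN and it is selected.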
- the first terminal device sends a fifth message to the second terminal device.
- the first terminal device may send a message to the second terminal device to facilitate communication with the network.
- the first terminal device receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the first terminal device selects the second terminal device according to the first parameter. It can be seen that, because the first parameter indicates the security information for communication between the second terminal device and the first access network device, the first terminal device can, when selecting the second terminal device, select according to the first parameter a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
- FIG. 3 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- the communication method includes:
- the first terminal device sends a second message to the second terminal device.
- the second message carries a first security policy, where the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
- for the related introduction of the first security policy, please refer to the related introduction of the first security policy in step 203a of the above-mentioned embodiment shown in FIG. 2, and details are not repeated here.
- the first terminal device is configured to implement communication with the network through the UE relay, while the second terminal device is configured to perform the role of the UE relay.
- for the relevant introduction of the specific configuration method, please refer to the related introduction in step 202 of the embodiment shown in FIG. 2, which is not repeated here.
- this embodiment may be implemented on the basis of the embodiment shown in FIG. 2 , that is, the first terminal device selects the second terminal device as the UE relay through the method of the embodiment shown in FIG. 2 .
- the first security policy is a user plane (user plane, UP) security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device.
- UP user plane
- the second terminal device determines a first security protection mode according to the first security policy.
- the second terminal device may determine that the first security protection mode is to enable encryption protection and enable integrity protection.
- the second terminal device may determine the first security protection mode in combination with the established PDU session of the second terminal device, so as to negotiate the first security protection mode with the security protection mode adopted in the data communication between the second terminal device and the first access network device.
- Case a: The following shows multiple possible implementations in which the first security protection mode is consistent with the second security protection mode supported by the second PDU session.
- the second PDU session is a PDU session that has been established on the second terminal device and is used to provide services for a remote UE or a common UE.
- Implementation mode 1: If the first security policy indicates that encryption protection is required, and the second security protection mode supported by the second PDU session is to enable encryption protection, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
- the second terminal device determines that the encryption protection requirement in the first security protection mode should be to enable encryption protection, and the second security protection mode supported by the second PDU session is to enable encryption protection. From the perspective of encryption protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the encryption protection mode in the second security protection mode as the encryption protection mode in the first security protection mode; that is, the encryption protection mode in the first security protection mode is consistent with the encryption protection mode in the second security protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device.
- Implementation mode 2: If the first security policy indicates that integrity protection is required, and the second security protection mode supported by the second PDU session is to enable integrity protection, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
- the second terminal device determines that the integrity protection requirement in the first security protection mode should be to enable integrity protection, and the second security protection mode supported by the second PDU session is to enable integrity protection. From the perspective of integrity protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the integrity protection mode in the second security protection mode as the integrity protection mode in the first security protection mode; that is, the integrity protection mode in the first security protection mode is consistent with the integrity protection mode in the second security protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device.
- Implementation mode 3: If the first security policy indicates that encryption protection is not needed, and the second security protection mode supported by the second PDU session is not to enable encryption protection, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
- the second terminal device determines that the encryption protection requirement in the first security protection mode may be not to enable encryption protection. From the perspective of encryption protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode; that is, the encryption protection mode in the first security protection mode is consistent with the encryption protection mode in the second security protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device.
- Implementation mode 4: If the first security policy indicates that integrity protection is not needed, and the second security protection mode supported by the second PDU session is not to enable integrity protection, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
- the second terminal device determines that the integrity protection requirement in the first security protection mode may be not to enable integrity protection. From the perspective of integrity protection, the second PDU session can provide services for the first terminal device, so the second terminal device can use the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode. And, the second terminal device determines to provide a service for the first terminal device through the second PDU session, so as to transmit the data of the first terminal device.
- Implementation mode 5: If the first security policy indicates that encryption protection is preferred, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode.
- the second terminal device determines that the encryption protection in the first security protection mode can be enabled or disabled. Therefore, from the perspective of encryption protection, the second PDU session can provide services for the first terminal device regardless of whether the second security protection mode is to enable encryption protection or not to enable encryption protection. Therefore, the second terminal device uses the encryption protection mode in the second security protection mode supported by the second PDU session as the encryption protection mode in the first security protection mode. And, the second terminal device determines to provide services for the first terminal device through the second PDU session.
- Implementation mode 6: If the first security policy indicates that integrity protection is preferred, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode.
- the second terminal device determines that the integrity protection in the first security protection manner may be to enable integrity protection or not to enable integrity protection. Therefore, from the perspective of integrity protection, regardless of whether the second security protection mode is to enable integrity protection or not to enable integrity protection, the second PDU session can provide services for the first terminal device. Therefore, the second terminal device uses the integrity protection mode in the second security protection mode supported by the second PDU session as the integrity protection mode in the first security protection mode. And, the second terminal device determines to provide services for the first terminal device through the second PDU session.
- when multiple PDU sessions are established on the second terminal device, the second terminal device may select the second PDU session from the multiple PDU sessions in combination with the security protection requirements, the corresponding quality of service (QoS), slice information, and so on.
- the foregoing implementation manners 1 to 6 only illustrate the process of determining the first security protection manner by the second terminal device from the perspective of encryption protection or integrity protection.
- when the second terminal device chooses to provide services for the first terminal device through a PDU session, it should select a PDU session whose encryption protection and integrity protection both meet the encryption protection requirement and the integrity protection requirement of the first terminal device. That is, the second security protection mode supported by the second PDU session meets both the encryption protection requirement and the integrity protection requirement of the first terminal device.
- Case b: The following shows various possible implementations in which the first security protection mode is inconsistent with the second security protection mode supported by the second PDU session.
- the second PDU session is a PDU session that has been established on the second terminal device and is used to provide services for a remote UE or a common UE.
- Implementation mode 1: If the first security policy indicates that encryption protection is preferred, and the second security protection mode supported by the second PDU session is not to enable encryption protection, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
- the second terminal device may request to modify the second PDU session or request to establish a new third PDU session.
- Implementation mode 2: If the first security policy indicates that integrity protection is preferred, and the second security protection mode supported by the second PDU session is not to enable integrity protection, the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
- the implementation mode 2 is similar to the implementation mode 1. For details, please refer to the related introduction of the implementation mode 1.
- Implementation mode 3: If the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, and/or the integrity protection of the second security protection mode does not match the integrity protection indicated by the first security policy, the second terminal device determines that the first security protection mode is inconsistent with the second security protection mode.
- the encryption protection of the second security protection mode does not match the encryption protection indicated by the first security policy, including many possible forms.
- the following examples are introduced:
- the second security protection mode is not to enable encryption protection, and the first security policy indicates that encryption protection is required;
- the second security protection method is to enable encryption protection, and the first security policy indicates that the encryption protection is not needed.
- the integrity protection of the second security protection does not match the integrity protection indicated by the first security policy, including multiple possible forms.
- the following examples are introduced:
- the second security protection mode is not to enable integrity protection, and the first security policy indicates that integrity protection is required;
- the second security protection method is to enable integrity protection, and the first security policy indicates that integrity protection is not needed.
- the second terminal device determines that the first security protection mode is inconsistent with the second security protection mode, and the second terminal device may request to modify the second PDU session or request to establish a new third PDU session.
- a PDU session is not established on the second terminal device.
- the second terminal device may request to establish a new third PDU session for providing services to the first terminal device.
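As an added illustration (not part of the patent text), the determination of the first security protection mode by the second terminal device from the first security policy and the established second PDU session, written in Python. It covers implementation modes 1 to 6 of case a, the inconsistency cases of case b (including the mismatch examples listed above), the selection among several established sessions, and the case where no PDU session exists. Whether a preferred protection that the session has not enabled counts as inconsistent (case b, modes 1 and 2) or simply follows the session (case a, modes 5 and 6) is selected by a flag, since the page describes both; the names, and the choice of "modify" rather than "establish" when a session is inconsistent, are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Pol(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: Pol
    integrity: Pol


@dataclass(frozen=True)
class Mode:
    """A security protection mode: whether ciphering / integrity protection is enabled."""
    ciphering_on: bool
    integrity_on: bool


class Action(Enum):
    USE_EXISTING = "serve the first terminal device over the second PDU session"
    MODIFY = "request to modify the second PDU session"
    ESTABLISH = "request to establish a third PDU session"


def _dimension(policy: Pol, session_on: Optional[bool], prefer_enable: bool) -> Tuple[bool, bool]:
    """Return (protection enabled in the first mode, consistent with the session's mode).

    session_on is None when no PDU session is established on the second terminal device.
    """
    if policy is Pol.REQUIRED:                  # case a, modes 1 / 2; mismatch if the session has it off
        return True, session_on is True
    if policy is Pol.NOT_NEEDED:                # case a, modes 3 / 4; mismatch if the session has it on
        return False, session_on is False
    if prefer_enable:                           # case b, modes 1 / 2: preferred but not enabled -> inconsistent
        return True, session_on is True
    # case a, modes 5 / 6: preferred follows whatever the session does; with no session, enable it
    return (True if session_on is None else session_on), session_on is not None


def determine_mode(first_policy: SecurityPolicy, session: Optional[Mode],
                   prefer_enable: bool = False) -> Tuple[Mode, Action]:
    c_on, c_ok = _dimension(first_policy.ciphering,
                            None if session is None else session.ciphering_on, prefer_enable)
    i_on, i_ok = _dimension(first_policy.integrity,
                            None if session is None else session.integrity_on, prefer_enable)
    mode = Mode(c_on, i_on)
    if session is None:
        return mode, Action.ESTABLISH           # no PDU session: request a third PDU session
    if c_ok and i_ok:
        return mode, Action.USE_EXISTING        # both protections consistent with the second PDU session
    return mode, Action.MODIFY                  # inconsistent: modify (or, per the page, establish a new one)


def choose_session(first_policy: SecurityPolicy, sessions: List[Mode],
                   prefer_enable: bool = False) -> Optional[int]:
    """Index of the first established session consistent in both protections, else None."""
    for i, s in enumerate(sessions):
        if determine_mode(first_policy, s, prefer_enable)[1] is Action.USE_EXISTING:
            return i
    return None


if __name__ == "__main__":
    # constructed inputs: policy requires ciphering and does not need integrity; two sessions exist
    policy = SecurityPolicy(Pol.REQUIRED, Pol.NOT_NEEDED)
    print(determine_mode(policy, Mode(True, True)))
    print(choose_session(policy, [Mode(True, True), Mode(True, False)]))
```

Both protections are evaluated independently and a session is only reused when both match, which is the rule stated above that the second PDU session must meet the encryption and the integrity requirement at the same time.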
- the second terminal device uses the first security protection mode as a security protection mode used for data communication between the first terminal device and the second terminal device.
- the second terminal device sends the first security protection mode to the first terminal device.
- the first terminal device sends a second message to the second terminal device, where the second message carries the first security policy; then, the second terminal device determines the first security protection mode according to the first security policy, The first security protection mode is used as the security protection mode used for data communication between the first terminal device and the second terminal device, and the first security protection mode is sent to the first terminal device.
- the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to make the security protection mode between the second terminal device and the first access network device consistent with the security protection mode between the first terminal device and the second terminal device, so as to improve the security of data transmission.
- step 302 is an implementation manner in which the second terminal device considers the establishment of a PDU session when determining the first security protection manner.
- This embodiment of the present application also provides another embodiment, which is similar to the embodiment shown in FIG. 3, except that step 302 is replaced with: the second terminal device determines the first security protection mode according to the fourth security policy and/or the first security policy received by the second terminal device.
- the fourth security policy is a security policy determined by the second terminal device and corresponding to the service to be used by the first terminal device. Then, the second terminal device compares the first security protection mode with the second security protection mode supported by the established second PDU session.
- if the first security protection mode is inconsistent with the second security protection mode, the second terminal device can modify the second PDU session or create a new PDU session, obtaining the modified second PDU session or the newly created third PDU session; or, if no PDU session is established on the second terminal device, the second terminal device creates the third PDU session. That is, the second terminal device first determines the first security protection mode, and then, in combination with the establishment of PDU sessions on the second terminal device, selects a corresponding PDU session to provide services for the first terminal device.
- the fourth security protection mode supported by the modified second PDU session is the same as the first security protection mode; or, the fourth security protection mode supported by the third PDU session is the same as the first security protection mode.
- this embodiment further includes steps 305 to 309 , and steps 305 to 309 are executed after step 303 .
- the second terminal device sends the first request message to the SMF network element.
- the first request message is used for requesting to modify the second PDU session or for requesting to establish a third PDU session.
- the first request message carries a third parameter, and the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device.
- the second terminal device may request the SMF network element to modify the second PDU session or request to establish a new third PDU session.
- the second terminal device may provide services for the first terminal device through the modified second PDU session; or, the second terminal device may provide services for the first terminal device through the third PDU session.
- the third parameter includes at least one of the following:
- first service information, where the first service information is service information corresponding to a service to be used by the first terminal device, for example, a service ID, a service type, and so on.
- a second DNN where the second DNN is a DNN to be accessed by the first terminal device.
- Second slice information where the second slice information is slice information of the slice to be accessed by the first terminal device.
- First indication information where the first indication information is used to indicate that the first request message is a request message for a PDU session for providing a relay service.
- a first protection indication where the first protection indication is used to indicate a protection mechanism that the first terminal device expects to execute during data communication between the first terminal device and the first access network device.
- the first protection indication is used to indicate that the first terminal device expects to use the E2E protection mechanism or the hop-by-hop protection mechanism.
- the second terminal device sending the first request message to the SMF network element may be: the second terminal device sends the first request message to the SMF network element through the first access network device and the AMF network element, and the first access network device and the AMF network element play a relay role for the first request message.
- the second terminal device first sends the third parameter to the AMF network element, and then the AMF network element sends the third parameter to the SMF network element.
- Step 305 is only described as the information received by the final SMF network element, and there is no restriction on the transmission mode of the information.
- the SMF network element determines a third security policy according to the third parameter.
- the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
- the third security policy is similar to the first security policy.
- the third security policy may be understood by referring to the relevant introduction of the first security policy in the embodiment shown in FIG. 2 .
- the following describes the manner in which the SMF network element determines the third security policy in combination with the above-mentioned third parameter.
- the third parameter carries the first security policy, and the above step 306 specifically includes:
- the SMF network element determines the third security policy according to the first security policy.
- the SMF network element sets the third security policy so that the third security policy is the same as the first security policy; or, the SMF network element directly uses the first security policy as the third security policy.
- the third parameter carries the first security protection mode, and the above step 306 specifically includes:
- the SMF network element determines the third security policy according to the first security protection mode.
- the SMF network element determines the first security policy according to the first security protection mode, and then sets the third security policy to be the same as the first security policy.
- the first security protection mode is to enable encryption protection and not to enable integrity protection
- the SMF network element determines, according to the first security protection mode, that the encryption protection indicated by the first security policy is required and the integrity protection indicated by the first security policy is not needed. Then, the SMF network element sets the third security policy to be the same as the first security policy, that is, the encryption protection indicated by the third security policy is required, and the integrity protection indicated by the third security policy is not needed.
- Mode 3 is described below in combination with steps 1 to 3.
- the third parameter includes at least one item of information: first service information, second DNN, and second slice information.
- Step 1 The SMF network element sends at least one of the following information to the UDM network element: first service information, second DNN and second slice information.
- the SMF network element sends the at least one item of information to the UDM network element.
- Step 2 The SMF network element receives the subscription security policy sent by the UDM network element.
- the UDM network element acquires the subscription security policy corresponding to the at least one piece of information, and sends the subscription security policy to the SMF network element.
- Step 3 The SMF network element uses the subscription security policy as the third security policy; or, the SMF network element determines the third security policy according to the subscription security policy and the first security policy; or, the SMF network element determines the third security policy according to the subscription security policy and the first security protection mode.
- the SMF network element may determine the third security policy according to the subscription security policy and the first security policy.
- the SMF network element may use the subscription security policy as the third security policy.
- if the encryption protection indicated by the subscription security policy is required and the integrity protection indicated by the subscription security policy is not needed, while the encryption protection indicated by the first security policy is required and the integrity protection indicated by the first security policy is preferred, the SMF network element may use the subscription security policy as the third security policy.
- the encryption protection indicated by the subscription security policy does not match the encryption protection indicated by the first security policy, which includes multiple possible forms.
- the following examples illustrate:
- the encryption protection indicated by the subscription security policy is not needed, and the encryption protection indicated by the first security policy is required.
- the integrity protection indicated by the subscription security policy does not match the integrity protection indicated by the first security policy, which includes multiple possible forms, and the following examples illustrate:
- the integrity protection indicated by the subscription security policy is not needed, and the integrity protection indicated by the first security policy is required.
- the encryption protection indicated by the subscription security policy does not match the encryption protection indicated by the first security policy, and/or the integrity protection indicated by the subscription security policy does not match the integrity protection indicated by the first security policy.
- the SMF network element releases the session establishment process or the session modification process, and sends a reject message to the first access network device, and then the first access network device sends a reject message to the second terminal device.
- the SMF network element may determine the third security policy according to the subscription security policy and the first security protection mode. Specifically, the SMF network element determines the first security policy according to the first security protection mode, and then determines whether the first security policy and the subscription security policy match; if they match, the SMF network element sets the third security policy to be the same as the first security policy.
- Mode 4: the third parameter further includes a first security protection mode; the above step 306 specifically includes: the SMF network element determines a third security policy according to the first security policy and the first security protection mode.
- the first security protection mode is to enable encryption protection and disable integrity protection.
- the first security policy indicates that encryption protection is required, and the first security policy indicates that integrity protection is preferred.
- the SMF network element can set the third security policy, for example, so that the third security policy indicates that encryption protection is required and that integrity protection is preferred; or, so that the third security policy indicates that encryption protection is required and that integrity protection is not needed.
- the SMF network element may also determine that the PDU session is to be established for the first terminal device according to the first indication information.
- the third parameter includes at least one item of information among the first protection indication, the first service information, the second DNN, and the second slice information.
- the SMF network element determines the second protection indication according to the at least one item of information, and sends the second protection indication to the second terminal device through the AMF network element.
- the second protection indication indicates the protection mechanism, determined by the SMF network element, to be executed during data communication between the first terminal device and the first access network device.
- the SMF network element sends a fourth message to the first access network device.
- the fourth message carries the third security policy.
- the fourth message further carries at least one of the following information: a first security protection mode and a first security policy.
- the fourth message may not carry the first security protection mode or the first security policy.
- the first access network device determines a fourth security protection manner according to the third security policy.
- the first access network device determines that the fourth security protection mode is to enable encryption protection and not enable integrity protection.
- the fourth message further carries at least one of the following: a first security policy and a first security protection mode.
- the first access network device determines a fourth security protection mode according to the third security policy and the first security protection mode.
- the encryption protection mode of the fourth security protection mode determined by the first access network device should also be the same as the encryption protection mode in the first security protection mode.
- the case in which the third security policy indicates that integrity protection is preferred is handled similarly and will not be described one by one here.
- the first access network device sends a sixth message to the SMF network element, where the sixth message is a failure message or a PDU session Release request message.
- the third security policy indicates that integrity protection is required and the first security protection mode does not enable integrity protection.
- the third security policy indicates that encryption protection is not needed and the first security protection mode is to enable encryption protection.
- the situation is similar to the situation where the third security policy indicates that the integrity protection is not needed and the first security protection mode is to enable the integrity protection, and will not be described one by one here.
- the failure message also carries a rejection reason, where the rejection reason is that the third security policy does not match the first security protection mode.
- the first access network device sends the sixth message to the second terminal device.
- the first access network device determines the fourth security protection mode according to the third security policy and the first security policy.
- the first access network device determines the fourth security protection mode according to the third security policy, the first security policy and the local policy, where the local policy is the security policy, determined by the first access network device, corresponding to the service to be used by the first terminal device.
- the first access network device may determine the fourth security protection mode, that is, the security protection mode between the second terminal device and the first access network device.
- the mismatch between the encryption protection indicated by the third security policy and the encryption protection indicated by the first security policy includes multiple possible forms.
- the following examples illustrate:
- the encryption protection indicated by the third security policy is not needed, and the encryption protection indicated by the first security policy is required.
- the integrity protection indicated by the third security policy does not match the integrity protection indicated by the first security policy.
- the following examples illustrate:
- the integrity protection indicated by the third security policy is not needed, and the integrity protection indicated by the first security policy is required.
- the first access network device sends a seventh message to the SMF network element, where the seventh message is a failure message or a PDU session release request message.
- the failure message carries a rejection reason, and the rejection reason is that the third security policy is inconsistent with the first security policy.
- the first access network device also sends the seventh message to the second terminal device.
- the first access network device may also determine the fourth security protection mode only according to the first security policy, or only according to the first security protection mode, so as to ensure that the fourth security protection mode is consistent with the first security protection mode.
- the first access network device sends a fourth security protection mode to the second terminal device.
- the fourth security protection mode is the same as the first security protection mode, and the fourth security protection mode is a security protection mode used during data communication between the second terminal device and the first access network device.
- the second terminal device receives the fourth security protection mode; if the first security protection mode has not been sent to the first terminal device or the first security protection mode has not been determined before then, the second terminal device may use the fourth security protection mode as the first security protection mode, and send the first security protection mode to the first terminal device.
- the above-mentioned step 304 may be performed after step 309, that is, the second terminal device may send the first security protection mode to the first terminal device after the establishment of the third PDU session or the modification of the second PDU session is completed.
- the second terminal device determines the first security protection mode and the fourth security protection mode, so that the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device are agreed (encryption protection enabled or not enabled, and integrity protection enabled or not enabled).
- the above shows the process of negotiating consensus between the first security protection mode and the fourth security protection mode.
- the second terminal device may negotiate the encryption algorithm and the integrity algorithm corresponding to the first security protection mode and the encryption algorithm and the integrity algorithm corresponding to the fourth security protection mode.
- the above shows the process of negotiating consensus between the first security protection mode and the fourth security protection mode on the user plane.
- the negotiation of the control plane security protection mode between the first terminal device and the second terminal device and the control plane protection mode between the second terminal device and the first access network device can also be carried out through the negotiation method of the technical solution of this embodiment of the present application.
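The matching rules described for step 306 (Mode 3, steps 1 to 3) and for step 308 above can be modelled directly. The following Python is an added illustration, not code from the patent or from any 3GPP implementation; the value names REQUIRED / PREFERRED / NOT NEEDED, the rule that a "preferred" item is compatible with either outcome, and the `prefer_enable` local choice are assumptions about how the text's wording would be implemented.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(str, Enum):
    """One item of a security policy (encryption or integrity)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    encryption: Policy
    integrity: Policy


@dataclass(frozen=True)
class ProtectionMode:
    """A concrete security protection mode: each protection enabled or not."""
    encryption_enabled: bool
    integrity_enabled: bool


def item_accepts(policy: Policy, enabled: bool) -> bool:
    """REQUIRED needs the protection on, NOT_NEEDED needs it off; PREFERRED
    accepts either (assumption, consistent with the text's examples)."""
    if policy is Policy.REQUIRED:
        return enabled
    if policy is Policy.NOT_NEEDED:
        return not enabled
    return True


def mode_matches_policy(mode: ProtectionMode, policy: SecurityPolicy) -> bool:
    return (item_accepts(policy.encryption, mode.encryption_enabled)
            and item_accepts(policy.integrity, mode.integrity_enabled))


def policies_match(a: SecurityPolicy, b: SecurityPolicy) -> bool:
    """Two policies mismatch only where one says REQUIRED and the other
    NOT_NEEDED (the mismatch examples given in the text)."""
    conflict = {Policy.REQUIRED, Policy.NOT_NEEDED}
    return ({a.encryption, b.encryption} != conflict
            and {a.integrity, b.integrity} != conflict)


def policy_from_mode(mode: ProtectionMode) -> SecurityPolicy:
    """Mode 2 of step 306: a fixed protection mode maps onto a policy."""
    def as_policy(enabled: bool) -> Policy:
        return Policy.REQUIRED if enabled else Policy.NOT_NEEDED
    return SecurityPolicy(as_policy(mode.encryption_enabled),
                          as_policy(mode.integrity_enabled))


def smf_third_policy(subscription: Optional[SecurityPolicy] = None,
                     first_policy: Optional[SecurityPolicy] = None,
                     first_mode: Optional[ProtectionMode] = None
                     ) -> Optional[SecurityPolicy]:
    """Step 306. Modes 1/2: without a subscription policy the third policy
    equals the first policy (derived from the first mode if needed).
    Mode 3: the subscription policy becomes the third policy when it matches
    what the relay reported; None models the reject message."""
    if first_policy is None and first_mode is not None:
        first_policy = policy_from_mode(first_mode)
    if subscription is None:
        return first_policy
    if first_policy is not None and not policies_match(subscription, first_policy):
        return None
    return subscription


def ran_fourth_mode(third_policy: SecurityPolicy,
                    first_mode: Optional[ProtectionMode] = None,
                    prefer_enable: bool = True) -> Optional[ProtectionMode]:
    """Step 308. With only the third policy: REQUIRED -> on, NOT_NEEDED -> off,
    PREFERRED -> local choice (prefer_enable is an assumed local policy).
    With the first mode also present, the fourth mode must equal it and must
    satisfy the third policy; None models the failure message whose rejection
    reason is that the third policy does not match the first mode."""
    if first_mode is not None:
        return first_mode if mode_matches_policy(first_mode, third_policy) else None

    def choose(item: Policy) -> bool:
        if item is Policy.PREFERRED:
            return prefer_enable
        return item is Policy.REQUIRED

    return ProtectionMode(choose(third_policy.encryption),
                          choose(third_policy.integrity))
```

A `None` result stands for the reject or failure message in the text (session release with a mismatch rejection reason); a caller would turn it into the sixth or seventh message rather than silently picking a different mode.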
- This embodiment of the present application also provides an embodiment, which is similar to the embodiment shown in FIG. 3, except that steps 301 to 304 are not executed, and the first request message of step 305 is used to request the third security policy, that is, the first security policy is not carried in the first parameter.
- the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
- the first access network device determines a fourth security protection mode according to the third security policy, and sends it to the second terminal device.
- the second terminal device uses the fourth security protection mode as the first security protection mode.
- This embodiment of the present application further provides an embodiment, which is similar to the embodiment shown in FIG. 3, except that in step 305, the second terminal device sends the first security policy and/or the first security protection mode to the first access network device, and sends at least one item of information among the first service information, the first DNN and the second slice information to the SMF network element.
- the first access network device stores the first security policy and/or the first security protection manner.
- the first access network device receives the third security policy from the SMF network element; in step 308, the first access network device determines the fourth security protection mode according to at least one item of information among the first security policy, the first security protection mode and the third security policy.
- the specific determination method is similar to the way in which the first access network device determines the fourth security protection mode in step 308 of the embodiment shown in FIG. 3 above. For details, please refer to the related introduction of step 308 in the embodiment shown in FIG.
- the embodiment shown in FIG. 3 further includes steps 310 to 312 .
- steps 310 to 312 and steps 301 to 309 in the aforementioned embodiment shown in FIG. 3 do not have a fixed execution order.
- steps 310 to 312 may be performed before step 301, or may be performed between steps 301 to 309, or performed after step 309, which is not specifically limited in this application.
- the first terminal device sends a third message to the second terminal device.
- the third message carries the first protection indication.
- the third message further carries at least one item of information: first service information, second DNN, and second slice information.
- the third message can be understood as the fifth message of step 204 in the embodiment shown in FIG. 2 .
- the second terminal device determines a second protection indication according to the third message.
- the second protection indication is used to instruct a protection mechanism to be executed during data communication between the first terminal device and the first access network device.
- the second terminal device determines which protection mechanism to execute according to the received first protection indication, and generates a second protection indication.
- the second terminal device determines the second protection indication according to the first protection indication and the local security policy, determined by the second terminal device, corresponding to the service to be used by the first terminal device. For example, the second terminal device determines a protection mechanism according to at least one item of information among the first service information, the second DNN, and the second slice information, decides, together with the protection mechanism indicated by the first protection indication, which protection mechanism is the main protection mechanism, and then generates the corresponding protection indication.
- the second terminal device sends a second protection indication to the first terminal device.
- the second terminal device determines the second protection indication according to the local security policy, determined by the second terminal device, corresponding to the service to be used by the first terminal device, and sends the second protection indication to the first terminal device.
- the above-mentioned embodiment shown in FIG. 3 shows that the second terminal device first determines the security protection mode between the first terminal device and the second terminal device according to the first security policy, and then determines the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated and agreed.
- the second terminal device may first determine a third security protection mode according to the first security policy and the fourth security policy, and use the third security protection mode as the security protection mode used for data communication between the second terminal device and the first access network device.
- the fourth security policy is a security policy, determined by the second terminal device, corresponding to the service to be used by the first terminal device. Then, the second terminal device determines the security protection mode between the first terminal device and the second terminal device, so that the security protection mode between the first terminal device and the second terminal device and the security protection mode between the second terminal device and the first access network device are negotiated and agreed.
- the above-mentioned embodiment shown in FIG. 3 shows a technical solution in which the first security protection mode is determined by the second terminal device.
- the first security protection mode may also be determined by the first terminal device and sent by the first terminal device to the second terminal device, so that the security protection mode between the first terminal device and the second terminal device is negotiated to be consistent with the security protection mode between the second terminal device and the first access network device.
- FIG. 4 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- the method includes:
- the second terminal device sends a broadcast message to the first terminal device.
- the broadcast message carries the first parameter.
- for the related introduction of the first parameter, please refer to the related introduction of the first parameter in step 201 in the embodiment shown in FIG. 2, which will not be repeated here.
- the broadcast message can be understood as a possible implementation of the first message in step 202 in the embodiment shown in FIG. 2.
- for the broadcast message, please refer to the first message in step 202 in the embodiment shown in FIG. 2.
- the first terminal device selects the second terminal device according to the first parameter.
- step 402 is similar to step 203 in the embodiment shown in FIG. 2; please refer to the related introduction of step 203 in the embodiment shown in FIG. 2, which will not be repeated here.
- the first terminal device sends a communication request message to the second terminal device.
- the communication request message also carries at least one of the following information: a first protection indication, the security capability of the first terminal device, first service information, a second DNN, second slice information, a first security policy, and a relay indication.
- the security capability of the first terminal device refers to an encryption algorithm and an integrity protection algorithm supported by the first terminal device.
- the relay indication is used to instruct the second terminal device to forward data as the UE relay, or, used to indicate that the communication request message is a message sent to the UE relay.
- the communication request message may be understood as a specific implementation manner of the third message in the embodiment shown in FIG. 3 .
- the first service information, the second DNN and the second slice information may also be sent to the second terminal device in the DSM Complete message in the subsequent step 405.
- the second terminal device determines the second protection indication according to the communication request message.
- step 404 is optional, and the protection mechanism between the first terminal device and the first access network device may be pre-configured or specified through a communication protocol.
- Step 404 is described below in two possible cases.
- the communication request message carries the first protection indication.
- the second terminal device determines which protection mechanism to execute according to the first protection instruction, and generates the second protection instruction.
- the second terminal device determines a second protection indication according to at least one item of information among the second service information, the first DNN, and the first slice information of the service supported by the second terminal device, and decides, together with the first protection indication, which protection indication is ultimately selected as the target protection indication. For example, the second protection indication is used as the finalized protection indication.
- the communication request message does not carry the first protection indication.
- the second terminal device determines the second protection indication according to at least one item of information among the second service information, the first DNN and the first slice information.
- the communication request message carries at least one item of information among the first service information, the second DNN, and the second slice information, and the second terminal device determines the second protection indication according to the at least one item of information.
- the communication request message may be understood as a specific implementation manner of the third message in step 310 in the embodiment shown in FIG. 3 .
- after the second terminal device receives the communication request message, the second terminal device further performs the following operations:
- the communication request message also carries the security capability of the first terminal device.
- the second terminal device determines the first encryption algorithm and the first integrity protection algorithm according to the security capability of the first terminal device and the security capability of the second terminal device.
- the first encryption algorithm can be used for signaling communication between the first terminal device and the first access network device.
- the first integrity protection algorithm can be used for signaling communication between the first terminal device and the first access network device.
- the communication request message also carries at least one item of information among the first service information, the second DNN, and the second slice information.
- the second terminal device determines, through the at least one item of information, whether the second terminal device can provide the service for the first terminal device. If the second terminal device can provide the service, the second terminal device performs step 404; otherwise, the second terminal device sends a rejection message to the first terminal device.
- the second terminal device sends a direct security mode command (direct security mode command, DSM Command) message to the first terminal device.
- the DSM Command message carries the first encryption algorithm and the first integrity protection algorithm.
- the DSM Command message also carries a first protection indication, for the first terminal device to verify whether the first protection indication in the DSM Command message is consistent with the first protection indication in the communication request message in step 403.
- the second terminal device performs integrity protection on the DSM Command message through the shared key between the first terminal device and the second terminal device.
- the first terminal device sends a direct security mode complete (direct security mode complete, DSM Complete) message to the second terminal device.
- the DSM Complete message carries the first security policy.
- the first terminal device receives the second protection indication carried in the DSM Command message, and determines a corresponding protection mechanism according to the second protection indication.
- the first terminal device verifies the integrity of the DSM Command message; if the verification succeeds, the first terminal device performs step 406; if the verification fails, the first terminal device sends a rejection message to the second terminal device.
- the first terminal device can perform integrity verification on the first protection indication carried in the DSM Command message through the shared key between the first terminal device and the second terminal device.
- the first security policy may also be carried in the communication request message in step 403 . If the first security policy is carried in the communication request message in step 403, the DSM Complete message in step 406 may not carry the first security policy. If the first security policy is carried in step 403 , step 407 may be performed before step 405 .
- the second terminal device determines the first security protection mode according to the first security policy, and uses the first security protection mode as the security protection mode used for the communication between the first terminal device and the second terminal device.
- Step 407 is similar to step 302 and step 303 in the aforementioned embodiment shown in FIG. 3 .
- the first security protection mode is an UP security protection mode between the first terminal device and the second terminal device.
- the second terminal device determines whether the second terminal device has a second security protection mode supported by the PDU session that is consistent with the first security protection mode, and if so, executes step 409; if not, executes step 410.
- Step 408 is similar to the description of the two possible situations of the first security protection mode and the second security protection mode in step 302 in the embodiment shown in FIG. 3. For details, please refer to the related introduction of the two possible situations of the first security protection mode and the second security protection mode in step 302 in the embodiment shown in FIG. 3, which will not be repeated here.
- the second terminal device sends the first security protection mode to the first terminal device.
- the second terminal device sends a first request message to the SMF network element.
- the SMF network element determines a third security policy according to the second parameter.
- the SMF network element sends a fourth message to the first access network device.
- the first access network device determines a fourth security protection mode according to the third security policy.
- the first access network device sends a fourth security protection mode to the second terminal device.
- Steps 409 to 414 are similar to steps 304 to 309 in the aforementioned embodiment shown in FIG. 3 .
- for steps 409 to 414, please refer to the related introductions of steps 304 to 309 in the aforementioned embodiment shown in FIG. 3, which will not be repeated here.
- the second terminal device sends the first security protection mode to the first terminal device.
- step 415 may also be performed before step 410, that is, performed after the second terminal device completes the establishment of the third PDU session or after the modification of the second PDU session is completed.
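The step 403 to 406 exchange (communication request, integrity-protected DSM Command, DSM Complete), including the check in step 406 that the echoed first protection indication matches the one sent in step 403, can be modelled as follows. This Python is an added illustration, not code from the patent: the message encoding, the use of HMAC-SHA256 as a stand-in integrity function, the constructed shared key and sample algorithm and service names, and the rule for choosing the second protection indication are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed placeholder for the shared key between the first and second
# terminal device; not a real key and not how the key is derived in practice.
SHARED_KEY = b"constructed-shared-key-ue1-ue2"

# The two protection mechanisms named in the text.
E2E, HOP_BY_HOP = "e2e", "hop-by-hop"


def compute_mac(key: bytes, message: dict) -> str:
    """Integrity tag over every field except the tag itself. HMAC-SHA256 over
    canonical JSON stands in for the negotiated integrity algorithm (assumption)."""
    body = {k: v for k, v in message.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_communication_request(indication, capability, service_info):
    """Step 403 on the first terminal device."""
    return {
        "type": "communication request",
        "first_protection_indication": indication,
        "security_capability": capability,  # supported encryption/integrity algorithms
        "first_service_information": service_info,
        "relay_indication": True,
    }


def relay_handle_request(req, relay_capability, relay_services, relay_mechanisms, key):
    """Steps 404 and 405 on the second terminal device: check the service can be
    served, pick the first algorithms from the common capabilities, derive the
    second protection indication and return an integrity-protected DSM Command."""
    if req["first_service_information"] not in relay_services:
        return {"type": "reject", "reason": "service not supported by relay"}
    common_enc = [a for a in req["security_capability"]["encryption"]
                  if a in relay_capability["encryption"]]
    common_int = [a for a in req["security_capability"]["integrity"]
                  if a in relay_capability["integrity"]]
    if not common_enc or not common_int:
        return {"type": "reject", "reason": "no common algorithm"}
    first_ind = req.get("first_protection_indication")
    # Assumed rule: use the requested mechanism if the relay supports it,
    # otherwise the relay's own first preference (relay_mechanisms is ordered).
    second_ind = first_ind if first_ind in relay_mechanisms else relay_mechanisms[0]
    cmd = {
        "type": "DSM Command",
        "first_encryption_algorithm": common_enc[0],
        "first_integrity_algorithm": common_int[0],
        "first_protection_indication": first_ind,  # echoed for UE1 to verify
        "second_protection_indication": second_ind,
    }
    cmd["mac"] = compute_mac(key, cmd)
    return cmd


def ue1_handle_dsm_command(cmd, sent_indication, key, first_security_policy):
    """Step 406 on the first terminal device: verify integrity, check the echoed
    first protection indication against the one sent in step 403, then answer
    with a DSM Complete carrying the first security policy."""
    if cmd.get("type") != "DSM Command":
        return cmd  # a rejection from the relay is passed back unchanged
    if not hmac.compare_digest(compute_mac(key, cmd), cmd.get("mac", "")):
        return {"type": "reject", "reason": "integrity verification failed"}
    if cmd["first_protection_indication"] != sent_indication:
        return {"type": "reject", "reason": "first protection indication mismatch"}
    return {"type": "DSM Complete",
            "first_security_policy": first_security_policy,
            "protection_mechanism": cmd["second_protection_indication"]}


def run_exchange(tamper=None, ue1_key=SHARED_KEY):
    """Drive the exchange on constructed sample values; `tamper` optionally
    modifies the DSM Command in transit to show the integrity check failing."""
    ue1_cap = {"encryption": ["enc-B", "enc-A"], "integrity": ["int-A"]}
    ue2_cap = {"encryption": ["enc-A"], "integrity": ["int-A", "int-B"]}
    req = build_communication_request(E2E, ue1_cap, "service-42")
    cmd = relay_handle_request(req, ue2_cap, {"service-42"}, [HOP_BY_HOP, E2E], SHARED_KEY)
    if tamper is not None:
        cmd = tamper(dict(cmd))
    policy = {"encryption": "required", "integrity": "preferred"}
    return ue1_handle_dsm_command(cmd, E2E, ue1_key, policy)
```

The integrity check runs before the echoed indication is compared, so a protected field altered in transit, or a key disagreement between the two devices, is rejected as an integrity failure; the indication mismatch branch is only reached for a DSM Command the relay actually produced.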
- the first terminal device receives a broadcast message sent by the second terminal device, where the broadcast message carries the first parameter; then, the first terminal device selects the second terminal device according to the first parameter. It can be seen from this that since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, the first terminal device can select the second terminal device according to the first parameter when selecting the second terminal device. A second terminal device that matches the security requirements of the first terminal device is selected, so that a certain program can meet the security requirements corresponding to the subsequent communication between the first terminal device and the network.
- the first terminal device sends the first security policy to the second terminal device; then, the second terminal device determines the first security protection mode according to the first security policy, uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, and then sends the first security protection mode to the first terminal device.
- the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, improving the security of data transmission.
- FIG. 5 is a schematic diagram of another embodiment of the communication method according to the embodiment of the present application.
- the communication method includes:
- the second terminal device sends a broadcast message to the first terminal device.
- the first terminal device selects the second terminal device according to the first parameter.
- the first terminal device sends a communication request message to the second terminal device.
- the second terminal device determines a second protection indication according to the communication request message.
- the second terminal device sends a DSM Command message to the first terminal device.
- the first terminal device sends a DSM Complete message to the second terminal device.
- the second terminal device determines a first security protection mode according to the first security policy, and uses the first security protection mode as a security protection mode adopted for the communication between the first terminal device and the second terminal device.
- the second terminal device determines whether the second terminal device has a second security protection mode supported by the PDU session that is consistent with the first security protection mode, and if so, executes step 509; if not, executes step 510.
- the second terminal device sends the first security protection mode to the first terminal device.
- Steps 501 to 509 are similar to steps 401 to 409 in the embodiment shown in FIG. 4 .
- the second terminal device sends a third request message to the first access network device.
- the third request message is similar to the first request message in step 305 in the embodiment shown in FIG. 3.
- the first access network device sends a fourth request message to the SMF network element.
- the fourth request message carries the first service information, the second DNN and the second slice information.
- after receiving the third request message, the first access network device determines the first security policy, the first security protection mode, the first service information, the second DNN and the second slice information carried in the third request message. Then, the first access network device sends a fourth request message to the SMF network element, where the fourth request message carries the first service information, the second DNN and the second slice information, but does not carry the first security policy or the first security protection mode.
- the SMF network element determines a third security policy according to the first service information.
- the third security policy is the security policy determined by the SMF network element and corresponding to the service to be used by the first terminal device.
- the third security policy is similar to the first security policy.
- the third security policy may be understood by referring to the relevant introduction of the first security policy in the embodiment shown in FIG. 2 .
- the SMF network element sends at least one of the following information to the UDM network element: first service information, second DNN and second slice information.
- the UDM network element acquires the corresponding subscription security policy through the at least one piece of information, and sends the subscription security policy to the SMF network element.
- the SMF network element uses the subscription security policy as the third security policy.
- the first access network device receives the eighth message sent by the SMF network element.
- the eighth message carries the third security policy.
- the first access network device determines a fourth security protection mode according to the third security policy.
- the third request message in step 510 also carries at least one item of information of the first security policy, the first security protection mode, and the third security policy.
- the first access network device determines a fourth security protection mode according to at least one item of information of the first security policy, the first security protection mode, and the third security policy.
- the specific determination method is similar to the way the first access network device determines the fourth security protection mode in the embodiment shown in FIG. 3; for details, please refer to the related introduction there, which will not be repeated here.
- the first access network device sends a fourth security protection mode to the second terminal device.
- Steps 514 to 515 are similar to steps 308 to 309 in the aforementioned embodiment shown in FIG. 3; please refer to the related introductions of steps 308 to 309 in the embodiment shown in FIG. 3, which will not be repeated here.
- the second terminal device sends the first security protection mode to the first terminal device.
- step 516 may also be performed before step 510, that is, performed after the second terminal device completes the establishment of the third PDU session or after the modification of the second PDU session is completed.
- the first terminal device receives a broadcast message sent by the second terminal device, and the broadcast message carries the first parameter; then, the first terminal device selects the second terminal device according to the first parameter. It can be seen from this that, since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, the first terminal device can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
- the first terminal device sends the first security policy to the second terminal device; then, the second terminal device determines the first security protection mode according to the first security policy, uses the first security protection mode as the security protection mode for data communication between the first terminal device and the second terminal device, and then sends the first security protection mode to the first terminal device.
- the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, improving the security of data transmission between the first terminal device and the first access network device.
- FIG. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application.
- the first terminal device may be configured to perform the steps performed by the first terminal device in the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 , and reference may be made to the relevant descriptions in the foregoing method embodiments.
- the first terminal device includes a transceiver module 601 and a processing module 602;
- a transceiver module 601 configured to receive a first message, where the first message carries a first parameter, where the first parameter is used to indicate security information for communication between the second terminal device and the first access network device;
- the processing module 602 is configured to select the second terminal device according to the first parameter, where the second terminal device is configured to provide a relay service for the communication between the first terminal device and the first access network device.
- the first parameter includes at least one of the following:
- the first PDU session is an established PDU session on the second terminal device
- the first indication information is the indication information of whether the first access network device supports the on-demand security protection mode
- the second indication information is used to indicate that the first access network device has the ability to support integrity protection
- the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
- the first DNN is the DNN for which the second terminal device supports providing the relay service
- the first slice information is information of the slice that the second terminal device supports to provide the relay service.
- processing module 602 is further configured to:
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device;
- the processing module 602 is specifically used for:
- the second terminal device is selected according to the first security policy and the first parameter.
- the first security policy indicates that integrity protection is required or tends to be preferred; the processing module 602 is specifically configured to:
- the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection, then select the second terminal device; or,
- the first parameter includes the type of the first access network device, and the type of the first access network device indicates that the first access network device has the ability to support enabling integrity protection, select the second terminal device; or,
- the first parameter includes the first indication information, and the first indication information indicates that the first access network device supports the on-demand protection mode, select the second terminal device; or,
- the second terminal device is selected.
- the first security policy indicates that encryption protection is required or tends to be preferred;
- the processing module 602 is specifically configured to:
- the second terminal device is selected.
- processing module 602 is specifically used for:
- the second terminal device is selected, and the second security policy is the security policy associated with the first DNN and/or the first slice information.
- the transceiver module 601 is further used for:
- the second message carries a second parameter, where the second parameter is used to indicate the security information of the communication between the third terminal device and the second access network device;
- the processing module 602 is specifically used for:
- the second terminal device is selected according to the first parameter and the second parameter.
- processing module 602 is specifically used for:
- the first parameter includes the first security protection mode supported by the first PDU session, and the first security protection mode is to enable integrity protection;
- the second parameter includes the second security protection mode supported by the second PDU session, and the second security protection mode is to not enable integrity protection;
- then the second terminal device is selected, where the first PDU session is an established PDU session on the second terminal device, and the second PDU session is an established PDU session on the third terminal device; or,
- if the second parameter includes third indication information and the third indication information indicates that the second access network device does not support the on-demand protection mode, the second terminal device is selected.
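The selection rules above, as an added illustration of how the first terminal device can match the broadcast first parameters of candidate relays against its first security policy (this is not code from the patent; the dataclass fields, the DNN/slice filter and the ranking weights are assumptions made here for the example):

```python
"""First terminal device side: select a relay (second terminal device) from the
broadcast first parameters of candidate relays, matched against the first
security policy of the service. Added illustration; the field names and the
ranking weights are assumptions, not the patent's text."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Policy(Enum):
    """First security policy for integrity protection of the service to be used."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class FirstParameter:
    """Security information carried in a candidate relay's broadcast (None = not carried)."""
    relay_id: str
    # first security protection mode of the established first PDU session (integrity on/off)
    pdu_session_integrity: Optional[bool] = None
    # type / second indication information: first access network device can enable integrity
    ran_supports_integrity: Optional[bool] = None
    # first indication information: first access network device supports on-demand protection
    ran_on_demand: Optional[bool] = None
    dnn: Optional[str] = None          # first DNN the relay serves
    slice_info: Optional[str] = None   # first slice information the relay serves


def integrity_evidence(p: FirstParameter) -> int:
    """Score how well the broadcast shows the integrity requirement can be met.
    A PDU session with integrity already enabled is the strongest evidence; on-demand
    support or RAN capability means it can still be enabled by a later session
    modification. The weights are an assumption used only for ranking."""
    score = 0
    if p.pdu_session_integrity is True:
        score += 4
    if p.ran_on_demand is True:
        score += 2
    if p.ran_supports_integrity is True:
        score += 1
    return score


def acceptable(policy: Policy, p: FirstParameter,
               dnn: Optional[str] = None, slice_info: Optional[str] = None) -> bool:
    """A candidate is usable if it serves the wanted DNN/slice (when given) and, for a
    REQUIRED policy, carries at least one indication that integrity can be enabled."""
    if dnn is not None and p.dnn != dnn:
        return False
    if slice_info is not None and p.slice_info != slice_info:
        return False
    if policy is Policy.REQUIRED:
        return integrity_evidence(p) > 0
    return True


def select_relay(policy: Policy, candidates: List[FirstParameter],
                 dnn: Optional[str] = None, slice_info: Optional[str] = None) -> Optional[str]:
    """Pick the relay whose first parameter best matches the first security policy.
    With NOT_NEEDED the first usable candidate is taken; with REQUIRED or PREFERRED the
    candidate with the strongest integrity evidence wins, so a relay whose session
    already enables integrity beats one whose session does not (the two-relay case)."""
    eligible = [c for c in candidates if acceptable(policy, c, dnn, slice_info)]
    if not eligible:
        return None
    if policy is Policy.NOT_NEEDED:
        return eligible[0].relay_id
    return max(eligible, key=integrity_evidence).relay_id


if __name__ == "__main__":
    # Constructed broadcasts from two candidate relays (sample data, not from the patent).
    ue2 = FirstParameter("UE2", pdu_session_integrity=True, ran_on_demand=True, dnn="internet")
    ue3 = FirstParameter("UE3", pdu_session_integrity=False, ran_on_demand=False, dnn="internet")
    print(select_relay(Policy.REQUIRED, [ue3, ue2]))  # UE2
```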
- the transceiver module 601 is further used for:
- the third message carries any of the following: first service information, first protection indication, second DNN, and second slice information, where the first service information is service information corresponding to the service to be used by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device;
- a second protection indication sent by the second terminal device is received, where the second protection indication is used to indicate a protection mechanism executed during data communication between the first terminal device and the first access network device.
- the transceiver module 601 receives a first message, where the first message carries a first parameter, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; then, the processing module 602 selects the second terminal device according to the first parameter. It can be seen from this that, since the first parameter is used to indicate the security information for communication between the second terminal device and the first access network device, the processing module 602 can use the first parameter to select a second terminal device that matches the security requirements of the first terminal device, so that the security requirements corresponding to the subsequent communication between the first terminal device and the network can be met to a certain extent.
- FIG. 7 is a schematic structural diagram of a second terminal device according to an embodiment of the present application.
- the second terminal device may be configured to perform the steps performed by the second terminal device in the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 , and reference may be made to the relevant descriptions in the foregoing method embodiments.
- the second terminal device includes a processing module 701 and a transceiver module 702 .
- the processing module 701 is configured to determine a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device.
- the transceiver module 702 is configured to send a first message, where the first message carries the first parameter.
- the first parameter includes at least one of the following:
- the first PDU session is an established PDU session on the second terminal device
- the first indication information is the indication information that the first access network device supports the on-demand security protection mode
- the second indication information is used to indicate that the first access network device has the ability to support integrity protection
- the digital signature is generated by the second terminal device through the private key of the second terminal device or the root certificate of the second terminal device
- the first DNN is the DNN for which the second terminal device supports providing the relay service
- the first slice information is information of the slice that the second terminal device supports to provide the relay service.
- the transceiver module 702 is further configured to:
- the second message carries a first security policy
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
- the processing module 701 is also used for:
- the first security protection mode as the security protection mode adopted for data communication between the first terminal device and the second terminal device;
- the transceiver module 702 is also used for:
- the transceiver module 702 is further configured to:
- the second message carries a first security policy
- the first security policy is a security policy determined by the first terminal device and corresponding to a service to be used by the first terminal device
- the processing module 701 is also used for:
- the third security protection mode as the security protection mode adopted for data communication between the second terminal device and the first access network device;
- the transceiver module 702 is also used for:
- the first security protection mode is consistent with the second security protection mode
- the second security protection mode is the security protection mode supported by the established second PDU session between the second terminal device and the first access network device.
- the first security protection mode being consistent with the second security protection mode includes:
- the second terminal device uses the second security protection mode supported by the second PDU session as the first security protection mode.
- the transceiver module 702 is further configured to:
- the first request message is used to request to modify the second PDU session or to request to establish a third PDU session
- the first request message carries a third parameter
- the third parameter is used to indicate the security information of the data communication between the first terminal device and the second terminal device, and the second security protection mode is the security protection mode supported by the established second PDU session between the second terminal device and the first access network device;
- the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device, and the fourth security protection mode is consistent with the first security protection mode.
- the first security protection mode being inconsistent with the second security protection mode includes:
- the second terminal device determines that the first security protection mode corresponding to the first security policy is inconsistent with the second security protection mode.
- the third parameter includes at least one of the following:
- the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
- the first service information is service information corresponding to the service to be used by the first terminal device
- the second DNN is the DNN to be accessed by the first terminal device
- the second slice information is information of the slice to be accessed by the first terminal device.
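The consistency check and the first request message described above, as an added illustration of the second terminal device's side (not code from the patent): the first security protection mode is derived from the first security policy, compared with the second security protection mode of the established second PDU session, and, when inconsistent, a request to modify that session or establish a third PDU session is built carrying the third parameter. The data structures, the "follow the existing session" rule for a preferred policy and the session bookkeeping are assumptions made here.

```python
"""Second terminal device (relay) side: derive the first security protection mode from
the first security policy, check it against the established second PDU session, and
build the first request message with the third parameter when they are inconsistent.
Added illustration; structures and the PREFERRED rule are assumptions, not the patent's text."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class ProtectionMode:
    """A security protection mode: whether integrity and ciphering are enabled."""
    integrity: bool
    ciphering: bool


@dataclass
class PduSession:
    session_id: int
    dnn: str               # DNN served by this established session
    slice_info: str        # slice served by this established session
    mode: ProtectionMode   # second security protection mode supported by the session


def mode_from_policy(policy: Dict[str, Policy], existing: Optional[ProtectionMode]) -> ProtectionMode:
    """First security protection mode derived from the first security policy.
    REQUIRED turns a protection on, NOT_NEEDED turns it off. For PREFERRED the existing
    session's setting is kept (assumed rule: it avoids a PDU session modification when
    the policy allows either choice)."""
    def decide(p: Policy, current: bool) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return current
    base = existing or ProtectionMode(integrity=False, ciphering=False)
    return ProtectionMode(decide(policy["integrity"], base.integrity),
                          decide(policy["ciphering"], base.ciphering))


def handle_first_security_policy(policy: Dict[str, Policy], sessions: List[PduSession],
                                 service_info: str, dnn: str, slice_info: str
                                 ) -> Tuple[ProtectionMode, Optional[dict]]:
    """Return (first security protection mode, first request message or None).
    The message is None when an established second PDU session for the wanted DNN and
    slice already supports a consistent mode; otherwise it requests modifying that
    session, or establishing a third PDU session when none serves the DNN and slice."""
    serving = [s for s in sessions if s.dnn == dnn and s.slice_info == slice_info]
    existing = serving[0].mode if serving else None
    first_mode = mode_from_policy(policy, existing)
    if existing == first_mode:
        # Consistent: the second security protection mode is used as the first one.
        return first_mode, None
    # Inconsistent: the third parameter goes to the SMF in the first request message.
    third_parameter = {
        "first_service_information": service_info,
        "second_dnn": dnn,
        "second_slice_information": slice_info,
        "first_security_policy": {k: v.value for k, v in policy.items()},
        "first_security_protection_mode": first_mode,
    }
    request = {
        "type": "modify" if serving else "establish",
        "pdu_session_id": serving[0].session_id if serving else None,
        "third_parameter": third_parameter,
    }
    return first_mode, request


def apply_fourth_mode(sessions: List[PduSession], request: dict,
                      first_mode: ProtectionMode, fourth_mode: ProtectionMode) -> PduSession:
    """Apply the fourth security protection mode returned by the first access network
    device to the modified or newly established session. The negotiation exists so that
    the fourth mode equals the first mode; anything else is rejected."""
    if fourth_mode != first_mode:
        raise ValueError("fourth security protection mode inconsistent with the first")
    if request["type"] == "modify":
        for s in sessions:
            if s.session_id == request["pdu_session_id"]:
                s.mode = fourth_mode
                return s
        raise KeyError("second PDU session to modify not found")
    tp = request["third_parameter"]
    new_id = max((s.session_id for s in sessions), default=0) + 1
    third = PduSession(new_id, tp["second_dnn"], tp["second_slice_information"], fourth_mode)
    sessions.append(third)
    return third
```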
- the transceiver module 702 is further configured to:
- the third message carries at least one of the following information: first service information, second DNN, second slice information and first protection indication, where the first service information is service information corresponding to the service to be used by the first terminal device, the second DNN is the DNN to be accessed by the first terminal device, the second slice information is the information of the slice to be accessed by the first terminal device, and the first protection indication is used to indicate the protection mechanism that the first terminal device expects to be executed during data communication between the first terminal device and the first access network device;
- the processing module 701 is also used for:
- the second protection indication is used to indicate a protection mechanism to be executed during data communication between the first terminal device and the first access network device;
- the transceiver module 702 is also used for:
- processing module 701 is further used for:
- if the second terminal device does not receive a protection indication sent by the first terminal device, determine a second protection indication, where the second protection indication is used to indicate the protection mechanism executed during data communication between the first terminal device and the first access network device;
- the transceiver module 702 is also used for:
- the processing module 701 determines a first parameter, wherein the second terminal device supports the function of providing a relay service, and the first parameter is used to indicate security information for communication between the second terminal device and the first access network device; the transceiver module 702 sends a first message, where the first message carries the first parameter.
- the first terminal device can determine the first security protection mode between the first terminal device and the second terminal device, and the first security protection mode is then used to determine the security protection mode between the second terminal device and the first access network device, so that the security protection mode between the first terminal device and the second terminal device is consistent with the security protection mode between the second terminal device and the first access network device, improving the security of data transmission.
- FIG. 8 is a schematic structural diagram of an SMF network element according to an embodiment of the present application.
- the SMF network element may be used to perform all or part of the steps performed by the SMF network element in the embodiments shown in FIG. 3 , FIG. 4 , and FIG. 5 , and reference may be made to the relevant descriptions in the foregoing method embodiments.
- the SMF network element includes a transceiver module 801 and a processing module 802 .
- a transceiver module 801 configured to receive a first request message sent by a second terminal device, where the first request message is used to request to modify the second PDU session or to request the establishment of a third PDU session, and the first request message carries a third parameter, the third parameter being used to indicate the security information of the data communication between the first terminal device and the second terminal device;
- a processing module 802 configured to determine a third security policy according to the third parameter, where the third security policy is a security policy corresponding to the service to be used by the first terminal device determined by the SMF network element;
- the transceiver module 801 is configured to send a fourth message to the first access network device, where the fourth message carries the third security policy.
- the third parameter includes at least one of the following:
- the first service information, the second DNN, the second slice information, the first security policy, and the first security protection mode
- the first service information is service information corresponding to the service to be used by the first terminal device
- the second DNN is the DNN to be accessed by the first terminal device
- the second slice information is information of the slice to be accessed by the first terminal device.
- processing module 802 is specifically used for:
- the SMF network element receives the subscription security policy sent by the UDM network element;
- processing module 802 is specifically used for:
- the third security policy is determined according to at least one item of information in the first security policy and the first security protection manner.
- the fourth message further carries at least one of the following: the first security policy and the first security protection manner.
- the transceiver module 801 receives the first request message sent by the second terminal device, the processing module 802 determines a third security policy according to the first request message, and the third security policy is sent to the first access network device, so that the first access network device can determine the fourth security protection mode according to the third security policy and the fourth security protection mode is consistent with the first security protection mode, thereby realizing the negotiation of the first security protection mode between the first terminal device and the second terminal device and the fourth security protection mode between the second terminal device and the first access network device.
- FIG. 9 is a schematic structural diagram of a first access network device according to an embodiment of the present application.
- the first access network device may be configured to perform the steps performed by the first access network device in the embodiments shown in FIG. 3 , FIG. 4 , and FIG. 5 , and reference may be made to the relevant descriptions in the foregoing method embodiments.
- the first access network device includes a transceiver module 901 and a processing module 902 .
- the transceiver module 901 is configured to receive a second message sent by the SMF network element, where the second message carries a third security policy, and the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device;
- a processing module 902 configured to determine a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode adopted for data communication between the second terminal device and the first access network device;
- the transceiver module 901 is configured to send the fourth security protection mode to the second terminal device.
- the second message also carries at least one of the following: the first security policy, the first security protection mode; the processing module 902 is specifically configured to:
- the fourth security protection mode is determined according to the third security policy and the first security protection mode; or,
- a fourth security protection mode is determined according to the third security policy and the first security policy; or,
- a fourth security protection mode is determined according to the third security policy, the first security protection mode and the first security policy.
- the transceiver module 901 receives a second message sent by an SMF network element, where the second message carries a third security policy, and the third security policy is the security policy, determined by the SMF network element, corresponding to the service to be used by the first terminal device; the processing module 902 determines a fourth security protection mode according to the third security policy, where the fourth security protection mode is the security protection mode used for data communication between the second terminal device and the first access network device; the transceiver module 901 sends the fourth security protection mode to the second terminal device.
- the fourth security protection mode is a security protection mode used for data communication between the second terminal device and the first access network device, so that the negotiation of the first security protection mode and the fourth security protection mode is achieved.
- A possible schematic structural diagram of the first terminal device is shown below through FIG. 10.
- FIG. 10 shows a schematic structural diagram of a simplified first terminal device.
- the first terminal device takes a mobile phone as an example.
- the first terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input and output device.
- the processor is mainly used to process communication protocols and communication data, control terminal equipment, execute software programs, and process data of software programs.
- the memory is mainly used to store software programs and data.
- the radio frequency circuit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
- Antennas are mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
- Input and output devices, such as touch screens, display screens, and keyboards, are mainly used to receive data input by users and output data to users. It should be noted that some types of first terminal devices may not have input and output devices.
- when data needs to be sent, the processor performs baseband processing on the data to be sent, and outputs the baseband signal to the radio frequency circuit.
- the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal through the antenna in the form of electromagnetic waves.
- the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
- only one memory and processor are shown in FIG. 10 . In an actual end device product, there may be one or more processors and one or more memories.
- the memory may also be referred to as a storage medium or a storage device or the like.
- the memory may be set independently of the processor, or may be integrated with the processor, which is not limited in this embodiment of the present application.
- the antenna and radio frequency circuit with a transceiver function can be regarded as a transceiver unit of the first terminal device
- the processor with a processing function can be regarded as a processing unit of the first terminal device.
- the first terminal device includes a transceiver unit 1010 and a processing unit 1020 .
- the transceiving unit may also be referred to as a transceiver, a transceiving device, or the like.
- the processing unit may also be referred to as a processor, a processing single board, a processing module, a processing device, and the like.
- the device for implementing the receiving function in the transceiver unit 1010 may be regarded as a receiving unit, and the device for implementing the transmitting function in the transceiver unit 1010 may be regarded as a transmitting unit, that is, the transceiver unit 1010 includes a receiving unit and a transmitting unit.
- the transceiver unit may also sometimes be referred to as a transceiver or a transceiver circuit.
- the receiving unit may also sometimes be referred to as a receiver or a receiving circuit, or the like.
- the transmitting unit may also sometimes be referred to as a transmitter or a transmitting circuit, or the like.
- transceiving unit 1010 is configured to perform the sending and receiving operations of the first terminal device in the above method embodiments
- processing unit 1020 is configured to perform other operations on the first terminal device in the above method embodiments except the transceiving operations.
- the transceiver unit 1010 is configured to perform the transceiver operation of the first terminal device in step 202 in FIG. 2 , and/or the transceiver unit 1010 is further configured to perform the other sending and receiving steps of the first terminal device in this embodiment of the present application.
- When the terminal device is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input/output circuit or a communication interface
- the processing unit may be a processor or a microprocessor or an integrated circuit or a logic circuit integrated on the chip.
- FIG. 10 may also be reused: the structure shown in FIG. 10 may also be used to perform all or part of the steps performed by the second terminal device in the foregoing method embodiments, and reference may be made to the relevant descriptions in the foregoing method embodiments.
- the present application also provides an SMF network element. Please refer to FIG. 11 , which is another schematic structural diagram of the SMF network element in the embodiment of the present application. For the steps performed by the SMF network element, reference may be made to the relevant descriptions in the foregoing method embodiments.
- the SMF network element includes: a processor 1101 and a memory 1102 .
- the SMF network element further includes a transceiver 1103 .
- the processor 1101, the memory 1102 and the transceiver 1103 are respectively connected through a bus, and the memory stores computer instructions.
- the processing module 802 in the foregoing embodiment may specifically be the processor 1101 in this embodiment, so the specific implementation of the processor 1101 will not be described again.
- the transceiver module 801 in the foregoing embodiment may specifically be the transceiver 1103 in this embodiment, so the specific implementation of the transceiver 1103 will not be described again.
- the present application also provides a first access network device. Please refer to FIG. 12 , which is another schematic structural diagram of the first access network device in the embodiment of the present application.
- For the steps performed by the first access network device in the embodiments shown in FIG. 4 and FIG. 5 , reference may be made to the relevant descriptions in the foregoing method embodiments.
- the first access network device includes: a processor 1201 and a memory 1202 .
- the first access network device further includes a transceiver 1203 .
- the processor 1201, the memory 1202 and the transceiver 1203 are respectively connected through a bus, and the memory stores computer instructions.
- the processing module 902 in the foregoing embodiment may specifically be the processor 1201 in this embodiment, so the specific implementation of the processor 1201 will not be described again.
- the transceiver module 901 in the foregoing embodiment may specifically be the transceiver 1203 in this embodiment, so the specific implementation of the transceiver 1203 will not be described again.
- an embodiment of the present application further provides a communication system, where the communication system includes a first terminal device as shown in FIG. 6 and a second terminal device as shown in FIG. 7 .
- the first terminal device shown in FIG. 6 is used to perform all or part of the steps performed by the first terminal device in the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 and FIG. 5
- the second terminal device shown in FIG. 7 is configured to perform all or part of the steps performed by the second terminal device in the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 and FIG. 5 .
- the communication system further includes the SMF network element shown in FIG. 8 and the first access network device shown in FIG. 9 .
- the SMF network element shown in FIG. 8 is used to perform all or part of the steps performed by the SMF network element in the embodiments shown in FIG. 3 , FIG. 4 and FIG. 5
- the first access network device shown in FIG. 9 is used to perform all or part of the steps performed by the first access network device in the embodiments shown in FIG. 3 , FIG. 4 and FIG. 5 .
- Embodiments of the present application also provide a computer program product including instructions, which, when executed on a computer, cause the computer to execute the communication methods of the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 .
- Embodiments of the present application further provide a computer-readable storage medium including computer instructions, which, when executed on a computer, cause the computer to execute the communication methods of the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 .
- An embodiment of the present application further provides a chip device, which includes a processor, which is connected to a memory and calls a program stored in the memory, so that the processor executes the communication method of the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 , and FIG. 5 .
- the processor mentioned in any of the above can be a general-purpose central processing unit, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for executing the program of the communication method of the embodiments shown in FIG. 2 , FIG. 3 , FIG. 4 and FIG. 5 .
- the memory mentioned in any one of the above can be read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (random access memory, RAM), and the like.
- the disclosed system, apparatus and method may be implemented in other manners.
- the apparatus embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or may be integrated into another system, or some features may be ignored or not implemented.
- the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
- the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
- the technical solutions of the present application, in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage medium includes: a U disk, a removable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disk and other media that can store program codes.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present application relate to a communication method and apparatus. The method comprises the following steps: a first terminal device acquires a first parameter, the first parameter being used to indicate security information of the communication between a second terminal device and a first access network device; and the first terminal device selects the second terminal device according to the first parameter. By implementing the solution proposed in the present invention, the first terminal can select, according to the first parameter, the second terminal that provides a relay service between the first terminal device and the first access network device, so as to satisfy the requirement of the first terminal for communicating with the network through the second terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/105761 WO2022021198A1 (fr) | 2020-07-30 | 2020-07-30 | Procédé et appareil de communication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/105761 WO2022021198A1 (fr) | 2020-07-30 | 2020-07-30 | Procédé et appareil de communication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022021198A1 true WO2022021198A1 (fr) | 2022-02-03 |
Family
ID=80036921
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/105761 WO2022021198A1 (fr) | 2020-07-30 | 2020-07-30 | Procédé et appareil de communication |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2022021198A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105848083A (zh) * | 2015-01-13 | 2016-08-10 | 中兴通讯股份有限公司 | 一种实现通信的方法、终端及系统 |
CN105992275A (zh) * | 2015-02-13 | 2016-10-05 | 联想(北京)有限公司 | 信息处理方法及电子设备 |
EP3282719A1 (fr) * | 2015-04-08 | 2018-02-14 | China Academy of Telecommunications Technology | Procédé et dispositif pour déterminer et utiliser un noeud de relais de dispositif à dispositif (d2d) |
CN111277963A (zh) * | 2014-11-07 | 2020-06-12 | 华为技术有限公司 | 一种建立连接的方法、设备及系统 |
2020
- 2020-07-30 WO PCT/CN2020/105761 patent/WO2022021198A1/fr active Application Filing
Non-Patent Citations (1)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on system enhancement for Proximity based Services (ProSe) in the 5G System (5GS) (Release 17)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 23.752, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.4.0, 25 June 2020 (2020-06-25), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 121, XP051924131 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3493601B1 (fr) | Sélection d'une tranche de réseau | |
US20240179118A1 (en) | Edge Service Obtaining Method and Apparatus | |
US20240064514A1 (en) | Delegated data connection | |
US11871223B2 (en) | Authentication method and apparatus and device | |
WO2021136211A1 (fr) | Procédé et dispositif pour déterminer un résultat d'autorisation | |
WO2020253408A1 (fr) | Appareil et procédé d'authentification secondaire | |
CN114423029B (zh) | 服务质量参数调整方法、设备及存储介质 | |
TWI799064B (zh) | 一種金鑰標識的生成方法以及相關裝置 | |
CN113038590B (zh) | 时间同步方法、电子设备及存储介质 | |
US20230048066A1 (en) | Slice authentication method and apparatus | |
WO2021254172A1 (fr) | Procédé de communication et appareil associé | |
EP4135376A1 (fr) | Procédé et dispositif de communication sécurisée | |
EP3654726B1 (fr) | Procédé et dispositif de transmission répétée de données | |
EP4147065A1 (fr) | Génération d'un rapport de mesure à partir de signaux de référence de positionnement | |
WO2021195900A1 (fr) | Procédé et appareil de vérification de dispositifs terminaux | |
CN112789896B (zh) | 切换传输路径的方法及装置 | |
WO2023016160A1 (fr) | Procédé d'établissement de session et appareil associé | |
WO2022021198A1 (fr) | Procédé et appareil de communication | |
WO2022048265A1 (fr) | Procédé de détermination de clé de couche application, terminal, dispositif côté réseau et appareil | |
WO2023246457A1 (fr) | Procédé de négociation de décision de sécurité et élément de réseau | |
EP4156741A1 (fr) | Procédé et appareil de vérification de service de tranche | |
WO2022067769A1 (fr) | Procédé de communication et dispositif associé | |
WO2024067398A1 (fr) | Procédé et dispositif de traitement de service d'urgence | |
CN117223303A (zh) | 通信方法、设备及存储介质 | |
CN117062055A (zh) | 安全保护方法及通信装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20946547 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 20946547 Country of ref document: EP Kind code of ref document: A1 |