WO2022089314A1 - Data processing method and apparatus - Google Patents

Data processing method and apparatus

Info

Publication number
WO2022089314A1
Authority
WO
WIPO (PCT)
Prior art keywords
integrity protection
indication information
pdu session
network device
terminal device
Prior art date
Application number
PCT/CN2021/125668
Other languages
English (en)
Chinese (zh)
Inventor
朱春晖
Original Assignee
展讯半导体(南京)有限公司
Priority date
Filing date
Publication date
Application filed by 展讯半导体(南京)有限公司
Publication of WO2022089314A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity

Definitions

  • the embodiments of the present application relate to the field of communications technologies, and in particular, to a data processing method and apparatus.
  • Integrity is a necessary technical means to ensure that information or data is not tampered with by unauthorized devices or can be quickly discovered after tampering.
  • When the receiver receives the data sent by the sender, it can also receive the security parameters sent by the sender, and the receiver then calculates its own security parameters. When the two are equal, the integrity protection is successful and the data has not been tampered with. When the receiver finds that the two are not equal, it considers that the integrity protection has failed and discards the corresponding received data.
  • the above solution can find the data packets with problems, but the subsequently received data packets may still be tampered with, and the security risk is relatively high.
  • Embodiments of the present application provide a data processing method and apparatus, so as to reduce the security risk of data transmission.
  • an embodiment of the present application provides a data processing method, including:
  • After the integrity protection fails, the terminal device sends first indication information to the first network device, where the first indication information indicates that the integrity protection fails;
  • the terminal device receives a PDU session deactivation instruction from the first network device, and deactivates the PDU session according to the PDU session deactivation instruction.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs
  • the cell deregistration request includes the first indication information
  • the first indication information indicates that all PDU integrity protection fails
  • the cell deregistration request is used to request disconnection from the first cell and to request the first network device to deactivate all PDU sessions.
  • the method further includes:
  • the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is a re-registration after the integrity protection fails.
  • the integrity protection failure is a partial PDU integrity protection failure
  • sending the first indication information to the first network device includes:
  • the partial PDU session deactivation request includes the first indication information
  • the first indication information indicates that the integrity protection of the partial PDU fails
  • the partial PDU session deactivation request is used to request the first network device to deactivate the PDU session whose integrity protection fails.
  • the method further includes:
  • the terminal device sends a PDU session re-establishment request to the first network device, where the PDU session re-establishment request includes third indication information, and the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the method further includes:
  • the PDU session re-establishment response the PDU whose integrity protection fails is re-established.
  • the method further includes:
  • the method further includes:
  • sending a cell deregistration request to the first network device includes:
  • the cell de-registration request is sent to the first network device.
  • sending a partial PDU session deactivation request to the first network device includes:
  • the partial PDU session deactivation request is sent to the first network device.
  • an embodiment of the present application provides a data processing method, including:
  • the first network device receives first indication information from the terminal device, where the first indication information indicates that the integrity protection fails;
  • the first network device sends a PDU session deactivation instruction to the terminal device according to the first indication information, where the PDU session deactivation instruction instructs the terminal device to deactivate the PDU session.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; receiving the first indication information from the terminal device includes:
  • a cell de-registration request is received from the terminal device, the cell de-registration request includes the first indication information, the first indication information indicates that all PDU integrity protection fails, and the cell de-registration request is used to request that the terminal device be disconnected from the first cell and that all PDU sessions be deactivated.
  • the method further includes:
  • a cell registration request is received from the terminal device, where the cell registration request is used to request the terminal device to establish a connection with a second cell, the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is a re-registration after the integrity protection fails.
  • the integrity protection failure is a partial PDU integrity protection failure; receiving the first indication information from the terminal device includes:
  • a partial PDU session deactivation request is received from the terminal device, the partial PDU session deactivation request includes the first indication information, the first indication information indicates that the partial PDU integrity protection fails, and the partial PDU session deactivation request is used to request deactivation of the PDU sessions whose integrity protection fails.
  • the method further includes:
  • a PDU session re-establishment request is received from the terminal device, where the PDU session re-establishment request includes third indication information, where the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the method further includes:
  • a PDU session re-establishment response is sent to the terminal device, where the PDU session re-establishment response instructs the terminal device to re-establish the PDU whose integrity protection fails.
  • the method further includes:
  • the method further includes:
  • an embodiment of the present application provides a data processing apparatus, including:
  • a sending module configured to send first indication information to the first network device after the integrity protection fails, where the first indication information indicates that the integrity protection fails;
  • a receiving module configured to receive a PDU session deactivation instruction from the first network device, and deactivate the PDU session according to the PDU session deactivation instruction.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; the sending module is specifically configured to:
  • the cell deregistration request includes the first indication information
  • the first indication information indicates that all PDU integrity protection fails
  • the cell deregistration request is used to request disconnection from the first cell and to request the first network device to deactivate all PDU sessions.
  • the sending module is further configured to:
  • the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is a re-registration after the integrity protection failure.
  • the integrity protection failure is a partial PDU integrity protection failure; the sending module is specifically configured to:
  • the partial PDU session deactivation request includes the first indication information
  • the first indication information indicates that the integrity protection of the partial PDU fails
  • the partial PDU session deactivation request is used to request the first network device to deactivate the PDU session for which the integrity protection fails.
  • the sending module is further configured to:
  • the terminal device sends a PDU session re-establishment request to the first network device, where the PDU session re-establishment request includes third indication information, and the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the receiving module is further configured to:
  • the PDU session re-establishment response the PDU whose integrity protection fails is re-established.
  • the receiving module is further configured to:
  • the receiving module is further configured to:
  • the sending module is specifically used for:
  • the cell de-registration request is sent to the first network device.
  • the sending module is specifically used for:
  • the partial PDU session deactivation request is sent to the first network device.
  • an embodiment of the present application provides a data processing device, including:
  • a receiving module configured to receive first indication information from the terminal device after the integrity protection fails, where the first indication information indicates that the integrity protection fails;
  • a sending module configured to send a PDU session deactivation instruction to the terminal device according to the first indication information, where the PDU session deactivation instruction instructs the terminal device to deactivate the PDU session.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; the receiving module is specifically configured to:
  • a cell de-registration request is received from the terminal device, the cell de-registration request includes the first indication information, the first indication information indicates that all PDU integrity protection fails, and the cell de-registration request is used to request that the terminal device be disconnected from the first cell and that all PDU sessions be deactivated.
  • the receiving module is further configured to:
  • the cell registration request is used to request the terminal device to establish a connection with a second cell
  • the cell registration request includes second indication information
  • the second indication information indicates that the cell registration request is a re-registration after the integrity protection fails.
  • the integrity protection failure is a partial PDU integrity protection failure; the receiving module is specifically configured to:
  • a partial PDU session deactivation request is received from the terminal device, the partial PDU session deactivation request includes the first indication information, the first indication information indicates that the partial PDU integrity protection fails, and the partial PDU session deactivation request is used to request deactivation of the PDU sessions whose integrity protection fails.
  • the receiving module is further configured to:
  • a PDU session re-establishment request is received from the terminal device, where the PDU session re-establishment request includes third indication information, where the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the sending module is further configured to:
  • a PDU session re-establishment response is sent to the terminal device, where the PDU session re-establishment response instructs the terminal device to re-establish the PDU whose integrity protection fails.
  • the receiving module is further configured to:
  • the sending module is further configured to:
  • an embodiment of the present application provides a terminal device, including:
  • a processor configured to execute the program stored in the memory, and when the program is executed, the processor is configured to execute the data processing method according to any one of the first aspects.
  • an embodiment of the present application provides a network device, including:
  • a processor configured to execute the program stored in the memory, and when the program is executed, the processor is configured to execute the data processing method according to any one of the second aspects.
  • embodiments of the present application provide a computer-readable storage medium, including instructions, which, when executed on a computer, cause the computer to execute the data processing method according to any one of the first to second aspects.
  • After the integrity protection fails, the terminal device sends the first indication information to the first network device, then receives the PDU session deactivation instruction from the first network device, and deactivates the PDU session according to the PDU session deactivation instruction, performing a deactivation operation on the PDU. Therefore, in the subsequent data transmission process, the terminal device and the first network device stop transmitting data through the PDUs that fail the integrity protection, so that data failing integrity protection is no longer received in subsequent transmission, reducing the security risks during data transmission.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a data processing method provided by an embodiment of the present application.
  • FIG. 3 is a signaling diagram 1 of a data processing solution provided by an embodiment of the present application.
  • FIG. 4 is a signaling diagram 2 of the data processing solution provided by the embodiment of the present application.
  • FIG. 5 is a signaling diagram 3 of the data processing solution provided by the embodiment of the present application.
  • FIG. 6 is a signaling diagram 4 of the data processing solution provided by the embodiment of the present application.
  • FIG. 7 is a signaling diagram 5 of the data processing solution provided by the embodiment of the present application.
  • FIG. 8 is a signaling diagram 6 of the data processing solution provided by the embodiment of the present application.
  • FIG. 9 is a schematic flowchart of a data processing method provided by an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram 1 of a data processing apparatus provided by an embodiment of the present application.
  • FIG. 11 is a second schematic structural diagram of a data processing apparatus provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • Terminal equipment usually has a wireless transceiver function. It can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; it can also be deployed on water (such as on ships); it can also be deployed in the air (such as on aircraft, balloons and satellites).
  • The terminal device may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, in-vehicle terminal equipment, a wireless terminal in self driving, wireless terminal equipment in remote medical, wireless terminal equipment in smart grid, wireless terminal equipment in transportation safety, wireless terminal equipment in smart city, wireless terminal equipment in smart home, wearable terminal equipment, etc.
  • The terminal equipment involved in the embodiments of this application may also be referred to as a terminal, user equipment (UE), access terminal equipment, vehicle-mounted terminal, industrial control terminal, UE unit, UE station, mobile station, remote station, remote terminal equipment, mobile equipment, UE terminal equipment, wireless communication equipment, UE proxy or UE device, etc.
  • Terminal devices can also be stationary or mobile.
  • A network device usually has a wireless transceiver function, and the network device may have mobile characteristics; for example, the network device may be a mobile device.
  • the network device may be a satellite or a balloon station.
  • The satellite may be a low earth orbit (LEO) satellite, a medium earth orbit (MEO) satellite, a geostationary earth orbit (GEO) satellite, a High Elliptical Orbit (HEO) satellite, etc.
  • the network device may also be a base station located on land, water, etc.
  • The network device may be a next generation NodeB (gNB) or a next generation-evolved NodeB (ng-eNB).
  • The gNB provides the user plane function and control plane function of the new radio interface (NR) for the UE, and the ng-eNB provides the user plane function and control plane function of the evolved universal terrestrial radio access (E-UTRA) for the UE. It should be noted that gNB and ng-eNB are only names, used to indicate base stations supporting the 5G network system, and have no limiting significance.
  • The network device may also be a base transceiver station (BTS) in a GSM system or a CDMA system, a NodeB (NB) in a WCDMA system, or an evolutional Node B (eNB or eNodeB) in an LTE system.
  • The network device may also be a relay station, an access point, a vehicle-mounted device, a wearable device, a network-side device in a network after 5G, a network device in a future evolved PLMN network, a roadside site unit (RSU), etc.
  • Integrity protection is a necessary technical means to ensure that information or data is not tampered with without authorization or can be quickly discovered after tampering.
  • The integrity protection algorithm of the air interface is the same as the confidentiality protection algorithm, but the parameters and the calculation process are different.
  • The length of the security parameter required for integrity protection is 32 bits (4 bytes).
  • The receiver receives the security parameters sent by the sender, and the receiver calculates its own security parameters. If the two are equal, this indicates that the integrity protection is successful and the data has not been tampered with.
  • PDCP: Packet Data Convergence Protocol.
  • NAS: Non-access stratum.
  • PDU: Packet Data Unit.
  • UPIP: User Plane Integrity Protection.
  • gNB: gNodeB, base station.
  • AMF: Access and Mobility Function.
  • SMF: Session Management Function.
  • UPF: User Plane Function.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application. As shown in FIG. 1, it includes a terminal device 11 and a network device 12.
  • Data transmission and interaction can be performed between the terminal device 11 and the network device 12.
  • the terminal device 11 can act as a receiver to receive data sent by the network device 12.
  • the network device 12 is the sender.
  • the terminal device 11 can also act as a sender to send data to the network device 12, and at this time, the network device acts as a receiver.
  • The following description takes the terminal device 11 as the receiver and the network device 12 as the sender as an example.
  • When the terminal device 11 receives the data, it can also receive the security parameters sent by the network device 12.
  • The terminal device 11 also calculates its own security parameters.
  • If the security parameters calculated by the terminal device 11 itself are equal to the security parameters received from the network device 12, this indicates that the integrity protection of the data is successful, the data has not been tampered with, and it can be successfully received.
  • The solution adopted is to directly discard the tampered data. This processing method only finds the problematic data, and subsequent data may still be tampered with. It cannot handle the situation in which subsequent data is still tampered with, so the security risk of data transmission still exists.
  • a reason for the failure of integrity protection is that the network device 12 connected to the terminal device 11 is a pseudo base station, so the data received by the terminal device 11 is tampered data. After the terminal device 11 detects that the data sent by the pseudo base station has been tampered with, if the data is directly discarded, the subsequent pseudo base station will still send the tampered data to the terminal device 11, and the security risk of data transmission still exists. Therefore, directly discarding the data cannot fundamentally solve the problem of integrity protection failure.
  • the embodiments of the present application provide a data processing method to reduce the security risk of data transmission.
  • FIG. 2 is a schematic flowchart of a data processing method provided by an embodiment of the present application. As shown in FIG. 2 , the method may include:
  • After the integrity protection fails, the terminal device sends first indication information to the first network device, where the first indication information indicates that the integrity protection fails.
  • The terminal device may be a receiver of data, or may be a sender of data. If the terminal device is the receiver of the data, the terminal device can receive data from the network device and receive security parameters from the first network device at the same time, and then judge whether the integrity protection fails according to the security parameters sent by the first network device and its own security parameters. If the terminal device is the sender of the data and the first network device is the receiver of the data, after receiving the data sent by the terminal device, the first network device determines whether the integrity protection fails, and informs the terminal device of the result of the integrity protection.
  • After the integrity protection fails, the terminal device sends first indication information to the first network device, indicating that the integrity protection fails.
  • the terminal device receives a PDU session deactivation instruction from the first network device, and deactivates the PDU session according to the PDU session deactivation instruction.
  • the first network device can learn that the integrity protection fails.
  • The integrity protection failure may be that the terminal device detects that the integrity protection of the data sent by the first network device fails, or it may be that the first network device detects that the integrity protection of the data sent by the terminal device fails.
  • the first network device will send a PDU session deactivation instruction to the terminal device, and after receiving the PDU session deactivation instruction, the terminal device deactivates the PDU session, that is, performs a PDU deactivation operation.
  • the terminal device can deactivate all PDU sessions, that is, perform deactivation operations on all PDUs.
  • the terminal device may only deactivate the part of the PDU sessions whose integrity protection fails, that is, perform a deactivation operation on some PDUs.
  • The terminal device sends the first indication information to the first network device, then receives the PDU session deactivation instruction from the first network device, and deactivates the PDU session according to the PDU session deactivation instruction, performing a deactivation operation on the PDU. Therefore, in the subsequent data transmission process, the terminal device and the first network device stop transmitting data through the PDU that fails the integrity protection, so that data failing integrity protection is no longer received in subsequent transmission, reducing the security risks during data transmission.
  • Integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the terminal device may send a cell de-registration request to the first network device, and the cell de-registration request includes first indication information indicating that all PDU integrity protection fails.
  • the cell de-registration request is used to request to disconnect from the first cell, where the first cell is the cell to which the terminal device initially connects. After the terminal device is disconnected from the first cell and performs the deregistration operation, all PDU sessions are deactivated, that is, the deactivation operation is performed on all PDUs.
  • cell reselection and re-registration may be performed.
  • the terminal device may send a cell registration request to the first network device, establish a connection with the second cell, and perform a re-registration operation.
  • the cell registration request may include second indication information, indicating that the cell registration request is re-registration after integrity protection failure.
  • The terminal device may send a partial PDU session deactivation request to the first network device, and the partial PDU session deactivation request may include first indication information indicating that the partial PDU integrity protection failed.
  • the terminal device may deactivate the partial PDU sessions whose integrity protection fails, that is, perform a deactivation operation on the PDUs whose integrity protection fails.
  • the user can also control the terminal device to perform PDU session reconstruction according to actual needs.
  • the terminal device may send a PDU session re-establishment request to the first network device, where the PDU session re-establishment request includes third indication information, indicating that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the third indication information may indicate that the PDU session re-establishment request is the re-establishment after the integrity protection of all PDU sessions fails.
  • the third indication information may indicate that the PDU session re-establishment request is for the re-establishment of the PDU session whose partial integrity protection has failed.
  • the terminal device may initiate the above process after detecting the integrity protection failure, or the first network device may instruct the terminal device to initiate the above process after detecting the integrity protection failure.
  • If the data transmission direction is the downlink data direction from the first network device to the terminal device, the terminal device needs to notify the NAS layer after detecting that the PDCP integrity protection fails, and the NAS layer initiates cell deregistration or PDU session deactivation.
  • If the data transmission direction is the uplink data direction from the terminal device to the first network device, after the first network device detects that the PDCP integrity protection fails, it needs to notify the terminal device or the second network device, and the terminal device or the second network device initiates cell deregistration or PDU session deactivation.
  • the detection process may be that when the first network device sends data to the terminal device, it also sends the first security parameter to the network device.
  • the terminal device receives the first security parameter from the first network device, and calculates its own second security parameter. When the first security parameter is different from the second security parameter, it is determined that the integrity protection of the terminal device fails.
  • the first network device may send fourth indication information to the terminal device, and the terminal device learns that the integrity protection of the first network device fails after receiving the fourth indication information from the first network device .
  • the integrity protection failure of the first network device may be a partial PDU integrity protection failure, or a complete PDU integrity protection failure.
  • the terminal device may initiate the process of reestablishing the partial PDU session.
  • the terminal device may initiate cell de-registration, cell reselection, and cell re-registration procedures.
  • the first network device may also notify the AMF, and the AMF controls the terminal device to perform the above operations.
  • the first network device may notify the second network device, the second network device sends a cell deregistration instruction to the terminal device, and the terminal device, according to the cell deregistration instruction, sends a cell de-registration request to the first network device and performs a cell de-registration operation.
  • the first network device may notify the second network device, the second network device sends a PDU session deactivation instruction to the terminal device, and the terminal device receives the PDU session deactivation instruction from the second network device and, according to the PDU session deactivation instruction, sends a partial PDU session deactivation request to the first network device and performs a partial PDU session deactivation operation.
  • since both the UE and the gNB may be the receiver or the sender of data, the following describes in detail examples in which the UE and the gNB are the receiver or the sender respectively.
  • UE represents the terminal device
  • gNB represents the first network device
  • AMF/SMF/UPF represents the second network device.
  • the case where the UE is the receiver of data and the gNB is the sender of data is described as an example with reference to FIG. 3 and FIG. 4.
  • Fig. 3 is signaling diagram 1 of the data processing solution provided by the embodiment of the present application, which illustrates the situation when the UE acts as the receiver, the gNB acts as the sender, and the UE detects that all PDU sessions have failed integrity protection. As shown in FIG. 3, it includes:
  • the UE sends a cell de-registration request to the gNB.
  • the cell de-registration request may include first indication information, where the first indication information indicates that integrity protection failure has occurred in all PDU sessions of the UE.
  • the gNB sends a cell de-registration request to the AMF.
  • after receiving the cell de-registration request sent by the UE, the gNB forwards the cell de-registration request to the AMF.
  • the AMF sends a PDU session deactivation request to the SMF/UPF.
  • after receiving the cell de-registration request, the AMF can learn that the integrity protection failure has occurred in all PDU sessions of the UE according to the first indication information.
  • the AMF sends a PDU session deactivation request to the SMF/UPF, requesting that all PDUs be deactivated.
  • the SMF/UPF sends a PDU session deactivation response to the AMF.
  • the UE can deactivate all PDU sessions, that is, perform deactivation operations on all PDUs.
  • the AMF sends a cell de-registration response to the gNB.
  • the gNB sends a cell de-registration response to the UE.
  • the UE performs cell deregistration.
  • after receiving the cell de-registration response, the UE can perform the cell de-registration operation and start cell reselection.
  • the UE initiates cell reselection, and reselects to access a new cell.
  • the UE initiates cell re-registration.
  • the UE may send a cell registration request to the gNB, for example, may register with the second cell and establish a connection with the second cell.
  • the reason for re-registering the cell may be carried in the cell registration request.
  • the second indication information may be carried in the cell registration request, indicating that the cell registration request is re-registration after integrity protection failure.
  • the UE initiates PDU session re-establishment.
  • the UE may initiate PDU session re-establishment. Specifically, the UE may send a PDU session re-establishment request to the gNB to re-establish all PDU sessions.
  • the reason for the PDU session re-establishment may be carried in the PDU session re-establishment request.
  • the third indication information may be carried in the PDU session re-establishment request, indicating that the PDU session re-establishment request is the re-establishment after the integrity protection failure.
  • Fig. 4 is signaling diagram 2 of the data processing solution provided by the embodiment of the present application, which illustrates the situation when the UE acts as the receiver, the gNB acts as the sender, and the UE detects that some PDU sessions have failed integrity protection. As shown in FIG. 4, it includes:
  • the UE sends a partial PDU session deactivation request to the gNB.
  • the gNB sends a partial PDU session deactivation request to the AMF.
  • the AMF sends a partial PDU session deactivation request to the SMF/UPF.
  • the SMF/UPF sends a partial PDU session deactivation response to the AMF.
  • the partial PDU session deactivation request includes first indication information, indicating that the partial PDU integrity protection fails.
  • the AMF sends a partial PDU session deactivation response to the gNB.
  • the PDU session whose integrity protection fails may be deactivated, that is, a deactivation operation is performed on the PDU whose integrity protection fails.
  • the UE initiates partial PDU session re-establishment.
  • the UE may be controlled by the user to initiate partial PDU session re-establishment according to actual needs. Specifically, the UE may send a PDU session re-establishment request to the gNB to re-establish part of the PDU session.
  • the reason for the PDU session re-establishment may be carried in the PDU session re-establishment request.
  • the third indication information may be carried in the PDU session re-establishment request, indicating that the PDU session re-establishment request is the re-establishment after the integrity protection fails.
  • Fig. 5 is signaling diagram 3 of the data processing solution provided by the embodiment of the present application, which illustrates the situation when the UE acts as the sender, the gNB acts as the receiver, and the gNB detects that the integrity protection fails in all PDU sessions. As shown in FIG. 5, it includes:
  • the gNB sends fourth indication information to the UE.
  • with the gNB as the receiver, the data direction is the uplink data direction, in which the UE sends data to the gNB.
  • the gNB may send fourth indication information to the UE, indicating that the gNB detects that the integrity protection fails.
  • the UE receives fourth indication information.
  • after receiving the fourth indication information, the UE learns that the integrity protection failure has occurred in all PDU sessions.
  • the UE performs a cell de-registration operation.
  • the UE may initiate a cell de-registration operation. For specific steps, reference may be made to the embodiment illustrated in FIG. 3 , which will not be repeated here.
  • FIG. 6 is signaling diagram 4 of the data processing scheme provided by the embodiment of the present application, which illustrates the situation when the UE acts as the sender, the gNB acts as the receiver, and the gNB detects that the integrity protection fails in all PDU sessions. As shown in FIG. 6, it includes:
  • the gNB sends fourth indication information to the AMF.
  • after the gNB receives the data sent by the UE, if it detects that the integrity protection fails, the gNB can send a fourth indication message to the AMF in addition to sending the fourth indication message to the UE, to notify the AMF that integrity protection failure has occurred in all PDU sessions.
  • the AMF receives the fourth indication information.
  • the AMF learns that the integrity protection failure has occurred in all PDU sessions.
  • the AMF sends a cell de-registration instruction to the UE.
  • the AMF sends a cell de-registration instruction to the UE, instructing the UE to perform the de-registration operation.
  • the UE receives a cell de-registration instruction.
  • the UE performs a cell de-registration operation.
  • after receiving the cell de-registration instruction, the UE sends a cell de-registration request to the gNB according to the cell de-registration instruction, and performs the cell de-registration operation.
  • for specific steps, reference may be made to the embodiment illustrated in FIG. 3, which will not be repeated here.
  • Fig. 7 is signaling diagram 5 of the data processing solution provided by the embodiment of the present application, which illustrates the situation when the UE acts as the sender, the gNB acts as the receiver, and the gNB detects that some PDU sessions have failed integrity protection. As shown in FIG. 7, it includes:
  • the gNB sends fourth indication information to the UE.
  • with the gNB as the receiver, the data direction is the uplink data direction, in which the UE sends data to the gNB.
  • the gNB may send fourth indication information to the UE, indicating that the gNB detects that the integrity protection fails.
  • the UE receives fourth indication information.
  • after receiving the fourth indication information, the UE learns that the integrity protection failure occurs in some PDU sessions.
  • the UE performs a partial PDU session deactivation operation.
  • the UE may initiate a partial PDU session deactivation operation after learning that the integrity protection failure occurs in some of the PDU sessions. For specific steps, reference may be made to the embodiment illustrated in FIG. 4, which will not be repeated here.
  • Fig. 8 is signaling diagram 6 of the data processing solution provided by the embodiment of the present application, which illustrates the situation when the UE acts as the sender, the gNB acts as the receiver, and the gNB detects that the integrity protection fails for some PDU sessions. As shown in FIG. 8, it includes:
  • the gNB sends fourth indication information to the AMF.
  • after the gNB receives the data sent by the UE, if it detects that the integrity protection fails, the gNB can send the fourth indication message to the UE, and the gNB can also choose to send the fourth indication message to the AMF to notify the AMF that integrity protection failure has occurred in some PDU sessions.
  • the AMF receives the fourth indication information.
  • the AMF learns that integrity protection failures occur in some PDU sessions.
  • the AMF sends a PDU session deactivation instruction to the UE.
  • the AMF sends a PDU session deactivation instruction to the UE, instructing the UE to perform a PDU session deactivation operation for integrity protection failure.
  • the UE receives the PDU session deactivation instruction.
  • the UE performs a PDU session deactivation operation.
  • after receiving the PDU session deactivation instruction, the UE sends a partial PDU session deactivation request to the gNB according to the PDU session deactivation instruction, and performs a partial PDU session deactivation operation.
  • FIG. 9 is a schematic flowchart of a data processing method provided by an embodiment of the present application. As shown in FIG. 9 , the method may include:
  • the first network device receives first indication information from the terminal device, where the first indication information indicates that the integrity protection fails;
  • the first network device sends a PDU session deactivation instruction to the terminal device according to the first indication information, where the PDU session deactivation instruction instructs the terminal device to deactivate the PDU session.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; receiving the first indication information from the terminal device includes:
  • a cell de-registration request is received from the terminal device, the cell de-registration request includes the first indication information, the first indication information indicates that all PDU integrity protection fails, and the cell de-registration request is used to request that the terminal device be disconnected from the first cell and that all PDU sessions be deactivated.
  • the method further includes:
  • the cell registration request is used to request the terminal device to establish a connection with a second cell, the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is re-registration after the integrity protection fails.
  • the integrity protection failure is a partial PDU integrity protection failure; receiving the first indication information from the terminal device includes:
  • the partial PDU session deactivation request includes the first indication information, the first indication information indicates that the partial PDU integrity protection fails, and the partial PDU session deactivation request is used to request deactivation of the PDU sessions for which integrity protection fails.
  • the method further includes:
  • a PDU session re-establishment request is received from the terminal device, where the PDU session re-establishment request includes third indication information, where the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the method further includes:
  • a PDU session re-establishment response is sent to the terminal device, where the PDU session re-establishment response instructs the terminal device to re-establish the PDU whose integrity protection fails.
  • the method further includes:
  • the method further includes:
  • the solution illustrated in FIG. 9 corresponds to the execution steps on the first network device side corresponding to the solution illustrated in FIG. 2 .
  • the terminal device sends the first indication information to the first network device, then receives the PDU session deactivation instruction from the first network device and deactivates the PDU session according to the PDU session deactivation instruction. Therefore, in the subsequent data transmission process, the terminal device and the first network device stop data transmission through the PDU that fails the integrity protection, so that data whose integrity protection fails is no longer received in the subsequent data transmission process. At the same time, if integrity protection fails for all PDU sessions, cell de-registration and cell reselection can also be performed to avoid connecting to the original problematic cell.
  • the terminal device can also initiate PDU connection re-establishment. By carrying indication information in the PDU connection re-establishment to indicate that the PDU is re-established after the integrity protection fails, the network device can learn the reason for the PDU re-establishment and take corresponding security measures, reducing security risks during data transmission.
  • FIG. 10 is a schematic structural diagram 1 of a data processing apparatus provided by an embodiment of the present application. As shown in FIG. 10 , the data processing apparatus 100 includes:
  • a sending module 101 configured to send first indication information to a first network device after the integrity protection fails, where the first indication information indicates that the integrity protection fails;
  • the receiving module 102 is configured to receive a PDU session deactivation instruction from the first network device, and deactivate the PDU session according to the PDU session deactivation instruction.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; the sending module 101 is specifically configured to:
  • the cell deregistration request includes the first indication information, the first indication information indicates that all PDU integrity protection fails, and the cell deregistration request is used to request disconnection from the first cell and to request the first network device to deactivate all PDU sessions.
  • the sending module 101 is further configured to:
  • the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is a re-registration after the integrity protection failure.
  • the integrity protection failure is a partial PDU integrity protection failure; the sending module 101 is specifically configured to:
  • the partial PDU session deactivation request includes the first indication information, the first indication information indicates that the integrity protection of the partial PDU fails, and the partial PDU session deactivation request is used to request the first network device to deactivate the PDU session for which the integrity protection fails.
  • the sending module 101 is further configured to:
  • the terminal device sends a PDU session re-establishment request to the first network device, where the PDU session re-establishment request includes third indication information, and the third indication information indicates that the PDU session re-establishment request is a re-establishment after an integrity protection failure.
  • the receiving module 102 is further configured to:
  • the PDU session re-establishment response the PDU whose integrity protection fails is re-established.
  • the receiving module 102 is further configured to:
  • the receiving module 102 is further configured to:
  • the sending module 101 is specifically configured to:
  • the cell de-registration request is sent to the first network device.
  • the sending module 101 is specifically configured to:
  • the partial PDU session deactivation request is sent to the first network device.
  • the data processing apparatus provided in the embodiment of the present application is used to execute the above method embodiments, and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
  • FIG. 11 is a second schematic structural diagram of a data processing apparatus provided by an embodiment of the present application. As shown in FIG. 10 , the data processing apparatus 110 includes:
  • a receiving module 111 configured to receive first indication information from the terminal device after the integrity protection fails, where the first indication information indicates that the integrity protection fails;
  • the sending module 112 is configured to send a PDU session deactivation instruction to the terminal device according to the first indication information, where the PDU session deactivation instruction instructs the terminal device to deactivate the PDU session.
  • the integrity protection failure includes all PDU integrity protection failures and partial PDU integrity protection failures.
  • the integrity protection failure is an integrity protection failure of all PDUs; the receiving module 111 is specifically configured to:
  • a cell de-registration request is received from the terminal device, the cell de-registration request includes the first indication information, the first indication information indicates that all PDU integrity protection fails, and the cell de-registration request is used to request that the terminal device be disconnected from the first cell and that all PDU sessions be deactivated.
  • the receiving module 111 is further configured to:
  • a cell registration request is received from the terminal device, where the cell registration request is used to request the terminal device to establish a connection with a second cell, the cell registration request includes second indication information, and the second indication information indicates that the cell registration request is re-registration after the integrity protection fails.
  • the integrity protection failure is a partial PDU integrity protection failure; the receiving module 111 is specifically configured to:
  • a partial PDU session deactivation request is received from the terminal device, the partial PDU session deactivation request includes the first indication information, the first indication information indicates that the partial PDU integrity protection fails, and the partial PDU session deactivation request is used to request deactivation of the PDU sessions for which integrity protection fails.
  • the receiving module 111 is further configured to:
  • a PDU session re-establishment request is received from the terminal device, where the PDU session re-establishment request includes third indication information, where the third indication information indicates that the PDU session re-establishment request is a re-establishment after integrity protection failure.
  • the sending module 112 is further configured to:
  • a PDU session re-establishment response is sent to the terminal device, where the PDU session re-establishment response instructs the terminal device to re-establish the PDU whose integrity protection fails.
  • the receiving module 111 is further configured to:
  • the sending module 112 is further configured to:
  • the data processing apparatus provided in the embodiment of the present application is used to execute the above method embodiments, and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
  • FIG. 12 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • the terminal device 120 may include: a transceiver 121 , a memory 122 , and a processor 123 .
  • the transceiver 121 may include: a transmitter and/or a receiver.
  • the transmitter may also be referred to as a transmitter, transmitter, transmit port, or transmit interface, or the like, and the receiver may be referred to as a receiver, receiver, receive port, or receive interface, or the like.
  • the transceiver 121 , the memory 122 , and the processor 123 are connected to each other through the bus 124 .
  • memory 122 for storing program instructions
  • the processor 123 is configured to execute the program instructions stored in the memory, so as to make the terminal device 120 execute any of the data processing methods shown above.
  • the receiver of the transceiver 121 may be used to perform the receiving function of the terminal device in the above data processing method.
  • FIG. 13 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • the network device 130 may include: a transceiver 131 , a memory 132 , and a processor 133 .
  • the transceiver 131 may include: a transmitter and/or a receiver.
  • the transmitter may also be referred to as a transmitter, transmitter, transmit port, or transmit interface, or the like, and the receiver may be referred to as a receiver, receiver, receive port, or receive interface, or the like.
  • the transceiver 131 , the memory 132 , and the processor 133 are connected to each other through the bus 134 .
  • memory 132 for storing program instructions
  • the processor 133 is configured to execute the program instructions stored in the memory, so as to make the network device 130 execute any of the data processing methods shown above.
  • the receiver of the transceiver 131 may be used to perform the receiving function of the network device in the above data processing method.
  • Embodiments of the present application provide a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and when the computer-executable instructions are executed by a processor, are used to implement the above data processing method.
  • Embodiments of the present application may further provide a computer program product, which can be executed by a processor, and when the computer program product is executed, can implement any of the data processing methods performed by the terminal device shown above.
  • the data transmission device, the computer-readable storage medium, and the computer program product of the embodiments of the present application can execute the data processing method executed by the terminal device or the network device.
  • the specific implementation process and beneficial effects thereof are referred to above, and are not repeated here.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the aforementioned computer program may be stored in a computer-readable storage medium.
  • when the computer program is executed by the processor, it implements the steps including the above method embodiments; and the aforementioned storage medium includes: ROM, RAM, magnetic disk or optical disk and other mediums that can store program codes.
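
The downlink check (comparing the received first security parameter with the locally computed second one) and the signalling that follows it in FIG. 3, FIG. 4 and FIG. 9 can be sketched as below. This is an added example, not code from the patent: the truncated HMAC-SHA256 standing in for the security parameter, all message and field names, and the sample key and packets are assumptions constructed for illustration.

```python
import hashlib
import hmac

MAC_LEN = 4  # assumption: 32-bit tag; the page does not fix a length


def security_parameter(key, session_id, count, payload):
    """Stand-in for the page's 'security parameter': truncated HMAC-SHA256
    over session id, packet counter and payload (the algorithm is an assumption)."""
    header = session_id.to_bytes(1, "big") + count.to_bytes(4, "big")
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


class Terminal:
    """Hypothetical terminal-side state: active PDU sessions and failed checks."""

    def __init__(self, key, active):
        self.key = key
        self.active = set(active)   # ids of active PDU sessions
        self.failed = set()         # sessions on which a check has failed

    def receive(self, session_id, count, payload, first_param):
        """Recompute the second parameter and compare it in constant time."""
        second_param = security_parameter(self.key, session_id, count, payload)
        ok = hmac.compare_digest(first_param, second_param)
        if not ok:
            self.failed.add(session_id)   # discard the data, remember the session
        return ok

    def failure_report(self):
        """Build the request that carries the first indication information."""
        failed = self.failed & self.active
        if not failed:
            return None
        if failed == self.active:         # FIG. 3: every PDU session failed
            return {"msg": "cell_deregistration_request",
                    "first_indication": "all", "sessions": sorted(failed)}
        return {"msg": "partial_pdu_session_deactivation_request",   # FIG. 4
                "first_indication": "partial", "sessions": sorted(failed)}

    def apply_instruction(self, instruction):
        """Deactivate the named sessions, then return the follow-up requests
        carrying the second and third indication information."""
        dropped = set(instruction["sessions"]) & self.active
        self.active -= dropped
        self.failed -= dropped
        followups = []
        if not self.active:               # nothing left: re-register on a new cell
            followups.append({"msg": "cell_registration_request",
                              "second_indication": "after_integrity_failure"})
        followups.append({"msg": "pdu_session_reestablishment_request",
                          "third_indication": "after_integrity_failure",
                          "sessions": sorted(dropped)})
        return followups


def network_handle(report, known_sessions):
    """First network device side (FIG. 9): map the first indication to a PDU
    session deactivation instruction, ignoring session ids it does not know."""
    if report["first_indication"] == "all":
        targets = set(known_sessions)
    else:
        targets = set(report["sessions"]) & set(known_sessions)
    return {"msg": "pdu_session_deactivation_instruction", "sessions": sorted(targets)}


def demo():
    key = bytes(range(16))                # constructed sample key
    ue = Terminal(key, {1, 2, 3})
    packets = [(1, 0, b"video"), (2, 0, b"voice"), (3, 0, b"telemetry")]
    for sid, count, payload in packets:
        tag = security_parameter(key, sid, count, payload)   # sender side
        if sid == 2:
            payload = b"vOice"            # constructed modification in transit
        ue.receive(sid, count, payload, tag)
    report = ue.failure_report()
    instruction = network_handle(report, {1, 2, 3})
    return report, instruction, ue.apply_instruction(instruction), sorted(ue.active)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only session 2 fails in the constructed run, so the terminal takes the partial path of FIG. 4 and keeps sessions 1 and 3 active; when every active session fails, the same code takes the de-registration path of FIG. 3.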

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present application provide a data processing method and apparatus. The method includes the following steps: after integrity protection fails, a terminal device sends first indication information to a first network device, the first indication information indicating that the integrity protection has failed; the terminal device receives a PDU session deactivation instruction from the first network device and, according to the PDU session deactivation instruction, deactivates the PDU session. The method reduces the security risk of data transmission.
PCT/CN2021/125668 2020-10-28 2021-10-22 Data processing method and apparatus WO2022089314A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011173738.X 2020-10-28
CN202011173738.XA CN114513319B (zh) 2020-10-28 2020-10-28 Data processing method and apparatus

Publications (1)

Publication Number Publication Date
WO2022089314A1 true WO2022089314A1 (fr) 2022-05-05

Family

ID=81383600

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/125668 WO2022089314A1 (fr) 2020-10-28 2021-10-22 Data processing method and apparatus

Country Status (2)

Country Link
CN (1) CN114513319B (fr)
WO (1) WO2022089314A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810899A (zh) * 2017-04-28 2018-11-13 维沃移动通信有限公司 Integrity detection method, terminal and network side device
CN110651491A (zh) * 2017-06-14 2020-01-03 三星电子株式会社 Method and user equipment for handling integrity check failure of PDCP PDU
US20200169887A1 (en) * 2017-06-16 2020-05-28 Telefonaktiebolaget Lm Ericsson (Publ) Systems and methods for the handling of data radio bearer integrity protection failure in nr
CN111315039A (zh) * 2018-12-24 2020-06-19 维沃移动通信有限公司 Method for handling integrity protection failure and terminal

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108400997A (zh) * 2017-02-06 2018-08-14 电信科学技术研究院 Session management method, terminal, management function entity and access network node
CN110035437B (zh) * 2018-01-11 2021-02-23 电信科学技术研究院 User plane data security protection method and apparatus
CN111031571B (zh) * 2018-10-09 2022-01-14 华为技术有限公司 Method and apparatus for network slice access control
WO2020183236A1 (fr) * 2019-03-08 2020-09-17 Lenovo (Singapore) Pte. Ltd. Security mode integrity verification

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "Integrity protection and Counter Check Procedure for NR", 3GPP DRAFT; R2-1807979, vol. RAN WG2, 11 May 2018 (2018-05-11), Busan, Korea, pages 1 - 2, XP051465048 *

Also Published As

Publication number Publication date
CN114513319A (zh) 2022-05-17
CN114513319B (zh) 2023-11-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21885041

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21885041

Country of ref document: EP

Kind code of ref document: A1