WO2023010531A1 - Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus - Google Patents

Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus Download PDF

Info

Publication number
WO2023010531A1
WO2023010531A1 PCT/CN2021/111198 CN2021111198W WO2023010531A1 WO 2023010531 A1 WO2023010531 A1 WO 2023010531A1 CN 2021111198 W CN2021111198 W CN 2021111198W WO 2023010531 A1 WO2023010531 A1 WO 2023010531A1
Authority
WO
WIPO (PCT)
Prior art keywords
algorithm
integrity protection
rrc connection
protection algorithm
terminal device
Prior art date
Application number
PCT/CN2021/111198
Other languages
French (fr)
Chinese (zh)
Inventor
施饶
Original Assignee
北京小米移动软件有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京小米移动软件有限公司 filed Critical 北京小米移动软件有限公司
Priority to PCT/CN2021/111198 priority Critical patent/WO2023010531A1/en
Priority to CN202180002389.1A priority patent/CN115943724A/en
Publication of WO2023010531A1 publication Critical patent/WO2023010531A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/19Connection re-establishment

Definitions

  • the present application relates to the field of communication technologies, and in particular to a security enhancement method for radio resource control (RRC) connection recovery, a communication device and a storage medium.
  • RRC radio resource control
  • RRC Radio Resource Control, radio resource control
  • Embodiments of the present application provide a security enhancement method and communication device for radio resource control RRC connection recovery, which can be applied to NR networks, and perform capability negotiation through terminal equipment and network equipment, so that both parties have the same algorithm capability and message integrity
  • the verification information of the verification code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
  • the embodiment of the present application provides a security enhancement method for radio resource control RRC connection recovery, the method is applied to a terminal device, and the method includes:
  • the input parameter of the integrity verification code is used to perform integrity protection verification on the RRC connection recovery request message.
  • the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have the same Algorithm capabilities, so that the check information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
  • the determining the algorithm capability supported by the network device includes:
  • the network device determine the algorithm capability supported by the network device.
  • the determining the algorithm capability supported by the network device includes:
  • the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable; response After receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
  • the determining the algorithm capability supported by the network device further includes:
  • the algorithm capability supported by the network device is determined by judging whether the capability indication information sent by the network device is received, and thus the capability negotiation is performed between the terminal device and the network device so that both parties have the same algorithm capability , so that the check information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • the first computing capability indication information is used to notify the terminal device that the network device supports a first integrity protection algorithm; according to the first computing capability indication information, Determine the algorithm capabilities supported by the network equipment, including:
  • the algorithm capability supported by the network device is to support the first integrity protection algorithm.
  • the terminal device supports the first integrity protection algorithm; according to the algorithm capability supported by the network device, the target integrity protection corresponding to the algorithm capability is selected Algorithms, including:
  • a first integrity protection algorithm corresponding to the algorithm capability is selected.
  • performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code includes:
  • the terminal device does not support the first integrity protection algorithm; according to the algorithm capability supported by the network device, select the target integrity protection algorithm corresponding to the algorithm capability Algorithms, including:
  • the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
  • performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code includes:
  • a message integrity verification code performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; and according to the first computing capability indication information, determining the Algorithm capabilities supported by the above network devices, including:
  • the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; according to the algorithm capability supported by the network device, select The target integrity protection algorithm corresponding to the algorithm capability includes: selecting a second integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
  • performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
  • a message integrity verification code performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the increased variable at least includes any one of the following A) to F):
  • the method further includes:
  • the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
  • the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
  • the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
  • the manner of sending the capability indication information to the network device includes at least any one of the following: sending the message through the security mode; sending the UE capability information message through the terminal device; sending through the UE auxiliary information; Incoming message 5Msg5; initial access message 3Msg3; initial access message 1Msg1.
  • the method further includes:
  • the embodiment of the present application provides another security enhancement method for radio resource control RRC connection recovery, wherein the method is applied to a network device, and the method includes:
  • the input parameters include at least one or more of the following: key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID , temporary identifier C-RNTI and increase variable.
  • the determining the algorithm capability supported by the terminal device includes:
  • the algorithm capability supported by the terminal device is determined.
  • the determining the algorithm capability supported by the terminal device includes:
  • the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable; response After receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
  • the determining the algorithm capability supported by the terminal device further includes:
  • the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; according to the second computing capability indication information, Determine the algorithm capabilities supported by the terminal device, including:
  • the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
  • the network device supports the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, the target integrity protection corresponding to the algorithm capability is selected
  • the algorithm includes: selecting a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
  • the variable is to calculate a message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the network device does not support the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, the target integrity protection algorithm corresponding to the algorithm capability is selected
  • the protection algorithm includes: selecting a second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include a key Key RRCint , a bearer ID, a data transmission direction, Count COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
  • performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
  • a message integrity verification code performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm;
  • the step of determining the algorithm capability supported by the terminal device includes: determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm.
  • the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, select The target integrity protection algorithm corresponding to the algorithm capability includes: selecting a second integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • the performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code includes: using The second integrity protection algorithm calculates the message according to the key RRCint , the bearer ID, the data transmission direction, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI.
  • Integrity verification code performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the increased variable at least includes any one of the following A) to F):
  • the method further includes:
  • the network device send first computing capability indication information to the terminal device, where the first computing capability indication information is used to notify the terminal device whether the network device supports the first An integrity protection algorithm.
  • the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is to support the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the terminal device.
  • the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is that the first integrity protection algorithm is not supported, and capability indication information that the first integrity protection algorithm is not supported is sent to the terminal device.
  • the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is that the first integrity protection algorithm is not supported, and capability indication information for whether the first integrity protection algorithm is supported is not sent.
  • the manner of sending the capability indication information to the terminal includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
  • the method further includes:
  • the terminal device For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and when cell reselection occurs in the inactive state, respond to the The terminal device recovers the RRC connection in the non-anchor cell, and receives a request message for extracting the context of the terminal device sent by a new network device in the non-anchor cell; wherein the request message for extracting the context of the terminal device includes the first complete input parameters required by the integrity protection algorithm; using the first integrity protection algorithm and the input parameters required to perform integrity protection verification on the recovery of the RRC connection.
  • the embodiment of this application provides a communication device, which has some or all functions of the terminal equipment in the method described in the first aspect above, for example, the functions of the communication device may have part or all of the functions in this application
  • the functions in the embodiments may also have the functions of independently implementing any one of the embodiments in the present application.
  • the functions described above may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a determination module, a selection module, a transceiver module, and a processing module, and the determination module is configured to support the communication device to perform corresponding functions in the above methods.
  • the selection module is configured to support the communication device to perform corresponding functions in the above methods.
  • the processing module is configured to support the communication device to perform corresponding functions in the above methods.
  • the transceiver module is used to support communication between the communication device and other equipment.
  • the communication device may further include a storage module, which is used to be coupled with the transceiver module and the processing module, and stores necessary computer programs and data of the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory
  • the embodiment of the present application provides another communication device, which can implement some or all of the functions of the network equipment in the method example described in the second aspect above, for example, the functions of the communication device can have some of the functions in this application Or the functions in all the embodiments may also have the function of implementing any one embodiment in the present application alone.
  • the functions described above can be realized by hardware, and can also be realized by executing corresponding software by hardware.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a determination module, a selection module, a transceiver module, and a processing module, and the determination module is configured to support the communication device to perform corresponding functions in the above methods.
  • the selection module is configured to support the communication device to perform corresponding functions in the above methods.
  • the processing module is configured to support the communication device to perform corresponding functions in the above methods.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may further include a storage module, which is used to be coupled with the transceiver module and the processing module, and stores necessary computer programs and data of the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory
  • an embodiment of the present application provides a communication device, where the communication device includes a processor, and when the processor invokes a computer program in a memory, it executes the method described in the first aspect above.
  • an embodiment of the present application provides a communication device, where the communication device includes a processor, and when the processor invokes a computer program in a memory, it executes the method described in the second aspect above.
  • the embodiment of the present application provides a communication device, the communication device includes a processor and a memory, and a computer program is stored in the memory; the processor executes the computer program stored in the memory, so that the communication device executes The method described in the first aspect above.
  • the embodiment of the present application provides a communication device, the communication device includes a processor and a memory, and a computer program is stored in the memory; the processor executes the computer program stored in the memory, so that the communication device executes The method described in the second aspect above.
  • the embodiment of the present application provides a communication device, the device includes a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to make the The device executes the method described in the first aspect above.
  • the embodiment of the present application provides a communication device, the device includes a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to make the The device executes the method described in the second aspect above.
  • the embodiment of the present application provides a communication system, the system includes the communication device described in the third aspect and the communication device described in the fourth aspect, or the system includes the communication device described in the fifth aspect and The communication device described in the sixth aspect, or, the system includes the communication device described in the seventh aspect and the communication device described in the eighth aspect, or, the system includes the communication device described in the ninth aspect and the communication device described in the tenth aspect the communication device described above.
  • the embodiment of the present invention provides a computer-readable storage medium, which is used to store instructions used by the above-mentioned terminal equipment, and when the instructions are executed, the terminal equipment executes the above-mentioned first aspect. method.
  • an embodiment of the present invention provides a readable storage medium for storing instructions used by the above-mentioned network equipment, and when the instructions are executed, the network equipment executes the method described in the above-mentioned second aspect .
  • the present application further provides a computer program product including a computer program, which, when run on a computer, causes the computer to execute the method described in the first aspect above.
  • the present application further provides a computer program product including a computer program, which, when run on a computer, causes the computer to execute the method described in the second aspect above.
  • the present application provides a computer program that, when run on a computer, causes the computer to execute the method described in the first aspect above.
  • the present application provides a computer program that, when run on a computer, causes the computer to execute the method described in the second aspect above.
  • FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 2 is a flowchart of a security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application
  • FIG. 3 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application
  • FIG. 4 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 5 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 6 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 7 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 8 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • Fig. 11 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the PDCP Packet Date Convergence Protocol, packet data convergence protocol
  • MAC-I Message Authentication Code Integrity, integrity authentication code
  • AS Access Stratum
  • the PDCP PDU Protocol Date Unit, protocol data unit
  • the receiving end receives the PDCP PDU, it calculates an XMAC-I based on the corresponding input parameters, and verifies the integrity of the received PDCP PDU by checking whether the XMAC-I is consistent with the MAC-I. If the calculated XMAC-I is consistent with the received MAC-I, it proves that the received data is complete and has not been tampered with, otherwise it indicates to the upper layer that the integrity verification fails.
  • the input parameters required for PDCP integrity protection include: 1, RRC message (whole segment data); 2, key Key RRCint ; 3, COUNT value; 4, bearer identification bearer ID; 5, Data transmission direction direction.
  • the above-mentioned MAC-I can protect the data integrity of the connected state UE (user equipment, user equipment), but for the UE of the RRC inactive state RRC_INACTIVE, when the RRC connection recovery (RRRCesumeRequest) is initiated to the network, use
  • the uplink common control channel UL_CCCH is carried on SRB0, but SRB0 does not have the aforementioned integrity protection mechanism. Therefore, when the UE initiates a connection recovery RRCResumeRequest, another set of similar mechanisms will be used to verify the resumeMAC-I.
  • the UE that initiates connection recovery still needs to calculate MAC-I
  • the input parameters that need to be used still include the old key Key RRCint , bearer ID, direction, and COUNT values, but they are different from the input parameters for calculating MAC-I in PDCP date PDU Yes
  • the calculation of MAC-I when the RRC connection resumes does not use the entire RRC message as an input parameter, but uses a UE variable VarResumeMAC-Input, which contains three sub-parameters: target cell ID, source cell ID and C- RNTI (cell radio network temporary identity, cell radio network temporary identity).
  • the UE calculates a 32-bit MAC-I, and takes the 16 least significant bits (ie, the rightmost 16 bits) and sets it as resumeMAC-I, which is included in the RRCResumeRequest for sending.
  • the base station also calculates the resumeMAC-I value through the same algorithm. If it successfully matches the resumeMAC-I sent by the UE, the authentication is successful, and the RRCResume can be sent to notify the UE to resume the RRC connection.
  • this application proposes a security enhancement method and communication device for radio resource control RRC connection recovery, which can be applied to NR networks, and perform capability negotiation through terminal equipment and network equipment, so that both parties have the same algorithm capability, so that the message
  • the verification information of the integrity verification code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • the communication system may include, but is not limited to, a network device and a terminal device.
  • the number and form of the devices shown in Figure 1 are for example only and do not constitute a limitation to the embodiment of the application. In practical applications, two or more network equipment, two or more terminal equipment.
  • the communication system shown in FIG. 1 includes one network device 101 and one terminal device 102 as an example.
  • long term evolution long term evolution, LTE
  • 5th generation 5th generation
  • 5G new radio interface new radio, NR
  • other future new mobile communication systems etc.
  • the network device 101 in the embodiment of the present application is an entity on the network side for transmitting or receiving signals.
  • the network device 101 may be an evolved base station (evolved NodeB, eNB), a transmission point (transmission reception point, TRP), a next generation base station (next generation NodeB, gNB) in an NR system, or a base station in other future mobile communication systems Or an access node in a wireless fidelity (wireless fidelity, WiFi) system, etc.
  • eNB evolved NodeB
  • TRP transmission reception point
  • gNB next generation base station
  • gNB next generation NodeB
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the network device.
  • the network device provided by the embodiment of the present application may be composed of a centralized unit (central unit, CU) and a distributed unit (distributed unit, DU), wherein the CU may also be called a control unit (control unit), using CU-DU
  • the structure of the network device such as the protocol layer of the base station, can be separated, and the functions of some protocol layers are placed in the centralized control of the CU, and the remaining part or all of the functions of the protocol layer are distributed in the DU, and the CU centrally controls the DU.
  • the terminal device 102 in the embodiment of the present application is an entity on the user side for receiving or transmitting signals, such as a mobile phone.
  • the terminal equipment may also be called terminal equipment (terminal), user equipment (user equipment, UE), mobile station (mobile station, MS), mobile terminal equipment (mobile terminal, MT) and so on.
  • the terminal device can be a car with communication functions, a smart car, a mobile phone, a wearable device, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (augmented reality (AR) terminal equipment, wireless terminal equipment in industrial control (industrial control), wireless terminal equipment in self-driving (self-driving), wireless terminal equipment in remote medical surgery (remote medical surgery), smart grid ( Wireless terminal devices in smart grid, wireless terminal devices in transportation safety, wireless terminal devices in smart city, wireless terminal devices in smart home, etc.
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the terminal device.
  • FIG. 2 is a flowchart of a security enhancement method for RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device. As shown in FIG. 2 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 201 determine the algorithm capabilities supported by the network equipment.
  • the terminal device and the network device may negotiate capabilities in advance, so that the terminal device can determine the algorithm capabilities that the network device can support.
  • the network device may send capability indication information to the terminal device.
  • the terminal device can determine the algorithm capability supported by the network device according to the indication information sent by the network device.
  • the capability indication information sent by the network device to the terminal device may be which integrity protection algorithm is supported, for example, the capability indication information may be the first integrity protection algorithm supported, and the terminal device according to the network
  • the capability indication information sent by the device may determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm.
  • the specific indication method may be to use a certain field (or bit) to indicate the supported integrity protection algorithm type. When the value of this field (or bit) is X, it indicates that the first integrity protection algorithm is supported. When the value of bit) is Y, it indicates that the second integrity protection algorithm is supported.
  • the capability indication information may also be that the first integrity protection algorithm is not supported, and the terminal device may determine that the algorithm capability supported by the network device is that the first integrity protection algorithm is not supported according to the capability indication information sent by the network device. algorithm.
  • the capability indication information may also support an algorithm different from the first integrity protection algorithm, such as the second integrity protection algorithm, and the terminal device may determine the capabilities supported by the network device according to the capability indication information sent by the network device.
  • the algorithm capability of is to support the second integrity protection algorithm.
  • the first integrity protection algorithm and the second integrity protection algorithm in the embodiment of the present application are different algorithms, and the input parameters of the first integrity protection algorithm and the second integrity protection algorithm are different.
  • the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
  • the network device may send a MAC-I computing capability indication to the terminal device to notify the terminal device whether the network device supports the first integrity protection algorithm.
  • the terminal device may determine whether the first computing capability indication information sent by the network device is received, and the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; the response After receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
  • the first integrity protection algorithm is a set of new MAC-I calculation methods designed by the network device for the RRC connection recovery process, and is completed by adding input parameters in the UE storage variable VarResumeMAC-Input.
  • the input parameters of the first integrity protection algorithm may include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Adding variables, wherein, the target cell ID, the source cell ID, the temporary identifier C-RNTI and the added variables can be used as the content of VarResumeMAC-Input in the first integrity protection algorithm.
  • the added variable is the variable added in the stored variable VarResumeMAC-Input.
  • the terminal device and the network device can perform capability negotiation in advance.
  • the terminal device may determine the algorithm capability supported by the network device by judging whether the first computing capability indication information sent by the network device is received.
  • the algorithm capability supported by the network device is determined according to the first computing capability indication information.
  • the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm, and the terminal device can determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information.
  • An integrity protection algorithm is used to notify the terminal device that the network device does not support the first integrity protection algorithm, and the terminal device can determine that the network device supports the algorithm capability according to the first computing capability indication information.
  • the first integrity protection algorithm is not supported.
  • the terminal device may determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  • the network device supports the second integrity protection algorithm but does not support the first integrity protection algorithm.
  • the input parameters of the second integrity protection algorithm include Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
  • the target cell ID, the source cell ID and the temporary identifier C-RNTI can be used as the content of VarResumeMAC-Input in the second integrity protection algorithm.
  • the difference between the second integrity protection algorithm in the embodiment of the present application and the first integrity protection algorithm is that the required input parameters are different. More parameters have been added to increase variables.
  • the security of RRC connection recovery can be effectively enhanced.
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 202 Select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
  • the terminal device may support the first integrity protection algorithm, that is, support a new MAC-I calculation manner. It can be understood that if the terminal device supports the first integrity protection algorithm, it can be considered that the terminal device can also support the second integrity protection algorithm.
  • the target integrity corresponding to the algorithm capability is selected. Protection algorithm, for example, if it is determined that the algorithm capability supported by the network device is to support the first integrity protection algorithm, then the terminal device can select the first integrity protection algorithm as the target integrity protection algorithm; determine the algorithm supported by the network device If the capability is that the first integrity protection algorithm is not supported, the terminal device may select the second integrity protection algorithm as the target integrity protection algorithm.
  • the terminal device may not support the first integrity protection algorithm, that is, support the old MAC-I calculation method, such as supporting the second integrity protection algorithm. At this time, no matter whether the network device supports the first integrity protection algorithm or not The integrity protection algorithm is supported. Since the terminal device does not support the first integrity protection algorithm, the terminal device may select the second integrity protection algorithm as the target integrity protection algorithm. Therefore, the terminal device can select an integrity protection algorithm that both the terminal device and the network device can support to perform integrity protection verification on the RRC connection recovery request message according to the algorithm capabilities supported by itself and the algorithm capabilities supported by the network device. To ensure that the terminal device and the network device use the same algorithm, and ensure that the resumeMAC-I verification information can be correctly matched.
  • Step 203 perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code.
  • the first integrity protection algorithm may be used, according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the second integrity protection algorithm can be used, according to the key Key RRCint , the bearer ID, the direction of data transmission, and the count COUNT value , the target cell ID, the source cell ID and the temporary identifier C-RNTI, calculate a message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment can be selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 3 is a flowchart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device.
  • the terminal device learns that the network device supports the first integrity protection algorithm through the first computing capability indication information; assuming that the terminal device in this embodiment supports the first integrity protection algorithm, as shown in FIG. 3 , the The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 301 judging whether the first computing capability indication information sent by the network device is received; wherein the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm.
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 302 In response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device as supporting the first integrity protection algorithm according to the first computing capability indication information.
  • Step 303 Select a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
  • Step 304 using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variables , to calculate the message integrity verification code.
  • step 307 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • Step 305 in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  • the terminal device may select the second integrity protection algorithm to perform security verification of the RRC connection recovery request message.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 306 according to the algorithm capabilities supported by the network equipment, choose to use the second integrity protection algorithm according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID and the temporary identifier C-RNTI to calculate the message integrity verification code.
  • step 307 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • Step 307 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 4 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device.
  • the terminal device learns that the network device supports the first integrity protection algorithm through the first computing capability indication information; assuming that the terminal device in this embodiment does not support the first integrity protection algorithm, as shown in FIG. 4,
  • the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 401 judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm;
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 402 in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  • the terminal device can select the second integrity protection algorithm Carry out the security verification of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, step 404 can be performed, that is, the second integrity protection algorithm is selected
  • the algorithm calculates the message integrity verification code according to the key RRCint , the bearer ID, the direction of data transmission, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 403 In response to receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information.
  • step 404 in response to receiving the first computing capability indication information sent by the network device, after determining that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information, since the terminal device does not The first integrity protection algorithm is supported, so the second integrity protection algorithm needs to be used to perform integrity protection verification on the RRC connection recovery request message, that is, step 404 is performed.
  • Step 404 choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
  • Step 405 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the capability negotiation between the terminal device and the network device is carried out so that both parties have the same algorithm capability, so that the message integrity verification
  • the verification information of code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 5 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device.
  • the terminal device determines that the network device does not support the first integrity protection algorithm, no matter whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the second integrity protection algorithm is adopted.
  • the protection algorithm performs integrity protection verification on the RRC connection recovery request message.
  • the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 501 judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm.
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 502 in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  • the terminal The device selects the second integrity protection algorithm to verify the security of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the network device does not support the first integrity protection algorithm, step 504 can be performed , that is, select the second integrity protection algorithm, and calculate the message integrity according to the key Key RRCint , the bearer ID, the data transmission direction direction, the count COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI gender verification code.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 503 In response to receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm according to the first computing capability indication information.
  • the terminal device in response to receiving the first computing capability indication information sent by the network device, when it is determined according to the first computing capability indication information that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, no matter what Whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the terminal device chooses to use the second integrity protection algorithm to perform integrity protection verification on the RRC connection recovery request message, that is, step 504 is executed.
  • Step 504 choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
  • Step 505 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the capability negotiation between the terminal device and the network device is performed to Make both parties have the same algorithm capability, make the check information of the message integrity verification code resumeMAC-I match correctly, solve the problem of incompatibility of the integrity protection algorithm, and thus realize the enhancement of the security of the RRC connection recovery request message .
  • the terminal device may determine the algorithm capabilities supported by itself, and send the second computing capability indication information to the network device according to the algorithm capabilities supported by the terminal device, wherein the second computing capability indication information It is used to notify the network device whether the terminal device supports the first integrity protection algorithm.
  • the terminal device may report its supported algorithm capabilities to the network device through the indication information.
  • the terminal device in response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the network device.
  • the terminal device may send capability indication information supporting the first integrity protection algorithm to the network device.
  • the terminal device in response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the network device. For example, assuming that the terminal device does not support the first integrity protection algorithm, the terminal device may send capability indication information not supporting the first integrity protection algorithm to the network device.
  • no capability indication information about whether the first integrity protection algorithm is supported is not sent. For example, assuming that the terminal device does not support the first integrity protection algorithm, it does not report the capability indication information. Wherein, if the network device does not receive the capability indication information sent by the terminal device, the network device may determine that the terminal device does not support the first integrity protection algorithm.
  • the way of sending the capability indication information to the network device includes at least any one of the following: sending the message through the security mode; sending the UE capability information message through the terminal device; sending through the UE auxiliary information; through the initial access Sent by message 5Msg5; sent by initial access message 3Msg3; sent by initial access message 1Msg1.
  • the terminal device can report the capability indication information in the following ways: send the capability indication information through the security mode complete (SecurityModeComplete) message; send the capability indication information through the terminal device UE capability information (UECapabilityInformation) message; Send capability indication information; send capability indication information through initial access message 5Msg5 (RRCSetupComplete); send capability indication information through initial access message 3Msg3 (RRCSetupRequest); send capability indication information through initial access message 1Msg1 (preamble).
  • security mode complete SecurityModeComplete
  • UECapabilityInformation UECapabilityInformation
  • Send capability indication information send capability indication information through initial access message 5Msg5 (RRCSetupComplete); send capability indication information through initial access message 3Msg3 (RRCSetupRequest); send capability indication information through initial access message 1Msg1 (preamble).
  • a possible implementation method when a UE that supports the first integrity protection algorithm initially accesses the network and enters the connection state through RRCSetup connection establishment, the network device needs to perform AS security authentication through the SecurityModeCommand (security mode command), and the UE When replying to the SecurityModeComplete message, the capability indication information supporting the first integrity protection algorithm is carried to support reporting to the network device.
  • a possible implementation method when a UE that does not support the first integrity protection algorithm initially accesses the network and enters the connection state through RRCSetup connection establishment, the network device needs to perform AS security authentication through the SecurityModeCommand (security mode command). When the UE replies to the SecurityModeComplete message, it carries capability indication information that does not support the first integrity protection algorithm to report to the network device.
  • a possible implementation manner for a UE that does not support the first integrity protection algorithm to initially access the network, after entering the connected state, it will not report any indication of the ability to support the first integrity protection algorithm.
  • the capability negotiation between the terminal device and the network device can be performed in advance, so that when the terminal device initiates an RRC connection recovery request, the terminal device can adopt the integrity protection that both the terminal device and the network device can support based on the negotiation result with the network device
  • the algorithm performs integrity protection verification on the RRC connection recovery request, so that the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the RRC connection recovery request message can be realized.
  • the message integrity verification code calculated by the first integrity protection algorithm is used when the terminal camps on the anchor cell, and when cell reselection occurs in the inactive state, the response to When the RRC connection resumes in the non-anchor cell, the terminal device may use the first integrity protection algorithm and the input parameters for calculating the message integrity verification code to perform integrity protection verification on the RRC connection restoration.
  • the anchor cell may be understood as the cell where the serving network device of the terminal device is located;
  • the non-anchor cell may be understood as the cell where the terminal device is located when cell reselection is triggered.
  • the terminal equipment at this time
  • the original algorithm capability can be kept unchanged, and the new network device in the non-anchor cell needs to send a new request message to extract the terminal device context to notify the old network device to perform ResumeMAC-I verification.
  • the anchor cell broadcasts support for the first Integrity protection algorithm, assuming that the terminal device recovers the RRC connection in a non-anchor cell, the terminal device can adopt the first integrity protection algorithm, according to the key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery according to the calculated message integrity verification code.
  • the message integrity verification code calculated by using the first integrity protection algorithm when the terminal is camped on the anchor cell, the message integrity verification code calculated by using the first integrity protection algorithm, and in the case of cell reselection in the inactive state, the anchor cell broadcast does not support the message integrity verification code.
  • the first integrity protection algorithm although the anchor cell does not support the first integrity protection algorithm, the ResumeMAC-I check is performed by the serving network device of the anchor cell, and the serving network device of the anchor cell supports the first Integrity protection algorithm, so the terminal device can use the first integrity protection algorithm to perform integrity protection verification on RRC connection recovery.
  • the serving cell in the last connection state of the terminal device refers to the primary cell that can receive system messages for the first time: PCell (Primary cell) or PSCell (Primary cell) Primary secondary cell, PrimarySecondary cell).
  • FIG. 6 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device. As shown in FIG. 6 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 601 in response to receiving the RRC connection recovery request message sent by the terminal device, determine the algorithm capability supported by the terminal device.
  • the network device when the network device receives the RRC connection recovery request message sent by the terminal device, it needs to perform integrity protection verification on the RRC connection recovery request message, wherein the algorithm capability supported by the terminal device can be determined first, and the terminal Algorithm capability of the device to select the corresponding integrity protection algorithm for complete verification.
  • the network device and the terminal device may negotiate capabilities in advance, so that the network device may determine the algorithm capabilities that the terminal device can support.
  • the terminal device may send capability indication information to the network device.
  • the network device can determine the algorithm capability supported by the terminal device according to the indication information sent by the terminal device.
  • the capability indication information sent by the terminal device to the network device may be which integrity protection algorithm is supported, for example, the capability indication information may support the first integrity protection algorithm, and the network device The sent capability indication information may determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
  • the capability indication information may also be that the first integrity protection algorithm is not supported, and the network device may determine that the algorithm capability supported by the terminal device is that the first integrity protection algorithm is not supported according to the capability indication information sent by the terminal device. algorithm.
  • the capability indication information may also support an algorithm different from the first integrity protection algorithm, such as the second integrity protection algorithm, and the network device may determine the capabilities supported by the terminal device according to the capability indication information sent by the terminal device.
  • the algorithm capability of is to support the second integrity protection algorithm.
  • the first integrity protection algorithm and the second integrity protection algorithm in the embodiment of the present application are different algorithms, and the input parameters of the first integrity protection algorithm and the second integrity protection algorithm are different.
  • the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
  • the terminal device may send the MAC-I computing capability indication to the network device to notify the network device whether the terminal device supports the first integrity protection algorithm.
  • the network device may determine the algorithm capability supported by the terminal device by judging whether the capability indication information sent by the terminal device is received.
  • the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the first The input parameters of the integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable;
  • the second computing capability indication information sent by the terminal device determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
  • the first integrity protection algorithm is a set of new MAC-I calculation methods designed by the network device for the RRC connection recovery process, and is completed by adding input parameters in the UE storage variable VarResumeMAC-Input.
  • the input parameters of the first integrity protection algorithm may include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add variables.
  • the added variable is the variable added in the stored variable VarResumeMAC-Input.
  • the network device and the terminal device can perform capability negotiation in advance.
  • the network device may determine the algorithm capability supported by the terminal device by judging whether the second computing capability indication information sent by the terminal device is received.
  • the algorithm capability supported by the terminal device is determined according to the second computing capability indication information.
  • the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm, and the network device can determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information.
  • An integrity protection algorithm is used to notify the network device that the terminal device does not support the first integrity protection algorithm, and the network device may determine that the terminal device supports the algorithm capability according to the second computing capability indication information.
  • the first integrity protection algorithm is not supported.
  • the network device may determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm. For example, the terminal device supports the second integrity protection algorithm but does not support the first integrity protection algorithm.
  • the input parameters of the second integrity protection algorithm include Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
  • the difference between the second integrity protection algorithm in the embodiment of the present application and the first integrity protection algorithm is that the required input parameters are different. More parameters have been added to increase variables.
  • the security of RRC connection recovery can be effectively enhanced.
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 602 Select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • the network device may support the first integrity protection algorithm, that is, support a new MAC-I calculation manner. It can be understood that if the network device supports the first integrity protection algorithm, it can be considered that the network device can also support the second integrity protection algorithm.
  • the network device select the target integrity value corresponding to the algorithm capability Protection algorithm, for example, if it is determined that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm, then the network device can select the first integrity protection algorithm as the target integrity protection algorithm; determine the algorithm supported by the terminal device If the capability is that the first integrity protection algorithm is not supported, the network device may select the second integrity protection algorithm as the target integrity protection algorithm.
  • the network device may not support the first integrity protection algorithm, that is, support the old MAC-I calculation method, such as supporting the second integrity protection algorithm. At this time, no matter whether the terminal device supports the first integrity protection algorithm or not The integrity protection algorithm is supported. Since the network device does not support the first integrity protection algorithm, the network device may select the second integrity protection algorithm as the target integrity protection algorithm. Therefore, the network device can select an integrity protection algorithm that both the terminal device and the network device can support to perform integrity protection verification on the RRC connection recovery request message according to the algorithm capabilities supported by itself and the algorithm capabilities supported by the terminal. , to ensure that the terminal device and the network device use the same algorithm, and ensure that the resumeMAC-I verification information can be correctly matched.
  • the first integrity protection algorithm that is, support the old MAC-I calculation method, such as supporting the second integrity protection algorithm.
  • Step 603 according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code, perform integrity protection verification on the RRC connection recovery request message.
  • the first integrity protection algorithm may be used, according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the second integrity protection algorithm can be used, according to the key Key RRCint , the bearer ID, the direction of data transmission, and the count COUNT value , the target cell ID, the source cell ID and the temporary identifier C-RNTI, calculate a message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the integrity protection algorithm corresponding to the algorithm capability supported by the terminal device can be selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 7 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device.
  • the network device learns that the terminal device supports the first integrity protection algorithm through the second computing capability indication information; assuming that the network device in this embodiment supports the first integrity protection algorithm, as shown in FIG. 7, the The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 701 judging whether the second computing capability indication information sent by the terminal device is received; wherein, the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm.
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 702 In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information.
  • Step 703 Select a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • Step 704 using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variables , to calculate the message integrity verification code.
  • step 707 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • Step 705 In response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  • the network device may select the second integrity protection algorithm to verify the security of the RRC connection recovery request message.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 706 according to the algorithm capability supported by the terminal equipment, choose to adopt the second integrity protection algorithm according to the key Key RRCint , the bearer ID, the direction of data transmission, the count COUNT value, the target cell ID, and the source cell ID and the temporary identifier C-RNTI to calculate the message integrity verification code.
  • step 707 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • Step 707 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the integrity protection algorithm corresponding to the algorithm capability supported by the terminal device is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
  • FIG. 8 is a flow chart of another security enhancement method for RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device.
  • the network device learns that the terminal device supports the first integrity protection algorithm through the second computing capability indication information; assuming that the network device in this embodiment does not support the first integrity protection algorithm, as shown in FIG. 8,
  • the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 801 judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indicating information is used to notify the network device that the terminal device supports the first integrity protection algorithm.
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increment variable.
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 802 in response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  • the network device can select the second integrity protection algorithm Perform security verification of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, step 804 can be performed, that is, the second integrity protection algorithm is selected
  • the algorithm calculates the message integrity verification code according to the key RRCint , the bearer ID, the direction of data transmission, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 803 In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information.
  • step 804 in response to receiving the second computing capability indication information sent by the terminal device, after determining according to the second computing capability indication information that the algorithm capability supported by the network device is to support the first integrity protection algorithm, since the network device does not The first integrity protection algorithm is supported, so the second integrity protection algorithm needs to be used to perform integrity protection verification on the RRC connection recovery request message, that is, step 804 is executed.
  • Step 804 choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
  • Step 805 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • FIG. 9 is a flow chart of another security enhancement method for RRC connection recovery provided by an embodiment of the present application.
  • the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device.
  • the network device determines that the terminal device does not support the first integrity protection algorithm, no matter whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the second integrity protection algorithm is adopted.
  • the protection algorithm performs integrity protection verification on the RRC connection recovery request message.
  • the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
  • Step 901 judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm.
  • the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
  • the enhanced variable may include at least any one of the following A) to F):
  • the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
  • the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same.
  • the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields.
  • the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit.
  • the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit.
  • the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request.
  • the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
  • the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
  • the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
  • the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I.
  • the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
  • Step 902 In response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  • the network The device selects the second integrity protection algorithm to verify the security of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, step 904 can be performed , that is, select the second integrity protection algorithm, and calculate the message integrity according to the key Key RRCint , the bearer ID, the data transmission direction direction, the count COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI gender verification code.
  • the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
  • Step 903 In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm according to the second computing capability indication information.
  • the network device in response to receiving the second computing capability indication information sent by the terminal device, when it is determined according to the second computing capability indication information that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, regardless of Whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the network device chooses to use the second integrity protection algorithm to perform integrity protection verification on the RRC connection recovery request message, that is, step 904 is executed.
  • Step 904 choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
  • Step 905 perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the capability negotiation between the terminal device and the network device is performed to Make both parties have the same algorithm capability, make the check information of the message integrity verification code resumeMAC-I match correctly, solve the problem of incompatibility of the integrity protection algorithm, and thus realize the enhancement of the security of the RRC connection recovery request message .
  • the network device may determine the algorithm capabilities supported by itself, and send the first computing capability indication information to the terminal device according to the algorithm capabilities supported by the network device, wherein the first computing capability indication information It is used to notify the terminal device whether the network device supports the first integrity protection algorithm.
  • the network device may send the algorithm capability supported by itself to the terminal device through the indication information.
  • capability indication information supporting the first integrity protection algorithm is sent to the terminal device.
  • the network device may send capability indication information supporting the first integrity protection algorithm to the terminal device.
  • capability indication information not supporting the first integrity protection algorithm is sent to the terminal device.
  • the network device may send capability indication information that the terminal device does not support the first integrity protection algorithm.
  • no capability indication information on whether to support the first integrity protection algorithm is not sent. For example, assuming that the network device does not support the first integrity protection algorithm, the terminal device is not notified that the network device does not support the capability indication information of the first integrity protection algorithm. Wherein, if the terminal device does not receive the capability indication information sent by the network device, the terminal device may determine that the network device does not support the first integrity protection algorithm.
  • the manner of sending the capability indication information to the terminal device includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
  • a possible implementation method For broadcasting, network devices that support the first integrity protection algorithm need to broadcast the ability indication of supporting the first integrity protection algorithm in the system message (SIBX), and at the same time support the first integrity protection algorithm The network equipment must also support the second integrity protection algorithm (such as the old MAC-I algorithm).
  • SIBX system message
  • the network equipment must also support the second integrity protection algorithm (such as the old MAC-I algorithm).
  • a possible implementation method For broadcasting, network devices that do not support the first integrity protection algorithm need to broadcast a capability indication that does not support the first integrity protection algorithm in the system message (SIBX). At this time, only the old MAC- I algorithm, such as the second integrity protection algorithm mentioned herein.
  • a possible implementation method for broadcasting, the broadcast parameter of whether to support the first integrity protection algorithm is area specific (area-level parameter).
  • the network devices in the area have the same algorithm capability, the network devices in the area
  • the party may broadcast a capability indication of whether to support the first integrity protection algorithm in a system message (SIBX).
  • SIBX system message
  • a possible implementation method For the RRCRelease (RRC Release) message, the network device that supports the first integrity protection algorithm, when the UE in the connected state is released to the INACTIVE state, carries the information that supports the first integrity protection algorithm in the RRCRelease message.
  • the capability indication is used to inform the UE that the first integrity protection algorithm can be used for RRC connection recovery.
  • the RRCRelease message For the RRCRelease message, a network device that does not support the first integrity protection algorithm, when the UE in the connected state is released to the INACTIVE state, the RRCRelease message carries a capability indication that does not support the first integrity protection algorithm In order to notify the UE to use the old algorithm (such as the second integrity protection algorithm mentioned in this document) to perform RRC connection recovery.
  • a possible implementation manner For any manner, a network device that does not support the first integrity protection algorithm will not perform any capability indication of supporting the first integrity protection algorithm.
  • the capability negotiation between the terminal device and the network device can be performed in advance, so that when the terminal device initiates an RRC connection recovery request, the terminal device can adopt the integrity protection that both the terminal device and the network device can support based on the negotiation result with the network device
  • the algorithm performs integrity protection verification on the RRC connection recovery request, so that the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the RRC connection recovery request message can be realized.
  • the network device when the terminal resides in the anchor cell where the network device is located, the message integrity verification code calculated by the first integrity protection algorithm is used, and when cell reselection occurs in the inactive state , in response to the RRC connection recovery of the terminal device in the non-anchor cell, the network device may receive an extract terminal device context request message sent by a new network device in the non-anchor cell; wherein the extract terminal device context request message includes the first integrity The input parameters required by the protection algorithm; using the first integrity protection algorithm and the input parameters required to perform integrity protection verification on RRC connection recovery.
  • the terminal equipment at this time
  • the original algorithm capability can be kept unchanged, and the new network device in the non-anchor cell needs to send a new request message to extract the terminal device context to notify the old network device to perform ResumeMAC-I verification.
  • the anchor cell broadcasts support for the first Integrity protection algorithm, assuming that the terminal device recovers the RRC connection in a non-anchor cell, the terminal device can adopt the first integrity protection algorithm, according to the key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery according to the calculated message integrity verification code.
  • the message integrity verification code calculated by using the first integrity protection algorithm when the terminal is camped on the anchor cell, the message integrity verification code calculated by using the first integrity protection algorithm, and in the case of cell reselection in the inactive state, the anchor cell broadcast does not support the message integrity verification code.
  • the first integrity protection algorithm although the anchor cell does not support the first integrity protection algorithm, the ResumeMAC-I check is performed by the serving network device of the anchor cell, and the serving network device of the anchor cell supports the first Integrity protection algorithm, so the terminal device can use the first integrity protection algorithm to perform integrity protection verification on RRC connection recovery.
  • the network device needs to extract the added content in the terminal device context request message, and the added content may include input parameters required by the first integrity protection algorithm.
  • the new network device needs to send a context request to the original network device to obtain the context of the UE.
  • the original network device needs to perform ResumeMAC-I verification before responding to the context reply. Since the new MAC-I algorithm is introduced, it is necessary to expand the fields in the Retrieve UE context request (extracting the terminal device context request message) to ensure that it can
  • the input parameters of the new and old algorithms are provided for the old network equipment to use, and the old network equipment selects an appropriate algorithm according to the capabilities of the UE.
  • the methods provided in the embodiments of the present application are introduced from the perspectives of the terminal device and the network device respectively.
  • the network device and the terminal device may include a hardware structure and a software module, and realize the above functions in the form of a hardware structure, a software module, or a hardware structure plus a software module.
  • a certain function among the above-mentioned functions may be implemented in the form of a hardware structure, a software module, or a hardware structure plus a software module.
  • FIG. 10 is a schematic structural diagram of a communication device 1000 provided in an embodiment of the present application.
  • the communication device 1000 shown in FIG. 10 may include a determination module 1001 , a selection module 1002 , and a processing module 1003 .
  • the communication device 1000 may further include a transceiver module 1004 .
  • the transceiver module 1004 may include a sending module and/or a receiving module, the sending module is used to realize the sending function, the receiving module is used to realize the receiving function, and the sending and receiving module 1004 can realize the sending function and/or the receiving function.
  • the communication device 1000 may be a network device, or a device in the network device, or a device that can be matched with the network device.
  • the communication device 1000 may be a terminal device, may also be a device in a terminal device, and may also be a device that can be matched and used with the terminal device.
  • the communication device 1000 is a terminal device: in the embodiment of this application, the determination module 1001 is used to determine the algorithm capability supported by the network device; the selection module 1002 is used to select the corresponding algorithm capability according to the algorithm capability supported by the network device. Target integrity protection algorithm; the processing module 1003 is configured to perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used for calculating the message integrity verification code.
  • the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increasing variables.
  • the determining module 1001 is configured to determine the algorithm capability supported by the network device according to the capability indication information sent by the network device.
  • the determination module 1001 is specifically configured to: determine whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection Algorithm; wherein, the input parameters of the first integrity protection algorithm include key Key RRCint , bearer identification bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add a variable; in response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
  • the determining module 1001 is further configured to: in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm .
  • the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm An integrity protection algorithm.
  • the terminal device supports the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
  • the processing module 1003 is specifically configured to: adopt the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source The cell identification ID, the temporary identifier C-RNTI and the added variable calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the terminal device does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the second integrity protection algorithm
  • the input parameters include key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
  • the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source
  • the cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the network device is not Supports the first integrity protection algorithm.
  • the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select an algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
  • the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source
  • the cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • increasing variables at least includes any one of the following A) to F):
  • the transceiver module 1004 is configured to send the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device, wherein the second computing capability indication information is used to notify the network device whether the terminal device Supports the first integrity protection algorithm.
  • the transceiver module 1004 is specifically configured to: in response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, send capability indication information supporting the first integrity protection algorithm to the network device .
  • the transceiver module 1004 is specifically configured to: in response to the fact that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, send the capability of not supporting the first integrity protection algorithm to the network device Instructions.
  • the transceiver module 1004 is specifically configured to: respond to the fact that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, not sending a capability indication on whether to support the first integrity protection algorithm information.
  • the manner in which the transceiver module 1004 sends the capability indication information to the network device includes at least any one of the following:
  • the message is sent through the security mode; through the terminal equipment UE capability information message; through the UE auxiliary information; through the initial access message 5Msg5; through the initial access message 3Msg3; through the initial access message 1Msg1.
  • the processing module 1003 is further configured to: use the message integrity verification code calculated by the first integrity protection algorithm when the terminal camps on the anchor cell, and the cell In the case of reselection, in response to the RRC connection recovery occurring in the non-anchor cell, the first integrity protection algorithm and the input parameters for calculating the message integrity verification code are used to perform integrity protection verification on the RRC connection recovery.
  • the communication device 1000 is a network device.
  • the determination module 1001 is used to determine the algorithm capability supported by the terminal device in response to receiving the RRC connection recovery request message sent by the terminal device; According to the algorithm capability supported by the device, select the target integrity protection algorithm corresponding to the algorithm capability; the processing module 1003 is used to process the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code Perform integrity protection verification.
  • the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increasing variables.
  • the determining module 1001 is configured to determine the algorithm capability supported by the terminal device according to the capability indication information sent by the terminal device.
  • the determination module 1001 is specifically configured to: determine whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection Algorithm; wherein, the input parameters of the first integrity protection algorithm include key Key RRCint , bearer identification bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add a variable; in response to receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
  • the determining module 1001 is further configured to: in response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm .
  • the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm An integrity protection algorithm.
  • the network device supports the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • the processing module 1003 is specifically configured to: adopt the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary The identifier C-RNTI and variable are added, and the message integrity verification code is calculated; the integrity protection verification of the RRC connection recovery request message is performed according to the calculated message integrity verification code.
  • the network device does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the second integrity protection algorithm
  • the input parameters include key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
  • the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, and temporary
  • the identifier C-RNTI calculates a message integrity verification code; and performs integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm An integrity protection algorithm.
  • the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
  • the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source
  • the cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  • increasing variables at least includes any one of the following A) to F):
  • the transceiver module 1004 is configured to send the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device, wherein the first computing capability indication information is used to notify the terminal device whether the network device Supports the first integrity protection algorithm.
  • the transceiver module 1004 is specifically configured to: send capability indication information supporting the first integrity protection algorithm to the terminal device in response to the algorithm capability supported by the network device supporting the first integrity protection algorithm .
  • the transceiver module 1004 is specifically configured to: in response to the fact that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, send the capability of not supporting the first integrity protection algorithm to the terminal device Instructions.
  • the transceiver module 1004 is specifically configured to: respond to the fact that the algorithm capability supported by the network device does not support the first integrity protection algorithm, not sending a capability indication on whether to support the first integrity protection algorithm information.
  • the manner of sending the capability indication information to the terminal by the transceiver module 1004 includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
  • the transceiver module 1004 is also configured to use the message integrity verification code calculated by the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and the verification code is generated when the terminal is in an inactive state.
  • the terminal device context extraction request message sent by the new network device in the non-anchor cell is received; wherein, the extraction terminal device context request message includes Input parameters required by the first integrity protection algorithm; the processing module 1003 is also configured to perform integrity protection verification on RRC connection recovery by using the first integrity protection algorithm and its required input parameters.
  • FIG. 11 is a schematic structural diagram of another communication device 1100 provided in an embodiment of the present application.
  • the communication device 1100 may be a network device, or a terminal device, or a chip, a chip system, or a processor that supports the network device to implement the above method, or a chip, a chip system, or a chip that supports the terminal device to implement the above method. processor etc.
  • the device can be used to implement the methods described in the above method embodiments, and for details, refer to the descriptions in the above method embodiments.
  • the communication device 1100 may include one or more processors 1101 .
  • the processor 1101 may be a general-purpose processor or a special-purpose processor. For example, it can be a baseband processor or a central processing unit.
  • the baseband processor can be used to process communication protocols and communication data
  • the central processing unit can be used to control communication devices (such as base stations, baseband chips, terminal equipment, terminal equipment chips, DU or CU, etc.) and execute computer programs , to process data for computer programs.
  • the communication device 1100 may further include one or more memories 1102, on which a computer program 1104 may be stored, and the processor 1101 executes the computer program 1104, so that the communication device 1100 executes the method described in the foregoing method embodiments. method.
  • data may also be stored in the memory 1102 .
  • the communication device 1100 and the memory 1102 can be set separately or integrated together.
  • the communication device 1100 may further include a transceiver 1105 and an antenna 1106 .
  • the transceiver 1105 may be called a transceiver unit, a transceiver, or a transceiver circuit, etc., and is used to implement a transceiver function.
  • the transceiver 1105 may include a receiver and a transmitter, and the receiver may be called a receiver or a receiving circuit, etc., for realizing a receiving function; the transmitter may be called a transmitter, or a sending circuit, for realizing a sending function.
  • the communication device 1100 may further include one or more interface circuits 1107 .
  • the interface circuit 1107 is used to receive code instructions and transmit them to the processor 1101 .
  • the processor 1101 executes the code instructions to enable the communication device 1100 to execute the methods described in the foregoing method embodiments.
  • the communication device 1100 is a terminal device: the processor 1101 runs the code instructions to enable the communication device 1100 to execute the methods described in the embodiments shown in FIGS. 2 to 5 above.
  • the communication device 1100 is a network device: the processor 1101 runs the code instructions to enable the communication device 1100 to execute the methods described in the embodiments shown in FIGS. 6 to 9 above.
  • the processor 1101 may include a transceiver for implementing receiving and sending functions.
  • the transceiver may be a transceiver circuit, or an interface, or an interface circuit.
  • the transceiver circuits, interfaces or interface circuits for realizing the functions of receiving and sending can be separated or integrated together.
  • the above-mentioned transceiver circuit, interface or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface or interface circuit may be used for signal transmission or transfer.
  • the processor 1101 may store a computer program 1103 , and the computer program 1103 runs on the processor 1101 to enable the communication device 1100 to execute the methods described in the foregoing method embodiments.
  • the computer program 1103 may be solidified in the processor 1101, and in this case, the processor 1101 may be implemented by hardware.
  • the communication device 1100 may include a circuit, and the circuit may implement the function of sending or receiving or communicating in the foregoing method embodiments.
  • the processors and transceivers described in this application can be implemented in integrated circuits (integrated circuits, ICs), analog ICs, radio frequency integrated circuits (RFICs), mixed-signal ICs, application specific integrated circuits (ASICs), printed circuit boards ( printed circuit board, PCB), electronic equipment, etc.
  • the processor and transceiver can also be fabricated using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), nMetal-oxide-semiconductor (NMOS), P-type Metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
  • CMOS complementary metal oxide semiconductor
  • NMOS nMetal-oxide-semiconductor
  • PMOS P-type Metal oxide semiconductor
  • BJT bipolar junction transistor
  • BiCMOS bipolar CMOS
  • SiGe silicon germanium
  • GaAs gallium arsenide
  • the communication device described in the above embodiments may be a network device or a terminal device (such as the first terminal device in the foregoing method embodiments), but the scope of the communication device described in this application is not limited thereto, and the structure of the communication device can be Not limited by Figure 11.
  • a communication device may be a stand-alone device or may be part of a larger device.
  • the communication device may be:
  • a set of one or more ICs may also include storage components for storing data and computer programs;
  • ASIC such as modem (Modem);
  • the embodiment of the present application also provides a system for determining the duration of the side link.
  • the system includes the communication device as the terminal device and the communication device as the network device in the aforementioned embodiment in FIG.
  • the present application also provides a readable storage medium on which instructions are stored, and when the instructions are executed by a computer, the functions of any one of the above method embodiments are realized.
  • the present application also provides a computer program product, which implements the functions of any one of the above method embodiments when executed by a computer.
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • software When implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product comprises one or more computer programs. When the computer program is loaded and executed on the computer, all or part of the processes or functions according to the embodiments of the present application will be generated.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer program can be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer program can be downloaded from a website, computer, server or data center Transmission to another website site, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disk, SSD)) etc.
  • a magnetic medium for example, a floppy disk, a hard disk, a magnetic tape
  • an optical medium for example, a high-density digital video disc (digital video disc, DVD)
  • a semiconductor medium for example, a solid state disk (solid state disk, SSD)
  • At least one in this application can also be described as one or more, and multiple can be two, three, four or more, and this application does not make a limitation.
  • the technical feature is distinguished by "first”, “second”, “third”, “A”, “B”, “C” and “D”, etc.
  • the technical features described in the “first”, “second”, “third”, “A”, “B”, “C” and “D” have no sequence or order of magnitude among the technical features described.
  • the corresponding relationships shown in the tables in this application can be configured or predefined.
  • the values of the information in each table are just examples, and may be configured as other values, which are not limited in this application.
  • the corresponding relationship shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, for example, splitting, merging, and so on.
  • the names of the parameters shown in the titles of the above tables may also adopt other names understandable by the communication device, and the values or representations of the parameters may also be other values or representations understandable by the communication device.
  • other data structures can also be used, for example, arrays, queues, containers, stacks, linear tables, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables or hash tables can be used wait.
  • Predefined in this application can be understood as defining, predefining, storing, prestoring, prenegotiating, preconfiguring, curing, or prefiring.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in embodiments of the present application are a security enhancement method for radio resource control (RRC) connection resumption, a communications apparatus, and a storage medium, which can be applied to an NR network. The method comprises: determining an algorithm capability supported by a network device; selecting, according to the algorithm capability supported by the network device, a target integrity protection algorithm corresponding to the algorithm capability; and performing integrity protection verification on a RRC connection resumption request message according to the target integrity protection algorithm and an input parameter for calculating a message integrity verification code. By implementing the embodiments of the present application, the problem that the integrity protection algorithm is incompatible can be solved, such that the security of the RRC connection resumption request message can be enhanced.

Description

无线资源控制RRC连接恢复的安全增强方法和通信装置Security enhancement method and communication device for radio resource control RRC connection recovery 技术领域technical field
本申请涉及通信技术领域,尤其涉及一种无线资源控制RRC连接恢复的安全增强方法、通信装置和存储介质。The present application relates to the field of communication technologies, and in particular to a security enhancement method for radio resource control (RRC) connection recovery, a communication device and a storage medium.
背景技术Background technique
随着无线移动网络的高速发展,目前的NR(New Radio,新空口5G)网络已经具备较高的可靠性和安全性,但是开发框架的漏洞、伪基站的攻击等威胁仍然层出不穷,寻找更可靠的安全加密算法,以及更可靠的安全认证也是NR网络需要考虑的一个重要方向。With the rapid development of wireless mobile networks, the current NR (New Radio, new air interface 5G) network already has high reliability and security, but threats such as loopholes in the development framework and attacks from fake base stations are still emerging one after another. Looking for more reliable The secure encryption algorithm and more reliable security authentication are also an important direction that the NR network needs to consider.
对于终端设备UE发起RRC(Radio Resource Control,无线资源控制)连接恢复请求消息,同样需要对RRC连接恢复请求消息进行完整性保护验证。For the RRC (Radio Resource Control, radio resource control) connection recovery request message initiated by the terminal equipment UE, it is also necessary to perform integrity protection verification on the RRC connection recovery request message.
发明内容Contents of the invention
本申请实施例提供一种无线资源控制RRC连接恢复的安全增强方法和通信装置,可以应用于NR网络,通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。Embodiments of the present application provide a security enhancement method and communication device for radio resource control RRC connection recovery, which can be applied to NR networks, and perform capability negotiation through terminal equipment and network equipment, so that both parties have the same algorithm capability and message integrity The verification information of the verification code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
第一方面,本申请实施例提供一种无线资源控制RRC连接恢复的安全增强方法,所述方法应用于终端设备,所述方法包括:In the first aspect, the embodiment of the present application provides a security enhancement method for radio resource control RRC connection recovery, the method is applied to a terminal device, and the method includes:
确定网络设备所支持具备的算法能力;根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。Determine the algorithm capability supported by the network device; select the target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device; The input parameter of the integrity verification code is used to perform integrity protection verification on the RRC connection recovery request message.
在该技术方案中,通过确定网络设备所支持具备的算法能力,选择与网络设备所支持具备的算法能力对应的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,使得双方具备相同的算法能力,从而使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。In this technical solution, by determining the algorithm capabilities supported by the network equipment, the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have the same Algorithm capabilities, so that the check information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
在一种实现方式中,所述输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 In one implementation, the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
在一种实现方式中,所述确定网络设备所支持具备的算法能力,包括:In an implementation manner, the determining the algorithm capability supported by the network device includes:
根据所述网络设备发送的能力指示信息,确定所述网络设备所支持具备的算法能力。According to the capability indication information sent by the network device, determine the algorithm capability supported by the network device.
在一种实现方式中,所述确定网络设备所支持具备的算法能力,包括:In an implementation manner, the determining the algorithm capability supported by the network device includes:
判断是否接收到所述网络设备发送的第一计算能力指示信息;所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量;响应于接收到所述网络设备发送的第一计算能力指示信息,根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力。 Judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable; response After receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
在一种可选地实现方式中,所述确定网络设备所支持具备的算法能力,还包括:In an optional implementation manner, the determining the algorithm capability supported by the network device further includes:
响应于未接收到所述网络设备发送的第一计算能力指示信息,确定所述网络设备所支持具备的算法能力为不支持第一完整性保护算法。In response to not receiving the first computing capability indication information sent by the network device, it is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
在该技术方案中,通过判断是否接收到网络设备发送的能力指示信息,以确定网络设备所支持具备的算法能力,由此通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。In this technical solution, the algorithm capability supported by the network device is determined by judging whether the capability indication information sent by the network device is received, and thus the capability negotiation is performed between the terminal device and the network device so that both parties have the same algorithm capability , so that the check information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
在一种可选地实现方式中,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备支持第一完整性保护算法;所述根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力,包括:In an optional implementation manner, the first computing capability indication information is used to notify the terminal device that the network device supports a first integrity protection algorithm; according to the first computing capability indication information, Determine the algorithm capabilities supported by the network equipment, including:
确定所述网络设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is to support the first integrity protection algorithm.
在一种可选地实现方式中,所述终端设备支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:In an optional implementation manner, the terminal device supports the first integrity protection algorithm; according to the algorithm capability supported by the network device, the target integrity protection corresponding to the algorithm capability is selected Algorithms, including:
根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。According to the algorithm capability supported by the network device, a first integrity protection algorithm corresponding to the algorithm capability is selected.
在一种可选地实现方式中,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证,包括:In an optional implementation manner, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code includes:
采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码; Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable, calculate the message integrity verification code;
根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可能的实现方式中,所述终端设备不支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:In a possible implementation manner, the terminal device does not support the first integrity protection algorithm; according to the algorithm capability supported by the network device, select the target integrity protection algorithm corresponding to the algorithm capability Algorithms, including:
选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
可选地,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证,包括:Optionally, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code includes:
采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。 Using the second integrity protection algorithm , calculate A message integrity verification code: performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种实现方式中,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备不支持第一完整性保护算法;所述根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力,包括:In an implementation manner, the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; and according to the first computing capability indication information, determining the Algorithm capabilities supported by the above network devices, including:
确定所述网络设备所支持具备的算法能力为不支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
在一种可选地实现方式中,所述终端设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。In an optional implementation manner, the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; according to the algorithm capability supported by the network device, select The target integrity protection algorithm corresponding to the algorithm capability includes: selecting a second integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
在一种可选地实现方式中,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:In an optional implementation manner, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。 Using the second integrity protection algorithm , calculate A message integrity verification code: performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种实现方式中,所述增加变量至少包括以下A)至F)中的任意一项:In one implementation, the increased variable at least includes any one of the following A) to F):
A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。A) the recovery identification resumeIdentity, recovery reason resumeCause and spare spare field in the RRC connection recovery request message; B) the permutation and combination of the recovery identification resumeIdentity, recovery reason resumeCause and spare spare field in the RRC connection recovery request message; C ) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit; D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request; E) the RRC connection recovery request message, wherein the RRC connection recovery request message used as the added variable is deleted to represent the message integrity verification code resumeMAC- field of I; F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein, the RRC connection recovery request message as the added variable deletes the message integrity verification code field of resumeMAC-I.
在一种实现方式中,所述方法还包括:In one implementation, the method further includes:
确定所述终端设备所支持具备的算法能力;根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,其中,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法。Determine the algorithm capability supported by the terminal device; send second computing capability indication information to the network device according to the algorithm capability supported by the terminal device, where the second computing capability indication information is used to notify Whether the network device and the terminal device support the first integrity protection algorithm.
在一种可选地实现方式中,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:In an optional implementation manner, the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
响应于所述终端设备所支持具备的算法能力为支持第一完整性保护算法,向所述网络设备发送支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the network device.
在一种可选地实现方式中,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:In an optional implementation manner, the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,向所述网络设备发送不支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the network device.
在一种可选地实现方式中,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:In an optional implementation manner, the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent.
在一种实现方式中,向所述网络设备发送能力指示信息的方式至少包括以下任意一种:通过安全模式完成消息发送;通过终端设备UE能力信息消息发送;通过UE辅助信息发送;通过初始接入消息5Msg5发送;通过初始接入消息3Msg3发送;通过初始接入消息1Msg1发送。In an implementation manner, the manner of sending the capability indication information to the network device includes at least any one of the following: sending the message through the security mode; sending the UE capability information message through the terminal device; sending through the UE auxiliary information; Incoming message 5Msg5; initial access message 3Msg3; initial access message 1Msg1.
在一种实现方式中,所述方法还包括:In one implementation, the method further includes:
对于所述终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于在非锚点小区发生RRC连接恢复,采用所述第一完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复进行完整性保护验证。For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell, and when cell reselection occurs in the inactive state, in response to RRC connection recovery, using the first integrity protection algorithm and input parameters for calculating message integrity verification codes, to perform integrity protection verification on the RRC connection recovery.
第二方面,本申请实施例提供另一种一种无线资源控制RRC连接恢复的安全增强方法,其特征在于,所述方法应用于网络设备,所述方法包括:In a second aspect, the embodiment of the present application provides another security enhancement method for radio resource control RRC connection recovery, wherein the method is applied to a network device, and the method includes:
响应于接收到终端设备发送的RRC连接恢复请求消息,确定所述终端设备所支持具备的算法能力;根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证。In response to receiving the RRC connection recovery request message sent by the terminal device, determine the algorithm capability supported by the terminal device; select the target integrity protection corresponding to the algorithm capability according to the algorithm capability supported by the terminal device Algorithm: perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters used for calculating message integrity verification codes.
在一种实现方式中,其中,所述输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 In an implementation manner, wherein the input parameters include at least one or more of the following: key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID , temporary identifier C-RNTI and increase variable.
在一种实现方式中,所述确定所述终端设备所支持具备的算法能力,包括:In an implementation manner, the determining the algorithm capability supported by the terminal device includes:
根据所述终端设备发送的能力指示信息,确定所述终端设备所支持具备的算法能力。According to the capability indication information sent by the terminal device, the algorithm capability supported by the terminal device is determined.
在一种实现方式中,所述确定所述终端设备所支持具备的算法能力,包括:In an implementation manner, the determining the algorithm capability supported by the terminal device includes:
判断是否接收到所述终端设备发送的第二计算能力指示信息;所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量;响应于接收到所述终端设备发送的第二计算能力指示信息,根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力。 Judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable; response After receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
在一种可选地实现方式中,所述确定所述终端设备所支持具备的算法能力,还包括:In an optional implementation manner, the determining the algorithm capability supported by the terminal device further includes:
响应于未接收到所述终端设备发送的第二计算能力指示信息,确定所述终端设备所支持具备的算法能力为不支持第一完整性保护算法。In response to not receiving the second computing capability indication information sent by the terminal device, it is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
在一种可选地实现方式中,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备支持第一完整性保护算法;所述根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力,包括:In an optional implementation manner, the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; according to the second computing capability indication information, Determine the algorithm capabilities supported by the terminal device, including:
确定所述终端设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
在一种可选地实现方式中,所述网络设备支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。In an optional implementation manner, the network device supports the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, the target integrity protection corresponding to the algorithm capability is selected The algorithm includes: selecting a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
在一种可选地实现方式中,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:In an optional implementation manner, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码;根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。 Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase The variable is to calculate a message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可选地实现方式中,所述网络设备不支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 In an optional implementation manner, the network device does not support the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, the target integrity protection algorithm corresponding to the algorithm capability is selected The protection algorithm includes: selecting a second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include a key Key RRCint , a bearer ID, a data transmission direction, Count COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
在一种可选地实现方式中,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:In an optional implementation manner, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code includes:
采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。 Using the second integrity protection algorithm , calculate A message integrity verification code: performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可选地实现方式中,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备不支持第一完整性保护算法;所述根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力,包括:确定所述终端设备所支持具备的算法能力为不支持所述第一完整性保护算法。In an optional implementation manner, the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm; The step of determining the algorithm capability supported by the terminal device includes: determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm.
在一种可选地实现方式中,所述网络设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。In an optional implementation manner, the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; according to the algorithm capability supported by the terminal device, select The target integrity protection algorithm corresponding to the algorithm capability includes: selecting a second integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
在一种可选地实现方式中,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。 In an optional implementation manner, the performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code includes: using The second integrity protection algorithm calculates the message according to the key RRCint , the bearer ID, the data transmission direction, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI. Integrity verification code: performing integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种实现方式中,所述增加变量至少包括以下A)至F)中的任意一项:In one implementation, the increased variable at least includes any one of the following A) to F):
A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。A) the recovery identification resumeIdentity, recovery reason resumeCause and spare spare field in the RRC connection recovery request message; B) the permutation and combination of the recovery identification resumeIdentity, recovery reason resumeCause and spare spare field in the RRC connection recovery request message; C ) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit; D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request; E) the RRC connection recovery request message, wherein the RRC connection recovery request message used as the added variable is deleted to represent the message integrity verification code resumeMAC- field of I; F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein, the RRC connection recovery request message as the added variable deletes the message integrity verification code field of resumeMAC-I.
在一种实现方式中,所述方法还包括:In one implementation, the method further includes:
确定所述网络设备所支持具备的算法能力;Determine the algorithm capabilities supported by the network device;
根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,其中,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法。According to the algorithm capability supported by the network device, send first computing capability indication information to the terminal device, where the first computing capability indication information is used to notify the terminal device whether the network device supports the first An integrity protection algorithm.
在一种可选地实现方式中,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:响应于所述网络设备所支持具备的算法能力为支持第一完整性保护算法,向所述终端设备发送支持所述第一完整性保护算法的能力指示信息。In an optional implementation manner, the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is to support the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the terminal device.
在一种可选地实现方式中,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,向所述终端设备发送不支持所述第一完整性保护算法的能力指示信息。In an optional implementation manner, the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is that the first integrity protection algorithm is not supported, and capability indication information that the first integrity protection algorithm is not supported is sent to the terminal device.
在一种可选地实现方式中,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In an optional implementation manner, the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes: responding to the algorithm capability supported by the network device The capability is that the first integrity protection algorithm is not supported, and capability indication information for whether the first integrity protection algorithm is supported is not sent.
在一种可选地实现方式中,向所述终端发送能力指示信息的方式至少包括以下任意一种:通过RRC释放消息发送;通过系统消息广播。In an optional implementation manner, the manner of sending the capability indication information to the terminal includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
在一种实现方式中,所述方法还包括:In one implementation, the method further includes:
对于所述终端驻留在所述网络设备所在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于所述终端设备在非锚点小区发生RRC连接恢复,接收所述非锚点小区内的新网络设备发送的提取终端设备上下文请求消息;其中,所述提取终端设备上下文请求消息包括所述第一完整性保护算法所需的输入参数;采用所述第一完整性保护算法及其所需的输入参数,对所述RRC连接恢复进行完整性保护验证。For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and when cell reselection occurs in the inactive state, respond to the The terminal device recovers the RRC connection in the non-anchor cell, and receives a request message for extracting the context of the terminal device sent by a new network device in the non-anchor cell; wherein the request message for extracting the context of the terminal device includes the first complete input parameters required by the integrity protection algorithm; using the first integrity protection algorithm and the input parameters required to perform integrity protection verification on the recovery of the RRC connection.
第三方面,本申请实施例提供一种通信装置,该通信装置具有实现上述第一方面所述的方法中终端设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the third aspect, the embodiment of this application provides a communication device, which has some or all functions of the terminal equipment in the method described in the first aspect above, for example, the functions of the communication device may have part or all of the functions in this application The functions in the embodiments may also have the functions of independently implementing any one of the embodiments in the present application. The functions described above may be implemented by hardware, or may be implemented by executing corresponding software on the hardware. The hardware or software includes one or more units or modules corresponding to the above functions.
在一种实现方式中,该通信装置的结构中可包括确定模块、选择模块、收发模块和处理模块,所述确定模块被配置为支持通信装置执行上述方法中相应的功能。所述选择模块被配置为支持通信装置执行上述方法中相应的功能。所述处理模块被配置为支持通信装置执行上述方法中相应的功能。所述收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。In an implementation manner, the structure of the communication device may include a determination module, a selection module, a transceiver module, and a processing module, and the determination module is configured to support the communication device to perform corresponding functions in the above methods. The selection module is configured to support the communication device to perform corresponding functions in the above methods. The processing module is configured to support the communication device to perform corresponding functions in the above methods. The transceiver module is used to support communication between the communication device and other equipment. The communication device may further include a storage module, which is used to be coupled with the transceiver module and the processing module, and stores necessary computer programs and data of the communication device.
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。As an example, the processing module may be a processor, the transceiver module may be a transceiver or a communication interface, and the storage module may be a memory.
第四方面,本申请实施例提供另一种通信装置,该通信装置具有实现上述第二方面所述的方法示例中网络设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行 相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the fourth aspect, the embodiment of the present application provides another communication device, which can implement some or all of the functions of the network equipment in the method example described in the second aspect above, for example, the functions of the communication device can have some of the functions in this application Or the functions in all the embodiments may also have the function of implementing any one embodiment in the present application alone. The functions described above can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more units or modules corresponding to the above functions.
在一种实现方式中,该通信装置的结构中可包括确定模块、选择模块、收发模块和处理模块,所述确定模块被配置为支持通信装置执行上述方法中相应的功能。所述选择模块被配置为支持通信装置执行上述方法中相应的功能。该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。In an implementation manner, the structure of the communication device may include a determination module, a selection module, a transceiver module, and a processing module, and the determination module is configured to support the communication device to perform corresponding functions in the above methods. The selection module is configured to support the communication device to perform corresponding functions in the above methods. The processing module is configured to support the communication device to perform corresponding functions in the above methods. The transceiver module is used to support communication between the communication device and other devices. The communication device may further include a storage module, which is used to be coupled with the transceiver module and the processing module, and stores necessary computer programs and data of the communication device.
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。As an example, the processing module may be a processor, the transceiver module may be a transceiver or a communication interface, and the storage module may be a memory.
第五方面,本申请实施例提供一种通信装置,该通信装置包括处理器,当该处理器调用存储器中的计算机程序时,执行上述第一方面所述的方法。In a fifth aspect, an embodiment of the present application provides a communication device, where the communication device includes a processor, and when the processor invokes a computer program in a memory, it executes the method described in the first aspect above.
第六方面,本申请实施例提供一种通信装置,该通信装置包括处理器,当该处理器调用存储器中的计算机程序时,执行上述第二方面所述的方法。In a sixth aspect, an embodiment of the present application provides a communication device, where the communication device includes a processor, and when the processor invokes a computer program in a memory, it executes the method described in the second aspect above.
第七方面,本申请实施例提供一种通信装置,该通信装置包括处理器和存储器,该存储器中存储有计算机程序;所述处理器执行该存储器所存储的计算机程序,以使该通信装置执行上述第一方面所述的方法。In the seventh aspect, the embodiment of the present application provides a communication device, the communication device includes a processor and a memory, and a computer program is stored in the memory; the processor executes the computer program stored in the memory, so that the communication device executes The method described in the first aspect above.
第八方面,本申请实施例提供一种通信装置,该通信装置包括处理器和存储器,该存储器中存储有计算机程序;所述处理器执行该存储器所存储的计算机程序,以使该通信装置执行上述第二方面所述的方法。In an eighth aspect, the embodiment of the present application provides a communication device, the communication device includes a processor and a memory, and a computer program is stored in the memory; the processor executes the computer program stored in the memory, so that the communication device executes The method described in the second aspect above.
第九方面,本申请实施例提供一种通信装置,该装置包括处理器和接口电路,该接口电路用于接收代码指令并传输至该处理器,该处理器用于运行所述代码指令以使该装置执行上述第一方面所述的方法。In the ninth aspect, the embodiment of the present application provides a communication device, the device includes a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to make the The device executes the method described in the first aspect above.
第十方面,本申请实施例提供一种通信装置,该装置包括处理器和接口电路,该接口电路用于接收代码指令并传输至该处理器,该处理器用于运行所述代码指令以使该装置执行上述第二方面所述的方法。In the tenth aspect, the embodiment of the present application provides a communication device, the device includes a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to make the The device executes the method described in the second aspect above.
第十一方面,本申请实施例提供一种通信系统,该系统包括第三方面所述的通信装置以及第四方面所述的通信装置,或者,该系统包括第五方面所述的通信装置以及第六方面所述的通信装置,或者,该系统包括第七方面所述的通信装置以及第八方面所述的通信装置,或者,该系统包括第九方面所述的通信装置以及第十方面所述的通信装置。In the eleventh aspect, the embodiment of the present application provides a communication system, the system includes the communication device described in the third aspect and the communication device described in the fourth aspect, or the system includes the communication device described in the fifth aspect and The communication device described in the sixth aspect, or, the system includes the communication device described in the seventh aspect and the communication device described in the eighth aspect, or, the system includes the communication device described in the ninth aspect and the communication device described in the tenth aspect the communication device described above.
第十二方面,本发明实施例提供一种计算机可读存储介质,用于储存为上述终端设备所用的指令,当所述指令被执行时,使所述终端设备执行上述第一方面所述的方法。In the twelfth aspect, the embodiment of the present invention provides a computer-readable storage medium, which is used to store instructions used by the above-mentioned terminal equipment, and when the instructions are executed, the terminal equipment executes the above-mentioned first aspect. method.
第十三方面,本发明实施例提供一种可读存储介质,用于储存为上述网络设备所用的指令,当所述指令被执行时,使所述网络设备执行上述第二方面所述的方法。In a thirteenth aspect, an embodiment of the present invention provides a readable storage medium for storing instructions used by the above-mentioned network equipment, and when the instructions are executed, the network equipment executes the method described in the above-mentioned second aspect .
第十四方面,本申请还提供一种包括计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第一方面所述的方法。In a fourteenth aspect, the present application further provides a computer program product including a computer program, which, when run on a computer, causes the computer to execute the method described in the first aspect above.
第十五方面,本申请还提供一种包括计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第二方面所述的方法。In a fifteenth aspect, the present application further provides a computer program product including a computer program, which, when run on a computer, causes the computer to execute the method described in the second aspect above.
第十六方面,本申请提供一种计算机程序,当其在计算机上运行时,使得计算机执行上述第一方面所述的方法。In a sixteenth aspect, the present application provides a computer program that, when run on a computer, causes the computer to execute the method described in the first aspect above.
第十七方面,本申请提供一种计算机程序,当其在计算机上运行时,使得计算机执行上述第二方面所述的方法。In a seventeenth aspect, the present application provides a computer program that, when run on a computer, causes the computer to execute the method described in the second aspect above.
附图说明Description of drawings
为了更清楚地说明本申请实施例或背景技术中的技术方案,下面将对本申请实施例或背景技术中所需要使用的附图进行说明。In order to more clearly illustrate the technical solutions in the embodiment of the present application or the background art, the following will describe the drawings that need to be used in the embodiment of the present application or the background art.
图1为本申请实施例提供的一种通信系统的架构示意图;FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application;
图2是本申请实施例提供的一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 2 is a flowchart of a security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图3是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 3 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图4是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 4 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图5是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 5 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图6是本申请实施例提供的又一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 6 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图7是本申请实施例提供的又一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 7 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图8是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 8 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图9是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图;FIG. 9 is a flowchart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application;
图10为本申请实施例提供的一种通信装置的结构示意图;FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
图11是本申请实施例提供的一种通信装置的结构示意图。Fig. 11 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面详细描述本申请的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的,旨在用于解释本申请,而不能理解为对本申请的限制。其中,在本申请的描述中,除非另有说明,“/”表示或的意思,例如,A/B可以表示A或B;本文中的“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。Embodiments of the present application are described in detail below, examples of which are shown in the drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the figures are exemplary, and are intended to explain the present application, and should not be construed as limiting the present application. Among them, in the description of this application, unless otherwise specified, "/" means or means, for example, A/B can mean A or B; "and/or" in this article is only a kind of association describing associated objects A relationship means that there may be three kinds of relationships, for example, A and/or B means: A exists alone, A and B exist simultaneously, and B exists alone.
首先,随着无线移动网络的高速发展,目前的NR网络已经具备较高的可靠性和安全性,但是开发框架的漏洞、伪基站的攻击等威胁仍然层出不穷,寻找更可靠的安全加密算法,以及更可靠的安全认证也是NR网络需要考虑的一个重要方向。First of all, with the rapid development of wireless mobile networks, the current NR network already has high reliability and security, but threats such as loopholes in the development framework and attacks from pseudo base stations still emerge in endlessly. Looking for more reliable security encryption algorithms, and More reliable security authentication is also an important direction that NR networks need to consider.
对于接入网(Access Stratum,简称:AS)的安全性,其中在PDCP(Packet Date Convergence Protocol,分组数据汇聚协议)层使用了MAC-I(Message Authentication Code Integrity,完整性鉴权编码)来进行完整性保护,在完整性保护功能激活后,发送端根据完整性保护算法计算SRB(Signal Radio Bearer,信令无线承载)/DRB(Date Radio Bearer,数据无线承载)对应的每个PDCP PDU(Protocol Date Unit,协议数据单元)的MAC-I,并将MAC-I填充到PDCP PDU对应的MAC-I字段中。在接收端接收到PDCP PDU时,基于相应的输入参数计算出一个XMAC-I,通过XMAC-I与MAC-I是否一致来验证接收的PDCP PDU的完整性。如果计算得到的XMAC-I与接收到的MAC-I一致,那么证明接收到的数据是完整的、没有被篡改的,否则向高层指示完整性验证失败。For the security of the access network (Access Stratum, referred to as: AS), the PDCP (Packet Date Convergence Protocol, packet data convergence protocol) layer uses MAC-I (Message Authentication Code Integrity, integrity authentication code) to carry out Integrity protection, after the integrity protection function is activated, the sender calculates each PDCP PDU (Protocol Date Unit, protocol data unit) MAC-I, and fill the MAC-I into the MAC-I field corresponding to the PDCP PDU. When the receiving end receives the PDCP PDU, it calculates an XMAC-I based on the corresponding input parameters, and verifies the integrity of the received PDCP PDU by checking whether the XMAC-I is consistent with the MAC-I. If the calculated XMAC-I is consistent with the received MAC-I, it proves that the received data is complete and has not been tampered with, otherwise it indicates to the upper layer that the integrity verification fails.
对于MAC-I的计算方法,PDCP完整性保护所需要的输入参数包括:1、RRC消息(整段数据);2、密钥Key RRCint;3、COUNT值;4、承载标识bearer ID;5、数据传输方向direction。通过这5个输入参数,结合完整性保护算法128bit-NIA,计算出一个32bit的MAC-I/XMAC-I。 For the calculation method of MAC-I, the input parameters required for PDCP integrity protection include: 1, RRC message (whole segment data); 2, key Key RRCint ; 3, COUNT value; 4, bearer identification bearer ID; 5, Data transmission direction direction. Through these 5 input parameters, combined with the integrity protection algorithm 128bit-NIA, a 32bit MAC-I/XMAC-I is calculated.
上述所提及的MAC-I可以保护连接态UE(user equipment,用户设备)的数据完整性,但对于RRC非激活态RRC_INACTIVE的UE而言,当向网络发起RRC连接恢复(RRCResumeRequest)时,使用的上行公共控制信道UL_CCCH承载于SRB0,而SRB0是不存在上述所提的完整性保护机制的。因此,对于UE发起连接恢复RRCResumeRequest时,将采用另外一套类似的机制,进行resumeMAC-I的验证。The above-mentioned MAC-I can protect the data integrity of the connected state UE (user equipment, user equipment), but for the UE of the RRC inactive state RRC_INACTIVE, when the RRC connection recovery (RRRCesumeRequest) is initiated to the network, use The uplink common control channel UL_CCCH is carried on SRB0, but SRB0 does not have the aforementioned integrity protection mechanism. Therefore, when the UE initiates a connection recovery RRCResumeRequest, another set of similar mechanisms will be used to verify the resumeMAC-I.
例如,发起连接恢复的UE仍然需要计算MAC-I,需要使用的输入参数仍然包括旧密钥Key RRCint、bearer ID、direction、COUNT值,但与PDCP date PDU中计算MAC-I的输入参数不同的是,RRC连接恢复时MAC-I的计算不使用整段RRC消息作为输入参数,而使用了一个UE变量VarResumeMAC-Input,该变量里面又包含三个子参数:目标小区ID、源小区ID以及C-RNTI(cell radio network temporary identity,小区无线网络临时标识)。通过上述所提输入参数,UE计算出了一个32bit的MAC-I,并取16位最低有效位(即最右边的16位)设置为resumeMAC-I,包含于RRCResumeRequest进行发送。基站通过相同的算法也计算出resumeMAC-I的值,若与UE发送的resumeMAC-I成功匹配,则认证成功,可以发送RRCResume通知UE恢复RRC连接。 For example, the UE that initiates connection recovery still needs to calculate MAC-I, and the input parameters that need to be used still include the old key Key RRCint , bearer ID, direction, and COUNT values, but they are different from the input parameters for calculating MAC-I in PDCP date PDU Yes, the calculation of MAC-I when the RRC connection resumes does not use the entire RRC message as an input parameter, but uses a UE variable VarResumeMAC-Input, which contains three sub-parameters: target cell ID, source cell ID and C- RNTI (cell radio network temporary identity, cell radio network temporary identity). Through the input parameters mentioned above, the UE calculates a 32-bit MAC-I, and takes the 16 least significant bits (ie, the rightmost 16 bits) and sets it as resumeMAC-I, which is included in the RRCResumeRequest for sending. The base station also calculates the resumeMAC-I value through the same algorithm. If it successfully matches the resumeMAC-I sent by the UE, the authentication is successful, and the RRCResume can be sent to notify the UE to resume the RRC connection.
然而,为了能够增强RRC连接恢复的安全性,需要设计一种新的完整性保护算法以实现RRC连接恢复的安全性的增强,而这在终端设备和网络设备分别用各自算法计算完整性鉴权编码MAC-I时,可能会存在兼容性的问题。However, in order to enhance the security of RRC connection recovery, it is necessary to design a new integrity protection algorithm to achieve the enhancement of RRC connection recovery security, and this is done when the terminal device and the network device use their respective algorithms to calculate the integrity authentication When encoding MAC-I, there may be compatibility issues.
为此,本申请提出了一种无线资源控制RRC连接恢复的安全增强方法和通信装置,可以应用于NR网络,通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。To this end, this application proposes a security enhancement method and communication device for radio resource control RRC connection recovery, which can be applied to NR networks, and perform capability negotiation through terminal equipment and network equipment, so that both parties have the same algorithm capability, so that the message The verification information of the integrity verification code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
为了更好的理解本申请实施例公开的一种无线资源控制RRC连接恢复的安全增强方法,下面首先对本申请实施例使用的通信系统进行描述。In order to better understand the security enhancement method for radio resource control RRC connection recovery disclosed in the embodiment of the present application, the communication system used in the embodiment of the present application is firstly described below.
请参见图1,图1为本申请实施例提供的一种通信系统的架构示意图。该通信系统可以包括但不限于一个网络设备和一个终端设备,图1所示的设备数量和形态仅用于举例并不构成对本申请实施例的限定,实际应用中可以包括两个或两个以上的网络设备,两个或两个以上的终端设备。图1所示的通信系统以包括一个网络设备101和一个终端设备102为例。Please refer to FIG. 1 . FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application. The communication system may include, but is not limited to, a network device and a terminal device. The number and form of the devices shown in Figure 1 are for example only and do not constitute a limitation to the embodiment of the application. In practical applications, two or more network equipment, two or more terminal equipment. The communication system shown in FIG. 1 includes one network device 101 and one terminal device 102 as an example.
需要说明的是,本申请实施例的技术方案可以应用于各种通信系统。例如:长期演进(long term evolution,LTE)系统、第五代(5th generation,5G)移动通信系统、5G新空口(new radio,NR)系 统,或者其他未来的新型移动通信系统等。It should be noted that the technical solutions of the embodiments of the present application may be applied to various communication systems. For example: long term evolution (long term evolution, LTE) system, fifth generation (5th generation, 5G) mobile communication system, 5G new radio interface (new radio, NR) system, or other future new mobile communication systems, etc.
本申请实施例中的网络设备101是网络侧的一种用于发射或接收信号的实体。例如,网络设备101可以为演进型基站(evolved NodeB,eNB)、传输点(transmission reception point,TRP)、NR系统中的下一代基站(next generation NodeB,gNB)、其他未来移动通信系统中的基站或无线保真(wireless fidelity,WiFi)系统中的接入节点等。本申请的实施例对网络设备所采用的具体技术和具体设备形态不做限定。本申请实施例提供的网络设备可以是由集中单元(central unit,CU)与分布式单元(distributed unit,DU)组成的,其中,CU也可以称为控制单元(control unit),采用CU-DU的结构可以将网络设备,例如基站的协议层拆分开,部分协议层的功能放在CU集中控制,剩下部分或全部协议层的功能分布在DU中,由CU集中控制DU。The network device 101 in the embodiment of the present application is an entity on the network side for transmitting or receiving signals. For example, the network device 101 may be an evolved base station (evolved NodeB, eNB), a transmission point (transmission reception point, TRP), a next generation base station (next generation NodeB, gNB) in an NR system, or a base station in other future mobile communication systems Or an access node in a wireless fidelity (wireless fidelity, WiFi) system, etc. The embodiment of the present application does not limit the specific technology and specific device form adopted by the network device. The network device provided by the embodiment of the present application may be composed of a centralized unit (central unit, CU) and a distributed unit (distributed unit, DU), wherein the CU may also be called a control unit (control unit), using CU-DU The structure of the network device, such as the protocol layer of the base station, can be separated, and the functions of some protocol layers are placed in the centralized control of the CU, and the remaining part or all of the functions of the protocol layer are distributed in the DU, and the CU centrally controls the DU.
本申请实施例中的终端设备102是用户侧的一种用于接收或发射信号的实体,如手机。终端设备也可以称为终端设备(terminal)、用户设备(user equipment,UE)、移动台(mobile station,MS)、移动终端设备(mobile terminal,MT)等。终端设备可以是具备通信功能的汽车、智能汽车、手机(mobile phone)、穿戴式设备、平板电脑(Pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端设备、无人驾驶(self-driving)中的无线终端设备、远程手术(remote medical surgery)中的无线终端设备、智能电网(smart grid)中的无线终端设备、运输安全(transportation safety)中的无线终端设备、智慧城市(smart city)中的无线终端设备、智慧家庭(smart home)中的无线终端设备等等。本申请的实施例对终端设备所采用的具体技术和具体设备形态不做限定。The terminal device 102 in the embodiment of the present application is an entity on the user side for receiving or transmitting signals, such as a mobile phone. The terminal equipment may also be called terminal equipment (terminal), user equipment (user equipment, UE), mobile station (mobile station, MS), mobile terminal equipment (mobile terminal, MT) and so on. The terminal device can be a car with communication functions, a smart car, a mobile phone, a wearable device, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality ( augmented reality (AR) terminal equipment, wireless terminal equipment in industrial control (industrial control), wireless terminal equipment in self-driving (self-driving), wireless terminal equipment in remote medical surgery (remote medical surgery), smart grid ( Wireless terminal devices in smart grid, wireless terminal devices in transportation safety, wireless terminal devices in smart city, wireless terminal devices in smart home, etc. The embodiment of the present application does not limit the specific technology and specific device form adopted by the terminal device.
可以理解的是,本申请实施例描述的通信系统是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。It can be understood that the communication system described in the embodiment of the present application is to illustrate the technical solution of the embodiment of the present application more clearly, and does not constitute a limitation to the technical solution provided in the embodiment of the present application. With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
下面结合附图对本申请所提供的无线资源控制RRC连接恢复的安全增强方法、通信装置和存储介质进行详细地介绍。The following describes in detail the security enhancement method, communication device and storage medium for RRC connection recovery provided by this application with reference to the accompanying drawings.
请参见图2,图2是本申请实施例提供的一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于终端设备。如图2所示,该无线资源控制RRC连接恢复的安全增强方法可以包括但不限于如下步骤。Please refer to FIG. 2 . FIG. 2 is a flowchart of a security enhancement method for RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device. As shown in FIG. 2 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤201,确定网络设备所支持具备的算法能力。 Step 201, determine the algorithm capabilities supported by the network equipment.
可选地,终端设备与网络设备可以预先进行能力协商,以使得终端设备可以确定网络设备所能够支持具备的算法能力。例如,网络设备可以向终端设备发送能力指示信息。终端设备可以根据网络设备发送的指示信息,确定该网络设备所支持具备的算法能力。Optionally, the terminal device and the network device may negotiate capabilities in advance, so that the terminal device can determine the algorithm capabilities that the network device can support. For example, the network device may send capability indication information to the terminal device. The terminal device can determine the algorithm capability supported by the network device according to the indication information sent by the network device.
作为一种可能实现方式的示例,网络设备向终端设备发送的能力指示信息可以为支持哪种完整性保护算法,例如,该能力指示信息可以是支持第一完整性保护算法,终端设备根据该网络设备发送的能力指示信息,可以确定该网络设备所支持具备的算法能力为支持第一完整性保护算法。具体指示方式可以是通过某个字段(或比特位)表示支持的完整性保护算法类型,当该字段(或比特位)取值为X时表示支持第一完整性保护算法,当该字段(或比特位)取值为Y时表示支持第二完整性保护算法。As an example of a possible implementation, the capability indication information sent by the network device to the terminal device may be which integrity protection algorithm is supported, for example, the capability indication information may be the first integrity protection algorithm supported, and the terminal device according to the network The capability indication information sent by the device may determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm. The specific indication method may be to use a certain field (or bit) to indicate the supported integrity protection algorithm type. When the value of this field (or bit) is X, it indicates that the first integrity protection algorithm is supported. When the value of bit) is Y, it indicates that the second integrity protection algorithm is supported.
又如,该能力指示信息还可以是不支持第一完整性保护算法,终端设备根据该网络设备发送的能力指示信息,可以确定该网络设备所支持具备的算法能力为不支持第一完整性保护算法。For another example, the capability indication information may also be that the first integrity protection algorithm is not supported, and the terminal device may determine that the algorithm capability supported by the network device is that the first integrity protection algorithm is not supported according to the capability indication information sent by the network device. algorithm.
再如,该能力指示信息还可以是支持不同于第一完整性保护算法的算法,比如第二完整性保护算法,终端设备根据该网络设备发送的能力指示信息,可以确定该网络设备所支持具备的算法能力为支持第二完整性保护算法。For another example, the capability indication information may also support an algorithm different from the first integrity protection algorithm, such as the second integrity protection algorithm, and the terminal device may determine the capabilities supported by the network device according to the capability indication information sent by the network device. The algorithm capability of is to support the second integrity protection algorithm.
需要说明的是,本申请实施例中的第一完整性保护算法与第二完整性保护算法为不同的算法,第一完整性保护算法与第二完整性保护算法的输入参数有所不同。其中,在本申请实施例中,输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 It should be noted that the first integrity protection algorithm and the second integrity protection algorithm in the embodiment of the present application are different algorithms, and the input parameters of the first integrity protection algorithm and the second integrity protection algorithm are different. Among them, in this embodiment of the application, the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
作为另一种可能实现方式的示例,网络设备可以向终端设备发送针对MAC-I的计算能力指示以通知终端设备,该网络设备是否支持第一完整性保护算法。As an example of another possible implementation manner, the network device may send a MAC-I computing capability indication to the terminal device to notify the terminal device whether the network device supports the first integrity protection algorithm.
在一种实现方式中,终端设备可判断是否接收到网络设备发送的第一计算能力指示信息,该第一计算能力指示信息用于通知终端设备,网络设备是否支持第一完整性保护算法;响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力。In an implementation manner, the terminal device may determine whether the first computing capability indication information sent by the network device is received, and the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; the response After receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
需要说明的是,第一完整性保护算法是网络设备针对RRC连接恢复过程,所设计的一套新的MAC-I计算方式,通过增加UE存储变量VarResumeMAC-Input里面的输入参数来完成。其中,该第一完整性保护算法的输入参数可包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT 值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,其中,目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量可作为该第一完整性保护算法之中VarResumeMAC-Input中的内容。该增加变量即为在存储变量VarResumeMAC-Input中所增加的变量。 It should be noted that the first integrity protection algorithm is a set of new MAC-I calculation methods designed by the network device for the RRC connection recovery process, and is completed by adding input parameters in the UE storage variable VarResumeMAC-Input. Wherein, the input parameters of the first integrity protection algorithm may include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Adding variables, wherein, the target cell ID, the source cell ID, the temporary identifier C-RNTI and the added variables can be used as the content of VarResumeMAC-Input in the first integrity protection algorithm. The added variable is the variable added in the stored variable VarResumeMAC-Input.
为了解决兼容性的问题,终端设备与网络设备可以预先进行能力协商。可选地,终端设备可以通过判断是否接收到网络设备发送的第一计算能力指示信息,来确定网络设备所支持具备的算法能力。作为一种可能实现方式的示例,响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力。例如,该第一计算能力指示信息用于通知终端设备,网络设备支持第一完整性保护算法,则终端设备根据该第一计算能力指示信息,可确定网络设备所支持具备的算法能力为支持第一完整性保护算法。又如,该第一计算能力指示信息用于通知终端设备,网络设备不支持第一完整性保护算法,则终端设备根据该第一计算能力指示信息,可确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。In order to solve the problem of compatibility, the terminal device and the network device can perform capability negotiation in advance. Optionally, the terminal device may determine the algorithm capability supported by the network device by judging whether the first computing capability indication information sent by the network device is received. As an example of a possible implementation manner, in response to receiving the first computing capability indication information sent by the network device, the algorithm capability supported by the network device is determined according to the first computing capability indication information. For example, the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm, and the terminal device can determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information. An integrity protection algorithm. In another example, the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm, and the terminal device can determine that the network device supports the algorithm capability according to the first computing capability indication information. The first integrity protection algorithm is not supported.
作为另一种可能实现方式的示例,响应于未接收到网络设备发送的第一计算能力指示信息,终端设备可确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。例如,该网络设备支持第二完整性保护算法,不支持第一完整性保护算法。其中,第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。其中,目标小区标识ID、源小区标识ID和临时标识符C-RNTI可作为该第二完整性保护算法之中VarResumeMAC-Input中的内容。 As an example of another possible implementation manner, in response to not receiving the first computing capability indication information sent by the network device, the terminal device may determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm. For example, the network device supports the second integrity protection algorithm but does not support the first integrity protection algorithm. Wherein, the input parameters of the second integrity protection algorithm include Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI. Wherein, the target cell ID, the source cell ID and the temporary identifier C-RNTI can be used as the content of VarResumeMAC-Input in the second integrity protection algorithm.
可以看出,本申请实施例中的第二完整性保护算法与第一完整性保护算法的区别在于所需的输入参数不同,其中,第一完整性保护算法比第二完整性保护算法的输入参数多增加了增加变量。本申请实施例通过在完整性保护算法的输入参数中设计该增加变量,可以有效增强RRC连接恢复的安全性。It can be seen that the difference between the second integrity protection algorithm in the embodiment of the present application and the first integrity protection algorithm is that the required input parameters are different. More parameters have been added to increase variables. In this embodiment of the present application, by designing the added variable in the input parameters of the integrity protection algorithm, the security of RRC connection recovery can be effectively enhanced.
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤202,根据网络设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法。Step 202: Select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
在本申请实施例中,终端设备可以支持第一完整性保护算法,即支持新的MAC-I计算方式。可以理解,终端设备支持第一完整性保护算法,则可认为该终端设备也可以支持第二完整性保护算法,此时根据网络设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法,例如,确定网络设备所支持具备的算法能力为支持第一完整性保护算法,则终端设备可选择第一完整性保护算法作为该目标完整性保护算法;确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,则终端设备可选择第二完整性保护算法作为该目标完整性保护算法。In this embodiment of the present application, the terminal device may support the first integrity protection algorithm, that is, support a new MAC-I calculation manner. It can be understood that if the terminal device supports the first integrity protection algorithm, it can be considered that the terminal device can also support the second integrity protection algorithm. At this time, according to the algorithm capability supported by the network device, the target integrity corresponding to the algorithm capability is selected. Protection algorithm, for example, if it is determined that the algorithm capability supported by the network device is to support the first integrity protection algorithm, then the terminal device can select the first integrity protection algorithm as the target integrity protection algorithm; determine the algorithm supported by the network device If the capability is that the first integrity protection algorithm is not supported, the terminal device may select the second integrity protection algorithm as the target integrity protection algorithm.
可选地,终端设备还可以不支持第一完整性保护算法,即支持老的MAC-I计算方式,如支持第二完整性保护算法,此时不管网络设备支持第一完整性保护算法还是不支持完整性保护算法,由于终端设备不支持第一完整性保护算法,所以,终端设备可选择将第二完整性保护算法作为该目标完整性保护算法。由此,终端设备可根据自身所支持具备的算法能力和网络设备所支持具备的算法能力,选择终端设备与网络设备均能够支持的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,以保证终端设备和网络设备使用相同算法,保证resumeMAC-I这个校验信息能够正确匹配。Optionally, the terminal device may not support the first integrity protection algorithm, that is, support the old MAC-I calculation method, such as supporting the second integrity protection algorithm. At this time, no matter whether the network device supports the first integrity protection algorithm or not The integrity protection algorithm is supported. Since the terminal device does not support the first integrity protection algorithm, the terminal device may select the second integrity protection algorithm as the target integrity protection algorithm. Therefore, the terminal device can select an integrity protection algorithm that both the terminal device and the network device can support to perform integrity protection verification on the RRC connection recovery request message according to the algorithm capabilities supported by itself and the algorithm capabilities supported by the network device. To ensure that the terminal device and the network device use the same algorithm, and ensure that the resumeMAC-I verification information can be correctly matched.
步骤203,根据目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。 Step 203, perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code.
在一种实现方式中,对于目标完整性保护算法为第一完整性保护算法,可采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In one implementation, if the target integrity protection algorithm is the first integrity protection algorithm, the first integrity protection algorithm may be used, according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在另一种实现方式中,对于目标完整性保护算法为第二完整性保护算法,可采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In another implementation, if the target integrity protection algorithm is the second integrity protection algorithm, the second integrity protection algorithm can be used, according to the key Key RRCint , the bearer ID, the direction of data transmission, and the count COUNT value , the target cell ID, the source cell ID and the temporary identifier C-RNTI, calculate a message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
通过实施本申请实施例,可以通过确定网络设备所支持具备的算法能力,选择与网络设备所支持具备的算法能力对应的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,使得双方具备相同的算法能力,从而使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。By implementing the embodiment of the present application, by determining the algorithm capabilities supported by the network equipment, the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment can be selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
请参见图3,图3是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于终端设备。在本实施例中,终端设备通过第一计算能力指示信息了解到网络设备支持第一完整性保护算法;假设本实施例中的终端设备支持第一完整性保护算法,如图3所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 3 . FIG. 3 is a flowchart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device. In this embodiment, the terminal device learns that the network device supports the first integrity protection algorithm through the first computing capability indication information; assuming that the terminal device in this embodiment supports the first integrity protection algorithm, as shown in FIG. 3 , the The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤301,判断是否接收到网络设备发送的第一计算能力指示信息;其中,第一计算能力指示信息用于通知终端设备,网络设备支持第一完整性保护算法。 Step 301, judging whether the first computing capability indication information sent by the network device is received; wherein the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm.
其中,在本申请实施例中,该第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, in the embodiment of the present application, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息 之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤302,响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力为支持第一完整性保护算法。Step 302: In response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device as supporting the first integrity protection algorithm according to the first computing capability indication information.
步骤303,根据网络设备所支持具备的算法能力,选择与算法能力对应的第一完整性保护算法。Step 303: Select a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
步骤304,采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码。其中,在计算出消息完整性验证码之后,可执行步骤307,即根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 304, using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variables , to calculate the message integrity verification code. Wherein, after the message integrity verification code is calculated, step 307 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
步骤305,响应于未接收到网络设备发送的第一计算能力指示信息,确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。Step 305, in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
在本实施例中,在确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,终端设备可选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证。其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 In this embodiment, after determining that the algorithm capability supported by the network device does not support the first integrity protection algorithm, the terminal device may select the second integrity protection algorithm to perform security verification of the RRC connection recovery request message. Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤306,根据网络设备所支持具备的算法能力,选择采用第二完整性保护算法根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。其中,在计算出消息完整性验证码之后,可执行步骤307,即根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 306, according to the algorithm capabilities supported by the network equipment, choose to use the second integrity protection algorithm according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID and the temporary identifier C-RNTI to calculate the message integrity verification code. Wherein, after the message integrity verification code is calculated, step 307 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
步骤307,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 307, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
根据本申请实施例的技术方案,通过确定网络设备所支持具备的算法能力,选择与网络设备所支持具备的算法能力对应的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,使得双方具备相同的算法能力,从而使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。According to the technical solution of the embodiment of the present application, by determining the algorithm capabilities supported by the network equipment, the integrity protection algorithm corresponding to the algorithm capabilities supported by the network equipment is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
请参见图4,图4是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于终端设备。在本实施例中,终端设备通过第一计算能力指示信息了解到网络设备支持第一完整性保护算法;假设本实施例中的终端设备不支持第一完整性保护算法,如图4所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 4 . FIG. 4 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device. In this embodiment, the terminal device learns that the network device supports the first integrity protection algorithm through the first computing capability indication information; assuming that the terminal device in this embodiment does not support the first integrity protection algorithm, as shown in FIG. 4, The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤401,判断是否接收到网络设备发送的第一计算能力指示信息;第一计算能力指示信息用于通知终端设备,网络设备支持第一完整性保护算法; Step 401, judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm;
其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码 resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤402,响应于未接收到网络设备发送的第一计算能力指示信息,确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。Step 402, in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
在本实施例中,在确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,由于终端设备也不支持第一完整性保护算法,所以终端设备可选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证,即在本实施例中,在确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,可执行步骤404,即选择第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 In this embodiment, after determining that the algorithm capability supported by the network device does not support the first integrity protection algorithm, since the terminal device does not support the first integrity protection algorithm, the terminal device can select the second integrity protection algorithm Carry out the security verification of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, step 404 can be performed, that is, the second integrity protection algorithm is selected The algorithm calculates the message integrity verification code according to the key RRCint , the bearer ID, the direction of data transmission, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI.
其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤403,响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力为支持第一完整性保护算法。Step 403: In response to receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information.
也就是说,响应于接收到网络设备发送的第一计算能力指示信息,在根据该第一计算能力指示信息确定网络设备所支持具备的算法能力为支持第一完整性保护算法,由于终端设备不支持第一完整性保护算法,所以需要使用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,即执行步骤404。That is to say, in response to receiving the first computing capability indication information sent by the network device, after determining that the algorithm capability supported by the network device is to support the first integrity protection algorithm according to the first computing capability indication information, since the terminal device does not The first integrity protection algorithm is supported, so the second integrity protection algorithm needs to be used to perform integrity protection verification on the RRC connection recovery request message, that is, step 404 is performed.
步骤404,选择采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 Step 404, choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
步骤405,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 405, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
也就是说,即使网络设备支持第一完整性保护算法,由于终端设备不支持完整性保护算法,所以通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。That is to say, even if the network device supports the first integrity protection algorithm, since the terminal device does not support the integrity protection algorithm, the capability negotiation between the terminal device and the network device is carried out so that both parties have the same algorithm capability, so that the message integrity verification The verification information of code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
请参见图5,图5是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于终端设备。在本实施例中,终端设备在确定网络设备不支持第一完整性保护算法,此时不管终端设备是支持第一完整性保护算法还是不支持第一完整性保护算法,均采用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证。如图5所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 5 . FIG. 5 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a terminal device. In this embodiment, when the terminal device determines that the network device does not support the first integrity protection algorithm, no matter whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the second integrity protection algorithm is adopted. The protection algorithm performs integrity protection verification on the RRC connection recovery request message. As shown in FIG. 5 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤501,判断是否接收到网络设备发送的第一计算能力指示信息;第一计算能力指示信息用于通知终端设备,网络设备不支持第一完整性保护算法。 Step 501, judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm.
其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤502,响应于未接收到网络设备发送的第一计算能力指示信息,确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。Step 502, in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
在本实施例中,在确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,此时不管终端设备是支持第一完整性保护算法还是不支持第一完整性保护算法,终端设备选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证,即在本实施例中,在确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,可执行步骤504,即选择第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 In this embodiment, after it is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, at this time, regardless of whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the terminal The device selects the second integrity protection algorithm to verify the security of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the network device does not support the first integrity protection algorithm, step 504 can be performed , that is, select the second integrity protection algorithm, and calculate the message integrity according to the key Key RRCint , the bearer ID, the data transmission direction direction, the count COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI gender verification code.
其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤503,响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。Step 503: In response to receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm according to the first computing capability indication information.
也就是说,响应于接收到网络设备发送的第一计算能力指示信息,在根据该第一计算能力指示信息确定网络设备所支持具备的算法能力为不支持第一完整性保护算法,此时不管终端设备是支持第一完整性保护算法还是不支持第一完整性保护算法,终端设备选择使用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,即执行步骤504。That is to say, in response to receiving the first computing capability indication information sent by the network device, when it is determined according to the first computing capability indication information that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, no matter what Whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the terminal device chooses to use the second integrity protection algorithm to perform integrity protection verification on the RRC connection recovery request message, that is, step 504 is executed.
步骤504,选择采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 Step 504, choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
步骤505,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 505, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
也就是说,由于网络设备不支持第一完整性保护算法,此时不管终端设备是支持第一完整性保护算法还是不支持第一完整性保护算法,通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。That is to say, since the network device does not support the first integrity protection algorithm, no matter whether the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the capability negotiation between the terminal device and the network device is performed to Make both parties have the same algorithm capability, make the check information of the message integrity verification code resumeMAC-I match correctly, solve the problem of incompatibility of the integrity protection algorithm, and thus realize the enhancement of the security of the RRC connection recovery request message .
在本申请一些实施例中,终端设备可确定自身所支持具备的算法能力,并根据终端设备所支持具备的算法能力,向网络设备发送第二计算能力指示信息,其中,第二计算能力指示信息用于通知网络设备, 终端设备是否支持第一完整性保护算法。可选地,终端设备可通过指示信息将自身所支持具备的算法能力上报给网络设备。In some embodiments of the present application, the terminal device may determine the algorithm capabilities supported by itself, and send the second computing capability indication information to the network device according to the algorithm capabilities supported by the terminal device, wherein the second computing capability indication information It is used to notify the network device whether the terminal device supports the first integrity protection algorithm. Optionally, the terminal device may report its supported algorithm capabilities to the network device through the indication information.
作为一种可能实现方式的示例,响应于终端设备所支持具备的算法能力为支持第一完整性保护算法,向网络设备发送支持第一完整性保护算法的能力指示信息。例如,假设终端设备支持第一完整性保护算法,则终端设备可向网络设备发送支持第一完整性保护算法的能力指示信息。As an example of a possible implementation manner, in response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the network device. For example, assuming that the terminal device supports the first integrity protection algorithm, the terminal device may send capability indication information supporting the first integrity protection algorithm to the network device.
作为另一种可能实现方式的示例,响应于终端设备所支持具备的算法能力为不支持第一完整性保护算法,向网络设备发送不支持第一完整性保护算法的能力指示信息。例如,假设终端设备不支持第一完整性保护算法,则终端设备可向网络设备发送不支持第一完整性保护算法的能力指示信息。As an example of another possible implementation manner, in response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the network device. For example, assuming that the terminal device does not support the first integrity protection algorithm, the terminal device may send capability indication information not supporting the first integrity protection algorithm to the network device.
作为又一种可能实现方式的示例,响应于终端设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持第一完整性保护算法的能力指示信息。例如,假设终端设备不支持第一完整性保护算法,则不上报能力指示信息。其中,网络设备没有接收到终端设备发送的能力指示信息,则网络设备可确定终端设备不支持第一完整性保护算法。As another example of a possible implementation manner, in response to the fact that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent. For example, assuming that the terminal device does not support the first integrity protection algorithm, it does not report the capability indication information. Wherein, if the network device does not receive the capability indication information sent by the terminal device, the network device may determine that the terminal device does not support the first integrity protection algorithm.
在本申请一些实施例中,向网络设备发送能力指示信息的方式至少包括以下任意一种:通过安全模式完成消息发送;通过终端设备UE能力信息消息发送;通过UE辅助信息发送;通过初始接入消息5Msg5发送;通过初始接入消息3Msg3发送;通过初始接入消息1Msg1发送。例如,终端设备可通过如下方式进行能力指示信息的上报:通过安全模式完成(SecurityModeComplete)消息发送能力指示信息;通过终端设备UE能力信息(UECapabilityInformation)消息发送能力指示信息;通过UE辅助信息(UEAssistanceInformation)发送能力指示信息;通过初始接入消息5Msg5(RRCSetupComplete)发送能力指示信息;通过初始接入消息3Msg3(RRCSetupRequest)发送能力指示信息;通过初始接入消息1Msg1(preamble)发送能力指示信息。In some embodiments of the present application, the way of sending the capability indication information to the network device includes at least any one of the following: sending the message through the security mode; sending the UE capability information message through the terminal device; sending through the UE auxiliary information; through the initial access Sent by message 5Msg5; sent by initial access message 3Msg3; sent by initial access message 1Msg1. For example, the terminal device can report the capability indication information in the following ways: send the capability indication information through the security mode complete (SecurityModeComplete) message; send the capability indication information through the terminal device UE capability information (UECapabilityInformation) message; Send capability indication information; send capability indication information through initial access message 5Msg5 (RRCSetupComplete); send capability indication information through initial access message 3Msg3 (RRCSetupRequest); send capability indication information through initial access message 1Msg1 (preamble).
一种可能的实现方式:针对支持第一完整性保护算法的UE在初始接入网络,通过RRCSetup连接建立进入连接态时,此时网络设备需要通过SecurityModeCommand(安全模式命令)进行AS安全认证,UE在回复SecurityModeComplete消息时,携带支持该第一完整性保护算法的能力指示信息以支持上报网络设备。A possible implementation method: when a UE that supports the first integrity protection algorithm initially accesses the network and enters the connection state through RRCSetup connection establishment, the network device needs to perform AS security authentication through the SecurityModeCommand (security mode command), and the UE When replying to the SecurityModeComplete message, the capability indication information supporting the first integrity protection algorithm is carried to support reporting to the network device.
一种可能的实现方式:针对不支持第一完整性保护算法的UE在初始接入网络,通过RRCSetup连接建立进入连接态时,此时网络设备需要通过SecurityModeCommand(安全模式命令)进行AS安全认证,UE在回复SecurityModeComplete消息时,携带不支持该第一完整性保护算法的能力指示信息以上报网络设备。A possible implementation method: when a UE that does not support the first integrity protection algorithm initially accesses the network and enters the connection state through RRCSetup connection establishment, the network device needs to perform AS security authentication through the SecurityModeCommand (security mode command). When the UE replies to the SecurityModeComplete message, it carries capability indication information that does not support the first integrity protection algorithm to report to the network device.
一种可能的实现方式:针对不支持第一完整性保护算法的UE在初始接入网络,在进入连接态后,不会上报任何关于支持第一完整性保护算法的能力指示。A possible implementation manner: for a UE that does not support the first integrity protection algorithm to initially access the network, after entering the connected state, it will not report any indication of the ability to support the first integrity protection algorithm.
由此,可通过终端设备与网络设备预先进行能力协商,以便在终端设备发起RRC连接恢复请求时,终端设备可基于与网络设备的协商结果,采用终端设备与网络设备均能够支持的完整性保护算法对RRC连接恢复请求进行完整性保护验证,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。Therefore, the capability negotiation between the terminal device and the network device can be performed in advance, so that when the terminal device initiates an RRC connection recovery request, the terminal device can adopt the integrity protection that both the terminal device and the network device can support based on the negotiation result with the network device The algorithm performs integrity protection verification on the RRC connection recovery request, so that the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the RRC connection recovery request message can be realized. Security enhancements.
在本申请一些实施例中,对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于在非锚点小区发生RRC连接恢复,终端设备可采用第一完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复进行完整性保护验证。其中,该锚点小区可理解为该终端设备的服务网络设备所在的小区;该非锚点小区可理解为触发小区重选时该终端设备所在的小区。In some embodiments of the present application, the message integrity verification code calculated by the first integrity protection algorithm is used when the terminal camps on the anchor cell, and when cell reselection occurs in the inactive state, the response to When the RRC connection resumes in the non-anchor cell, the terminal device may use the first integrity protection algorithm and the input parameters for calculating the message integrity verification code to perform integrity protection verification on the RRC connection restoration. Wherein, the anchor cell may be understood as the cell where the serving network device of the terminal device is located; the non-anchor cell may be understood as the cell where the terminal device is located when cell reselection is triggered.
可选地,假设终端设备处于非激活INACTIVE态,且该终端设备发生了小区重选,在非锚点小区(即非上次连接态的服务小区)发生RRC连接恢复,则此时该终端设备可维持原有的算法能力不变,并且该非锚点小区中的新网络设备需要发送新的提取终端设备上下文请求消息通知旧网络设备进行ResumeMAC-I的校验。例如,对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,锚点小区广播支持该第一完整性保护算法,假设终端设备在非锚点小区发生RRC连接恢复,则终端设备可采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复进行完整性保护验证。又如,对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,锚点小区广播不支持该第一完整性保护算法,虽然该锚点小区不支持第一完整性保护算法,但是通过锚点小区的服务网络设备进行ResumeMAC-I的校验,而锚点小区的服务网络设备是支持第一完整性保护算法的,所以终端设备可采用第一完整性保护算法对RRC连接恢复进行完整性保护验证。 Optionally, assuming that the terminal equipment is in the inactive INACTIVE state, and the terminal equipment undergoes cell reselection, and RRC connection recovery occurs in a non-anchor cell (that is, a serving cell that is not in the last connection state), then the terminal equipment at this time The original algorithm capability can be kept unchanged, and the new network device in the non-anchor cell needs to send a new request message to extract the terminal device context to notify the old network device to perform ResumeMAC-I verification. For example, for the message integrity verification code calculated by using the first integrity protection algorithm when the terminal camps on the anchor cell, and when cell reselection occurs in the inactive state, the anchor cell broadcasts support for the first Integrity protection algorithm, assuming that the terminal device recovers the RRC connection in a non-anchor cell, the terminal device can adopt the first integrity protection algorithm, according to the key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery according to the calculated message integrity verification code. For another example, when the terminal is camped on the anchor cell, the message integrity verification code calculated by using the first integrity protection algorithm, and in the case of cell reselection in the inactive state, the anchor cell broadcast does not support the message integrity verification code. The first integrity protection algorithm, although the anchor cell does not support the first integrity protection algorithm, the ResumeMAC-I check is performed by the serving network device of the anchor cell, and the serving network device of the anchor cell supports the first Integrity protection algorithm, so the terminal device can use the first integrity protection algorithm to perform integrity protection verification on RRC connection recovery.
需要说明的是,在DCCA(载波聚合双连接)场景下,终端设备上次连接态的服务小区特指能够接受系统消息的首次驻留的主小区:PCell(主小区,Primary cell)或PSCell(主辅小区,PrimarySecondary cell)。It should be noted that in the DCCA (Dual Connectivity with Carrier Aggregation) scenario, the serving cell in the last connection state of the terminal device refers to the primary cell that can receive system messages for the first time: PCell (Primary cell) or PSCell (Primary cell) Primary secondary cell, PrimarySecondary cell).
可以理解,上述实施例是从终端设备侧描述本申请实施例的无线资源控制RRC连接恢复的安全增强方法的实现方式。本申请实施例还提出另一种无线资源控制RRC连接恢复的安全增强方法,下面将从网络设备侧描述该无线资源控制RRC连接恢复的安全增强方法的实现方式。请参见图6,图6是本申请实施例提供的又一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于网络设备。如图6所示,该无线资源控制RRC连接恢复的安全增强方法可以包括但不限于如下步骤。It can be understood that the foregoing embodiments describe the implementation of the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application from the terminal device side. The embodiment of the present application also proposes another security enhancement method for radio resource control RRC connection recovery. The implementation of the security enhancement method for radio resource control RRC connection recovery will be described below from the network device side. Please refer to FIG. 6 . FIG. 6 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device. As shown in FIG. 6 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤601,响应于接收到终端设备发送的RRC连接恢复请求消息,确定终端设备所支持具备的算法能力。 Step 601, in response to receiving the RRC connection recovery request message sent by the terminal device, determine the algorithm capability supported by the terminal device.
可选地,网络设备在接收到终端设备发送的RRC连接恢复请求消息时,需要对该RRC连接恢复请求消息进行完整性保护验证,其中,可先确定终端设备所支持具备的算法能力,通过终端设备的算法能力来选择对应完整性保护算法来完整验证。Optionally, when the network device receives the RRC connection recovery request message sent by the terminal device, it needs to perform integrity protection verification on the RRC connection recovery request message, wherein the algorithm capability supported by the terminal device can be determined first, and the terminal Algorithm capability of the device to select the corresponding integrity protection algorithm for complete verification.
可选地,网络设备与终端设备可以预先进行能力协商,以使得网络设备可以确定终端设备所能够支持具备的算法能力。例如,终端设备可以向网络设备发送能力指示信息。网络设备可以根据终端设备发送的指示信息,确定该终端设备所支持具备的算法能力。Optionally, the network device and the terminal device may negotiate capabilities in advance, so that the network device may determine the algorithm capabilities that the terminal device can support. For example, the terminal device may send capability indication information to the network device. The network device can determine the algorithm capability supported by the terminal device according to the indication information sent by the terminal device.
作为一种可能实现方式的示例,终端设备向网络设备发送的能力指示信息可以为支持哪种完整性保护算法,例如,该能力指示信息可以是支持第一完整性保护算法,网络设备根据终端设备发送的能力指示信息,可以确定该终端设备所支持具备的算法能力为支持第一完整性保护算法。As an example of a possible implementation manner, the capability indication information sent by the terminal device to the network device may be which integrity protection algorithm is supported, for example, the capability indication information may support the first integrity protection algorithm, and the network device The sent capability indication information may determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
又如,该能力指示信息还可以是不支持第一完整性保护算法,网络设备根据该终端设备发送的能力指示信息,可以确定该终端设备所支持具备的算法能力为不支持第一完整性保护算法。For another example, the capability indication information may also be that the first integrity protection algorithm is not supported, and the network device may determine that the algorithm capability supported by the terminal device is that the first integrity protection algorithm is not supported according to the capability indication information sent by the terminal device. algorithm.
再如,该能力指示信息还可以是支持不同于第一完整性保护算法的算法,比如第二完整性保护算法,网络设备根据该终端设备发送的能力指示信息,可以确定该终端设备所支持具备的算法能力为支持第二完整性保护算法。For another example, the capability indication information may also support an algorithm different from the first integrity protection algorithm, such as the second integrity protection algorithm, and the network device may determine the capabilities supported by the terminal device according to the capability indication information sent by the terminal device. The algorithm capability of is to support the second integrity protection algorithm.
需要说明的是,本申请实施例中的第一完整性保护算法与第二完整性保护算法为不同的算法,第一完整性保护算法与第二完整性保护算法的输入参数有所不同。其中,在本申请实施例中,输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 It should be noted that the first integrity protection algorithm and the second integrity protection algorithm in the embodiment of the present application are different algorithms, and the input parameters of the first integrity protection algorithm and the second integrity protection algorithm are different. Among them, in this embodiment of the application, the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
作为另一种可能实现方式的示例,终端设备可以向网络设备发送针对MAC-I的计算能力指示以通知网络设备,该终端设备是否支持第一完整性保护算法。可选地,网络设备可通过判断是否接收到终端设备发送的能力指示信息,来确定终端设备所支持具备的算法能力。在一种实现方式中,判断是否接收到终端设备发送的第二计算能力指示信息;该第二计算能力指示信息用于通知网络设备,终端设备是否支持第一完整性保护算法;其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量;响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力。 As an example of another possible implementation manner, the terminal device may send the MAC-I computing capability indication to the network device to notify the network device whether the terminal device supports the first integrity protection algorithm. Optionally, the network device may determine the algorithm capability supported by the terminal device by judging whether the capability indication information sent by the terminal device is received. In an implementation manner, it is judged whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the first The input parameters of the integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable; To the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
需要说明的是,第一完整性保护算法是网络设备针对RRC连接恢复过程,所设计的一套新的MAC-I计算方式,通过增加UE存储变量VarResumeMAC-Input里面的输入参数来完成。其中,该第一完整性保护算法的输入参数可包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。该增加变量即为在存储变量VarResumeMAC-Input中所增加的变量。 It should be noted that the first integrity protection algorithm is a set of new MAC-I calculation methods designed by the network device for the RRC connection recovery process, and is completed by adding input parameters in the UE storage variable VarResumeMAC-Input. Wherein, the input parameters of the first integrity protection algorithm may include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add variables. The added variable is the variable added in the stored variable VarResumeMAC-Input.
为了解决兼容性的问题,网络设备与终端设备可以预先进行能力协商。可选地,网络设备可以通过判断是否接收到终端设备发送的第二计算能力指示信息,来确定终端设备所支持具备的算法能力。作为一种可能实现方式的示例,响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力。例如,该第二计算能力指示信息用于通知网络设备,终端设备支持第一完整性保护算法,则网络设备根据该第二计算能力指示信息,可确定终端设备所支持具备的算法能力为支持第一完整性保护算法。又如,该第二计算能力指示信息用于通知网络设备,终端设备不支持第一完整性保护算法,则网络设备根据该第二计算能力指示信息,可确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。In order to solve the compatibility problem, the network device and the terminal device can perform capability negotiation in advance. Optionally, the network device may determine the algorithm capability supported by the terminal device by judging whether the second computing capability indication information sent by the terminal device is received. As an example of a possible implementation manner, in response to receiving the second computing capability indication information sent by the terminal device, the algorithm capability supported by the terminal device is determined according to the second computing capability indication information. For example, the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm, and the network device can determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information. An integrity protection algorithm. In another example, the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm, and the network device may determine that the terminal device supports the algorithm capability according to the second computing capability indication information. The first integrity protection algorithm is not supported.
作为另一种可能实现方式的示例,响应于未接收到终端设备发送的第二计算能力指示信息,网络设备可确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。例如,该终端设备支持第二完 整性保护算法,不支持第一完整性保护算法。其中,第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 As an example of another possible implementation manner, in response to not receiving the second computing capability indication information sent by the terminal device, the network device may determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm. For example, the terminal device supports the second integrity protection algorithm but does not support the first integrity protection algorithm. Wherein, the input parameters of the second integrity protection algorithm include Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
可以看出,本申请实施例中的第二完整性保护算法与第一完整性保护算法的区别在于所需的输入参数不同,其中,第一完整性保护算法比第二完整性保护算法的输入参数多增加了增加变量。本申请实施例通过在完整性保护算法的输入参数中设计该增加变量,可以有效增强RRC连接恢复的安全性。It can be seen that the difference between the second integrity protection algorithm in the embodiment of the present application and the first integrity protection algorithm is that the required input parameters are different. More parameters have been added to increase variables. In this embodiment of the present application, by designing the added variable in the input parameters of the integrity protection algorithm, the security of RRC connection recovery can be effectively enhanced.
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤602,根据终端设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法。Step 602: Select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
在本申请实施例中,网络设备可以支持第一完整性保护算法,即支持新的MAC-I计算方式。可以理解,网络设备支持第一完整性保护算法,则可认为该网络设备也可以支持第二完整性保护算法,此时根据终端设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法,例如,确定终端设备所支持具备的算法能力为支持第一完整性保护算法,则网络设备可选择第一完整性保护算法作为该 目标完整性保护算法;确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,则网络设备可选择第二完整性保护算法作为该目标完整性保护算法。In this embodiment of the present application, the network device may support the first integrity protection algorithm, that is, support a new MAC-I calculation manner. It can be understood that if the network device supports the first integrity protection algorithm, it can be considered that the network device can also support the second integrity protection algorithm. At this time, according to the algorithm capability supported by the terminal device, select the target integrity value corresponding to the algorithm capability Protection algorithm, for example, if it is determined that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm, then the network device can select the first integrity protection algorithm as the target integrity protection algorithm; determine the algorithm supported by the terminal device If the capability is that the first integrity protection algorithm is not supported, the network device may select the second integrity protection algorithm as the target integrity protection algorithm.
可选地,网络设备还可以不支持第一完整性保护算法,即支持老的MAC-I计算方式,如支持第二完整性保护算法,此时不管终端设备支持第一完整性保护算法还是不支持完整性保护算法,由于网络设备不支持第一完整性保护算法,所以,网络设备可选择将第二完整性保护算法作为该目标完整性保护算法。由此,网络设备可根据自身所支持具备的算法能力和终端she吧所支持具备的算法能力,选择终端设备与网络设备均能够支持的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,以保证终端设备和网络设备使用相同算法,保证resumeMAC-I这个校验信息能够正确匹配。Optionally, the network device may not support the first integrity protection algorithm, that is, support the old MAC-I calculation method, such as supporting the second integrity protection algorithm. At this time, no matter whether the terminal device supports the first integrity protection algorithm or not The integrity protection algorithm is supported. Since the network device does not support the first integrity protection algorithm, the network device may select the second integrity protection algorithm as the target integrity protection algorithm. Therefore, the network device can select an integrity protection algorithm that both the terminal device and the network device can support to perform integrity protection verification on the RRC connection recovery request message according to the algorithm capabilities supported by itself and the algorithm capabilities supported by the terminal. , to ensure that the terminal device and the network device use the same algorithm, and ensure that the resumeMAC-I verification information can be correctly matched.
步骤603,根据目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。 Step 603, according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code, perform integrity protection verification on the RRC connection recovery request message.
在一种实现方式中,对于目标完整性保护算法为第一完整性保护算法,可采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In one implementation, if the target integrity protection algorithm is the first integrity protection algorithm, the first integrity protection algorithm may be used, according to the key Key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在另一种实现方式中,对于目标完整性保护算法为第二完整性保护算法,可采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In another implementation, if the target integrity protection algorithm is the second integrity protection algorithm, the second integrity protection algorithm can be used, according to the key Key RRCint , the bearer ID, the direction of data transmission, and the count COUNT value , the target cell ID, the source cell ID and the temporary identifier C-RNTI, calculate a message integrity verification code, and perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
通过实施本申请实施例,可以通过确定终端设备所支持具备的算法能力,选择与终端设备所支持具备的算法能力对应的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,使得双方具备相同的算法能力,从而使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。By implementing the embodiment of the present application, by determining the algorithm capability supported by the terminal device, the integrity protection algorithm corresponding to the algorithm capability supported by the terminal device can be selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties have With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of integrity protection algorithms is solved, so that the security of the RRC connection recovery request message can be enhanced.
请参见图7,图7是本申请实施例提供的又一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于网络设备。在本实施例中,网络设备通过第二计算能力指示信息了解到终端设备支持第一完整性保护算法;假设本实施例中的网络设备支持第一完整性保护算法,如图7所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 7 . FIG. 7 is a flow chart of another security enhancement method for radio resource control RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device. In this embodiment, the network device learns that the terminal device supports the first integrity protection algorithm through the second computing capability indication information; assuming that the network device in this embodiment supports the first integrity protection algorithm, as shown in FIG. 7, the The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤701,判断是否接收到终端设备发送的第二计算能力指示信息;其中,第二计算能力指示信息用于通知网络设备,终端设备支持第一完整性保护算法。 Step 701, judging whether the second computing capability indication information sent by the terminal device is received; wherein, the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm.
其中,在本申请实施例中,该第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, in the embodiment of the present application, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary Identifier C-RNTI and increase variable.
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) The recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) The arrangement and combination of the resume identification resumeIdentity, resume cause resumeCause and spare spare fields in the RRC connection resume request message;
C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an added variable is set to a special bit;
D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) RRC connection recovery request message, wherein, the field used to represent the message integrity verification code resumeMAC-I is deleted in the RRC connection recovery request message as an added variable;
F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。F) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别 resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤702,响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力为支持第一完整性保护算法。Step 702: In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information.
步骤703,根据终端设备所支持具备的算法能力,选择与算法能力对应的第一完整性保护算法。Step 703: Select a first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
步骤704,采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码。其中,在计算出消息完整性验证码之后,可执行步骤707,即根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 704, using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variables , to calculate the message integrity verification code. Wherein, after the message integrity verification code is calculated, step 707 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
步骤705,响应于未接收到终端设备发送的第二计算能力指示信息,确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。Step 705: In response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
在本实施例中,在确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,网络设备可选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证。其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 In this embodiment, after determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, the network device may select the second integrity protection algorithm to verify the security of the RRC connection recovery request message. Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤706,根据终端设备所支持具备的算法能力,选择采用第二完整性保护算法根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。其中,在计算出消息完整性验证码之后,可执行步骤707,即根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 706, according to the algorithm capability supported by the terminal equipment, choose to adopt the second integrity protection algorithm according to the key Key RRCint , the bearer ID, the direction of data transmission, the count COUNT value, the target cell ID, and the source cell ID and the temporary identifier C-RNTI to calculate the message integrity verification code. Wherein, after the message integrity verification code is calculated, step 707 may be performed, that is, to perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
步骤707,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 707, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
根据本申请实施例的技术方案,通过确定终端设备所支持具备的算法能力,选择与终端设备所支持具备的算法能力对应的完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,使得双方具备相同的算法能力,从而使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。According to the technical solution of the embodiment of the present application, by determining the algorithm capability supported by the terminal device, the integrity protection algorithm corresponding to the algorithm capability supported by the terminal device is selected to perform integrity protection verification on the RRC connection recovery request message, so that both parties With the same algorithm capability, the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the security of the RRC connection recovery request message can be enhanced.
请参见图8,图8是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于网络设备。在本实施例中,网络设备通过第二计算能力指示信息了解到终端设备支持第一完整性保护算法;假设本实施例中的网络设备不支持第一完整性保护算法,如图8所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 8 . FIG. 8 is a flow chart of another security enhancement method for RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device. In this embodiment, the network device learns that the terminal device supports the first integrity protection algorithm through the second computing capability indication information; assuming that the network device in this embodiment does not support the first integrity protection algorithm, as shown in FIG. 8, The security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤801,判断是否接收到终端设备发送的第二计算能力指示信息;第二计算能力指示信息用于通知网络设备,终端设备支持第一完整性保护算法。 Step 801, judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indicating information is used to notify the network device that the terminal device supports the first integrity protection algorithm.
其中,该第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increment variable.
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) The recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) The arrangement and combination of the resume identification resumeIdentity, resume cause resumeCause and spare spare fields in the RRC connection resume request message;
C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an added variable is set to a special bit;
D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) RRC connection recovery request message, wherein, the field used to represent the message integrity verification code resumeMAC-I is deleted in the RRC connection recovery request message as an added variable;
F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。F) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤802,响应于未接收到终端设备发送的第二计算能力指示信息,确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。 Step 802, in response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
在本实施例中,在确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,由于网络设 备也不支持第一完整性保护算法,所以网络设备可选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证,即在本实施例中,在确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,可执行步骤804,即选择第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 In this embodiment, after determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, since the network device does not support the first integrity protection algorithm, the network device can select the second integrity protection algorithm Perform security verification of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, step 804 can be performed, that is, the second integrity protection algorithm is selected The algorithm calculates the message integrity verification code according to the key RRCint , the bearer ID, the direction of data transmission, the COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI.
其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤803,响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力为支持第一完整性保护算法。Step 803: In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm according to the second computing capability indication information.
也就是说,响应于接收到终端设备发送的第二计算能力指示信息,在根据该第二计算能力指示信息确定网络设备所支持具备的算法能力为支持第一完整性保护算法,由于网络设备不支持第一完整性保护算法,所以需要使用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,即执行步骤804。That is to say, in response to receiving the second computing capability indication information sent by the terminal device, after determining according to the second computing capability indication information that the algorithm capability supported by the network device is to support the first integrity protection algorithm, since the network device does not The first integrity protection algorithm is supported, so the second integrity protection algorithm needs to be used to perform integrity protection verification on the RRC connection recovery request message, that is, step 804 is executed.
步骤804,选择采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 Step 804, choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
步骤805,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 805, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
也就是说,即使终端设备支持第一完整性保护算法,由于网络设备不支持完整性保护算法,所以通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。That is to say, even if the terminal device supports the first integrity protection algorithm, since the network device does not support the integrity protection algorithm, the capability negotiation between the terminal device and the network device is performed so that both parties have the same algorithm capability, and the message integrity verification The verification information of code resumeMAC-I can be correctly matched, which solves the problem of incompatibility of the integrity protection algorithm, so that the security of the RRC connection recovery request message can be enhanced.
请参见图9,图9是本申请实施例提供的另一种无线资源控制RRC连接恢复的安全增强方法的流程图。需要说明的是,本申请实施例的无线资源控制RRC连接恢复的安全增强方法可应用于网络设备。在本实施例中,网络设备在确定终端设备不支持第一完整性保护算法,此时不管网络设备是支持第一完整性保护算法还是不支持第一完整性保护算法,均采用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证。如图9所示,该无线资源控制RRC连接恢复的安全增强方法可包括但不限于如下步骤。Please refer to FIG. 9 . FIG. 9 is a flow chart of another security enhancement method for RRC connection recovery provided by an embodiment of the present application. It should be noted that the security enhancement method for radio resource control RRC connection recovery in the embodiment of the present application can be applied to a network device. In this embodiment, when the network device determines that the terminal device does not support the first integrity protection algorithm, no matter whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the second integrity protection algorithm is adopted. The protection algorithm performs integrity protection verification on the RRC connection recovery request message. As shown in FIG. 9 , the security enhancement method for radio resource control RRC connection recovery may include but not limited to the following steps.
步骤901,判断是否接收到终端设备发送的第二计算能力指示信息;第二计算能力指示信息用于通知终端设备,网络设备不支持第一完整性保护算法。 Step 901, judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm.
其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Wherein, the input parameters of the first integrity protection algorithm include key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable .
在本申请一些实施例中,该增强变量至少可包括以下A)至F)中的任意一项:In some embodiments of the present application, the enhanced variable may include at least any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) The recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) The arrangement and combination of the resume identification resumeIdentity, resume cause resumeCause and spare spare fields in the RRC connection resume request message;
C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an added variable is set to a special bit;
D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) RRC connection recovery request message, wherein, the field used to represent the message integrity verification code resumeMAC-I is deleted in the RRC connection recovery request message as an added variable;
F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。为了方便理解,下面将给出对应实现方式进行描述。F) The RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable. For the convenience of understanding, a corresponding implementation manner will be given below for description.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段。也就是说,在UE存储变量VarResumeMAC-Input中增加RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段,作为额外的输入参数代入完整性保护算法得出一个全新的32bit的MAC-I(其中,除了使用VarResumeMAC-Input的输入参数外,还需要使用密钥Key RRCint、bearer ID、direction、COUNT值),最后取16位最低有效位作为消息完整性验证码ResumeMAC-I,存放于RRC连接恢复请求消息(RRCResumeRequest)中。 In an implementation manner, the enhanced variable may include resumeIdentity, resumeCause and spare fields in the RRC connection resume request message. That is to say, add the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message to the UE storage variable VarResumeMAC-Input, and substitute them into the integrity protection algorithm as additional input parameters to obtain a brand new 32-bit MAC -I (in addition to using the input parameters of VarResumeMAC-Input, you also need to use the key Key RRCint , bearer ID, direction, and COUNT values), and finally take the 16 least significant bits as the message integrity verification code ResumeMAC-I, store In the RRC connection recovery request message (RRRCesumeRequest).
在一种实现方式中,参照上述实施例,该增强变量可包括RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合,计算方法同理即可。其中,该 排列组合可理解为恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段之中任意一个或多个。例如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意一个;又如,该增强变量可包括RRC连接恢复请求消息中的resumeIdentity、恢复原因resumeCause以及备用spare字段中的任意两个。具体可根据实际情况来决定,本申请对此不做具体限定。In an implementation manner, referring to the above embodiment, the enhanced variable may include the arrangement and combination of the resumeIdentity, resumeCause and spare fields in the RRC connection resume request message, and the calculation method is the same. Wherein, the permutation and combination can be understood as any one or more of resumeIdentity, resumeCause, and spare fields. For example, the enhanced variable may include any one of resumeIdentity, resumeCause, and spare field in the RRC connection resume request message; for another example, the enhanced variable may include resumeIdentity, resumeCause, and spare field in the RRC connection resume request message. Any two of the spare fields. Specifically, it may be determined according to actual conditions, and this application does not specifically limit it.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特。作为一种示例,该特殊比特可全为0或全为1,例如,将作为该增强变量的RRC连接恢复请求消息之中resumeMAC-I字段全置为1或全置为0。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection resume request message as an added variable is set to a special bit. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message is directly used as the enhanced variable, wherein the RRC connection recovery request message used as the enhanced variable is used to represent the field of the message integrity verification code resumeMAC-I set as a special bit. As an example, the special bits may be all 0 or all 1, for example, the resumeMAC-I field in the RRC connection resume request message as the enhanced variable is set to all 1 or all 0.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,也就是说,在将RRC连接恢复请求消息作为增强变量的同时,还可再增加一个用于指示RRC连接恢复请求的比特位也作为该增强变量。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bit used to indicate the RRC connection recovery request are directly used as the enhanced variable, that is, while the RRC connection recovery request message is used as the enhanced variable , an additional bit for indicating the RRC connection recovery request can also be added as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection resume request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection resume request message is directly used as the enhanced variable, wherein the field for indicating resumeMAC-I is deleted from the RRC connection resume request message used as the enhanced variable.
在一种实现方式中,该增强变量可包括RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为该增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。例如,在UE存储变量VarResumeMAC-Input中,直接将RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位作为该增强变量,其中,作为该增强变量的RRC连接恢复请求消息之中删除了用于表示resumeMAC-I的字段。In an implementation manner, the enhanced variable may include an RRC connection recovery request message and a bit used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted from the RRC connection recovery request message indicating that the message is complete. field of the authentication code resumeMAC-I. For example, in the variable VarResumeMAC-Input stored in the UE, the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request are directly used as the enhanced variable, wherein the RRC connection recovery request message as the enhanced variable deletes Field used to indicate resumeMAC-I.
步骤902,响应于未接收到终端设备发送的第二计算能力指示信息,确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。Step 902: In response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
在本实施例中,在确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,此时不管网络设备是支持第一完整性保护算法还是不支持第一完整性保护算法,网络设备选择第二完整性保护算法进行RRC连接恢复请求消息的安全性验证,即在本实施例中,在确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,可执行步骤904,即选择第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 In this embodiment, when it is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, at this time, regardless of whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the network The device selects the second integrity protection algorithm to verify the security of the RRC connection recovery request message, that is, in this embodiment, after determining that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, step 904 can be performed , that is, select the second integrity protection algorithm, and calculate the message integrity according to the key Key RRCint , the bearer ID, the data transmission direction direction, the count COUNT value, the target cell ID, the source cell ID, and the temporary identifier C-RNTI gender verification code.
其中,在本申请实施例中,该第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Wherein, in the embodiment of the present application, the input parameters of the second integrity protection algorithm include key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, and temporary Identifier C-RNTI.
步骤903,响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。Step 903: In response to receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm according to the second computing capability indication information.
也就是说,响应于接收到终端设备发送的第二计算能力指示信息,在根据该第二计算能力指示信息确定终端设备所支持具备的算法能力为不支持第一完整性保护算法,此时不管网络设备是支持第一完整性保护算法还是不支持第一完整性保护算法,网络设备选择使用第二完整性保护算法对RRC连接恢复请求消息进行完整性保护验证,即执行步骤904。That is to say, in response to receiving the second computing capability indication information sent by the terminal device, when it is determined according to the second computing capability indication information that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, regardless of Whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the network device chooses to use the second integrity protection algorithm to perform integrity protection verification on the RRC connection recovery request message, that is, step 904 is executed.
步骤904,选择采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码。 Step 904, choose to adopt the second integrity protection algorithm , and calculate Message integrity verification code.
步骤905,根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Step 905, perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
也就是说,由于终端设备不支持第一完整性保护算法,此时不管网络设备是支持第一完整性保护算法还是不支持第一完整性保护算法,通过终端设备与网络设备进行能力协商,以使得双方具备相同的算法能力,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。That is to say, since the terminal device does not support the first integrity protection algorithm, no matter whether the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm, the capability negotiation between the terminal device and the network device is performed to Make both parties have the same algorithm capability, make the check information of the message integrity verification code resumeMAC-I match correctly, solve the problem of incompatibility of the integrity protection algorithm, and thus realize the enhancement of the security of the RRC connection recovery request message .
在本申请一些实施例中,网络设备可确定自身所支持具备的算法能力,并根据网络设备所支持具备的算法能力,向终端设备发送第一计算能力指示信息,其中,第一计算能力指示信息用于通知终端设备,网络设备是否支持第一完整性保护算法。可选地,网络设备可通过指示信息将自身所支持具备的算法能力下发给终端设备。In some embodiments of the present application, the network device may determine the algorithm capabilities supported by itself, and send the first computing capability indication information to the terminal device according to the algorithm capabilities supported by the network device, wherein the first computing capability indication information It is used to notify the terminal device whether the network device supports the first integrity protection algorithm. Optionally, the network device may send the algorithm capability supported by itself to the terminal device through the indication information.
作为一种可能实现方式的示例,响应于网络设备所支持具备的算法能力为支持第一完整性保护算法,向终端设备发送支持第一完整性保护算法的能力指示信息。例如,假设网络设备支持第一完整性保护算法,则网络设备可向终端设备发送支持第一完整性保护算法的能力指示信息。As an example of a possible implementation manner, in response to the fact that the algorithm capability supported by the network device is to support the first integrity protection algorithm, capability indication information supporting the first integrity protection algorithm is sent to the terminal device. For example, assuming that the network device supports the first integrity protection algorithm, the network device may send capability indication information supporting the first integrity protection algorithm to the terminal device.
作为另一种可能实现方式的示例,响应于网络设备所支持具备的算法能力为不支持第一完整性保护算法,向终端设备发送不支持第一完整性保护算法的能力指示信息。例如,假设网络设备不支持第一完整性保护算法,则网络设备可终端设备发送不支持第一完整性保护算法的能力指示信息。As an example of another possible implementation manner, in response to the fact that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, capability indication information not supporting the first integrity protection algorithm is sent to the terminal device. For example, assuming that the network device does not support the first integrity protection algorithm, the network device may send capability indication information that the terminal device does not support the first integrity protection algorithm.
作为又一种可能实现方式的示例,响应于网络设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持第一完整性保护算法的能力指示信息。例如,假设网络设备不支持第一完整性保护算法,则不通知终端设备,该网络设备不支持第一完整性保护算法的能力指示信息。其中,终端设备没有接收到网络设备发送的能力指示信息,则终端设备可确定网络设备不支持第一完整性保护算法。As another example of a possible implementation manner, in response to the fact that the algorithm capability supported by the network device does not support the first integrity protection algorithm, no capability indication information on whether to support the first integrity protection algorithm is not sent. For example, assuming that the network device does not support the first integrity protection algorithm, the terminal device is not notified that the network device does not support the capability indication information of the first integrity protection algorithm. Wherein, if the terminal device does not receive the capability indication information sent by the network device, the terminal device may determine that the network device does not support the first integrity protection algorithm.
在本申请一些实施例中,向终端设备发送能力指示信息的方式至少包括以下任意一种:通过RRC释放消息发送;通过系统消息广播。In some embodiments of the present application, the manner of sending the capability indication information to the terminal device includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
一种可能的实现方式:针对广播,支持第一完整性保护算法的网络设备,需要在系统消息(SIBX)中广播支持具备第一完整性保护算法的能力指示,同时支持第一完整性保护算法的网络设备也必须支持第二完整性保护算法(如老MAC-I算法)。A possible implementation method: For broadcasting, network devices that support the first integrity protection algorithm need to broadcast the ability indication of supporting the first integrity protection algorithm in the system message (SIBX), and at the same time support the first integrity protection algorithm The network equipment must also support the second integrity protection algorithm (such as the old MAC-I algorithm).
一种可能的实现方式:针对广播,不支持第一完整性保护算法的网络设备,需要在系统消息(SIBX)中广播不支持第一完整性保护算法的能力指示,此时仅支持老MAC-I算法,如本文中所提到的第二完整性保护算法。A possible implementation method: For broadcasting, network devices that do not support the first integrity protection algorithm need to broadcast a capability indication that does not support the first integrity protection algorithm in the system message (SIBX). At this time, only the old MAC- I algorithm, such as the second integrity protection algorithm mentioned herein.
一种可能的实现方式:针对广播,是否支持第一完整性保护算法的广播参数为area specific(区域级的参数),当区域内的网络设备都具备相同算法能力时,该区域内的网络设备方可在系统消息(SIBX)中广播是否支持第一完整性保护算法的能力指示。A possible implementation method: for broadcasting, the broadcast parameter of whether to support the first integrity protection algorithm is area specific (area-level parameter). When the network devices in the area have the same algorithm capability, the network devices in the area The party may broadcast a capability indication of whether to support the first integrity protection algorithm in a system message (SIBX).
一种可能的实现方式:针对RRCRelease(RRC释放)消息,支持第一完整性保护算法的网络设备,当连接态的UE释放到INACTIVE态时,通过RRCRelease消息中携带支持第一完整性保护算法的能力指示以通知UE可使用该第一完整性保护算法进行RRC连接恢复。A possible implementation method: For the RRCRelease (RRC Release) message, the network device that supports the first integrity protection algorithm, when the UE in the connected state is released to the INACTIVE state, carries the information that supports the first integrity protection algorithm in the RRCRelease message. The capability indication is used to inform the UE that the first integrity protection algorithm can be used for RRC connection recovery.
一种可能的实现方式:针对RRCRelease消息,不支持第一完整性保护算法的网络设备,当连接态的UE释放到INACTIVE态时,通过RRCRelease消息中携带不支持第一完整性保护算法的能力指示以通知UE使用老算法(如本文中所提到的第二完整性保护算法)进行RRC连接恢复。A possible implementation method: For the RRCRelease message, a network device that does not support the first integrity protection algorithm, when the UE in the connected state is released to the INACTIVE state, the RRCRelease message carries a capability indication that does not support the first integrity protection algorithm In order to notify the UE to use the old algorithm (such as the second integrity protection algorithm mentioned in this document) to perform RRC connection recovery.
一种可能的实现方式:针对任何方式,不支持第一完整性保护算法的网络设备,不会进行任何支持第一完整性保护算法的能力指示。A possible implementation manner: For any manner, a network device that does not support the first integrity protection algorithm will not perform any capability indication of supporting the first integrity protection algorithm.
由此,可通过终端设备与网络设备预先进行能力协商,以便在终端设备发起RRC连接恢复请求时,终端设备可基于与网络设备的协商结果,采用终端设备与网络设备均能够支持的完整性保护算法对RRC连接恢复请求进行完整性保护验证,使得消息完整性验证码resumeMAC-I这个校验信息能够正确匹配,解决了完整性保护算法不兼容的问题,从而可以实现对RRC连接恢复请求消息的安全性的增强。Therefore, the capability negotiation between the terminal device and the network device can be performed in advance, so that when the terminal device initiates an RRC connection recovery request, the terminal device can adopt the integrity protection that both the terminal device and the network device can support based on the negotiation result with the network device The algorithm performs integrity protection verification on the RRC connection recovery request, so that the verification information of the message integrity verification code resumeMAC-I can be correctly matched, and the problem of incompatibility of the integrity protection algorithm is solved, so that the RRC connection recovery request message can be realized. Security enhancements.
在本申请一些实施例中,对于终端驻留在网络设备所在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于终端设备在非锚点小区发生RRC连接恢复,网络设备可接收非锚点小区内的新网络设备发送的提取终端设备上下文请求消息;其中,提取终端设备上下文请求消息包括第一完整性保护算法所需的输入参数;采用第一完整性保护算法及其所需的输入参数,对RRC连接恢复进行完整性保护验证。In some embodiments of the present application, when the terminal resides in the anchor cell where the network device is located, the message integrity verification code calculated by the first integrity protection algorithm is used, and when cell reselection occurs in the inactive state , in response to the RRC connection recovery of the terminal device in the non-anchor cell, the network device may receive an extract terminal device context request message sent by a new network device in the non-anchor cell; wherein the extract terminal device context request message includes the first integrity The input parameters required by the protection algorithm; using the first integrity protection algorithm and the input parameters required to perform integrity protection verification on RRC connection recovery.
可选地,假设终端设备处于非激活INACTIVE态,且该终端设备发生了小区重选,在非锚点小区(即非上次连接态的服务小区)发生RRC连接恢复,则此时该终端设备可维持原有的算法能力不变,并且该非锚点小区中的新网络设备需要发送新的提取终端设备上下文请求消息通知旧网络设备进行ResumeMAC-I的校验。例如,对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,锚点小区广播支持该第一完整性保护算法,假设终端设备在非锚点小区发生RRC连接恢复,则终端设备可采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码,并根据计算得到的消息完整性验证码对RRC连接恢复进行完整性保护验证。又如,对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,锚点小区广播不支持该第一完整性保护算法,虽然该锚点小区不支持第一完整性保护算法,但是通过锚点小区的服务网络设备进行ResumeMAC-I的校验,而锚点小区的服务网络设备是支持第一完整性保护算法的,所以终端设备可采用第一完整性保护算法对RRC连接恢复进行完整性保护验证。 Optionally, assuming that the terminal equipment is in the inactive INACTIVE state, and the terminal equipment undergoes cell reselection, and RRC connection recovery occurs in a non-anchor cell (that is, a serving cell that is not in the last connection state), then the terminal equipment at this time The original algorithm capability can be kept unchanged, and the new network device in the non-anchor cell needs to send a new request message to extract the terminal device context to notify the old network device to perform ResumeMAC-I verification. For example, for the message integrity verification code calculated by using the first integrity protection algorithm when the terminal camps on the anchor cell, and when cell reselection occurs in the inactive state, the anchor cell broadcasts support for the first Integrity protection algorithm, assuming that the terminal device recovers the RRC connection in a non-anchor cell, the terminal device can adopt the first integrity protection algorithm, according to the key RRCint , bearer ID, data transmission direction, count COUNT value, The ID of the target cell, the ID of the source cell, the temporary identifier C-RNTI and the added variable, calculate the message integrity verification code, and perform integrity protection verification on the RRC connection recovery according to the calculated message integrity verification code. For another example, when the terminal is camped on the anchor cell, the message integrity verification code calculated by using the first integrity protection algorithm, and in the case of cell reselection in the inactive state, the anchor cell broadcast does not support the message integrity verification code. The first integrity protection algorithm, although the anchor cell does not support the first integrity protection algorithm, the ResumeMAC-I check is performed by the serving network device of the anchor cell, and the serving network device of the anchor cell supports the first Integrity protection algorithm, so the terminal device can use the first integrity protection algorithm to perform integrity protection verification on RRC connection recovery.
可选地,对于网络设备侧,网络设备需要提取终端设备上下文请求消息中增加内容,该增加的内容可包括第一完整性保护算法所需的输入参数。假设处于INACTIVE态的UE在其他小区进行RRC连接恢复,需要新网络设备向原网络设备发送上下文请求,以获得UE的上下文。其中,原网络设备需要进行ResumeMAC-I校验,才能响应该上下文回复,由于引入了新的MAC-I算法,所以需要扩充Retrieve UE context request(提取终端设备上下文请求消息)中的字段,保证可提供新老算法的输入参数给老网络设备使用,老网络设备照该UE的能力进行合适的算法选择。Optionally, for the network device side, the network device needs to extract the added content in the terminal device context request message, and the added content may include input parameters required by the first integrity protection algorithm. Assuming that the UE in the INACTIVE state restores the RRC connection in another cell, the new network device needs to send a context request to the original network device to obtain the context of the UE. Among them, the original network device needs to perform ResumeMAC-I verification before responding to the context reply. Since the new MAC-I algorithm is introduced, it is necessary to expand the fields in the Retrieve UE context request (extracting the terminal device context request message) to ensure that it can The input parameters of the new and old algorithms are provided for the old network equipment to use, and the old network equipment selects an appropriate algorithm according to the capabilities of the UE.
上述本申请提供的实施例中,分别从终端设备、网络设备的角度对本申请实施例提供的方法进行了介绍。为了实现上述本申请实施例提供的方法中的各功能,网络设备和终端设备可以包括硬件结构、软件模块,以硬件结构、软件模块、或硬件结构加软件模块的形式来实现上述各功能。上述各功能中的某个功能可以以硬件结构、软件模块、或者硬件结构加软件模块的方式来执行。In the above-mentioned embodiments provided in the present application, the methods provided in the embodiments of the present application are introduced from the perspectives of the terminal device and the network device respectively. In order to realize the various functions in the method provided by the above embodiments of the present application, the network device and the terminal device may include a hardware structure and a software module, and realize the above functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. A certain function among the above-mentioned functions may be implemented in the form of a hardware structure, a software module, or a hardware structure plus a software module.
请参见图10,为本申请实施例提供的一种通信装置1000的结构示意图。图10所示的通信装置1000可以包括确定模块1001、选择模块1002、处理模块1003。可选地,通信装置1000还可包括收发模块1004。其中,收发模块1004可包括发送模块和/或接收模块,发送模块用于实现发送功能,接收模块用于实现接收功能,收发模块1004可以实现发送功能和/或接收功能。Please refer to FIG. 10 , which is a schematic structural diagram of a communication device 1000 provided in an embodiment of the present application. The communication device 1000 shown in FIG. 10 may include a determination module 1001 , a selection module 1002 , and a processing module 1003 . Optionally, the communication device 1000 may further include a transceiver module 1004 . Wherein, the transceiver module 1004 may include a sending module and/or a receiving module, the sending module is used to realize the sending function, the receiving module is used to realize the receiving function, and the sending and receiving module 1004 can realize the sending function and/or the receiving function.
通信装置1000可以是网络设备,也可以是网络设备中的装置,还可以是能够与网络设备匹配使用的装置。或者,通信装置1000可以是终端设备,也可以是终端设备中的装置,还可以是能够与终端设备匹配使用的装置。The communication device 1000 may be a network device, or a device in the network device, or a device that can be matched with the network device. Alternatively, the communication device 1000 may be a terminal device, may also be a device in a terminal device, and may also be a device that can be matched and used with the terminal device.
通信装置1000为终端设备:在本申请实施例中,确定模块1001用于确定网络设备所支持具备的算法能力;选择模块1002用于根据网络设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法;处理模块1003用于根据目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。The communication device 1000 is a terminal device: in the embodiment of this application, the determination module 1001 is used to determine the algorithm capability supported by the network device; the selection module 1002 is used to select the corresponding algorithm capability according to the algorithm capability supported by the network device. Target integrity protection algorithm; the processing module 1003 is configured to perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used for calculating the message integrity verification code.
在一种实现方式中,输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 In one implementation, the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increasing variables.
在一种实现方式中,确定模块1001用于根据网络设备发送的能力指示信息,确定网络设备所支持具备的算法能力。In an implementation manner, the determining module 1001 is configured to determine the algorithm capability supported by the network device according to the capability indication information sent by the network device.
在一种实现方式中,确定模块1001具体用于:判断是否接收到网络设备发送的第一计算能力指示信息;第一计算能力指示信息用于通知终端设备,网络设备是否支持第一完整性保护算法;其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量;响应于接收到网络设备发送的第一计算能力指示信息,根据第一计算能力指示信息,确定网络设备所支持具备的算法能力。 In one implementation, the determination module 1001 is specifically configured to: determine whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection Algorithm; wherein, the input parameters of the first integrity protection algorithm include key Key RRCint , bearer identification bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add a variable; in response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
在一种可能的实现方式中,确定模块1001还用于:响应于未接收到网络设备发送的第一计算能力指示信息,确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。In a possible implementation, the determining module 1001 is further configured to: in response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm .
在一种可能的实现方式中,第一计算能力指示信息用于通知终端设备,网络设备支持第一完整性保护算法;确定模块1001具体用于:确定网络设备所支持具备的算法能力为支持第一完整性保护算法。In a possible implementation manner, the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the network device is to support the first integrity protection algorithm An integrity protection algorithm.
在一种可能的实现方式中,终端设备支持第一完整性保护算法;选择模块1002具体用于:根据网络设备所支持具备的算法能力,选择与算法能力对应的第一完整性保护算法。In a possible implementation manner, the terminal device supports the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device.
在一种可能的实现方式中,处理模块1003具体用于:采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In a possible implementation manner, the processing module 1003 is specifically configured to: adopt the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source The cell identification ID, the temporary identifier C-RNTI and the added variable calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可能的实现方式中,终端设备不支持第一完整性保护算法;选择模块1002具体用于:选择第二完整性保护算法作为目标完整性保护算法;其中,第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 In a possible implementation manner, the terminal device does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the second integrity protection algorithm The input parameters include key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
在一种可能的实现方式中,处理模块1003具体用于:采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In a possible implementation, the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source The cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可能的实现方式中,第一计算能力指示信息用于通知终端设备,网络设备不支持第一完整性保护算法;确定模块1001具体用于:确定网络设备所支持具备的算法能力为不支持第一完整性保护算法。In a possible implementation manner, the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the network device is not Supports the first integrity protection algorithm.
在一种可能的实现方式中,终端设备支持第一完整性保护算法或不支持第一完整性保护算法;选择模块1002具体用于:根据网络设备所支持具备的算法能力,选择与算法能力对应的第二完整性保护算法。In a possible implementation manner, the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select an algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device. The second integrity protection algorithm of .
在一种可能的实现方式中,处理模块1003具体用于:采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In a possible implementation, the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source The cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种可能的实现方式中,增加变量至少包括以下A)至F)中的任意一项:In a possible implementation, increasing variables at least includes any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
在一种实现方式中,收发模块1004用于根据终端设备所支持具备的算法能力,向网络设备发送第二计算能力指示信息,其中,第二计算能力指示信息用于通知网络设备,终端设备是否支持第一完整性保护算法。In one implementation, the transceiver module 1004 is configured to send the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device, wherein the second computing capability indication information is used to notify the network device whether the terminal device Supports the first integrity protection algorithm.
在一种可能的实现方式中,收发模块1004具体用于:响应于终端设备所支持具备的算法能力为支持第一完整性保护算法,向网络设备发送支持第一完整性保护算法的能力指示信息。In a possible implementation, the transceiver module 1004 is specifically configured to: in response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, send capability indication information supporting the first integrity protection algorithm to the network device .
在一种可能的实现方式中,收发模块1004具体用于:响应于终端设备所支持具备的算法能力为不支持第一完整性保护算法,向网络设备发送不支持第一完整性保护算法的能力指示信息。In a possible implementation manner, the transceiver module 1004 is specifically configured to: in response to the fact that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm, send the capability of not supporting the first integrity protection algorithm to the network device Instructions.
在一种可能的实现方式中,收发模块1004具体用于:响应于终端设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持第一完整性保护算法的能力指示信息。In a possible implementation, the transceiver module 1004 is specifically configured to: respond to the fact that the algorithm capability supported by the terminal device does not support the first integrity protection algorithm, not sending a capability indication on whether to support the first integrity protection algorithm information.
在一种可能的实现方式中,收发模块1004向网络设备发送能力指示信息的方式至少包括以下任意一种:In a possible implementation manner, the manner in which the transceiver module 1004 sends the capability indication information to the network device includes at least any one of the following:
通过安全模式完成消息发送;通过终端设备UE能力信息消息发送;通过UE辅助信息发送;通过初始接入消息5Msg5发送;通过初始接入消息3Msg3发送;通过初始接入消息1Msg1发送。The message is sent through the security mode; through the terminal equipment UE capability information message; through the UE auxiliary information; through the initial access message 5Msg5; through the initial access message 3Msg3; through the initial access message 1Msg1.
在一种可能的实现方式中,处理模块1003还用于:对于终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于在非锚点小区发生RRC连接恢复,采用第一完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复进行完整性保护验证。In a possible implementation, the processing module 1003 is further configured to: use the message integrity verification code calculated by the first integrity protection algorithm when the terminal camps on the anchor cell, and the cell In the case of reselection, in response to the RRC connection recovery occurring in the non-anchor cell, the first integrity protection algorithm and the input parameters for calculating the message integrity verification code are used to perform integrity protection verification on the RRC connection recovery.
通信装置1000为网络设备,在本申请实施例中,确定模块1001用于响应于接收到终端设备发送的RRC连接恢复请求消息,确定终端设备所支持具备的算法能力;选择模块1002用于根据终端设备所支持具备的算法能力,选择与算法能力对应的目标完整性保护算法;处理模块1003用于根据目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。The communication device 1000 is a network device. In the embodiment of this application, the determination module 1001 is used to determine the algorithm capability supported by the terminal device in response to receiving the RRC connection recovery request message sent by the terminal device; According to the algorithm capability supported by the device, select the target integrity protection algorithm corresponding to the algorithm capability; the processing module 1003 is used to process the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code Perform integrity protection verification.
在一种实现方式中,输入参数至少包括以下一项或多项:密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 In one implementation, the input parameters include at least one or more of the following: Key RRCint , bearer ID, data transmission direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increasing variables.
在一种实现方式中,确定模块1001用于根据终端设备发送的能力指示信息,确定终端设备所支持具备的算法能力。In an implementation manner, the determining module 1001 is configured to determine the algorithm capability supported by the terminal device according to the capability indication information sent by the terminal device.
在一种实现方式中,确定模块1001具体用于:判断是否接收到终端设备发送的第二计算能力指示信息;第二计算能力指示信息用于通知网络设备,终端设备是否支持第一完整性保护算法;其中,第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量;响应于接收到终端设备发送的第二计算能力指示信息,根据第二计算能力指示信息,确定终端设备所支持具备的算法能力。 In one implementation, the determination module 1001 is specifically configured to: determine whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection Algorithm; wherein, the input parameters of the first integrity protection algorithm include key Key RRCint , bearer identification bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and Add a variable; in response to receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
在一种可能的实现方式中,确定模块1001还用于:响应于未接收到终端设备发送的第二计算能力指示信息,确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。In a possible implementation, the determining module 1001 is further configured to: in response to not receiving the second computing capability indication information sent by the terminal device, determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm .
在一种可能的实现方式中,第二计算能力指示信息用于通知网络设备,终端设备支持第一完整性保护算法;确定模块1001具体用于:确定终端设备所支持具备的算法能力为支持第一完整性保护算法。In a possible implementation manner, the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm An integrity protection algorithm.
可选地,网络设备支持第一完整性保护算法;选择模块1002具体用于:根据终端设备所支持具备 的算法能力,选择与算法能力对应的第一完整性保护算法。Optionally, the network device supports the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the first integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device.
可选地,处理模块1003具体用于:采用第一完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Optionally, the processing module 1003 is specifically configured to: adopt the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary The identifier C-RNTI and variable are added, and the message integrity verification code is calculated; the integrity protection verification of the RRC connection recovery request message is performed according to the calculated message integrity verification code.
在一种可能的实现方式中,网络设备不支持第一完整性保护算法;选择模块1002具体用于:选择第二完整性保护算法作为目标完整性保护算法;其中,第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 In a possible implementation manner, the network device does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the second integrity protection algorithm The input parameters include key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID and temporary identifier C-RNTI.
可选地,处理模块1003具体用于:采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 Optionally, the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, and temporary The identifier C-RNTI calculates a message integrity verification code; and performs integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种实现方式中,第二计算能力指示信息用于通知网络设备,终端设备不支持第一完整性保护算法;确定模块1001具体用于:确定终端设备所支持具备的算法能力为不支持第一完整性保护算法。In one implementation, the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm; the determining module 1001 is specifically configured to: determine that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm An integrity protection algorithm.
在一种可能的实现方式中,网络设备支持第一完整性保护算法或不支持第一完整性保护算法;选择模块1002具体用于:根据终端设备所支持具备的算法能力,选择与算法能力对应的第二完整性保护算法。In a possible implementation, the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module 1002 is specifically configured to: select the algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device. The second integrity protection algorithm of .
在一种可能的实现方式中,处理模块1003具体用于:采用第二完整性保护算法,根据密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码;根据计算得到的消息完整性验证码对RRC连接恢复请求消息进行完整性保护验证。 In a possible implementation, the processing module 1003 is specifically configured to: adopt the second integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source The cell identification ID and the temporary identifier C-RNTI calculate the message integrity verification code; perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
在一种实现方式中,增加变量至少包括以下A)至F)中的任意一项:In one implementation, increasing variables at least includes any one of the following A) to F):
A)RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;B)RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;C)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;D)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;E)RRC连接恢复请求消息,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;F)RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。A) The resumeIdentity, resumeCause, and spare fields in the RRC connection resume request message; B) The arrangement and combination of resumeIdentity, resumeCause, and spare spare fields in the RRC connection resume request message; C) RRC connection resume request message, wherein, the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as an increased variable is set to a special bit; D) the RRC connection recovery request message and the field used to indicate the RRC connection recovery request Bits; E) RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as an added variable; F) RRC connection recovery request message and used for Indicates the bit of the RRC connection resume request, where the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection resume request message as an added variable.
在一种实现方式中,收发模块1004用于根据网络设备所支持具备的算法能力,向终端设备发送第一计算能力指示信息,其中,第一计算能力指示信息用于通知终端设备,网络设备是否支持第一完整性保护算法。In one implementation, the transceiver module 1004 is configured to send the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device, wherein the first computing capability indication information is used to notify the terminal device whether the network device Supports the first integrity protection algorithm.
在一种可能的实现方式中,收发模块1004具体用于:响应于网络设备所支持具备的算法能力为支持第一完整性保护算法,向终端设备发送支持第一完整性保护算法的能力指示信息。In a possible implementation manner, the transceiver module 1004 is specifically configured to: send capability indication information supporting the first integrity protection algorithm to the terminal device in response to the algorithm capability supported by the network device supporting the first integrity protection algorithm .
在一种可能的实现方式中,收发模块1004具体用于:响应于网络设备所支持具备的算法能力为不支持第一完整性保护算法,向终端设备发送不支持第一完整性保护算法的能力指示信息。In a possible implementation, the transceiver module 1004 is specifically configured to: in response to the fact that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm, send the capability of not supporting the first integrity protection algorithm to the terminal device Instructions.
在一种可能的实现方式中,收发模块1004具体用于:响应于网络设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持第一完整性保护算法的能力指示信息。In a possible implementation, the transceiver module 1004 is specifically configured to: respond to the fact that the algorithm capability supported by the network device does not support the first integrity protection algorithm, not sending a capability indication on whether to support the first integrity protection algorithm information.
在一种可能的实现方式中,收发模块1004向终端发送能力指示信息的方式至少包括以下任意一种:通过RRC释放消息发送;通过系统消息广播。In a possible implementation manner, the manner of sending the capability indication information to the terminal by the transceiver module 1004 includes at least any one of the following: sending through an RRC release message; broadcasting through a system message.
在一种可能的实现方式中,收发模块1004还用于对于终端驻留在网络设备所在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于终端设备在非锚点小区发生RRC连接恢复,接收非锚点小区内的新网络设备发送的提取终端设备上下文请求消息;其中,提取终端设备上下文请求消息包括第一完整性保护算法所需的输入参数;处理模块1003还用于采用第一完整性保护算法及其所需的输入参数,对RRC连接恢复进行完整性保护验证。In a possible implementation, the transceiver module 1004 is also configured to use the message integrity verification code calculated by the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and the verification code is generated when the terminal is in an inactive state. In the case of cell reselection, in response to the RRC connection recovery of the terminal device in the non-anchor cell, the terminal device context extraction request message sent by the new network device in the non-anchor cell is received; wherein, the extraction terminal device context request message includes Input parameters required by the first integrity protection algorithm; the processing module 1003 is also configured to perform integrity protection verification on RRC connection recovery by using the first integrity protection algorithm and its required input parameters.
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。Regarding the apparatus in the foregoing embodiments, the specific manner in which each module executes operations has been described in detail in the embodiments related to the method, and will not be described in detail here.
请参见图11,图11是本申请实施例提供的另一种通信装置1100的结构示意图。通信装置1100可以是网络设备,也可以是终端设备,也可以是支持网络设备实现上述方法的芯片、芯片系统、或处理器等,还可以是支持终端设备实现上述方法的芯片、芯片系统、或处理器等。该装置可用于实现上述方法 实施例中描述的方法,具体可以参见上述方法实施例中的说明。Please refer to FIG. 11 , which is a schematic structural diagram of another communication device 1100 provided in an embodiment of the present application. The communication device 1100 may be a network device, or a terminal device, or a chip, a chip system, or a processor that supports the network device to implement the above method, or a chip, a chip system, or a chip that supports the terminal device to implement the above method. processor etc. The device can be used to implement the methods described in the above method embodiments, and for details, refer to the descriptions in the above method embodiments.
通信装置1100可以包括一个或多个处理器1101。处理器1101可以是通用处理器或者专用处理器等。例如可以是基带处理器或中央处理器。基带处理器可以用于对通信协议以及通信数据进行处理,中央处理器可以用于对通信装置(如,基站、基带芯片,终端设备、终端设备芯片,DU或CU等)进行控制,执行计算机程序,处理计算机程序的数据。The communication device 1100 may include one or more processors 1101 . The processor 1101 may be a general-purpose processor or a special-purpose processor. For example, it can be a baseband processor or a central processing unit. The baseband processor can be used to process communication protocols and communication data, and the central processing unit can be used to control communication devices (such as base stations, baseband chips, terminal equipment, terminal equipment chips, DU or CU, etc.) and execute computer programs , to process data for computer programs.
可选的,通信装置1100中还可以包括一个或多个存储器1102,其上可以存有计算机程序1104,处理器1101执行所述计算机程序1104,以使得通信装置1100执行上述方法实施例中描述的方法。可选的,所述存储器1102中还可以存储有数据。通信装置1100和存储器1102可以单独设置,也可以集成在一起。Optionally, the communication device 1100 may further include one or more memories 1102, on which a computer program 1104 may be stored, and the processor 1101 executes the computer program 1104, so that the communication device 1100 executes the method described in the foregoing method embodiments. method. Optionally, data may also be stored in the memory 1102 . The communication device 1100 and the memory 1102 can be set separately or integrated together.
可选的,通信装置1100还可以包括收发器1105、天线1106。收发器1105可以称为收发单元、收发机、或收发电路等,用于实现收发功能。收发器1105可以包括接收器和发送器,接收器可以称为接收机或接收电路等,用于实现接收功能;发送器可以称为发送机或发送电路等,用于实现发送功能。Optionally, the communication device 1100 may further include a transceiver 1105 and an antenna 1106 . The transceiver 1105 may be called a transceiver unit, a transceiver, or a transceiver circuit, etc., and is used to implement a transceiver function. The transceiver 1105 may include a receiver and a transmitter, and the receiver may be called a receiver or a receiving circuit, etc., for realizing a receiving function; the transmitter may be called a transmitter, or a sending circuit, for realizing a sending function.
可选的,通信装置1100中还可以包括一个或多个接口电路1107。接口电路1107用于接收代码指令并传输至处理器1101。处理器1101运行所述代码指令以使通信装置1100执行上述方法实施例中描述的方法。Optionally, the communication device 1100 may further include one or more interface circuits 1107 . The interface circuit 1107 is used to receive code instructions and transmit them to the processor 1101 . The processor 1101 executes the code instructions to enable the communication device 1100 to execute the methods described in the foregoing method embodiments.
通信装置1100为终端设备:处理器1101运行所述代码指令以使通信装置1100执行上述图2至图5所示实施例中描述的方法。The communication device 1100 is a terminal device: the processor 1101 runs the code instructions to enable the communication device 1100 to execute the methods described in the embodiments shown in FIGS. 2 to 5 above.
通信装置1100为网络设备:处理器1101运行所述代码指令以使通信装置1100执行上述图6至图9所示实施例中描述的方法。The communication device 1100 is a network device: the processor 1101 runs the code instructions to enable the communication device 1100 to execute the methods described in the embodiments shown in FIGS. 6 to 9 above.
在一种实现方式中,处理器1101中可以包括用于实现接收和发送功能的收发器。例如该收发器可以是收发电路,或者是接口,或者是接口电路。用于实现接收和发送功能的收发电路、接口或接口电路可以是分开的,也可以集成在一起。上述收发电路、接口或接口电路可以用于代码/数据的读写,或者,上述收发电路、接口或接口电路可以用于信号的传输或传递。In an implementation manner, the processor 1101 may include a transceiver for implementing receiving and sending functions. For example, the transceiver may be a transceiver circuit, or an interface, or an interface circuit. The transceiver circuits, interfaces or interface circuits for realizing the functions of receiving and sending can be separated or integrated together. The above-mentioned transceiver circuit, interface or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface or interface circuit may be used for signal transmission or transfer.
在一种实现方式中,处理器1101可以存有计算机程序1103,计算机程序1103在处理器1101上运行,可使得通信装置1100执行上述方法实施例中描述的方法。计算机程序1103可能固化在处理器1101中,该种情况下,处理器1101可能由硬件实现。In an implementation manner, the processor 1101 may store a computer program 1103 , and the computer program 1103 runs on the processor 1101 to enable the communication device 1100 to execute the methods described in the foregoing method embodiments. The computer program 1103 may be solidified in the processor 1101, and in this case, the processor 1101 may be implemented by hardware.
在一种实现方式中,通信装置1100可以包括电路,所述电路可以实现前述方法实施例中发送或接收或者通信的功能。本申请中描述的处理器和收发器可实现在集成电路(integrated circuit,IC)、模拟IC、射频集成电路RFIC、混合信号IC、专用集成电路(application specific integrated circuit,ASIC)、印刷电路板(printed circuit board,PCB)、电子设备等上。该处理器和收发器也可以用各种IC工艺技术来制造,例如互补金属氧化物半导体(complementary metal oxide semiconductor,CMOS)、N型金属氧化物半导体(nMetal-oxide-semiconductor,NMOS)、P型金属氧化物半导体(positive channel metal oxide semiconductor,PMOS)、双极结型晶体管(bipolar junction transistor,BJT)、双极CMOS(BiCMOS)、硅锗(SiGe)、砷化镓(GaAs)等。In an implementation manner, the communication device 1100 may include a circuit, and the circuit may implement the function of sending or receiving or communicating in the foregoing method embodiments. The processors and transceivers described in this application can be implemented in integrated circuits (integrated circuits, ICs), analog ICs, radio frequency integrated circuits (RFICs), mixed-signal ICs, application specific integrated circuits (ASICs), printed circuit boards ( printed circuit board, PCB), electronic equipment, etc. The processor and transceiver can also be fabricated using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), nMetal-oxide-semiconductor (NMOS), P-type Metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
以上实施例描述中的通信装置可以是网络设备或者终端设备(如前述方法实施例中的第一终端设备),但本申请中描述的通信装置的范围并不限于此,而且通信装置的结构可以不受图11的限制。通信装置可以是独立的设备或者可以是较大设备的一部分。例如所述通信装置可以是:The communication device described in the above embodiments may be a network device or a terminal device (such as the first terminal device in the foregoing method embodiments), but the scope of the communication device described in this application is not limited thereto, and the structure of the communication device can be Not limited by Figure 11. A communication device may be a stand-alone device or may be part of a larger device. For example the communication device may be:
(1)独立的集成电路IC,或芯片,或,芯片系统或子系统;(1) Stand-alone integrated circuits ICs, or chips, or chip systems or subsystems;
(2)具有一个或多个IC的集合,可选的,该IC集合也可以包括用于存储数据,计算机程序的存储部件;(2) A set of one or more ICs, optionally, the set of ICs may also include storage components for storing data and computer programs;
(3)ASIC,例如调制解调器(Modem);(3) ASIC, such as modem (Modem);
(4)可嵌入在其他设备内的模块;(4) Modules that can be embedded in other devices;
(5)接收机、终端设备、智能终端设备、蜂窝电话、无线设备、手持机、移动单元、车载设备、网络设备、云设备、人工智能设备等等;(5) Receivers, terminal equipment, intelligent terminal equipment, cellular phones, wireless equipment, handsets, mobile units, vehicle equipment, network equipment, cloud equipment, artificial intelligence equipment, etc.;
(6)其他等等。(6) Others and so on.
本领域技术人员还可以了解到本申请实施例列出的各种说明性逻辑块(illustrative logical block)和步骤(step)可以通过电子硬件、电脑软件,或两者的结合进行实现。这样的功能是通过硬件还是软件来实现取决于特定的应用和整个系统的设计要求。本领域技术人员可以对于每种特定的应用,可以使用各种方法实现所述的功能,但这种实现不应被理解为超出本申请实施例保护的范围。Those skilled in the art can also understand that various illustrative logical blocks and steps listed in the embodiments of the present application can be implemented by electronic hardware, computer software, or a combination of both. Whether such functions are implemented by hardware or software depends on the specific application and overall system design requirements. Those skilled in the art may use various methods to implement the described functions for each specific application, but such implementation should not be understood as exceeding the protection scope of the embodiments of the present application.
本申请实施例还提供一种确定侧链路时长的系统,该系统包括前述图10实施例中作为终端设备的通信装置和作为网络设备的通信装置,或者,该系统包括前述图11实施例中作为终端设备的通信装置和作为网络设备的通信装置。The embodiment of the present application also provides a system for determining the duration of the side link. The system includes the communication device as the terminal device and the communication device as the network device in the aforementioned embodiment in FIG. A communication device as a terminal device and a communication device as a network device.
本申请还提供一种可读存储介质,其上存储有指令,该指令被计算机执行时实现上述任一方法实施例的功能。The present application also provides a readable storage medium on which instructions are stored, and when the instructions are executed by a computer, the functions of any one of the above method embodiments are realized.
本申请还提供一种计算机程序产品,该计算机程序产品被计算机执行时实现上述任一方法实施例的功能。The present application also provides a computer program product, which implements the functions of any one of the above method embodiments when executed by a computer.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机程序。在计算机上加载和执行所述计算机程序时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机程序可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机程序可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如,软盘、硬盘、磁带)、光介质(例如,高密度数字视频光盘(digital video disc,DVD))、或者半导体介质(例如,固态硬盘(solid state disk,SSD))等。In the above embodiments, all or part of them may be implemented by software, hardware, firmware or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer programs. When the computer program is loaded and executed on the computer, all or part of the processes or functions according to the embodiments of the present application will be generated. The computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices. The computer program can be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer program can be downloaded from a website, computer, server or data center Transmission to another website site, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disk, SSD)) etc.
本领域普通技术人员可以理解:本申请中涉及的第一、第二等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。Those of ordinary skill in the art can understand that: the first, second and other numbers involved in this application are only for convenience of description, and are not used to limit the scope of the embodiments of this application, and also indicate the sequence.
本申请中的至少一个还可以描述为一个或多个,多个可以是两个、三个、四个或者更多个,本申请不做限制。在本申请实施例中,对于一种技术特征,通过“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”等区分该种技术特征中的技术特征,该“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”描述的技术特征间无先后顺序或者大小顺序。At least one in this application can also be described as one or more, and multiple can be two, three, four or more, and this application does not make a limitation. In this embodiment of the application, for a technical feature, the technical feature is distinguished by "first", "second", "third", "A", "B", "C" and "D", etc. The technical features described in the "first", "second", "third", "A", "B", "C" and "D" have no sequence or order of magnitude among the technical features described.
本申请中各表所示的对应关系可以被配置,也可以是预定义的。各表中的信息的取值仅仅是举例,可以配置为其他值,本申请并不限定。在配置信息与各参数的对应关系时,并不一定要求必须配置各表中示意出的所有对应关系。例如,本申请中的表格中,某些行示出的对应关系也可以不配置。又例如,可以基于上述表格做适当的变形调整,例如,拆分,合并等等。上述各表中标题示出参数的名称也可以采用通信装置可理解的其他名称,其参数的取值或表示方式也可以通信装置可理解的其他取值或表示方式。上述各表在实现时,也可以采用其他的数据结构,例如可以采用数组、队列、容器、栈、线性表、指针、链表、树、图、结构体、类、堆、散列表或哈希表等。The corresponding relationships shown in the tables in this application can be configured or predefined. The values of the information in each table are just examples, and may be configured as other values, which are not limited in this application. When configuring the corresponding relationship between the information and each parameter, it is not necessarily required to configure all the corresponding relationships shown in the tables. For example, in the table in this application, the corresponding relationship shown in some rows may not be configured. For another example, appropriate deformation adjustments can be made based on the above table, for example, splitting, merging, and so on. The names of the parameters shown in the titles of the above tables may also adopt other names understandable by the communication device, and the values or representations of the parameters may also be other values or representations understandable by the communication device. When the above tables are implemented, other data structures can also be used, for example, arrays, queues, containers, stacks, linear tables, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables or hash tables can be used wait.
本申请中的预定义可以理解为定义、预先定义、存储、预存储、预协商、预配置、固化、或预烧制。Predefined in this application can be understood as defining, predefining, storing, prestoring, prenegotiating, preconfiguring, curing, or prefiring.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those skilled in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the application, but the scope of protection of the application is not limited thereto. Anyone familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the application. Should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.

Claims (84)

  1. 一种无线资源控制RRC连接恢复的安全增强方法,其特征在于,所述方法应用于终端设备,所述方法包括:A security enhancement method for radio resource control RRC connection recovery, characterized in that the method is applied to a terminal device, and the method includes:
    确定网络设备所支持具备的算法能力;Determine the algorithm capabilities supported by network equipment;
    根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;Selecting a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device;
    根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters used for calculating message integrity verification codes.
  2. 根据权利要求1所述的方法,其特征在于,所述输入参数至少包括以下一项或多项:The method according to claim 1, wherein the input parameters include at least one or more of the following:
    密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI, and added variables.
  3. 根据权利要求1或2所述的方法,其特征在于,所述确定网络设备所支持具备的算法能力,包括:The method according to claim 1 or 2, wherein said determining the algorithm capabilities supported by the network equipment includes:
    根据所述网络设备发送的能力指示信息,确定所述网络设备所支持具备的算法能力。According to the capability indication information sent by the network device, determine the algorithm capability supported by the network device.
  4. 根据权利要求2所述的方法,其特征在于,所述确定网络设备所支持具备的算法能力,包括:The method according to claim 2, wherein said determining the algorithm capability supported by the network device comprises:
    判断是否接收到所述网络设备发送的第一计算能力指示信息;所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量; Judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable;
    响应于接收到所述网络设备发送的第一计算能力指示信息,根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力。In response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
  5. 根据权利要求4所述的方法,其特征在于,所述确定网络设备所支持具备的算法能力,还包括:The method according to claim 4, wherein said determining the algorithm capability supported by the network device further comprises:
    响应于未接收到所述网络设备发送的第一计算能力指示信息,确定所述网络设备所支持具备的算法能力为不支持所述第一完整性保护算法。In response to not receiving the first computing capability indication information sent by the network device, determine that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  6. 根据权利要求4所述的方法,其特征在于,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备支持第一完整性保护算法;所述根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力,包括:The method according to claim 4, wherein the first computing capability indication information is used to notify the terminal device that the network device supports a first integrity protection algorithm; Instruction information to determine the algorithm capabilities supported by the network device, including:
    确定所述网络设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is to support the first integrity protection algorithm.
  7. 根据权利要求6所述的方法,其特征在于,所述终端设备支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:The method according to claim 6, wherein the terminal device supports the first integrity protection algorithm; and according to the algorithm capability supported by the network device, the target corresponding to the algorithm capability is selected Integrity protection algorithms, including:
    根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。According to the algorithm capability supported by the network device, a first integrity protection algorithm corresponding to the algorithm capability is selected.
  8. 根据权利要求6或7所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 6 or 7, wherein, according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code, the RRC connection recovery request message is verified for integrity protection, include:
    采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码; Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable, calculate the message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  9. 根据权利要求6所述的方法,其特征在于,所述终端设备不支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:The method according to claim 6, wherein the terminal device does not support the first integrity protection algorithm; and according to the algorithm capability supported by the network device, the algorithm capability corresponding to the algorithm capability is selected. Target integrity protection algorithms, including:
    选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
  10. 根据权利要求9所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 9, wherein, according to the target integrity protection algorithm and the input parameters for calculating the message integrity verification code, performing integrity protection verification on the RRC connection recovery request message includes:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  11. 根据权利要求4所述的方法,其特征在于,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备不支持第一完整性保护算法;所述根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力,包括:The method according to claim 4, wherein the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; Capability indication information to determine the algorithm capabilities supported by the network device, including:
    确定所述网络设备所支持具备的算法能力为不支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  12. 根据权利要求11所述的方法,其特征在于,所述终端设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述根据所述网络设备所支持具备的算法能力,选择与所述算法能力对 应的目标完整性保护算法,包括:The method according to claim 11, wherein the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the algorithm supported by the network device Capability, select the target integrity protection algorithm corresponding to the algorithm capability, including:
    根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。According to the algorithm capability supported by the network device, a second integrity protection algorithm corresponding to the algorithm capability is selected.
  13. 根据权利要求12所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 12, wherein the integrity protection verification is performed on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code, include:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  14. 根据权利要求2至13中任一项所述的方法,其特征在于,所述增加变量至少包括以下A)至F)中的任意一项:The method according to any one of claims 2 to 13, wherein said increasing variable comprises at least any one of the following A) to F):
    A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) the recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
    B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) the permutation and combination of resume identification resumeIdentity, resume cause resumeCause and spare spare field in the RRC connection resume request message;
    C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit;
    D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
    E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as the added variable;
    F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein, the RRC connection recovery request message used as the added variable is deleted for indicating the message integrity verification code resumeMAC-I field.
  15. 根据权利要求1至14中任一项所述的方法,其特征在于,还包括:The method according to any one of claims 1 to 14, further comprising:
    确定所述终端设备所支持具备的算法能力;Determine the algorithm capabilities supported by the terminal device;
    根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,其中,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法。According to the algorithm capability supported by the terminal device, send second computing capability indication information to the network device, where the second computing capability indication information is used to notify the network device whether the terminal device supports the first An integrity protection algorithm.
  16. 根据权利要求15所述的方法,其特征在于,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:The method according to claim 15, wherein the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
    响应于所述终端设备所支持具备的算法能力为支持第一完整性保护算法,向所述网络设备发送支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the network device.
  17. 根据权利要求15或16所述的方法,其特征在于,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:The method according to claim 15 or 16, wherein the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
    响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,向所述网络设备发送不支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the network device.
  18. 根据权利要求15至17中任一项所述的方法,其特征在于,所述根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,包括:The method according to any one of claims 15 to 17, wherein the sending the second computing capability indication information to the network device according to the algorithm capability supported by the terminal device includes:
    响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent.
  19. 根据权利要求15所述的方法,其特征在于,向所述网络设备发送能力指示信息的方式至少包括以下任意一种:The method according to claim 15, wherein the manner of sending capability indication information to the network device includes at least any of the following:
    通过安全模式完成消息发送;Complete message sending through safe mode;
    通过终端设备UE能力信息消息发送;Sending through terminal equipment UE capability information message;
    通过UE辅助信息发送;Send through UE auxiliary information;
    通过初始接入消息5 Msg5发送;Sent through the initial access message 5 Msg5;
    通过初始接入消息3 Msg3发送;Sent through the initial access message 3 Msg3;
    通过初始接入消息1 Msg1发送。Sent via initial access message 1 Msg1.
  20. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, further comprising:
    对于所述终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于在非锚点小区发生RRC连接恢复,采用所述第一完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复进行完整性保护验证。For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell, and when cell reselection occurs in the inactive state, in response to RRC connection recovery, using the first integrity protection algorithm and input parameters for calculating message integrity verification codes, to perform integrity protection verification on the RRC connection recovery.
  21. 一种无线资源控制RRC连接恢复的安全增强方法,其特征在于,所述方法应用于网络设备,所述方法包括:A security enhancement method for radio resource control RRC connection recovery, characterized in that the method is applied to a network device, and the method includes:
    响应于接收到终端设备发送的RRC连接恢复请求消息,确定所述终端设备所支持具备的算法能力;In response to receiving the RRC connection recovery request message sent by the terminal device, determine the algorithm capability supported by the terminal device;
    根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;Selecting a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device;
    根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters used for calculating message integrity verification codes.
  22. 根据权利要求21所述的方法,其特征在于,所述输入参数至少包括以下一项或多项:The method according to claim 21, wherein the input parameters include at least one or more of the following:
    密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI, and added variables.
  23. 根据权利要求21或22所述的方法,其特征在于,所述确定所述终端设备所支持具备的算法能力,包括:The method according to claim 21 or 22, wherein the determining the algorithm capability supported by the terminal device includes:
    根据所述终端设备发送的能力指示信息,确定所述终端设备所支持具备的算法能力。According to the capability indication information sent by the terminal device, the algorithm capability supported by the terminal device is determined.
  24. 根据权利要求22所述的方法,其特征在于,所述确定所述终端设备所支持具备的算法能力,包括:The method according to claim 22, wherein the determining the algorithm capability supported by the terminal device comprises:
    判断是否接收到所述终端设备发送的第二计算能力指示信息;所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量; Judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable;
    响应于接收到所述终端设备发送的第二计算能力指示信息,根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力。In response to receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
  25. 根据权利要求24所述的方法,其特征在于,所述确定所述终端设备所支持具备的算法能力,还包括:The method according to claim 24, wherein the determining the algorithm capability supported by the terminal device further comprises:
    响应于未接收到所述终端设备发送的第二计算能力指示信息,确定所述终端设备所支持具备的算法能力为不支持第一完整性保护算法。In response to not receiving the second computing capability indication information sent by the terminal device, it is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  26. 根据权利要求24所述的方法,其特征在于,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备支持第一完整性保护算法;所述根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力,包括:The method according to claim 24, wherein the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; Instruction information to determine the algorithm capabilities supported by the terminal device, including:
    确定所述终端设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
  27. 根据权利要求26所述的方法,其特征在于,所述网络设备支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:The method according to claim 26, wherein the network device supports the first integrity protection algorithm; and according to the algorithm capability supported by the terminal device, the target corresponding to the algorithm capability is selected Integrity protection algorithms, including:
    根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。According to the algorithm capability supported by the terminal device, a first integrity protection algorithm corresponding to the algorithm capability is selected.
  28. 根据权利要求26或27所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 26 or 27, wherein the integrity protection of the RRC connection recovery request message is performed according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code Verification, including:
    采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码; Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable, calculate the message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  29. 根据权利要求26所述的方法,其特征在于,所述网络设备不支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:The method according to claim 26, wherein the network device does not support the first integrity protection algorithm; and according to the algorithm capability supported by the terminal device, the algorithm capability corresponding to the algorithm capability is selected. Target integrity protection algorithms, including:
    选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
  30. 根据权利要求29所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 29, characterized in that, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code, include:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  31. 根据权利要求24所述的方法,其特征在于,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备不支持第一完整性保护算法;所述根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力,包括:The method according to claim 24, wherein the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm; Capability indication information, which determines the algorithm capabilities supported by the terminal device, including:
    确定所述终端设备所支持具备的算法能力为不支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  32. 根据权利要求31所述的方法,其特征在于,所述网络设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法,包括:The method according to claim 31, wherein the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the algorithm supported by the terminal device Capability, select the target integrity protection algorithm corresponding to the algorithm capability, including:
    根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。According to the algorithm capability supported by the terminal device, a second integrity protection algorithm corresponding to the algorithm capability is selected.
  33. 根据权利要求32所述的方法,其特征在于,所述根据所述目标完整性保护算法和用于计算消 息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证,包括:The method according to claim 32, characterized in that, performing integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used to calculate the message integrity verification code, include:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  34. 根据权利要求22至33中任一项所述的方法,其特征在于,所述增加变量至少包括以下A)至F)中的任意一项:The method according to any one of claims 22 to 33, wherein the increased variable includes at least any one of the following A) to F):
    A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) the recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
    B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) the permutation and combination of resume identification resumeIdentity, resume cause resumeCause and spare spare field in the RRC connection resume request message;
    C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit;
    D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
    E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as the added variable;
    F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein, the RRC connection recovery request message used as the added variable is deleted for indicating the message integrity verification code resumeMAC-I field.
  35. 根据权利要求21至34中任一项所述的方法,其特征在于,还包括:The method according to any one of claims 21 to 34, further comprising:
    确定所述网络设备所支持具备的算法能力;Determine the algorithm capabilities supported by the network device;
    根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,其中,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法。According to the algorithm capability supported by the network device, send first computing capability indication information to the terminal device, where the first computing capability indication information is used to notify the terminal device whether the network device supports the first An integrity protection algorithm.
  36. 根据权利要求35所述的方法,其特征在于,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:The method according to claim 35, wherein the sending of the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes:
    响应于所述网络设备所支持具备的算法能力为支持第一完整性保护算法,向所述终端设备发送支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the terminal device.
  37. 根据权利要求35或36所述的方法,其特征在于,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:The method according to claim 35 or 36, wherein the sending of the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes:
    响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,向所述终端设备发送不支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the terminal device.
  38. 根据权利要求35至36中任一项所述的方法,其特征在于,所述根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,包括:The method according to any one of claims 35 to 36, wherein the sending the first computing capability indication information to the terminal device according to the algorithm capability supported by the network device includes:
    响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device not supporting the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent.
  39. 根据权利要求35所述的方法,其特征在于,向所述终端发送能力指示信息的方式至少包括以下任意一种:The method according to claim 35, wherein the manner of sending capability indication information to the terminal includes at least any of the following:
    通过RRC释放消息发送;Send by RRC release message;
    通过系统消息广播。Broadcast via system messages.
  40. 根据权利要求21所述的方法,其特征在于,所述方法还包括:The method according to claim 21, further comprising:
    对于所述终端驻留在所述网络设备所在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于所述终端设备在非锚点小区发生RRC连接恢复,接收所述非锚点小区内的新网络设备发送的提取终端设备上下文请求消息;其中,所述提取终端设备上下文请求消息包括所述第一完整性保护算法所需的输入参数;For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and when cell reselection occurs in the inactive state, respond to the The terminal device recovers the RRC connection in the non-anchor cell, and receives a request message for extracting the context of the terminal device sent by a new network device in the non-anchor cell; wherein the request message for extracting the context of the terminal device includes the first complete The input parameters required by the security protection algorithm;
    采用所述第一完整性保护算法及其所需的输入参数,对所述RRC连接恢复进行完整性保护验证。Using the first integrity protection algorithm and its required input parameters, integrity protection verification is performed on the RRC connection restoration.
  41. 一种通信装置,其特征在于,所述通信装置包括:A communication device, characterized in that the communication device includes:
    确定模块,所述确定模块,用于确定网络设备所支持具备的算法能力;A determination module, the determination module is used to determine the algorithm capabilities supported by the network equipment;
    选择模块,所述选择模块,用于根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;A selection module, the selection module is configured to select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the network device;
    处理模块,所述处理模块用于根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对RRC连接恢复请求消息进行完整性保护验证。A processing module, the processing module is used to perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and the input parameters used for calculating the message integrity verification code.
  42. 根据权利要求41所述的通信装置,其特征在于,所述输入参数至少包括以下一项或多项:The communication device according to claim 41, wherein the input parameters include at least one or more of the following:
    密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI, and added variables.
  43. 根据权利要求42或42所述的方法,其特征在于,所述确定模块用于:The method according to claim 42 or 42, wherein the determining module is used for:
    根据所述网络设备发送的能力指示信息,确定所述网络设备所支持具备的算法能力。According to the capability indication information sent by the network device, determine the algorithm capability supported by the network device.
  44. 根据权利要求41所述的通信装置,其特征在于,所述确定模块具体用于:The communication device according to claim 41, wherein the determining module is specifically configured to:
    判断是否接收到所述网络设备发送的第一计算能力指示信息;所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量; Judging whether the first computing capability indication information sent by the network device is received; the first computing capability indication information is used to notify the terminal device whether the network device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable;
    响应于接收到所述网络设备发送的第一计算能力指示信息,根据所述第一计算能力指示信息,确定所述网络设备所支持具备的算法能力。In response to receiving the first computing capability indication information sent by the network device, determine the algorithm capability supported by the network device according to the first computing capability indication information.
  45. 根据权利要求44所述的通信装置,其特征在于,所述确定模块还用于:The communication device according to claim 44, wherein the determination module is also used for:
    响应于未接收到所述网络设备发送的第一计算能力指示信息,确定所述网络设备所支持具备的算法能力为不支持第一完整性保护算法。In response to not receiving the first computing capability indication information sent by the network device, it is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  46. 根据权利要求44所述的通信装置,其特征在于,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备支持第一完整性保护算法;所述确定模块具体用于:The communication device according to claim 44, wherein the first computing capability indication information is used to notify the terminal device that the network device supports the first integrity protection algorithm; the determining module is specifically used for:
    确定所述网络设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is to support the first integrity protection algorithm.
  47. 根据权利要求46所述的通信装置,其特征在于,所述终端设备支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 46, wherein the terminal device supports the first integrity protection algorithm; the selection module is specifically used for:
    根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。According to the algorithm capability supported by the network device, a first integrity protection algorithm corresponding to the algorithm capability is selected.
  48. 根据权利要求46或47所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 46 or 47, wherein the processing module is specifically used for:
    采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码; Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable, calculate the message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  49. 根据权利要求46所述的通信装置,其特征在于,所述终端设备不支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 46, wherein the terminal device does not support the first integrity protection algorithm; the selection module is specifically used for:
    选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
  50. 根据权利要求49所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 49, wherein the processing module is specifically used for:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  51. 根据权利要求44所述的通信装置,其特征在于,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备不支持第一完整性保护算法;所述确定模块具体用于:The communication device according to claim 44, wherein the first computing capability indication information is used to notify the terminal device that the network device does not support the first integrity protection algorithm; the determining module is specifically used to :
    确定所述网络设备所支持具备的算法能力为不支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the network device is not supporting the first integrity protection algorithm.
  52. 根据权利要求51所述的通信装置,其特征在于,所述终端设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 51, wherein the terminal device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module is specifically used for:
    根据所述网络设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。According to the algorithm capability supported by the network device, a second integrity protection algorithm corresponding to the algorithm capability is selected.
  53. 根据权利要求52所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 52, wherein the processing module is specifically used for:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  54. 根据权利要求42至53中任一项所述的通信装置,其特征在于,所述增加变量至少包括以下A)至F)中的任意一项:The communication device according to any one of claims 42 to 53, wherein the increased variable includes at least any one of the following A) to F):
    A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) the recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
    B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) the permutation and combination of resume identification resumeIdentity, resume cause resumeCause and spare spare field in the RRC connection resume request message;
    C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit;
    D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
    E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了 用于表示消息完整性验证码resumeMAC-I的字段;E) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted in the RRC connection recovery request message as the added variable;
    F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein the RRC connection recovery request message used as the added variable is deleted for indicating the message integrity verification code resumeMAC-I field.
  55. 根据权利要求41至54中任一项所述的通信装置,其特征在于,还包括:The communication device according to any one of claims 41 to 54, further comprising:
    收发模块,所述收发模块用于根据所述终端设备所支持具备的算法能力,向所述网络设备发送第二计算能力指示信息,其中,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法。A transceiver module, configured to send second computing capability indication information to the network device according to the algorithm capability supported by the terminal device, wherein the second computing capability indication information is used to notify the network device, whether the terminal device supports the first integrity protection algorithm.
  56. 根据权利要求55所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to claim 55, wherein the transceiver module is specifically used for:
    响应于所述终端设备所支持具备的算法能力为支持第一完整性保护算法,向所述网络设备发送支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the network device.
  57. 根据权利要求55或56所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to claim 55 or 56, wherein the transceiver module is specifically used for:
    响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,向所述网络设备发送不支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the network device.
  58. 根据权利要求55至57中任一项所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to any one of claims 55 to 57, wherein the transceiver module is specifically used for:
    响应于所述终端设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the terminal device not supporting the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent.
  59. 根据权利要求55所述的通信装置,其特征在于,所述收发模块向所述网络设备发送能力指示信息的方式至少包括以下任意一种:The communication device according to claim 55, characterized in that, the manner in which the sending and receiving module sends capability indication information to the network device includes at least any of the following:
    通过安全模式完成消息发送;Complete message sending through safe mode;
    通过终端设备UE能力信息消息发送;Sending through terminal equipment UE capability information message;
    通过UE辅助信息发送;Send through UE auxiliary information;
    通过初始接入消息5 Msg5发送;Sent through the initial access message 5 Msg5;
    通过初始接入消息3 Msg3发送;Sent through the initial access message 3 Msg3;
    通过初始接入消息1 Msg1发送。Sent via initial access message 1 Msg1.
  60. 根据权利要求41所述的通信装置,其特征在于,所述处理模块还用于:The communication device according to claim 41, wherein the processing module is further used for:
    对于所述终端驻留在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于在非锚点小区发生RRC连接恢复,采用所述第一完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复进行完整性保护验证。For the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell, and when cell reselection occurs in the inactive state, in response to RRC connection recovery, using the first integrity protection algorithm and input parameters for calculating message integrity verification codes, to perform integrity protection verification on the RRC connection recovery.
  61. 一种通信装置,其特征在于,所述通信装置包括:A communication device, characterized in that the communication device includes:
    确定模块,所述确定模块用于响应于接收到终端设备发送的RRC连接恢复请求消息,确定所述终端设备所支持具备的算法能力;A determining module, the determining module is configured to determine the algorithm capability supported by the terminal device in response to receiving the RRC connection recovery request message sent by the terminal device;
    选择模块,所述选择模块用于根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的目标完整性保护算法;A selection module, the selection module is configured to select a target integrity protection algorithm corresponding to the algorithm capability according to the algorithm capability supported by the terminal device;
    处理模块,所述处理模块用于根据所述目标完整性保护算法和用于计算消息完整性验证码的输入参数,对所述RRC连接恢复请求消息进行完整性保护验证。A processing module, the processing module is configured to perform integrity protection verification on the RRC connection recovery request message according to the target integrity protection algorithm and input parameters for calculating a message integrity verification code.
  62. 根据权利要求61所述的通信装置,其特征在于,所述输入参数至少包括以下一项或多项:The communication device according to claim 61, wherein the input parameters include at least one or more of the following:
    密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量。 Key RRCint , bearer ID, data transmission direction, COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI, and added variables.
  63. 根据权利要求61或62所述的通信装置,其特征在于,所述确定模块用于:The communication device according to claim 61 or 62, wherein the determining module is used for:
    根据所述终端设备发送的能力指示信息,确定所述终端设备所支持具备的算法能力。According to the capability indication information sent by the terminal device, the algorithm capability supported by the terminal device is determined.
  64. 根据权利要求62所述的通信装置,其特征在于,所述确定模块具体用于:The communication device according to claim 62, wherein the determining module is specifically configured to:
    判断是否接收到所述终端设备发送的第二计算能力指示信息;所述第二计算能力指示信息用于通知所述网络设备,所述终端设备是否支持第一完整性保护算法;其中,所述第一完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量; Judging whether the second computing capability indication information sent by the terminal device is received; the second computing capability indication information is used to notify the network device whether the terminal device supports the first integrity protection algorithm; wherein, the The input parameters of the first integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable;
    响应于接收到所述终端设备发送的第二计算能力指示信息,根据所述第二计算能力指示信息,确定所述终端设备所支持具备的算法能力。In response to receiving the second computing capability indication information sent by the terminal device, determine the algorithm capability supported by the terminal device according to the second computing capability indication information.
  65. 根据权利要求64所述的通信装置,其特征在于,所述确定模块还用于:The communication device according to claim 64, wherein the determining module is also used for:
    响应于未接收到所述终端设备发送的第二计算能力指示信息,确定所述终端设备所支持具备的算法能力为不支持第一完整性保护算法。In response to not receiving the second computing capability indication information sent by the terminal device, it is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  66. 根据权利要求64所述的通信装置,其特征在于,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备支持第一完整性保护算法;所述确定模块具体用于:The communication device according to claim 64, wherein the second computing capability indication information is used to notify the network device that the terminal device supports the first integrity protection algorithm; the determining module is specifically used for:
    确定所述终端设备所支持具备的算法能力为支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the terminal device is to support the first integrity protection algorithm.
  67. 根据权利要求66所述的通信装置,其特征在于,所述网络设备支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 66, wherein the network device supports the first integrity protection algorithm; the selection module is specifically used for:
    根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第一完整性保护算法。According to the algorithm capability supported by the terminal device, a first integrity protection algorithm corresponding to the algorithm capability is selected.
  68. 根据权利要求66或67所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 66 or 67, wherein the processing module is specifically used for:
    采用所述第一完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID、临时标识符C-RNTI和增加变量,计算消息完整性验证码; Using the first integrity protection algorithm, according to the key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target cell ID, source cell ID, temporary identifier C-RNTI and increase variable, calculate the message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  69. 根据权利要求66所述的通信装置,其特征在于,所述网络设备不支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 66, wherein the network device does not support the first integrity protection algorithm; the selection module is specifically used for:
    选择第二完整性保护算法作为所述目标完整性保护算法;其中,所述第二完整性保护算法的输入参数包括密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI。 Select the second integrity protection algorithm as the target integrity protection algorithm; wherein, the input parameters of the second integrity protection algorithm include key Key RRCint , bearer ID, data transmission direction direction, count COUNT value, target Cell ID, source cell ID and temporary identifier C-RNTI.
  70. 根据权利要求69所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 69, wherein the processing module is specifically used for:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  71. 根据权利要求64所述的通信装置,其特征在于,所述第二计算能力指示信息用于通知所述网络设备,所述终端设备不支持第一完整性保护算法;所述确定模块具体用于:The communication device according to claim 64, wherein the second computing capability indication information is used to notify the network device that the terminal device does not support the first integrity protection algorithm; the determining module is specifically used to :
    确定所述终端设备所支持具备的算法能力为不支持所述第一完整性保护算法。It is determined that the algorithm capability supported by the terminal device is not supporting the first integrity protection algorithm.
  72. 根据权利要求71所述的通信装置,其特征在于,所述网络设备支持所述第一完整性保护算法或不支持所述第一完整性保护算法;所述选择模块具体用于:The communication device according to claim 71, wherein the network device supports the first integrity protection algorithm or does not support the first integrity protection algorithm; the selection module is specifically used for:
    根据所述终端设备所支持具备的算法能力,选择与所述算法能力对应的第二完整性保护算法。According to the algorithm capability supported by the terminal device, a second integrity protection algorithm corresponding to the algorithm capability is selected.
  73. 根据权利要求72所述的通信装置,其特征在于,所述处理模块具体用于:The communication device according to claim 72, wherein the processing module is specifically used for:
    采用所述第二完整性保护算法,根据所述密钥Key RRCint、承载标识bearer ID、数据传输方向direction、计数COUNT值、目标小区标识ID、源小区标识ID和临时标识符C-RNTI,计算消息完整性验证码; Using the second integrity protection algorithm , calculate Message integrity verification code;
    根据计算得到的所述消息完整性验证码对所述RRC连接恢复请求消息进行完整性保护验证。Perform integrity protection verification on the RRC connection recovery request message according to the calculated message integrity verification code.
  74. 根据权利要求62至73中任一项所述的通信装置,其特征在于,所述增加变量至少包括以下A)至F)中的任意一项:The communication device according to any one of claims 62 to 73, wherein the increased variable includes at least any one of the following A) to F):
    A)所述RRC连接恢复请求消息中的恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段;A) the recovery identification resumeIdentity, resumeCause and spare spare fields in the RRC connection recovery request message;
    B)所述RRC连接恢复请求消息之中恢复识别resumeIdentity、恢复原因resumeCause以及备用spare字段的排列组合;B) the permutation and combination of resume identification resumeIdentity, resume cause resumeCause and spare spare field in the RRC connection resume request message;
    C)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中用于表示消息完整性验证码resumeMAC-I的字段置为特殊比特;C) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I in the RRC connection recovery request message as the added variable is set to a special bit;
    D)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位;D) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request;
    E)所述RRC连接恢复请求消息,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段;E) the RRC connection recovery request message, wherein the field used to represent the message integrity verification code resumeMAC-I is deleted from the RRC connection recovery request message as the added variable;
    F)所述RRC连接恢复请求消息和用于指示RRC连接恢复请求的比特位,其中,作为所述增加变量的RRC连接恢复请求消息之中删除了用于表示消息完整性验证码resumeMAC-I的字段。F) the RRC connection recovery request message and the bits used to indicate the RRC connection recovery request, wherein, the RRC connection recovery request message used as the added variable is deleted for indicating the message integrity verification code resumeMAC-I field.
  75. 根据权利要求61至74中任一项所述的通信装置,其特征在于,还包括:The communication device according to any one of claims 61 to 74, further comprising:
    收发模块,所述收发模块用于根据所述网络设备所支持具备的算法能力,向所述终端设备发送第一计算能力指示信息,其中,所述第一计算能力指示信息用于通知所述终端设备,所述网络设备是否支持第一完整性保护算法。A transceiver module, configured to send first computing capability indication information to the terminal device according to the algorithm capability supported by the network device, wherein the first computing capability indication information is used to notify the terminal device, whether the network device supports the first integrity protection algorithm.
  76. 根据权利要求75所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to claim 75, wherein the transceiver module is specifically used for:
    响应于所述网络设备所支持具备的算法能力为支持第一完整性保护算法,向所述终端设备发送支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device supporting the first integrity protection algorithm, sending capability indication information supporting the first integrity protection algorithm to the terminal device.
  77. 根据权利要求75或76所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to claim 75 or 76, wherein the transceiver module is specifically used for:
    响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,向所述终端设备发送不支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device not supporting the first integrity protection algorithm, sending capability indication information not supporting the first integrity protection algorithm to the terminal device.
  78. 根据权利要求75至77中任一项所述的通信装置,其特征在于,所述收发模块具体用于:The communication device according to any one of claims 75 to 77, wherein the transceiver module is specifically used for:
    响应于所述网络设备所支持具备的算法能力为不支持第一完整性保护算法,不发送针对是否支持所述第一完整性保护算法的能力指示信息。In response to the algorithm capability supported by the network device not supporting the first integrity protection algorithm, no capability indication information about whether the first integrity protection algorithm is supported is not sent.
  79. 根据权利要求75所述的通信装置,其特征在于,所述收发模块向所述终端发送能力指示信息的方式至少包括以下任意一种:The communication device according to claim 75, characterized in that, the manner in which the transceiver module sends capability indication information to the terminal includes at least any of the following:
    通过RRC释放消息发送;Send by RRC release message;
    通过系统消息广播。Broadcast via system messages.
  80. 根据权利要求75所述的通信装置,其特征在于,The communication device according to claim 75, wherein:
    所述收发模块,还用于对于所述终端驻留在所述网络设备所在锚点小区时采用第一完整性保护算法计算的消息完整性验证码,且在处于非激活态下发生了小区重选的情况下,响应于所述终端设备在非锚点小区发生RRC连接恢复,接收所述非锚点小区内的新网络设备发送的提取终端设备上下文请求消息;其中,所述提取终端设备上下文请求消息包括所述第一完整性保护算法所需的输入参数;The transceiver module is further configured to use the message integrity verification code calculated by using the first integrity protection algorithm when the terminal resides in the anchor cell where the network device is located, and a cell reconfiguration occurs when the terminal is in an inactive state Optionally, in response to the terminal device recovering the RRC connection in the non-anchor cell, receiving a request message for extracting the terminal device context sent by the new network device in the non-anchor cell; wherein the extracting the terminal device context The request message includes input parameters required by the first integrity protection algorithm;
    所述处理模块,还用于采用所述第一完整性保护算法及其所需的输入参数,对所述RRC连接恢复进行完整性保护验证。The processing module is further configured to use the first integrity protection algorithm and its required input parameters to perform integrity protection verification on the recovery of the RRC connection.
  81. 一种通信装置,其特征在于,所述装置包括处理器和存储器,所述存储器中存储有计算机程序,所述处理器执行所述存储器中存储的计算机程序,以使所述装置执行如权利要求1~20中任一项所述的方法。A communication device, characterized in that the device includes a processor and a memory, and a computer program is stored in the memory, and the processor executes the computer program stored in the memory, so that the device performs the The method described in any one of 1 to 20.
  82. 一种通信装置,其特征在于,所述装置包括处理器和存储器,所述存储器中存储有计算机程序,所述处理器执行所述存储器中存储的计算机程序,以使所述装置执行如权利要求21~40中任一项所述的方法。A communication device, characterized in that the device includes a processor and a memory, and a computer program is stored in the memory, and the processor executes the computer program stored in the memory, so that the device performs the The method described in any one of 21-40.
  83. 一种计算机可读存储介质,用于存储有指令,当所述指令被执行时,使如权利要求1~20中任一项所述的方法被实现。A computer-readable storage medium is used for storing instructions, and when the instructions are executed, the method according to any one of claims 1-20 is realized.
  84. 一种计算机可读存储介质,用于存储有指令,当所述指令被执行时,使如权利要求21~40中任一项所述的方法被实现。A computer-readable storage medium for storing instructions, which, when executed, cause the method according to any one of claims 21-40 to be implemented.
PCT/CN2021/111198 2021-08-06 2021-08-06 Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus WO2023010531A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2021/111198 WO2023010531A1 (en) 2021-08-06 2021-08-06 Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus
CN202180002389.1A CN115943724A (en) 2021-08-06 2021-08-06 Security enhancement method and communication device for Radio Resource Control (RRC) connection recovery

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/111198 WO2023010531A1 (en) 2021-08-06 2021-08-06 Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus

Publications (1)

Publication Number Publication Date
WO2023010531A1 true WO2023010531A1 (en) 2023-02-09

Family

ID=85154048

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/111198 WO2023010531A1 (en) 2021-08-06 2021-08-06 Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus

Country Status (2)

Country Link
CN (1) CN115943724A (en)
WO (1) WO2023010531A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788795A (en) * 2019-11-08 2021-05-11 华为技术有限公司 Connection recovery method and device
WO2021096411A1 (en) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Integrity protection of radio resource control message

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788795A (en) * 2019-11-08 2021-05-11 华为技术有限公司 Connection recovery method and device
WO2021096411A1 (en) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Integrity protection of radio resource control message

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Further aspects of RRC Resume", 3GPP DRAFT; R2-164322 - FURTHER ASPECTS OF RRC RESUME, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. RAN WG2, no. Nanjing, China; 20160523 - 20160527, 22 May 2016 (2016-05-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051105561 *
HUAWEI, HISILICON: "Security handling in Connection Resume in CM-IDLE with Suspend to a new ng-eNB for User Plane CIoT 5GS Optimization", 3GPP DRAFT; S3-194487, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Reno (US); 20191118 - 20191122, 22 November 2019 (2019-11-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051828646 *

Also Published As

Publication number Publication date
CN115943724A (en) 2023-04-07

Similar Documents

Publication Publication Date Title
WO2022233063A1 (en) Access failure processing method and apparatus, terminal device and storage medium
EP3840518B1 (en) Rrc connection method and terminal
WO2022233064A1 (en) Method for releasing remote terminal device and apparatus therefor
WO2023102743A1 (en) Access control method and apparatus
WO2024060143A1 (en) Reporting method/apparatus/device, and storage medium
WO2023010531A1 (en) Security enhancement method for radio resource control (rrc) connection resumption, and communication apparatus
WO2023130321A1 (en) Data compression method and apparatus
WO2023087191A1 (en) Radio resource control (rrc) reject message transmitting method and apparatus
WO2022222012A1 (en) Paging processing method and apparatus thereof
WO2023115487A1 (en) Method for creating artificial intelligence session, and apparatus therefor
WO2024011435A1 (en) Failure processing method and apparatus
WO2024168935A1 (en) Message verification method and apparatus therefor
WO2024000208A1 (en) Method for triggering timing advance reporting (tar), apparatus, device, and storage medium
WO2022236623A1 (en) Paging method and apparatus therefor
WO2022266861A1 (en) Paging processing method, communication apparatus, and storage medium
WO2023147708A1 (en) Artificial intelligence session updating method and apparatus
WO2023108369A1 (en) Resource determination method and apparatus
WO2024207368A1 (en) Satellite coverage information determination method and apparatus
WO2022266948A1 (en) Method for recovering beam physical uplink control channel, and apparatus
WO2023240419A1 (en) Access control method and apparatus
WO2023010429A1 (en) Bandwidth part synchronization method and apparatus thereof
WO2024020753A1 (en) Data transmission method and apparatus
WO2023193271A1 (en) Update method and apparatus for cell groups of terminal device in dual connectivity
WO2022147801A1 (en) Data processing method and apparatus
CN118786748A (en) Information sending method and communication device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21952405

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21952405

Country of ref document: EP

Kind code of ref document: A1