WO2023030148A1 - A communication method, device and system - Google Patents
A communication method, device and system
- Publication number: WO2023030148A1 (PCT/CN2022/114680)
- Authority: WO (WIPO (PCT))
- Prior art keywords: node, key, communication, connection, authentication
Classifications
- H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
      - H04W12/041—Key generation or derivation
      - H04W12/043—Key management using a trusted network node as an anchor
        - H04W12/0431—Key distribution or pre-distribution; Key agreement
        - H04W12/0433—Key management protocols
    - H04W12/06—Authentication
      - H04W12/069—Authentication using certificates or pre-shared keys
  - H04W76/00—Connection management
    - H04W76/10—Connection setup
    - H04W76/30—Connection release
      - H04W76/34—Selective release of ongoing connections
Definitions
- the embodiments of the present application relate to the field of communication technologies, and in particular, to a communication method, device, and system.
- Embodiments of the present application provide a communication method, device, and system, which are used to update a communication authentication key to improve communication security.
- the embodiment of the present application provides a communication method, which may be applied to a first node.
- the method includes:
- the embodiment of the present application provides a technical solution in which the first node and the second node release the connection after confirming the updated key and then establish a connection using the new key, so that communication switches between different communication connections; this update process for the communication authentication key effectively improves the security of communication.
- the connection establishment request being used to request establishment of a connection based on the second key includes the connection establishment request being used to request an authentication and security context negotiation process based on the second key.
- the method further includes: receiving authentication information based on the second key from the second node; the authentication information is used to verify the identity of the second node.
- the authentication information being used to verify the identity of the second node includes the authentication information being used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the first key is a key derived (or negotiated) based on a first communication system, and/or the second key is a key derived (or negotiated) based on a second communication system, where the first communication system is different from the second communication system.
- the first communication system may be a single communication system
- the second communication system may be a communication system obtained by merging different communication systems.
- the embodiment of the present application provides a communication method in a scenario where different communication systems perform converged communication, which effectively improves communication security.
- an authentication response based on the second key is sent to the second node, where the authentication response is used to verify the identity of the first node.
- the authentication response being used to verify the identity of the first node includes the authentication response being used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- by sending the authentication response to the second node, the first node enables the second node to further determine, according to the authentication response, whether the authentication based on the second key has succeeded.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- carrying the request reason in the release request enables the first node, after receiving the release request from the second node, to know the reason for the request and thus respond to it in a more targeted way, with greater adaptability.
- the second key is valid within a first duration.
- the first duration is defined by a timer or a time stamp.
- the second key is valid within a first duration starting from a first moment, and the first moment is the moment when the first communication connection is released or the moment when the connection establishment request is sent.
- the present application provides several options for the first moment, and thus several ways of judging the validity of the second key, giving greater flexibility.
- the method further includes performing information transmission with the third node through the backhaul link between the second node and the third node within the validity period of the second key.
- the embodiment of the present application provides a communication method, which may be applied to a second node.
- the method includes:
- the embodiment of the present application provides a technical solution in which the first node and the second node release the connection after confirming the updated key and then establish a connection using the new key, so that communication switches between different communication connections; this update process for the communication authentication key effectively improves the security of communication.
- the connection establishment request being used to request establishment of a connection based on the second key includes: the connection establishment request being used to request an authentication and security context negotiation process based on the second key.
- the method further includes: sending authentication information based on the second key to the first node; the authentication information is used to verify the identity of the second node.
- the authentication information being used to verify the identity of the second node includes the authentication information being used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the first key is a key derived (or negotiated) based on a first communication system, and/or the second key is a key derived (or negotiated) based on a second communication system, where the first communication system is different from the second communication system.
- the first communication system may be a single communication system
- the second communication system may be a communication system obtained by merging different communication systems.
- the embodiment of the present application provides a communication method in a scenario where different communication systems perform converged communication, which effectively improves communication security.
- the method further includes receiving an authentication response based on the second key from the first node; the authentication response is used to verify the identity of the first node.
- the authentication response being used to verify the identity of the first node includes the authentication response being used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- by sending the authentication response to the second node, the first node enables the second node to further determine, according to the authentication response, whether the authentication based on the second key has succeeded.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- carrying the request reason in the release request enables the first node, after receiving the release request from the second node, to know the reason for the request and thus respond to it in a more targeted way, with greater adaptability.
- the second key is valid within a first duration.
- the first duration may be defined by a timer or a time stamp.
- the second key is valid within a first duration starting from a first moment, and the first moment is the moment when the first communication connection is released or the moment when the second node receives the connection establishment request.
- the present application provides several options for the first moment, and thus several ways of judging the validity of the second key, giving greater flexibility.
- the method further includes, within the validity period of the second key, forwarding transmission information from the first node to the third node through the backhaul link between the second node and the third node.
- the backhaul link is suspended.
- the second node suspends the backhaul link after releasing the first communication connection, which can effectively reduce system overhead and save resources.
- the method further includes activating the backhaul link after determining that the second communication connection with the first node is successfully established; the second communication connection uses the second key for communication authentication.
- the previously suspended backhaul link is activated so that the backhaul link continues to be used for communication transmission, which can effectively reduce system overhead and save resources.
- the embodiment of the present application provides a communication method, which may be applied to the first node.
- the method includes:
- the embodiment of the present application provides a technical solution in which the first node and the second node release the connection after confirming the updated key and then establish a connection using the new key, so that communication switches between different communication connections; this update process for the communication authentication key effectively improves the security of communication.
- the connection establishment request being used to request establishment of a connection based on the second key includes the connection establishment request being used to request an authentication and security context negotiation process based on the second key.
- the method further includes: receiving authentication information based on the second key from the second node; the authentication information is used to verify the identity of the second node.
- the authentication information being used to verify the identity of the second node includes the authentication information being used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the first key is a key derived (or negotiated) based on a first communication system, and/or the second key is a key derived (or negotiated) based on a second communication system, where the first communication system is different from the second communication system.
- the first communication system may be a single communication system
- the second communication system may be a communication system obtained by merging different communication systems.
- the embodiment of the present application provides a communication method in a scenario where different communication systems perform converged communication, which effectively improves communication security.
- the method further includes: sending an authentication response based on the second key to the second node, where the authentication response is used to verify the identity of the first node.
- the authentication response being used to verify the identity of the first node includes the authentication response being used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- by sending the authentication response to the second node, the first node enables the second node to further determine, according to the authentication response, whether the authentication based on the second key has succeeded.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- carrying the request reason in the release request enables the first node, after receiving the release request from the second node, to know the reason for the request and thus respond to it in a more targeted way, with greater adaptability.
- the second key is valid within a first duration.
- the first duration is defined by a timer or a time stamp.
- the second key is valid within a first duration starting from a first moment, and the first moment is the moment when the first communication connection is released or the moment when the connection establishment request is sent.
- the present application provides several options for the first moment, and thus several ways of judging the validity of the second key, giving greater flexibility.
- the method further includes: within the validity period of the second key, performing information transmission with the third node through the backhaul link between the second node and the third node.
- the embodiment of the present application provides a communication method, which may be applied to the second node.
- the method includes:
- the embodiment of the present application provides a technical solution in which the first node and the second node release the connection after confirming the updated key and then establish a connection using the new key, so that communication switches between different communication connections; this update process for the communication authentication key effectively improves the security of communication.
- the connection establishment request being used to request establishment of a connection based on the second key includes: the connection establishment request being used to request an authentication and security context negotiation process based on the second key.
- the method further includes: sending authentication information based on the second key to the first node; the authentication information is used to verify the identity of the second node.
- the authentication information being used to verify the identity of the second node includes the authentication information being used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the first key is a key derived (or negotiated) based on a first communication system, and/or the second key is a key derived (or negotiated) based on a second communication system, where the first communication system is different from the second communication system.
- the first communication system may be a single communication system
- the second communication system may be a communication system obtained by merging different communication systems.
- the embodiment of the present application provides a communication method in a scenario where different communication systems perform converged communication, which effectively improves communication security.
- the method further includes receiving an authentication response fed back from the first node; the authentication response is used to verify the identity of the first node.
- the authentication response being used to verify the identity of the first node includes the authentication response being used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- by sending the authentication response to the second node, the first node enables the second node to further determine, according to the authentication response, whether the authentication based on the second key has succeeded.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- carrying the request reason in the release request enables the first node, after receiving the release request from the second node, to know the reason for the request and thus respond to it in a more targeted way, with greater adaptability.
- the second key is valid within a first duration.
- the first duration may be defined by a timer or a time stamp.
- the second key is valid within a first duration starting from a first moment, and the first moment is the moment when the first communication connection is released or the moment when the second node receives the connection establishment request.
- the present application provides several options for the first moment, and thus several ways of judging the validity of the second key, giving greater flexibility.
- the method further includes, within the validity period of the second key, forwarding transmission information from the first node to the third node through the backhaul link between the second node and the third node.
- the backhaul link is suspended.
- the second node suspends the backhaul link after releasing the first communication connection, which can effectively reduce system overhead and save resources.
- the method further includes activating the backhaul link after determining that the second communication connection with the first node is successfully established; the second communication connection uses the second key for communication authentication.
- the previously suspended backhaul link is activated so that the backhaul link continues to be used for communication transmission, which can effectively reduce system overhead and save resources.
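The release-and-re-establish procedure described in the bullets above (release request carrying a key-update reason, backhaul suspension, connection establishment request based on the second key, authentication information and response, a timer-bounded validity window for the second key, and backhaul activation once the second connection is up) can be seen end to end in the following simulation. It is an added example and not code from the patent or its applicant. The patent does not specify the authentication primitive, the key-derivation procedure or the length of the first duration, so HMAC-SHA256 over a fresh nonce, two constructed sample keys, a 30-second window and the release moment as the "first moment" are all assumptions; the second node is assumed to be the sender of the release request, as one of the bullets suggests.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample keys (assumption): first key for the single system,
# second key for the converged system. Real keys are derived/negotiated.
FIRST_KEY = b"first-key-single-system"
SECOND_KEY = b"second-key-converged-system"
KEY_UPDATE = "key update for communication authentication"  # request reason
FIRST_DURATION = 30.0  # seconds the second key stays valid (assumed value)


def mac(key: bytes, *parts: bytes) -> bytes:
    """Assumed authentication primitive: HMAC-SHA256 over the given parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


@dataclass
class SecondNode:
    """Access-side node that owns the backhaul link to the third node."""
    key: bytes = FIRST_KEY
    connected: bool = True           # first communication connection is up
    backhaul_active: bool = True
    key_valid_from: Optional[float] = None  # the "first moment"
    nonce: bytes = b""
    forwarded: List[bytes] = field(default_factory=list)

    def release_first_connection(self, now: float, new_key: bytes) -> str:
        # Release, suspend the backhaul link, start the validity timer at the
        # release moment; return the request-reason information to send.
        self.connected, self.backhaul_active = False, False
        self.key, self.key_valid_from = new_key, now
        return KEY_UPDATE

    def second_key_valid(self, now: float) -> bool:
        # Timer-based check: within FIRST_DURATION of the first moment.
        return self.key_valid_from is not None and now - self.key_valid_from <= FIRST_DURATION

    def on_connection_request(self, now: float) -> Optional[Tuple[bytes, bytes]]:
        # Answer a connection establishment request with authentication
        # information (nonce, tag), or refuse if the second key has expired.
        if not self.second_key_valid(now):
            return None
        self.nonce = secrets.token_bytes(16)
        return self.nonce, mac(self.key, b"auth-info", self.nonce)

    def on_auth_response(self, response: bytes, now: float) -> bool:
        # Verify the first node's response; on success the second connection
        # is established and the suspended backhaul link is activated again.
        if not self.second_key_valid(now):
            return False
        if not hmac.compare_digest(mac(self.key, b"auth-resp", self.nonce), response):
            return False
        self.connected, self.backhaul_active = True, True
        return True

    def forward(self, payload: bytes, now: float) -> bool:
        # Forward first-node data to the third node only while connected,
        # backhaul active and the second key still valid.
        if not (self.connected and self.backhaul_active and self.second_key_valid(now)):
            return False
        self.forwarded.append(payload)
        return True


class FirstNode:
    """Terminal-side node: accepts the key update, then authenticates with it."""

    def __init__(self) -> None:
        self.key = FIRST_KEY

    def on_release_request(self, reason: str, new_key: bytes) -> bool:
        # Only a key-update reason makes the node switch to the second key.
        if reason != KEY_UPDATE:
            return False
        self.key = new_key
        return True

    def verify_and_respond(self, auth_info: Tuple[bytes, bytes]) -> Optional[bytes]:
        # Check the second node's identity with the second key, then answer.
        nonce, tag = auth_info
        if not hmac.compare_digest(mac(self.key, b"auth-info", nonce), tag):
            return None
        return mac(self.key, b"auth-resp", nonce)


def run_key_update(t_release: float = 0.0, t_connect: float = 1.0, t_data: float = 2.0) -> dict:
    """Run the whole exchange at the given timestamps and report the outcome."""
    first, second = FirstNode(), SecondNode()
    reason = second.release_first_connection(t_release, SECOND_KEY)
    refused = {"established": False, "backhaul": second.backhaul_active, "forwarded": 0}
    if not first.on_release_request(reason, SECOND_KEY):
        return refused
    info = second.on_connection_request(t_connect)
    if info is None:  # second key expired before re-establishment
        return refused
    response = first.verify_and_respond(info)
    established = response is not None and second.on_auth_response(response, t_connect)
    second.forward(b"constructed data for the third node", t_data)
    return {"established": established, "backhaul": second.backhaul_active,
            "forwarded": len(second.forwarded)}


if __name__ == "__main__":
    print(run_key_update())                              # normal flow
    print(run_key_update(t_connect=FIRST_DURATION + 1))  # key expired first
```

Running `run_key_update()` with the default timestamps establishes the second connection, re-activates the backhaul link and forwards one payload; delaying the connection request past the 30-second window leaves the backhaul suspended and nothing forwarded, and delaying only the data past the window keeps the connection but refuses the forwarding, which is the behaviour the validity-period bullets describe.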
- the embodiment of the present application provides a communication device, which is used to realize the above first aspect or any one of the methods in the first aspect, and includes corresponding functional modules or units respectively used to realize the steps in the method of the first aspect.
- the function can be realized by hardware, or by executing corresponding software by hardware, and the hardware or software includes one or more modules or units corresponding to the above functions; or,
- the device is used to realize the above-mentioned third aspect or any method in the third aspect, and includes corresponding functional modules or units, respectively used to realize the steps in the above-mentioned method of the third aspect.
- Functions can be realized by hardware, or by executing corresponding software by hardware, and the hardware or software includes one or more modules or units corresponding to the above-mentioned functions.
- the embodiment of the present application provides a communication device, which is used to implement the second aspect or any one of the methods in the second aspect, and includes corresponding functional modules or units respectively used to implement the steps in the method of the second aspect.
- the function can be realized by hardware, or by executing corresponding software by hardware, and the hardware or software includes one or more modules or units corresponding to the above functions; or,
- the device is used to implement the fourth aspect or any one of the methods in the fourth aspect, and includes corresponding functional modules or units, respectively used to implement the steps in the method of the fourth aspect.
- Functions can be realized by hardware, or by executing corresponding software by hardware, and the hardware or software includes one or more modules or units corresponding to the above-mentioned functions.
- a communication device includes a processor and a memory.
- the memory is used to store computer programs or instructions.
- the processor is coupled to the memory; when the processor executes the computer programs or instructions, the device is made to perform the first aspect or any method in the first aspect, or the device is made to perform the third aspect or any method in the third aspect.
- the communication device may be the first device, or a device capable of supporting the first device to implement the functions required by the method provided by the first aspect above, or a device capable of supporting the first device to implement the functions required by the method provided by the third aspect above, for example a system-on-a-chip.
- the communication device may be a terminal device or a part of components (such as a chip) in the terminal device.
- the terminal device may be, for example, a smart mobile terminal, a smart home device, a smart car, a smart wearable device, and the like.
- the smart mobile terminal includes a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA) and the like.
- Smart home devices such as smart refrigerators, smart washing machines, smart TVs, speakers, etc.
- Smart wearable devices such as smart headphones, smart glasses, smart clothing or shoes, etc.
- a communication device includes a processor and a memory.
- the memory is used to store computer programs or instructions.
- the processor is coupled to the memory; when the processor executes the computer programs or instructions, the device is made to perform the second aspect or any method in the second aspect above, or the device is made to perform the fourth aspect or any one of the methods in the fourth aspect.
- the communication device may be the second device, or a device capable of supporting the second device to implement the functions required by the method provided by the second aspect above, or a device capable of supporting the second device to implement the functions required by the method provided by the fourth aspect above, for example a system-on-a-chip.
- the communication device may be a terminal device or a part of components (such as a chip) in the terminal device.
- the terminal device may be, for example, a smart mobile terminal, a smart home device, a smart car, a smart wearable device, and the like.
- the smart mobile terminal is such as a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (personal digital assistant, PDA) and the like.
- Smart home devices such as smart refrigerators, smart washing machines, smart TVs, speakers, etc.
- Smart wearable devices such as smart headphones, smart glasses, smart clothing or shoes, etc.
- a ninth aspect provides a terminal, and the terminal may include the device described in the fifth aspect or the seventh aspect, and the device in the sixth aspect or the eighth aspect above.
- the device may be smart home equipment, smart manufacturing equipment, smart transportation equipment, etc., such as vehicles, drones, unmanned transport vehicles, cars and vehicles, or robots.
- the device may be a mouse, a keyboard, a wearable device, a TWS earphone, and the like.
- the present application provides a chip, which is connected to a memory and used to read and execute computer programs or instructions stored in the memory, so as to realize the above-mentioned first aspect or a method in any possible implementation of the first aspect; or to realize the second aspect or a method in any possible implementation of the second aspect; or to realize the third aspect or a method in any possible implementation of the third aspect; or to implement the fourth aspect or the method in any possible implementation manner of the fourth aspect.
- a computer-readable storage medium in which a computer program or instruction is stored, and when the computer program or instruction is executed by a device, the device executes the above-mentioned first aspect or the first aspect.
- In a twelfth aspect, a computer-readable storage medium is provided. Computer programs or instructions are stored in the computer-readable storage medium. When the computer programs or instructions are executed by a device, the device executes the above-mentioned second aspect or a method in any possible implementation manner of the second aspect, or the device executes the fourth aspect or the method in any possible implementation manner of the fourth aspect.
- the present application provides a computer program product, the computer program product includes a computer program or an instruction, and when the computer program or instruction is executed by a device, the device executes the above-mentioned first aspect or any possibility of the first aspect
- the present application provides a computer program product, the computer program product includes a computer program or an instruction, and when the computer program or instruction is executed by a device, the device executes the above-mentioned second aspect or any possibility of the second aspect
- FIG. 1 is a schematic diagram of a first communication system provided by an embodiment of the present application.
- FIG. 2 is a schematic diagram of a second communication system provided by an embodiment of the present application.
- FIG. 3 is a schematic flowchart of the first communication method provided by the embodiment of the present application.
- FIG. 4 is a schematic flow diagram of a second communication method provided by an embodiment of the present application.
- FIG. 5 is a schematic flowchart of a third communication method provided by an embodiment of the present application.
- FIG. 6 is a schematic flowchart of a fourth communication method provided by an embodiment of the present application.
- FIG. 7 is a schematic flowchart of a fifth communication method provided by the embodiment of the present application.
- FIG. 8 is a schematic flowchart of a sixth communication method provided by the embodiment of the present application.
- FIG. 9 is a schematic flowchart of a sixth communication method provided by the embodiment of the present application.
- FIG. 10 is a schematic structural diagram of a first communication device provided in an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of a second communication device provided by an embodiment of the present application.
- FIG. 12 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
- the embodiment of the present application provides a communication method and device, in order to realize the authentication process of the integration of wireless short-distance and 5G cellular network.
- the embodiments of the present application will be further described in detail below in conjunction with the accompanying drawings.
- the communication method provided by the embodiment of the present application can be applied to the fifth generation (5G) communication system, such as 5G new radio (NR), and can also be applied to various future communication systems, such as the sixth generation (6G) communication system, which is not limited here.
- the embodiment of the present application provides an architecture of a communication system to which the communication method is applicable.
- the communication system may include a first node 100 , a second node 110 and a third node 120 .
- the first node may be connected to the second node, and the second node may be connected to the third node.
- the communication system may be a communication system after integration of different communication systems, for example, a communication system obtained after integration of a wireless short-distance communication system and a 5G cellular network communication system, which is not limited here.
- the integrated communication system may also be called a tightly coupled (tight interworking) communication system, or an interworking (interworking) communication system.
- this application takes the integrated communication system of the wireless short-distance communication system and the 5G cellular network communication system as an example, and introduces the integrated communication system:
- the terminal nodes supporting wireless short-distance communication can access the 5G network through the control node or gateway node, and further use the services provided by the 5G network.
- the 5G network can also configure and manage data transmission policies for terminal nodes based on the terminal node's subscription information and link state information, so as to provide refined services for the network. That is to say, in the integrated communication system, the wireless short-distance communication system and the 5G cellular network communication system can work interactively and complement each other.
- the wireless short-distance communication system described in this application can be any possible short-distance communication system, such as Bluetooth, wifi, a vehicle-mounted general short-distance communication system, star flash (SparkLink), etc.
- the first node may be a terminal device or a communication device capable of supporting the terminal device to implement the functions required by the method, or the first node may be a network device or a communication device capable of supporting the network device to implement the functions required by the method; of course, it may also be another communication device, such as a system on a chip.
- the second node may be a network device or a communication device capable of supporting the network device to implement the functions required by the method, or the second node may be a terminal device or a communication device capable of supporting the terminal device to implement the functions required by the method; of course, it may also be another communication device, such as a system on a chip.
- the third node may be a network device or a communication device capable of supporting the network device to implement the functions required by the method, or the third node may be a terminal device or a communication device capable of supporting the terminal device to implement the functions required by the method; of course, it may also be another communication device, such as a system on a chip.
- the terminal device in this embodiment of the present application may be a device for implementing a wireless communication function, such as a terminal or a chip that may be used in the terminal.
- Examples may include a handheld device with wireless connectivity, or a processing device connected to a wireless modem.
- the terminal device can communicate with the core network via a radio access network (radio access network, RAN), and exchange voice and/or data with the RAN.
- the terminal equipment may include user equipment (UE), wireless terminal equipment, mobile terminal equipment, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, an access point (AP), a remote terminal device (remote terminal), an access terminal device (access terminal), a user terminal device (user terminal), a user agent, or a user device, etc.
- the terminal equipment may include mobile phones (or "cellular" phones), computers with mobile terminal equipment, portable, pocket-sized, hand-held, computer-built-in or vehicle-mounted mobile devices, smart wearable devices, etc., for example personal communication service (PCS) phones, cordless telephones, session initiation protocol (SIP) phones, wireless local loop (WLL) stations, personal digital assistants (PDA), etc.
- the terminal device may also be a constrained device, such as a device with low power consumption, a device with limited storage capability, or a device with limited computing capability, etc.
- the terminal device may also include information sensing devices such as barcodes, radio frequency identification (RFID) tags, sensors, global positioning system (GPS) receivers and laser scanners.
- the terminal device may also be a wearable device.
- Wearable devices can also be called wearable smart devices, which is a general term for the application of wearable technology to intelligently design daily wear and develop wearable devices, such as glasses, gloves, watches, clothing and shoes.
- a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are not only a hardware device, but also achieve powerful functions through software support, data interaction, and cloud interaction.
- Generalized wearable smart devices include devices that are full-featured and large-sized and can realize complete or partial functions without relying on a smart phone, such as smart watches or smart glasses, as well as devices that focus on one certain type of application function and need to be used together with other devices such as smart phones, such as various smart bracelets, smart helmets and smart jewelry for physical sign monitoring.
- the network equipment in the embodiment of the present application may include access network (AN) equipment or radio access network (RAN) equipment, such as base stations (for example, access points); it may refer to a device in an access network that communicates with a wireless terminal device over an air interface through one or more cells.
- the base station can be used to convert received over-the-air frames to and from Internet Protocol (IP) packets, acting as a router between the terminal device and the rest of the access network, which can include the IP network.
- the network side device can also coordinate attribute management of the air interface.
- the network equipment may include an evolved NodeB (NodeB, eNB or e-NodeB, evolved Node B) in a long term evolution (LTE) system or a long term evolution-advanced (LTE-A) system; or a next generation node B (gNB) or a next generation evolved NodeB (ng-eNB) in the fifth generation mobile communication technology (5G) new radio (NR) system; or an en-gNB (enhanced next generation node B); or a centralized unit (CU) and a distributed unit (DU) in a cloud radio access network (Cloud RAN) system; or a relay device, which is not limited in this embodiment of the present application.
- the present application also provides another communication system, as shown in Figure 2; the communication system may also include functional entities such as a session management function (SMF), an access and mobility management function (AMF), a user plane function (UPF) and a data network (DN).
- Each function may be connected through an interface, and the serial number or name of the interface is not limited in this embodiment of the application.
- the interface defined in the 3GPP related standard protocol of the 5G system may be used, or the interface in the future communication system may be used.
- the terminal device communicates with the AMF through the next generation (N) 1 interface (N1 for short), the network device communicates with the AMF through the N2 interface (N2 for short), and the network device communicates with the local UPF through the N3 interface (N3 for short).
- the UPF communicates with the DN through the N6 interface (N6 for short).
- the AMF communicates with the SMF through the N11 interface (N11 for short), and the SMF communicates with the UPF through the N4 interface (N4 for short).
- Each function included in the communication system may also be called a functional entity, a network element or other names.
- SMF may be referred to as an SMF entity.
- each function in the embodiment of the present application can be realized by one device, by multiple devices, or by one or more functional modules in one device, and this embodiment of the present application does not specifically limit this.
- the various functions involved in the embodiments of the present application can be network elements in hardware devices, software functions running on dedicated hardware, or a combination of hardware and software, or platforms (for example, cloud platform) instantiated virtualization functions.
- each function may also include other functional entities formed by the fusion of any of the above-mentioned functions, for example a functional entity that has both session management and policy control capabilities.
- the communication systems shown in FIG. 1 to FIG. 2 do not constitute a limitation to the applicable communication systems of the embodiments of the present application.
- the number of terminal devices in Figure 2 is just an example.
- a network device can provide services for multiple terminal devices, and the network device, as well as all or part of the terminal devices among the multiple terminal devices, can all use this method.
- the method provided in the embodiment of the application determines the scheduling limit.
- the communication system architecture shown in FIG. 1 and/or FIG. 2 may be a non-roaming 5G system architecture.
- the method in the embodiment of the present application is also applicable to a roaming 5G system architecture and various communication networks in the future.
- Each function or device involved in the embodiment of the present application may also be referred to as a communication device, which may be a general-purpose device or a special-purpose device, which is not specifically limited in the embodiment of the present application.
- the embodiment of the present application provides a technical solution in which the first node and the second node release the connection after confirming the updated key and establish a connection using the new key, and thereby provides, for the converged communication scenario of different communication systems, a method that effectively improves the security of communication.
- the method and the device are based on the same technical conception. Since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method can be referred to each other, and repeated details are not described again.
- FIG. 3 is a flow chart of the method.
- the first node acquires a second key used for communication authentication with the second node.
- the second key in this embodiment of the present application is different from the pre-configured first key.
- the first key is used for communication authentication of the first communication connection
- the second key is used for communication authentication of the second communication connection
- the first key is a key derived (or negotiated) based on the first communication system
- the second key is a key derived (or negotiated) based on the second communication system
- the first communication system is different from the second communication system.
- the first communication system in this application may be a single communication system, such as a wireless short-distance communication system, a 5G cellular network communication system, an ultra-high reliability and low-latency communication system, an enhanced mobile broadband communication system, and a massive machine connection communication system, etc.
- the second communication system may be a communication system after the fusion of different communication systems, such as a communication system obtained after the fusion of a wireless short-distance communication system and a 5G cellular network communication system, or a communication system obtained after the fusion of a 5G cellular network communication system and an ultra-high reliability low-latency communication system.
- the first key may be a key used for authentication during the initial connection phase between the first node and the second node.
- the first key may be pre-configured between the first node and the second node before the initial connection; or, the first key may be determined by the second node and indicated to the first node through signaling; or, the first key may be determined by the first node and indicated to the second node through signaling, which is not limited in this application.
- the second key may be determined by the first node after the first node establishes the first communication connection with the second node, and indicated to the second node through signaling; or, the second key may be determined by the second node after the first node establishes the first communication connection with the second node, and indicated to the first node through signaling; or, the second key may be jointly negotiated by the first node and the second node after they establish the first communication connection, which is not limited in this application.
- the second key obtained by the first node and used for communication authentication with the second node has a certain validity period. It can be understood that if the second key is valid, it can be used for authentication of the second communication connection; if the second key is invalid, it cannot be used for authentication of the second communication connection. Further, after the second key becomes invalid, a key update can be performed.
- the method may also include step 1: the first node performs a fusion connection with the second node (that is, implements an initial authentication process in a scenario where different communication systems are converged).
- step 1 can be that the first node and the second node perform the authentication of the initial connection based on the first key, and after the first node and the second node determine that the authentication of the initial connection based on the first key is successful, the first node and the second node establish a first communication connection whose communication authentication is based on the first key.
- the second node acquires a second key used for communication authentication with the first node.
- the second node sends a release request for the first communication connection to the first node.
- the release request may include one or more of the following information 1 to information 4:
- Information 1: request reason information, where the request reason information is used to indicate a key update for communication authentication.
- Information 2: request time, where the request time is used to indicate the time when the second node sends the release request.
- the request time may be represented by a timestamp.
- Information 3: release time, where the release time is used to indicate the time when the first node releases the first communication connection.
- the release time may indicate a specific time; for example, if the specific time is the first minute after the first node receives the release request, then after receiving the release request the first node releases the first communication connection in the first minute after receipt, according to the release time included in the release request. Alternatively, the release time may indicate a specific time period; for example, if the specific time period is within five minutes after the first node receives the release request, then after receiving the release request the first node releases the first communication connection within five minutes after receipt, according to the release time included in the release request.
- Information 4: information used to indicate that wireless resources are suspended.
- the release request may also be used to indicate to suspend wireless resources.
- the release request may include information for indicating that the wireless resource corresponding to the first communication connection is suspended.
- after the first node and the second node determine that the first key used for communication authentication is updated to the second key, and when the first communication connection has been released but the second communication connection has not yet been successfully established, suspending rather than releasing the wireless resources corresponding to the first communication connection effectively facilitates rapid recovery of the communication link.
- the content of information 1 to 4 included in the release request is only an enumeration of the information included in the release request, and does not constitute a limitation on the information included in the release request.
- the release request received by the first node from the second node may include, but is not limited to, the following:
- the release request may be based on an improvement of the transmission signaling between the first node and the second node, or the release request may be carried on the transmission signaling between the first node and the second node.
- the release request may be included in the signaling sent by the first node to the second node to indicate the second key; or, the release request may be new signaling between the first node and the second node.
- the second node releases the first communication connection with the first node.
- after receiving the second key, the second node can determine that the key has been updated, and therefore the second node can trigger the release of the first communication connection with the first node and establish a second communication connection whose communication authentication is based on the second key.
- the second node may also receive a release request response from the first node, which is used to notify the second node that the first node has released the first communication connection.
- the second node may release the first communication connection with the first node before performing S302, that is, the second node releases the first communication connection with the first node after obtaining the second key; or, the second node may release the first communication connection with the first node after performing S302, that is, after the second node sends the release request for the first communication connection to the first node, it releases the first communication connection with the first node; or, the second node may also release the first communication connection with the first node after receiving the release request response from the first node and determining that the first node has completed the release of the first communication connection.
- the first node receives a release request for the first communication connection from the second node.
- the first node releases the first communication connection with the second node.
- the first node may trigger the release of the first communication connection with the second node.
- the first node may also send a response based on the release request to the second node, for notifying the second node of its release of the first communication connection.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the connection establishment request sent by the first node to the second node may include, but is not limited to, the following:
- the connection establishment request may be based on an improvement of the transmission signaling between the first node and the second node, or the connection establishment request may be carried on the transmission signaling between the first node and the second node; or, the connection establishment request may be new signaling between the first node and the second node.
- the connection establishment request may include one or more of the following information 1 to information 4:
- Information 1: request reason information, where the request reason information is used to indicate a key update for communication authentication.
- Information 2: request time, where the request time is used to indicate the time when the first node sends the connection establishment request.
- the request time may be represented by a timestamp.
- Information 3: connection establishment time, where the connection establishment time is used to indicate the time when the first node establishes the second communication connection with the second node.
- the connection establishment time may indicate a specific time; for example, if the specific time is the first minute after the second node receives the connection establishment request, then after receiving the connection establishment request the second node establishes a second communication connection with the first node in the first minute after receipt, according to the connection establishment time included in the request. Alternatively, the connection establishment time may indicate a specific time period; for example, if the specific time period is within five minutes after the second node receives the connection establishment request, then after receiving the connection establishment request the second node establishes a second communication connection with the first node within five minutes after receipt, according to the connection establishment time included in the connection establishment request.
- Information 4: information used to indicate connection recovery.
- the connection establishment request may be a connection recovery request between the first node and the second node. That is, after the first communication connection between the first node and the second node is released, when the first node and the second node need to establish a second communication connection whose communication authentication is based on the second key, the first node can send a connection recovery request to the second node. After receiving the connection recovery request, the second node establishes a communication connection with the first node.
- the contents of information 1 to 4 included in the above connection establishment request are only an enumeration of the information included in the connection establishment request, and do not constitute a limitation on the information included in the connection establishment request.
- the second node receives the connection establishment request sent from the first node.
- connection establishment request is used to request to establish a connection based on the second key, and may include: the connection establishment request is used to request to perform authentication and security context negotiation processes based on the second key.
- the authentication and security context negotiation process may include the identity authentication process of the first node and the second node (for example, the interaction of authentication information and authentication response).
- the content of the identity authentication process of the first and second nodes can be as follows:
- after the second node receives the connection establishment request sent by the first node, the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the authentication information is used to verify the identity of the second node, it can be understood that the first node can use the authentication information to verify whether the second communication connection with the second node can be established based on the second key.
- the authentication information may include an authentication vector calculated by the second node using the second key.
- the first node receives the authentication information based on the second key from the second node, and after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node.
- the authentication response is used to verify the identity of the first node.
- the authentication response is used to verify the identity of the first node, it can be understood that the second node can use the authentication response to verify whether the second communication connection with the first node can be established based on the second key.
- the first node may determine whether the second node passes the authentication according to the authentication vector calculated by the second node using the second key included in the received authentication information.
- after receiving the authentication information, the first node obtains from it the first authentication vector calculated by the second node based on the second key.
- the first node calculates a second authentication vector based on the second key, and then compares the first authentication vector with the second authentication vector. If the first authentication vector and the second authentication vector meet the authentication requirement (for example, the authentication requirement can be that the first authentication vector and the second authentication vector are the same, or that the sum of the first authentication vector and the second authentication vector is zero, etc.), then the first node determines that the second node has passed the authentication; if the first authentication vector and the second authentication vector do not meet the authentication requirement, the first node determines that the second node has not passed the authentication.
- the second node receives the authentication response sent by the first node, and performs identity verification on the first node based on the authentication response.
- Scenario 1: after obtaining the second key, the first node actively releases the first communication connection.
- the following steps may be performed in the method corresponding to the scenario.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the first node releases the first communication connection with the second node.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- the first node determines whether the second node is authenticated, if yes, executes S410, if not, executes S411.
- the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node, and proceed to S412.
- the authentication response includes authentication information generated based on the second key.
- the authentication information may include one or more of the following information 1 to 2:
- Information 1: the authentication vector obtained by the first node based on the second key, for example the second authentication vector in the example content of step S305 above.
- the content of information 1 to 2 included in the authentication information is only an enumeration of the information included in the authentication information, and does not constitute a limitation on the information included in the authentication information.
- after determining that the second node fails the authentication for the second communication connection based on the second key, the first node terminates the communication transmission.
- as an optional method in the present application, after the first node determines that the authentication of the second node has failed, the second node can also initiate communication authentication based on the second key again, and the communication transmission is terminated when the number of authentication failures reaches the threshold number of failures.
- the first node may send an authentication failure message to the second node after determining for the first time that the communication authentication of the second node based on the second key fails.
- the second node may send authentication information based on the second key to the first node again to re-authenticate.
- the first node receives authentication information based on the second key from the second node again and performs communication authentication. If the first node determines that the communication authentication of the second node based on the second key still fails in the second authentication, then the first node determines that the number of authentication failures has reached the threshold of 2, and terminates the communication transmission.
- the second node may also terminate the communication transmission; or, after the first node terminates the communication transmission, it may send a message for terminating the communication transmission to the second node, and the second node terminates the communication transmission after receiving the message for terminating the communication transmission from the first node.
- the second node receives the authentication response sent from the first node.
- the second node that receives the authentication response can judge whether the first node has passed the authentication according to the authentication information contained in the authentication response and generated based on the second key.
- for the specific judgment method, refer to the judging manner of the first node above; for brevity, details are not repeated here.
- the second node determines whether the first node is authenticated, if yes, executes S414, and if not, executes S415.
- after determining that the first node has passed the authentication, the second node establishes a second communication connection with the first node and continues to execute S416.
- the second node terminates the communication transmission after determining that the first node has failed authentication for the second communication connection based on the second key.
- the second node may send a message for terminating the communication transmission to the first node, and the first node terminates the communication transmission after receiving that message from the second node.
- after completing the establishment of the second communication connection with the second node, the first node notifies the second node that the establishment of the second communication connection is completed.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- the step numbers do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- S402 may take precedence over S401.
- the above-mentioned steps are not limited, and any additions, deletions, modifications, etc. to the above-mentioned steps belong to the protection scope of the present application.
- Scenario 2: after receiving the release request for the first communication connection from the second node, the first node releases the first communication connection.
- the method corresponding to the second scenario may perform the following steps.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the second node sends a release request for the first communication connection to the first node.
- the first node receives a release request for the first communication connection from the second node.
- the first node releases the first communication connection with the second node.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- the first node determines whether the second node is authenticated. If yes, execute S512. If not, execute S513.
- after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node, and proceeds to S514.
- after determining that the second node has failed authentication for the second communication connection based on the second key, the first node terminates the communication transmission.
- the second node receives the authentication response sent from the first node.
- the second node that receives the authentication response can determine whether the first node has passed the authentication according to the authentication information generated based on the second key and contained in the authentication response; the judgment method is the same as that of the first node above and is not described here for brevity.
- the second node determines whether the first node is authenticated, if yes, executes S516, and if not, executes S517.
- after determining that the first node has failed authentication for the second communication connection based on the second key, the second node terminates the communication transmission.
- after completing the establishment of the second communication connection with the second node, the first node notifies the second node that the establishment of the second communication connection is completed.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- the step numbers do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- S502 may take precedence over S501.
- the above-mentioned steps are not limited, and any additions, deletions, modifications, etc. to the above-mentioned steps belong to the protection scope of the present application.
- the second node may also suspend the backhaul link after releasing the first communication connection with the first node. Then, after the second node determines that the second communication connection is successfully established with the first node, the backhaul link may be activated.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the second node suspends the backhaul link with the third node.
- the second node sends a release request for the first communication connection to the first node.
- the first node receives a release request for the first communication connection from the second node.
- the first node releases the first communication connection with the second node.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node.
- the second node receives the authentication response sent from the first node.
- after determining that the first node has passed the authentication, the second node establishes a second communication connection with the first node.
- after completing the establishment of the second communication connection with the second node, the first node notifies the second node that the establishment of the second communication connection is completed.
- the second node activates the backhaul link after determining that the second communication connection is successfully established with the first node.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- the step numbers do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- S605 may take precedence over S604.
- the above-mentioned steps are not limited, and any additions, deletions, modifications, etc. to the above-mentioned steps belong to the protection scope of the present application.
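The Scenario 2 flow with backhaul suspension and activation (S601 to S617 above), as an added example that is not the patent's own code. It models the state each node must be in before it accepts the next message, so that the ordering the steps require is enforced: the second node suspends the backhaul link when it releases the first connection, refuses to forward anything for the third node while suspended, and activates the link only after the first node reports that the second connection is complete. Verification of the second-key authentication information and response is abstracted as an injected predicate (an assumption of this example), since the authentication itself is covered separately above.

```python
from enum import Enum, auto


class Conn(Enum):
    FIRST = auto()           # first communication connection (first key)
    RELEASED = auto()        # first connection released, nothing established yet
    AUTHENTICATING = auto()  # second-key authentication in progress
    SECOND = auto()          # second communication connection (second key)
    TERMINATED = auto()


class SecondNode:
    """Second node: releases, suspends its backhaul, then re-activates it."""

    def __init__(self, verify):
        self.state = Conn.FIRST
        self.backhaul_active = True   # backhaul link towards the third node
        self.forwarded = []           # what actually reached the third node
        self._verify = verify         # assumed stand-in for second-key verification

    def release_first_connection(self):
        if self.state is not Conn.FIRST:
            raise RuntimeError("no first connection to release")
        self.state = Conn.RELEASED
        self.backhaul_active = False  # suspend before sending the release request
        return "release-request"

    def on_connection_establishment_request(self):
        if self.state is not Conn.RELEASED:
            raise RuntimeError("establishment request while not released")
        self.state = Conn.AUTHENTICATING
        return "authentication-information"

    def on_authentication_response(self, response):
        if self.state is not Conn.AUTHENTICATING:
            raise RuntimeError("unexpected authentication response")
        if not self._verify(response):
            self.state = Conn.TERMINATED
            return False
        self.state = Conn.SECOND
        return True

    def on_establishment_complete(self):
        if self.state is Conn.SECOND:
            self.backhaul_active = True  # activate only once both sides are done

    def forward_to_third_node(self, data):
        if self.state is not Conn.SECOND or not self.backhaul_active:
            raise RuntimeError("backhaul suspended or second connection missing")
        self.forwarded.append(data)


class FirstNode:
    def __init__(self, verify):
        self.state = Conn.FIRST
        self._verify = verify

    def on_release_request(self):
        self.state = Conn.RELEASED
        return "connection-establishment-request"

    def on_authentication_information(self, info):
        if self.state is not Conn.RELEASED:
            raise RuntimeError("authentication information without a pending request")
        if not self._verify(info):
            self.state = Conn.TERMINATED
            return None
        self.state = Conn.AUTHENTICATING
        return "authentication-response"

    def complete_establishment(self):
        if self.state is not Conn.AUTHENTICATING:
            raise RuntimeError("cannot complete: authentication not finished")
        self.state = Conn.SECOND
        return "establishment-complete"

    def transmit(self, second, data):
        if self.state is not Conn.SECOND:
            raise RuntimeError("no second communication connection")
        second.forward_to_third_node(data)


def run_scenario2(first_accepts=True, second_accepts=True):
    """Drive the exchange in the order the steps prescribe; returns both nodes."""
    first = FirstNode(lambda msg: first_accepts)
    second = SecondNode(lambda msg: second_accepts)
    second.release_first_connection()
    first.on_release_request()
    info = second.on_connection_establishment_request()
    response = first.on_authentication_information(info)
    if response is None or not second.on_authentication_response(response):
        return first, second
    first.complete_establishment()
    second.on_establishment_complete()
    return first, second
```

With both sides accepting, the first node's transmission reaches the third node only after activation; if either verification fails, the node that detected it ends in the terminated state and the backhaul stays suspended.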
- the first node and the second node can also verify whether the second key is valid during the process of communication and transmission using the second key.
- the first node may judge whether the second key is valid and then notify the second node of the judgment result; or, the second node may judge whether the second key is valid and then notify the first node of the judgment result; or, both the first node and the second node may judge the validity of the second key.
- the second key is valid within a first duration.
- the first duration may be defined by a timer or a time stamp.
- the first duration can be counted from a first moment, and the first moment can be the moment when the first communication connection is released, or the moment when the second node receives the connection establishment request and/or the first node sends the connection establishment request; this is not specifically limited.
- Mode 1: the first node and the second node each determine whether the second key is valid based on their own corresponding timers.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the second node starts a corresponding second timer for determining the validity of the second key.
- the running duration of the second timer is the first duration.
- the second node sends a release request for the first communication connection to the first node.
- the first node receives a release request for the first communication connection from the second node.
- the first node releases the first communication connection with the second node.
- the first node starts a corresponding first timer for determining the validity of the second key.
- the running duration of the first timer is the first duration.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node.
- the second node receives the authentication response sent from the first node.
- after determining that the first node has passed the authentication, the second node establishes a second communication connection with the first node.
- after completing the establishment of the second communication connection with the second node, the first node notifies the second node that the establishment of the second communication connection is completed.
- the first node closes the corresponding first timer.
- the first node judges whether the first timer times out, and if it times out, executes S719, and if not, executes S720.
- the first node determines that the second key is invalid, and terminates communication transmission.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- after receiving the notification from the first node that the establishment of the second communication connection is completed, the second node closes the corresponding second timer.
- the second node judges whether the second timer times out, and if it times out, executes S723, and if not, executes S724.
- the second node determines that the second key is invalid, and terminates communication transmission.
- the second node sends the transmission information from the first node to the third node through the backhaul link between the second node and the third node.
- the moment at which the first node starts the corresponding first timer is not limited to after step S707 is performed; for example, the first node may also start the corresponding first timer after executing S709. Similarly, the moment at which the second node starts the corresponding second timer is not limited to after step S704 is performed; for example, the second node may also start the corresponding second timer after executing S710.
- the step numbers do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- S702 may take precedence over S701.
- the above-mentioned steps are not limited, and any additions, deletions, modifications, etc. to the above-mentioned steps belong to the protection scope of the present application.
- Mode 2: the first node and the second node jointly maintain the same timer to determine whether the second key is valid.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the second node starts a timer for determining the validity of the second key.
- the second node sends a release request for the first communication connection to the first node.
- the first node receives a release request for the first communication connection from the second node.
- the first node releases the first communication connection with the second node.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node.
- the second node receives the authentication response sent from the first node.
- after determining that the first node has passed the authentication, the second node establishes a second communication connection with the first node.
- after completing the establishment of the second communication connection with the second node, the first node notifies the second node that the establishment of the second communication connection is completed.
- the first node disables the timer.
- the first node judges whether the timer times out, and if it times out, executes S818, and if not, executes S819.
- the first node determines that the second key is invalid, and terminates communication transmission.
- the first node may also notify the second node of the second key invalidation result.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- the timer may also be started by the first node and turned off by the second node. For example, the first node starts the timer after executing S807, and the second node closes the timer after receiving in S815 the notification sent by the first node that the establishment of the second communication connection is completed, and then judges whether the second key is valid.
- the step numbers do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- S802 may take precedence over S801.
- the above-mentioned steps are not limited, and any additions, deletions, modifications, etc. to the above-mentioned steps belong to the protection scope of the present application.
- Manner 3: the first node and the second node determine whether the second key is valid based on the timestamp carried in the signaling.
- the first node and the second node establish a first communication connection based on the first key.
- the first node acquires a second key used for communication authentication with the second node.
- the second node acquires a second key used for communication authentication with the first node.
- the second node releases the first communication connection with the first node.
- the second node sends a release request for the first communication connection to the first node, where the release request carries the first timestamp.
- the first timestamp may be the time when the second node sends the release request to the first node.
- the second node records the first timestamp after sending the release request to the first node.
- the first node receives the release request for the first communication connection from the second node, and acquires the first timestamp.
- the first node releases the first communication connection with the second node.
- the first node sends a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- the second node receives the connection establishment request sent from the first node.
- the second node sends authentication information based on the second key to the first node, where the authentication information is used to verify the identity of the second node.
- the first node receives authentication information based on the second key from the second node.
- after determining that the second node has passed the authentication, the first node sends an authentication response to the authentication information to the second node, where the authentication response is used to verify the identity of the first node.
- the second node receives the authentication response sent from the first node.
- after determining that the first node has passed the authentication, the second node establishes a second communication connection with the first node.
- after completing the establishment of the second communication connection with the second node, the first node sends an establishment complete message to the second node, where the establishment complete message carries a second timestamp.
- the establishment complete message is used to notify the second node that the first node has completed the establishment of the second communication connection.
- the second time stamp may be the time when the first node sends the establishment completion message to the second node; or, the second time stamp may be the time when the first node completes the establishment of the second communication connection.
- the first node records the second timestamp.
- the first node determines whether the time difference between the second timestamp and the first timestamp is not greater than the first duration. If yes, perform S916; if not, perform S917.
- the first node performs information transmission with the third node through the backhaul link between the second node and the third node.
- the first node determines that the second key is invalid, and terminates communication transmission.
- after receiving the establishment complete message, the second node acquires the second timestamp.
- the second node determines whether the time difference between the second timestamp and the first timestamp is not greater than the first duration. If yes, perform S920; if not, perform S921.
- the second node sends the transmission information from the first node to the third node through the backhaul link between the second node and the third node.
- the second node determines that the second key is invalid, and terminates communication transmission.
- the method flow shown in FIG. 9 is only an example of the first node and the second node determining whether the second key is valid through the timestamp, and does not constitute a limitation on the method for determining whether the second key is valid through the timestamp; the method is not limited to the above steps, and any additions, deletions, modifications, etc. to the above steps belong to the protection scope of the present application.
- the content of judging the validity of the second key using Manner 3 is similar to the content of FIG. 9 above.
- this application further verifies whether the second key is valid during the process of communication and transmission between the first node and the second node using the second key, which can ensure the timeliness of the second key and better ensure the security of the communication transmission.
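The three validity checks above (Mode 1 with one timer per node, Mode 2 with a shared timer, and Manner 3 with the two signalled timestamps) as one added example; this is not the patent's own code. A settable clock is injected so the runs are deterministic, and the step references in comments point at the figures above; the timestamps and the first duration are constructed values. Mode 1 deliberately shows the case the text leaves open: because each node starts its own timer at a different moment, the first node may judge the key valid while the second node judges it expired, whereas Mode 2 and Manner 3 give both nodes the same answer.

```python
class FakeClock:
    """Settable clock so the example runs the same way every time."""

    def __init__(self, now=0.0):
        self.t = now

    def now(self):
        return self.t

    def set(self, t):
        self.t = t


class KeyValidityTimer:
    """Timer whose running duration is the first duration.

    A node starts it when the first connection is released (or when the
    connection establishment request is sent/received) and stops it when
    establishment of the second connection completes; the second key is
    invalid if the timer ran longer than the first duration.
    """

    def __init__(self, first_duration, clock):
        self.first_duration = first_duration
        self.clock = clock
        self.started_at = None
        self.stopped_at = None

    def start(self):
        self.started_at = self.clock()

    def stop(self):
        if self.started_at is None:
            raise RuntimeError("timer stopped before it was started")
        self.stopped_at = self.clock()

    def timed_out(self):
        if self.stopped_at is None:
            raise RuntimeError("timer has not been stopped yet")
        return self.stopped_at - self.started_at > self.first_duration


def mode1_key_valid(t_second_start, t_first_start, t_first_stop,
                    t_second_stop, first_duration):
    """Mode 1: each node keeps its own timer; returns (first_valid, second_valid)."""
    clock = FakeClock()
    second_timer = KeyValidityTimer(first_duration, clock.now)
    first_timer = KeyValidityTimer(first_duration, clock.now)
    clock.set(t_second_start)
    second_timer.start()          # second node, after S704 (or S710)
    clock.set(t_first_start)
    first_timer.start()           # first node, after S707 (or S709)
    clock.set(t_first_stop)
    first_timer.stop()            # first node closes its timer after S716
    clock.set(t_second_stop)
    second_timer.stop()           # second node closes its timer after the notification
    return (not first_timer.timed_out(), not second_timer.timed_out())


def mode2_key_valid(t_start, t_stop, first_duration):
    """Mode 2: one shared timer, started by one node and stopped by the other."""
    clock = FakeClock(t_start)
    timer = KeyValidityTimer(first_duration, clock.now)
    timer.start()
    clock.set(t_stop)
    timer.stop()
    return not timer.timed_out()


def manner3_key_valid(first_timestamp, second_timestamp, first_duration):
    """Manner 3: both nodes compare the timestamps carried in the signaling.

    The key is valid when the second timestamp (establishment complete)
    minus the first timestamp (release request) is not greater than the
    first duration; a second timestamp earlier than the first is rejected.
    """
    if second_timestamp < first_timestamp:
        raise ValueError("second timestamp precedes first timestamp")
    return second_timestamp - first_timestamp <= first_duration
```

In the Mode 1 run below the second node's timer starts at 0 and stops at 12 while the first node's starts at 3 and stops at 11 with a first duration of 10, so the two nodes disagree; the shared-timer and timestamp variants remove that ambiguity, which is why the text has the judging node notify the other of its result.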
- the present application provides a communication method in a scenario where different communication systems perform converged communication, which effectively improves communication security.
- the content of the above-mentioned Figures 3 to 9 does not constitute a limitation on the communication method provided by this application. Any modification to the content of the above-mentioned Figures 3 to 9 belongs to the scope of protection of this application.
- the contents of Figure 4, Figure 6 and Figure 7 above may be combined to obtain a communication scheme in which the backhaul link is suspended and activated and the validity of the second key is verified in Scenario 1, which can better reduce system overhead and improve communication security.
- the method and the device are conceived based on the same or similar technology. Since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method may refer to each other, and repeated content is not described again.
- the terms "system” and "network” in the embodiments of the present application may be used interchangeably.
- “and/or” describes the association relationship of associated objects, indicating that there may be three types of relationships; for example, A and/or B may mean three cases: A exists alone, A and B exist simultaneously, or B exists alone.
- the character "/" generally indicates that the contextual objects are an "or” relationship.
- “at least one” in this application refers to one or more; “a plurality” refers to two or more.
- terms such as “first”, “second”, and “third” are only used for the purpose of distinguishing descriptions, and should not be understood as indicating or implying relative importance. Neither should it be construed as indicating or implying an order.
- Reference to “one embodiment” or “some embodiments” or the like in this specification means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases “in one embodiment,” “in some embodiments,” “in other embodiments,” “in other embodiments,” etc.
- Fig. 10 is a schematic block diagram of an apparatus 1000 provided by an embodiment of the present application, which is used to realize the functions of the first apparatus or the second apparatus in the above method embodiment.
- the device may be a software module or a system on a chip.
- the system on a chip may consist of a chip, or may include a chip and other discrete devices.
- the apparatus 1000 includes a processing unit 1001 and a communication unit 1002.
- the communication unit 1002 is used to communicate with other devices, and can also be called a communication interface, a transceiver unit, or an input/output interface, etc.
- the above-mentioned device 1000 can be used to realize the function of the first device in the above method, and the device 1000 can be the first device, or a chip or a circuit configured in the first device.
- the processing unit 1001 may be configured to perform processing-related operations of the first device in the above method embodiments, and the communication unit 1002 may be configured to instruct the first device to perform transceiving-related operations in the above method embodiments.
- the processing unit 1001 is configured to obtain a second key used for communication authentication with the second node, where the second key is different from the pre-configured first key; the communication unit 1002 is configured to receive from the second node a release request for the first communication connection, where the first key is used for communication authentication of the first communication connection; the communication unit 1002 is further configured to send a connection establishment request to the second node, where the connection establishment request is used to request establishment of a connection based on the second key.
- that the connection establishment request is used to request establishment of a connection based on the second key includes that the connection establishment request is used to request performing an authentication and security context negotiation process based on the second key.
- the communication unit 1002 is further configured to receive authentication information based on the second key from the second node; the authentication information is used to verify the identity of the second node.
- that the authentication information is used to verify the identity of the second node includes that the authentication information is used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the communication unit 1002 is further configured to send an authentication response based on the second key to the second node, where the authentication response is used to verify the identity of the first node.
- that the authentication response is used to verify the identity of the first node includes that the authentication response is used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- the second key is valid within a first duration.
- the first duration is defined by a timer or a time stamp.
- the second key is valid within a first duration starting from a first moment, and the first moment is a moment when the first communication connection is released, or a moment when the connection establishment request is sent.
- the processing unit 1001 is further configured to perform information transmission with the third node through a backhaul link between the second node and the third node within the validity period of the second key.
- the first key is a key derived (or negotiated) based on the first communication system.
- the second key is a key derived (or negotiated) based on the second communication system.
- the first communication system is different from the second communication system.
- the above-mentioned device 1000 can be used to realize the function of the second device in the above method embodiment, and the device 1000 can be the second device, or a chip or a circuit configured in the second device.
- the processing unit 1001 may be used to perform processing related operations of the second device in the above method embodiments, and the communication unit 1002 may be used to perform sending and receiving related operations of the second device in the above method embodiments.
- the processing unit 1001 is configured to obtain a second key used for communication authentication with the first node, where the second key is different from the pre-configured first key; the communication unit 1002 is configured to send a release request for the first communication connection to the first node, where the first key is used for communication authentication of the first communication connection; the communication unit 1002 is further configured to receive a connection establishment request sent from the first node, where the connection establishment request is used to request establishment of a connection based on the second key.
- that the connection establishment request is used to request establishment of a connection based on the second key includes that the connection establishment request is used to request performing an authentication and security context negotiation process based on the second key.
- the communication unit 1002 is further configured to send authentication information based on the second key to the first node; the authentication information is used to verify the identity of the second node.
- that the authentication information is used to verify the identity of the second node includes that the authentication information is used by the first node to verify whether to establish a second communication connection with the second node based on the second key.
- the first key is a key derived (or negotiated) based on the first communication system.
- the second key is a key derived (or negotiated) based on the second communication system.
- the first communication system is different from the second communication system.
- the communication unit 1002 is further configured to receive an authentication response based on the second key from the first node; the authentication response is used to verify the identity of the first node.
- that the authentication response is used to verify the identity of the first node includes that the authentication response is used by the second node to verify whether to establish the second communication connection with the first node based on the second key.
- the release request includes request reason information; the request reason information is used to indicate key update for communication authentication.
- the second key is valid within a first duration.
- the first duration may be defined by a timer or a time stamp.
- the second key is valid within the first duration starting from the first moment, where the first moment is the moment when the first communication connection is released, or the moment when the second node receives the connection establishment request.
- the processing unit 1001 is further configured to send the transmission information from the first node to the third node through the backhaul link between the second node and the third node within the validity period of the second key.
- the processing unit 1001 is further configured to suspend the backhaul link.
- the processing unit 1001 is further configured to activate the backhaul link after determining that the second communication connection with the first node is successfully established; the second communication connection is based on the second key for communication authentication.
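The following is an added illustration of the key-update exchange described in the preceding items, written for this page; it is not code from the patent or from any implementation of it. The two classes model the first node and the second node: the second node releases the first connection with a key-update reason, its backhaul link is suspended and the validity window of the second key starts, the first node requests a connection based on the second key, the nodes exchange authentication information and an authentication response, and the backhaul is activated only once the second connection is up. The HMAC-based key derivation and authentication tags, the nonce exchange, the reason value and the 30-second timer are assumptions made for the example; the patent does not specify them. `stale_key_is_rejected` is the check a reviewer would want: a response computed under the old first key, or one arriving after the window, must not bring the second connection up.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this illustration; the patent fixes neither the
# reason encoding nor the duration.
REASON_KEY_UPDATE = b"key-update"
FIRST_DURATION = 30.0  # seconds the second key stays valid (timer-defined window)


def derive_key(system_secret: bytes, label: bytes) -> bytes:
    """Stand-in for key derivation within one communication system (assumption)."""
    return hmac.new(system_secret, label, hashlib.sha256).digest()


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts, so adjacent fields cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class FirstNode:
    def __init__(self, first_key: bytes, second_key: bytes):
        self.first_key, self.second_key = first_key, second_key
        self.active_key = first_key  # connection 1 is authenticated with key 1

    def on_release_request(self, reason: bytes) -> bool:
        """Release connection 1; re-establish only when the reason is a key update."""
        self.active_key = None
        return reason == REASON_KEY_UPDATE

    def connection_establishment_request(self) -> dict:
        self.nonce_a = secrets.token_bytes(16)
        return {"key_id": "second", "nonce_a": self.nonce_a}

    def on_authentication_info(self, info: dict):
        """Verify the second node's identity; answer with a response under key 2."""
        expected = tag(self.second_key, b"auth-info", self.nonce_a, info["nonce_b"])
        if not hmac.compare_digest(expected, info["tag"]):
            return None
        self.active_key = self.second_key
        return {"tag": tag(self.second_key, b"auth-resp", info["nonce_b"], self.nonce_a)}


class SecondNode:
    def __init__(self, first_key: bytes, second_key: bytes):
        self.first_key, self.second_key = first_key, second_key
        self.active_key = first_key
        self.key_valid_until = None
        self.backhaul_active = True

    def release_request(self, now: float) -> bytes:
        """Release connection 1: key 2's window starts now and the backhaul is suspended."""
        self.active_key = None
        self.key_valid_until = now + FIRST_DURATION
        self.backhaul_active = False
        return REASON_KEY_UPDATE

    def on_connection_establishment_request(self, req: dict, now: float):
        """Send authentication information only inside key 2's validity window."""
        if now > self.key_valid_until or req["key_id"] != "second":
            return None
        self.nonce_a, self.nonce_b = req["nonce_a"], secrets.token_bytes(16)
        return {"nonce_b": self.nonce_b,
                "tag": tag(self.second_key, b"auth-info", self.nonce_a, self.nonce_b)}

    def on_authentication_response(self, resp: dict, now: float) -> bool:
        """Verify the first node's identity; on success connection 2 is up and the backhaul resumes."""
        expected = tag(self.second_key, b"auth-resp", self.nonce_b, self.nonce_a)
        if now > self.key_valid_until or not hmac.compare_digest(expected, resp["tag"]):
            return False
        self.active_key = self.second_key
        self.backhaul_active = True
        return True


def _setup():
    k1 = derive_key(secrets.token_bytes(32), b"first-system")
    k2 = derive_key(secrets.token_bytes(32), b"second-system")
    return k1, k2, FirstNode(k1, k2), SecondNode(k1, k2)


def run_key_update(now: float = 1000.0, delay: float = 1.0) -> dict:
    """Drive the whole flow; `delay` is the time elapsed after the release request."""
    k1, k2, a, b = _setup()
    a.on_release_request(b.release_request(now))
    suspended = not b.backhaul_active
    info = b.on_connection_establishment_request(a.connection_establishment_request(), now + delay)
    resp = a.on_authentication_info(info) if info else None
    ok = resp is not None and b.on_authentication_response(resp, now + delay)
    return {"established": ok, "backhaul_suspended_during_update": suspended,
            "backhaul_active": b.backhaul_active,
            "keys_match": ok and a.active_key == b.active_key == k2}


def stale_key_is_rejected(now: float = 1000.0) -> bool:
    """Check: a response tagged under the old key 1 must not bring connection 2 up."""
    k1, _, a, b = _setup()
    a.on_release_request(b.release_request(now))
    b.on_connection_establishment_request(a.connection_establishment_request(), now)
    stale = {"tag": tag(k1, b"auth-resp", b.nonce_b, b.nonce_a)}
    return not b.on_authentication_response(stale, now) and not b.backhaul_active
```

Running `run_key_update()` returns a result with the second connection established, the backhaul suspended during the update and active afterwards; calling it with a `delay` larger than `FIRST_DURATION` models a connection establishment request that arrives after the window, which the second node ignores, so the backhaul stays suspended.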
- each functional unit may be integrated into one processor, or physically exist separately, or two or more units may be integrated into one unit.
- the above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.
- FIG. 11 is a schematic diagram of an apparatus 1100 provided by an embodiment of the present application.
- the apparatus 1100 may be a node, or a component in a node, such as a chip or an integrated circuit.
- the apparatus 1100 can include at least one processor 1102 and a communication interface 1104 .
- the device may further include at least one memory 1101 .
- a bus 1103 may also be included. Wherein, the memory 1101 , the processor 1102 and the communication interface 1104 are connected through a bus 1103 .
- the memory 1101 is used to provide a storage space, in which data such as operating systems and computer programs can be stored.
- the memory 1101 mentioned in the embodiment of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory can be random access memory (RAM), which acts as an external cache. Many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), serial link DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
- Processor 1102 is a module for performing arithmetic operations and/or logic operations; specifically, it may be a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor unit (MPU), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), a complex programmable logic device (CPLD), a coprocessor (which assists the central processing unit in completing the corresponding processing and applications), a microcontroller unit (MCU) or another processing module, or a combination of several of these.
- the processor is a general-purpose processor, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components
- the memory storage module may be integrated in the processor.
- Communication interface 1104 may be used to provide information input or output to the at least one processor, and/or to receive data sent from the outside and/or send data to the outside; it may be a wired link interface such as an Ethernet cable, or a wireless link interface (Wi-Fi, Bluetooth, general wireless transmission, vehicle short-range communication technology, etc.).
- the communication interface 1104 may further include a transmitter (such as a radio frequency transmitter, an antenna, etc.) or a receiver coupled with the interface.
- the above-mentioned device 1100 may be the first device in the above method embodiments or components in the first device, such as a chip or an integrated circuit.
- the processor 1102 in the device 1100 is used to read the computer program stored in the memory 1101, and control the first device to perform the following operations:
- the processor 1102 in the first device can also be used to read the program in the memory 1101 and execute the method flow executed by the first node in S300-S305 as shown in FIG. 3; or execute the method flow executed by the first node in S400-S417 shown in FIG. 4; or execute the method flow executed by the first node in S500-S519 shown in FIG. 5; or execute the method flow executed by the first node in S600-S617 shown in FIG. 6.
- the above-mentioned device 1100 may be the second device in the above method embodiment or a component in the second device, such as a chip or an integrated circuit.
- the processor 1102 in the device 1100 is used to read the computer program stored in the memory 1101, and control the second device to perform the following operations:
- the processor 1102 in the second device can also be used to read the program in the memory 1101 and execute the method flow executed by the second node in S300-S305 as shown in FIG. 3; or execute the method flow executed by the second node in S400-S417 shown in FIG. 4; or execute the method flow executed by the second node in S500-S519 shown in FIG. 5; or execute the method flow executed by the second node in S600-S617 shown in FIG. 6.
- the embodiment of the present application also provides a terminal, and the terminal may be an intelligent terminal such as a smart phone, a notebook, and a tablet computer with a short-distance communication function, a mouse, a keyboard, an earphone, an audio system, or a vehicle-mounted playback device.
- the terminal includes a first device and/or a second device, and the first device and the second device may be the first node and the second node in the embodiment shown in FIG. 3 above, respectively.
- the types of the first device and the second device may be the same or different.
- FIG. 12 shows a schematic structural diagram of a simplified terminal device.
- the terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input and output device.
- the processor is mainly used to process communication protocols and communication data, control terminal equipment, execute software programs, process data of software programs, and the like.
- Memory is primarily used to store software programs and data.
- the radio frequency circuit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
- Antennas are mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
- Input and output devices such as touch screens, display screens, and keyboards, are mainly used to receive data input by users and output data to users. It should be noted that some types of terminal equipment may not have input and output devices.
- When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the radio frequency circuit.
- the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
- Only one memory and one processor are shown in FIG. 12. In an actual terminal device product, there may be one or more processors and one or more memories.
- a memory may also be called a storage medium or a storage device. The memory may be set independently of the processor, or may be integrated with the processor, which is not limited in this embodiment of the present application.
- the antenna and the radio frequency circuit with the transceiver function may be regarded as the transceiver unit of the terminal device, and the processor with the processing function may be regarded as the processing unit of the terminal device.
- the terminal device includes a transceiver unit 1210 and a processing unit 1220 .
- the transceiver unit may also be referred to as a transceiver, a transceiver apparatus, a transceiver device, and the like.
- a processing unit may also be called a processor, a processing board, a processing module, a processing device, and the like.
- the device in the transceiver unit 1210 for realizing the receiving function may be regarded as a receiving unit
- the device in the transceiver unit 1210 for realizing the sending function may be regarded as a sending unit, that is, the transceiver unit 1210 includes a receiving unit and a sending unit.
- the transceiver unit may sometimes also be referred to as a transceiver, a transceiver apparatus, or a transceiver circuit.
- the receiving unit may sometimes be called a receiver, a receiving apparatus, or a receiving circuit, etc.
- the sending unit may sometimes be called a transmitter, a transmitting apparatus, or a transmitting circuit, etc.
- transceiver unit 1210 is used to perform the sending and receiving operations on the first node side in the method embodiment shown in FIG. 3 above, and the processing unit 1220 is used to perform the operations other than sending and receiving on the first node side in the method embodiment shown in FIG. 3.
- the transceiving unit 1210 is configured to perform the transceiving steps on the terminal device side in the embodiment shown in FIG. 3, such as S303 and S305, and/or other processes for supporting the technology described herein .
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 3 except the transceiving operation, such as S300, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is used to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 4 above, and the processing unit 1220 is used to perform the other operations on the terminal device side in the method embodiment shown in FIG. 4.
- the transceiving unit 1210 is configured to perform the transceiving steps at the terminal device side in the embodiment shown in FIG. 4 , such as S406, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 4 except for the transceiving operation, such as S409, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is used to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 5 above, and the processing unit 1220 is used to perform the other operations on the terminal device side in the method embodiment shown in FIG. 5.
- the transceiving unit 1210 is configured to perform the transceiving steps at the terminal device side in the embodiment shown in FIG. 5 , such as S508, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 5 except the transceiving operation, such as S511, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is used to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 6 above, and the processing unit 1220 is used to perform the other operations on the terminal device side in the method embodiment shown in FIG. 6.
- the transceiving unit 1210 is configured to perform the transceiving steps at the terminal device side in the embodiment shown in FIG. 6 , such as S606, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 6 except the transceiving operation, such as S604, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is used to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 7 above, and the processing unit 1220 is used to perform the other operations on the terminal device side in the method embodiment shown in FIG. 7.
- the transceiving unit 1210 is configured to perform the transceiving steps at the terminal device side in the embodiment shown in FIG. 7 , such as S706, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 7 except the transceiving operation, such as S704, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is used to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 8 above, and the processing unit 1220 is used to perform the other operations on the terminal device side in the method embodiment shown in FIG. 8.
- the transceiving unit 1210 is configured to perform the transceiving steps on the terminal device side in the embodiment shown in FIG. 8 , such as S806, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 8 except the transceiving operation, such as S804, and/or other processes for supporting the technology described herein.
- the transceiver unit 1210 is configured to perform the sending and receiving operations on the terminal device side in the method embodiment shown in FIG. 9 above, and the processing unit 1220 is configured to perform the other operations on the terminal device side in the method embodiment shown in FIG. 9.
- the transceiving unit 1210 is configured to perform the transceiving steps at the terminal device side in the embodiment shown in FIG. 9 , such as S905, and/or other processes for supporting the technology described herein.
- the processing unit 1220 is configured to execute other operations on the terminal device side in the embodiment shown in FIG. 9 except the transceiving operation, such as S915, and/or other processes for supporting the technology described herein.
- When the communication device is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input-output circuit or a communication interface;
- the processing unit is a processor or a microprocessor or an integrated circuit integrated on the chip.
- the embodiments of the present application also provide a computer-readable storage medium, including instructions, which, when run on a computer, cause the computer to execute the method described in the above embodiments.
- An embodiment of the present application further provides a system on chip, where the system on chip includes at least one processor and an interface circuit. Further optionally, the chip system may further include a memory or an external memory. The processor is configured to perform instruction and/or data interaction through the interface circuit, so as to implement the methods in the above method embodiments.
- the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
- the embodiments of the present application also provide a computer program product, including instructions, which, when run on a computer, cause the computer to execute the method described in the above embodiments.
- the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a coprocessor, etc., which can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application.
- a general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
- the memory may be a non-volatile memory, such as a hard disk (hard disk drive, HDD) or a solid-state drive (solid-state drive, SSD), etc., and may also be a volatile memory (volatile memory), such as Random-access memory (RAM).
- the memory may be, but is not limited to, any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function, and is used for storing program instructions and/or data.
- the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- When implemented using software, the methods may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
- the computer may be a general purpose computer, a special purpose computer, a computer network, network equipment, user equipment or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
- the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital video disc (digital video disc, DVD for short)), or a semiconductor medium (for example, SSD).
- the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- if the functions described above are realized in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
- the technical solution of the present application, in essence, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, and other media that can store program code.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (26)
- A communication method, characterized in that the method comprises: obtaining a second key used for communication authentication with a second node, the second key being different from a pre-configured first key; receiving, from the second node, a release request for a first communication connection, the first key being used for communication authentication of the first communication connection; and sending a connection establishment request to the second node, the connection establishment request being used to request establishment of a connection based on the second key.
- The method according to claim 1, characterized in that the connection establishment request being used to request establishment of a connection based on the second key comprises: the connection establishment request being used to request execution of an authentication and security context negotiation procedure based on the second key.
- The method according to claim 1 or 2, characterized in that the method further comprises: receiving, from the second node, authentication information based on the second key; the authentication information being used to verify the identity of the second node.
- The method according to claim 3, characterized in that the method further comprises: sending, to the second node, an authentication response based on the second key, the authentication response being used to verify the identity of the first node.
- The method according to any one of claims 1 to 4, characterized in that the release request includes request reason information; the request reason information is used to indicate a key update for communication authentication.
- The method according to any one of claims 1 to 5, characterized in that the second key is valid within a first duration, the first duration being defined by a timer or a time stamp.
- The method according to claim 6, characterized in that the second key is valid within the first duration starting from a first moment, the first moment being the moment at which the first communication connection is released, or the moment at which the connection establishment request is sent.
- The method according to any one of claims 1 to 7, characterized in that the method further comprises: within the validity period of the second key, transmitting information with a third node via a backhaul link between the second node and the third node.
- The method according to any one of claims 1 to 8, characterized in that the first key is a key derived based on a first communication system, and/or the second key is a key derived based on a second communication system, the first communication system being different from the second communication system.
- A communication method, characterized by comprising: obtaining a second key used for communication authentication with a first node, the second key being different from a pre-configured first key; sending, to the first node, a release request for a first communication connection, the first key being used for communication authentication of the first communication connection; and receiving a connection establishment request sent from the first node, the connection establishment request being used to request establishment of a connection based on the second key.
- The method according to claim 10, characterized in that the connection establishment request being used to request establishment of a connection based on the second key comprises: the connection establishment request being used to request execution of an authentication and security context negotiation procedure based on the second key.
- The method according to claim 10 or 11, characterized in that the method further comprises: sending, to the first node, authentication information based on the second key; the authentication information being used to verify the identity of the second node.
- The method according to claim 12, characterized in that the method further comprises: receiving, from the first node, an authentication response based on the second key; the authentication response being used to verify the identity of the first node.
- The method according to any one of claims 10 to 13, characterized in that the release request includes request reason information; the request reason information is used to indicate a key update for communication authentication.
- The method according to any one of claims 10 to 14, characterized in that the second key is valid within a first duration, the first duration may be defined by a timer or a time stamp.
- The method according to claim 15, characterized in that the second key is valid within the first duration starting from a first moment, the first moment being the moment at which the first communication connection is released, or the moment at which the second node receives the connection establishment request.
- The method according to any one of claims 10 to 16, characterized in that the method further comprises: within the validity period of the second key, sending transmission information from the first node to a third node via a backhaul link between the second node and the third node.
- The method according to claim 17, characterized in that, after releasing the first communication connection with the first node, the method further comprises: suspending the backhaul link.
- The method according to claim 18, characterized in that the method further comprises: after determining that a second communication connection with the first node has been successfully established, activating the backhaul link; the second communication connection being communication-authenticated based on the second key.
- A communication apparatus, characterized by comprising: a processing module, configured to obtain a second key used for communication authentication with a second node, the second key being different from a pre-configured first key; a communication module, configured to receive, from the second node, a release request for a first communication connection, the first key being used for communication authentication of the first communication connection; the communication module being further configured to send a connection establishment request to the second node, the connection establishment request being used to request establishment of a connection based on the second key.
- A communication apparatus, characterized by comprising: a processing module, configured to obtain a second key used for communication authentication with a first node, the second key being different from a pre-configured first key; a communication module, configured to send, to the first node, a release request for a first communication connection, the first key being used for communication authentication of the first communication connection; the communication module being further configured to receive a connection establishment request sent from the first node, the connection establishment request being used to request establishment of a connection based on the second key.
- A communication apparatus, characterized by comprising at least one processor and an interface circuit; the interface circuit provides programs or instructions to the at least one processor, and the at least one processor, by means of logic circuits or by executing the programs or instructions, causes the device in which the communication apparatus is located to perform the method according to any one of claims 1 to 9.
- A communication apparatus, characterized by comprising at least one processor and an interface circuit; the interface circuit provides programs or instructions to the at least one processor, and the at least one processor, by means of logic circuits or by executing the programs or instructions, causes the device in which the communication apparatus is located to perform the method according to any one of claims 10 to 19.
- A communication system, characterized by comprising the communication apparatus according to claim 20 or 22, and the communication apparatus according to claim 21 or 23.
- A computer-readable storage medium, characterized by comprising program instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 19.
- A terminal, characterized by comprising a first node performing the method according to any one of claims 1 to 9, and/or a second node performing the method according to any one of claims 10 to 19.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22863286.5A EP4387302A1 (en) | 2021-08-30 | 2022-08-25 | Communication method, apparatus and system |
KR1020247010737A KR20240049384A (ko) | 2021-08-30 | 2022-08-25 | 통신 방법, 장치 및 시스템 |
US18/592,062 US20240205674A1 (en) | 2021-08-30 | 2024-02-29 | Communication method, apparatus, and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111005514.2A CN115734219A (zh) | 2021-08-30 | 2021-08-30 | 一种通信方法、装置及系统 |
CN202111005514.2 | 2021-08-30 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/592,062 Continuation US20240205674A1 (en) | 2021-08-30 | 2024-02-29 | Communication method, apparatus, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023030148A1 true WO2023030148A1 (zh) | 2023-03-09 |
Family
ID=85290928
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/114680 WO2023030148A1 (zh) | 2021-08-30 | 2022-08-25 | 一种通信方法、装置及系统 |
Country Status (5)
Country | Link |
---|---|
US (1) | US20240205674A1 (zh) |
EP (1) | EP4387302A1 (zh) |
KR (1) | KR20240049384A (zh) |
CN (1) | CN115734219A (zh) |
WO (1) | WO2023030148A1 (zh) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101400059A (zh) * | 2007-09-28 | 2009-04-01 | 华为技术有限公司 | 一种active状态下的密钥更新方法和设备 |
US20160295406A1 (en) * | 2013-11-14 | 2016-10-06 | Samsung Electronics Co., Ltd. | Method and apparatus for managing security key in a near field d2d communication system |
WO2019213925A1 (zh) * | 2018-05-10 | 2019-11-14 | 华为技术有限公司 | 密钥更新方法、设备和存储介质 |
CN112771815A (zh) * | 2020-03-31 | 2021-05-07 | 华为技术有限公司 | 密钥处理方法和装置 |
2021
- 2021-08-30 CN CN202111005514.2A patent/CN115734219A/zh active Pending
2022
- 2022-08-25 WO PCT/CN2022/114680 patent/WO2023030148A1/zh active Application Filing
- 2022-08-25 KR KR1020247010737A patent/KR20240049384A/ko active Search and Examination
- 2022-08-25 EP EP22863286.5A patent/EP4387302A1/en active Pending
2024
- 2024-02-29 US US18/592,062 patent/US20240205674A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4387302A1 (en) | 2024-06-19 |
CN115734219A (zh) | 2023-03-03 |
KR20240049384A (ko) | 2024-04-16 |
US20240205674A1 (en) | 2024-06-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7410930B2 (ja) | 無線通信ネットワークにおける非アクセス階層通信の保護 | |
CN114557059A (zh) | 处理时间同步报文的方法和装置 | |
WO2020211778A1 (zh) | 小区切换方法以及装置 | |
WO2020098719A1 (zh) | 一种通信方法及其装置 | |
WO2019085676A1 (zh) | 无人机与控制器的通信方法及设备 | |
WO2021023088A1 (zh) | 数据传输的方法和装置 | |
US20230092744A1 (en) | Ckey obtaining method and apparatus | |
WO2023030148A1 (zh) | 一种通信方法、装置及系统 | |
US20230021397A1 (en) | Time Synchronization Packet Processing Method and Apparatus | |
CN112654046A (zh) | 用于注册的方法和装置 | |
WO2022160205A1 (zh) | 一种数据传输方法、终端设备和网络设备 | |
WO2021184219A1 (zh) | 连接云端的方法和终端设备 | |
CN112154682B (zh) | 密钥更新方法、设备和存储介质 | |
WO2023125342A1 (zh) | 通信方法、装置及系统 | |
US20240244681A1 (en) | Communication method, apparatus, and system | |
WO2024087072A1 (zh) | 一种通信方法、装置及系统 | |
WO2023273880A1 (zh) | 传输方式切换的方法和相关装置 | |
WO2021057456A1 (zh) | 用于注册的方法和装置 | |
EP4391614A1 (en) | Communication method, apparatus and system | |
WO2023137760A1 (zh) | 无线通信方法、远端ue、ausf以及amf | |
WO2024065765A1 (zh) | 安全建立的方法、通信方法及装置 | |
WO2023142815A1 (zh) | 通信的方法和装置 | |
WO2023185960A1 (zh) | 通信方法及装置 | |
WO2023213184A1 (zh) | 一种通信方法及通信装置 | |
WO2023056852A1 (zh) | 一种通信方法、装置及系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22863286; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2024513466; Country of ref document: JP |
| ENP | Entry into the national phase | Ref document number: 2022863286; Country of ref document: EP; Effective date: 20240313 |
| ENP | Entry into the national phase | Ref document number: 20247010737; Country of ref document: KR; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |