WO2023051409A1 - Communication method and apparatus - Google Patents



Publication number
WO2023051409A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2022/120943
Other languages
English (en)
Chinese (zh)
Inventor
徐小英
娄崇
Original Assignee
华为技术有限公司


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03: Protecting confidentiality, e.g. by encryption
    • H04W 12/033: Protecting confidentiality, e.g. by encryption, of the user plane, e.g. user's traffic
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041: Key generation or derivation
    • H04W 12/10: Integrity
    • H04W 12/106: Packet or message integrity

Definitions

  • the present application relates to the technical field of communication, and in particular to a communication method and device.
  • Wireless communication transmission is divided into user plane transmission and control plane transmission.
  • User plane transmission is mainly used to transmit user plane data
  • control plane transmission is mainly used to transmit control plane signaling.
  • the sending end and the receiving end can perform security processing on user plane data and control plane signaling.
  • the sending end encrypts the data, and correspondingly, the receiving end decrypts the data, to prevent the data from being read by a third party;
  • the sending end performs integrity protection processing on the data, and correspondingly, the receiving end performs integrity verification on the data, to prevent the data from being tampered with by a third party.
  • user plane transmission can also be used to transmit user plane control information. Since some user plane control information is important, if an illegitimate base station or terminal falsifies or monitors such user plane control information, it poses a great security risk to wireless communication. Therefore, how to perform security processing on user plane control information still needs further research.
  • the present application provides a communication method and device, which are used to implement security processing on user plane control information and improve the security of user plane control information.
  • the communication method provided in this application may be executed by two communication devices, which are respectively a first communication device and a second communication device.
  • the first communication device is a sending end, configured to execute the first security processing
  • the second communication device is a receiving end, configured to execute the second security processing.
  • the second security processing is a reverse process of the first security processing, for example, the first security processing includes encryption processing and/or integrity protection processing, and the second security processing includes decryption processing and/or integrity verification processing.
  • the first communication device may be an access network device or a chip set in the access network device, or may be a DU or a chip set in the DU, and the second communication device may be a terminal device or a chip set in the terminal device;
  • or, the first communication device may be a terminal device or a chip set in the terminal device, and the second communication device may be an access network device or a chip set in the access network device, or may be a DU or a chip set in the DU.
  • the embodiment of the present application provides a communication method, which can be applied to the first communication device.
  • the first communication device performs the first security processing on the user plane control information at the MAC layer to obtain a MAC PDU, and sends the MAC PDU to the second communication device;
  • the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the second communication device to perform the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information obtained after the first security processing; N and M are integers greater than or equal to 1.
  • the MAC PDU generated by the first communication device performing the first security processing on the user plane control information may include N first MAC sub-PDUs and M second MAC sub-PDUs; the N first MAC sub-PDUs are additionally generated MAC sub-PDUs used to protect the M second MAC sub-PDUs. In this way the user plane control information can be security processed while the existing MAC PDU format is affected as little as possible, and one or more MAC CEs or MAC SDUs in the MAC PDU can be flexibly selected for security processing.
  • the user plane control information includes M MAC CEs and/or MAC SDUs, where the MAC SDUs include control PDUs from the PDCP layer, control PDUs from the RLC layer, or control PDUs from the SDAP layer.
  • the user plane control information includes at least one of the following: a MAC CE generated by the MAC layer; a control PDU from the PDCP layer; a control PDU from the RLC layer; and a control PDU from the SDAP layer.
  • the first MAC sub-PDU includes indication information, and the indication information is used to indicate a second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the indication information is carried in the MAC subheader of the first MAC sub-PDU, or the indication information is carried in the MAC CE of the first MAC sub-PDU.
  • the MAC subheader of the first MAC sub-PDU includes a preset logical channel identifier, and the preset logical channel identifier is used to indicate that the MAC sub-PDU including the preset logical channel identifier is a first MAC sub-PDU.
  • the MAC CE of the first MAC sub-PDU includes at least one of the following: the sequence number of the second MAC sub-PDU corresponding to the first MAC sub-PDU; the count value of the second MAC sub-PDU corresponding to the first MAC sub-PDU; the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the method further includes: the first communication device sends enabling information to the second communication device, and the enabling information is used to enable the second communication device to perform the first security processing and/or the second security processing at the MAC layer; in this way, the first communication device can flexibly control whether the second communication device enables the security processing function.
  • the method further includes: receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of a second MAC sub-PDU included in the MAC PDU has failed, and the notification information includes the logical channel identifier corresponding to the second MAC sub-PDU that failed the second security processing and/or the number of second MAC sub-PDUs that failed the second security processing.
  • the method further includes: receiving enabling information from the second communication device, where the enabling information is used to enable the first communication device to perform the first security processing and/or the second security processing.
  • the first communication device performing the first security processing on the user plane control information at the MAC layer includes: the first communication device uses a first key to perform the first security processing on the user plane control information at the MAC layer, where the first key is derived from at least one of a second key, a third key, and a fourth key; the second key is used to derive the third key and the fourth key, the third key is used to perform the first security processing or the second security processing on control plane signaling, and the fourth key is used to perform the first security processing or the second security processing on user plane data.
  • the first key used by the first communication device for security processing at the MAC layer is different from the keys used for security processing at the PDCP layer (control plane signaling, user plane data, and so on are all security processed at the PDCP layer), so that in the CU-DU separation architecture key isolation between the CU and the DU can be realized, avoiding the situation in which the security of the CU cannot be guaranteed after the first key used by the DU is stolen.
  • the embodiment of the present application provides a communication method, which can be applied to the second communication device. In this method, the second communication device receives a MAC PDU from the first communication device, the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information obtained after the first security processing, and N and M are integers greater than or equal to 1; the second communication device performs the second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU according to the first MAC sub-PDU.
  • the user plane control information includes at least one of the following: a MAC CE generated by the MAC layer; a control PDU from the PDCP layer; a control PDU from the RLC layer; and a control PDU from the SDAP layer.
  • the first MAC sub-PDU includes indication information, and the indication information is used to indicate a second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the indication information is carried in the MAC subheader of the first MAC sub-PDU, or the indication information is carried in the MAC CE of the first MAC sub-PDU.
  • the MAC subheader of the first MAC sub-PDU includes a preset logical channel identifier, and the preset logical channel identifier is used to indicate that the MAC sub-PDU including the preset logical channel identifier is a first MAC sub-PDU.
  • the MAC CE of the first MAC sub-PDU includes at least one of the following: the sequence number of the second MAC sub-PDU corresponding to the first MAC sub-PDU; the count value of the second MAC sub-PDU corresponding to the first MAC sub-PDU; the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the method further includes: receiving enabling information from the first communication device, where the enabling information is used to enable the second communication device to perform the first security processing and/or the second security processing.
  • the method further includes: receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of a second MAC sub-PDU included in the MAC PDU has failed, and the notification information includes the logical channel identifier corresponding to the second MAC sub-PDU that failed the second security processing and/or the number of second MAC sub-PDUs that failed the second security processing.
  • the method further includes: the second communication device sends enabling information to the first communication device, where the enabling information is used to enable the first communication device to perform the first security processing and/or the second security processing.
  • the second communication device performing the second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU according to the first MAC sub-PDU includes: the second communication device uses a first key to perform the second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU according to the first MAC sub-PDU, where the first key is derived from at least one of a second key, a third key, and a fourth key; the second key is used to derive the third key and the fourth key, the third key is used to perform the first security processing or the second security processing on control plane signaling, and the fourth key is used to perform the first security processing or the second security processing on user plane data.
  • an embodiment of the present application provides a communication system, which may include a first communication device and a second communication device, where the first communication device is used to perform the method described in the first aspect above, and the second communication device is used to perform the method described in the second aspect above.
  • the embodiment of the present application provides a communication system, which may include a CU and a DU; the CU is used to determine the first key and send the first key to the DU; the DU is used to receive the first key and use the first key to perform the first security processing and/or the second security processing at the MAC layer.
  • the DU is specifically used to: use the first key to perform the first security processing on the user plane control information at the MAC layer to obtain a MAC PDU, and send the MAC PDU to the terminal device; the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the second communication device to perform the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, the M second MAC sub-PDUs include the user plane control information or the first user plane control information obtained after the first security processing, and N and M are integers greater than or equal to 1.
  • the DU is specifically used to: receive a MAC PDU from a terminal device, where the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information obtained after the first security processing, and N and M are integers greater than or equal to 1; and, according to the first MAC sub-PDU, use the first key to perform the second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the CU is specifically configured to: receive a second key from a core network element; derive a third key and a fourth key from the second key, where the third key is used to perform the first security processing or the second security processing on control plane signaling, and the fourth key is used to perform the first security processing or the second security processing on user plane data; and derive the first key from at least one of the second key, the third key, and the fourth key.
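The MAC PDU layout and the key hierarchy described above can be exercised end to end with the following Python example. It is an added illustration written for this page, not code from the patent or its assignee, and it makes several assumptions the page leaves open: the preset logical channel identifier value (61), a toy two-byte sub-header, HMAC-SHA256 with a truncated 4-byte tag as the integrity protection parameter, an HKDF-style expand step as the key derivation function, the first (MAC-layer) key being derived from the fourth (user plane) key, and each first MAC sub-PDU being placed immediately before the second MAC sub-PDU it protects. Only integrity protection is shown; ciphering is omitted. The receiver returns, alongside the accepted sub-PDUs, the logical channel identifiers of those that failed verification, which is the content of the notification information in the text, and it also rejects a count value below a caller-supplied floor so that a replayed sub-PDU fails even though its tag is valid.

```python
import hashlib
import hmac
import struct

# Assumed placeholder: the preset LCID marking a "first MAC sub-PDU".
# The page only says such a reserved identifier exists; the value is ours.
PRESET_LCID = 61
MAC_I_LEN = 4  # truncated tag length in bytes (assumption)


def hkdf_expand(key: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256, used here as the key derivation step."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(k_second: bytes) -> dict:
    """Key hierarchy from the text: the second key yields the third (control plane)
    and fourth (user plane) keys; the first (MAC-layer) key is derived from the
    fourth key (our choice among 'at least one of' second/third/fourth), so the
    MAC-layer key differs from every key used at the PDCP layer."""
    k_third = hkdf_expand(k_second, b"cp-key")
    k_fourth = hkdf_expand(k_second, b"up-key")
    k_first = hkdf_expand(k_fourth, b"mac-layer-key")
    return {"second": k_second, "third": k_third, "fourth": k_fourth, "first": k_first}


def encode_subpdu(lcid: int, payload: bytes) -> bytes:
    """Toy sub-PDU: 1-byte subheader carrying a 6-bit LCID, 1-byte length, payload."""
    if not (0 <= lcid < 64 and len(payload) < 256):
        raise ValueError("lcid or payload out of range for the toy format")
    return bytes([lcid & 0x3F, len(payload)]) + payload


def mac_i(k_first: bytes, count: int, lcid: int, payload: bytes) -> bytes:
    """Integrity tag over COUNT, target LCID and the protected sub-PDU payload."""
    msg = struct.pack(">IB", count, lcid) + payload
    return hmac.new(k_first, msg, hashlib.sha256).digest()[:MAC_I_LEN]


def build_mac_pdu(k_first: bytes, control_subpdus, count_start: int) -> bytes:
    """Sender (first security processing). control_subpdus is the list of M second
    sub-PDUs as (lcid, payload); each gets one first sub-PDU whose MAC CE carries
    (sequence number, COUNT, MAC-I) and which is placed right before its target."""
    out = b""
    for sn, (lcid, payload) in enumerate(control_subpdus):
        count = count_start + sn
        ce = struct.pack(">BI", sn, count) + mac_i(k_first, count, lcid, payload)
        out += encode_subpdu(PRESET_LCID, ce) + encode_subpdu(lcid, payload)
    return out


def parse_mac_pdu(data: bytes):
    """Split a MAC PDU into (lcid, payload) sub-PDUs; reject truncated input."""
    subpdus, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated MAC sub-PDU")
        lcid, length = data[i] & 0x3F, data[i + 1]
        subpdus.append((lcid, data[i + 2 : i + 2 + length]))
        i += 2 + length
    return subpdus


def verify_mac_pdu(k_first: bytes, data: bytes, min_count: int = 0):
    """Receiver (second security processing). Returns (accepted, failures):
    accepted is the list of verified second sub-PDUs in order, failures the
    LCIDs of second sub-PDUs that failed, i.e. the notification information.
    A second sub-PDU with no valid first sub-PDU covering it is a failure too."""
    subpdus = parse_mac_pdu(data)
    second = [s for s in subpdus if s[0] != PRESET_LCID]
    status = {}
    for lcid, ce in subpdus:
        if lcid != PRESET_LCID or len(ce) != 5 + MAC_I_LEN:
            continue  # not a first sub-PDU, or a malformed MAC CE: no target identified
        sn, count = struct.unpack(">BI", ce[:5])
        if sn >= len(second):
            continue
        t_lcid, t_payload = second[sn]
        ok = count >= min_count and hmac.compare_digest(
            ce[5:], mac_i(k_first, count, t_lcid, t_payload))
        status[sn] = ok and status.get(sn, True)
    accepted, failures = [], []
    for sn, (lcid, payload) in enumerate(second):
        (accepted if status.get(sn) else failures).append((lcid, payload) if status.get(sn) else lcid)
    return accepted, failures


if __name__ == "__main__":
    keys = derive_keys(b"\x01" * 32)  # constructed second key
    ctrl = [(1, b"RLC STATUS"), (2, b"PDCP CTRL")]  # constructed user plane control info
    pdu = build_mac_pdu(keys["first"], ctrl, count_start=100)
    print("intact:", verify_mac_pdu(keys["first"], pdu))
    bad = bytearray(pdu); bad[-1] ^= 0xFF  # flip one byte of the last payload
    print("tampered:", verify_mac_pdu(keys["first"], bytes(bad)))
    print("replayed:", verify_mac_pdu(keys["first"], pdu, min_count=101))
```

Running the module shows the intact PDU accepted with no failures, the tampered PDU reporting LCID 2 in the failure list, and the stale PDU (count floor raised to 101) reporting LCID 1, since only its first sub-PDU carries a COUNT below the floor.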
  • the present application provides a communication device, which has the function of realizing the first aspect above; for example, the communication device includes a corresponding module, unit or means for performing the operations involved in the first aspect above, and the module, unit or means may be realized by software, by hardware, or by hardware executing corresponding software.
  • the communication device includes a processing unit and a communication unit, where the communication unit can be used to send and receive signals to realize communication between the communication device and other devices, for example, the communication unit is used to receive configuration information from the terminal device; the processing unit can be used to perform some internal operations of the communication device.
  • the functions performed by the processing unit and the communication unit may correspond to the operations involved in the first aspect above.
  • the communication device includes a processor, and the processor can be used to be coupled with the memory.
  • the memory may store necessary computer programs or instructions to realize the functions referred to in the first aspect above.
  • the processor may execute the computer program or instruction stored in the memory, and when the computer program or instruction is executed, the communication device may implement the method in any possible design or implementation manner in the first aspect above.
  • the communication device includes a processor and a memory, and the memory can store necessary computer programs or instructions for realizing the functions mentioned in the above first aspect.
  • the processor may execute the computer program or instruction stored in the memory, and when the computer program or instruction is executed, the communication device may implement the method in any possible design or implementation manner in the first aspect above.
  • the communication device includes a processor and an interface circuit, where the processor is used to communicate with other devices through the interface circuit and to perform the method in any possible design or implementation of the first aspect above.
  • the present application provides a communication device, which is capable of realizing the functions involved in the second aspect above; for example, the communication device includes a module, unit or means corresponding to performing the operations involved in the second aspect above, and the module, unit or means may be realized by software, by hardware, or by hardware executing corresponding software.
  • the communication device includes a processing unit and a communication unit, where the communication unit can be used to send and receive signals to realize communication between the communication device and other devices, for example, the communication unit is used to send system information; the processing unit can be used to perform some internal operations of the communication device.
  • the functions performed by the processing unit and the communication unit may correspond to the operations involved in the second aspect above.
  • the communication device includes a processor, and the processor can be used to be coupled with the memory.
  • the memory may store necessary computer programs or instructions to realize the functions referred to in the second aspect above.
  • the processor may execute the computer program or instruction stored in the memory, and when the computer program or instruction is executed, the communication device may implement the method in any possible design or implementation manner of the second aspect above.
  • the communication device includes a processor and a memory, and the memory can store necessary computer programs or instructions for realizing the functions mentioned in the second aspect above.
  • the processor may execute the computer program or instruction stored in the memory, and when the computer program or instruction is executed, the communication device may implement the method in any possible design or implementation manner of the second aspect above.
  • the communication device includes a processor and an interface circuit, where the processor is used to communicate with other devices through the interface circuit and to execute the method in any possible design or implementation of the second aspect above.
  • the processor can be implemented by hardware or by software.
  • when implemented by hardware, the processor can be a logic circuit, an integrated circuit, or the like; when implemented by software, the processor may be a general-purpose processor, realized by reading software code stored in the memory.
  • there may be one or more processors, and one or more memories.
  • the memory can be integrated with the processor, or the memory can be separated from the processor.
  • the memory and the processor can be integrated on the same chip, or they can be respectively arranged on different chips.
  • the embodiment of the present application does not limit the type of the memory and the arrangement of the memory and the processor.
  • the present application provides a computer-readable storage medium, where computer-readable instructions are stored in the computer-readable storage medium, and when a computer reads and executes the computer-readable instructions, the computer executes the method in any possible design of the first aspect or the second aspect above.
  • the present application provides a computer program product; when a computer reads and executes the computer program product, the computer executes the method in any possible design of the first aspect or the second aspect above.
  • the present application provides a chip, the chip includes a processor, and the processor is coupled with a memory and is used to read and execute a software program stored in the memory, so as to realize the method in any possible design of the first aspect or the second aspect above.
  • FIG. 1 is a schematic diagram of a network architecture applicable to an embodiment of the present application
  • FIG. 2A is a schematic diagram of the transmission of downlink data between layers provided by the embodiment of the present application.
  • FIG. 2B is a schematic structural diagram of a physical module of a base station provided in an embodiment of the present application.
  • FIG. 2C is a schematic diagram of the CU-DU separation architecture provided by the embodiment of the present application.
  • FIG. 3A is a schematic diagram of integrity protection/verification processing provided by the embodiment of the present application.
  • FIG. 3B is a schematic diagram of the composition of the MAC PDU provided by the embodiment of the present application.
  • FIG. 3C is a schematic diagram of the composition of the MAC sub-header provided by the embodiment of the present application.
  • FIG. 3D is a schematic diagram of the key hierarchy provided by the embodiment of the present application.
  • FIG. 4 is a schematic diagram of security processing provided by the embodiment of the present application.
  • FIG. 5 is a schematic flowchart corresponding to a communication method provided in an embodiment of the present application.
  • FIG. 6A, FIG. 6B, and FIG. 6C are schematic diagrams of the positional relationship between the first MAC sub-PDU and the second MAC sub-PDU provided by the embodiment of the present application.
  • FIG. 7A, FIG. 7B, and FIG. 7C are schematic diagrams of the content contained in the first MAC sub-PDU and the second MAC sub-PDU provided by the embodiment of the present application.
  • FIG. 8 is another schematic flowchart corresponding to the communication method provided in the embodiment of the present application.
  • FIG. 9 is a possible exemplary block diagram of a device involved in an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of an access network device provided in an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a terminal device provided in an embodiment of the present application.
  • FIG. 1 is a schematic structural diagram of a communication system applicable to an embodiment of the present application.
  • the communication system 1000 includes a radio access network (RAN) 100 and a core network (CN) 200; optionally, the communication system 1000 may also include a data network (DN).
  • the RAN 100 may include at least one radio access network device (also referred to as an access network device, such as 110a and 110b in FIG. 1), and may also include at least one terminal device (such as 120a-120j in FIG. 1); the terminal device can be connected to the radio access network device in a wireless manner.
  • terminal devices may be connected to each other, and access network devices may be connected to each other, in a wired or wireless manner.
  • the CN 200 may include multiple core network elements, and the radio access network device may be connected to the core network elements in a wireless or wired manner.
  • the core network element and the radio access network device can be independent and different physical devices, or the functions of the core network element and the logical functions of the radio access network device can be integrated on the same physical device, or a single physical device can integrate some functions of the core network element and some functions of the radio access network device.
  • a terminal device may also be called a terminal, a user equipment (user equipment, UE), a mobile station, a mobile terminal, and the like.
  • Terminal devices can be widely used in various scenarios, such as device-to-device (D2D), vehicle-to-everything (V2X) communication, machine-type communication (MTC), Internet of Things (internet of things, IOT), virtual reality, augmented reality, industrial control, automatic driving, telemedicine, smart grid, smart furniture, smart office, smart wear, smart transportation, smart city, etc.
  • Terminal devices can be mobile phones, tablet computers, computers with wireless transceiver functions, wearable devices, vehicles, drones, helicopters, airplanes, ships, robots, robotic arms, smart home devices, etc.
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the terminal device.
  • the access network device can be a base station, an evolved base station (evolved NodeB, eNodeB), a transmission reception point (TRP), a next generation base station (next generation NodeB, gNB) in a 5G communication system, a next-generation base station in a sixth generation (6G) communication system, a base station in a future communication system, or an access node in a WiFi system, etc.; it can also be a module or unit that completes part of the functions of a base station.
  • the access network device may be a macro base station (such as 110a in Figure 1), a micro base station or an indoor station (such as 110b in Figure 1), or a relay node or a donor node.
  • the embodiment of the present application does not limit the specific technology and specific equipment form adopted by the access network equipment.
  • the access network equipment and the terminal equipment may be fixed or mobile. Access network equipment and terminal equipment can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed on aircraft, balloons and artificial satellites in the air.
  • the embodiments of the present application do not limit the application scenarios of the access network device and the terminal device.
  • the roles of access network device and terminal device can be relative.
  • the helicopter or drone 120i in FIG. 1 can be configured as a mobile access network device.
  • for terminal device 120j, 120i is an access network device; but for access network device 110a, 120i is a terminal device, that is, communication between 110a and 120i is performed through a wireless air interface protocol.
  • communication between 110a and 120i may also be performed through an interface protocol between access network devices, in which case 120i is also an access network device.
  • therefore, both the access network device and the terminal device can be collectively referred to as communication devices: 110a and 110b in FIG. 1 can be referred to as communication devices with access network device functions, and 120a-120j in FIG. 1 can be referred to as communication devices with terminal device functions.
  • the functions of the access network equipment may also be performed by modules (such as chips) in the access network equipment, or may be performed by a control subsystem including the functions of the access network equipment.
  • the control subsystem including the functions of the access network equipment may be the control center in the above application scenarios such as smart grid, industrial control, intelligent transportation, and smart city.
  • the functions of the terminal may also be performed by a module (such as a chip or a modem) in the terminal, or may be performed by a device including the terminal function.
  • the control plane protocol layer structure may include a radio resource control (RRC) layer, a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, a media access control (MAC) layer, and a physical layer (PHY);
  • the user plane protocol layer structure may include a PDCP layer, an RLC layer, a MAC layer, and a physical layer.
  • a service data adaptation protocol (SDAP) layer may also be included above the PDCP layer.
  • the SDAP layer, the PDCP layer, the RLC layer, the MAC layer, and the physical layer may also be collectively referred to as the access stratum.
  • the data transmission needs to pass through the user plane protocol layer, such as the SDAP layer, PDCP layer, RLC layer, MAC layer, and physical layer.
  • the downlink data transmission is taken as an example.
  • FIG. 2A is a schematic diagram of downlink data transmission between layers. After the SDAP layer entity obtains data from the upper layer, it can process the data according to the quality of service (QoS) flow identifier (QFI) of the data.
  • the PDCP layer entity can transmit the data to at least one RLC layer entity corresponding to the PDCP layer entity, and then the at least one RLC layer entity is transmitted to the corresponding MAC layer entity, and then the MAC layer Entities generate transport blocks, which are then wirelessly transmitted by corresponding physical layer entities.
  • the data is encapsulated correspondingly in each layer.
  • the data received by a certain layer from the layer above it is regarded as the service data unit (SDU) of that layer; after encapsulation by that layer it becomes a protocol data unit (PDU), which is then passed to the next layer.
  • the data received by the PDCP layer entity from the upper layer is called PDCP SDU, and the data sent by the PDCP layer entity to the lower layer is called PDCP PDU; the data received by the RLC layer entity from the upper layer is called RLC SDU, and the data sent by the RLC layer entity to the lower layer It is called RLC PDU.
  • data can be transmitted between different layers through corresponding channels; for example, data can be transmitted between an RLC layer entity and a MAC layer entity through a logical channel (LCH), and between a MAC layer entity and a physical layer entity through a transport channel.
  • the centralized unit (CU)-distributed unit (DU) separation architecture is a new base station architecture introduced in the 5G communication system.
  • each base station is independently deployed and connected to the 4G core network; in the 5G architecture, the DUs of different base stations are deployed independently, but the CUs of different base stations can be deployed centrally, that is, multiple DUs can be centrally controlled by one CU, where the CU is connected to the core network and the DU is connected to the CU through the F1 interface.
  • the base station is divided into a baseband unit (BBU), a remote radio unit (RRU) and antenna modules; each base station has a set of BBUs and is directly connected to the core network through the BBUs. In a possible design of the 5G communication system, the original RRU and antenna are combined into an active antenna unit (AAU), while the BBU is split into a DU and a CU; each base station has a set of DUs, and multiple sites share the same CU for centralized management.
  • the CU can include the functions of the PDCP layer, the SDAP layer, and the RRC layer, and the DU can include the functions of the RLC layer and the MAC layer, as well as some functions of the PHY layer.
  • a DU may include functions of higher layers in the PHY layer.
  • the high-level functions in the PHY layer may include the cyclic redundancy check (CRC) function, channel coding, rate matching, scrambling, modulation, and layer mapping; or, the high-level functions in the PHY layer may include cyclic redundancy check, channel coding, rate matching, scrambling, modulation, layer mapping and precoding.
  • the functions of the middle and lower layers of the PHY layer can be implemented by another network entity (not shown in Figure 2C) that is independent from the DU, where the functions of the middle and lower layers of the PHY layer can include precoding, resource mapping, physical antenna mapping and radio frequency functions; or, the functions of the lower layers in the PHY layer may include resource mapping, physical antenna mapping and radio frequency functions.
  • the embodiment of the present application does not limit the function division of the upper layer and the lower layer in the PHY layer.
  • the signaling generated by the CU can be sent to the terminal device through the DU, or the signaling generated by the terminal device can be sent to the CU through the DU.
  • the DU can directly encapsulate the signaling through the protocol layer and transparently transmit it to the terminal device or CU without parsing the signaling.
  • the sending or receiving of the signaling by the DU includes this scenario.
  • signaling at the RRC or PDCP layer will eventually be processed as physical layer data and sent to the terminal device, or converted from received physical layer data.
  • the signaling at the RRC or PDCP layer can also be considered to be sent by the DU, or sent by the DU and the radio frequency device.
  • FIG. 1 is only a schematic diagram, and the communication system may also include other network devices, such as wireless relay devices and wireless backhaul devices.
  • the sending end and the receiving end can perform security processing on user plane data and control plane signaling.
  • the security processing of the access layer can be performed at the PDCP layer, that is, the sending end performs security processing, such as encryption or integrity protection, on the user plane data or control plane signaling at the PDCP layer, and the receiving end performs the corresponding security processing, such as decryption or integrity verification, on the user plane data or control plane signaling at the PDCP layer; integrity verification may also be referred to as integrity check.
  • the sending end is a terminal device, and the receiving end is an access network device; or, the sending end is an access network device, and the receiving end is a terminal device.
  • the encryption process means that the sending end converts the data plaintext into ciphertext through calculation and processing according to input parameters such as the key.
  • the decryption process means that the receiving end converts the ciphertext into data plaintext.
  • Integrity protection processing means that the sender calculates an integrity protection parameter (such as parameter A) through an algorithm according to input parameters such as the data packet and the key; integrity verification processing means that the receiver calculates parameter B through the same algorithm according to its own input parameters. If parameters A and B are consistent, the integrity verification succeeds; if parameters A and B are inconsistent, the integrity verification fails. When the input parameters used by the sending end are the same as those used by the receiving end, the information integrity-protected at the sending end can be successfully verified by the receiving end.
  • Fig. 3A shows the process of integrity protection/verification through the 5G integrity algorithm (integrity algorithm for 5G, NIA), where the input parameters of integrity protection/verification may include a count value, a key, a message (such as the message itself to be integrity protected/verified), a transmission direction (such as the uplink or downlink transmission direction), and a radio bearer identifier; the output parameter obtained from the integrity protection process (i.e. parameter A) may include a message authentication code-integrity (MAC-I), and the output parameter obtained from the integrity verification process (i.e. parameter B) may include an expected message authentication code-integrity (XMAC-I). If the parameters MAC-I and XMAC-I are consistent, the integrity verification succeeds; if the parameters MAC-I and XMAC-I are inconsistent, the integrity verification fails.
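As an added worked example (not part of the patent, and not using the real 3GPP NIA algorithms, which are replaced here by a 32-bit truncation of HMAC-SHA-256), the following Python code implements the sender-side computation of parameter A (MAC-I) and the receiver-side computation of parameter B (XMAC-I) from the input parameter set described for Fig. 3A, and shows why both sides must agree on every input parameter. The byte packing of COUNT, BEARER and DIRECTION, the direction constants and the key value are constructed assumptions.

```python
# Added example (not from the patent): integrity protection and verification
# with the NIA-style input set (COUNT, KEY, MESSAGE, DIRECTION, BEARER).
# Assumption: a 32-bit truncation of HMAC-SHA-256 stands in for the real
# 3GPP NIA1/NIA2/NIA3 algorithms; the handling of the parameters is the point.
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1   # transmission direction values (constructed convention)


def nia_input(count: int, bearer: int, direction: int) -> bytes:
    """Pack the non-message input parameters: 32-bit COUNT, 5-bit BEARER and
    1-bit DIRECTION, padded to a whole byte (constructed layout)."""
    if not (0 <= count < 2 ** 32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("input parameter out of range")
    return struct.pack(">I", count) + bytes([(bearer << 3) | (direction << 2)])


def compute_mac_i(key: bytes, count: int, bearer: int, direction: int,
                  message: bytes) -> bytes:
    """Sender side: parameter A, the 32-bit MAC-I appended to the message."""
    return hmac.new(key, nia_input(count, bearer, direction) + message,
                    hashlib.sha256).digest()[:4]


def verify_integrity(key: bytes, count: int, bearer: int, direction: int,
                     message: bytes, mac_i: bytes) -> bool:
    """Receiver side: recompute parameter B (XMAC-I) from the receiver's own
    copy of the input parameters and compare it with the received MAC-I in
    constant time. True means the integrity verification succeeded."""
    xmac_i = compute_mac_i(key, count, bearer, direction, message)
    return hmac.compare_digest(xmac_i, mac_i)


def protect_and_verify_demo() -> dict:
    """Walk through the success case and two failure modes."""
    key = b"\x01" * 16          # constructed 128-bit key standing in for K_RRCint
    msg = b"constructed RRC message"
    count, bearer = 5, 1
    tag = compute_mac_i(key, count, bearer, DOWNLINK, msg)
    return {
        # identical input parameters on both sides: XMAC-I == MAC-I
        "same_inputs": verify_integrity(key, count, bearer, DOWNLINK, msg, tag),
        # a single flipped bit in the message makes XMAC-I != MAC-I
        "tampered_message": verify_integrity(key, count, bearer, DOWNLINK,
                                             bytes([msg[0] ^ 1]) + msg[1:], tag),
        # same message and key, but the receiver's COUNT differs (for example
        # an old packet presented again at a later count): verification fails
        "wrong_count": verify_integrity(key, count + 1, bearer, DOWNLINK, msg, tag),
    }


if __name__ == "__main__":
    print(protect_and_verify_demo())
```

The third case is the one that matters for the count value: because COUNT is an input to the tag rather than a field the receiver simply reads, a verifier that tracks its own expected COUNT rejects a stale message even though its bytes and MAC-I are unchanged.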
  • Wireless communication transmission is divided into user plane transmission and control plane transmission.
  • User plane transmission can be used to transmit user plane data and user plane control information.
  • Control plane transmission can be used to transmit control plane signaling.
  • Control plane signaling can include RRC signaling and the like.
  • the user plane data may refer to a user plane data PDU, and the user plane data PDU is used to carry communication content data.
  • the user plane data PDUs may include data PDUs of various protocol layers, such as SDAP data PDUs, PDCP data PDUs, RLC data PDUs, and the like.
  • the user plane control information may refer to the user plane control PDU.
  • the user plane control PDU is used to carry control information that assists the transmission of the user plane data PDU, such as a status report, robust header compression (RoHC) feedback, or Ethernet header compression (EHC) feedback.
  • the user plane control PDU may include control PDUs of various protocol layers, such as SDAP control PDU, PDCP control PDU, RLC control PDU, and the like.
  • the user plane control information may also include other control information, such as a MAC control element (CE) and a control PDU of a new protocol layer that may be defined in a future communication system.
  • the MAC PDU can be divided into downlink MAC PDU and uplink MAC PDU.
  • Figure 3B includes a schematic diagram of the composition of a downlink MAC PDU and an uplink MAC PDU.
  • the MAC PDU is composed of at least one MAC sub-PDU (MAC subPDU).
  • the MAC layer can use the RLC PDU as a MAC SDU and encapsulate it into a MAC sub-PDU.
  • the MAC layer can generate a MAC CE and encapsulate it into a MAC sub-PDU.
  • the MAC sub-PDU may also include padding bits.
  • the MAC layer can combine multiple MAC sub-PDUs into a complete MAC PDU through the multiplexing function.
  • each MAC sub-PDU can also include a MAC sub-header (303).
  • Figure 3C is a schematic diagram of the MAC sub-header. As shown in Figure 3C, for a fixed-size MAC CE, the MAC sub-header can include a field R and a logical channel identifier (LCID), where the field R is a reserved field. For a variable-size MAC CE, the MAC sub-header may include a field R, a field F, a logical channel identifier, and a field L, where the field F is a format field and the field L is used to indicate the length of the MAC CE.
  • the keys used in security processing are divided into non-access stratum keys and access stratum keys, and K_AMF is the root key for deriving the non-access stratum and access stratum keys.
  • the non-access stratum key is divided into the non-access stratum integrity protection key K_NASint and the non-access stratum encryption key K_NASenc;
  • the access stratum key is divided into the base station key K_gNB, the RRC integrity protection key K_RRCint, the RRC encryption key K_RRCenc, the user plane integrity protection key K_UPint, and the user plane encryption key K_UPenc.
  • the RRC integrity protection key K_RRCint, the RRC encryption key K_RRCenc, the user plane integrity protection key K_UPint, and the user plane encryption key K_UPenc are keys derived from the base station key and different security algorithms.
  • the sender can perform encryption processing on the control plane signaling and user plane data PDU, and can further perform integrity protection processing on the control plane signaling, but does not support integrity protection processing on the user plane data PDU.
  • in the 5G communication system, considering the security of the user plane data PDU, a technical solution for integrity protection of the user plane data PDU and the SDAP control PDU is introduced. That is to say, as shown in Figure 4, RRC signaling can be encrypted and integrity protected at the PDCP layer, PDCP data PDUs carrying data can be encrypted and integrity protected at the PDCP layer, and integrity protection of SDAP control PDUs can be supported at the PDCP layer.
  • for other user plane control information, such as the MAC CE, security processing has not yet been performed.
  • for example, a MAC CE may be used to control the terminal device to switch serving cells; once a fake base station counterfeits MAC layer switching signaling, a wrong switch results.
  • the embodiment of the present application provides a communication method, that is, the sending end can securely process the user plane control information at the MAC layer to obtain a MAC PDU and send it to the receiving end; correspondingly, after the receiving end receives the MAC PDU, it can perform the corresponding security processing at the MAC layer, so that security processing of the user plane control information is implemented and the security of the user plane control information is improved.
  • the security processing performed by the sending end is referred to as the first security processing
  • the security processing performed by the receiving end is referred to as the second security processing.
  • the second security processing is the inverse process of the first security processing: for example, if the first security processing is encryption processing, the second security processing may be decryption processing; for another example, if the first security processing is integrity protection processing, the second security processing may be integrity verification processing; for another example, if the first security processing includes encryption processing and integrity protection processing, the second security processing may include decryption processing and integrity verification processing.
  • the sending end may be the first communication device, and the receiving end may be the second communication device.
  • the first communication device may be an access network device or a communication device capable of supporting the access network device to implement the functions required by the method, such as a chip or a chip system set in the access network device;
  • the second communication device may be a terminal device or a communication device capable of supporting the terminal device to implement the functions required by the method, such as a chip or a chip system provided in the terminal device.
  • the access network device described below for executing the embodiment shown in Figure 5 may be the access network device in the system architecture shown in Figure 1 (such as the base station 110a); the terminal device described below for executing the embodiment shown in Figure 5 may be a terminal device in the system architecture shown in Figure 1 (such as the terminal device 120a).
  • FIG. 5 is a schematic flowchart corresponding to the communication method provided in Embodiment 1 of the present application. As shown in FIG. 5, the method includes:
  • the access network device sends enabling information to the terminal device, where the enabling information is used to enable the terminal device to perform first security processing and/or second security processing at a MAC layer.
  • the terminal device receives enabling information from the access network device.
  • below, the case in which the enabling information is used to enable the terminal device to perform both the first security processing and the second security processing at the MAC layer is taken as an example.
  • when the enabling information is used to enable the terminal device to perform both the first security processing and the second security processing at the MAC layer, it may also be described as: the enabling information is used to enable the terminal device to perform security processing at the MAC layer.
  • the enabling information may be information of Boolean type. When the value is true (TRUE), it means that the terminal device is allowed to perform the first security processing and the second security processing at the MAC layer (that is, the security processing function is enabled); when the value is false (FALSE), it means that the terminal device is not allowed to perform the first security processing and the second security processing at the MAC layer (that is, the security processing function is disabled).
  • the enabling information may also be information of an enumeration type.
  • allowing the terminal device to perform the first security processing and the second security processing at the MAC layer may mean: when the terminal device acts as the sending end, the terminal device is allowed to perform the first security processing at the MAC layer; and, when the terminal device acts as the receiving end, the terminal device is allowed to perform the second security processing at the MAC layer.
  • the access network device may send the enabling information to the terminal device in various possible ways, for example, sending the enabling information through a configuration message, and the configuration message may be an RRC reconfiguration message.
  • the access network device may also send indication information to the terminal device, for example, sending indication information through a configuration message, where the indication information is used to indicate which user plane control information needs to be subjected to the first security processing.
  • the indication information may include type information of the user plane control information that requires the first security processing, where the type of the user plane control information may be divided according to the protocol layer, for example, the control PDU from the SDAP layer, the control PDU from the PDCP layer, the control PDU from the RLC layer, the MAC CE generated by the MAC layer, etc.
  • for example, if the indication information indicates that the control PDU from the PDCP layer needs to be subjected to the first security processing, then after the MAC layer receives an RLC data PDU containing a PDCP control PDU, it can learn that the RLC data PDU contains the PDCP control PDU, and then perform the first security processing on the RLC data PDU (that is, the MAC SDU).
  • the indication information may include a logical channel identifier, and the MAC CE corresponding to the logical channel identifier needs to perform the first security processing.
  • the terminal device can enable the security processing function, and then, for downlink transmission, the access network device can perform the first security processing at the MAC layer and the terminal device can perform the second security processing at the MAC layer. For details, see S503 to S505.
  • for uplink transmission, the terminal device may perform the first security processing at the MAC layer and the access network device may perform the second security processing at the MAC layer. For details, refer to S506 to S508.
  • the access network device performs first security processing on the first user plane control information at the MAC layer to obtain a first MAC PDU.
  • the first MAC PDU may include N first MAC sub-PDUs and M second MAC sub-PDUs, where N and M are integers greater than or equal to 1.
  • Each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, and the second MAC sub-PDUs corresponding to different first MAC sub-PDUs are different, that is, N may be less than or equal to M.
  • the first MAC sub-PDU may be called a secure MAC sub-PDU
  • the second MAC sub-PDU may be called a protected MAC sub-PDU
  • the MAC CE included in the first MAC sub-PDU may be called Secure MAC CE
  • the MAC CE (or MAC SDU) included in the second MAC sub-PDU can be called a protected MAC CE (or MAC SDU).
  • the first MAC PDU includes X MAC sub-PDUs, where X is an integer. X can be greater than the sum of N and M, that is, in addition to the N first MAC sub-PDUs and the M second MAC sub-PDUs, the first MAC PDU can also include other MAC sub-PDUs, and the other MAC sub-PDUs can be unprotected MAC sub-PDUs; or, X can be equal to the sum of N and M, that is, apart from the N first MAC sub-PDUs and the M second MAC sub-PDUs, the first MAC PDU does not include other MAC sub-PDUs.
  • the first MAC sub-PDU and the second MAC sub-PDU are introduced respectively below.
  • the first MAC sub-PDU is used by the terminal device to perform the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • if the first MAC sub-PDU corresponds to one second MAC sub-PDU, the first MAC sub-PDU is used by the terminal device to perform the second security processing on that second MAC sub-PDU; if the first MAC sub-PDU corresponds to multiple second MAC sub-PDUs, the first MAC sub-PDU is used by the terminal device to perform the second security processing on the multiple second MAC sub-PDUs.
  • the first MAC sub-PDU may include indication information, and the indication information is used to indicate the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the indication information may be carried in the MAC sub-header of the first MAC sub-PDU, such as occupying some or all bits of the R field in the MAC sub-header; or, the indication information is carried in the MAC CE of the first MAC sub-PDU.
  • the MAC subheader of the first MAC sub-PDU may include a preset logical channel identifier. If the MAC subheader of a certain MAC sub-PDU includes a preset logical channel identifier, it indicates that the MAC sub-PDU is the first MAC sub-PDU.
  • the preset logical channel identifier is used to indicate that the MAC sub-PDU is the first MAC sub-PDU (or security MAC sub-PDU), or described as, the preset logical channel identifier is used to indicate that the MAC sub-PDU includes security MAC CE, or described as, the preset logical channel identifier is used to indicate that the MAC sub-PDU is a MAC sub-PDU for performing the second security processing on the second MAC sub-PDU.
  • the first MAC sub-PDU may include some or all of the input parameters and/or some or all of the output parameters (such as integrity protection parameters) of the first security process, which will be described in detail later.
  • the M second MAC sub-PDUs may include the first user plane control information or the first user plane control information after the first security processing.
  • the first user plane control information includes M MAC CEs and/or MAC SDUs, or the first user plane control information includes M MAC sub-PDUs; where the MAC SDUs may include a control PDU from the PDCP layer, a control PDU from the RLC layer, or a control PDU from the SDAP layer.
  • if the first security processing is encryption processing, the M second MAC sub-PDUs may include the encrypted first user plane control information; if the first security processing is integrity protection processing, the M second MAC sub-PDUs may include the first user plane control information; if the first security processing includes encryption processing and integrity protection processing, the M second MAC sub-PDUs may include the encrypted first user plane control information.
  • for example, the first user plane control information includes MAC CE1; if the first security processing includes encryption processing and integrity protection processing, the second MAC sub-PDU may include MAC CE1' (MAC CE1' is the encrypted MAC CE1).
  • for another example, the first user plane control information includes MAC sub-PDU1, and MAC sub-PDU1 includes MAC CE1 or MAC SDU1; if the first security processing includes encryption processing and integrity protection processing, the second MAC sub-PDU may be MAC sub-PDU1' (MAC sub-PDU1' is the encrypted MAC sub-PDU1).
  • for another example, the first user plane control information includes MAC CE1 and MAC CE2; if the first security processing includes encryption processing and integrity protection processing, one of the second MAC sub-PDUs may include MAC CE1' and another second MAC sub-PDU may include MAC CE2' (MAC CE2' is the encrypted MAC CE2).
  • for another example, the first user plane control information includes MAC sub-PDU1 and MAC sub-PDU2, MAC sub-PDU1 includes MAC CE1 or MAC SDU1, and MAC sub-PDU2 includes MAC CE2 or MAC SDU2; if the first security processing includes encryption processing and integrity protection processing, one of the second MAC sub-PDUs can be MAC sub-PDU1' and the other second MAC sub-PDU can be MAC sub-PDU2' (MAC sub-PDU2' is the encrypted MAC sub-PDU2).
  • the first MAC sub-PDU may be located before all the second MAC sub-PDUs corresponding to the first MAC sub-PDU.
  • in this way, the receiving end (such as a terminal device) can know which MAC sub-PDUs are the second MAC sub-PDUs according to the indication information included in the first MAC sub-PDU, and can then perform the second security processing immediately after parsing a second MAC sub-PDU, so that no time delay is introduced and processing efficiency is improved.
  • the first MAC sub-PDU may also be located after all second MAC sub-PDUs corresponding to the first MAC sub-PDU.
  • the first MAC PDU includes a first MAC sub-PDU1, and the first MAC sub-PDU1 corresponds to the second MAC sub-PDU1.
  • the first MAC sub-PDU1 is adjacent to the second MAC sub-PDU1; the first MAC sub-PDU1 can be located before the second MAC sub-PDU1, or the first MAC sub-PDU1 can also be located after the second MAC sub-PDU1.
  • the first MAC PDU includes a first MAC sub-PDU1 and a first MAC sub-PDU2, the first MAC sub-PDU1 corresponds to the second MAC sub-PDU1, and the first MAC sub-PDU2 corresponds to the second MAC sub-PDU2.
  • the first MAC sub-PDU1 is adjacent to the second MAC sub-PDU1, and the first MAC sub-PDU2 is adjacent to the second MAC sub-PDU2; the first MAC sub-PDU1 can be located before the second MAC sub-PDU1, or the first MAC sub-PDU1 may also be located after the second MAC sub-PDU1; the first MAC sub-PDU2 may be located before the second MAC sub-PDU2, or the first MAC sub-PDU2 may also be located after the second MAC sub-PDU2.
  • the first MAC PDU includes a first MAC sub-PDU1, and the first MAC sub-PDU1 corresponds to the second MAC sub-PDU1a, the second MAC sub-PDU1b, and the second MAC sub-PDU1c.
  • the first MAC sub-PDU1 may be adjacent to the second MAC sub-PDU1a and located before the second MAC sub-PDU1a, the second MAC sub-PDU1b and the second MAC sub-PDU1c; or, the first MAC sub-PDU1 may be adjacent to the second MAC sub-PDU1c and located after the second MAC sub-PDU1a, the second MAC sub-PDU1b and the second MAC sub-PDU1c.
  • the first MAC sub-PDU may include indication information, and the indication information is used to indicate the second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • the indication information may include 1 bit. For example, when the value of this bit is 0, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is the MAC sub-PDU after the first MAC sub-PDU in the first MAC PDU (for example, refer to the diagram shown above the dotted line in Figure 6A); when the value of this bit is 1, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is the MAC sub-PDU before the first MAC sub-PDU in the first MAC PDU (for example, refer to the diagram shown below the dotted line in Figure 6A).
  • the indication information may include two bits. For example, when the value of the two bits is 00, it means that the second MAC sub-PDUs corresponding to the first MAC sub-PDU are all MAC sub-PDUs in the first MAC PDU except the first MAC sub-PDU; when the value of the two bits is 01, it means that the second MAC sub-PDU corresponding to the first MAC sub-PDU is the MAC sub-PDU located before and adjacent to the first MAC sub-PDU in the first MAC PDU; when the value of the two bits is 10, it means that the second MAC sub-PDU corresponding to the first MAC sub-PDU is the MAC sub-PDU located after and adjacent to the first MAC sub-PDU in the first MAC PDU; when the value of the two bits is 11, it means that the second MAC sub-PDUs corresponding to the first MAC sub-PDU are all MAC sub-PDUs containing a MAC CE in the MAC PDU except the first MAC sub-PDU.
  • the indication information may indicate a value K, indicating that the second MAC sub-PDU corresponding to the first MAC sub-PDU is K MAC sub-PDUs located before or after the first MAC sub-PDU in the first MAC PDU.
  • whether it is "before" or "after" may be pre-agreed by the protocol, or it may be notified by the sender to the receiver, or it may be indicated by an additional bit (for example, a value of 0 for this bit means "before" and a value of 1 means "after"; or vice versa).
  • the number of bits included in the indication information may be set according to actual needs.
  • the indication information may include a variable-length bitmap, and a bit in the bitmap corresponds to a MAC sub-PDU in the first MAC PDU.
  • the bits in the bitmap correspond, in sequence from low to high, to the MAC sub-PDUs from left to right in the first MAC PDU; that is, the lowest bit in the bitmap corresponds to the first MAC sub-PDU from the left in the first MAC PDU, and so on, and the highest bit in the bitmap corresponds to the first MAC sub-PDU from the right in the first MAC PDU.
  • alternatively, the bits in the bitmap correspond, in sequence from low to high, to the MAC sub-PDUs from right to left in the first MAC PDU; that is, the lowest bit in the bitmap corresponds to the first MAC sub-PDU from the right in the first MAC PDU, and the highest bit in the bitmap corresponds to the first MAC sub-PDU from the left in the first MAC PDU.
  • a bit in the bitmap having a value of 1 indicates that the MAC sub-PDU corresponding to the bit is a second MAC sub-PDU corresponding to the first MAC sub-PDU, and a value of 0 indicates that the MAC sub-PDU corresponding to the bit is not a second MAC sub-PDU corresponding to the first MAC sub-PDU.
  • in the above manner, the bits in the bitmap correspond to the MAC sub-PDUs in the first MAC PDU.
  • alternatively, the bits in the bitmap may correspond one-to-one to the second MAC sub-PDUs in the first MAC PDU; for example, the bits in the bitmap correspond, in sequence from low to high, to the second MAC sub-PDUs from left to right in the first MAC PDU.
  • the indication information may include an offset of each second MAC sub-PDU corresponding to the first MAC sub-PDU relative to the first MAC sub-PDU. For example, if the first MAC sub-PDU corresponds to the second MAC sub-PDU1, the indication information may include the first offset of the head of the second MAC sub-PDU1 relative to the head or tail of the first MAC sub-PDU, and the second MAC A second offset of the tail of sub-PDU1 relative to the head or tail of the first MAC sub-PDU.
  • the unit of the first offset and the second offset may be the number of bits or the number of bytes.
  • if the second MAC sub-PDU1 is located before the first MAC sub-PDU, the first offset and the second offset may be negative values; if the second MAC sub-PDU1 is located after the first MAC sub-PDU, the first offset and the second offset may be positive values.
  • the indication information may include an offset of each second MAC sub-PDU corresponding to the first MAC sub-PDU relative to the first MAC sub-PDU and the length of that second MAC sub-PDU. For example, if the first MAC sub-PDU corresponds to the second MAC sub-PDU1, the indication information may include the offset of the head of the second MAC sub-PDU1 relative to the head or tail of the first MAC sub-PDU and the length of the second MAC sub-PDU1.
  • the first MAC sub-PDU can still be determined according to the offset.
  • the first MAC sub-PDU may not include indication information, and in this case, the position of the second MAC sub-PDU corresponding to the first MAC sub-PDU may be stipulated through a protocol.
  • the second MAC sub-PDU corresponding to the first MAC sub-PDU is: a MAC sub-PDU adjacent to the first MAC sub-PDU and located before the first MAC sub-PDU.
  • "before" can also be replaced with "after".
  • the second MAC sub-PDU corresponding to the first MAC sub-PDU includes: all MAC sub-PDUs before the first MAC sub-PDU.
  • "before" can also be replaced with "after".
  • the second MAC sub-PDU corresponding to the first MAC sub-PDU is: all MAC sub-PDUs containing a MAC CE before the first MAC sub-PDU.
  • "before" can also be replaced with "after".
  • if the first MAC PDU includes one first MAC sub-PDU, the second MAC sub-PDUs corresponding to the first MAC sub-PDU may be stipulated by the protocol as: all MAC sub-PDUs included in the first MAC PDU except the first MAC sub-PDU.
  • if the first MAC PDU includes one first MAC sub-PDU, the second MAC sub-PDUs corresponding to the first MAC sub-PDU may be stipulated by the protocol as: all MAC sub-PDUs containing a MAC CE included in the first MAC PDU except the first MAC sub-PDU.
  • the first security processing performed by the access network device on the first user plane control information is introduced below.
  • the input parameters used by the access network device to perform the first security processing on the first user plane control information may include at least one of the following: a first key; the first user plane control information; security processing parameters used to prevent replay; the logical channel identifier corresponding to the first user plane control information; the transmission direction; the preset logical channel identifier in the MAC subheader of the first MAC sub-PDU; an identifier of a synchronization signal block (SSB); an identifier of the serving cell that sends the first user plane control information; an identifier of the control resource set used to schedule the first user plane control information.
  • the first key may include a first subkey, or include a second subkey, or include a first subkey and a second subkey.
  • the first subkey is used to perform encryption/decryption processing on the first user plane control information at the MAC layer
  • the second subkey is used to perform integrity protection/verification processing on the first user plane control information at the MAC layer.
  • the first key may reuse an existing access stratum key; for example, the first subkey is K_UPenc and the second subkey is K_UPint, or the first subkey is K_RRCenc and the second subkey is K_RRCint.
  • if the first key reuses an existing access stratum key, there is no need to derive the first key separately, which reduces the processing burden and speeds up security processing.
  • the security processing parameters used to prevent replay may include at least one of the following: the sequence number (SN) of the first user plane control information, the count value of the first user plane control information, and the timestamp of the first user plane control information.
  • the timestamp can be the lower N bits of the system frame number.
  • the sequence number can be maintained by the MAC layer for each MAC sub-PDU, and the MAC layer of the receiving end maintains the sequence number in the same way, so as to ensure that the sequence numbers determined by both sides are consistent.
  • Multiple MAC sub-PDUs can share a sequence number.
  • a MAC PDU corresponds to a sequence number
  • multiple MAC sub-PDUs included in the MAC PDU share the sequence number.
  • the sequence number of the first user plane control information may refer to the sequence number of second MAC sub-PDU1.
  • second MAC sub-PDU1 includes MAC CE1 or MAC CE1' (MAC CE1' is the encrypted MAC CE1).
  • the sequence number (or count value) of the second MAC sub-PDU1 can also be described as the sequence number (or count value) of MAC CE1 or MAC CE1'.
  • the count value may be maintained by the MAC layer for each MAC sub-PDU, or may be maintained for the MAC PDU.
  • the MAC entity at the sending end can maintain a count value for each data packet (such as a MAC sub-PDU), and when sending data the sending end performs the first security processing in ascending order of the count value of the data packets.
  • the MAC entity at the receiving end maintains the count value for each data packet with the same calculation method, so that when data packets are delivered to the upper layer the second security processing is performed in ascending order of their count values.
  • the count value of a MAC sub-PDU is determined from the sequence number of the MAC sub-PDU and the hyper frame number (HFN) of the MAC layer. The HFN of the MAC layer is maintained separately by the access network device and the terminal device; its initial value is 0, and when the sequence number of the MAC sub-PDU reaches its maximum value and wraps around, the HFN is incremented by 1.
  • if no anti-replay parameter is used, the input parameters of the first security processing for different data packets may be identical, so the output parameters are identical too, and from the receiver's point of view duplicate packets are received. In that case, after the sender sends a data packet, an illegal base station or terminal can forge a duplicate of it and send it; the receiver will mistake the forgery for a duplicate sent by the legitimate sender and cannot recognize the forged packet.
  • with security processing parameters such as count values included in the input, the input parameters and output parameters of the first security processing differ from packet to packet, which effectively prevents illegal base stations or terminals from forging duplicate data packets.
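  • The count-value mechanism described above (a per-packet SN plus an HFN that both ends maintain, fed into the integrity computation so that identical MAC CEs produce different tags, and a replay filter at the receiver) is shown below as an added example; it is not code from the patent. Assumptions not fixed by the page: a 12-bit SN, COUNT = HFN·2^12 + SN, an integrity tag computed as HMAC-SHA-256 truncated to 32 bits over COUNT, LCID, direction and the message (a stand-in for a 3GPP NIA algorithm), and a receiver that infers the HFN from the received SN with a half-SN-space window in the way PDCP does.

```python
import hmac, hashlib

SN_BITS = 12
SN_MOD = 1 << SN_BITS
WINDOW = SN_MOD // 2          # reordering window used to infer the HFN (assumption)
DL, UL = 1, 0                 # transmission direction input


def mac_i(key, count, lcid, direction, msg):
    """Integrity tag over COUNT || LCID || DIRECTION || msg (stand-in for NIA)."""
    data = count.to_bytes(4, "big") + bytes([lcid, direction]) + msg
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


class Sender:
    def __init__(self):
        self.tx_next = 0                     # COUNT of the next packet to protect

    def protect(self, key, lcid, direction, msg):
        count, self.tx_next = self.tx_next, self.tx_next + 1
        # only the SN is transmitted; the HFN is kept locally at both ends
        return count % SN_MOD, mac_i(key, count, lcid, direction, msg)


class Receiver:
    def __init__(self):
        self.rx_next = 0                     # COUNT following the highest accepted one
        self.seen = set()                    # accepted COUNTs, i.e. the replay filter

    def infer_count(self, sn):
        """Rebuild COUNT from the received SN and the locally maintained HFN."""
        hfn, sn_next = self.rx_next >> SN_BITS, self.rx_next % SN_MOD
        if sn < sn_next - WINDOW:            # SN wrapped: the peer incremented its HFN
            hfn += 1
        elif sn >= sn_next + WINDOW:         # very old packet from the previous HFN
            hfn -= 1
        return None if hfn < 0 else (hfn << SN_BITS) | sn

    def verify(self, key, lcid, direction, sn, tag, msg):
        count = self.infer_count(sn)
        if count is None:
            return "out_of_window"
        if count in self.seen:
            return "replay"                  # same COUNT twice: forged or replayed copy
        if not hmac.compare_digest(mac_i(key, count, lcid, direction, msg), tag):
            return "integrity_failure"
        self.seen.add(count)
        self.rx_next = max(self.rx_next, count + 1)
        # a real stack prunes `seen` to the reordering window instead of growing it
        return "ok"
```

Because COUNT is an input, a legitimate retransmission of the same MAC CE carries a fresh SN and a fresh tag, while a copy of an earlier packet is rejected as a replay before its tag is even checked.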
  • the relevant implementation of the above S503 will be introduced in combination with two situations.
  • in the first situation, the first user plane control information includes one MAC CE (such as MAC CE1).
  • the access network device may perform first security processing (such as encryption processing and integrity protection processing) on MAC CE1 at the MAC layer to obtain MAC CE1' and integrity protection parameter 1 (such as MAC-I1), then use MAC CE1' as the payload of a MAC sub-PDU, add a MAC subheader, and encapsulate it into a MAC sub-PDU.
  • This MAC sub-PDU is the second MAC sub-PDU, which can be called the second MAC sub-PDU1.
  • the access network device encapsulates some or all of the input parameters of the first security processing (such as SN1 of MAC CE1) together with integrity protection parameter 1 into a MAC sub-PDU; this MAC sub-PDU is the first MAC sub-PDU, which can be called first MAC sub-PDU1.
  • the MAC subheader of first MAC sub-PDU1 may include a preset logical channel identifier, and its payload is a MAC CE that may include SN1 and MAC-I1.
  • the MAC-I included in the first MAC sub-PDU may also be replaced with a truncated MAC-I.
  • the length of the truncated MAC-I may be predefined by a protocol, or the sending end may send the length of the truncated MAC-I to the receiving end. In this embodiment of the present application, description is made by taking the first MAC sub-PDU including MAC-I as an example.
  • alternatively, the access network device can use MAC CE1 as the payload of MAC sub-PDU1, add a MAC subheader to encapsulate it as MAC sub-PDU1, and then perform the first security processing (such as encryption processing and integrity protection processing) on MAC sub-PDU1 at the MAC layer to obtain MAC sub-PDU1' (the encrypted MAC sub-PDU1) and integrity protection parameter 1 (such as MAC-I1). MAC sub-PDU1' is the second MAC sub-PDU and may be called second MAC sub-PDU1.
  • the access network device encapsulates some or all of the input parameters of the first security processing (such as SN1 of MAC CE1) together with integrity protection parameter 1 into a MAC sub-PDU; this MAC sub-PDU is the first MAC sub-PDU, which can be called first MAC sub-PDU1.
  • "the access network device performs the first security processing on the first user plane control information (such as a MAC CE) at the MAC layer" may mean that the access network device performs the first security processing on the MAC CE itself at the MAC layer, or that it performs the first security processing on the MAC sub-PDU that includes the MAC CE.
  • in the second situation, the first user plane control information includes multiple MAC CEs (such as MAC CE1 and MAC CE2).
  • the access network device can perform first security processing (such as encryption processing and integrity protection processing) on MAC CE1 at the MAC layer to obtain MAC CE1' and integrity protection parameter 1 (such as MAC-I1), then use MAC CE1' as the payload of a MAC sub-PDU, add a MAC subheader, and encapsulate it into second MAC sub-PDU1. Further, the access network device encapsulates part or all of the input parameters of the first security processing (such as SN1 of MAC CE1) and integrity protection parameter 1 into first MAC sub-PDU1.
  • the access network device can likewise perform encryption processing and integrity protection processing on MAC CE2 at the MAC layer to obtain MAC CE2' and integrity protection parameter 2 (such as MAC-I2), then use MAC CE2' as the payload of a MAC sub-PDU, add a MAC subheader, and encapsulate it into second MAC sub-PDU2. Further, the access network device encapsulates part or all of the input parameters of the first security processing (such as SN2 of MAC CE2) and integrity protection parameter 2 into first MAC sub-PDU2.
  • in this implementation mode (implementation mode 1), the access network device independently performs the first security processing for each MAC CE (or for the MAC sub-PDU containing the MAC CE) among the multiple MAC CEs, and adds one additional security MAC sub-PDU for each MAC CE.
  • the sequence numbers or count values of multiple MAC CEs can be the same or different.
  • in implementation mode 2, the access network device performs the first security processing (such as encryption processing and integrity protection processing) on MAC CE1 and MAC CE2 together at the MAC layer to obtain MAC CE1', MAC CE2' and a single integrity protection parameter a (such as MAC-Ia). It then uses MAC CE1' as the payload of a MAC sub-PDU, adds a MAC subheader and encapsulates it as second MAC sub-PDU1, and uses MAC CE2' as the payload of another MAC sub-PDU, adds a MAC subheader and encapsulates it as second MAC sub-PDU2.
  • the access network device encapsulates some or all of the input parameters of the first security processing (such as SN1 of MAC CE1; SN2 of MAC CE2 is the same as SN1) and integrity protection parameter a into first MAC sub-PDU1.
  • the access network device can thus perform the first security processing jointly on multiple MAC CEs (such as MAC CE1 and MAC CE2), or jointly on multiple MAC sub-PDUs (such as MAC sub-PDU1 containing MAC CE1 and MAC sub-PDU2 containing MAC CE2), which saves processing and improves the efficiency of security processing; and only one additional security MAC sub-PDU needs to be added for the multiple MAC CEs, which reduces transmission overhead.
  • the sequence numbers or count values of multiple MAC CEs are the same, that is, they share one sequence number or count value, so as to facilitate the combined execution of the first security processing.
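  • The two implementation modes above (one first MAC sub-PDU per MAC CE, or one first MAC sub-PDU for several MAC CEs sharing a count value), together with the truncated MAC-I option and the terminal's second security processing including the failure case, are worked through below as an added example; it is not code from the patent. Assumptions not in the page: a simplified 2-byte subheader (LCID, length), a hypothetical preset LCID 63 for the first MAC sub-PDU whose payload is a 12-bit SN (2 bytes) followed by the MAC-I, ciphering by an HMAC-SHA-256 counter-mode keystream XORed into the MAC CE (a stand-in for a 3GPP NEA algorithm), an integrity tag HMAC-SHA-256(K_int, COUNT || data) truncated to 4 bytes (2 bytes when truncated), and the protocol-stipulated rule that a first MAC sub-PDU protects the second MAC sub-PDUs immediately before it.

```python
import hmac, hashlib

SEC_LCID = 63        # hypothetical preset LCID of the first (security) MAC sub-PDU
SN_MOD = 4096        # 12-bit SN carried in the first MAC sub-PDU (assumption)


def subpdu(lcid, payload):
    return bytes([lcid, len(payload)]) + payload


def keystream(k_enc, count, n):
    """HMAC-SHA-256 in counter mode as a stand-in for a NEA keystream generator."""
    out, blk = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, count.to_bytes(4, "big") + blk.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        blk += 1
    return out[:n]


def cipher(k_enc, count, data):
    return bytes(a ^ b for a, b in zip(data, keystream(k_enc, count, len(data))))


def integrity(k_int, count, data, tag_len):
    """MAC-I over COUNT || data, truncated to tag_len bytes (stand-in for NIA)."""
    return hmac.new(k_int, count.to_bytes(4, "big") + data, hashlib.sha256).digest()[:tag_len]


def first_subpdu(count, tag):
    return subpdu(SEC_LCID, (count % SN_MOD).to_bytes(2, "big") + tag)


def protect_individually(k_enc, k_int, ces, count0, tag_len=4):
    """Implementation mode 1: every MAC CE gets its own COUNT and first MAC sub-PDU."""
    pdu = b""
    for i, (lcid, ce) in enumerate(ces):
        count = count0 + i
        second = subpdu(lcid, cipher(k_enc, count, ce))
        pdu += second + first_subpdu(count, integrity(k_int, count, second, tag_len))
    return pdu


def protect_combined(k_enc, k_int, ces, count, tag_len=4):
    """Implementation mode 2: the MAC CEs share one COUNT and one first MAC sub-PDU.
    The keystream runs once over the concatenation: reusing the same COUNT-derived
    keystream separately for each CE would be a two-time pad."""
    ct = cipher(k_enc, count, b"".join(ce for _, ce in ces))
    seconds, pos = b"", 0
    for lcid, ce in ces:
        seconds += subpdu(lcid, ct[pos:pos + len(ce)])
        pos += len(ce)
    return seconds + first_subpdu(count, integrity(k_int, count, seconds, tag_len))


def parse(pdu):
    subs, pos = [], 0
    while pos < len(pdu):
        lcid, ln = pdu[pos], pdu[pos + 1]
        subs.append((lcid, pdu[pos + 2:pos + 2 + ln], pdu[pos:pos + 2 + ln]))
        pos += 2 + ln
    return subs


def unprotect(k_enc, k_int, pdu, hfn=0, tag_len=4):
    """Second security processing. Each first MAC sub-PDU protects the second MAC
    sub-PDUs immediately before it. Returns (decoded CEs, LCIDs that failed)."""
    result, pending = [], []
    for lcid, payload, raw in parse(pdu):
        if lcid != SEC_LCID:
            pending.append((lcid, payload, raw))
            continue
        count = (hfn << 12) | int.from_bytes(payload[:2], "big")
        tag = payload[2:2 + tag_len]
        protected = b"".join(r for _, _, r in pending)
        if not hmac.compare_digest(integrity(k_int, count, protected, tag_len), tag):
            return None, [l for l, _, _ in pending]   # material for the failure notification
        plain = cipher(k_enc, count, b"".join(p for _, p, _ in pending))
        pos = 0
        for l, p, _ in pending:
            result.append((l, plain[pos:pos + len(p)]))
            pos += len(p)
        pending = []
    return result, []
```

Integrity is checked before deciphering, and the failed LCIDs are returned so the terminal can build the notification information described later; a truncated MAC-I shortens the first MAC sub-PDU at the cost of forgery resistance (a 16-bit tag is guessed with probability 2^-16 per attempt), so it is only appropriate where the receiver limits failed attempts.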
  • the access network device sends the first MAC PDU to the terminal device.
  • the terminal device receives the first MAC PDU from the access network device, and performs second security processing on the second MAC sub-PDU included in the first MAC PDU.
  • the terminal device performing the second security processing on the second MAC sub-PDU may mean that the terminal device performs the second security processing on the second MAC sub-PDU as a whole, or that it performs the second security processing on the payload of the second MAC sub-PDU. Specifically, if the access network device performed the first security processing on the MAC CE or MAC SDU, the terminal device performs the second security processing on the payload of the second MAC sub-PDU; if the access network device performed the first security processing on the MAC sub-PDU, the terminal device performs the second security processing on the entire second MAC sub-PDU.
  • the terminal device may send notification information to the access network device, which is used to notify that the second security processing of a second MAC sub-PDU included in the first MAC PDU has failed.
  • the notification information may include the logical channel identifier corresponding to the second MAC sub-PDU that failed the second security processing and/or the number of second MAC sub-PDUs that failed the second security processing (or the number of times the second security processing failed).
  • failure of the second security processing performed by the terminal device on a second MAC sub-PDU indicates that there may be a security problem in the transmission of user plane control information. By notifying the access network device of the failure, the terminal device enables the access network device to take corresponding measures to improve security.
  • the terminal device performs first security processing on the second user plane control information at the MAC layer to obtain a second MAC PDU.
  • for the second user plane control information, refer to the above description of the first user plane control information.
  • the only difference between the two is that the second user plane control information is uplink user plane control information, while the first user plane control information is downlink user plane control information.
  • the second MAC PDU please refer to the above description about the first MAC PDU.
  • the difference between the two is only that the second MAC PDU is an uplink MAC PDU, while the first MAC PDU is a downlink MAC PDU.
  • if MAC CE1 includes a buffer status report (BSR), the content of the BSR must be determined from the contents of the other MAC sub-PDUs included in the second MAC PDU, so the MAC sub-PDU containing MAC CE1 is generated last and is arranged after the other MAC sub-PDUs. If the MAC sub-PDU containing MAC CE1 needs to undergo the first security processing together with other MAC sub-PDUs (see implementation mode 2 above), their corresponding first MAC sub-PDU can be arranged at the end of the second MAC PDU.
  • the terminal device sends the second MAC PDU to the access network device.
  • the access network device receives the second MAC PDU from the terminal device, and performs the second security processing on the second MAC sub-PDUs included in the second MAC PDU.
  • when the access network device performs the second security processing on the second MAC sub-PDUs included in the second MAC PDU and determines that the second security processing of a certain second MAC sub-PDU fails, it may release the RRC connection of the terminal device so that the terminal device enters the RRC idle state from the RRC connected state, or perform other possible operations; this depends on the internal implementation of the access network device and is not limited in this embodiment of the present application.
  • the generated MAC PDU may include N first MAC sub-PDUs and M second MAC sub-PDUs, where N and M are integers greater than or equal to 1.
  • the first MAC sub-PDU is an additionally generated MAC sub-PDU used to protect the M second MAC sub-PDUs, so that the user plane control information can be security-processed with little impact on the existing MAC PDU format, and security processing can be applied flexibly to one or more MAC CEs or MAC SDUs in the MAC PDU.
  • the first MAC sub-PDU does not participate in the first security processing.
  • the first MAC sub-PDU may also participate in the first security processing.
  • if the first security processing is integrity protection processing, the first MAC sub-PDU can be integrity protected together with the second MAC sub-PDU, and the resulting integrity protection parameter is carried in the first MAC sub-PDU. If this method is adopted, the terminal device first takes the integrity protection parameter out of the first MAC sub-PDU, and then performs integrity verification over the first MAC sub-PDU (without the integrity protection parameter) and the second MAC sub-PDU.
  • the access network device and the terminal device may agree in advance whether the first MAC sub-PDU participates in the first security process, or indicate in other ways whether the first MAC sub-PDU participates in the first security process.
  • the second MAC sub-PDU corresponding to the first MAC sub-PDU may also include the first MAC sub-PDU itself.
  • the above-described security processing parameters for preventing replay are optional input parameters of the first security processing. If they are not used, that is, if the input parameters of the first security processing do not include the security processing parameters for preventing replay, the corresponding SN does not need to be carried in the first MAC sub-PDU in the above examples.
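  • The variant in which the first MAC sub-PDU itself participates in integrity protection (the tag is computed over the second MAC sub-PDUs plus the first MAC sub-PDU with its MAC-I field blanked, and the receiver extracts the MAC-I before verifying) is shown below as an added example, not code from the patent. It assumes a 2-byte subheader (LCID, length), a hypothetical preset LCID 63, a first MAC sub-PDU payload of SN (2 bytes) followed by a 4-byte MAC-I, and a tag HMAC-SHA-256(K_int, COUNT || data) truncated to 4 bytes as a stand-in for NIA. The point it makes is that the SN and the subheader of the first MAC sub-PDU are then covered by the tag, so tampering with them is detected.

```python
import hmac, hashlib

SEC_LCID = 63                      # hypothetical preset LCID of the first MAC sub-PDU
TAG_LEN = 4
FIRST_SIZE = 2 + 2 + TAG_LEN       # subheader + SN + MAC-I


def tag(k_int, count, data):
    """Stand-in for NIA: HMAC-SHA-256 over COUNT || data, truncated to TAG_LEN."""
    return hmac.new(k_int, count.to_bytes(4, "big") + data, hashlib.sha256).digest()[:TAG_LEN]


def build_pdu(k_int, count, seconds):
    """seconds: the already serialised second MAC sub-PDUs. The first MAC sub-PDU is
    appended after them and included, with a zeroed MAC-I field, in the tag input."""
    head = bytes([SEC_LCID, 2 + TAG_LEN]) + (count % 4096).to_bytes(2, "big")
    t = tag(k_int, count, seconds + head + bytes(TAG_LEN))
    return seconds + head + t


def verify_pdu(k_int, pdu, hfn=0):
    """Receiver: take the MAC-I out of the first MAC sub-PDU, blank the field, verify
    over second MAC sub-PDUs plus the blanked first MAC sub-PDU."""
    seconds, first = pdu[:-FIRST_SIZE], pdu[-FIRST_SIZE:]
    sn = int.from_bytes(first[2:4], "big")
    received = first[4:]
    expected = tag(k_int, (hfn << 12) | sn, seconds + first[:4] + bytes(TAG_LEN))
    return hmac.compare_digest(expected, received)
```

Whether the first MAC sub-PDU is covered must be agreed in advance by both ends (or signalled), exactly as the description says, because the two tag computations differ and a mismatch would be indistinguishable from tampering.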
  • the access network device may also be split into separate nodes (a CU and a DU), as shown in FIG. 2B and FIG. 2C.
  • the access network device mentioned above in FIG. 5 can also be replaced by a DU, that is, the DU can perform the operations performed by the access network device in FIG. 5 .
  • the MAC layer is located in the DU.
  • the DU is often deployed outdoors, where its physical security is weaker than that of the CU. Therefore, to further improve security, in this embodiment of the application the first key used by the DU for security processing at the MAC layer may be different from the key used by the CU for security processing.
  • FIG. 8 is a schematic flowchart corresponding to the communication method provided in the embodiment of the present application. As shown in FIG. 8, the method includes:
  • the CU receives a second key from a core network element.
  • the core network element may be an access and mobility management function (access and mobility management function, AMF) network element
  • the second key may include a base station key K_gNB and/or a next hop (NH) parameter.
  • NH can refer to the definition in the existing protocol.
  • the CU derives a third key and a fourth key from the second key; the third key is used to perform the first security processing or the second security processing on control plane signaling, and the fourth key is used to perform the first security processing or the second security processing on user plane data.
  • the third key may include the RRC integrity protection key K_RRCint and/or the RRC encryption key K_RRCenc.
  • the fourth key may include the user plane integrity protection key K_UPint and/or the user plane encryption key K_UPenc.
  • the CU derives the first key from at least one of the second key, the third key and the fourth key.
  • the CU may perform the derivation one or more times from at least one of the second key, the third key and the fourth key to obtain the first key.
  • derivation here means performing a specific operation on the input parameters according to a security algorithm to obtain the output parameters.
  • the input parameters include at least one of the second key, the third key and the fourth key, and the output parameter is the first key.
  • the security algorithm may be a newly introduced security algorithm of the MAC layer.
  • as shown in Table 1, the currently available algorithm types include the NAS encryption algorithm, the NAS integrity protection algorithm, the RRC encryption algorithm, the RRC integrity protection algorithm, the user plane encryption algorithm and the user plane integrity protection algorithm. On this basis, the embodiment of the present application may introduce MAC-layer security algorithms, such as a MAC-layer encryption algorithm and a MAC-layer integrity protection algorithm.
  • Table 1 Examples of various security algorithm types
  • the CU may derive the first key according to the second key and the security algorithm of the MAC layer.
  • the CU may derive the first key according to the third key and the security algorithm of the MAC layer; or, the CU may derive the first key according to the third key and the random number.
  • the CU may derive the first key according to the fourth key and the security algorithm of the MAC layer; or, the CU may derive the first key according to the fourth key and the random number.
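  • The derivation variants listed above can be made concrete with the KDF that the existing access stratum keys already use. The following is an added example, not code from the patent: it applies the TS 33.501 Annex A construction KDF(K, S) = HMAC-SHA-256(K, S) with S = FC || P0 || L0 || P1 || L1, and the algorithm-key derivation of Annex A.8 (FC = 0x69, P0 = algorithm type distinguisher, P1 = algorithm identity, key = 128 least significant bits of the output). The algorithm type distinguishers 0x01 to 0x06 are the standard ones; 0x07 and 0x08 for the new MAC-layer algorithm types, the FC value 0x7F used for the "key plus random number" variant, and the algorithm identities in the test are hypothetical and not from the page.

```python
import hmac, hashlib

# Algorithm type distinguishers. 0x01..0x06 are those of TS 33.501 A.8;
# 0x07/0x08 are hypothetical values for the new MAC-layer algorithm types.
ALG_TYPE = {"N-NAS-enc": 0x01, "N-NAS-int": 0x02, "N-RRC-enc": 0x03,
            "N-RRC-int": 0x04, "N-UP-enc": 0x05, "N-UP-int": 0x06,
            "N-MAC-enc": 0x07, "N-MAC-int": 0x08}


def kdf(key, fc, *params):
    """TS 33.501 Annex A KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def algorithm_key(k, alg_type, alg_id):
    """A.8 style: FC = 0x69, P0 = type distinguisher, P1 = algorithm identity; 128 LSBs."""
    return kdf(k, 0x69, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]


def derive_first_key_from_gnb(k_gnb, enc_alg_id, int_alg_id):
    """Variant 1: first key (enc subkey, int subkey) from the second key K_gNB and
    the MAC-layer security algorithms. The UE computes the same values from its K_gNB."""
    return (algorithm_key(k_gnb, "N-MAC-enc", enc_alg_id),
            algorithm_key(k_gnb, "N-MAC-int", int_alg_id))


def derive_first_key_from_parent(parent_key, nonce):
    """Variants 2/3: first key from K_RRC* or K_UP* and a random number (hypothetical
    FC 0x7F). The nonce must reach the UE, e.g. in RRC signalling, for it to derive the same key."""
    return kdf(parent_key, 0x7F, nonce)[16:]
```

Because the KDF is one-way, a DU key obtained by an attacker does not yield K_gNB or the CU's RRC and UP keys; the reverse is not true (K_gNB yields every derived key), which is why the page keeps the DU on a separately derived key rather than handing it K_gNB.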
  • the CU sends the first key to the DU.
  • the CU can send the first key to the DU in a UE context setup request message or a UE context modification request message.
  • the DU receives the first key from the CU, and uses the first key to perform first security processing or second security processing at the MAC layer.
  • the DU can use the first key to perform the first security processing on the first user plane control information at the MAC layer to obtain the first MAC PDU, or use the first key to perform the second security processing on the second MAC PDU at the MAC layer to obtain the second user plane control information; for details refer to the description of the first embodiment above.
  • the terminal device can likewise derive the first key from at least one of the second key, the third key and the fourth key, and then use the first key to perform the first security processing on the second user plane control information at the MAC layer to obtain the second MAC PDU, or use the first key to perform the second security processing on the first MAC PDU at the MAC layer to obtain the first user plane control information.
  • the key used by the DU for security processing at the MAC layer is different from the key used by the CU, so key isolation is achieved: even if the DU key is stolen, the security of the CU is not compromised.
  • the access network device or the terminal device may include corresponding hardware structures and/or software modules for performing various functions.
  • the embodiments of the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is executed by hardware or by computer software driving hardware depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as exceeding the scope of the present application.
  • the embodiment of the present application can divide the functional units of the access network device or the terminal device according to the above method example, for example, each functional unit can be divided corresponding to each function, or two or more functions can be integrated into one unit .
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.
  • FIG. 9 shows a possible exemplary block diagram of the device involved in the embodiment of the present application.
  • an apparatus 900 may include: a processing unit 902 and a communication unit 903 .
  • the processing unit 902 is used to control and manage the actions of the device 900 .
  • the communication unit 903 is used to support the communication between the apparatus 900 and other devices.
  • the communication unit 903 is also referred to as a transceiver unit, and may include a receiving unit and/or a sending unit, configured to perform receiving and sending operations respectively.
  • the device 900 may further include a storage unit 901 for storing program codes and/or data of the device 900.
  • the apparatus 900 may be the access network device in the foregoing embodiments, or may also be a chip provided in the access network device.
  • the processing unit 902 may support the apparatus 900 to execute the actions of the access network device in the above method examples (such as FIG. 5 or FIG. 8 ).
  • the processing unit 902 mainly executes internal actions of the access network device in the method example (such as FIG. 5 or FIG. 8 ), and the communication unit 903 may support communication between the apparatus 900 and other devices.
  • the processing unit 902 is configured to: perform first security processing on the user plane control information at the MAC layer to obtain a MAC PDU;
  • the communication unit 903 is configured to: send the MAC PDU to the terminal device; wherein the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the terminal device to perform the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing; N and M are integers greater than or equal to 1.
  • the communication unit 903 is configured to: receive a MAC PDU from a terminal device, the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, and each first MAC sub-PDU corresponds to At least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information after the first security processing, where N and M are integers greater than or equal to 1;
  • the processing unit 902 is configured to: perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU at the MAC layer according to the first MAC sub-PDU.
  • the apparatus 900 may be the terminal device in the foregoing embodiments, or may also be a chip provided in the terminal device.
  • the processing unit 902 may support the apparatus 900 to execute the actions of the terminal device in the above method examples (such as FIG. 5 ).
  • the processing unit 902 mainly executes internal actions of the terminal device in the method example (such as FIG. 5 ), and the communication unit 903 can support communication between the apparatus 900 and other devices.
  • the processing unit 902 is configured to: perform first security processing on the user plane control information at the MAC layer to obtain a MAC PDU;
  • the communication unit 903 is configured to: send the MAC PDU to the access network device; wherein the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the access network device to perform the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing; N and M are integers greater than or equal to 1.
  • the communication unit 903 is configured to: receive a MAC PDU from an access network device, the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU The PDU corresponds to at least one second MAC sub-PDU, and the M second MAC sub-PDUs include user plane control information or the first user plane control information after the first security processing, and N and M are greater than or equal to 1 Integer; the processing unit 902 is configured to: perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU at the MAC layer according to the first MAC sub-PDU.
  • each unit in the device can be implemented in the form of software called by the processing element; they can also be implemented in the form of hardware; some units can also be implemented in the form of software called by the processing element, and some units can be implemented in the form of hardware.
  • each unit can be a separate processing element, or it can be integrated in a certain chip of the device.
  • a unit can also be stored in memory in the form of a program that is called and executed by a processing element of the device to perform the function of that unit.
  • all or part of these units can be integrated together, or implemented independently.
  • the processing element mentioned here may also be a processor, which may be an integrated circuit with signal processing capability.
  • each operation of the above method or each unit above may be realized by an integrated logic circuit of hardware in the processor element, or implemented in the form of software called by the processing element.
  • the units in any of the above devices may be one or more integrated circuits configured to implement the above method, for example: one or more specific integrated circuits (application specific integrated circuit, ASIC), or, one or Multiple microprocessors (digital signal processor, DSP), or, one or more field programmable gate arrays (field programmable gate array, FPGA), or a combination of at least two of these integrated circuit forms.
  • the units in the device can be implemented in the form of a processing element scheduling a program; the processing element can be a processor, such as a general-purpose central processing unit (CPU) or another processor that can call programs.
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • the above unit for receiving is an interface circuit of the device for receiving signals from other devices.
  • the receiving unit is an interface circuit for the chip to receive signals from other chips or devices.
  • the above sending unit is an interface circuit of the device, and is used to send signals to other devices.
  • the sending unit is an interface circuit used by the chip to send signals to other chips or devices.
  • the access network device 100 may include one or more DUs 1001 and one or more CUs 1002.
  • the DU 1001 may include at least one antenna 10011, at least one radio frequency unit 10012, at least one processor 10013 and at least one memory 10014.
  • the DU 1001 part is mainly used for transmitting and receiving radio frequency signals, conversion of radio frequency signals and baseband signals, and part of baseband processing.
  • the CU 1002 may include at least one processor 10022 and at least one memory 10021 .
  • the CU 1002 is mainly used for baseband processing, controlling access network equipment, and the like.
  • the DU 1001 and the CU 1002 may be physically set together, or physically separated, that is, distributed base stations.
  • the CU 1002 is the control center of the access network equipment, and can also be called a processing unit, which is mainly used to complete the baseband processing function.
  • the CU 1002 may be used to control the access network device to execute the operation procedures related to the access network device in the foregoing method embodiments.
  • the access network device 100 may include one or more radio frequency units, one or more DUs, and one or more CUs.
  • the DU may include at least one processor 10013 and at least one memory 10014
  • the radio frequency unit may include at least one antenna 10011 and at least one radio frequency unit 10012
  • the CU may include at least one processor 10022 and at least one memory 10021.
  • the CU 1002 can be composed of one or more boards; multiple boards can jointly support a radio access network of a single access standard (such as a 5G network), or separately support radio access networks of different access standards (such as an LTE network, a 5G network or other networks).
  • the memory 10021 and the processor 10022 may serve one or more single boards. That is to say, memory and processors can be set independently on each single board. It may also be that multiple single boards share the same memory and processor. In addition, necessary circuits can also be set on each single board.
  • the DU1001 can be composed of one or more single boards, and multiple single boards can jointly support a wireless access network (such as a 5G network) with a single access indication, or can separately support wireless access networks of different access standards (such as a 5G network). LTE network, 5G network or other networks).
  • the memory 10014 and the processor 10013 may serve one or more single boards. That is to say, memory and processors can be set independently on each single board. It may also be that multiple single boards share the same memory and processor. In addition, necessary circuits can also be set on each single board.
  • the access network device shown in FIG. 10 can implement various processes involving the access network device in the method embodiments shown in FIGS. 5 and 8 .
  • the operations and/or functions of the various modules in the access network device shown in FIG. 10 are respectively intended to implement the corresponding processes in the foregoing method embodiments.
  • the terminal device includes: an antenna 1110 , a radio frequency part 1120 , and a signal processing part 1130 .
  • the antenna 1110 is connected to the radio frequency part 1120 .
  • the radio frequency part 1120 receives, via the antenna 1110, the information sent by the network device and forwards it to the signal processing part 1130 for processing.
  • the signal processing part 1130 processes the terminal device's information and sends it to the radio frequency part 1120.
  • the radio frequency part 1120 processes the terminal device's information and sends it to the network device through the antenna 1110.
  • the signal processing part 1130 may include a modulation and demodulation subsystem, which implements the processing of data at each communication protocol layer; it may also include a central processing subsystem, which implements the operating system and application layer processing of the terminal device; and it may include other subsystems, such as a multimedia subsystem and a peripheral subsystem, where the multimedia subsystem controls the terminal device's camera, screen display and so on, and the peripheral subsystem implements connections to other devices.
  • the modem subsystem can be a separate chip.
  • the modem subsystem may include one or more processing elements 1131, including, for example, a master CPU and other integrated circuits.
  • the modem subsystem may further include a storage element 1132 and an interface circuit 1133 .
  • the storage element 1132 is used to store data and programs; however, the program that executes the method performed by the terminal device in the above methods need not be stored in the storage element 1132, but may be stored in a memory outside the modem subsystem, which the modem subsystem loads and uses when needed.
  • Interface circuit 1133 is used to communicate with other subsystems.
  • the modem subsystem can be realized by a chip, and the chip includes at least one processing element and an interface circuit, wherein the processing element is used to execute each step of any method performed by the above terminal equipment, and the interface circuit is used to communicate with other devices.
  • the unit by which the terminal device implements each step of the above method may be implemented in the form of a processing element invoking a program.
  • the apparatus for the terminal device includes a processing element and a storage element, and the processing element calls the program stored in the storage element to execute the method performed by the terminal device in the above method embodiment.
  • the storage element may be a storage element on the same chip as the processing element, that is, an on-chip storage element.
  • the program for executing the method executed by the terminal device in the above method may be stored in a storage element on a different chip from the processing element, that is, an off-chip storage element.
  • the processing element loads the program from the off-chip storage element into the on-chip storage element, and then invokes and executes the method performed by the terminal device in the above method embodiment.
  • the unit of the terminal device that implements each step in the above method may be configured as one or more processing elements located on the modem subsystem, where the processing elements may be integrated circuits, for example one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
  • the units of the terminal device for implementing each step in the above method can be integrated together and implemented in the form of an SOC, and the SOC chip is used to implement the above method.
  • the chip may integrate at least one processing element and a storage element, with the processing element calling the program stored in the storage element to implement the method executed by the above terminal device; or the chip may integrate at least one integrated circuit that implements the method executed by the above terminal device; or these implementations may be combined, with the functions of some units implemented by processing elements calling programs and the functions of other units implemented as integrated circuits.
  • the above apparatus for a terminal device may include at least one processing element and an interface circuit, where at least one processing element is configured to execute any method performed by the terminal device provided in the above method embodiments.
  • the processing element can perform some or all of the steps performed by the terminal device in a first way, by calling the program stored in the storage element, or in a second way, through the integrated logic circuits of the hardware in the processing element combined with instructions; of course, some or all of the steps performed by the terminal device may also be performed by combining the first way and the second way.
  • the processing elements here are the same as those described above, and may be implemented by a processor, and the functions of the processing elements may be the same as those of the processing unit described in FIG. 9 .
  • the processing element may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as one or more ASICs, one or more digital signal processors (DSPs), one or more FPGAs, or a combination of at least two of these integrated circuit forms.
  • the storage element may be implemented by a memory, and the function of the storage element may be the same as that of the storage unit described in FIG. 9 .
  • a storage element may be one memory, or a general term for multiple memories.
  • the terminal device shown in FIG. 11 can implement various processes related to the terminal device in the foregoing method embodiments.
  • the operations and/or functions of the various modules in the terminal device shown in FIG. 11 are respectively for implementing the corresponding processes in the foregoing method embodiments.
  • "system" and "network" in the embodiments of the present application may be used interchangeably.
  • “At least one” means one or more, and “plurality” means two or more.
  • “And/or” describes the association relationship of associated objects, indicating that there can be three types of relationships, for example, A and/or B, which can mean: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural.
  • the character “/” generally indicates that the contextual objects are an “or” relationship.
  • "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, "at least one of A, B and C" includes A, B, C, AB, AC, BC or ABC. And, unless otherwise specified, ordinal numerals such as "first" and "second" mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority or degree of importance of those objects.
  • the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, which implement the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of communications. A communication method and apparatus are disclosed. The method comprises the following steps: a first communication apparatus performs first security processing on user-plane control information in the MAC layer to obtain a MAC PDU, and sends the MAC PDU to a second communication apparatus; the MAC PDU may comprise N first MAC sub-PDUs and M second MAC sub-PDUs, and the N first MAC sub-PDUs are additionally generated and used to protect the M second MAC sub-PDUs, so that the impact on the existing MAC PDU format is small while security processing is applied to user-plane control information, and security processing on one or more MAC CEs or MAC SDUs within a MAC PDU can be implemented flexibly.
PCT/CN2022/120943 2021-09-28 2022-09-23 Communication method and apparatus WO2023051409A1 (fr)
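The MAC PDU layout the abstract describes, N first MAC sub-PDUs generated to protect M second MAC sub-PDUs, as an added Python example that is not the patent's own design or code. Everything about the wire format is an assumption made for this example and is not specified on this page: a one-byte subheader carrying a 6-bit LCID plus a one-byte length field (loosely modelled on the NR MAC subheader), the hypothetical LCID values, HMAC-SHA256 truncated to a 32-bit tag, a freshness counter, and a first sub-PDU that carries the counter, the number M and the tag. The example uses N = 1 and leaves padding outside the protected set, which is the per-sub-PDU flexibility the abstract refers to.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the patent): toy subheader = 1 byte LCID (6 bits used)
# + 1 byte length; hypothetical LCID values; 32-bit truncated HMAC-SHA256 tag.
LCID_SEC = 0x21      # hypothetical "first" MAC sub-PDU: count, M and the tag
LCID_PADDING = 0x3F  # padding, deliberately left outside the protected set
TAG_LEN = 4          # 32-bit tag, by assumption (NR's MAC-I is also 32 bits)


def encode_subpdu(lcid: int, payload: bytes) -> bytes:
    """Subheader (LCID, L) followed by the payload; payload limited to 255 bytes here."""
    if not 0 <= lcid < 64 or len(payload) > 255:
        raise ValueError("lcid or payload length out of range for this toy format")
    return bytes([lcid, len(payload)]) + payload


def decode_subpdus(pdu: bytes) -> list:
    """Split a MAC PDU into (lcid, payload) pairs in order; rejects truncated input."""
    subs, i = [], 0
    while i < len(pdu):
        if i + 2 > len(pdu):
            raise ValueError("truncated subheader")
        lcid, length = pdu[i] & 0x3F, pdu[i + 1]
        payload = pdu[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated sub-PDU payload")
        subs.append((lcid, payload))
        i += 2 + length
    return subs


def compute_tag(key: bytes, count: int, protected: list) -> bytes:
    """Tag over the counter and the exact wire bytes of the M protected sub-PDUs."""
    msg = struct.pack(">I", count) + b"".join(encode_subpdu(l, p) for l, p in protected)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_mac_pdu(key: bytes, count: int, protected: list, unprotected=()) -> bytes:
    """Sender: one 'first' sub-PDU (count, M, tag) in front of the M 'second'
    sub-PDUs, followed by any sub-PDUs that are not protected (padding here)."""
    tag = compute_tag(key, count, protected)
    first = encode_subpdu(LCID_SEC, struct.pack(">IB", count, len(protected)) + tag)
    body = b"".join(encode_subpdu(l, p) for l, p in protected)
    trailer = b"".join(encode_subpdu(l, p) for l, p in unprotected)
    return first + body + trailer


def verify_mac_pdu(key: bytes, pdu: bytes, min_count: int):
    """Receiver: returns (count, protected sub-PDUs), or None if the PDU must be dropped."""
    try:
        subs = decode_subpdus(pdu)
    except ValueError:
        return None
    if not subs or subs[0][0] != LCID_SEC or len(subs[0][1]) != 5 + TAG_LEN:
        return None
    count, m = struct.unpack(">IB", subs[0][1][:5])
    tag = subs[0][1][5:]
    if count < min_count:            # counter went backwards: replayed PDU
        return None
    protected = subs[1:1 + m]
    if len(protected) != m:          # fewer sub-PDUs than the first sub-PDU claims
        return None
    if not hmac.compare_digest(tag, compute_tag(key, count, protected)):
        return None
    return count, protected


if __name__ == "__main__":
    key = b"\x11" * 16                      # constructed key for the demo
    prot = [(0x01, b"\x07"), (0x04, b"user-data")]  # hypothetical MAC CE and MAC SDU
    pdu = build_mac_pdu(key, 7, prot, [(LCID_PADDING, b"\x00\x00")])
    print(pdu.hex(), verify_mac_pdu(key, pdu, 0))
```

On the receiving side a PDU is dropped when the tag does not verify, when the counter goes backwards, or when fewer than M sub-PDUs follow the first sub-PDU; a modification of the trailing padding is accepted, which is exactly the trade-off of protecting only selected sub-PDUs rather than the whole MAC PDU.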

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111143477.1A CN115884173A (zh) 2021-09-28 2021-09-28 A communication method and apparatus
CN202111143477.1 2021-09-28

Publications (1)

Publication Number Publication Date
WO2023051409A1 true WO2023051409A1 (fr) 2023-04-06

Family

ID=85763472

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/120943 WO2023051409A1 (fr) 2021-09-28 2022-09-23 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN115884173A (fr)
WO (1) WO2023051409A1 (fr)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011021866A2 (fr) * 2009-08-21 2011-02-24 Samsung Electronics Co., Ltd. Method and system for transmitting data on an access link
US20120039471A1 (en) * 2009-04-21 2012-02-16 Sun Hee Kim Efficient security-related processing
CN106465183A (zh) * 2016-09-20 2017-02-22 北京小米移动软件有限公司 Data transmission method, apparatus and system
CN109586900A (zh) * 2017-09-29 2019-04-05 华为技术有限公司 Data security processing method and apparatus
CN111600831A (zh) * 2019-04-30 2020-08-28 维沃移动通信有限公司 Signaling transmission method and device
CN112166623A (zh) * 2018-06-14 2021-01-01 Oppo广东移动通信有限公司 Method and apparatus for controlling a security function, network device and terminal device
CN113273236A (zh) * 2019-01-18 2021-08-17 高通股份有限公司 Medium access control security

Also Published As

Publication number Publication date
CN115884173A (zh) 2023-03-31

Similar Documents

Publication Publication Date Title
US10887942B2 (en) Method and apparatus for transmitting/receiving data in mobile communication system
US12010592B2 (en) Sidelink communications method and apparatus
US20200260355A1 (en) Data transmission system, method, and apparatus
US8670369B2 (en) Method, relay node, and system for processing data on relay link
AU2018202590A1 (en) Apparatus, system and method of securing communications of a user equipment (ue) in a wireless local area network
WO2018058687A1 (fr) Control signaling processing method, device and system
EP3840518B1 (fr) RRC connection method and terminal
EP4114127A1 (fr) Radio bearer configuration method, apparatus and system
WO2018084202A1 (fr) Wireless terminal and base station
WO2023005929A1 (fr) Communication method and apparatus
WO2023051409A1 (fr) Communication method and apparatus
WO2021238813A1 (fr) Key obtaining method and apparatus
CN113455034B (zh) Communication method and apparatus
WO2016136492A1 (fr) Wireless terminal and base station
CN115668822A (zh) Method and device for signaling suspension and resumption of network coding operations
CN112640570B (zh) Early downlink data transmission method and apparatus
WO2023213191A1 (fr) Security protection method and communication apparatus
WO2023098209A1 (fr) Data transmission protection method, device and system
WO2022267450A1 (fr) Data transmission method, PDCP sending entity, network device and storage medium
WO2022170545A1 (fr) Radio link re-establishment method and apparatus
EP4322606A1 (fr) Communication method and device
KR20230047837A (ko) Method, apparatus and system for user plane security in a communication system
CN116980838A (zh) Communication method and apparatus
CN115174491A (zh) Communication method and communication apparatus
CN116803114A (zh) Method, infrastructure equipment and communication apparatus

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22874795

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE