WO2023051614A1 - Communication method and device - Google Patents
Communication method and device
- Publication number: WO2023051614A1 (PCT application PCT/CN2022/122165)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- integrity protection
- user plane
- network standard
- network
- terminal device
Classifications
- H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity (H Electricity; H04 Electric communication technique; H04W Wireless communication networks)
  - H04W12/03 Protecting confidentiality, e.g. by encryption
  - H04W12/041 Key generation or derivation (under H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA])
  - H04W12/10 Integrity
  - H04W12/106 Packet or message integrity
  - H04W12/108 Source integrity
Definitions
- the present application relates to the communication field, and in particular to a communication method and device.
- the user plane security on-demand protection mechanism is a security mechanism in the fifth generation (5th generation, 5G) network, and the user plane security on-demand protection mechanism includes user plane encryption protection and user plane integrity protection.
- The access network device decides, according to the user plane security policy, whether to enable user plane encryption protection and/or user plane integrity protection between itself and the terminal device. In this way, the user plane security on-demand protection mechanism of the 5G network can provide more flexible user plane security protection for terminal devices.
- In the existing 4G network, by contrast, user plane security between the access network device and the terminal device is fixed: user plane encryption protection is always enabled and user plane integrity protection is always disabled. That is, the existing 4G network does not support on-demand user plane integrity protection, so its user plane security protection is inflexible. How to realize on-demand user plane integrity protection in a 4G network is therefore a problem that needs to be solved.
- Embodiments of the present application provide a communication method and device, which can realize on-demand protection of user plane integrity in a 4G network.
- In a first aspect, a communication method includes: when a first condition is met, the access network device of the first network standard obtains user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard, sends a first message to the terminal device, and activates user plane integrity protection of a first data radio bearer (DRB) according to a first key and the integrity protection algorithm of the second network standard.
- the first condition includes: determining to establish a first DRB between the access network device of the first network standard and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- the first message includes user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard.
- When the access network device of the first network standard determines to establish the first DRB and determines to enable user plane integrity protection of the first DRB, it obtains the user plane integrity protection indication information (indicating that user plane integrity protection is to be enabled) together with the integrity protection algorithm identifier of the second network standard, and sends both to the terminal device. Both the access network device of the first network standard and the terminal device can then activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard. In this way the on-demand user plane integrity protection mode of the second network standard is adapted to user plane integrity protection between the terminal device and the access network device of the first network standard, which reduces the changes required on the terminal device.
- the first message may further include first indication information, and the first indication information may be used to indicate that the master key is used to determine the first key.
- the master key may be the key KeNB of the access network device of the first network standard.
- the first key may be a user plane integrity protection key, and the first key may be used to perform integrity protection on user plane data between the terminal device and the access network device.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier.
- the value of the first algorithm type identifier may be 0x07, for example, the first algorithm type identifier may be N-UP-int-alg.
- In this way, user plane integrity protection of the first DRB can be activated according to the first key and the integrity protection algorithm of the second network standard, so that the on-demand user plane integrity protection mode of the second network standard is adapted to user plane integrity protection between the terminal device and the access network device of the first network standard.
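A worked derivation of the first key, added here as an example; it is not part of the patent text. It assumes the first key is produced with the 3GPP algorithm key KDF of TS 33.401 Annex A.7 (HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 with FC = 0x15, keeping the 128 least significant bits of the output), with the patent's first algorithm type identifier 0x07 (N-UP-int-alg) as P0 and the NR integrity algorithm identifier as P1. The patent does not state the FC value or the KDF framing, so those are assumptions, and the KeNB value is constructed. The block also shows why a new distinguisher is needed: 0x06 is already the LTE UP-int-alg distinguisher in TS 33.401, and the KDF keeps the two keys apart.

```python
import hashlib
import hmac
from typing import Optional

# Algorithm type distinguishers (P0). 0x01..0x06 are the LTE values of
# TS 33.401 Annex A.7; 0x07 is the first algorithm type identifier
# (N-UP-int-alg) proposed on this page for a user plane integrity key that
# is derived with an NR integrity algorithm identifier.
UP_INT_ALG = 0x06      # LTE UP-int-alg distinguisher (TS 33.401)
N_UP_INT_ALG = 0x07    # patent's first algorithm type identifier

# NR integrity algorithm identities (P1), TS 33.501: NIA0 null, NIA1 SNOW 3G
# based, NIA2 AES-CMAC based, NIA3 ZUC based.
NIA0, NIA1, NIA2, NIA3 = 0x00, 0x01, 0x02, 0x03

# FC value for algorithm key derivation in TS 33.401 A.7. Assumption: the
# patent reuses this framing; the page itself does not state an FC value.
FC_ALG_KEY_DERIVATION = 0x15


def kdf_input_string(fc: int, alg_type: int, alg_id: int) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 (TS 33.220 Annex B) with P0 the
    algorithm type distinguisher and P1 the algorithm identity, each one
    byte long, so L0 = L1 = 0x0001."""
    for value in (fc, alg_type, alg_id):
        if not 0 <= value <= 0xFF:
            raise ValueError("KDF parameters are single bytes")
    return bytes([fc, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])


def derive_algorithm_key(master_key: bytes, alg_type: int, alg_id: int,
                         fc: int = FC_ALG_KEY_DERIVATION) -> bytes:
    """Derive a 128-bit algorithm key from the 256-bit master key (KeNB):
    HMAC-SHA-256(master_key, S) truncated to its 128 least significant
    bits, as TS 33.401 A.7 does for LTE algorithm keys."""
    if len(master_key) != 32:
        raise ValueError("KeNB must be 256 bits")
    full = hmac.new(master_key, kdf_input_string(fc, alg_type, alg_id),
                    hashlib.sha256).digest()
    return full[16:]   # last 16 bytes = 128 least significant bits


def derive_first_key(kenb: bytes, nr_int_alg_id: int) -> bytes:
    """The first key of the page: master key KeNB, NR integrity algorithm
    identifier, first algorithm type identifier 0x07."""
    return derive_algorithm_key(kenb, N_UP_INT_ALG, nr_int_alg_id)


def activate_drb_integrity(kenb: bytes, first_message: dict) -> Optional[dict]:
    """What each side does on the first message: if user plane integrity
    protection is indicated for the DRB and the first indication says the
    master key is to be used, derive the first key and return what is
    configured into the NR PDCP entity of that DRB. Returns None when
    integrity protection is not to be activated."""
    if not first_message["up_integrity_enabled"]:
        return None
    if not first_message.get("use_master_key", True):
        raise ValueError("only master-key based derivation is modelled here")
    alg = first_message["nr_int_alg_id"]
    return {"drb_id": first_message["drb_id"],
            "algorithm": alg,
            "key": derive_first_key(kenb, alg)}


if __name__ == "__main__":
    kenb = bytes(range(32))   # constructed KeNB, not a real key
    msg = {"drb_id": 1, "up_integrity_enabled": True,
           "use_master_key": True, "nr_int_alg_id": NIA2}
    enb_cfg = activate_drb_integrity(kenb, msg)   # access network side
    ue_cfg = activate_drb_integrity(kenb, msg)    # terminal side
    assert enb_cfg == ue_cfg                      # both sides agree
    legacy = derive_algorithm_key(kenb, UP_INT_ALG, NIA2)
    print("first key (0x07, NIA2):      ", enb_cfg["key"].hex())
    print("LTE UP-int-alg key (0x06, 2):", legacy.hex())
```

Both sides hold the same KeNB and receive the same (indication, algorithm identifier, first indication) triple, so they arrive at the same first key without any further key exchange; the distinguisher value is what keeps this key separate from a legacy LTE user plane integrity key derived for the same algorithm identity.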
- the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the second network standard of the terminal device.
- The security capability of the second network standard may be a new radio (NR) security capability. The NR security capability includes at least one integrity protection algorithm identifier, from which the access network device of the first network standard may select one integrity protection algorithm identifier.
- the communication method provided in the first aspect may further include: the access network device of the first network standard receiving the second message from the core network element of the first network standard.
- the second message may include the security capability of the second network standard of the terminal device. That is to say, the security capability of the second network standard may be received from a core network element of the first network standard.
- the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the first network standard.
- the security capability of the second network standard may be determined according to the security capability of the first network standard, and the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the second network standard.
- The communication method provided in the first aspect may further include: when the terminal device supports user plane integrity protection, the access network device of the first network standard determines the integrity protection algorithm identifier of the second network standard according to the security capability of the first network standard. In this way, no power is wasted on the determination for a terminal device that cannot use it.
- The security capability of the first network standard may include the integrity protection algorithm identifier of the first network standard, and the integrity protection algorithm identifier of the second network standard may be obtained by mapping the integrity protection algorithm identifier of the first network standard. In this way, the integrity protection algorithm identifier of the second network standard can be obtained through mapping.
- the security capability of the first network standard may be received by an access network device of the first network standard from a network element of the core network of the first network standard. In this way, the security capability of the first network standard can be obtained, so that the integrity protection algorithm identifier of the second network standard can be further obtained.
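An added example (not from the patent) of the two routes described above by which the access network device of the first network standard can obtain an NR integrity protection algorithm identifier: parse the NR security capability if the core network element delivered one, otherwise map the EPS security capability to NR identifiers, then select one identifier from a configured priority list. The same mapping is what the later passages on deriving the second-standard identifier from the first-standard identifier rely on. The one-to-one mapping uses the fact that 128-NIA1, 128-NIA2 and 128-NIA3 are the same algorithms as 128-EIA1 (SNOW 3G), 128-EIA2 (AES-CMAC) and 128-EIA3 (ZUC). The 16-bit bitmap layout (first bit = algorithm 1, second = algorithm 2, third = algorithm 3) follows the UESecurityCapabilities convention of S1AP/NGAP and is an assumption about how the capability arrives; the priority list and capability values are constructed.

```python
from typing import Dict, Iterable, List, Optional, Set

# Integrity algorithm identities. EIA0..EIA3 (TS 33.401) and NIA0..NIA3
# (TS 33.501) share numbering, and 128-NIA1/2/3 are the same algorithms as
# 128-EIA1/2/3, so the identifiers map one-to-one. Anything else has no
# counterpart and is dropped rather than guessed.
EIA_TO_NIA: Dict[int, int] = {0x00: 0x00, 0x01: 0x01, 0x02: 0x02, 0x03: 0x03}
NULL_ALG = 0x00


def parse_integrity_bitmap(bitmap16: int) -> Set[int]:
    """Decode a 16-bit integrity algorithm bitmap in the S1AP/NGAP
    UESecurityCapabilities convention (assumed here): the first, most
    significant bit stands for algorithm 1, the second for algorithm 2,
    the third for algorithm 3. The null algorithm is always supported and
    is not carried in the bitmap."""
    if not 0 <= bitmap16 <= 0xFFFF:
        raise ValueError("bitmap must be 16 bits")
    supported = {NULL_ALG}
    for alg_id in (1, 2, 3):
        if bitmap16 & (1 << (16 - alg_id)):
            supported.add(alg_id)
    return supported


def nr_capability_from_eps(eps_int_algs: Iterable[int]) -> Set[int]:
    """Map first-network-standard (EPS) integrity identifiers to
    second-network-standard (NR) identifiers."""
    return {EIA_TO_NIA[a] for a in eps_int_algs if a in EIA_TO_NIA}


def select_nr_integrity_algorithm(ue_nr_int_algs: Set[int],
                                  priority: List[int]) -> Optional[int]:
    """Highest-priority non-null NR integrity algorithm the UE supports.
    Returns None when only the null algorithm is common: NIA0 gives no
    integrity protection, so it must never be the outcome of a decision to
    enable user plane integrity protection."""
    for alg in priority:
        if alg != NULL_ALG and alg in ue_nr_int_algs:
            return alg
    return None


def choose_algorithm_for_drb(ue_supports_up_ip: bool,
                             nr_bitmap: Optional[int],
                             eps_bitmap: Optional[int],
                             priority: List[int]) -> Optional[int]:
    """The access network device's decision: skip the whole selection when
    the UE does not support user plane integrity protection; otherwise use
    the NR capability if present, else derive it from the EPS capability."""
    if not ue_supports_up_ip:
        return None
    if nr_bitmap is not None:
        caps = parse_integrity_bitmap(nr_bitmap)
    elif eps_bitmap is not None:
        caps = nr_capability_from_eps(parse_integrity_bitmap(eps_bitmap))
    else:
        return None
    return select_nr_integrity_algorithm(caps, priority)


if __name__ == "__main__":
    # Constructed values: operator prefers AES-CMAC, then SNOW 3G, then ZUC.
    enb_priority = [0x02, 0x01, 0x03]
    # UE advertising EIA1 and EIA2 only (first two bits set), no NR capability.
    print(choose_algorithm_for_drb(True, None, 0xC000, enb_priority))   # 2
    # UE advertising only NIA3 in its NR capability, with a non-ZUC eNB.
    print(choose_algorithm_for_drb(True, 0x2000, None, [0x02, 0x01]))    # None
```

When the selection returns None the access network device has no integrity algorithm it can enable for the DRB, so the first condition is not met and no user plane integrity protection indication is sent; silently picking the null algorithm would produce a DRB that looks protected but is not.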
- The access network device of the first network standard activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard may include: the access network device of the first network standard configures the first key and the integrity protection algorithm of the second network standard to the packet data convergence protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- The first condition may further include that the terminal device supports user plane integrity protection. In this way, the procedure for flexibly enabling user plane integrity protection (for example, obtaining the user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard) is only run for a terminal device that can use it, which saves power.
- the communication method provided in the first aspect may further include: the access network device of the first network standard receiving user plane indication information from the terminal device or the core network element of the first network standard.
- the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection, and the first condition may be determined according to the user plane indication information.
- the access network device of the first network standard can determine whether the terminal device supports user plane integrity protection according to the user plane indication information.
- The user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information may be encapsulated in the radio bearer configuration (Radiobearerconfig) information element of the first message.
- the first network standard may include fourth generation 4G, long term evolution (long term evolution, LTE), or evolved packet system (evolved packet system, EPS).
- the second network standard may include fifth generation 5G, new air interface NR, or fifth generation system (5th generation system, 5GS).
- The first network standard and the second network standard are not limited in this application; it is only required that the first network standard and the second network standard be different network standards.
- In a second aspect, a communication method includes: the terminal device receives a first message; when the first message comes from an access network device of the first network standard and the user plane integrity protection indication information indicates that user plane integrity protection of the first DRB is enabled, the terminal device activates user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- The first message includes the user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard. The user plane integrity protection indication information is used to indicate that user plane integrity protection of the first data radio bearer (DRB) between the access network device of the first network standard and the terminal device is enabled.
- the first message may also include first indication information, and the first indication information may be used to indicate that the master key is used to determine the first key.
- The communication method provided in the second aspect may also include: the terminal device determines the first key using the master key according to the first indication information.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- The communication method provided in the second aspect may further include: when the terminal device supports user plane integrity protection, the terminal device sends a third message to the core network element of the first network standard. The third message may include the security capability of the second network standard.
- The terminal device activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard may include: the terminal device configures the first key and the integrity protection algorithm of the second network standard to the packet data convergence protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- The communication method provided in the second aspect may further include: the terminal device determines, according to the public land mobile network identity (PLMN ID), whether the first message comes from an access network device of the first network standard. The PLMN ID is obtained from the access network device that sends the first message. For example, if the PLMN ID does not indicate 5G, the access network device sending the first message is an access network device of the first network standard.
- the communication method provided in the second aspect may further include: the terminal device sending user plane indication information to an access network device of the first network standard or a core network element of the first network standard.
- the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection.
- the user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information may be encapsulated in the Radiobearerconfig information element of the first message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new air interface NR, or fifth-generation system 5GS.
- In a third aspect, a communication method includes: when the first condition is met, the access network device of the first network standard obtains the user plane integrity protection indication information and the integrity protection algorithm identifier of the first network standard, sends a fourth message to the terminal device, and activates user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the fourth message includes user plane integrity protection indication information.
- the first condition includes: determining to establish a first data radio bearer (DRB) between the access network device of the first network standard and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- When the access network device of the first network standard determines to establish the first DRB and determines to enable user plane integrity protection of the first DRB, it obtains the user plane integrity protection indication information (indicating that user plane integrity protection is to be enabled) together with the integrity protection algorithm identifier of the first network standard, and instructs the terminal device to activate integrity protection using the integrity protection algorithm indicated for the first network standard. Both the access network device of the first network standard and the terminal device can then activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard. In this way the on-demand user plane integrity protection mode of the second network standard is adapted to the terminal device and the access network device of the first network standard, while the integrity protection algorithm of the first network standard is used to activate the protection, which allows user plane integrity protection of different network standards to evolve independently.
- The fourth message may also include first indication information and/or second indication information. The first indication information may be used to instruct the terminal device to use the master key to determine the first key. The second indication information may be used to indicate that user plane integrity protection of the first DRB is activated according to the integrity protection algorithm identifier of the first network standard.
- the second indication information may indicate that user plane integrity protection is activated according to the currently used integrity protection algorithm of the first network standard, or the second indication information includes the identifier of the integrity protection algorithm of the first network standard. In this way, the second indication information may be used to instruct the adopted integrity protection algorithm to enable user plane integrity protection.
- the master key may be the key KeNB of the access network device of the first network standard.
- the first key may be a user plane integrity protection key, and the first key may be used to perform integrity protection on user plane data between the terminal device and the access network device.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type identifier. In this way, the user plane integrity protection of the first DRB can be activated according to the first key and the integrity protection algorithm of the first network standard.
- Alternatively, the first key is determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier, where the integrity protection algorithm identifier of the second network standard is determined according to the integrity protection algorithm identifier of the first network standard.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- The access network device of the first network standard activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard may include: the access network device of the first network standard activates user plane integrity protection of the first DRB using the first key and the integrity protection algorithm of the first network standard according to the second indication information.
- the access network device of the first network standard may use the integrity protection algorithm of the first network standard to implement on-demand protection of user plane integrity according to the indication of the second indication information.
- Alternatively, the access network device of the first network standard activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard may include: the access network device of the first network standard configures the first key and the integrity protection algorithm of the first network standard to the packet data convergence protocol (PDCP) entity of the second network standard corresponding to the first DRB. In this way, the PDCP of the second network standard can be used to activate user plane integrity protection.
- The first condition may further include that the terminal device supports user plane integrity protection. In this way, the procedure for flexibly enabling user plane integrity protection (for example, obtaining the user plane integrity protection indication information and the integrity protection algorithm identifier of the first network standard) is only run for a terminal device that can use it, which saves power.
- the communication method provided by the third aspect further includes: the access network device of the first network standard receives user plane indication information from the terminal device or the core network element of the first network standard.
- the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection, and the first condition may be determined according to the user plane indication information.
- the access network device of the first network standard can determine whether the terminal device supports user plane integrity protection according to the user plane indication information.
- the user plane integrity protection indication information, the first indication information, and the second indication information may be encapsulated in the radio bearer configuration information element of the fourth message. In this way, changes to related standards of access network devices and terminal devices of the first network standard can be reduced.
- the user plane integrity protection indication information and the first indication information may be encapsulated in a radio bearer configuration information element of the fourth message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new air interface NR, or fifth-generation system 5GS.
- The first network standard and the second network standard are not limited in this application; it is only required that the first network standard and the second network standard be different network standards.
- In a fourth aspect, a communication method includes: the terminal device receives a fourth message; when the fourth message comes from an access network device of the first network standard and the user plane integrity protection indication information indicates that user plane integrity protection of the first DRB is to be enabled, the terminal device activates user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the fourth message includes user plane integrity protection indication information, and the user plane integrity protection indication information is used to instruct to start the user plane integrity protection of the first data radio bearer DRB.
- the fourth message may also include first indication information, and the first indication information may be used to indicate that the master key is used to determine the first key.
- The communication method provided in the fourth aspect may also include: the terminal device determines, according to the first indication information, to use the master key to determine the first key.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type identifier.
- Alternatively, the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier, where the integrity protection algorithm identifier of the second network standard may be determined according to the integrity protection algorithm identifier of the first network standard.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- The communication method provided in the fourth aspect may further include: the terminal device obtains the integrity protection algorithm of the first network standard from the access stratum (AS) security context according to the user plane integrity protection indication information.
- The fourth message may further include second indication information, and the second indication information is used to indicate that user plane integrity protection of the first DRB is activated according to the currently used integrity protection algorithm identifier of the first network standard. The communication method provided in the fourth aspect may then further include: the terminal device obtains the integrity protection algorithm of the first network standard from the AS security context according to the second indication information.
- Alternatively, the fourth message further includes second indication information that includes the integrity protection algorithm identifier of the first network standard, and the communication method provided in the fourth aspect may further include: the terminal device obtains the integrity protection algorithm of the first network standard according to that integrity protection algorithm identifier.
- The terminal device activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard may include: the terminal device configures the first key and the integrity protection algorithm of the first network standard to the packet data convergence protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- the communication method provided in the fourth aspect may further include: the terminal device sending user plane indication information to the access network device of the first network standard or the core network element of the first network standard.
- the user plane indication information can be used to indicate whether the terminal device supports user plane integrity protection.
- The communication method provided in the fourth aspect may also include: the terminal device determines, according to the public land mobile network identity (PLMN ID), whether the fourth message comes from an access network device of the first network standard; the PLMN ID is obtained from the access network device that sends the fourth message.
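An added example (not from the patent) of the terminal-side decision logic for the fourth message described in the third and fourth aspects: the source check, the user plane integrity protection indication, the first indication information, and the two forms of second indication information (use the currently used algorithm from the AS security context, or use an explicit identifier). It returns the (algorithm type identifier, algorithm identifier) pair that feeds the key derivation rather than repeating the derivation itself, covering both routes the text gives: the second algorithm type identifier with the EPS identifier, or the first algorithm type identifier 0x07 with the EPS identifier mapped to its NR counterpart. The page gives no value for the second algorithm type identifier, so SECOND_ALG_TYPE_ID is a placeholder assumption; the message and context values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# First algorithm type identifier (N-UP-int-alg) as given on this page.
N_UP_INT_ALG = 0x07
# Assumption: the page gives no value for the second algorithm type
# identifier; this placeholder only keeps the two routes distinguishable.
SECOND_ALG_TYPE_ID = 0x06

# EPS -> NR integrity identifier mapping: 128-NIA1/2/3 are the same
# algorithms as 128-EIA1/2/3, so the identifiers map one-to-one.
EIA_TO_NIA = {0x00: 0x00, 0x01: 0x01, 0x02: 0x02, 0x03: 0x03}


@dataclass
class AsSecurityContext:
    """Terminal's AS security context: KeNB and the integrity algorithm of
    the first network standard currently in use."""
    kenb: bytes
    current_eia: int


@dataclass
class FourthMessage:
    from_first_standard_ran: bool   # outcome of the PLMN ID check
    up_integrity_enabled: bool      # user plane integrity protection indication
    use_master_key: bool = True     # first indication information
    # second indication information: None (absent), "current" (use the
    # currently used EPS algorithm) or an explicit EPS algorithm identifier
    second_indication: Union[None, str, int] = None


def resolve_eps_integrity_alg(msg: FourthMessage, ctx: AsSecurityContext) -> int:
    """Which first-network-standard integrity algorithm to use: the one in
    the AS security context when the second indication is absent or says
    "current", otherwise the identifier carried in the message."""
    if msg.second_indication is None or msg.second_indication == "current":
        return ctx.current_eia
    if isinstance(msg.second_indication, int):
        if msg.second_indication not in EIA_TO_NIA:
            raise ValueError("unknown EPS integrity algorithm identifier")
        return msg.second_indication
    raise ValueError("malformed second indication information")


def kdf_inputs_for_first_key(msg: FourthMessage, ctx: AsSecurityContext,
                             derive_via_nr_id: bool) -> Tuple[int, int]:
    """(algorithm type identifier, algorithm identifier) for the first key.
    Route A: second type identifier with the EPS algorithm identifier.
    Route B: first type identifier 0x07 with the EPS identifier mapped to NR."""
    eia = resolve_eps_integrity_alg(msg, ctx)
    if derive_via_nr_id:
        return N_UP_INT_ALG, EIA_TO_NIA[eia]
    return SECOND_ALG_TYPE_ID, eia


def handle_fourth_message(msg: FourthMessage, ctx: AsSecurityContext,
                          derive_via_nr_id: bool = False) -> Optional[dict]:
    """Terminal-side handling: only a fourth message from an access network
    device of the first network standard that enables user plane integrity
    protection leads to activation. Returns the inputs configured into the
    NR PDCP entity of the DRB, or None when nothing is activated."""
    if not msg.from_first_standard_ran or not msg.up_integrity_enabled:
        return None
    if not msg.use_master_key:
        raise ValueError("only master-key based derivation is described")
    alg_type, alg_id = kdf_inputs_for_first_key(msg, ctx, derive_via_nr_id)
    return {"pdcp_entity": "NR",
            "eps_algorithm": resolve_eps_integrity_alg(msg, ctx),
            "kdf_alg_type": alg_type,
            "kdf_alg_id": alg_id}


if __name__ == "__main__":
    ctx = AsSecurityContext(kenb=bytes(32), current_eia=0x02)   # constructed
    print(handle_fourth_message(FourthMessage(True, True, True, "current"), ctx))
    print(handle_fourth_message(FourthMessage(True, True, True, 0x01), ctx, True))
    print(handle_fourth_message(FourthMessage(False, True), ctx))   # None
```

A message that fails the source check is dropped before any indication is honoured, which matters because the same Radiobearerconfig fields would otherwise be interpreted by the terminal's ordinary 5G handling; both routes end in the same NR PDCP entity, only the key derivation inputs differ.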
- the user plane integrity protection indication information, the first indication information, and the second indication information are encapsulated in the radio bearer configuration Radiobearerconfig information element of the fourth message.
- the user plane integrity protection indication information and the first indication information may be encapsulated in a radio bearer configuration information element of the fourth message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new radio NR, or fifth-generation system 5GS.
- In a fifth aspect, a communication device includes a processing module and a transceiver module. If the first condition is satisfied, the processing module is configured to acquire user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard, and the transceiver module is configured to send the first message to the terminal device. The processing module is further configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the first condition includes: determining to establish a first DRB between the communication device and the terminal equipment, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- the first message includes user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard.
- the first message may further include first indication information, and the first indication information may be used to indicate that the master key is used to determine the first key.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the second network standard of the terminal device.
- the transceiver module is further configured to receive a second message from a core network element of the first network standard.
- the second message may include the security capability of the second network standard of the terminal device.
- the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the first network standard.
- the processing module is further configured to determine the integrity protection algorithm identifier of the second network standard according to the security capability of the first network standard.
- the security capability of the first network standard may include the integrity protection algorithm identifier of the first network standard, and the integrity protection algorithm identifier of the second network standard may be obtained by mapping the integrity protection algorithm identifier of the first network standard.
- the security capability of the first network standard may be received by the communication device from a network element of the core network of the first network standard.
- the processing module is further configured to configure the first key and the integrity protection algorithm of the second network standard to the PDCP entity of the second network standard corresponding to the first DRB.
- the first condition may further include that the terminal device supports user plane integrity protection.
- the transceiver module is further configured to receive user plane indication information from the terminal device or the core network element of the first network standard, where the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection; the first condition is determined according to the user plane indication information.
- the user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information may be encapsulated in the Radiobearerconfig information element of the first message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new radio NR, or fifth-generation system 5GS.
- the transceiver module described in the fifth aspect may include a receiving module and a sending module.
- the receiving module is used to receive data and/or signaling from the terminal device and/or the core network element of the first network standard;
- the sending module is used to send data and/or signaling to the terminal device and/or the core network element of the first network standard.
- This application does not specifically limit the specific implementation manner of the transceiver module.
- the communication device described in the fifth aspect may further include a storage module, where programs or instructions are stored in the storage module.
- when the processing module executes the program or instruction, the communication device described in the fifth aspect can execute the method described in the first aspect.
- the communication device described in the fifth aspect may be an access network device of the first network standard, or a chip (system) or other part or component that can be provided in the access network device of the first network standard, which is not limited in this application.
- In a sixth aspect, a communication device includes a processing module and a transceiver module.
- the transceiver module is configured to receive the first message.
- the processing module is configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the first message includes user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard, where the user plane integrity protection indication information is used to indicate enabling user plane integrity protection of the first data radio bearer (DRB) between the access network device of the first network standard and the communication device.
- the first message may also include first indication information, where the first indication information may be used to indicate that the master key is used to determine the first key, and the processing module is further configured to determine the first key using the master key according to the first indication information.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- when the communication device supports user plane integrity protection, the transceiver module is further configured to send a third message to a core network element of the first network standard.
- the third message may include the security capability of the second network standard.
- when the first message comes from an access network device of the first network standard and the user plane integrity protection indication information indicates enabling the user plane integrity protection of the first DRB, the processing module is further configured to configure the first key and the integrity protection algorithm of the second network standard to the PDCP entity of the second network standard corresponding to the first DRB.
- the processing module is further configured to determine whether the first message comes from an access network device of the first network standard according to the PLMN ID, where the PLMN ID comes from the access network device sending the first message.
- the transceiver module is further configured to send user plane indication information to an access network device of the first network standard or a core network element of the first network standard.
- the user plane indication information may be used to indicate whether the communication device supports user plane integrity protection.
- the user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information may be encapsulated in the Radiobearerconfig information element of the first message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new radio NR, or fifth-generation system 5GS.
- the transceiver module described in the sixth aspect may include a receiving module and a sending module.
- the receiving module is used for receiving data and/or signaling from the access network equipment of the first network standard and/or the core network element of the first network standard;
- the sending module is used to send data and/or signaling to the access network device of the first network standard and/or the core network element of the first network standard.
- This application does not specifically limit the specific implementation manner of the transceiver module.
- the communication device described in the sixth aspect may further include a storage module, where programs or instructions are stored in the storage module.
- when the processing module executes the program or instruction, the communication device described in the sixth aspect can execute the method described in the second aspect.
- the communication device described in the sixth aspect may be a terminal device, or a chip (system) or other part or component that may be provided in the terminal device, which is not limited in this application.
- In a seventh aspect, a communication device includes a processing module and a transceiver module. If the first condition is met, the processing module is configured to acquire user plane integrity protection indication information and an integrity protection algorithm identifier of the first network standard, and the transceiver module is configured to send the fourth message to the terminal device. The processing module is further configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard. The fourth message includes the user plane integrity protection indication information.
- the first condition includes: determining to establish a first data radio bearer (DRB) between the communication device and the terminal equipment, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- the fourth message may also include first indication information and/or second indication information
- the first indication information may be used to instruct the terminal device to use the master key to determine the first key
- the second indication information may be used to indicate that the user plane integrity protection of the first DRB is activated according to the integrity protection algorithm identifier of the first network standard.
- the second indication information may indicate that user plane integrity protection is activated according to the currently used integrity protection algorithm of the first network standard, or the second indication information includes the identifier of the integrity protection algorithm of the first network standard.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type identifier.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier, where the integrity protection algorithm identifier of the second network standard is determined according to the integrity protection algorithm identifier of the first network standard.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- the processing module is further configured to activate user plane integrity protection of the first DRB by using the first key and the integrity protection algorithm of the first network standard according to the second indication information.
- the processing module is further configured to configure the first key and the integrity protection algorithm of the first network standard to the packet data convergence protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- the first condition may further include that the terminal device supports user plane integrity protection.
- the transceiver module is further configured to receive user plane indication information from the terminal device or a core network element of the first network standard.
- the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection, and the first condition may be determined according to the user plane indication information.
- the user plane integrity protection indication information, the first indication information, and the second indication information may be encapsulated in the Radiobearerconfig information element of the fourth message.
- the user plane integrity protection indication information and the first indication information may be encapsulated in a radio bearer configuration information element of the fourth message.
- the first network standard may include fourth generation 4G, long term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new radio NR, or fifth-generation system 5GS.
- the transceiver module described in the seventh aspect may include a receiving module and a sending module.
- the receiving module is used to receive data and/or signaling from the terminal device and/or the core network element of the first network standard;
- the sending module is used to send data and/or signaling to the terminal device and/or the core network element of the first network standard.
- This application does not specifically limit the specific implementation manner of the transceiver module.
- the communication device described in the seventh aspect may further include a storage module, where programs or instructions are stored in the storage module.
- when the processing module executes the program or instruction, the communication device described in the seventh aspect can execute the method described in the third aspect.
- the communication device described in the seventh aspect may be an access network device of the first network standard, or a chip (system) or other part or component that can be provided in the access network device of the first network standard, which is not limited in this application.
- In an eighth aspect, a communication device includes a processing module and a transceiver module.
- the transceiver module is configured to receive the fourth message.
- the processing module is configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the fourth message includes user plane integrity protection indication information, and the user plane integrity protection indication information is used to instruct to start the user plane integrity protection of the first data radio bearer DRB.
- the fourth message may also include first indication information, where the first indication information may be used to indicate that the master key is used to determine the first key, and the processing module is further configured to determine the first key using the master key according to the first indication information.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type identifier.
- the first key may be determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier, where the integrity protection algorithm identifier of the second network standard may be determined according to the integrity protection algorithm identifier of the first network standard.
- the value of the first algorithm type identifier may be 0x07.
- the first algorithm type specifier may be N-UP-int-alg.
- the processing module is further configured to obtain the integrity protection algorithm of the first network standard from the security context of the access stratum (AS) according to the user plane integrity protection indication information.
- the fourth message may further include second indication information, where the second indication information indicates that user plane integrity protection of the first DRB is activated according to the currently used integrity protection algorithm of the first network standard, and the processing module is further configured to obtain the integrity protection algorithm of the first network standard from the AS security context according to the second indication information.
- the fourth message may further include second indication information, where the second indication information includes the integrity protection algorithm identifier of the first network standard, and the processing module is further configured to obtain the integrity protection algorithm of the first network standard according to the integrity protection algorithm identifier of the first network standard.
- the processing module is further configured to configure the first key and the integrity protection algorithm of the first network standard to the PDCP entity of the second network standard corresponding to the first DRB.
- the sending module is further configured to send user plane indication information to an access network device of the first network standard or a core network element of the first network standard.
- the user plane indication information may be used to indicate whether the communication device supports user plane integrity protection.
- the processing module is further configured to determine, according to the public land mobile network identifier (PLMN ID), whether the fourth message comes from an access network device of the first network standard, where the PLMN ID comes from the access network device sending the fourth message.
- the user plane integrity protection indication information, the first indication information, and the second indication information are encapsulated in the radio bearer configuration (Radiobearerconfig) information element of the fourth message.
- the user plane integrity protection indication information and the first indication information may be encapsulated in a radio bearer configuration information element of the fourth message.
- the first network standard may include fourth-generation 4G, long-term evolution LTE, or evolved packet system EPS.
- the second network standard may include fifth-generation 5G, new radio NR, or fifth-generation system 5GS.
- the transceiver module described in the eighth aspect may include a receiving module and a sending module.
- the receiving module is used for receiving data and/or signaling from the access network equipment of the first network standard and/or the core network element of the first network standard;
- the sending module is used to send data and/or signaling to the access network device of the first network standard and/or the core network element of the first network standard.
- This application does not specifically limit the specific implementation manner of the transceiver module.
- the communication device described in the eighth aspect may further include a storage module, where programs or instructions are stored in the storage module.
- when the processing module executes the program or instruction, the communication device described in the eighth aspect can execute the method described in the fourth aspect.
- the communication device described in the eighth aspect may be a terminal device, or a chip (system) or other part or component that may be provided in the terminal device, which is not limited in this application.
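The terminal-side procedure of the eighth aspect (derive the first key from the master key, the algorithm identifier and the algorithm type identifier 0x07, pick the first-standard integrity algorithm from the AS security context or from the second indication information, check the sender's PLMN ID, then hand key and algorithm to the PDCP entity of the DRB) is shown below as an added worked example. It is not code from the patent or from any 3GPP implementation. It assumes: the key derivation is the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, with the 128 least significant bits of the output taken as the key); the FC value 0x15 of the LTE algorithm key derivation, which the page does not state; the EPS-to-5GS integrity algorithm identifier mapping is the identity on the 4-bit identifier (EIA1/NIA1, EIA2/NIA2 and EIA3/NIA3 are the same algorithms); the PLMN check is a comparison with the serving PLMN; and the option the page offers of deriving with the mapped second-standard identifier plus the 0x07 type identifier. All class, field and function names are invented for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Union

# --- Key derivation ---------------------------------------------------------
# Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, S) with
# S = FC || P0 || L0 || P1 || L1, each Li a two-byte big-endian length.
# FC is an assumption: 0x15 is the FC of the LTE algorithm key derivation
# (TS 33.401 Annex A.7); the page names the inputs but not the FC.
FC_ALG_KEY_DERIVATION = 0x15

# Algorithm type distinguisher for NR user plane integrity: the page gives
# 0x07 (N-UP-int-alg) as the value of the "first algorithm type identifier".
ALG_TYPE_N_UP_INT = 0x07

# EPS integrity algorithm identifier -> 5GS identifier (assumed identity map:
# EIA0/NIA0 null, EIA1/NIA1 SNOW 3G, EIA2/NIA2 AES-CMAC, EIA3/NIA3 ZUC).
EIA_TO_NIA = {0x0: 0x0, 0x1: 0x1, 0x2: 0x2, 0x3: 0x3}


def map_first_to_second_standard_alg(eia_id: int) -> int:
    """Map a first-standard (EPS) integrity algorithm identifier to the
    second standard (5GS); the page describes this mapping step."""
    if eia_id not in EIA_TO_NIA:
        raise ValueError(f"no 5GS mapping for EPS integrity algorithm 0x{eia_id:x}")
    return EIA_TO_NIA[eia_id]


def build_s(fc: int, p0: int, p1: int) -> bytes:
    """Input string of a two-parameter KDF call: FC || P0 || L0 || P1 || L1."""
    return bytes([fc, p0, 0x00, 0x01, p1, 0x00, 0x01])


def derive_up_int_key(master_key: bytes, alg_id: int,
                      alg_type: int = ALG_TYPE_N_UP_INT) -> bytes:
    """Derive the 128-bit user plane integrity key ("first key") from the
    256-bit master key, the algorithm type identifier and the algorithm id."""
    if len(master_key) != 32:
        raise ValueError("master key must be 256 bits")
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identifier is a 4-bit value")
    s = build_s(FC_ALG_KEY_DERIVATION, alg_type, alg_id)
    return hmac.new(master_key, s, hashlib.sha256).digest()[16:]  # 128 LSB


# --- Terminal-side activation (eighth aspect) -------------------------------
@dataclass
class AsSecurityContext:
    """Constructed stand-in for the UE's AS security context."""
    master_key: bytes
    current_eia_id: int      # first-standard integrity algorithm in use
    serving_plmn_id: str     # PLMN the UE is registered to (first standard)


@dataclass
class FourthMessage:
    """Fields of the fourth message as the page describes them (names assumed)."""
    plmn_id: str                      # PLMN ID of the sending access network device
    drb_id: int
    up_integrity_enabled: bool        # user plane integrity protection indication
    use_master_key: bool = True       # first indication information
    # second indication information: None or "current" -> use the algorithm
    # currently in the AS context; int -> explicit first-standard identifier
    second_indication: Union[None, str, int] = None


def ue_activate_up_integrity(ctx: AsSecurityContext,
                             msg: FourthMessage) -> Optional[dict]:
    """Return the configuration handed to the second-standard PDCP entity of
    the DRB, or None when the message does not enable UP integrity for it."""
    if msg.plmn_id != ctx.serving_plmn_id:
        # assumed check: the message must come from an access network
        # device of the first network standard (the serving PLMN)
        raise ValueError("fourth message PLMN ID does not match the serving PLMN")
    if not msg.up_integrity_enabled:
        return None
    if not msg.use_master_key:
        raise ValueError("only master-key based derivation is modelled here")
    if msg.second_indication is None or msg.second_indication == "current":
        eia_id = ctx.current_eia_id           # taken from the AS security context
    else:
        eia_id = int(msg.second_indication)   # identifier carried in the message
    nia_id = map_first_to_second_standard_alg(eia_id)
    key = derive_up_int_key(ctx.master_key, nia_id)
    return {"drb_id": msg.drb_id, "integrity_alg": f"EIA{eia_id}", "key": key}


if __name__ == "__main__":
    ctx = AsSecurityContext(bytes(range(32)), current_eia_id=0x2, serving_plmn_id="00101")
    cfg = ue_activate_up_integrity(ctx, FourthMessage("00101", drb_id=1, up_integrity_enabled=True))
    print(cfg["integrity_alg"], cfg["key"].hex())
```

Two points the example makes that the prose leaves implicit: the algorithm type identifier is part of the KDF input, so a key derived under 0x07 differs from one derived under the LTE UP-integrity distinguisher even for the same algorithm id and master key, and a message whose PLMN ID does not match is rejected before any key is derived.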
- In a ninth aspect, a communication device includes a processor coupled with a memory, where the memory is used for storing a computer program.
- the processor is configured to execute the computer program stored in the memory, so that the communication method described in any possible implementation manner of the first aspect to the fourth aspect is executed.
- the communication device described in the ninth aspect may further include a transceiver.
- the transceiver can be a transceiver circuit or an input/output port.
- the transceiver may be used by the communication device to communicate with other devices.
- the input port can be used to realize the receiving function involved in the first aspect to the fourth aspect
- the output port can be used to realize the sending function involved in the first aspect to the fourth aspect
- the communication device described in the ninth aspect may be an access network device of the first network standard, a terminal device, or a core network element of the first network standard, or a chip or chip system provided in an access network device of the first network standard, a terminal device, or a core network element of the first network standard.
- In a tenth aspect, a communication system includes the communication device according to the fifth aspect and the communication device according to the sixth aspect; or, the communication system includes the communication device according to the seventh aspect and the communication device according to the eighth aspect.
- the communication system includes the communication device according to the fifth aspect for realizing the method according to the first aspect, and the communication device according to the sixth aspect for realizing the method according to the second aspect.
- the communication system includes the communication device according to the seventh aspect for realizing the method according to the third aspect, and the communication device according to the eighth aspect for realizing the method according to the fourth aspect.
- the communication system may include an access network device and a terminal device of the first network standard, and may further include a core network element of the first network standard.
- In an eleventh aspect, a chip system includes a logic circuit and an input/output port.
- the logic circuit is used to realize the processing function involved in the first aspect to the fourth aspect
- the input/output port is used to realize the sending and receiving function involved in the first aspect to the fourth aspect.
- the input port can be used to realize the receiving function involved in the first aspect to the fourth aspect
- the output port can be used to realize the sending function involved in the first aspect to the fourth aspect.
- the system-on-a-chip further includes a memory, and the memory is used for storing program instructions and data for realizing the functions involved in the first aspect to the fourth aspect.
- the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
- a computer-readable storage medium includes a computer program or instruction; when the computer program or instruction is run on a computer, the communication method described above is executed.
- a computer program product includes a computer program or instruction; when the computer program or instruction is run on a computer, the communication method described in any one of the possible implementations of the first aspect to the fourth aspect is executed.
- FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application.
- FIG. 2 is a schematic flowchart of a communication method provided in an embodiment of the present application.
- FIG. 3 is a schematic flowchart of another communication method provided by the embodiment of the present application.
- FIG. 4 is a schematic flowchart of another communication method provided by the embodiment of the present application.
- FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
- FIG. 6 is a schematic structural diagram of another communication device provided by an embodiment of the present application.
- the technical solutions of the embodiments of the present application can be applied to various communication systems, such as the universal mobile telecommunications system (UMTS), wireless local area network (WLAN), wireless fidelity (Wi-Fi) system, wired network, vehicle to everything (V2X) communication system, device-to-device (D2D) communication system, vehicle networking communication system, 4th generation (4G) mobile communication systems such as the long term evolution (LTE) system and the worldwide interoperability for microwave access (WiMAX) communication system, 5th generation (5G) mobile communication systems such as the new radio (NR) system, and future communication systems such as the 6th generation (6G) mobile communication system.
- the present application presents various aspects, embodiments or features in terms of a system that can include a number of devices, components, modules and the like. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. In addition, combinations of these schemes can also be used.
- the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
- the technical solutions provided by the embodiments of this application are also applicable to similar technical problems.
- FIG. 1 is a schematic structural diagram of a communication system to which the communication method provided in the embodiment of the present application is applicable.
- the communication system includes terminal equipment and access network equipment.
- the communication system may also include core network elements.
- the access network device can communicate with the terminal device through a logical interface (such as a Uu interface), and the network element of the core network can communicate with the access network device through a logical interface (such as an S1 interface).
- the above-mentioned terminal equipment is a terminal equipment that accesses the above-mentioned communication system and has a wireless transceiver function, or a chip or a chip system that can be provided in the terminal equipment.
- the terminal equipment may also be called sensing equipment, user equipment (UE), user device, access terminal, subscriber unit, user station, mobile station (MS), remote station, remote terminal, mobile equipment, user terminal, terminal, terminal unit, end station, terminal device, wireless communication device, user agent, or user device.
- the terminal equipment in the embodiment of the present application may be customer premise equipment (CPE), a mobile phone, a wireless data card, a personal digital assistant (PDA) computer, a laptop computer, a tablet computer (Pad), a computer with a wireless transceiver function, a machine type communication (MTC) terminal, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, an Internet of Things (IoT) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home (such as game consoles, smart TVs, smart speakers, smart refrigerators, and fitness equipment), a vehicle-mounted terminal, or an RSU with terminal functions.
- the access terminal can be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a handset with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, a wearable device, etc.
- the customer premise equipment is larger than a general terminal and has stronger functions. It can receive the signal sent by the access network device and send it on to other terminal devices, which is equivalent to relaying the signal sent by the access network device a second time.
- the terminal device in the embodiment of the present application can be an express terminal in smart logistics (such as a device that monitors the location of cargo vehicles or a device that monitors the temperature and humidity of goods), a wireless terminal in smart agriculture (such as a wearable device that collects data on poultry and livestock), a wireless terminal in smart buildings (such as smart elevators, fire monitoring equipment, and smart meters), a wireless terminal in smart medical care (such as a wearable device that monitors the physiological state of people or animals), a wireless terminal in intelligent transportation (such as smart buses, smart vehicles, shared bicycles, charging pile monitoring equipment, smart traffic lights, train detectors, sensors at sites such as gas stations, and smart monitoring and smart parking equipment), or a wireless terminal in smart retail (such as vending machines, self-checkout machines, and unmanned convenience stores).
- the terminal device of the present application may be a vehicle-mounted module, vehicle-mounted assembly, vehicle-mounted component, vehicle-mounted chip, or vehicle-mounted unit built into a vehicle as one or more components or units; the vehicle-mounted module, assembly, component, chip, or unit built into the vehicle can implement the methods provided in this application.
- the above-mentioned access network device is a device located on the network side of the above-mentioned communication system and having a wireless transceiver function, or a chip or a chip system that can be provided in the device.
- the access network equipment includes but is not limited to: an access point (access point, AP) in a wireless fidelity (wireless fidelity, Wi-Fi) system, such as a home gateway, a router, a server, a switch, a network bridge, etc., an evolved Node B (evolved Node B, eNB), radio network controller (radio network controller, RNC), node B (Node B, NB), base station controller (base station controller, BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved NodeB, or home Node B, HNB), baseband unit (baseband unit, BBU), wireless relay node, wireless backhaul node, transmission point (transmission and reception point, TRP or transmission point,
- the access network device of the first network standard may be the access network device in the LTE system, such as an eNB; the access network device of the second network standard may be the access network device in the NR system, such as a gNB or ng-eNB.
- the core network element is a device located on the network side of the communication system and providing network services for terminal devices, or a chip (or chip system) or other component that can be provided in the device.
- the core network element includes but is not limited to: a mobility management entity (mobility management entity, MME).
- the mobility management entity may be responsible for managing and storing the mobility management context of the terminal device (for example, the identity of the terminal device, mobility management status, user security parameters, etc.), for processing non-access stratum (non-access stratum, NAS) signaling (for example, attach request, update location request, service request, packet data network (packet data network, PDN) connectivity request, etc.), and for NAS signaling security, etc.
- the functions of the mobility management entity can be decomposed into access and mobility management function (core access and mobility management function, AMF) and session management function (session management function, SMF).
- the mobility management entity may still be MME, or AMF and SMF, or may have other names, which are not limited in this application.
- the core network element may also include a serving gateway (serving gateway, SGW) network element, a home subscriber server (home subscriber server, HSS) + unified data management (unified data management, UDM) network element, and a session management function (session management function, SMF) + packet data network gateway-control plane (packet data network gateway-control plane, PGW-C) network element.
- the SGW network element implements the user plane function of forwarding user plane data.
- the HSS+UDM network element can be used to store user subscription data.
- the network element not only stores the 4G subscription information of the terminal equipment, but also stores the 5G subscription information of the terminal equipment.
- the SMF+PGW-C network element can be used for session establishment, deletion, and modification management.
- this network element can provide both 4G and 5G session management functions.
- the communication method provided by the embodiment of the present application can be applied between any two nodes shown in Figure 1, such as between a terminal device and an access network device, or between an access network device and a core network element.
- FIG. 1 is only a simplified schematic diagram for easy understanding, and the communication system may also include other network devices and/or other terminal devices, which are not shown in FIG. 1 .
- the user plane security policy is a policy used to describe whether to enable security protection for user plane data.
- the user plane security policy may include a user plane encryption protection policy and a user plane integrity protection policy.
- the user plane encryption protection policy may be used to indicate whether to enable user plane encryption protection;
- the user plane integrity protection policy may be used to indicate whether to enable user plane integrity protection.
- the user plane encryption protection is to protect the confidentiality of the user plane data during the transmission process
- the user plane integrity protection is to protect the integrity of the user plane data during the transmission process.
- integrity means that the obtained signaling or data is consistent with the original signaling or data and has not been modified. Therefore, the integrity protection is to make it "unchangeable" by attackers. Confidentiality means that the real content cannot be seen directly, so the confidentiality protection is to make the attacker “unreadable”.
- the encryption protection in the embodiment of the present application may also be referred to as confidentiality protection, which will be collectively described here and will not be described in detail below.
- there are three types of protection policy: required, not needed, and preferred.
- Required means that protection must be enabled, not needed means that it does not need to be enabled, and preferred (also called optional enablement) means that security protection can be either enabled or disabled.
- the three possible values of the above-mentioned protection policy can be indicated by 2 bits (bit); for example, 00 indicates that protection does not need to be turned on, 01 indicates that it can be turned on or not, and 11 indicates that it must be turned on. The number of bits occupied by the protection policy and the meaning of each value are not limited in this application.
- the user plane integrity protection policy may include: user plane integrity protection enabled (required), user plane integrity protection not enabled (not needed), or user plane integrity protection optional (preferred).
- for an example of a user plane encryption protection policy, reference may be made to the example of the user plane integrity protection policy, which will not be repeated here.
- the user plane security policy in the embodiment of the present application mainly relates to the security policy used by the user plane between the terminal device and the access network device.
- the user plane security policy may include at least one of the following: the user plane encryption protection policy in the Uu connection, and the user plane integrity protection policy in the Uu connection.
- the user plane encryption protection policy in the Uu connection and the user plane integrity protection policy in the Uu connection are referred to below simply as the user plane encryption protection policy and the user plane integrity protection policy, respectively.
- the security protection indication information can be obtained according to the user plane security policy.
- if the user plane integrity protection policy is required, the access network device determines that the user plane integrity protection indication information of the corresponding user plane data is enabled. If the user plane integrity protection policy is not needed, the access network device determines that the user plane integrity protection indication information of the corresponding user plane data is not enabled. If the user plane integrity protection policy is preferred, the access network device determines that the user plane integrity protection indication information of the corresponding user plane data can be either enabled or disabled; for example, the access network device can decide whether to enable user plane integrity protection according to local information (operating state, control strategy, regulatory requirements, etc.). For an example of a user plane encryption protection policy, reference may be made to the example of the user plane integrity protection policy, which will not be repeated here.
- when the user plane security policy is sent, generally only one of the three values (required, not needed, and preferred) is selected for transmission. In some special scenarios, at least two values may be sent, one of them being preferred. For example, sending not needed and preferred together means that the security protection is not turned on; sending required and preferred together means that the security protection is turned on.
- the security capability is used to indicate the security algorithm supported by the terminal device, where the security algorithm may include at least one of the following: one or more encryption protection algorithms, and one or more integrity protection algorithms.
- security capabilities may be different for different network standards.
- the security capability may be an EPS security capability
- the security capability may be an NR security capability.
- the EPS security capability may include at least one of the following algorithm identifiers: EPS (or 4G) integrity algorithm (EPS integrity algorithm, EIA) 0 to EIA7, and EPS (or 4G) encryption algorithm (EPS encryption algorithm, EEA) 0 to EEA7.
- the algorithm identifier EIA7 may be used to indicate that the terminal device supports user plane integrity protection (user plane integrity protection, UPIP).
- the NR security capability may include at least one of the following algorithm identifiers: 5G integrity algorithm (integrity algorithm for 5G, NIA) NIA0 to NIA7, and 5G encryption algorithm (encryption algorithm for 5G, NEA) NEA0 to NEA7.
- the algorithm identifier is used to identify the algorithm, for example, the algorithm identifier EIA1 corresponds to the SNOW 3G algorithm.
- an integrity algorithm may also be called an integrity protection algorithm
- an encryption algorithm may also be called an encryption protection algorithm.
- the embodiment of the present application uses the integrity protection algorithm and the encryption protection algorithm as examples for illustration.
- the network standard refers to the type of network.
- the network standard mainly refers to the type of mobile communication network.
- the network standard may include second generation (2nd generation, 2G), global system for mobile communications (global system for mobile communications, GSM), third generation (3rd generation, 3G), code division multiple access (code division multiple access, CDMA), 4G, LTE, EPS, 5G, NR, 5GS, etc.
- the first network standard and the second network standard are not limited in this application; it is only required that the first network standard and the second network standard are different network standards.
- FIG. 2 is a schematic flowchart of a communication method provided in an embodiment of the present application.
- This communication method can be applied to the communication between the terminal equipment and the access network equipment shown in Figure 1, and between the access network equipment and the core network elements, where the core network elements can include the MME network element, SGW network element, HSS+UDM network element, and SMF+PGW-C network element.
- Figure 2 takes the initial access scenario as an example.
- the communication method includes the following steps:
- the terminal device sends an attach request (attach request) message to the MME network element.
- the MME network element receives the attach request message from the terminal device.
- the attach request message includes the EPS security capability of the terminal device.
- the EPS security capability includes EIA7, which can be used to indicate that the terminal equipment supports user plane integrity protection.
- the MME network element sends a location update request (location update request) message to the HSS+UDM network element.
- the HSS+UDM network element receives the location update request message from the MME network element.
- the HSS+UDM network element sends a location update request acknowledgment (acknowledge, ACK) message to the MME network element.
- the MME network element receives the location update request confirmation message from the HSS+UDM network element.
- the MME network element sends a create session request (create session request) message to the SGW network element.
- the SGW network element receives the session creation request message from the MME network element.
- the SGW network element sends a session creation request message to the SMF+PGW-C network element.
- the SMF+PGW-C network element receives the session creation request message from the SGW network element.
- the SMF+PGW-C network element obtains a user plane security policy.
- the user plane security policy may include user plane security policy 1 or user plane security policy 2.
- the SMF+PGW-C network element can obtain the user plane security policy 1 from the HSS+UDM network element; otherwise, the default user plane security policy 2 of the SMF+PGW-C network element can be used.
- the tunnel protocol control plane (general packet radio service tunnel protocol-control plane, GTP-C)
- the SMF+PGW-C network element sends a create session response message (create session response) to the SGW network element.
- the SGW network element receives the session creation response message from the SMF+PGW-C network element.
- the create session response message may include the bearer contexts created.
- the created bearer context may include a user plane security policy, for example, a user plane integrity protection policy.
- the SGW network element sends the user plane security policy to the MME network element.
- the MME network element receives the user plane security policy from the SGW.
- the MME network element determines to send the user plane security policy to the access network device.
- if the MME network element determines according to the EPS security capability that the terminal device supports user plane integrity protection, it sends the user plane security policy to the access network device. For example, if the EPS security capability includes EIA7, the MME network element sends the user plane security policy to the access network device. If the MME network element determines according to the EPS security capability that the terminal device does not support user plane integrity protection, it may not send the user plane security policy to the access network device.
- the MME network element sends an S1 message to the access network device.
- the access network device receives the S1 message from the MME network element.
- the S1 message may include the EPS security capability, and S1 is a logical interface between the MME network element and the access network device.
- the S1 message may also include a user plane security policy.
- the user plane security policy may include a user plane integrity protection policy.
- the access network device determines the 4G algorithm identifier according to the EPS security capability of the terminal device.
- the EPS security capability includes one or more 4G integrity protection algorithm identifiers, and one or more 4G encryption protection algorithm identifiers.
- the access network device may select a 4G encryption protection algorithm identifier from one or more 4G encryption protection algorithm identifiers according to a locally configured algorithm priority list and EPS security capabilities.
- the access network device may select a 4G integrity protection algorithm identifier from one or more 4G integrity protection algorithm identifiers according to a locally configured algorithm priority list and EPS security capabilities.
- the access network device derives the control plane encryption protection key Krrc-enc from the access network device key KeNB, the selected 4G encryption protection algorithm identifier (such as EEA1, EEA2, EEA3, etc.), and the algorithm type distinguisher (such as RRC-enc-alg, with value 0x03).
- Krrc-enc is used to encrypt and protect the RRC messages of the terminal device and the access network device, that is, to activate the encryption protection of the signaling radio bearer (Signaling radio bearer, SRB).
- the access network device key KeNB may be obtained from the initial context establishment request message.
- the access network device derives the control plane integrity protection key Krrc-int from the access network device key KeNB, the selected 4G integrity protection algorithm identifier (such as EIA1, EIA2, EIA3, etc.), and the algorithm type distinguisher (such as RRC-int-alg, with value 0x04).
- Krrc-int is used to protect the integrity of the RRC message of the terminal device and the access network device, that is, to activate the integrity protection of the signaling radio bearer (SRB).
- the access network device derives the user plane encryption protection key Kup-enc from the access network device key KeNB, the selected 4G encryption protection algorithm identifier (such as EEA1, EEA2, EEA3, etc.), and the algorithm type distinguisher (such as UP-enc-alg, with value 0x05).
- Kup-enc is used to encrypt and protect the user plane data of the terminal device and the access network device.
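The algorithm selection and key derivation described in the preceding items, written out as an added example (this is illustrative code, not code from the patent or from any 3GPP implementation). Selection walks the locally configured priority list and takes the first identifier that the terminal's EPS security capability also contains. Derivation uses the algorithm type distinguishers quoted above (RRC-enc-alg 0x03, RRC-int-alg 0x04, UP-enc-alg 0x05) with the generic 3GPP key derivation function of TS 33.220 Annex B as applied in TS 33.401 Annex A.7: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 with FC = 0x15, the 128-bit key being the 128 least significant bits of the output. The UP-int-alg distinguisher 0x06 is taken from that same table and is not on this page; KeNB, the priority lists and the capability set are constructed sample values.

```python
"""Added example: AS algorithm selection and per-algorithm key derivation.

Not code from the patent. KDF layout per 3GPP TS 33.401 Annex A.7 /
TS 33.220 Annex B; sample inputs are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, Sequence, Set

# Algorithm type distinguishers. 0x03/0x04/0x05 are quoted in the description;
# 0x06 (UP-int-alg) is the value from the same table in TS 33.401, added here
# for the Kup-int case the description mentions.
RRC_ENC_ALG = 0x03
RRC_INT_ALG = 0x04
UP_ENC_ALG = 0x05
UP_INT_ALG = 0x06

FC_ALG_KEY = 0x15  # FC value for algorithm key derivation (TS 33.401 A.7)


def select_algorithm(priority_list: Sequence[str], capability: Set[str]) -> str:
    """Pick the highest-priority algorithm the terminal also supports.

    priority_list: the access network device's local configuration.
    capability:    identifiers from the terminal's EPS security capability.
    """
    for alg in priority_list:
        if alg in capability:
            return alg
    raise ValueError("no common algorithm between priority list and capability")


def algorithm_identity(alg: str) -> int:
    """'EEA2' -> 2, 'EIA1' -> 1: the 4-bit algorithm identity used in the KDF."""
    return int(alg[3:]) & 0x0F


def kdf_input(alg_type: int, alg_id: int) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 with one-byte P0/P1 and two-byte lengths."""
    return bytes([FC_ALG_KEY, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])


def derive_algorithm_key(kenb: bytes, alg_type: int, alg: str) -> bytes:
    """HMAC-SHA-256(KeNB, S), truncated to the 128 least significant bits."""
    if len(kenb) != 32:
        raise ValueError("KeNB must be 256 bits")
    full = hmac.new(kenb, kdf_input(alg_type, algorithm_identity(alg)), hashlib.sha256).digest()
    return full[16:]  # low-order 16 bytes


def derive_as_keys(kenb: bytes, enc_alg: str, int_alg: str) -> Dict[str, bytes]:
    """Krrc-enc, Krrc-int and Kup-enc as derived by the access network device."""
    return {
        "Krrc-enc": derive_algorithm_key(kenb, RRC_ENC_ALG, enc_alg),
        "Krrc-int": derive_algorithm_key(kenb, RRC_INT_ALG, int_alg),
        "Kup-enc": derive_algorithm_key(kenb, UP_ENC_ALG, enc_alg),
    }


if __name__ == "__main__":
    # Constructed sample input: a fixed KeNB and a capability set that includes EIA7.
    sample_kenb = bytes(range(32))
    ue_capability = {"EEA0", "EEA1", "EEA2", "EIA1", "EIA2", "EIA7"}
    enc = select_algorithm(["EEA3", "EEA2", "EEA1", "EEA0"], ue_capability)
    integ = select_algorithm(["EIA3", "EIA2", "EIA1"], ue_capability)
    for name, key in derive_as_keys(sample_kenb, enc, integ).items():
        print(name, enc if name.endswith("enc") else integ, key.hex())
```

Note that the same KeNB yields distinct keys for each (distinguisher, algorithm) pair, which is why the description stores the selected algorithm identifiers alongside the keys in the AS security context: changing the algorithm changes the key.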
- the access network device can activate the security protection between the access network device and the terminal device according to the derived key and the selected 4G security algorithm.
- the access network device can activate the control plane encryption protection between the access network device and the terminal device according to Krrc-enc and the selected 4G encryption protection algorithm.
- the access network device can activate the control plane integrity protection between the access network device and the terminal device according to Krrc-int and the selected 4G integrity protection algorithm (such as SNOW 3G corresponding to EIA1), for example, activate RRC integrity protection.
- the access network device can activate user plane encryption protection between the access network device and the terminal device according to Kup-enc and the selected 4G encryption protection algorithm.
- the activation of integrity protection by the access network device means that the RRC message or user plane message sent by the access network device after integrity protection is activated is integrity protected using the 4G integrity protection algorithm and Krrc-int or Kup-int, and the integrity of the received RRC message or user plane message is checked using the 4G integrity protection algorithm and Krrc-int or Kup-int.
- the activation of encryption protection by the access network device means that the RRC message or user plane message sent by the access network device after the encryption protection is activated is encrypted using the 4G encryption protection algorithm and Krrc-enc or Kup-enc, and the received RRC message or User plane messages are decrypted using the 4G encryption protection algorithm and Krrc-enc or Kup-enc.
- the access network device can save the EPS security capability, user plane security policy, Krrc-enc, Krrc-int, Kup-enc, and the selected 4G encryption protection algorithm and 4G integrity protection algorithm as the terminal device's AS security context.
- the access network device sends an AS security mode command (security mode command, SMC) message to the terminal device.
- the terminal device receives the AS SMC message from the access network device.
- the security mode command message may include a 4G encryption protection algorithm identifier, and may also include a 4G integrity protection algorithm identifier.
- the terminal device enables control plane security protection.
- the terminal device derives the control plane encryption protection key Krrc-enc according to the access network device key KeNB, the 4G encryption protection algorithm identifier, and the algorithm type distinguisher.
- the terminal device derives the control plane integrity protection key Krrc-int according to the access network device key KeNB, the selected 4G integrity protection algorithm identifier and the algorithm type distinguisher.
- the terminal device derives the user plane encryption protection key Kup-enc according to the access network device key KeNB, the selected 4G encryption protection algorithm identifier and the algorithm type distinguisher.
- the terminal device can activate the security protection between the access network device and the terminal device according to the derived key and the 4G security algorithm.
- the terminal device can activate the control plane encryption protection between the access network device and the terminal device according to the Krrc-enc and 4G encryption protection algorithm.
- the terminal device can activate control plane integrity protection between the access network device and the terminal device according to Krrc-int and the selected 4G integrity protection algorithm, for example, activate RRC integrity protection.
- the terminal device can activate user plane encryption protection between the access network device and the terminal device according to Kup-enc and the selected 4G encryption protection algorithm. That is to say, in addition to activating the security protection of the control plane, the terminal device can also activate the encryption protection of the user plane.
- the activation of integrity protection by the terminal device means that the RRC message or user plane message sent by the terminal device after the activation of the integrity protection uses the 4G integrity protection algorithm and Krrc-int or Kup-int for integrity protection, and the received RRC message Or the user plane message uses the 4G integrity protection algorithm and Krrc-int or Kup-int to check the integrity.
- the terminal device activates encryption protection means that the RRC message or user plane message sent by the terminal device after the encryption protection is activated is encrypted using the 4G encryption protection algorithm and Krrc-enc or Kup-enc, and the received RRC message or user plane message is encrypted using 4G encryption protection algorithm and Krrc-enc or Kup-enc for decryption.
- the terminal device may save Krrc-enc, Krrc-int, Kup-enc, and the selected 4G encryption protection algorithm and 4G integrity protection algorithm as the AS security context of the terminal device.
- the terminal device sends an AS security mode complete (security mode complete, SMP) message to the access network device.
- the access network equipment receives the AS SMP message from the terminal equipment.
- the access network device determines user plane security activation indication information.
- the access network device may determine the user plane security activation indication information according to the EPS security capability and/or the user plane security policy.
- the access network device determines the user plane security activation indication information according to the user plane security policy.
- the access network device determines the user plane security activation indication information according to the preconfigured user plane security policy.
- the access network device may instruct, in S215, to disable the encryption protection of the user plane.
- if the integrity protection status of the user plane in the user plane security activation indication information indicates integrity protection (integrityProtection), it means that integrity protection is enabled; otherwise it means that it is not enabled.
- the access network device can enable user plane encryption protection between the access network device and the terminal device according to the user plane security activation indication information, and not enable user plane integrity protection between the access network device and the terminal device.
- after the access network device determines the user plane security activation indication information, it can activate the user plane security protection immediately, or it can defer the activation of the user plane security protection until user plane data is received, which is not limited in this application.
- the access network device sends a first radio resource control (radio resource control, RRC) reconfiguration message to the terminal device.
- the first RRC reconfiguration message includes user plane security activation indication information.
- the first RRC reconfiguration message may also carry no user plane security activation indication information; this is an implicit indication, meaning that user plane encryption protection is enabled by default and user plane integrity protection is not enabled.
- the terminal device may determine, according to the user plane security activation indication information carried in the first RRC reconfiguration message, to enable user plane encryption protection between itself and the access network device (if it was already enabled in S213, it need not be enabled again) and not to enable user plane integrity protection. Afterwards, the user plane data sent between the terminal device and the access network device is encrypted but not integrity protected.
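The policy handling described in the items on user plane security policy above (the 2-bit encoding of required / not needed / preferred and the rule for sending two values together with preferred), together with the decision steps of Figure 2 (the MME forwarding the policy only when the EPS security capability contains EIA7, the access network device turning a policy into an activation indication, and the terminal's handling of an absent indication), written out as one added example. This is illustrative code, not code from the patent. The field names in the indication dictionary (`integrityProtection`, `cipheringDisabled`) and the local-decision flag are assumptions made for the example; the bit values and the two-value rule are the ones given in the description.

```python
"""Added example: user plane security policy decoding and activation decision.

Not code from the patent; see the lead-in for what is assumed.
"""
from enum import Enum
from typing import Dict, Optional, Set


class Policy(Enum):
    """2-bit policy values as given in the description (0b10 is unassigned)."""
    NOT_NEEDED = 0b00   # does not need to be turned on
    PREFERRED = 0b01    # can be turned on or not
    REQUIRED = 0b11     # must be turned on


def decode_policy(bits: int) -> Policy:
    """Map a 2-bit value to a policy; reject the unassigned encoding 0b10."""
    try:
        return Policy(bits & 0b11)
    except ValueError:
        raise ValueError(f"unassigned policy encoding {bits & 0b11:#04b}") from None


def resolve_sent_policies(sent: Set[Policy]) -> Policy:
    """Reduce the set of policy values actually sent to one effective policy.

    Normally a single value is sent. Two values may be sent if one of them is
    PREFERRED: {NOT_NEEDED, PREFERRED} means protection is off,
    {REQUIRED, PREFERRED} means protection is on.
    """
    if len(sent) == 1:
        return next(iter(sent))
    if sent == {Policy.NOT_NEEDED, Policy.PREFERRED}:
        return Policy.NOT_NEEDED
    if sent == {Policy.REQUIRED, Policy.PREFERRED}:
        return Policy.REQUIRED
    raise ValueError(f"unsupported policy combination {sorted(p.name for p in sent)}")


def terminal_supports_upip(eps_security_capability: Set[str]) -> bool:
    """EIA7 in the EPS security capability indicates UPIP support."""
    return "EIA7" in eps_security_capability


def mme_forwards_policy(eps_security_capability: Set[str]) -> bool:
    """The MME sends the user plane security policy to the eNB only for UPIP-capable terminals."""
    return terminal_supports_upip(eps_security_capability)


def activation_indication(policy: Policy, local_decision: bool) -> bool:
    """Turn one protection policy into the activation indication for a DRB.

    REQUIRED -> on, NOT_NEEDED -> off, PREFERRED -> the access network device's
    local decision (operating state, control strategy, regulation, ...).
    """
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_NEEDED:
        return False
    return local_decision


def apply_rrc_indication(indication: Optional[Dict[str, str]]) -> Dict[str, bool]:
    """Terminal side: interpret the indication carried in the RRC reconfiguration.

    An absent indication is the implicit case: user plane encryption enabled,
    user plane integrity protection not enabled. When present, integrity
    protection is on only if the (assumed) field 'integrityProtection' is
    present; ciphering is on unless the (assumed) field 'cipheringDisabled' is.
    """
    if indication is None:
        return {"ciphering": True, "integrity": False}
    return {
        "ciphering": "cipheringDisabled" not in indication,
        "integrity": "integrityProtection" in indication,
    }


if __name__ == "__main__":
    # Constructed sample: a UPIP-capable terminal and a preferred integrity policy.
    capability = {"EEA0", "EEA1", "EEA2", "EIA1", "EIA2", "EIA7"}
    policy = resolve_sent_policies({decode_policy(0b01)})
    if mme_forwards_policy(capability):
        on = activation_indication(policy, local_decision=True)
        print("integrity activation indication:", on)
    print("implicit indication ->", apply_rrc_indication(None))
```

The two-value rule matters for robustness: a receiver that simply takes the first value it sees would read {preferred, required} as preferred and could leave protection off where the sender meant it to be on, so the combination is resolved explicitly before any activation decision is made.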
- the terminal device may send an RRC connection reconfiguration complete (RRC connection reconfiguration complete) message to the access network device.
- the access network device receives the RRC reconfiguration complete message from the terminal device.
- the MME network element sends an attach accept (attach accept) message to the terminal device.
- the terminal device receives an attach accept message from the MME network element.
- the attach accept message may be used to instruct the terminal device to complete the initial access.
- the communication method shown in FIG. 2 can enable user plane encryption protection and integrity protection, but it does not provide a way for the access network device and the terminal device to obtain the parameters for activating user plane integrity protection and to activate user plane integrity protection.
- FIG. 3 is a schematic flow chart of another communication method provided by an embodiment of the present application.
- the communication method may be applicable to communication between a terminal device and an access network device, and between an access network device and a network element of a core network as shown in FIG. 1 .
- the method shown in Figure 3 is applicable to any scenario in which user plane integrity protection needs to be enabled flexibly, for example the various scenarios of establishing or re-establishing a DRB, such as initial access, PDN session establishment, dedicated bearer activation, X2 handover (X2 being the communication interface between access network devices), or S1 handover, etc.; it sets out the scheme for activating user plane integrity protection.
- the communication method includes the following steps:
- the access network device of the first network standard acquires user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard.
- the first network standard may include 4G, LTE, or EPS.
- the second network standard may include 5G, NR, or 5GS.
- the first condition includes: determining to establish a first DRB between the access network device of the first network standard and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the determination by the access network device of the first network standard to establish a DRB for the terminal device may occur in the attach process, to establish a default EPS bearer; in the PDN connection establishment or dedicated bearer activation process, to establish a dedicated EPS bearer; or in a mobility process such as handover or re-establishment, to restore the DRB on the new access network device.
- the first condition may further include: the terminal device supports user plane integrity protection.
- the statement that the terminal device supports user plane integrity protection (UPIP) may be expressed in multiple ways.
- "supporting user plane integrity protection" or "supporting UPIP" can be described in terms of an object (optional) and a feature, for example as "supporting, with [object] (one of the following objects 1 to 6), [feature] (one of the following features 1 to 3)", or as "supporting [feature] (one of the following features 1 to 3)".
- the objects may include: 1) evolved packet core network (evolved packet core, EPC); 2) eNB; 3) LTE; 4) E-UTRA and EPC (E-UTRA with EPC); 5) EPC-based dual connectivity of E-UTRA and NR radio access technology (radio access technology, RAT) (EPC based Dual Connectivity of E-UTRA and NR RAT); 6) EPS.
- the features may include: 1) user plane integrity protection; 2) user plane security protection; 3) user plane on-demand protection (i.e., whether to enable user plane encryption protection and/or user plane integrity protection is determined according to the user plane security policy).
- the terminal device supporting user plane integrity protection can be expressed as "the terminal device supports user plane integrity protection with EPC".
- the terminal device supporting user plane integrity protection can be expressed as "the terminal device supports user plane integrity protection with the eNB".
- the eNB may be an access network device of the first network standard, that is, the terminal device supports user plane integrity protection with the access network device of the first network standard.
- since the object is optional, feature 1) alone can be expressed as "the terminal device supports user plane integrity protection".
- "supporting user plane integrity protection" or "supporting UPIP" can be replaced by "supporting, with [object] (one of the above objects 1 to 6), [feature] (one of the above features 1 to 3)", or by "supporting [feature] (one of the above features 1 to 3)".
- whether the terminal device supports user plane integrity protection may be determined by the access network device of the first network standard according to the user plane indication information.
- the user plane indication information may be used to indicate whether the terminal device supports user plane integrity protection.
- the access network device of the first network standard may obtain user plane indication information through the following steps 1a to 2a, or step 1b.
- step 1a: the terminal device sends user plane indication information to a core network element of the first network standard.
- the core network element of the first network standard receives the user plane indication information from the terminal device.
- the user plane indication information may be sent through NAS signaling.
- the user plane indication information may be encapsulated in capability information of the terminal device, for example, EPS security capability of the terminal device.
- step 2a: the core network element of the first network standard sends user plane indication information to the access network device of the first network standard.
- the access network device of the first network standard receives the user plane indication information from the core network element of the first network standard.
- the user plane indication information may be sent through S1 signaling.
- the access network device of the first network standard can obtain the user plane indication information from the terminal device through the core network element of the first network standard.
- step 1b: the terminal device sends user plane indication information to the access network device of the first network standard.
- the access network device of the first network standard receives the user plane indication information from the terminal device.
- the user plane indication information may be sent through RRC signaling.
- the user plane indication information may be encapsulated in the radio capability information of the terminal device, such as the evolved UMTS terrestrial radio access network (E-UTRAN) radio capability of the terminal device.
- the access network device of the first network standard can directly obtain the user plane indication information from the terminal device.
- the access network device of the first network standard can determine whether the terminal device supports user plane integrity protection according to the user plane indication information: if the user plane indication information indicates that the terminal device supports user plane integrity protection, the access network device of the first network standard learns that the terminal device supports user plane integrity protection; otherwise, the terminal device does not support user plane integrity protection.
- the user plane integrity protection indication information may be used to indicate to enable the user plane integrity protection of the first DRB.
- the user plane integrity protection corresponding to the first DRB can be activated, so as to realize the on-demand protection of the user plane integrity.
- the user plane integrity protection indication information may be determined by the access network device of the first network standard according to the user plane integrity protection policy.
- if the user plane integrity protection policy includes enabling user plane integrity protection, the user plane integrity protection indication information indicates enabling the user plane integrity protection of the first DRB; if the user plane integrity protection policy includes disabling user plane integrity protection, the user plane integrity protection indication information indicates disabling the user plane integrity protection of the first DRB.
- the user plane integrity protection indication information may be determined by the access network device of the first network standard according to the received user plane integrity protection policy.
- the access network device of the first network standard may obtain the user plane integrity protection policy from an external network element.
- the access network device of the first network standard receives the user plane integrity protection policy from the MME network element.
- the access network device of the first network standard may also receive the user plane encryption protection policy, which is not limited in this application.
- for this, refer to S210 shown in FIG. 2 above; for the process by which the MME network element obtains the user plane integrity protection policy, refer to S204 to S208 above.
- the access network device of the first network standard receives the user plane integrity protection policy from other access network devices, and the other access network devices may be source access network devices in mobility scenarios such as handover or re-establishment.
- the user plane integrity protection indication information may be determined by the access network device of the first network standard according to a preconfigured user plane integrity protection policy.
- the access network device of the first network standard pre-configures a user plane integrity protection policy.
- the access network device of the first network standard may also pre-configure a user plane encryption protection policy, which is not limited in this application.
- the integrity protection algorithm identifier of the second network standard may be a 5G integrity protection algorithm identifier, such as NIA0 to NIA7.
- the integrity protection algorithm identifier of the second network standard may be determined according to the security capability of the second network standard of the terminal device.
- the security capability of the second network standard may be an NR security capability
- the NR security capability includes at least one algorithm identifier, from which the access network device of the first network standard can select an integrity protection algorithm identifier.
- the access network device of the first network standard may select the integrity protection algorithm identifier of the second network standard according to the NR security capability of the terminal device and a locally configured algorithm priority list.
- the access network device of the first network standard can combine the two and select, for example, NIA2 as the integrity protection algorithm identifier of the second network standard.
- the access network device of the first network standard may obtain the security capability of the terminal device of the second network standard in various ways.
- the integrity protection algorithm identifier of the second network standard is determined according to the security capability of the first network standard.
- the access network device of the first network standard may determine the security capability of the second network standard according to the security capability of the first network standard, and determine the integrity protection algorithm identifier of the second network standard according to the security capability of the second network standard.
- the access network device of the first network standard determines the security capability of the second network standard according to the security capability of the first network standard, and the security capability of the second network standard includes the integrity protection algorithm identifier of the second network standard.
- wasted power consumption can be avoided.
- otherwise, if the security capability of the second network standard is determined but user plane integrity protection cannot be realized, meaningless operations occur, which results in wasted power consumption.
- the security capability of the first network standard includes the integrity protection algorithm identifier of the first network standard
- the security capability of the second network standard includes the integrity protection algorithm identifier of the second network standard
- the integrity protection algorithm identifier of the second network standard is obtained by mapping the integrity protection algorithm identifier of the first network standard.
- the mapped NR security capabilities include NEA1, NEA2, NIA1, and NIA2.
- NEA1 is mapped based on EEA1
- NEA2 is mapped based on EEA2
- NIA1 is mapped based on EIA1
- NIA2 is mapped based on EIA2.
- this mapping method is also applicable to EIA3 to EIA7 and EEA3 to EEA7, which are not listed one by one.
- the integrity protection algorithms identified by the 4G integrity protection algorithm identifier EIA1 and the 5G integrity protection algorithm identifier NIA1 are the same (both are SNOW 3G algorithms); similarly, the integrity protection algorithms identified by EIA2 and NIA2 are the same (both are advanced encryption standard (AES) algorithms), and the integrity protection algorithms identified by EIA3 and NIA3 are the same (both are ZUC algorithms, named after Zu Chongzhi); the rest are not listed one by one. Therefore, the integrity protection algorithm identifier of the first network standard can be mapped to the integrity protection algorithm identifier of the second network standard.
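The identifier mapping and the priority-list selection described above, as an added Python example that is not part of the patent: the index of an identifier is preserved across EIA/NIA (and EEA/NEA) because the same index names the same algorithm in both systems; the set form of the security capability and the priority list are constructed inputs, and skipping the null algorithm (index 0) during selection is an added practitioner check.

```python
from __future__ import annotations

# Algorithm selected by an identifier index; EIAx and NIAx with the same index
# are the same algorithm (EIA1/NIA1 SNOW 3G, EIA2/NIA2 AES, EIA3/NIA3 ZUC).
# Index 0 is the null integrity algorithm; 4..7 are spare in both systems.
ALGORITHM_OF_INDEX = {0: "NULL", 1: "SNOW 3G", 2: "AES", 3: "ZUC"}

_KNOWN_PREFIXES = ("EIA", "EEA", "NIA", "NEA")


def map_identifier(identifier: str, target_prefix: str) -> str:
    """Map an algorithm identifier between standards by keeping its index.

    map_identifier("EIA2", "NIA") -> "NIA2"; map_identifier("EEA1", "NEA") -> "NEA1".
    """
    prefix, index = identifier[:3], identifier[3:]
    if prefix not in _KNOWN_PREFIXES or target_prefix not in _KNOWN_PREFIXES \
            or not index.isdigit():
        raise ValueError(f"unrecognised algorithm identifier {identifier!r}")
    return f"{target_prefix}{index}"


def map_eps_capability_to_nr(eps_capability: set[str]) -> set[str]:
    """Derive an NR security capability from an EPS security capability.

    This is the S301 case in which the eNB did not receive the terminal's NR
    security capability and determines it from the EPS security capability.
    """
    mapped: set[str] = set()
    for identifier in eps_capability:
        if identifier.startswith("EIA"):
            mapped.add(map_identifier(identifier, "NIA"))
        elif identifier.startswith("EEA"):
            mapped.add(map_identifier(identifier, "NEA"))
    return mapped


def select_integrity_algorithm(ue_capability: set[str], priority_list: list[str]) -> str:
    """Pick the first entry of the locally configured priority list (most
    preferred first) that the terminal supports, skipping the null algorithm,
    which would leave the DRB unprotected."""
    for candidate in priority_list:
        if candidate in ue_capability and candidate[3:] != "0":
            return candidate
    raise ValueError("no common non-null integrity algorithm")


if __name__ == "__main__":
    # Constructed capability and priority list, as in the page's NIA2 example.
    nr_capability = {"NIA0", "NIA1", "NIA2", "NEA1", "NEA2"}
    priority = ["NIA2", "NIA1", "NIA3"]
    chosen = select_integrity_algorithm(nr_capability, priority)
    print(chosen, "->", ALGORITHM_OF_INDEX[int(chosen[3:])])
```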
- the communication method shown in FIG. 3 may further include: S305, the core network element of the first network standard sends a second message to the access network device of the first network standard.
- the access network device of the first network standard receives the second message from the core network element of the first network standard.
- the second message includes the security capability of the first network standard of the terminal device.
- the second message may be an initial context setup request (initial context setup request) message.
- the access network device of the first network standard may save the security capability of the first network standard of the terminal device as the AS security context of the terminal device.
- the security capability of the second network standard may be received by the access network device of the first network standard from the network element of the core network of the first network standard.
- the second message may further include the security capability of the second network standard of the terminal device.
- the access network device of the first network standard may save the NR security capability of the terminal device in the AS security context of the terminal device.
- the second message may not include the security capability of the second network standard. This is because, if the MME network element is a traditional MME network element, the MME network element may fail to correctly identify the security capability of the second network standard and fail to send it to the access network device. If the MME network element is not a traditional MME network element, for example an MME network element that supports UPIP and can identify the security capability of the second network standard of the terminal device, the second message may include the security capability of the second network standard of the terminal device.
- the communication method shown in FIG. 3 may further include: S306, the terminal device sends a third message to a core network element of the first network standard.
- the core network element of the first network standard receives the third message from the terminal device.
- the third message may include the security capability of the first network standard.
- the above S306 may include: when the terminal device supports user plane integrity protection, the terminal device sends the security capability of the second network standard to the core network element of the first network standard, that is, the third message may also include the security capability of the second network standard.
- the third message may be an attach request message or a tracking area update (tracking area update, TAU) request message.
- the access network device of the first network standard sends a first message to the terminal device.
- the terminal device receives the first message.
- the first message may include user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard.
- the first message may further include first indication information.
- the first indication information may be used to indicate that the master key is used to determine the first key.
- the master key may be a key KeNB of an access network device of the first network standard.
- the key of the access network device of the first network standard may be called the master key
- the key of the access network device of the second network standard may be called the secondary key.
- the first key may be a user plane integrity protection key, and the first key may be used to perform integrity protection on user plane data between the terminal device and the access network device.
- the first key may be Kup-int.
- the first message may be an RRC connection reconfiguration (RRC connection reconfiguration) message.
- the user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard may be encapsulated in a radio bearer configuration (Radiobearerconfig) information element of the first message.
- the first indication information may also be encapsulated in the radio bearer configuration information element of the first message.
- the user plane integrity protection indication information is encapsulated into the PDCP configuration (PDCP-config) of the Radiobearerconfig information element, for example, the PDCP-config encapsulates the integrity protection (integrityProtection) information element.
- the PDCP-config may not encapsulate any information element, and at this time, the integrity protection is disabled by default.
- the integrity protection algorithm identifier of the second network standard may be encapsulated in a security algorithm configuration (securityAlgorithmConfig) information element of the Radiobearerconfig information element.
- the first indication information may be encapsulated in a used key (keyToUse) information element of the Radiobearerconfig information element.
- the access network device of the first network standard may set keyToUse as a master key, so that the terminal device may use the master key to generate a user plane key according to the instruction of keyToUse.
- the first key is determined according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type distinguisher (for example, N-UP-int-alg, with value 0x07).
- the first indication information may be an implicit indication, the first message does not carry the keyToUse information element, and indicates by default that the user plane key is derived using the master key.
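A simplified model of the Radiobearerconfig contents of the first message as the page describes them, as an added Python example (not the patent's code and not the ASN.1 of TS 38.331): the eNB side encodes the three indications and the terminal side interprets them, treating an absent integrityProtection IE as disabled and an absent keyToUse as the master key, as the page states. The IE names follow TS 38.331 naming (integrityProtection, integrityProtAlgorithm, keyToUse); the dataclass layout and the rejection of a missing or null algorithm are assumptions added here.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadioBearerConfig:
    """Only the IEs the page discusses are modelled (assumed layout)."""
    drb_id: int
    pdcp_config: dict = field(default_factory=dict)    # {"integrityProtection": "enabled"} or empty
    security_algorithm_config: Optional[dict] = None   # {"integrityProtAlgorithm": "NIA2"}
    key_to_use: Optional[str] = None                   # "master", "secondary", or absent


@dataclass
class UpipDecision:
    enabled: bool
    algorithm: Optional[str]   # NR identifier such as "NIA2" when enabled
    key_source: str            # key from which the user plane key is derived


def build_first_message(drb_id: int, enable_upip: bool, nia_id: str,
                        explicit_key_to_use: bool = True) -> RadioBearerConfig:
    """eNB side (S301): the UPIP indication is the presence of integrityProtection
    in pdcp-Config, the NR algorithm identifier goes into securityAlgorithmConfig,
    and the first indication information is keyToUse = master. With
    explicit_key_to_use=False the master key is indicated implicitly by omission."""
    return RadioBearerConfig(
        drb_id=drb_id,
        pdcp_config={"integrityProtection": "enabled"} if enable_upip else {},
        security_algorithm_config={"integrityProtAlgorithm": nia_id} if enable_upip else None,
        key_to_use="master" if explicit_key_to_use else None,
    )


def interpret_first_message(cfg: RadioBearerConfig) -> UpipDecision:
    """Terminal side (S304): absent integrityProtection means disabled, absent
    keyToUse means the master key. Enabling integrity without an algorithm
    identifier, or with the null algorithm NIA0, is rejected here because no
    real protection could be activated; this check is an added safeguard."""
    key_source = cfg.key_to_use if cfg.key_to_use is not None else "master"
    if "integrityProtection" not in cfg.pdcp_config:
        return UpipDecision(enabled=False, algorithm=None, key_source=key_source)
    alg = (cfg.security_algorithm_config or {}).get("integrityProtAlgorithm")
    if alg is None:
        raise ValueError(f"DRB {cfg.drb_id}: integrity enabled but no algorithm identifier")
    if alg == "NIA0":
        raise ValueError(f"DRB {cfg.drb_id}: NIA0 is the null algorithm and protects nothing")
    return UpipDecision(enabled=True, algorithm=alg, key_source=key_source)


if __name__ == "__main__":
    msg = build_first_message(drb_id=1, enable_upip=True, nia_id="NIA2")
    print(interpret_first_message(msg))
    print(interpret_first_message(build_first_message(2, False, "NIA2")))
```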
- the access network device of the first network standard activates user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the sequence of S302 and S303 is not limited in this embodiment of the present application.
- the first key may be determined by the access network device of the first network standard according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type identifier; for example, the user plane integrity protection key Kup-int.
- the value of the first algorithm type identifier may be 0x07, for example, the first algorithm type identifier is N-UP-int-alg.
- the master key may be obtained from the AS security context of the terminal device.
- the access network device of the first network standard may obtain the first key directly from the AS security context of the terminal device, for example, the Kup-int has been deduced in advance.
- the access network device of the first network standard can activate the user plane integrity protection of the first DRB according to the Kup-int and the integrity protection algorithm of the second network standard. Therefore, after user plane integrity protection is activated, the user plane data sent by the access network device of the first network standard is integrity protected using the integrity protection algorithm of the second network standard and Kup-int, and the integrity of received user plane data packets is checked using the integrity protection algorithm of the second network standard and Kup-int.
- the above S303 may include: the access network device of the first network standard configures the first key and the integrity protection algorithm of the second network standard into the PDCP entity of the second network standard corresponding to the first DRB.
- the PDCP entity of the second network standard may be NR PDCP.
- the access network device of the first network standard activates the user plane integrity protection, so as to realize the on-demand protection of the user plane integrity.
- in the case that the first message comes from an access network device of the first network standard, and the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, the terminal device activates the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the terminal device may determine whether it is connected to the network of the first network standard.
- the terminal device may determine whether it is currently connected to the E-UTRA/EPC according to the PLMN ID broadcast by the access network device of the first network standard. For example, if the PLMN ID broadcast by the access network device of the first network standard does not include 5G, the terminal device may determine that it is connected to E-UTRA/EPC.
- the terminal device can use the first key and the integrity protection algorithm of the second network standard to activate user plane integrity protection of the first DRB.
- the terminal device may determine whether the first message comes from an access network device of the first network standard according to the PLMN ID, where the PLMN ID comes from the access network device sending the first message. For example, access network device 1 broadcasts the PLMN ID and sends the first message to the terminal device. If the PLMN ID does not include 5G, access network device 1 is an access network device of the first network standard, so the first message comes from an access network device of the first network standard.
- the first key may be determined by the terminal device according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type distinguisher (for example, N-UP-int-alg, with value 0x07), such as the user plane integrity protection key Kup-int.
- the master key may be obtained by the terminal device from the AS security context of the terminal device according to the first indication information.
- the terminal device may directly obtain the first key from the AS security context of the terminal device, for example, the Kup-int has been deduced in advance.
- the terminal device can activate the user plane integrity protection of the first DRB according to the Kup-int and the integrity protection algorithm of the second network standard. Therefore, after user plane integrity protection is activated, the user plane data sent by the terminal device is integrity protected using the integrity protection algorithm of the second network standard and Kup-int, and the integrity of received user plane data packets is checked using the integrity protection algorithm of the second network standard and Kup-int.
- the above S304 may include: when the first message comes from an access network device of the first network standard, and the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, the terminal device configures, according to the user plane integrity protection indication information, the first key and the integrity protection algorithm of the second network standard into the PDCP entity of the second network standard corresponding to the first DRB.
- the RRC layer of the terminal device may configure the first key and the integrity protection algorithm of the second network standard to the NR PDCP entity corresponding to the first DRB.
- the terminal device activates the integrity protection of the user plane, so as to realize the on-demand protection of the integrity of the user plane.
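Derivation of the first key on both sides (S303 at the access network device, S304 at the terminal device) as an added Python example, not the patent's code: the inputs are the ones the page gives (master key KeNB, the first algorithm type distinguisher N-UP-int-alg = 0x07, the NR integrity protection algorithm identifier), and the KDF form assumed is the one TS 33.401 Annex A.7 uses for algorithm keys (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 with FC = 0x15, truncated to the 128 least significant bits); the page itself does not fix the KDF. KeNB is a constructed value.

```python
import hashlib
import hmac

# TS 33.401 Annex A.7 algorithm key derivation constants.
FC_ALGORITHM_KEY = 0x15
UP_INT_ALG = 0x06      # existing distinguisher for Kup-int derived with an EIA identifier
N_UP_INT_ALG = 0x07    # the page's first algorithm type distinguisher (N-UP-int-alg)


def derive_algorithm_key(master_key: bytes, alg_type_distinguisher: int, alg_id: int) -> bytes:
    """KDF(KeNB, FC || P0 || L0 || P1 || L1), 128 least significant bits.

    P0 = algorithm type distinguisher (1 byte), L0 = 0x0001,
    P1 = algorithm identity (4-bit value in 1 byte), L1 = 0x0001.
    Assumption: the page reuses this TS 33.401 A.7 form with P0 = 0x07.
    """
    if len(master_key) != 32:
        raise ValueError("KeNB is a 256-bit key")
    if not 0 <= alg_type_distinguisher <= 0xFF:
        raise ValueError("algorithm type distinguisher is one byte")
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    s = bytes([FC_ALGORITHM_KEY,
               alg_type_distinguisher, 0x00, 0x01,
               alg_id, 0x00, 0x01])
    output = hmac.new(master_key, s, hashlib.sha256).digest()
    return output[16:]   # the 128 LSBs of the 256-bit KDF output


def kup_int_for_nr_algorithm(k_enb: bytes, nia_id: int) -> bytes:
    """The first key of S303/S304: Kup-int bound to an NR algorithm id via 0x07."""
    return derive_algorithm_key(k_enb, N_UP_INT_ALG, nia_id)


def kup_int_for_lte_algorithm(k_enb: bytes, eia_id: int) -> bytes:
    """The legacy LTE Kup-int (distinguisher 0x06), shown for comparison: even
    though EIA2 and NIA2 are the same algorithm with the same index, the
    distinguisher keeps the two user plane integrity keys separate."""
    return derive_algorithm_key(k_enb, UP_INT_ALG, eia_id)


def peers_share_first_key(k_enb: bytes, nia_id: int) -> bool:
    """Both ends derive the first key from the master key held in the AS
    security context; the comparison is constant time, and they must match."""
    enb_side = kup_int_for_nr_algorithm(k_enb, nia_id)
    ue_side = kup_int_for_nr_algorithm(k_enb, nia_id)
    return hmac.compare_digest(enb_side, ue_side)


# Constructed KeNB for demonstration only; a real KeNB comes from the AS context.
DEMO_KENB = bytes(range(32))

if __name__ == "__main__":
    nia2 = 2   # NIA2 (and EIA2): the AES-based integrity algorithm
    print("Kup-int (NIA2, 0x07):", kup_int_for_nr_algorithm(DEMO_KENB, nia2).hex())
    print("Kup-int (EIA2, 0x06):", kup_int_for_lte_algorithm(DEMO_KENB, nia2).hex())
    print("peers agree:", peers_share_first_key(DEMO_KENB, nia2))
```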
- the communication method shown in FIG. 3 may further include: S307, the terminal device sends an RRC reconfiguration complete message to the access network device of the first network standard.
- the access network device of the first network standard receives the RRC reconfiguration complete message from the terminal device.
- the communication method shown in FIG. 3 may further include: S308 to S311.
- S308 to S311 please refer to the above S211 to S214 respectively.
- the main difference is that "4G" is replaced by "first network standard", and "access network device" is replaced by "access network device of the first network standard".
- S308 to S311 may be performed before S301, which is not limited in this application.
- the access network device of the first network standard determines the 4G algorithm identifier according to the EPS security capability of the terminal device.
- the access network device of the first network standard derives the first key according to the master key and the integrity protection algorithm identifier of the first network standard, such as the user plane integrity protection key Kup-int.
- the Kup-int is used for integrity protection of the user plane data of the terminal device and the access network device of the first network standard.
- the access network device of the first network standard can derive Kup-int according to the master key KeNB and the 4G integrity protection algorithm identifier during the process of deriving the control plane key and the user plane encryption key, so that the access network device of the first network standard may subsequently obtain the first key directly from the AS security context of the terminal device.
- the terminal device may directly obtain the first key from the AS security context of the terminal device.
- the access network device of the first network standard may activate user plane encryption protection in S308, and deactivate user plane encryption protection in S303.
- the first message in S301 may further include user plane encryption protection state indication information, which is used to indicate whether to enable or disable user plane encryption protection. If S308 to S311 are performed before S301, and the access network device of the first network standard has activated user plane encryption protection in S308, the access network device of the first network standard can disable the already enabled user plane encryption protection in S303, so as to further realize on-demand protection of user plane encryption.
- the access network device of the first network standard sends an AS SMC message to the terminal device.
- the terminal device receives the AS SMC message from the access network device of the first network standard.
- the terminal device enables control plane security protection.
- the embodiment of the present application does not limit the sequence between the terminal device enabling security protection and the access network device of the first network standard deriving the key and activating security protection in S308 above.
- the terminal device may activate user plane encryption protection in S310, and deactivate user plane encryption protection in S304.
- the first message in S301 may further include user plane encryption protection state indication information, which is used to indicate whether to enable or disable user plane encryption protection. If S308 to S311 are performed before S301, and the terminal device has activated user plane encryption protection in S310, the terminal device may disable the enabled user plane encryption protection in S304, so as to further realize on-demand protection of user plane encryption.
- the terminal device sends an AS SMP message to the access network device of the first network standard.
- the access network device of the first network standard receives the AS SMP message from the terminal device.
- in summary, when the access network device of the first network standard determines to establish the first DRB and determines to enable user plane integrity protection of the first DRB, it obtains the user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard and sends them to the terminal device, so that the access network device of the first network standard and the terminal device can activate the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard. In this way, the on-demand protection mode of user plane integrity of the second network standard is adapted to the connection between the terminal device and the access network device of the first network standard, the integrity of the user plane is protected, and changes to the terminal device can be reduced.
- FIG. 4 is a schematic flowchart of another communication method provided in the embodiment of the present application.
- the communication method may be applicable to communication between a terminal device and an access network device, and between an access network device and a network element of a core network as shown in FIG. 1 .
- the method shown in FIG. 4 is applicable to any scenario in which user plane integrity protection needs to be flexibly enabled, for example, various scenarios for establishing or re-establishing a DRB, such as initial access, PDN session establishment, dedicated bearer activation, X2 handover (X2 being the interface between access network devices), or S1 handover; it describes the scheme for activating user plane integrity protection.
- the communication method includes the following steps:
- the access network device of the first network standard acquires user plane integrity protection indication information and an integrity protection algorithm identifier of the first network standard.
- the first network standard may include 4G, LTE, or EPS
- the second network standard may include 5G, NR, or 5GS.
- the first condition includes: determining to establish a first DRB between the access network device of the first network standard and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the first condition may further include that the terminal device supports user plane integrity protection.
- whether the terminal device supports user plane integrity protection may be determined by the access network device of the first network standard according to the user plane indication information.
- the specific implementation manner for the access network device of the first network standard to obtain the user plane indication information may refer to Step 1a to Step 2a or Step 1b in the above S301, which will not be repeated here.
- the user plane integrity protection indication information may be used to indicate to enable the user plane integrity protection of the first DRB.
- reference may be made to the corresponding implementation manner in S301 above, which will not be repeated here.
- the integrity protection algorithm of the first network standard may be a 4G integrity protection algorithm, and for details, refer to the corresponding description in the above security capabilities.
- the integrity protection algorithm identifier of the first network standard may be determined according to the security capability of the first network standard of the terminal device.
- the security capability of the first network standard may be an EPS security capability
- the EPS security capability includes at least one algorithm identifier, from which an access network device of the first network standard may select an integrity protection algorithm identifier, for example EIA1.
- the access network device of the first network standard may select the integrity protection algorithm identifier of the first network standard according to the EPS security capability of the terminal device and a locally configured algorithm priority list.
- the specific implementation is similar to the selection of the integrity protection algorithm identifier of the second network standard according to the NR security capability of the terminal device and the locally configured algorithm priority list in S301 above, and will not be repeated here.
- the integrity protection algorithm identifier of the first network standard may be the integrity protection algorithm identifier of the first network standard currently used between the access network device of the first network standard and the terminal device.
- the access network device of the first network standard obtains the currently used integrity protection algorithm identifier of the first network standard from the AS security context of the terminal device.
- the communication method shown in FIG. 4 may further include: S405.
- the core network element of the first network standard sends a fifth message to the access network device of the first network standard.
- the access network device of the first network standard receives the fifth message from the core network element of the first network standard.
- the fifth message includes the security capability of the first network standard of the terminal device.
- the fifth message may be an initial context setup request message.
- the access network device of the first network standard may save the security capability of the first network standard of the terminal device as the AS security context of the terminal device.
- the communication method shown in FIG. 4 may further include: S406, the terminal device sends a sixth message to a core network element of the first network standard.
- the core network element of the first network standard receives the sixth message from the terminal device.
- the sixth message may include the security capability of the first network standard.
- the sixth message may be an attach request message or a tracking area update request message.
- the access network device of the first network standard sends a fourth message to the terminal device.
- the terminal device receives the fourth message.
- the fourth message includes user plane integrity protection indication information.
- the fourth message may further include the first indication information and/or the second indication information.
- the first indication information may be used to indicate that the master key is used to determine the first key.
- the second indication information may be used to indicate to activate the user plane integrity protection of the first DRB according to the integrity protection algorithm of the first network standard.
- the second indication information may include an integrity protection algorithm identifier of the first network standard, or the second indication information may indicate that user plane integrity protection is activated according to the currently used integrity protection algorithm of the first network standard.
- the second indication information may be used to indicate the integrity protection algorithm adopted to enable user plane integrity protection, namely the integrity protection algorithm of the first network standard.
- the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, which may implicitly indicate that user plane integrity protection is activated according to the integrity protection algorithm of the first network standard.
- the user plane integrity protection indication information may not only indicate to enable the user plane integrity protection, but may also indicate to use the integrity protection algorithm of the first network standard to activate the user plane integrity protection.
- the fourth message may be an RRC connection reconfiguration message.
- the user plane integrity protection indication information may be encapsulated in the Radiobearerconfig information element of the fourth message.
- the first indication information may also be encapsulated in the Radiobearerconfig information element of the fourth message.
- the second indication information may be encapsulated in the Radiobearerconfig information element of the fourth message, or may be encapsulated in other information elements different from the Radiobearerconfig information element of the fourth message.
- for the implementation of encapsulating the user plane integrity protection indication information in the Radiobearerconfig information element, refer to the corresponding implementation in S302 above; details are not repeated here.
- the second indication information may include an integrity protection algorithm identifier of the first network standard.
- the Radiobearerconfig information element may carry the algorithm configuration information element of the first network standard in the securityAlgorithmConfig, which is different from the method shown in FIG. 3 .
- the algorithm configuration information element of the first network standard may be used to encapsulate the integrity protection algorithm identifier of the first network standard, and may indicate that the user plane integrity protection of the first DRB is activated using the integrity protection algorithm of the first network standard.
- the second indication information may indicate that user plane integrity protection is activated according to the currently used integrity protection algorithm of the first network standard.
- the second indication information may be carried in an information element of the fourth message, but that information element may not be encapsulated in the Radiobearerconfig information element, which differs from the method shown in FIG. 3 .
- the access network device of the first network standard activates user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the first key may be determined by the access network device of the first network standard according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type distinguisher (for example: UP-int-alg, with value 0x06); for example, it may be the user plane integrity protection key Kup-int.
- the master key may be obtained from the AS security context of the terminal device.
- the access network device of the first network standard may obtain the first key directly from the AS security context of the terminal device, for example, the Kup-int has been deduced in advance.
- the access network device of the first network standard can determine the first key Kup-int-E according to the master key KeNB and the integrity protection algorithm identifier EIA1 of the first network standard.
- the access network device of the first network standard can activate the user plane integrity protection of the first DRB according to Kup-int-E and the integrity protection algorithm of the first network standard. Therefore, after the user plane integrity protection is activated by the access network device of the first network standard, the transmitted user plane data is integrity protected using the integrity protection algorithm of the first network standard and Kup-int-E, and the integrity of received user plane data packets is checked using the integrity protection algorithm of the first network standard and Kup-int-E.
- the first key may be determined by the access network device of the first network standard according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type distinguisher (for example: N-UP-int-alg, with value 0x07), where the integrity protection algorithm identifier of the second network standard is determined according to the integrity protection algorithm identifier of the first network standard.
- the integrity protection algorithm identifier of the second network standard may be a 5G integrity protection algorithm identifier, such as NIA1.
- the integrity protection algorithm identifier of the second network standard is obtained by mapping the integrity protection algorithm identifier of the first network standard by the access network device of the first network standard.
- if the integrity protection algorithm identifier of the first network standard determined in the above S401 or the following S408 is EIA1, the integrity protection algorithm identifier NIA1 of the second network standard is mapped according to EIA1.
- the access network device of the first network standard can determine the first key Kup-int-N using the master key, the integrity protection algorithm identifier NIA1 of the second network standard, and the first algorithm type distinguisher (for example: N-UP-int-alg, with value 0x07).
- the algorithms identified by an integrity protection algorithm identifier of the first network standard and the integrity protection algorithm identifier of the second network standard that it maps to may be the same, but the first keys determined from them may not be the same.
- both EIA1 and NIA1 identify the SNOW 3G algorithm, but the first key Kup-int-E determined according to EIA1 and KeNB is different from the first key Kup-int-N determined according to NIA1 and KeNB.
- the access network device of the first network standard can activate the user plane integrity protection of the first DRB based on Kup-int-N and the algorithm identified by the integrity protection algorithm identifier of the second network standard (which may be referred to as the integrity protection algorithm of the first network standard or of the second network standard, such as the SNOW 3G algorithm).
- the above S403 may include: the access network device of the first network standard uses the first key and the integrity protection algorithm of the first network standard to activate the user plane integrity protection of the first DRB according to the second indication information. In this way, the access network device of the first network standard may use the integrity protection algorithm of the first network standard to implement on-demand protection of user plane integrity according to the indication of the second indication information.
- the above S403 may include: the access network device of the first network standard configures the first key and the integrity protection algorithm of the first network standard to the PDCP entity of the second network standard corresponding to the first DRB.
- the access network device of the first network standard activates the user plane integrity protection, so as to realize the on-demand protection of the user plane integrity.
- in the case that the fourth message comes from an access network device of the first network standard, and the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, the terminal device activates the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the terminal device may determine whether it is connected to the network of the first network standard.
- the terminal device may judge whether it is currently connected to E-UTRA/EPC according to the PLMN ID broadcast by the access network device of the first network standard. For example, if the PLMN ID broadcast by the access network device of the first network standard does not include 5G, the terminal device can determine that it is connected to E-UTRA/EPC.
- when it is connected to the network of the first network standard, the terminal device can activate user plane integrity protection of the first DRB.
- the terminal device may determine whether the fourth message comes from the access network device of the first network standard according to the PLMN ID, where the PLMN ID comes from the access network device sending the fourth message. For example, the access network device 2 broadcasts the PLMN ID and sends the fourth message to the terminal device. If the PLMN ID does not include 5G, the access network device 2 is an access network device of the first network standard, so the fourth message comes from an access network device of the first network standard.
- the integrity protection algorithm of the first network standard may be received by the terminal device from the access network device of the first network standard, or obtained by the terminal device from the AS security context of the terminal device.
- when the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, the terminal device may obtain the currently used integrity protection algorithm of the first network standard from the AS security context of the terminal device.
- the second indication information may indicate that user plane integrity protection is activated according to the currently used integrity protection algorithm of the first network standard, and the terminal device may then obtain the currently used integrity protection algorithm of the first network standard.
- the second indication information may include the integrity protection algorithm identifier of the first network standard, and the terminal device obtains the integrity protection algorithm of the first network standard according to the integrity protection algorithm identifier of the first network standard.
- the first key may be determined by the terminal device according to the master key, the integrity protection algorithm identifier of the first network standard, and the second algorithm type distinguisher (for example: UP-int-alg, with value 0x06); for example, it may be the user plane integrity protection key Kup-int.
- the master key may be obtained by the terminal device from the AS security context of the terminal device according to the first indication information.
- the terminal device may directly obtain the first key from the AS security context of the terminal device, for example, the Kup-int has been deduced in advance.
- the terminal device can determine the first key Kup-int-E according to the master key KeNB and the integrity protection algorithm identifier EIA1 of the first network standard.
- the terminal device can activate the user plane integrity protection of the first DRB according to Kup-int-E and the integrity protection algorithm of the first network standard. Therefore, the user plane data sent by the terminal device after the user plane integrity protection is activated is integrity protected using the integrity protection algorithm of the first network standard and Kup-int-E, and the integrity of received user plane data packets is checked using the integrity protection algorithm of the first network standard and Kup-int-E.
- the first key may be determined by the terminal device according to the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type distinguisher (for example: N-UP-int-alg, with value 0x07), where the integrity protection algorithm identifier of the second network standard is determined according to the integrity protection algorithm identifier of the first network standard.
- the integrity protection algorithm identifier of the second network standard may be a 5G integrity protection algorithm identifier, such as NIA1.
- the integrity protection algorithm identifier of the second network standard may be obtained by the terminal device by mapping the integrity protection algorithm identifier of the first network standard.
- the first key may be determined by the terminal device using the master key, the integrity protection algorithm identifier of the second network standard, and the first algorithm type distinguisher (for example: N-UP-int-alg, with value 0x07), where the integrity protection algorithm identifier of the second network standard is mapped from the integrity protection algorithm identifier of the first network standard.
- the specific implementation method can refer to the above S403.
- the integrity protection algorithm identifier of the second network standard is obtained by mapping the integrity protection algorithm identifier of the first network standard, in the same way as at the access network device of the first network standard; details are not repeated here.
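The two derivations of the first key described above for the access network device (S403) and for the terminal device, as an added example that is not part of the patent: the EPS route (EIA1 with the second algorithm type distinguisher UP-int-alg = 0x06, giving Kup-int-E) and the mapped route (EIA1 mapped to NIA1 with the first algorithm type distinguisher N-UP-int-alg = 0x07, giving Kup-int-N). The KDF form (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 with FC = 0x15, 128 least significant bits taken) is the 3GPP algorithm key derivation of TS 33.401 Annex A.7 / TS 33.220 Annex B and is not stated on the page; the KeNB value and the EIA-to-NIA mapping table are constructed for illustration.

```python
"""Added example: Kup-int-E vs Kup-int-N derivation from the same KeNB.

Shows the page's point that EIA1 and NIA1 identify the same algorithm
(SNOW 3G) but, because the algorithm type distinguisher differs (0x06 vs
0x07), the derived first keys differ. Both the access network device and
the terminal device run the same function on the same inputs, so either
route yields a shared key as long as both sides choose the same route.
"""
import hashlib
import hmac

# FC value for algorithm key derivation (TS 33.401 A.7); not on the page.
FC_ALGORITHM_KEY_DERIVATION = 0x15

# Algorithm type distinguishers named on the page.
UP_INT_ALG = 0x06    # "second algorithm type distinguisher" (UP-int-alg)
N_UP_INT_ALG = 0x07  # "first algorithm type distinguisher" (N-UP-int-alg)

# 4-bit algorithm identities. EIA1 and NIA1 are both 0001 (SNOW 3G);
# EIA2 and NIA2 are both 0010 (AES).
EPS_INTEGRITY_ALG_ID = {"EIA0": 0x0, "EIA1": 0x1, "EIA2": 0x2, "EIA3": 0x3}
NR_INTEGRITY_ALG_ID = {"NIA0": 0x0, "NIA1": 0x1, "NIA2": 0x2, "NIA3": 0x3}

# Constructed mapping from the first network standard (EPS) identifier to
# the second network standard (5G) identifier, as the page describes
# (EIA1 -> NIA1); the other rows are the obvious like-for-like mapping.
EIA_TO_NIA = {"EIA0": "NIA0", "EIA1": "NIA1", "EIA2": "NIA2", "EIA3": "NIA3"}


def build_s(fc: int, *params: bytes) -> bytes:
    """Build the KDF input string S = FC || P0 || L0 || P1 || L1 || ...

    Each Li is the two-byte big-endian length of Pi (TS 33.220 B.2)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S), 256-bit output."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def derive_algorithm_key(master_key: bytes, alg_type_distinguisher: int,
                         alg_id: int) -> bytes:
    """Algorithm key derivation: P0 = type distinguisher, P1 = algorithm id.

    For a 128-bit algorithm key the 128 least significant bits of the
    256-bit KDF output are used, i.e. the last 16 bytes."""
    out = kdf(master_key, FC_ALGORITHM_KEY_DERIVATION,
              bytes([alg_type_distinguisher]), bytes([alg_id & 0x0F]))
    return out[16:]


def derive_kup_int_e(kenb: bytes, eia: str) -> bytes:
    """Kup-int-E: EPS identifier (e.g. EIA1) with UP-int-alg = 0x06."""
    return derive_algorithm_key(kenb, UP_INT_ALG, EPS_INTEGRITY_ALG_ID[eia])


def derive_kup_int_n(kenb: bytes, eia: str) -> bytes:
    """Kup-int-N: EPS identifier mapped to its 5G identifier (EIA1 -> NIA1),
    then derived with N-UP-int-alg = 0x07."""
    nia = EIA_TO_NIA[eia]
    return derive_algorithm_key(kenb, N_UP_INT_ALG, NR_INTEGRITY_ALG_ID[nia])


def integrity_keys_differ(kenb: bytes, eia: str) -> bool:
    """True when the two routes give different first keys for the same
    algorithm identifier, which is the situation the page describes."""
    return derive_kup_int_e(kenb, eia) != derive_kup_int_n(kenb, eia)


if __name__ == "__main__":
    KENB = bytes(range(32))  # constructed 256-bit master key, not a real one
    print("Kup-int-E (EIA1, 0x06):", derive_kup_int_e(KENB, "EIA1").hex())
    print("Kup-int-N (NIA1, 0x07):", derive_kup_int_n(KENB, "EIA1").hex())
    print("keys differ:", integrity_keys_differ(KENB, "EIA1"))
```

If the access network device derived Kup-int-N while the terminal device derived Kup-int-E, every received user plane packet would fail its integrity check even though both sides run SNOW 3G, which is why the second indication information has to pin down the route.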
- the integrity protection algorithm, master key, and first key of the first network standard in the AS security context of the terminal device can all be obtained in the following step S410.
- the terminal device activating the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard may include: the terminal device configures the first key and the integrity protection algorithm of the first network standard to the PDCP entity of the second network standard corresponding to the first DRB.
- the RRC layer of the terminal device may configure the first key and the integrity protection algorithm of the first network standard to the NR PDCP entity corresponding to the first DRB.
- the terminal device activates the integrity protection of the user plane, so as to realize the on-demand protection of the integrity of the user plane.
- the communication method shown in FIG. 4 may further include: S407 to S411.
- the specific implementation of S407 to S411 can refer to the above S307 to S311, which will not be repeated here.
- the main differences include replacing S301 with S401, replacing S303 with S403, and replacing S304 with S404.
- when the access network device of the first network standard determines to establish the first DRB and determines to enable the user plane integrity protection of the first DRB, it obtains the user plane integrity protection indication information used to indicate enabling the user plane integrity protection and the integrity protection algorithm identifier of the first network standard, and instructs the terminal device to activate the integrity protection using the integrity protection algorithm of the first network standard.
- both the access network device and the terminal device of the first network standard can activate the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard, so that the on-demand protection mode of user plane integrity of the second network standard is adapted to the user plane integrity protection of terminal devices and access network devices of the first network standard; at the same time, using the integrity protection algorithm of the first network standard to activate user plane integrity protection can realize the independent evolution of user plane integrity protection in different network standards.
- the communication method provided by the embodiment of the present application has been described in detail above with reference to FIGS. 2-4 .
- the communication device provided by the embodiment of the present application will be described in detail below with reference to FIGS. 5-6 .
- FIG. 5 is a schematic structural diagram of a communication device that can be used to implement the communication method provided by the embodiment of the present application.
- the communication device 500 may be an access network device or a terminal device of the first network standard, or a core network element of the first network standard, or may be a chip applied in an access network device or a terminal device of the first network standard, or in a core network element of the first network standard, or other components with corresponding functions.
- a communication device 500 may include a processor 501 .
- the communications device 500 may further include one or more of a memory 502 and a transceiver 503 .
- the processor 501 may be coupled with one or more of the memory 502 and the transceiver 503, such as through a communication bus, or the processor 501 may be used alone.
- the components of the communication device 500 are specifically introduced below in conjunction with FIG. 5 :
- the processor 501 is the control center of the communication device 500, and may be one processor, or may be a general term for multiple processing elements.
- the processor 501 may be one or more central processing units (central processing unit, CPU), may also be an application specific integrated circuit (application specific integrated circuit, ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example: one or more microprocessors (digital signal processor, DSP), or one or more field programmable gate arrays (field programmable gate array, FPGA).
- the processor 501 can execute various functions of the communication device 500 by running or executing software programs stored in the memory 502 and calling data stored in the memory 502 .
- the processor 501 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 5 .
- the communication device 500 may also include multiple processors, for example, the processor 501 and the processor 504 shown in FIG. 5 .
- processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- a processor herein may refer to one or more communication devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
- the memory 502 may be a read-only memory (read-only memory, ROM) or other types of static storage devices that can store static information and instructions, a random access memory (random access memory, RAM) or other types of dynamic storage devices that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disc storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory 502 can be integrated with the processor 501 or exist independently, and is coupled with the processor 501 through an input/output port (not shown in FIG. 5 ) of the communication device 500, which is not specifically limited in this embodiment of the present application.
- the input port can be used to implement the receiving function performed by the access network device or terminal device of the first network standard, or the core network element of the first network standard, in any of the above method embodiments.
- the output port can be used to implement the sending function performed by the access network device or terminal device of the first network standard, or the core network element of the first network standard, in any of the above method embodiments.
- the memory 502 can be used to store a software program for executing the solution of the present application, and the execution is controlled by the processor 501 .
- the processor 501 controls the execution of the solution of the present application.
- the transceiver 503 is used for communication with other communication devices.
- the transceiver 503 may be used to communicate with the terminal device and a core network element of the first network standard.
- the transceiver 503 may be used to communicate with an access network device of the first network standard and a core network element of the first network standard.
- the transceiver 503 may be used to communicate with access network devices and terminal devices of the first network standard.
- the transceiver 503 may include a receiver and a transmitter (not separately shown in FIG. 5 ).
- the transceiver 503 may be integrated with the processor 501, or may exist independently, and be coupled to the processor 501 through an input/output port (not shown in FIG. 5 ) of the communication device 500, which is not specifically limited in this embodiment of the present application.
- the structure of the communication device 500 shown in FIG. 5 does not constitute a limitation to the communication device, and an actual communication device may include more or fewer components than shown in the figure, or combine certain components, or have a different component arrangement.
- the actions of the access network device of the first network standard in the above-mentioned FIG. 2 to FIG. 4 can be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application program code stored in the memory 502 to instruct the access network device to execute.
- the above-mentioned actions of the terminal device in FIGS. 2-4 can be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 502 to instruct the terminal device to execute, which is not limited in this embodiment.
- the actions of the core network element of the first network standard in FIGS. 2-4 above can be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application program code stored in the memory 502 to instruct the core network element to execute, which is not limited in this embodiment.
- when the communication device is an access network device of the first network standard, the communication device 500 can execute any one or more possible design methods related to the access network device of the first network standard in the above method embodiments;
- when the communication device is a terminal device, the communication device 500 may implement any one or more possible design manners related to the terminal device in the foregoing method embodiments;
- when the communication device is a core network element of the first network standard, the communication device 500 may execute any one or more possible design methods related to the core network element of the first network standard in the above method embodiments.
- FIG. 6 is a schematic structural diagram of another communication device provided by an embodiment of the present application. For ease of illustration, FIG. 6 only shows the main components of the communication device.
- the communication device 600 includes a transceiver module 601 and a processing module 602 .
- the communication apparatus 600 may be an access network device or a terminal device of the first network standard in the foregoing method embodiments, or a core network element of the first network standard.
- the transceiver module 601, which may also be referred to as a transceiver unit, is used to implement the transceiver function performed by the access network device or terminal device of the first network standard, or the core network element of the first network standard, in any of the above method embodiments.
- the transceiver module 601 may include a receiving module and a sending module (not shown in FIG. 6 ). Wherein, the receiving module is used for receiving data and/or signaling from other devices; the sending module is used for sending data and/or signaling to other devices. This application does not specifically limit the specific implementation manner of the transceiver module.
- the transceiver module may be composed of a transceiver circuit, a transceiver, or a communication interface.
- the processing module 602 may be configured to implement the processing function performed by the access network device or terminal device of the first network standard, or the core network element of the first network standard in any of the above method embodiments.
- the processing module 602 may be a processor.
- the communication device 600 is presented in the form of dividing various functional modules in an integrated manner.
- a “module” here may refer to a specific ASIC, a circuit, a processor and a memory executing one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the functions described above.
- the communication device 600 can take the form of the communication device 500 shown in FIG. 5 .
- the processor 501 in the communication device 500 shown in FIG. 5 can invoke the computer-executed instructions stored in the memory 502, so that the communication method in the above method embodiment is executed.
- the functions/implementation process of the transceiver module 601 and the processing module 602 in FIG. 6 can be implemented by the processor 501 in the communication device 500 shown in FIG. 5 invoking computer-executed instructions stored in the memory 502 .
- the function/implementation process of the processing module 602 in FIG. 6 can be realized by the processor 501 in the communication device 500 shown in FIG. 5 , and the function/implementation process of the transceiver module 601 in FIG. 6 can be implemented by the transceiver 503 in the communication device 500 shown in FIG. 5 .
- the communication device 600 provided in this embodiment can execute the above-mentioned communication method, the technical effect it can obtain can refer to the above-mentioned method embodiment, and details are not repeated here.
- the communication device 600 shown in FIG. 6 is applicable to the communication system shown in FIG. 1 , and implements the function of the access network device of the first network standard in the communication method shown in FIG. 3 .
- the processing module 602 is configured to acquire user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard when a first condition is satisfied.
- the first condition includes: determining to establish a first data radio bearer (DRB) between the communication apparatus 600 and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- the transceiver module 601 is configured to send the first message to the terminal device.
- the first message includes user plane integrity protection indication information and an integrity protection algorithm identifier of the second network standard.
- the processing module 602 is further configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the communication device 600 may further include a storage module (not shown in FIG. 6 ), where programs or instructions are stored in the storage module.
- when the processing module 602 executes the program or the instruction, the communication apparatus 600 can execute the function of the access network device of the first network standard in the communication method shown in FIG. 3 .
- the communication device 600 may be an access network device of the first network standard, or may be a chip (system) or other component that can be provided in the access network device of the first network standard, which is not limited in this application.
- the technical effect of the communication device 600 may refer to the technical effect of the communication method shown in FIG. 3 , which will not be repeated here.
- the communication apparatus 600 shown in FIG. 6 may be applicable to the communication system shown in FIG. 1 , and execute the function of the terminal device in the communication method shown in FIG. 3 .
- the transceiver module 601 is configured to receive the first message.
- the first message includes user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard, and the user plane integrity protection indication information is used to indicate enabling user plane integrity protection of the first data radio bearer (DRB) between the access network device of the first network standard and the communication device 600.
- when the first message comes from an access network device of the first network standard, and the user plane integrity protection indication information indicates that the user plane integrity protection of the first DRB is enabled, the processing module 602 is configured to activate the user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard.
- the communication device 600 may further include a storage module (not shown in FIG. 6 ), where programs or instructions are stored in the storage module.
- when the processing module 602 executes the program or instruction, the communication apparatus 600 can execute the function of the terminal device in the communication method shown in FIG. 3 .
- the communication device 600 may be a terminal device, or may be a chip (system) or other component that may be provided in the terminal device, which is not limited in this application.
- the technical effect of the communication device 600 may refer to the technical effect of the communication method shown in FIG. 3 , which will not be repeated here.
- the communication device 600 shown in FIG. 6 can be applied to the communication system shown in FIG. 1 and implement the function of the access network device of the first network standard in the communication method shown in FIG. 4 .
- the processing module 602 is configured to acquire user plane integrity protection indication information and an integrity protection algorithm identifier of the first network standard when a first condition is satisfied.
- the first condition includes: determining to establish a first data radio bearer (DRB) between the communication apparatus 600 and the terminal device, and determining to enable user plane integrity protection of the first DRB.
- the user plane integrity protection indication information is used to indicate to enable the user plane integrity protection of the first DRB.
- the transceiving module 601 is configured to send the fourth message to the terminal device.
- the fourth message includes user plane integrity protection indication information and an integrity protection algorithm identifier of the first network standard.
- the processing module 602 is further configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the communication device 600 may further include a storage module (not shown in FIG. 6 ), where programs or instructions are stored in the storage module.
- when the processing module 602 executes the program or instructions, the communication device 600 can execute the function of the access network device of the first network standard in the communication method shown in FIG. 4 .
- the communication device 600 may be an access network device of the first network standard, or may be a chip (or chip system) or other component that can be provided in the access network device of the first network standard, which is not limited in this application.
- the communication apparatus 600 shown in FIG. 6 may be applicable to the communication system shown in FIG. 1 , and execute the function of the terminal device in the communication method shown in FIG. 4 .
- the transceiver module 601 is configured to receive the fourth message.
- the fourth message includes user plane integrity protection indication information and an integrity protection algorithm identifier of the first network standard, and the user plane integrity protection indication information is used to indicate enabling of user plane integrity protection of the first data radio bearer (DRB).
- the processing module 602 is configured to activate user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the first network standard.
- the communication device 600 may further include a storage module (not shown in FIG. 6 ), where programs or instructions are stored in the storage module.
- when the processing module 602 executes the program or instructions, the communication apparatus 600 can execute the function of the terminal device in the communication method shown in FIG. 4 .
- the communication device 600 may be a terminal device, or may be a chip (or chip system) or other component that may be provided in the terminal device, which is not limited in this application.
- An embodiment of the present application provides a communication system.
- the communication system includes: access network equipment and terminal equipment of the first network standard.
- the communication system may further include a core network element of the first network standard.
- the access network device of the first network standard is used to execute the actions of the access network device of the first network standard in the above method embodiment, and the specific execution method and process can refer to the above method embodiment, and will not be repeated here.
- the terminal device is used to execute the actions of the terminal device in the foregoing method embodiments.
- the core network element of the first network standard is used to execute the actions of the core network element of the first network standard in the above method embodiment.
- the specific execution method and process can refer to the above method embodiment, and will not be repeated here.
- An embodiment of the present application provides a chip system, and the chip system includes a logic circuit and an input/output port.
- the logic circuit can be used to realize the processing function involved in the communication method provided by the embodiments of the present application.
- the input/output port can be used for the sending and receiving function involved in the communication method provided in the embodiments of the present application.
- the input port can be used to realize the receiving function involved in the communication method provided by the embodiments of the present application.
- the output port can be used to realize the sending function involved in the communication method provided in the embodiments of the present application.
- the processor in the communication device 500 may be used to perform, for example but not limited to, baseband related processing, and the transceiver in the communication device 500 may be used to perform, for example but not limited to, radio frequency transceiving.
- the above-mentioned devices may be respectively arranged on independent chips, or at least partly or all of them may be arranged on the same chip.
- processors can be further divided into analog baseband processors and digital baseband processors.
- the analog baseband processor can be integrated with the transceiver on the same chip, and the digital baseband processor can be set on an independent chip.
- a digital baseband processor can be combined with a variety of application processors (such as but not limited to graphics processors, multimedia processors, etc.) integrated on the same chip.
- Such a chip can be called a system chip (system on chip). Whether each device is independently arranged on different chips or integrated and arranged on one or more chips often depends on the specific needs of product design.
- the embodiments of the present application do not limit the specific implementation forms of the foregoing devices.
- the chip system further includes a memory, where the memory is used to store program instructions and data for implementing functions involved in the communication method provided by the embodiments of the present application.
- the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
- An embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium includes a computer program or an instruction, and when the computer program or instruction is run on a computer, the communication method provided in the embodiment of the present application is executed.
- An embodiment of the present application provides a computer program product, and the computer program product includes: a computer program or an instruction, and when the computer program or instruction is run on a computer, the communication method provided in the embodiment of the present application is executed.
- the processor in the embodiments of the present application may be a central processing unit (CPU), and the processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
- a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
- the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory can be random access memory (RAM), which acts as external cache memory.
- By way of example and not limitation, many forms of RAM are available, such as:
- static random access memory (SRAM)
- dynamic random access memory (DRAM)
- synchronous dynamic random access memory (SDRAM)
- double data rate synchronous dynamic random access memory (DDR SDRAM)
- enhanced synchronous dynamic random access memory (ESDRAM)
- synchlink dynamic random access memory (SLDRAM)
- direct rambus random access memory (DR RAM)
- the above-mentioned embodiments may be implemented in whole or in part by software, hardware (such as circuits), firmware, or other arbitrary combinations.
- the above-described embodiments may be implemented in whole or in part in the form of computer program products.
- the computer program product comprises one or more computer instructions or computer programs. When the computer instruction or computer program is loaded or executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
- the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center in a wired or wireless manner (such as infrared, radio, microwave, etc.).
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that includes one or more sets of available media.
- the available media may be magnetic media (eg, floppy disk, hard disk, magnetic tape), optical media (eg, DVD), or semiconductor media.
- the semiconductor medium may be a solid state drive.
- “At least one” means one or more, and “multiple” means two or more.
- “At least one of the following” or similar expressions refer to any combination of these items, including any combination of single or plural items.
- at least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple.
- the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and does not constitute any limitation on the implementation process of the embodiments of the present application.
- the disclosed systems, devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components can be combined or may be integrated into another system, or some features may be ignored, or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
- if the functions described above are realized in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
- the technical solution of the present application, in essence, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, and other media that can store program code.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (32)
- A communication method, characterized by comprising: when a first condition is satisfied, an access network device of a first network standard obtains user plane integrity protection indication information and an integrity protection algorithm identifier of a second network standard; wherein the first condition includes: determining to establish a first data radio bearer (DRB) between the access network device of the first network standard and a terminal device, and determining to enable user plane integrity protection of the first DRB; the user plane integrity protection indication information is used to indicate enabling of user plane integrity protection of the first DRB; the access network device of the first network standard sends a first message to the terminal device; the first message includes the user plane integrity protection indication information and the integrity protection algorithm identifier of the second network standard; the access network device of the first network standard activates user plane integrity protection of the first DRB according to a first key and the integrity protection algorithm of the second network standard.
- The communication method according to claim 1, characterized in that the first message further includes first indication information, and the first indication information is used to indicate that a master key is used to determine the first key.
- The communication method according to claim 2, characterized in that the first key is determined according to the master key, the integrity protection algorithm identifier of the second network standard, and a first algorithm type distinguisher.
- The communication method according to claim 3, characterized in that the value of the first algorithm type distinguisher is 0x07.
- The communication method according to any one of claims 1-4, characterized in that the integrity protection algorithm identifier of the second network standard is determined according to the second-network-standard security capability of the terminal device.
- The communication method according to claim 5, characterized in that the method further includes: the access network device of the first network standard receives a second message from a core network element of the first network standard; the second message includes the second-network-standard security capability of the terminal device.
- The communication method according to any one of claims 1-4, characterized in that the integrity protection algorithm identifier of the second network standard is determined according to a security capability of the first network standard.
- The communication method according to claim 7, characterized in that the method further includes: when the terminal device supports user plane integrity protection, the access network device of the first network standard determines the integrity protection algorithm identifier of the second network standard according to the security capability of the first network standard.
- The communication method according to claim 7 or 8, characterized in that the security capability of the first network standard includes an integrity protection algorithm identifier of the first network standard, and the integrity protection algorithm identifier of the second network standard is obtained by mapping the integrity protection algorithm identifier of the first network standard.
- The communication method according to any one of claims 7-9, characterized in that the security capability of the first network standard is received by the access network device of the first network standard from a core network element of the first network standard.
- The communication method according to any one of claims 1-10, characterized in that the access network device of the first network standard activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard includes: the access network device of the first network standard configures the first key and the integrity protection algorithm of the second network standard into a Packet Data Convergence Protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- The communication method according to any one of claims 1-11, characterized in that the first condition further includes that the terminal device supports user plane integrity protection.
- The communication method according to claim 12, characterized in that the method further includes: the access network device of the first network standard receives the user plane indication information from the terminal device or from a core network element of the first network standard, the user plane indication information is used to indicate whether the terminal device supports user plane integrity protection, and the first condition is determined according to the user plane indication information.
- The communication method according to any one of claims 2-4, characterized in that the user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information are encapsulated in a radio bearer configuration (Radiobearerconfig) information element of the first message.
- The communication method according to any one of claims 1-14, characterized in that the first network standard includes fourth generation (4G), Long Term Evolution (LTE), or Evolved Packet System (EPS).
- The communication method according to any one of claims 1-15, characterized in that the second network standard includes fifth generation (5G), New Radio (NR), or 5G System (5GS).
- A communication method, characterized by comprising: a terminal device receives a first message; the first message includes user plane integrity protection indication information and an integrity protection algorithm identifier of a second network standard, and the user plane integrity protection indication information is used to indicate enabling of user plane integrity protection of a first data radio bearer (DRB) between an access network device of a first network standard and the terminal device; when the first message comes from the access network device of the first network standard and the user plane integrity protection indication information indicates enabling of user plane integrity protection of the first DRB, the terminal device activates user plane integrity protection of the first DRB according to a first key and the integrity protection algorithm of the second network standard.
- The communication method according to claim 17, characterized in that the first message further includes first indication information, the first indication information is used to indicate that a master key is used to determine the first key, and the method further includes: the terminal device uses the master key to determine the first key according to the first indication information.
- The communication method according to claim 18, characterized in that the first key is determined according to the master key, the integrity protection algorithm identifier of the second network standard, and a first algorithm type distinguisher.
- The communication method according to claim 19, characterized in that the value of the first algorithm type distinguisher is 0x07.
- The communication method according to any one of claims 17-20, characterized in that the method further includes: when the terminal device supports user plane integrity protection, the terminal device sends a third message to a core network element of the first network standard; the third message includes a security capability of the second network standard.
- The communication method according to any one of claims 17-21, characterized in that the terminal device activating user plane integrity protection of the first DRB according to the first key and the integrity protection algorithm of the second network standard includes: the terminal device configures the first key and the integrity protection algorithm of the second network standard into a Packet Data Convergence Protocol (PDCP) entity of the second network standard corresponding to the first DRB.
- The communication method according to any one of claims 17-22, characterized in that the method further includes: the terminal device determines, according to a public land mobile network identifier (PLMN ID), whether the first message comes from the access network device of the first network standard; the PLMN ID comes from the access network device that sent the first message.
- The communication method according to any one of claims 17-23, characterized in that the method further includes: the terminal device sends user plane indication information to the access network device of the first network standard or to a core network element of the first network standard; the user plane indication information is used to indicate whether the terminal device supports user plane integrity protection.
- The communication method according to any one of claims 18-20, characterized in that the user plane integrity protection indication information, the integrity protection algorithm identifier of the second network standard, and the first indication information are encapsulated in a radio bearer configuration (Radiobearerconfig) information element of the first message.
- The communication method according to any one of claims 17-25, characterized in that the first network standard includes fourth generation (4G), Long Term Evolution (LTE), or Evolved Packet System (EPS).
- The communication method according to any one of claims 17-26, characterized in that the second network standard includes fifth generation (5G), New Radio (NR), or 5G System (5GS).
- A communication apparatus, characterized in that the communication apparatus includes units or modules for executing the method according to any one of claims 1 to 16.
- A communication apparatus, characterized in that the communication apparatus includes units or modules for executing the method according to any one of claims 17 to 27.
- A communication apparatus, characterized in that the communication apparatus includes: a processor; the processor is configured to execute the communication method according to any one of claims 1-27.
- A computer-readable storage medium, characterized in that the computer-readable storage medium includes a computer program or instructions which, when run on a computer, cause the communication method according to any one of claims 1-27 to be executed.
- A computer program product, characterized in that the computer program product includes: a computer program or instructions which, when run on a computer, cause the communication method according to any one of claims 1-27 to be executed.
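The key derivation of claims 3-4 and 19-20 (first key from master key, NR integrity algorithm identifier and algorithm type distinguisher 0x07), the LTE-to-NR identifier mapping of claim 9, and the terminal-side activation decision of claims 17-18 and 23 (also described for the processing module 602 in the apparatus description above) can be exercised end to end. The following Python is an added worked example, not code from the patent or its applicant. It assumes that the derivation uses the algorithm-key KDF layout of 3GPP TS 33.401 Annex A.7 (FC = 0x15, HMAC-SHA-256, 128 least significant bits) with the claimed distinguisher 0x07 substituted for the EPS UP-integrity distinguisher 0x06; the message field names, the boolean standing in for the PLMN ID check, and the 256-bit sample master key are this example's own constructions.

```python
"""Added example: "first key" derivation and terminal-side UP integrity activation
decision for the LTE/NR scheme of claims 1-27. Not the patent's own code."""
import hmac
import hashlib

# Assumption: TS 33.401 Annex A.7 algorithm-key KDF, S = FC || P0 || L0 || P1 || L1.
FC_ALGORITHM_KEY_DERIVATION = 0x15   # FC value of the A.7 derivation
EPS_UP_INT_DISTINGUISHER = 0x06      # TS 33.401 UP-int-alg distinguisher (for comparison)
FIRST_ALG_TYPE_DISTINGUISHER = 0x07  # value stated in claims 4 and 20

# Integrity algorithm identifiers: EPS (TS 33.401) and NR (TS 33.501).
EIA_IDS = {"EIA0": 0, "128-EIA1": 1, "128-EIA2": 2, "128-EIA3": 3}
NIA_IDS = {"NIA0": 0, "128-NIA1": 1, "128-NIA2": 2, "128-NIA3": 3}


def map_eia_to_nia(eia_id: int) -> int:
    """Claim 9: the NR identifier is obtained by mapping the LTE one. 128-EIA1/2/3
    and 128-NIA1/2/3 are the same algorithms (SNOW 3G, AES-CMAC, ZUC), so this
    example carries the numeric identifier over unchanged (our mapping choice)."""
    if eia_id not in EIA_IDS.values():
        raise ValueError(f"unknown EPS integrity algorithm identifier {eia_id}")
    return eia_id


def kdf_input(alg_type_distinguisher: int, alg_id: int) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1: P0 is the one-octet algorithm type
    distinguisher, P1 the one-octet algorithm identity, L0 = L1 = 0x0001."""
    for value in (alg_type_distinguisher, alg_id):
        if not 0 <= value <= 0xFF:
            raise ValueError("distinguisher and algorithm identity must be single octets")
    return bytes([FC_ALGORITHM_KEY_DERIVATION,
                  alg_type_distinguisher, 0x00, 0x01,
                  alg_id, 0x00, 0x01])


def derive_algorithm_key(master_key: bytes, alg_type_distinguisher: int, alg_id: int) -> bytes:
    """HMAC-SHA-256(master_key, S), keeping the 128 least significant bits (last 16 octets)."""
    if len(master_key) != 32:
        raise ValueError("master key (e.g. KeNB) must be 256 bits")
    digest = hmac.new(master_key, kdf_input(alg_type_distinguisher, alg_id), hashlib.sha256).digest()
    return digest[16:]


def derive_first_key(master_key: bytes, nr_alg_id: int) -> bytes:
    """Claims 3-4 / 19-20: first key = KDF(master key, NR integrity algorithm
    identifier, first algorithm type distinguisher 0x07)."""
    return derive_algorithm_key(master_key, FIRST_ALG_TYPE_DISTINGUISHER, nr_alg_id)


def ue_handle_first_message(msg: dict, sender_is_first_standard_ran: bool, master_key: bytes):
    """Terminal-side decision of claims 17-18: activate UP integrity protection on the
    first DRB only when the message comes from a first-standard (LTE) access network
    device (claim 23 decides this from the PLMN ID; modelled here as a boolean) and the
    indication says "enable". The first indication information (claim 18) must be present
    for the key to be derived from the master key; this example returns None otherwise
    (an assumption, the claims do not state the alternative). Field names are ours."""
    if not sender_is_first_standard_ran:
        return None
    if not msg.get("up_integrity_protection"):
        return None
    if not msg.get("derive_from_master_key"):
        return None
    nr_alg_id = msg["nr_integrity_alg_id"]
    if nr_alg_id not in NIA_IDS.values():
        raise ValueError(f"unknown NR integrity algorithm identifier {nr_alg_id}")
    # Claim 22: the key and NR algorithm go to the NR PDCP entity of the first DRB.
    return {"drb_id": msg["drb_id"], "pdcp_entity": "NR",
            "integrity_alg_id": nr_alg_id,
            "integrity_key": derive_first_key(master_key, nr_alg_id)}


if __name__ == "__main__":
    kenb = bytes(range(32))  # constructed 256-bit sample master key, not a real one
    nia = map_eia_to_nia(EIA_IDS["128-EIA2"])
    first_message = {"drb_id": 1, "up_integrity_protection": True,      # constructed
                     "derive_from_master_key": True, "nr_integrity_alg_id": nia}
    print("KDF input S:", kdf_input(FIRST_ALG_TYPE_DISTINGUISHER, nia).hex())
    print("UE config:", ue_handle_first_message(first_message, True, kenb))
    print("Message from a non-LTE RAN:", ue_handle_first_message(first_message, False, kenb))
```

Because the distinguisher is part of the KDF input, the key produced with 0x07 differs from the EPS UP-integrity key produced with 0x06 for the same master key and algorithm identity, which is what keeps the two protection contexts separate.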
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2022353804A AU2022353804A1 (en) | 2021-09-29 | 2022-09-28 | Communication method and apparatus |
CA3233735A CA3233735A1 (en) | 2021-09-29 | 2022-09-28 | Communication method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111155030.6 | 2021-09-29 | ||
CN202111155030.6A CN115884170A (zh) | 2021-09-29 | 2021-09-29 | Communication method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023051614A1 true WO2023051614A1 (zh) | 2023-04-06 |
Family
ID=85756455
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/122165 WO2023051614A1 (zh) | 2021-09-29 | 2022-09-28 | Communication method and apparatus |
Country Status (4)
Country | Link |
---|---|
CN (1) | CN115884170A (zh) |
AU (1) | AU2022353804A1 (zh) |
CA (1) | CA3233735A1 (zh) |
WO (1) | WO2023051614A1 (zh) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109600803A (zh) * | 2017-09-30 | 2019-04-09 | 华为技术有限公司 | Security protection method, apparatus and system |
CN109802809A (zh) * | 2017-11-17 | 2019-05-24 | 华为技术有限公司 | Network access method, terminal device and network device |
WO2020064387A1 (en) * | 2018-09-27 | 2020-04-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Security algorithm configuration in mr-dc and enabling dual connectivity in eutra connected to 5gc |
CN111641947A (zh) * | 2019-03-01 | 2020-09-08 | 华为技术有限公司 | Key configuration method, apparatus and terminal |
CN111866857A (zh) * | 2019-04-28 | 2020-10-30 | 华为技术有限公司 | Communication method and apparatus therefor |
CN111937424A (zh) * | 2018-04-04 | 2020-11-13 | 中兴通讯股份有限公司 | Techniques for managing integrity protection |
2021
- 2021-09-29 CN CN202111155030.6A patent/CN115884170A/zh active Pending
2022
- 2022-09-28 WO PCT/CN2022/122165 patent/WO2023051614A1/zh active Application Filing
- 2022-09-28 AU AU2022353804A patent/AU2022353804A1/en active Pending
- 2022-09-28 CA CA3233735A patent/CA3233735A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
AU2022353804A1 (en) | 2024-04-18 |
CA3233735A1 (en) | 2023-04-06 |
CN115884170A (zh) | 2023-03-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11140654B2 (en) | Method for sending paging message and related device | |
WO2018171703A1 (zh) | Communication method and device | |
WO2018165996A1 (zh) | Handover method and apparatus | |
US20200344245A1 (en) | Message sending method and apparatus | |
WO2021089015A1 (zh) | Paging method and apparatus | |
US20230379700A1 (en) | Security parameter obtaining method, apparatus, and system | |
WO2022253083A1 (zh) | Method, apparatus and system for isolating public and private network services | |
WO2017132962A1 (zh) | Security parameter transmission method and related device | |
WO2021180209A1 (zh) | Method for transmitting paging information and communication apparatus | |
WO2022095047A1 (zh) | Wireless communication method, terminal device and network device | |
WO2023186028A1 (zh) | Communication method and apparatus | |
WO2023051614A1 (zh) | Communication method and apparatus | |
WO2022206393A1 (zh) | Communication method and apparatus | |
WO2023072272A1 (zh) | Communication method and apparatus | |
WO2022148469A1 (zh) | Security protection method, apparatus and system | |
US20220225463A1 (en) | Communications method, apparatus, and system | |
WO2022252867A1 (zh) | Communication method and communication apparatus | |
WO2022160315A1 (zh) | Communication method and apparatus | |
WO2022171156A1 (zh) | Method for configuring evolved packet system non-access stratum security algorithm and related apparatus | |
US11991516B2 (en) | Session migration method and apparatus | |
WO2022133682A1 (zh) | Data transmission method, terminal device and network device | |
WO2022021165A1 (zh) | Relay discovery method and terminal | |
WO2022027375A1 (zh) | Method for selecting an access cell, terminal device and network device | |
KR102642804B1 (ko) | Multi-band communication method and apparatus | |
WO2018228444A1 (zh) | Connection management method, terminal and radio access network device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22874997; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 3233735; Country of ref document: CA |
| WWE | Wipo information: entry into national phase | Ref document number: AU2022353804; Country of ref document: AU |
| ENP | Entry into the national phase | Ref document number: 2022353804; Country of ref document: AU; Date of ref document: 20220928; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2022874997; Country of ref document: EP; Effective date: 20240425 |