WO2023125675A1 - User plane data integrity protection method and system for network slice - Google Patents


Info

Publication number
WO2023125675A1
Authority
WO
WIPO (PCT)
Prior art keywords
nssai
network slice
user
mapping relationship
service information
Application number
PCT/CN2022/142873
Other languages
French (fr)
Chinese (zh)
Inventor
常洁
林黛娣
严黎明
毕家瑜
黄海昆
项春林
陈正文
曾祥宇
Original Assignee
天翼物联科技有限公司
Application filed by 天翼物联科技有限公司
Publication of WO2023125675A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity

Definitions

  • The present invention relates to the technical field of 5G network slicing data security, and in particular to a user plane data integrity protection method and system for network slicing.
  • Network slicing is a collection of network functions, the resources for running them, and network-function-specific configurations. The network functions and their configurations form a complete logical network that includes the network features required by a specific service.
  • Network slicing involves end-to-end network elements: service capacity depends on the number and configuration of network elements, and connectivity and delay depend on network topology and on interface configuration and deployment. In the future, network slices will carry a great deal of high-value application data and sensitive information such as private data, which greatly increases the security requirements on 5G networks. A user plane security mechanism for network slices is therefore essential, but a user plane data integrity protection method based only on the network slice cannot meet the 5G requirements of high traffic, low latency and massive connectivity across different service scenarios.
  • The purpose of the present invention is to provide a user plane data integrity protection method and system for network slicing, aiming to solve the problem that the prior art cannot meet the 5G requirements of high traffic, low delay and massive connectivity in different service scenarios.
  • An embodiment of the present invention provides a user plane data integrity protection method for network slicing, including:
  • after the user UE access authentication succeeds, the AUSF generates a network slice anchor key K1 for the user UE, forming the mapping relationship <S-NSSAI, K1>, where S-NSSAI is the network slice identifier;
  • the AUSF sends the mapping relationship <S-NSSAI, K1> to the AMF, and the AMF saves the mapping relationship <S-NSSAI, K1>;
  • the AUSF returns to the user UE the network slice identifier S-NSSAI for which user plane data needs to be encrypted, together with an indication of data transmission security protection;
  • the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, introduces the corresponding service information into the mapping relationship between S-NSSAI and K1, and saves the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1.
  • An embodiment of the present invention provides a user plane data integrity protection system for network slicing, which operates by the above method and includes:
  • the user UE, configured to generate a network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, to introduce the corresponding service information into the mapping relationship between S-NSSAI and K1, and to save the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1;
  • the AUSF, configured to generate a network slice anchor key K1 for the user UE after user access authentication succeeds, forming the mapping relationship <S-NSSAI, K1>, where S-NSSAI is a network slice identifier; to send the mapping relationship <S-NSSAI, K1> to the AMF; and to return to the user UE the network slice identifier S-NSSAI for which user plane data needs to be encrypted, together with an indication of data transmission security protection;
  • the AMF, configured to store the mapping relationship <S-NSSAI, K1>.
  • By adding service information to the mapping relationship, the data transmitted on the user plane of a network slice is integrity-protected adaptively in different service environments. This reduces up-front configuration while achieving user plane data integrity protection for the network slice, reduces the computational load and greatly reduces the delay of user plane data transmission, so the scheme has a certain degree of practicability.
  • FIG. 1 is a schematic flowchart of a user plane data integrity protection method for network slicing provided by an embodiment of the present invention.
  • FIG. 2 is a block diagram of a user plane data integrity protection system for network slicing provided by an embodiment of the present invention.
  • SUCI: Subscription Concealed Identifier
  • S-NSSAI: Single Network Slice Selection Assistance Information
  • AMF: Access and Mobility Management Function
  • AUSF: Authentication Server Function
  • UDM: Unified Data Management
  • SUPI: Subscription Permanent Identifier
  • SMF: Session Management Function
  • UPF: User Plane Function
  • gNB: 5G base station
  • NSSF: Network Slice Selection Function
  • The authentication phase before the user UE access authentication succeeds is as follows:
  • the user UE accesses the 5G network and initiates an initial registration request carrying the user identifier SUCI, the network slice identifiers S-NSSAI supported by the user UE, and similar information;
  • after the AMF accepts the registration request of the user UE, it sends an authentication request to the AUSF;
  • after the AUSF receives the authentication request, if it holds no subscription information for that user identifier, it requests the user subscription information from the UDM; the request message contains the user identifier SUCI, which the UDM matches against the subscription information corresponding to that SUCI;
  • the UDM converts the SUCI to the SUPI and returns the corresponding user subscription information to the AUSF;
  • the user subscription information includes the network slices (S-NSSAI identifiers) the user is allowed to access and an indication of which of those S-NSSAI network slices require user plane data security protection;
  • the UDM generates an authentication vector for the access authentication request of the user UE and returns it to the AUSF together with the user subscription information;
  • the AUSF receives the user subscription information and the authentication vector and, together with the AMF and the user UE, completes the mutual authentication procedure for the user UE to access the network.
  • Referring to FIG. 1, a user plane data integrity protection method for network slicing includes the steps listed above. In this embodiment:
  • after the user UE access authentication succeeds, the AUSF generates an anchor key KAUSF for the user UE and, according to the indication of user plane data security protection returned by the UDM, uses the key generation algorithm with KAUSF to generate, for each corresponding network slice identifier S-NSSAI, the network slice anchor key K1 for user plane data security protection;
  • <S-NSSAI, K1> indicates that user plane data security protection needs to be performed for the network slice identified by S-NSSAI that the user UE accesses.
  • After the AUSF saves the mapping relationship for the user UE accessing the network and completes the other registration procedures, it returns an authentication success response message to the user UE; the response message includes the network slice identifier S-NSSAI for which user plane data security protection needs to be established and an indication to establish user plane data security protection.
  • The user UE receives the authentication success response message returned by the network, generates the anchor key KAUSF and, as indicated, uses KAUSF and the above key generation algorithm to generate the network slice anchor key K1 for user plane data security protection of the corresponding network slice identifier S-NSSAI;
  • The adaptive integrity protection of data transmitted on the user plane of a network slice in different service environments reduces up-front configuration while achieving user plane data integrity protection for the network slice, reduces the computational load and greatly reduces the delay of user plane data transmission, so the scheme has a certain degree of practicability.
  • The service information includes the data network name (DNN), quality of service (QoS), service priority, base-station-side reservation information, bandwidth and delay requirement indicators for 5G service transmission, and the like, so that the service information can be used for preferential selection within the network slice.
  • After the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection and introduces the service information into the mapping relationship between S-NSSAI and K1, the method further includes:
  • according to the information in the mapping relationship <S-NSSAI, service information, K1>, the user UE generates an integrity key k3' using a one-way irreversible function according to a preset method, saves the integrity key k3', and saves the mapping relationship <S-NSSAI, service information, k3'>.
  • The preset method can be set according to the actual situation;
  • the one-way irreversible function is an existing function with a one-way irreversible property, selected according to the actual situation;
  • the information in the mapping relationship <S-NSSAI, service information, K1> includes the service information and so on.
  • After the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection and introduces the service information into the mapping relationship between S-NSSAI and K1, the method further includes:
  • the user UE sends a session establishment request for accessing the network slice to the AMF;
  • according to the mapping relationship <S-NSSAI, K1>, the AMF obtains the network slice identifier S-NSSAI that the user UE needs to access and that requires user plane data security protection;
  • the SMF selects the AMF, the AMF generates an integrity key k3' for user plane data security protection of the network slice identifier S-NSSAI, and the AMF stores the mapping relationship <S-NSSAI, service information, k3'>.
  • The generated integrity key k3' is used to adaptively protect the integrity of the data transmitted on the user plane of the network slice in different service environments.
  • The session establishment request includes the network slice identifier S-NSSAI that the user UE requests to access and the corresponding service information.
  • Including the network slice identifier S-NSSAI and the corresponding service information in the session request makes it convenient to generate the mapping relationship <S-NSSAI, service information, k3'> at the next level and to save the service information as it is passed on at subsequent levels.
  • After the SMF selects the AMF, the AMF generates the integrity key k3' for user plane data security protection of the network slice identifier S-NSSAI and stores the mapping relationship <S-NSSAI, service information, k3'>, the method further includes:
  • the AMF searches for the corresponding SMF according to the network slice identifier S-NSSAI;
  • a session is established between the AMF and the corresponding SMF, the AMF sends the mapping relationship <S-NSSAI, service information, k3'> to the SMF, and the SMF saves the mapping relationship <S-NSSAI, service information, k3'>;
  • the SMF searches for the corresponding UPF according to the network slice identifier S-NSSAI;
  • a session is established between the SMF and the corresponding UPF, the SMF sends the mapping relationship <S-NSSAI, service information, k3'> to the UPF, and the UPF stores the mapping relationship <S-NSSAI, service information, k3'>.
  • When the UPF saves the mapping relationship it establishes a binding between k3' and the network slice session, that is, when data is transmitted over the network slice session, the integrity key k3' is used for data transmission security protection.
  • After the user UE completes the session establishment procedure for accessing the network slice, it can use the network slice session to carry application services.
  • After a session is established between the SMF and the corresponding UPF, the SMF sends the mapping relationship <S-NSSAI, service information, k3'> to the UPF and the UPF stores it, the method further includes:
  • the SMF exchanges the messages following session authentication and authorization with the AMF over the N1N2 interface;
  • the gNB performs radio resource reservation.
  • Radio resource reservation classifies network slices by priority according to the service information and the corresponding network slice identifier S-NSSAI, and reserves a certain amount of resource space for prioritised transmission of high-priority traffic.
  • After the other sessions between the user UE and the SMF are established and the network slice access session establishment procedure is completed, the method further includes:
  • when the user UE carries out application services with the UPF over the network slice session, the user UE identifies the user plane data and, according to the service information and the mapping relationship <S-NSSAI, service information, k3'>, adaptively generates a MAC-I for the PDCP SDU based on that mapping relationship and adds the MAC-I to the user plane data.
  • The MAC-I of the data carries a delay requirement flag: when the delay requirement is met, the MAC-I is calculated and appended to the corresponding user plane data, so that the data can be identified and transmitted accordingly.
  • Adaptively generating the MAC-I for the PDCP SDU based on the mapping relationship <S-NSSAI, service information, k3'> includes:
  • performing integrity protection over all the information in the concatenated information.
  • The MAC-I of the data carries a high-latency flag and is appended to the end of the user plane data when the high-latency flag is set.
  • In this way the security of application service data transmitted in the network slice identified by S-NSSAI can be guaranteed.
  • Otherwise, no corresponding protection key is generated between the user UE and the UPF, and accordingly the user plane data transmitted in that network slice is not given transmission security protection.
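As an added example, not code from the patent or its assignee, the following Python models the key chain and the adaptive MAC-I described in the definitions above: the KAUSF to K1 to k3' derivation, the <S-NSSAI, K1> and <S-NSSAI, service information, k3'> mappings held by the AUSF/AMF and the UE, and the per-service decision to append a MAC-I to a PDCP SDU. HMAC-SHA256 stands in for the page's unspecified key generation algorithm and one-way function; the 32-bit MAC-I length, the PDCP COUNT input, the `delay_tolerant` flag and the status strings are assumptions, and all keys, S-NSSAI values and SDUs are constructed.

```python
"""Added example, not code from the patent: a runnable model of the KAUSF -> K1 -> k3'
key chain and of the adaptive MAC-I described above. HMAC-SHA256 stands in for the
unspecified key generation algorithm and one-way function (assumption, see lead-in)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_I_LEN = 4  # 32-bit MAC-I as in PDCP (assumed; the page gives no length)

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """One-way derivation: HMAC-SHA256 over a label and length-prefixed parts."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

@dataclass(frozen=True)
class ServiceInfo:
    """Subset of the page's service information; delay_tolerant=False models a low-latency service."""
    dnn: str
    qos: int
    priority: int
    delay_tolerant: bool  # assumed encoding of the page's delay requirement flag

    def encode(self) -> bytes:
        return f"{self.dnn}|{self.qos}|{self.priority}|{int(self.delay_tolerant)}".encode()

def derive_k1(k_ausf: bytes, s_nssai: str) -> bytes:
    """Network slice anchor key K1 from KAUSF and the S-NSSAI (computed by AUSF and by UE)."""
    return kdf(k_ausf, b"slice-anchor-key", s_nssai.encode())

def derive_k3(k1: bytes, s_nssai: str, svc: ServiceInfo) -> bytes:
    """Integrity key k3' from <S-NSSAI, service information, K1> (computed by UE and by AMF)."""
    return kdf(k1, b"slice-integrity-key", s_nssai.encode(), svc.encode())

def registration(k_ausf: bytes, subscribed: Dict[str, bool]) -> Tuple[Dict[str, bytes], List[str]]:
    """AUSF after successful access authentication: the <S-NSSAI, K1> mapping for every
    subscribed slice flagged for protection (stored by the AMF) and the S-NSSAIs indicated to the UE."""
    mapping = {s: derive_k1(k_ausf, s) for s, flagged in subscribed.items() if flagged}
    return mapping, sorted(mapping)

def compute_mac_i(k3: bytes, s_nssai: str, svc: ServiceInfo, count: int, sdu: bytes) -> bytes:
    """MAC-I over the concatenation of S-NSSAI, service information, COUNT (assumed) and SDU."""
    tag = kdf(k3, b"mac-i", s_nssai.encode(), svc.encode(), count.to_bytes(4, "big"), sdu)
    return tag[:MAC_I_LEN]

def protect_sdu(k3: bytes, s_nssai: str, svc: ServiceInfo, count: int, sdu: bytes) -> bytes:
    """UE side: append a MAC-I only when the service tolerates the added delay."""
    if not svc.delay_tolerant:
        return sdu
    return sdu + compute_mac_i(k3, s_nssai, svc, count, sdu)

def verify_sdu(k3: bytes, s_nssai: str, svc: ServiceInfo, count: int, pdu: bytes) -> Optional[bytes]:
    """UPF side: the SDU, or None when a required MAC-I is missing or wrong."""
    if not svc.delay_tolerant:
        return pdu  # nothing was appended, so nothing can be checked
    if len(pdu) < MAC_I_LEN:
        return None
    sdu, mac = pdu[:-MAC_I_LEN], pdu[-MAC_I_LEN:]
    return sdu if hmac.compare_digest(mac, compute_mac_i(k3, s_nssai, svc, count, sdu)) else None

def end_to_end(k_ausf: bytes, subscribed: Dict[str, bool], s_nssai: str, svc: ServiceInfo,
               count: int, sdu: bytes, tamper: bool = False) -> Tuple[str, Optional[bytes]]:
    """Registration, session establishment and one user plane transfer.
    Returns (status, delivered SDU) with status no-key | passthrough | ok | reject."""
    amf_map, indicated = registration(k_ausf, subscribed)  # AUSF -> AMF
    ue_map = {s: derive_k1(k_ausf, s) for s in indicated}   # UE, from the returned indication
    assert ue_map == amf_map, "UE and AUSF must derive the same K1"
    if s_nssai not in amf_map:
        return "no-key", None  # slice not flagged: no key and no protection
    ue_k3 = derive_k3(ue_map[s_nssai], s_nssai, svc)        # UE
    upf_k3 = derive_k3(amf_map[s_nssai], s_nssai, svc)      # AMF, then sent on to SMF and UPF
    pdu = protect_sdu(ue_k3, s_nssai, svc, count, sdu)
    if tamper:
        pdu = bytes([pdu[0] ^ 0x01]) + pdu[1:]              # one bit flipped in transit
    out = verify_sdu(upf_k3, s_nssai, svc, count, pdu)
    if not svc.delay_tolerant:
        return "passthrough", out
    return ("ok", out) if out is not None else ("reject", None)

# Constructed sample values, not taken from the page.
K_AUSF = hashlib.sha256(b"constructed KAUSF").digest()
SUBSCRIBED = {"01-000001": True, "02-000002": False}  # S-NSSAI -> needs user plane protection?
EMBB = ServiceInfo("internet", 9, 2, delay_tolerant=True)
URLLC = ServiceInfo("factory", 82, 1, delay_tolerant=False)

if __name__ == "__main__":
    print(end_to_end(K_AUSF, SUBSCRIBED, "01-000001", EMBB, 7, b"hello"))               # ok
    print(end_to_end(K_AUSF, SUBSCRIBED, "01-000001", EMBB, 7, b"hello", tamper=True))  # reject
    print(end_to_end(K_AUSF, SUBSCRIBED, "01-000001", URLLC, 7, b"hello", tamper=True)) # passthrough
    print(end_to_end(K_AUSF, SUBSCRIBED, "02-000002", EMBB, 7, b"hello"))               # no-key
```

The third run shows the trade-off the scheme makes: a low-latency service skips the MAC-I, so a modified SDU passes through undetected, while the same modification on the delay-tolerant service is rejected at the UPF.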

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A user plane data integrity protection method and system for a network slice. The method comprises: once access authentication of a user UE succeeds, an AUSF generates a network slice anchoring key K1 for the user UE to form a mapping relationship <S-NSSAI, K1>, wherein S-NSSAI is a network slice identifier; the AUSF sends the mapping relationship <S-NSSAI, K1> to an AMF, and the AMF saves the mapping relationship <S-NSSAI, K1>; the AUSF returns a network slice identifier S-NSSAI requiring user plane data encryption and an indication of data transmission security protection to the user UE; and the user UE generates a network slice anchoring key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection. By means of adding service information to a mapping relationship, self-adaptive integrity protection of data transmitted by a network slice user plane in different service environments is achieved.

Description

User plane data integrity protection method and system for network slicing
Technical field
The present invention relates to the technical field of 5G network slicing data security, and in particular to a user plane data integrity protection method and system for network slicing.
Background
As network technology is applied ever more widely, network application scenarios differ, and different application scenarios require the network functional units (control plane and service plane) to be deployed in different ways and at different locations.
Network slicing is a collection of network functions, the resources for running them, and network-function-specific configurations. The network functions and their configurations form a complete logical network that includes the network features required by a specific service.
Since network slicing involves end-to-end network elements, service capacity depends on the number and configuration of network elements, and connectivity and delay depend on network topology and on interface configuration and deployment. In the future, network slices will carry a great deal of high-value application data and sensitive information such as private data, which greatly increases the security requirements on 5G networks. A user plane security mechanism for network slices is therefore essential, but a user plane data integrity protection method based only on the network slice cannot meet the 5G requirements of high traffic, low latency and massive connectivity across different service scenarios.
Summary of the invention
The purpose of the present invention is to provide a user plane data integrity protection method and system for network slicing, aiming to solve the problem that the prior art cannot meet the 5G requirements of high traffic, low delay and massive connectivity in different service scenarios.
In a first aspect, an embodiment of the present invention provides a user plane data integrity protection method for network slicing, including:
after the user UE access authentication succeeds, the AUSF generates a network slice anchor key K1 for the user UE, forming the mapping relationship <S-NSSAI, K1>, where S-NSSAI is the network slice identifier;
the AUSF sends the mapping relationship <S-NSSAI, K1> to the AMF, and the AMF saves the mapping relationship <S-NSSAI, K1>;
the AUSF returns to the user UE the network slice identifier S-NSSAI for which user plane data needs to be encrypted, together with an indication of data transmission security protection;
the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, introduces the corresponding service information into the mapping relationship between S-NSSAI and K1, and saves the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1.
In a second aspect, an embodiment of the present invention provides a user plane data integrity protection system for network slicing, which operates by the above method and includes:
the user UE, configured to generate a network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, to introduce the corresponding service information into the mapping relationship between S-NSSAI and K1, and to save the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1;
the AUSF, configured to generate a network slice anchor key K1 for the user UE after user access authentication succeeds, forming the mapping relationship <S-NSSAI, K1>, where S-NSSAI is a network slice identifier; to send the mapping relationship <S-NSSAI, K1> to the AMF; and to return to the user UE the network slice identifier S-NSSAI for which user plane data needs to be encrypted, together with an indication of data transmission security protection;
the AMF, configured to store the mapping relationship <S-NSSAI, K1>.
In the embodiments of the present invention, by adding service information to the mapping relationship, the data transmitted on the user plane of a network slice is integrity-protected adaptively in different service environments. This reduces up-front configuration while achieving user plane data integrity protection for the network slice, reduces the computational load and greatly reduces the delay of user plane data transmission, so the scheme has a certain degree of practicability.
Description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a user plane data integrity protection method for network slicing provided by an embodiment of the present invention;
FIG. 2 is a block diagram of a user plane data integrity protection system for network slicing provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or combinations thereof.
It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the present invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.
It should further be understood that the term "and/or" used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes those combinations.
SUCI (Subscription Concealed Identifier);
S-NSSAI (Single Network Slice Selection Assistance Information);
AMF (Access and Mobility Management Function);
AUSF (Authentication Server Function);
UDM (Unified Data Management);
SUPI (Subscription Permanent Identifier);
SMF (Session Management Function);
UPF (User Plane Function);
gNB: 5G base station;
NSSF (Network Slice Selection Function);
The authentication phase before the user UE access authentication succeeds is as follows:
1. The user UE accesses the 5G network and initiates an initial registration request carrying the user identifier SUCI, the network slice identifiers S-NSSAI supported by the user UE, and similar information;
2. After the AMF accepts the registration request of the user UE, it sends an authentication request to the AUSF;
3. After the AUSF receives the authentication request, if it holds no subscription information for that user identifier, it requests the user subscription information from the UDM; the request message contains the user identifier SUCI, which the UDM matches against the subscription information corresponding to that SUCI;
4. The UDM converts the SUCI to the SUPI and returns the corresponding user subscription information to the AUSF;
The user subscription information includes the network slices (S-NSSAI identifiers) the user is allowed to access and an indication of which of those S-NSSAI network slices require user plane data security protection;
5. The UDM generates an authentication vector for the access authentication request of the user UE and returns it to the AUSF together with the user subscription information;
6. The AUSF receives the user subscription information and the authentication vector and, together with the AMF and the user UE, completes the mutual authentication procedure for the user UE to access the network.
Referring to Figure 1, a user plane data integrity protection method for a network slice comprises:
after the user UE's access authentication succeeds, the AUSF generates a network slice anchor key K1 for the UE and forms the mapping <S-NSSAI, K1>, where S-NSSAI is the network slice identifier;
the AUSF sends the mapping <S-NSSAI, K1> to the AMF, and the AMF stores the mapping <S-NSSAI, K1>;
the AUSF returns to the UE the network slice identifier S-NSSAI whose user plane data require encryption, together with an indication of data transmission security protection;
the UE, according to the data transmission security protection indication, generates the network slice anchor key K1 for the network slice identifier S-NSSAI, introduces the corresponding service information into the mapping between S-NSSAI and K1, and stores the three-way mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1.
In this embodiment, after the UE's access authentication succeeds, the AUSF generates the anchor key KAUSF for that UE and, according to the user plane data security protection indication returned by the UDM, derives from KAUSF with a key generation algorithm the network slice anchor key K1 used for user plane data security protection of the corresponding S-NSSAI.
The entry <S-NSSAI, K1> means that user plane data security protection must be applied to the network slice, identified by S-NSSAI, that the UE accesses.
After the AUSF has stored the mapping for the UE's network access and the remaining registration procedures are complete, it returns an authentication success response to the UE; the response carries, for each network slice identifier S-NSSAI that requires user plane data security protection, the indication to establish that protection.
On receiving the authentication success response from the network, the UE generates the anchor key KAUSF and, as indicated, uses KAUSF and the same key generation algorithm to generate the network slice anchor key K1 for the corresponding S-NSSAI.
Because the same KAUSF and the same key generation algorithm are used on both sides, the network slice anchor key K1 generated by the UE and by the AUSF are identical.
By adding the service information to the mapping, the integrity protection of data carried on the network slice user plane adapts to the service environment. This reduces the up-front configuration needed to achieve user plane data integrity protection for a network slice, lowers the computational load, substantially reduces user plane transmission latency, and is practical to a useful degree.
In one embodiment, the service information includes the data network name (DNN), quality of service (QoS), service priority, base-station-side reservation information, bandwidth and latency requirement indicators for 5G service transmission, and the like.
In this embodiment, because the service information contains the DNN, QoS, service priority, base-station-side reservation information and the bandwidth and latency requirement indicators for 5G service transmission, the network slice can be selected on the basis of that information.
In one embodiment, after the UE generates the network slice anchor key K1 for S-NSSAI according to the data transmission security protection indication, introduces the corresponding service information into the mapping between S-NSSAI and K1, and stores the three-way mapping among S-NSSAI, the service information and K1, the method further comprises:
the UE, from the information in the mapping <S-NSSAI, service information, K1> and using a preset method built on a one-way irreversible function, generates the integrity key k3′, stores k3′, and stores the mapping <S-NSSAI, service information, k3′>.
In this embodiment, the preset method may be set according to the actual situation; the one-way irreversible function is any existing function with the one-way, irreversible property, chosen according to the actual situation; the information in the mapping <S-NSSAI, service information, K1> includes the service information and so on.
In one embodiment, after the UE generates the network slice anchor key K1 for S-NSSAI according to the data transmission security protection indication, introduces the corresponding service information into the mapping between S-NSSAI and K1, and stores the three-way mapping among S-NSSAI, the service information and K1, the method further comprises:
the UE initiates to the AMF a session establishment request as part of the procedure for accessing the network slice;
the AMF, from the stored mapping <S-NSSAI, K1>, obtains the network slice identifier S-NSSAI that the UE requests to access and for which user plane data security protection is to be performed;
the SMF selects the AMF, the AMF generates the integrity key k3′ for user plane data security protection of that S-NSSAI, and the AMF stores the mapping <S-NSSAI, service information, k3′>.
In this embodiment, the generated integrity key k3′ provides integrity protection of the data carried on the network slice user plane that adapts to the service environment.
In one embodiment, the session establishment request includes the network slice identifier S-NSSAI that the UE requests to access and the corresponding service information.
In this embodiment, carrying S-NSSAI and the corresponding service information in the session request makes it straightforward to generate the mapping <S-NSSAI, service information, k3′> at the next level, and to transport and store the service information at the subsequent levels.
In one embodiment, after the SMF selects the AMF, the AMF generates the integrity key k3′ for user plane data security protection of S-NSSAI, and the AMF stores the mapping <S-NSSAI, service information, k3′>, the method further comprises:
the AMF looks up the SMF corresponding to the network slice identifier S-NSSAI;
a session is established between the AMF and that SMF, the AMF sends the mapping <S-NSSAI, service information, k3′> to the SMF, and the SMF stores the mapping <S-NSSAI, service information, k3′>;
the SMF looks up the UPF corresponding to the network slice identifier S-NSSAI;
a session is established between the SMF and that UPF, the SMF sends the mapping <S-NSSAI, service information, k3′> to the UPF, and the UPF stores the mapping <S-NSSAI, service information, k3′>.
In this embodiment, the UPF stores the mapping and binds k3′ to the network slice session: when data are transmitted over that network slice session, the integrity key k3′ is used for their transmission security protection.
After the UE completes session establishment for access to the network slice, it can carry application traffic over that slice session.
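The key chain the preceding embodiments describe, from KAUSF through the per-slice anchor key K1 to the integrity key k3′ and its hand-over to the SMF and UPF, as an added worked example in Python. This is not code from the patent. The patent fixes neither the key generation algorithm, nor the one-way irreversible function, nor how the service information is encoded; the example assumes HMAC-SHA-256 over length-prefixed fields for both derivations and a canonical JSON encoding of the service information, and every key, S-NSSAI and service-information value is constructed. It also shows the negative case the description mentions: a slice the UDM did not flag yields no key at all, so nothing reaches the UPF for it.

```python
import hashlib
import hmac
import json

# Constructed values, not taken from the patent: KAUSF as it exists at both the UE and
# the AUSF after primary authentication, the slices the subscription allows, and the
# subset the UDM flagged as requiring user plane data security protection.
K_AUSF = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
ALLOWED_SLICES = {"01-000001", "02-0000a5", "03-000000"}   # S-NSSAI written as SST-SD
PROTECTED_SLICES = {"01-000001", "02-0000a5"}               # UDM indication


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Assumed key generation algorithm and one-way function: HMAC-SHA-256 over
    length-prefixed fields. The patent names neither, only their properties."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def canonical(service_info: dict) -> bytes:
    """Assumed canonical encoding of the service information (DNN, QoS, priority, ...)."""
    return json.dumps(service_info, sort_keys=True, separators=(",", ":")).encode()


def derive_k1(k_ausf: bytes, s_nssai: str) -> bytes:
    """Network slice anchor key K1 for one S-NSSAI, derived from KAUSF."""
    return kdf(k_ausf, b"K1", s_nssai.encode())


def derive_k3(k1: bytes, s_nssai: str, service_info: dict) -> bytes:
    """Integrity key k3' from the three-way mapping <S-NSSAI, service information, K1>."""
    return kdf(k1, b"k3'", s_nssai.encode(), canonical(service_info))


def ausf_after_authentication(k_ausf: bytes, protected: set) -> dict:
    """AUSF side: build <S-NSSAI, K1> for every flagged slice; this table goes to the AMF."""
    return {s: derive_k1(k_ausf, s) for s in protected}


def ue_after_authentication(k_ausf: bytes, indicated: set, service_info_by_slice: dict) -> dict:
    """UE side: the same K1 from its own KAUSF, extended with the service information."""
    return {s: (service_info_by_slice[s], derive_k1(k_ausf, s)) for s in indicated}


def session_establishment(amf_table: dict, s_nssai: str, service_info: dict):
    """AMF side of a session establishment request carrying <S-NSSAI, service information>:
    derive k3' from the stored K1 and pass <S-NSSAI, service information, k3'> to the SMF
    and then the UPF. Returns None for a slice with no protection requirement, so no key
    is ever created for it."""
    k1 = amf_table.get(s_nssai)
    if k1 is None:
        return None
    entry = (s_nssai, service_info, derive_k3(k1, s_nssai, service_info))
    smf_store = {s_nssai: entry}      # stored at the SMF found for the slice
    upf_store = dict(smf_store)       # forwarded to and stored at the UPF
    return upf_store[s_nssai]


def run_example() -> dict:
    """Registration followed by one session per slice; returns (UE k3', UPF k3') per slice."""
    svc = {
        "01-000001": {"dnn": "urllc.example", "qos_5qi": 82, "priority": 1, "delay_budget_ms": 5},
        "02-0000a5": {"dnn": "video.example", "qos_5qi": 7, "priority": 5, "delay_budget_ms": 100},
    }
    amf_table = ausf_after_authentication(K_AUSF, PROTECTED_SLICES)
    ue_table = ue_after_authentication(K_AUSF, PROTECTED_SLICES, svc)
    out = {}
    for s, (info, k1) in ue_table.items():
        ue_k3 = derive_k3(k1, s, info)
        upf_entry = session_establishment(amf_table, s, info)
        out[s] = (ue_k3, upf_entry[2])
    # a slice the subscription allows but the UDM did not flag for protection
    out["03-000000"] = session_establishment(amf_table, "03-000000", {"dnn": "internet.example"})
    return out


if __name__ == "__main__":
    for slice_id, result in run_example().items():
        print(slice_id, "no UP protection" if result is None else f"keys agree: {result[0] == result[1]}")
```

Because the service information is an input to k3′, the UE and the AMF must hold byte-identical copies of it; the canonical encoding is what makes that hold when the session request and the stored mapping are serialised independently.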
In one embodiment, after a session is established between the SMF and the corresponding UPF, the SMF sends the mapping <S-NSSAI, service information, k3′> to the UPF, and the UPF stores the mapping, the method further comprises:
the SMF delivers to the AMF over the N1N2 interface the messages that follow session authentication and authorization;
a session establishment request and response are exchanged between the AMF and the gNB;
the gNB performs radio resource reservation;
the remaining session establishment between the UE and the SMF is carried out, completing the session establishment procedure for access to the network slice.
In this embodiment, radio resource reservation means prioritising the network slices according to the service information and the corresponding network slice identifier S-NSSAI, and reserving a certain amount of resource for priority transmission of high-priority traffic.
In one embodiment, after the remaining session establishment between the UE and the SMF is carried out and the session establishment procedure for access to the network slice is complete, the method further comprises:
when the UE carries application traffic to the UPF over the network slice session, the UE identifies the user plane data and, according to the service information and the mapping <S-NSSAI, service information, k3′>, adaptively generates a MAC-I for the PDCP SDU on the basis of that mapping and adds the MAC-I to the user plane data.
In this embodiment, the MAC-I serves as a latency requirement marker: the MAC-I is computed and, when the latency requirement is met, added to the corresponding user plane data as a tag, which eases identification and transport.
In one embodiment, when the UE carries application traffic to the UPF over the network slice session, identifying the user plane data and adaptively generating a MAC-I for the PDCP SDU according to the service information and the mapping <S-NSSAI, service information, k3′> comprises:
determining whether the service information corresponding to the user plane data carries a high (strict) latency requirement;
if so, on the basis of an adaptive algorithm, taking the service information within the concatenated information of the user plane data as the MESSAGE for the integrity key k3′, generating the MAC-I with k3′, and appending the generated MAC-I to the tail of the user plane data;
if not, performing integrity protection over all of the concatenated information.
In this embodiment, the MAC-I serves as the high-latency-requirement marker and is appended to the tail of the user plane data when that requirement is present.
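The adaptive MAC-I generation of the two preceding embodiments, with the matching check at the UPF, as an added worked example in Python; this is not the patent's code. Assumptions, none of which the patent fixes: k3′ is a constructed 32-byte key already shared via <S-NSSAI, service information, k3′>; the MAC is HMAC-SHA-256 truncated to 32 bits, the MAC-I size PDCP uses; the "concatenated information" is taken to be S-NSSAI || service information || PDCP SDU; and the latency decision is a threshold on a constructed delay-budget field. The verify function makes visible what each branch binds. As the text describes it, the strict-latency branch computes the MAC-I over the service information only, so a modified payload still verifies in that branch, while the full-concatenation branch rejects it; whether the cheaper branch is acceptable for a given service is a decision the deployment has to make, and the example lets that be tested rather than assumed.

```python
import hashlib
import hmac
import json

MAC_I_LEN = 4            # 32-bit MAC-I, the PDCP MAC-I size; the patent does not fix a length
STRICT_LATENCY_MS = 10   # assumed threshold for the "high latency requirement" decision

# Constructed values, not from the patent: the integrity key k3' the UE and UPF share for
# this slice session, two service-information records and a PDCP SDU payload.
K3 = bytes(range(32))
S_NSSAI = "01-000001"
URLLC_INFO = {"dnn": "urllc.example", "qos_5qi": 82, "priority": 1, "delay_budget_ms": 5}
EMBB_INFO = {"dnn": "video.example", "qos_5qi": 7, "priority": 5, "delay_budget_ms": 100}
SDU = b"constructed PDCP SDU payload for the example"


def canonical(service_info: dict) -> bytes:
    """Assumed canonical encoding of the service information."""
    return json.dumps(service_info, sort_keys=True, separators=(",", ":")).encode()


def has_strict_latency_requirement(service_info: dict) -> bool:
    """First step of the embodiment: is the traffic delay-sensitive? (assumed rule)"""
    budget = service_info.get("delay_budget_ms")
    return budget is not None and budget <= STRICT_LATENCY_MS


def mac_message(s_nssai: str, service_info: dict, sdu: bytes) -> bytes:
    """Choose the MESSAGE for k3': only the service information in the strict-latency
    branch, the whole concatenation S-NSSAI || service information || SDU otherwise."""
    if has_strict_latency_requirement(service_info):
        return canonical(service_info)
    return s_nssai.encode() + canonical(service_info) + sdu


def compute_mac_i(k3: bytes, s_nssai: str, service_info: dict, sdu: bytes) -> bytes:
    """MAC-I = HMAC-SHA-256(k3', MESSAGE) truncated to MAC_I_LEN bytes (assumed MAC)."""
    return hmac.new(k3, mac_message(s_nssai, service_info, sdu), hashlib.sha256).digest()[:MAC_I_LEN]


def protect(k3: bytes, s_nssai: str, service_info: dict, sdu: bytes) -> bytes:
    """UE side: append the MAC-I to the tail of the user plane data."""
    return sdu + compute_mac_i(k3, s_nssai, service_info, sdu)


def verify(k3: bytes, s_nssai: str, service_info: dict, pdu: bytes) -> bool:
    """UPF side: split off the trailing MAC-I and recompute it with the k3' and the
    service information held in the stored mapping <S-NSSAI, service information, k3'>."""
    if len(pdu) < MAC_I_LEN:
        return False
    sdu, tag = pdu[:-MAC_I_LEN], pdu[-MAC_I_LEN:]
    return hmac.compare_digest(tag, compute_mac_i(k3, s_nssai, service_info, sdu))


def tamper_detected(k3: bytes, s_nssai: str, service_info: dict, sdu: bytes) -> bool:
    """Flip one payload byte after protection and report whether verify() rejects the PDU."""
    pdu = bytearray(protect(k3, s_nssai, service_info, sdu))
    pdu[0] ^= 0x01
    return not verify(k3, s_nssai, service_info, bytes(pdu))


if __name__ == "__main__":
    for name, info in (("URLLC", URLLC_INFO), ("eMBB", EMBB_INFO)):
        pdu = protect(K3, S_NSSAI, info, SDU)
        print(name, "strict latency:", has_strict_latency_requirement(info),
              "verifies:", verify(K3, S_NSSAI, info, pdu),
              "payload tamper detected:", tamper_detected(K3, S_NSSAI, info, SDU))
```

In both branches the service information is inside the MAC, so the UPF must use exactly the record that was bound to the session when it verifies; a record that differs in any field, here the priority, fails verification regardless of the branch.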
Referring to Figure 2, a user plane data integrity protection system for a network slice, which operates by the user plane data integrity protection method for a network slice described above, comprises:
the user UE, configured to generate the network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication, to introduce the corresponding service information into the mapping between S-NSSAI and K1, and to store the three-way mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1;
the AUSF, configured to generate, after the user's access authentication succeeds, the network slice anchor key K1 for the UE and form the mapping <S-NSSAI, K1>, where S-NSSAI is the network slice identifier; to send the mapping <S-NSSAI, K1> to the AMF; and to return to the UE the network slice identifier S-NSSAI whose user plane data require encryption, together with the data transmission security protection indication;
the AMF, configured to store the mapping <S-NSSAI, K1>.
Through the procedure above, the security of application service data transmitted in the network slice identified by S-NSSAI is guaranteed. For an S-NSSAI with no user plane data security protection requirement, no corresponding protection key is generated between the UE and the UPF, and accordingly the user plane data transmitted within that slice receive no transmission security protection.
The above is only a specific embodiment of the present invention, and the scope of protection of the present invention is not limited to it. Any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed herein, and all such modifications or substitutions fall within the scope of protection of the present invention. The scope of protection of the present invention is therefore that of the claims.

Claims (10)

  1. A user plane data integrity protection method for a network slice, characterized in that it comprises:
    after the user UE's access authentication succeeds, an AUSF generates a network slice anchor key K1 for the UE and forms a mapping <S-NSSAI, K1>, where S-NSSAI is the network slice identifier;
    the AUSF sends the mapping <S-NSSAI, K1> to an AMF, and the AMF stores the mapping <S-NSSAI, K1>;
    the AUSF returns to the UE the network slice identifier S-NSSAI whose user plane data require encryption, together with an indication of data transmission security protection;
    the UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication, introduces the corresponding service information into the mapping between the network slice identifier S-NSSAI and the network slice anchor key K1, and stores the mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1.
  2. The user plane data integrity protection method for a network slice according to claim 1, characterized in that the service information includes data network name (DNN) information, quality of service (QoS), service priority, base-station-side reservation information, bandwidth and latency requirement indicators for 5G service transmission, and the like.
  3. The user plane data integrity protection method for a network slice according to claim 1, characterized in that after the UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication, introduces the corresponding service information into the mapping between the network slice identifier S-NSSAI and the network slice anchor key K1, and stores the mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1, the method comprises:
    the UE generates an integrity key k3′ from the information in the mapping <S-NSSAI, service information, K1> using a one-way irreversible function according to a preset method, stores the integrity key k3′, and stores the mapping <S-NSSAI, service information, k3′>.
  4. The user plane data integrity protection method for a network slice according to claim 1, characterized in that after the UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication, introduces the corresponding service information into the mapping between the network slice identifier S-NSSAI and the network slice anchor key K1, and stores the mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1, the method comprises:
    the UE initiates to the AMF a session establishment request in the procedure of accessing the network slice;
    the AMF obtains, from the mapping <S-NSSAI, K1>, the network slice identifier S-NSSAI that the UE requests to access and for which user plane data security protection is to be performed;
    the SMF selects the AMF, the AMF generates an integrity key k3′ for user plane data security protection of the network slice identifier S-NSSAI, and the AMF stores the mapping <S-NSSAI, service information, k3′>.
  5. The user plane data integrity protection method for a network slice according to claim 4, characterized in that the session establishment request includes the network slice identifier S-NSSAI that the UE requests to access and the corresponding service information.
  6. The user plane data integrity protection method for a network slice according to claim 4, characterized in that after the SMF selects the AMF, the AMF generates the integrity key k3′ for user plane data security protection of the network slice identifier S-NSSAI, and the AMF stores the mapping <S-NSSAI, service information, k3′>, the method comprises:
    the AMF looks up the corresponding SMF according to the network slice identifier S-NSSAI;
    a session is established between the AMF and the corresponding SMF, the AMF sends the mapping <S-NSSAI, service information, k3′> to the SMF, and the SMF stores the mapping <S-NSSAI, service information, k3′>;
    the SMF looks up the corresponding UPF according to the network slice identifier S-NSSAI;
    a session is established between the SMF and the corresponding UPF, the SMF sends the mapping <S-NSSAI, service information, k3′> to the UPF, and the UPF stores the mapping <S-NSSAI, service information, k3′>.
  7. The user plane data integrity protection method for a network slice according to claim 6, characterized in that after a session is established between the SMF and the corresponding UPF, the SMF sends the mapping <S-NSSAI, service information, k3′> to the UPF, and the UPF stores the mapping <S-NSSAI, service information, k3′>, the method comprises:
    the SMF delivers to the AMF over the N1N2 interface the messages following session authentication and authorization;
    a session establishment request and response are exchanged between the AMF and the gNB;
    the gNB performs radio resource reservation;
    the remaining session establishment is performed between the UE and the SMF, completing the session establishment procedure for access to the network slice.
  8. The user plane data integrity protection method for a network slice according to claim 7, characterized in that after the remaining session establishment is performed between the UE and the SMF and the session establishment procedure for access to the network slice is complete, the method comprises:
    when the UE carries application services with the UPF over the network slice session, the UE identifies the user plane data, adaptively generates a MAC-I for the PDCP SDU on the basis of the service information and the mapping <S-NSSAI, service information, k3′>, and adds the MAC-I to the user plane data.
  9. The user plane data integrity protection method for a network slice according to claim 8, characterized in that when the UE carries application services with the UPF over the network slice session, the UE identifying the user plane data and adaptively generating a MAC-I for the PDCP SDU on the basis of the service information and the mapping <S-NSSAI, service information, k3′> comprises:
    determining whether the service information corresponding to the user plane data carries a high latency requirement;
    if so, on the basis of an adaptive algorithm, taking the service information within the concatenated information of the user plane data as the MESSAGE for the integrity key k3′, generating a MAC-I with the integrity key k3′, and appending the generated MAC-I to the tail of the user plane data;
    if not, performing integrity protection over all of the concatenated information.
  10. A user plane data integrity protection system for a network slice, operating by the user plane data integrity protection method for a network slice according to any one of claims 1 to 9, characterized in that it comprises:
    a user UE, configured to generate the network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication, to introduce the corresponding service information into the mapping between the network slice identifier S-NSSAI and the network slice anchor key K1, and to store the mapping among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1;
    an AUSF, configured to generate, after the user's access authentication succeeds, the network slice anchor key K1 for the UE and form the mapping <S-NSSAI, K1>, where S-NSSAI is the network slice identifier; to send the mapping <S-NSSAI, K1> to the AMF; and to return to the UE the network slice identifier S-NSSAI whose user plane data require encryption, together with the data transmission security protection indication;
    an AMF, configured to store the mapping <S-NSSAI, K1>.
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202111680363.0A | 2021-12-30 | 2021-12-30 | User plane data integrity protection method and system for network slicing
CN202111680363.0 | 2021-12-30 | |

Publications (1)

Publication Number | Publication Date
WO2023125675A1 | 2023-07-06

Family

ID=81023341

Family Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
PCT/CN2022/142873 | WO2023125675A1 (en) | 2021-12-30 | 2022-12-28 | User plane data integrity protection method and system for network slice

Country Status (2)

CN (1) CN114339761A
WO (1) WO2023125675A1

Citations (5)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
CN111491394A * | 2019-01-27 | 2020-08-04 | 华为技术有限公司 | Method and device for user plane security protection
CN112738800A * | 2020-12-25 | 2021-04-30 | 中盈优创资讯科技有限公司 | Method for realizing data security transmission of network slice
CN113038461A * | 2017-05-05 | 2021-06-25 | 华为技术有限公司 | Communication method and related device
CN113541989A * | 2020-04-17 | 2021-10-22 | 中国移动通信有限公司研究院 | Network slice detection method, device and storage medium
CN114339761A * | 2021-12-30 | 2022-04-12 | 天翼物联科技有限公司 | User plane data integrity protection method and system for network slicing

Also Published As

Publication Number | Publication Date
CN114339761A | 2022-04-12

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22914927; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE