WO2023125675A1 - Method and system for user plane data integrity protection for a network slice - Google Patents

Method and system for user plane data integrity protection for a network slice

Info

Publication number
WO2023125675A1
Authority
WO
WIPO (PCT)
Prior art keywords
nssai
network slice
user
mapping relationship
service information
Prior art date
Application number
PCT/CN2022/142873
Other languages
English (en)
Chinese (zh)
Inventor
常洁
林黛娣
严黎明
毕家瑜
黄海昆
项春林
陈正文
曾祥宇
Original Assignee
天翼物联科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity

Definitions

  • The present invention relates to the technical field of 5G network slicing data security, in particular to a user plane data integrity protection method and system for network slicing.
  • Network slicing is a collection of network functions, resources for running network functions, and network function-specific configurations. Network functions and their corresponding configurations form a complete logical network, including network features required by specific services.
  • Network slicing involves end-to-end network elements: service capacity depends on the number and configuration of network elements, while connection and delay depend on network topology, interface configuration and deployment. In the future, network slicing will carry a large amount of high-value application data and sensitive information such as private data, which greatly raises the security requirements of 5G networks. Network slicing user plane security mechanisms are therefore essential, but user plane data integrity protection based only on the network slice cannot meet the requirements of 5G high traffic, low latency and massive connections across different business scenarios.
  • The purpose of the present invention is to provide a user plane data integrity protection method and system for network slicing, aiming to solve the problem that the prior art cannot meet the requirements of 5G high traffic, low delay and massive connections in different business scenarios.
  • an embodiment of the present invention provides a user plane data integrity protection method for network slicing, including:
  • after the user UE access authentication is successful, the AUSF generates a network slice anchor key K1 for the user UE to form a mapping relationship <S-NSSAI, K1>, where S-NSSAI is the network slice identifier;
  • the AUSF sends the mapping relationship <S-NSSAI, K1> to the AMF, and the AMF saves the mapping relationship <S-NSSAI, K1>;
  • the AUSF returns to the user UE the network slice identifier S-NSSAI whose user plane data needs to be encrypted, together with an indication of data transmission security protection;
  • the user UE generates a network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, introduces the corresponding service information into the mapping relationship between the network slice identifier S-NSSAI and the network slice anchor key K1, and saves the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1.
  • an embodiment of the present invention provides a user plane data integrity protection system for network slicing, which operates through the user plane data integrity protection method for network slicing, including:
  • the user UE, configured to generate a network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection, to introduce the corresponding service information into the mapping relationship between the network slice identifier S-NSSAI and the network slice anchor key K1, and to save the mapping relationship among the network slice identifier S-NSSAI, the service information and the network slice anchor key K1;
  • the AUSF, configured to generate a network slice anchor key K1 for the user UE after successful user access authentication to form a mapping relationship <S-NSSAI, K1>, where S-NSSAI is a network slice identifier; to send the mapping relationship <S-NSSAI, K1> to the AMF; and to return to the user UE the network slice identifier S-NSSAI whose user plane data needs to be encrypted, together with an indication of data transmission security protection;
  • the AMF, configured to store the mapping relationship <S-NSSAI, K1>.
  • The data transmitted on the user plane of the network slice is adaptively protected in different service environments, which reduces the prior configuration, achieves integrity protection of the network slice user plane data, reduces the computational load and greatly improves the delay of user plane data transmission, giving the method a certain degree of practicability.
  • FIG. 1 is a schematic flowchart of a user plane data integrity protection method for network slicing provided by an embodiment of the present invention
  • Fig. 2 is a block diagram of a user plane data integrity protection system for network slicing provided by an embodiment of the present invention.
  • SUCI: Subscription Concealed Identifier, user concealed identifier
  • S-NSSAI: Single Network Slice Selection Assistance Information
  • AMF: Access and Mobility Management Function
  • AUSF: Authentication Server Function
  • UDM: Unified Data Management
  • SUPI: Subscription Permanent Identifier, user permanent identifier
  • SMF: Session Management Function
  • UPF: User Plane Function
  • gNB: 5G base station
  • NSSF: Network Slice Selection Function
  • the authentication phase before the user UE access authentication succeeds is:
  • the user UE accesses the 5G network, initiates an initial registration request, and the request carries information such as the user identifier SUCI, the network slice identifier S-NSSAI supported by the user UE;
  • after the AMF accepts the UE registration request, it sends an authentication request to the AUSF;
  • after the AUSF receives the authentication request, if it holds no user subscription information (user ID), it requests the user subscription information from the UDM.
  • the request message contains the user ID SUCI.
  • UDM executes the conversion from SUCI to SUPI, and returns the corresponding user subscription information to AUSF;
  • the user subscription information includes an indication of the network slices (S-NSSAI identifiers) that the user is allowed to access and which network slice identifiers corresponding to the S-NSSAI need to perform user plane data security protection;
  • the UDM generates an authentication vector for the user UE's access authentication request and returns it to the AUSF together with the user subscription information;
  • the AUSF receives the user subscription information and the authentication vector, and completes the two-way authentication process for the user UE to access the network with the AMF and the user UE.
  • after the user UE access authentication succeeds, the AUSF generates an anchor key KAUSF for the user UE and, for the network slice identifier S-NSSAI designated by the user plane data security protection indication returned by the UDM, uses KAUSF and a key generation algorithm to generate the network slice anchor key K1 for user plane data security protection;
  • the mapping relationship <S-NSSAI, K1> indicates that user plane data security protection needs to be performed for the network slice corresponding to the network slice identifier S-NSSAI accessed by the user UE.
  • after the AUSF saves the mapping relationship of the user UE accessing the network and completes the other registration processes, it returns an authentication success response message to the user UE; the response message includes the network slice identifier S-NSSAI for which user plane data security protection needs to be established, and an indication to establish user plane data security protection.
  • the user UE receives the authentication success response message returned by the network, generates the anchor key KAUSF, and, following the indication, uses KAUSF and the above key generation algorithm to generate the user plane data security protection network slice anchor key K1 for the corresponding network slice identifier S-NSSAI;
  • the adaptive integrity protection of the data transmitted on the network slice user plane under different business environments reduces the prior configuration, achieves integrity protection of the network slice user plane data, reduces the computational load, greatly improves the delay of user plane data transmission, and has a certain degree of practicability.
  • the service information includes the data network name (DNN) information, quality of service (QoS), service priority, base station side reservation information, bandwidth and delay requirement indicators for 5G service transmission, and the like, so that the items in the service information can be used for preferential selection within the network slice.
  • after the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection and introduces the service information into the mapping relationship between the network slice identifier S-NSSAI and the network slice anchor key K1, the method further includes:
  • according to the information in the mapping relationship <S-NSSAI, service information, K1>, the user UE generates an integrity key k3' using a one-way irreversible function based on a preset method, saves the integrity key k3', and saves the mapping relationship <S-NSSAI, service information, k3'>.
  • the preset method can be set according to the actual situation;
  • the one-way irreversible function is an existing function with a one-way irreversible effect, and a function can be selected according to the actual situation;
  • the information in the mapping relationship <S-NSSAI, service information, K1> includes the service information, etc.
  • after the user UE generates the network slice anchor key K1 for the network slice identifier S-NSSAI according to the indication of data transmission security protection and introduces the service information into the mapping relationship between the network slice identifier S-NSSAI and the network slice anchor key K1, the method further includes:
  • the user UE initiates a session establishment request in the access network slicing process to the AMF;
  • the AMF obtains, according to the mapping relationship <S-NSSAI, K1>, the network slice identifier S-NSSAI that the user UE needs to access and for which user plane data security protection is performed;
  • the SMF selects the AMF, the AMF generates an integrity key k3' for user plane data security protection for the network slice identifier S-NSSAI, and the AMF stores the mapping relationship <S-NSSAI, service information, k3'>.
  • the generated integrity key k3' is used to adaptively protect the integrity of the data transmitted in the user plane of the network slice under different service environments.
  • the session establishment request includes: the network slice identifier S-NSSAI that the user UE requests to access and corresponding service information.
  • the network slice identifier S-NSSAI and the corresponding service information are included in the session request, which makes it convenient to generate the mapping relationship <S-NSSAI, service information, k3'> at the next level and to preserve the service information while it is transferred at subsequent levels.
  • after the SMF selects the AMF, the AMF generates an integrity key k3' for user plane data security protection for the network slice identifier S-NSSAI, and the AMF stores the mapping relationship <S-NSSAI, service information, k3'>, the method further includes:
  • the AMF searches for the corresponding SMF according to the network slice identifier S-NSSAI;
  • a session is established between the AMF and the corresponding SMF, the AMF sends the mapping relationship <S-NSSAI, service information, k3'> to the SMF, and the SMF saves the mapping relationship <S-NSSAI, service information, k3'>;
  • the SMF searches for the corresponding UPF according to the network slice identifier S-NSSAI;
  • a session is established between the SMF and the corresponding UPF, the SMF sends the mapping relationship <S-NSSAI, service information, k3'> to the UPF, and the UPF stores the mapping relationship <S-NSSAI, service information, k3'>.
  • the UPF saves the mapping relationship and establishes a binding between k3' and the network slice session, that is, when data is transmitted using the network slice session, the integrity key k3' is used for data transmission security protection.
  • after the user UE completes the session establishment process for accessing the network slice, it can use the network slice session to carry out application services.
  • after a session is established between the SMF and the corresponding UPF, the SMF sends the mapping relationship <S-NSSAI, service information, k3'> to the UPF, and the UPF stores the mapping relationship <S-NSSAI, service information, k3'>, the method further includes:
  • the SMF communicates the message after the session authentication and authorization with the AMF through the N1N2 interface;
  • the gNB performs radio resource reservation
  • radio resource reservation classifies network slices by priority according to the service information and the corresponding network slice identifier S-NSSAI, and reserves a certain resource space for priority transmission of high-priority traffic.
  • after the remaining sessions are established between the user UE and the SMF and the access network slice session establishment process is completed, the method further includes:
  • when the user UE conducts application services with the UPF through the network slice session, the user UE identifies the user plane data and, according to the service information and the mapping relationship <S-NSSAI, service information, k3'>, adaptively generates a MAC-I for the PDCP SDU based on that mapping relationship and adds the MAC-I to the user plane data.
  • the MAC-I carries a delay requirement flag: when the delay requirement is met, the MAC-I is calculated and added to the corresponding user plane data, which facilitates identification and transmission.
  • when the user UE conducts application services with the UPF through the network slice session, the user UE identifies the user plane data and, according to the service information and the mapping relationship <S-NSSAI, service information, k3'>, adaptively generates a MAC-I for the PDCP SDU based on that mapping relationship, including:
  • integrity protection is performed over all the information in the concatenated information.
  • the MAC-I is a high-latency flag and is added to the end of the user plane data when the high-latency condition holds.
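The key hierarchy (KAUSF to the per-slice anchor key K1 to the integrity key k3' derived from <S-NSSAI, service information, K1>) and the per-packet MAC-I over the concatenated slice identifier, service information and PDCP SDU are described above without naming concrete algorithms. The following is an added example, not code from the patent or its assignee: HMAC-SHA256 stands in for the unspecified key generation algorithm and one-way function, the MAC-I is truncated to 32 bits (the usual PDCP MAC-I length, not something the page states), and a constructed `delay_tolerant` field in the service information plays the role of the delay requirement flag. The UE side and the UPF side derive k3' independently from the same stored mapping, so a mismatch in S-NSSAI or service information, or any modification of the SDU, fails verification.

```python
"""Added example (not from the patent): slice key hierarchy plus adaptive MAC-I.
Assumptions: HMAC-SHA256 as KDF and one-way function, 32-bit MAC-I,
constructed 'delay_tolerant' flag in the service information."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample anchor key; a real KAUSF is produced by 5G AKA.
SAMPLE_KAUSF = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_S_NSSAI = "01-000001"  # constructed slice identifier (SST-SD)
SAMPLE_SERVICE_INFO = {"dnn": "internet", "qos_5qi": 9, "priority": 3,
                       "delay_tolerant": True}  # constructed service information


def _canon(service_info: dict) -> bytes:
    """Canonical encoding so the UE and the network hash identical bytes."""
    return json.dumps(service_info, sort_keys=True, separators=(",", ":")).encode()


def derive_k1(kausf: bytes, s_nssai: str) -> bytes:
    """Network slice anchor key K1 = KDF(KAUSF, S-NSSAI); one K1 per slice."""
    return hmac.new(kausf, b"K1|" + s_nssai.encode(), hashlib.sha256).digest()


def derive_k3(k1: bytes, s_nssai: str, service_info: dict) -> bytes:
    """Integrity key k3' from <S-NSSAI, service information, K1> through a
    one-way function; changing the service information changes the key."""
    msg = b"k3|" + s_nssai.encode() + b"|" + _canon(service_info)
    return hmac.new(k1, msg, hashlib.sha256).digest()


def compute_mac_i(k3: bytes, s_nssai: str, service_info: dict, pdcp_sdu: bytes) -> bytes:
    """32-bit MAC-I over the concatenation of slice id, service info and SDU."""
    msg = s_nssai.encode() + b"|" + _canon(service_info) + b"|" + pdcp_sdu
    return hmac.new(k3, msg, hashlib.sha256).digest()[:4]


def needs_mac_i(service_info: dict) -> bool:
    """Adaptive rule: attach the MAC-I only where the delay budget allows it."""
    return bool(service_info.get("delay_tolerant", True))


def protect(k3: bytes, s_nssai: str, service_info: dict, pdcp_sdu: bytes) -> bytes:
    """UE side: append the MAC-I to the user plane data when the rule applies."""
    if not needs_mac_i(service_info):
        return pdcp_sdu
    return pdcp_sdu + compute_mac_i(k3, s_nssai, service_info, pdcp_sdu)


def verify(k3: bytes, s_nssai: str, service_info: dict, protected: bytes) -> Optional[bytes]:
    """UPF side: return the SDU if the MAC-I checks out, None on tampering."""
    if not needs_mac_i(service_info):
        return protected
    if len(protected) < 4:
        return None
    sdu, tag = protected[:-4], protected[-4:]
    expected = compute_mac_i(k3, s_nssai, service_info, sdu)
    if not hmac.compare_digest(tag, expected):
        return None
    return sdu


def demo() -> bool:
    """Round trip: both sides derive k3' from the same mapping, the UE protects
    a packet, the UPF verifies it, and a flipped byte in transit is rejected."""
    ue_k3 = derive_k3(derive_k1(SAMPLE_KAUSF, SAMPLE_S_NSSAI), SAMPLE_S_NSSAI, SAMPLE_SERVICE_INFO)
    net_k3 = derive_k3(derive_k1(SAMPLE_KAUSF, SAMPLE_S_NSSAI), SAMPLE_S_NSSAI, SAMPLE_SERVICE_INFO)
    sdu = b"\x45\x00\x00\x1c constructed PDCP SDU payload"
    wire = protect(ue_k3, SAMPLE_S_NSSAI, SAMPLE_SERVICE_INFO, sdu)
    tampered = bytes([wire[0] ^ 0x01]) + wire[1:]
    return (ue_k3 == net_k3
            and verify(net_k3, SAMPLE_S_NSSAI, SAMPLE_SERVICE_INFO, wire) == sdu
            and verify(net_k3, SAMPLE_S_NSSAI, SAMPLE_SERVICE_INFO, tampered) is None)


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip FAILED")
```

Binding the service information into both k3' and the MAC-I input is what makes the protection "adaptive" in the sense the page uses: a packet protected under one <S-NSSAI, service information> tuple cannot be replayed under another, and the network can skip the MAC-I entirely for delay-sensitive traffic by agreeing the flag on both sides rather than per packet.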
  • the security of the application service data during transmission in the network slice with the network slice identifier S-NSSAI can be guaranteed.
  • otherwise, no corresponding protection key is generated between the user UE and the UPF, and accordingly the user plane data transmitted in that network slice is not protected during transmission.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Method and system for user plane data integrity protection for a network slice. The method comprises the following steps: after the access authentication of a user UE succeeds, an AUSF generates a network slice anchor key K1 for the user UE to form a mapping relationship <S-NSSAI, K1>, S-NSSAI being a network slice identifier; the AUSF sends the mapping relationship <S-NSSAI, K1> to an AMF, and the AMF saves the mapping relationship <S-NSSAI, K1>; the AUSF returns to the user UE a network slice identifier S-NSSAI requiring user plane data encryption and a data transmission security protection indication; and the user UE generates a network slice anchor key K1 for the network slice identifier S-NSSAI according to the data transmission security protection indication. By adding service information to a mapping relationship, self-adaptive integrity protection of data transmitted on a network slice user plane in different service environments is achieved.
PCT/CN2022/142873 2021-12-30 2022-12-28 Method and system for user plane data integrity protection for a network slice WO2023125675A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111680363.0 2021-12-30
CN202111680363.0A CN114339761A (zh) 2021-12-30 2021-12-30 User plane data integrity protection method and system for network slicing

Publications (1)

Publication Number Publication Date
WO2023125675A1 true WO2023125675A1 (fr) 2023-07-06

Family

ID=81023341

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/142873 WO2023125675A1 (fr) 2021-12-30 2022-12-28 Method and system for user plane data integrity protection for a network slice

Country Status (2)

Country Link
CN (1) CN114339761A (fr)
WO (1) WO2023125675A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114339761A (zh) * 2021-12-30 2022-04-12 天翼物联科技有限公司 User plane data integrity protection method and system for network slicing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111491394A (zh) * 2019-01-27 2020-08-04 华为技术有限公司 Method and device for user plane security protection
CN112738800A (zh) * 2020-12-25 2021-04-30 中盈优创资讯科技有限公司 Method for implementing secure data transmission for a network slice
CN113038461A (zh) * 2017-05-05 2021-06-25 华为技术有限公司 Communication method and related device
CN113541989A (zh) * 2020-04-17 2021-10-22 中国移动通信有限公司研究院 Network slice detection method, device and storage medium
CN114339761A (zh) * 2021-12-30 2022-04-12 天翼物联科技有限公司 User plane data integrity protection method and system for network slicing

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113038461A (zh) * 2017-05-05 2021-06-25 华为技术有限公司 Communication method and related device
CN111491394A (zh) * 2019-01-27 2020-08-04 华为技术有限公司 Method and device for user plane security protection
CN113541989A (zh) * 2020-04-17 2021-10-22 中国移动通信有限公司研究院 Network slice detection method, device and storage medium
CN112738800A (zh) * 2020-12-25 2021-04-30 中盈优创资讯科技有限公司 Method for implementing secure data transmission for a network slice
CN114339761A (zh) * 2021-12-30 2022-04-12 天翼物联科技有限公司 User plane data integrity protection method and system for network slicing

Also Published As

Publication number Publication date
CN114339761A (zh) 2022-04-12

Similar Documents

Publication Publication Date Title
CN109104394B (zh) Session processing method and device
US11533610B2 (en) Key generation method and related apparatus
US8806608B2 (en) Authentication server and method for controlling mobile communication terminal access to virtual private network
WO2019184651A1 (fr) Communication method and device
CN110831243B (zh) User plane security policy implementation method, device and system
EP2534889B1 (fr) Method and apparatus for data traffic redirection
EP4138439A1 (fr) Communication method, apparatus and system
WO2019033796A1 (fr) Session processing method and related device
WO2022001611A1 (fr) Target cell determination method and apparatus, and storage medium
WO2022001761A1 (fr) Communication method and apparatus
CN111200565B (zh) Information transmission method, terminal and network device
WO2023125675A1 (fr) Method and system for user plane data integrity protection for a network slice
JP2020506629A (ja) Routing method and apparatus
US20230232228A1 (en) Method and apparatus for establishing secure communication
US20230337002A1 (en) Security context generation method and apparatus, and computer-readable storage medium
TWI702865B (zh) Message transmission control method and device
CN112738800A (zh) Method for implementing secure data transmission for a network slice
CN114071790B (zh) Communication method, apparatus, device and storage medium
CN110351722A (zh) Information sending method, key generation method and apparatus
WO2022160861A1 (fr) Communication method and apparatus
WO2021132087A1 (fr) AMF node and associated method
WO2019184685A1 (fr) Method and apparatus for processing quality of service data flow
WO2021026927A1 (fr) Communication method and related devices
WO2024037215A1 (fr) Communication method and apparatus
CN102131191A (zh) Method for implementing key mapping, and authentication server, terminal and system

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 22914927; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)