WO2023125865A1 - Secure transmission method and device - Google Patents
Secure transmission method and device
- Publication number: WO2023125865A1 (PCT application PCT/CN2022/143624)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, encrypted, message, security protocol, layer security
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/02—Data link layer protocols
Definitions
- the embodiments of the present application relate to the field of secure communication, and more specifically, relate to a secure transmission method and device.
- before the first device sends a message to the second device, the first device encrypts the message to be sent according to the transport layer security protocol to obtain an encrypted message, and adds a cyclic redundancy check (CRC) sequence to the encrypted message.
- CRC cyclic redundancy check
- after receiving the encrypted message, the second device performs a CRC check on the encrypted message and decrypts the encrypted message according to the transport layer security protocol. If a bit error occurs during transmission of the encrypted message, the second device first performs error correction on the encrypted message, for example, in the case of an enhanced common public radio interface (eCPRI) carried in Ethernet.
- eCPRI enhanced common public radio interface
- the second device may use basic (base) forward error correction (forward error correction, FEC) or Reed-Solomon (Reed-Solomon, RS) FEC to correct errors in the encrypted message.
- FEC forward error correction
- RS Reed-Solomon
- the requirement on the hardware processing capability of the first device and the second device is relatively high, and the message transmission efficiency is low.
- the embodiment of the present application provides a secure transmission method, in order to reduce the processing load of the device and improve the message transmission efficiency.
- a method for secure transmission includes: the first device encrypts the header of the message to be sent according to the transport layer security protocol to obtain the encrypted message header, where the message to be sent includes first data, and the first data is encrypted by the application layer security protocol and not encrypted by the transport layer security protocol; the first device sends a first encrypted message to the second device, and the first encrypted message includes the encrypted message header and the first data.
- when encrypting the message to be sent according to the transport layer security protocol, the first device encrypts the message header of the message to be sent, and the first data is not encrypted.
- the second device does not need to decrypt the first data according to the transport layer security protocol. Therefore, the processing load of the first device and the second device can be reduced, and the efficiency of message transmission can be improved.
- since the packet header occupies a small proportion of the entire packet to be sent, the encrypted packet header also occupies a small proportion of the first encrypted packet. Furthermore, since the encrypted message header is relatively short, the probability that an error occurs in the encrypted message header during transmission is relatively small, the probability that the second device fails to decrypt the encrypted message header according to the transport layer security protocol is also relatively small, and the probability that the second device loses the first data because of a decryption failure is therefore also reduced. Therefore, based on the above technical solution, the bit-error tolerance of the link between the first device and the second device can be improved while secure transmission is ensured. If the first data is air interface data, reducing the probability of losing the first data also improves the spectrum utilization of the air interface.
- the application layer security protocol includes: a packet data convergence protocol (packet data convergence protocol, PDCP) layer protocol.
- PDCP packet data convergence protocol
- the transport layer security protocol includes: a media access control security (media access control security, MACSec) protocol and an Internet protocol security (Internet protocol security, IPSec) protocol.
- MACSec media access control security
- IPSec Internet protocol security
- the first data is air interface data.
- the first data is data received by the first device from the terminal device.
- the first data is data received by the first device from the third device, and the first data is data sent to the terminal device.
- the third device is used for generating the first data or for forwarding the first data.
- the third device is a source device that performs data transmission in the Ethernet or a routing device that connects the destination device and the source device.
- the third device is a core network device.
- the first device is a source device for packet transmission in Ethernet or a routing device connecting the source device and the destination device
- the destination device is a destination device for packet transmission in Ethernet
- the second device is the destination device or a routing device connecting the source device and the destination device.
- the method further includes: the first device sends length information of a packet header of the message to be sent to the second device.
- the first device sends the length information of the packet header to the second device, so that the second device can correctly decrypt the encrypted packet header according to the length information. For example, if the length of the header of the message to be sent is not fixed, the first device sends the length information of the header to the second device, so that the second device can correctly decrypt the encrypted header according to the length information.
- the message to be sent further includes second data that has not been encrypted by the application layer security protocol
- the first encrypted message also includes encrypted data
- the method further includes: the first device encrypts the second data according to the transport layer security protocol to obtain the encrypted data.
- the first device encrypts the second data according to the transport layer security protocol, so as to ensure secure transmission of the second data between the first device and the second device.
- the second data includes control data, management plane data or synchronization clock data transmitted on the fronthaul interface.
- the second data is located before the first data.
- the message to be sent includes a message header, second data and first data
- the message header is located at the front of the message to be sent
- the second data is located before the first data
- the first device can simultaneously encrypt the message header and the second data according to the transport layer security protocol, so that the process of encrypting the message to be sent by the first device can be simplified.
- the method further includes: the first device sending length information of the second data to the second device.
- the first device sends the length information of the second data to the second device, so that the second device can correctly decrypt the encrypted data according to the length information. For example, if the length of the second data is not fixed, the first device sends the length information of the second data to the second device, so that the second device can correctly decrypt the encrypted data according to the length information.
- before the first encrypted message is generated, the method further includes: the first device receives a second encrypted message from the second device, and the integrity check performed by the first device on the second encrypted message according to the transport layer security protocol fails.
- the failure of the first device to check the integrity of the second encrypted message is the first time that the first device fails to check the integrity of a message received from the second device.
- the failure of the first device to check the integrity of the second encrypted message is the Nth failure of the first device to check the integrity of a message received from the second device, where N is a positive integer and N is a preset threshold.
- before the first encrypted message is generated, the method further includes: the first device sends a third encrypted message to the second device, where the third encrypted message is generated by encrypting the message to be sent according to the transport layer security protocol; the first device receives indication information from the second device, and the indication information is used to indicate that the integrity check of the third encrypted message fails.
- the first device receives indication information from the second device for the first time.
- the first device receives the indication information from the second device for the Nth time, N is a positive integer, and N is a preset threshold.
- a secure transmission method includes: the second device receives an encrypted message from the first device, the encrypted message includes an encrypted message header and first data, and the first data is encrypted by the application layer security protocol and not encrypted by the transport layer security protocol; the second device decrypts the encrypted message header according to the transport layer security protocol.
- if the first data included in the encrypted message received by the second device is encrypted by the application layer security protocol and not encrypted by the transport layer security protocol, the second device does not need to decrypt the first data according to the transport layer security protocol. Therefore, the processing load of the second device can be reduced, and the efficiency of message transmission can be improved.
- the application layer security protocol includes: PDCP layer protocol.
- the transport layer security protocol includes: MACSec protocol and IPSec protocol.
- the first data is air interface data.
- the first data is data received by the first device from the terminal device.
- the first data is data received by the first device from the third device, and the first data is data sent to the terminal device.
- the third device is used for generating the first data or for forwarding the first data.
- the third device is a source device that performs data transmission in the Ethernet or a routing device that connects the destination device and the source device.
- the third device is a core network device.
- the first device is a source device for packet transmission in Ethernet or a routing device connecting source device and destination device
- the destination device is a destination device for packet transmission in Ethernet
- the second device is the destination device or a routing device connecting the source device and the destination device.
- the second device sends the first data to the third device.
- the fourth device is a destination device for data transmission in the Ethernet or a routing device connecting the destination device and the source device.
- the fourth device is a terminal device or a core network device.
- the second device is a radio frequency device, and the fourth device is a terminal device.
- the second device is a control device, and the fourth device is a core network device.
- the method further includes: the second device receives first length information from the first device, and the second device determines, according to the first length information, the length of the encrypted packet header before it was encrypted.
- the second device determines the length of the encrypted message header before encryption according to the first length information, so that the second device can correctly decrypt the encrypted message header. For example, if the length of the packet header is not fixed, the first device sends the first length information to the second device, so that the second device can correctly decrypt the encrypted packet header according to the first length information.
- the encrypted message further includes encrypted data
- the method further includes: the second device decrypts the encrypted data according to the transport layer security protocol to obtain the second data.
- the second data includes control data, management plane data or synchronization clock data transmitted on the fronthaul interface.
- the method further includes: the second device receives second length information from the first device, and the second device determines the length of the second data according to the second length information.
- the second device determines the length of the second data according to the second length information, so that the second device can correctly decrypt the encrypted data to obtain the second data. For example, if the length of the second data is not fixed, the first device sends the second length information to the second device, so that the second device can correctly decrypt the encrypted data according to the second length information.
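The sender-side and receiver-side procedures of the first and second aspects above (transport-layer encryption of only the header and any second data, the length information that tells the receiver where the encrypted part ends, an integrity check that still covers the pass-through first data, and the fall-back to encrypting the whole message after N integrity failures), as an added Python example that is not part of the patent application. The frame layout, the `FirstDevice` class, the threshold handling and all sample values are assumptions made for this example; the cipher is a stand-in built from the standard library (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag), not the MACsec or IPsec formats the application names.

```python
"""Header-only transport-layer protection with PDCP-protected pass-through.
Illustrative example; the frame format and toy cipher are constructed for it
and are NOT the MACsec/IPsec formats referred to in the application."""
import hashlib
import hmac
import os
import struct

# Constructed frame layout: nonce | length(2) | ciphertext | passthrough | tag
NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one shared secret.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode used as a PRF keystream (toy cipher, stdlib only).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_frame(key: bytes, protected: bytes, passthrough: bytes, nonce=None) -> bytes:
    """First device: `protected` (header plus any second data) is encrypted at
    the transport layer; `passthrough` (first data, already PDCP-protected) is
    appended as-is. The 2-byte length field is the 'length information'."""
    if len(protected) > 0xFFFF:
        raise ValueError("protected part too long for 2-byte length field")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    ciphertext = _xor(protected, _keystream(enc_key, nonce, len(protected)))
    body = nonce + struct.pack(">H", len(protected)) + ciphertext + passthrough
    # The tag covers the whole frame, so a bit error in the pass-through
    # region is still detected even though that region is never decrypted.
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def parse_frame(key: bytes, frame: bytes):
    """Second device: verify integrity, decrypt only the signalled prefix and
    return (protected_plaintext, passthrough). Raises ValueError on failure."""
    if len(frame) < NONCE_LEN + 2 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    nonce = body[:NONCE_LEN]
    (enc_len,) = struct.unpack(">H", body[NONCE_LEN:NONCE_LEN + 2])
    ciphertext = body[NONCE_LEN + 2:NONCE_LEN + 2 + enc_len]
    if len(ciphertext) != enc_len:
        raise ValueError("length field exceeds frame size")
    passthrough = body[NONCE_LEN + 2 + enc_len:]
    protected = _xor(ciphertext, _keystream(enc_key, nonce, enc_len))
    return protected, passthrough


class FirstDevice:
    """Sender that counts integrity failures reported by the peer; once the
    preset threshold N is reached it falls back to encrypting the whole
    message (header, second data and first data) at the transport layer."""

    def __init__(self, key: bytes, threshold: int = 3):
        self.key = key
        self.threshold = threshold  # N, the preset threshold (assumed value)
        self.failures = 0

    def report_integrity_failure(self) -> None:
        self.failures += 1

    @property
    def full_encryption(self) -> bool:
        return self.failures >= self.threshold

    def send(self, header: bytes, second_data: bytes, first_data: bytes) -> bytes:
        if self.full_encryption:
            return build_frame(self.key, header + second_data + first_data, b"")
        return build_frame(self.key, header + second_data, first_data)


# Constructed sample input (not values from the application).
KEY = hashlib.sha256(b"constructed demo shared secret").digest()
HEADER = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d70800")  # constructed 16-byte header
SECOND_DATA = b"CTRL:sync-clock"                              # constructed control-plane data
FIRST_DATA = bytes(range(0x80, 0xC0))                         # stands in for PDCP ciphertext

if __name__ == "__main__":
    dev = FirstDevice(KEY, threshold=2)
    frame = dev.send(HEADER, SECOND_DATA, FIRST_DATA)
    print("first data passed through unencrypted:", FIRST_DATA in frame)
    print("recovered:", parse_frame(KEY, frame))
```

The receiver trusts the length field only after the tag has verified, so a corrupted or forged length cannot steer decryption before integrity is established; and because the tag is computed over the pass-through bytes too, a bit error in the first data is reported as an integrity failure rather than silently forwarded.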
- in a third aspect, a device includes a transceiver unit and a processing unit; the processing unit is used to encrypt the message header of the message to be sent according to the transport layer security protocol to obtain the encrypted message header, where the message to be sent includes first data, and the first data is encrypted by the application layer security protocol and not encrypted by the transport layer security protocol; the transceiver unit is used to send a first encrypted message, and the first encrypted message includes the encrypted message header and the first data.
- the application layer security protocol includes: PDCP layer protocol.
- the transport layer security protocol includes: MACSec protocol and IPSec protocol.
- the first data is air interface data.
- the first data is data received by the apparatus from a terminal device.
- the first data is data received by the apparatus from the third device, and the first data is data sent to the terminal device.
- the third device is used for generating the first data or for forwarding the first data.
- the third device is a source device that performs data transmission in the Ethernet or a routing device that connects the destination device and the source device.
- the third device is a core network device.
- the device is a source device for message transmission in Ethernet or a routing device connecting the source device and the destination device
- the destination device is a destination device for message transmission in Ethernet
- the second device is the destination device or a routing device connecting the source device and the destination device.
- the transceiving unit is further configured to send the length information of the header of the message to be sent to the second device.
- the message to be sent further includes second data that has not been encrypted by the application layer security protocol
- the first encrypted message also includes encrypted data
- the processing unit is further configured to encrypt the second data according to the transport layer security protocol to obtain the encrypted data.
- the second data includes control data, management plane data or synchronization clock data transmitted on the fronthaul interface.
- the second data is located before the first data.
- the transceiving unit is further configured to send length information of the second data to the second device.
- the transceiver unit is further configured to receive a second encrypted message from the second device; the processing unit is further configured to perform an integrity check on the second encrypted message according to the transport layer security protocol, and the integrity check fails.
- the transceiver unit is further configured to send a third encrypted message to the second device, where the third encrypted message is generated by encrypting the message to be sent according to the transport layer security protocol; the transceiver unit is further configured to receive indication information from the second device, where the indication information is used to indicate that the integrity check of the third encrypted message fails.
- in a fourth aspect, an apparatus includes a transceiver unit and a processing unit; the transceiver unit is used to receive an encrypted message from a first device, the encrypted message includes an encrypted message header and first data, and the first data is encrypted by the application layer security protocol but not encrypted by the transport layer security protocol; the processing unit is used to decrypt the encrypted message header according to the transport layer security protocol.
- the application layer security protocol includes: PDCP layer protocol.
- the transport layer security protocol includes: MACSec protocol and IPSec protocol.
- the first data is air interface data.
- the first data is data received by the first device from the terminal device.
- the first data is data received by the first device from the third device, and the first data is data sent to the terminal device.
- the third device is used for generating the first data or for forwarding the first data.
- the third device is a source device that performs data transmission in the Ethernet or a routing device that connects the destination device and the source device.
- the third device is a core network device.
- the first device is a source device for message transmission in Ethernet or a routing device connecting the source device and the destination device
- the destination device is a destination device for message transmission in Ethernet
- the device is the destination device or a routing device connecting the source device and the destination device.
- the transceiver unit is further configured to receive first length information from the first device; the processing unit is further configured to determine, according to the first length information, the length of the encrypted message header before it was encrypted.
- the encrypted message further includes encrypted data
- the processing unit is further configured to decrypt the encrypted data according to the transport layer security protocol to obtain second data.
- the second data includes control data, management plane data or synchronization clock data transmitted on the fronthaul interface.
- the transceiving unit is further configured to receive second length information from the first device; the processing unit is further configured to determine the length of the second data according to the second length information.
- the present application provides a device, including a processor.
- the processor is coupled with the memory, and can be used to execute instructions in the memory, so as to implement the method in the above first aspect or any possible implementation manner of the first aspect.
- the device also includes a memory.
- the device also includes a communication interface, and the processor is coupled with the communication interface.
- the apparatus is a first device.
- the communication interface may be a transceiver, or an input/output interface.
- the apparatus is a chip or a chip system configured in the first device.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- the present application provides a device, including a processor.
- the processor is coupled with the memory, and can be used to execute instructions in the memory, so as to implement the method in the above second aspect or any possible implementation manner of the second aspect.
- the device also includes a memory.
- the device further includes a communication interface, and the processor is coupled with the communication interface.
- the apparatus is the second device.
- the communication interface may be a transceiver, or an input/output interface.
- the apparatus is a chip or a chip system configured in the second device.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- the present application provides a processor, including: an input circuit, an output circuit, and a processing circuit.
- the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in each aspect above.
- the above-mentioned processor can be a chip
- the input circuit can be an input pin
- the output circuit can be an output pin
- the processing circuit can be a transistor, a gate circuit, a flip-flop, and various logic circuits.
- the input signal received by the input circuit may be received and input by, for example but not limited to, the receiver
- the output signal of the output circuit may be, for example but not limited to, output to the transmitter and transmitted by the transmitter
- the circuit may be the same circuit, which is used as an input circuit and an output circuit respectively at different times.
- the embodiment of the present application does not limit the specific implementation manners of the processor and various circuits.
- the present application provides a processing device, including a communication interface and a processor.
- the communication interface is coupled with the processor.
- the communication interface is used for input and/or output of information.
- the information includes at least one of instructions or data.
- the processor is configured to execute a computer program, so that the processing device executes the methods in the various aspects above.
- the present application provides a processing device, including a processor and a memory.
- the processor is used to read instructions stored in the memory, and can receive signals through the receiver and transmit signals through the transmitter, so that the processing device executes the methods in the above aspects.
- there are one or more processors. If there is a memory, there may also be one or more memories.
- the memory may be integrated with the processor, or the memory may be set separately from the processor.
- the memory can be a non-transitory (non-transitory) memory, such as a read-only memory (read only memory, ROM), which can be integrated with the processor on the same chip or set on a different chip; the embodiment of the present application does not limit the type of the memory or the configuration of the memory and the processor.
- a non-transitory memory such as a read-only memory (read only memory, ROM)
- ROM read only memory
- sending indication information may be a process of outputting indication information from a processor
- receiving indication information may be a process of inputting received indication information to a processor.
- the processed output information may be output to the transmitter, and the input information received by the processor may be from the receiver.
- the transmitter and the receiver may be collectively referred to as a transceiver.
- the devices in the above-mentioned eighth and ninth aspects may be chips, and the processor may be implemented by hardware or by software.
- when the processor is implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when the processor is implemented by software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory.
- the memory may be integrated in the processor, or it may be located outside the processor and exist independently.
- the present application provides a computer program product
- the computer program product includes a computer program (also called code, or instructions); when the computer program is executed, it causes the computer to perform the methods in the above-mentioned aspects.
- the present application provides a computer-readable storage medium
- the computer-readable storage medium stores a computer program (also referred to as code, or instructions); when the computer program is run on a computer, it causes the computer to perform the methods in the various aspects above.
- the present application provides a system, including the aforementioned first device and second device.
- Fig. 1 is a schematic diagram of a system suitable for the method provided by the embodiment of the present application
- Fig. 2 is a schematic flowchart of the method provided by the embodiment of the present application.
- FIG. 3 is a schematic diagram of a first device generating a message to be sent
- Fig. 4 is a schematic diagram of the format of the message to be sent
- Fig. 5 is a schematic block diagram of a device provided by an embodiment of the present application.
- Fig. 6 is a schematic structural diagram of the device provided by the implementation of the present application.
- FIG. 7 is a schematic diagram of a chip system provided by an embodiment of the present application.
- the technical solution of the embodiment of the present application can be applied to various communication systems, for example: long term evolution (long term evolution, LTE) system, frequency division duplex (frequency division duplex, FDD), time division duplex (time division duplex, TDD) system, worldwide interoperability for microwave access (WiMAX) communication system, fifth generation (5th generation, 5G) system or new radio (new radio, NR), sixth generation (6th generation, 6G) system or future communication systems, etc.
- the 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (standalone, SA) 5G mobile communication system.
- the communication system can also be a public land mobile network (public land mobile network, PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, or an Internet of Things (Internet of Things, IoT) communication system.
- PLMN public land mobile network
- D2D device-to-device
- M2M machine-to-machine
- IoT Internet of Things
- V2X vehicle to everything
- UAV uncrewed aerial vehicle
- At least one item (piece) of a, b or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein, a, b, c can be single or multiple .
- words such as “first” and “second” are used to distinguish items that are the same or similar and have basically the same function and effect. Those skilled in the art can understand that words such as “first” and “second” do not limit the quantity or the execution order, and do not necessarily require the items to be different.
- words such as “exemplarily” or “for example” are used to present examples, illustrations or explanations. Any embodiment or design solution described as “exemplary” or “for example” in the embodiments of the present application shall not be interpreted as being more preferred or more advantageous than other embodiments or design solutions.
- the use of words such as “exemplarily” or “for example” is intended to present relevant concepts in a specific manner for easy understanding.
- the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the implementation of the present application.
- Those skilled in the art know that, with the evolution of the network architecture and the emergence of new business scenarios, the technical solutions provided by the embodiments of the present application are also applicable to similar technical problems.
- To facilitate understanding of the embodiment of the present application, an application scenario of the embodiment of the present application is first described in detail with reference to FIG. 1 .
- Fig. 1 is a system architecture applicable to the method provided by the embodiment of the present application.
- the system includes a first device and a second device.
- the first device and the second device are devices capable of transmitting packets on the Ethernet.
- the first device may be a source device that transmits packets on an Ethernet or a routing device that connects the source device and the destination device
- the second device may be a destination device that transmits packets on the Ethernet or a routing device that connects the source device and the destination device.
- the first device is a source device, and the second device is a destination device; or, the first device is a source device, and the second device is a routing device; or, the first device is a routing device, and the second device is a destination device; or, both the first device and the second device are routing devices.
- the source device may be a control device that performs message transmission based on an enhanced common public radio interface (enhanced common public radio interface, eCPRI) protocol in Ethernet
- the destination device may be a control device that performs message transmission based on eCPRI protocol in Ethernet
- the routing device can be an extension device that transmits packets based on the eCPRI protocol in Ethernet; or, the source device can be a radio frequency device that transmits packets based on the eCPRI protocol in Ethernet, and the destination device can be a control device that transmits packets based on the eCPRI protocol in Ethernet.
- the eCPRI protocol is a protocol defined in eCPRI specification (specification) V2.0.
- the control device can be used as the main device of the base station, process the digital baseband signal, and provide control and management of the functions of each device of the base station.
- the radio frequency device can be used as a radio frequency module of the base station, and can be used to process intermediate frequency signals and/or radio frequency signals, and can also be used to receive and transmit wireless signals.
- the radio frequency device may be used to process the baseband digital signal, for example, perform fast Fourier transform (fast Fourier transform, FFT) on the baseband digital signal.
- FFT fast Fourier transform
- the expansion device is used to provide data aggregation and distribution functions for the communication between the control device and the radio frequency device.
- the extension device receives an uplink signal from the radio frequency device, performs radio frequency combination on the received uplink signal, and then sends it to the control device.
- the expansion device receives the downlink signal sent by the control device, and sends the downlink signal to all connected radio frequency devices.
- control device may be any of the following: a baseband processing unit (baseband unit, BBU or BU), a distributed unit (distributed unit, DU), and a centralized unit (centralized unit, CU).
- the extension device can be any of the following: switch (switch), router (router), LAN switch (LAN switch, LSW) or radio remote unit hub (radio remote unit hub, rHUB).
- the radio frequency device can be any of the following: remote radio unit (radio remote unit, RRU), radio unit (radio unit, RU), active antenna unit (active antenna unit, AAU), micro radio remote unit (pico radio remote unit, pRRU).
- control device may include a centralized unit (centralized unit, CU) and a DU, wherein the DU is connected to the expansion device through an optical fiber.
- CU can also adopt a structure in which the control plane (control plane, CP) and the user plane (user plane, UP) are separated, that is, the CU can include a CU-CP entity and a CU-UP entity.
- the source device may be a DU that transmits packets based on an enhanced common public radio interface (enhanced common public radio interface, eCPRI) protocol in Ethernet
- the destination device may be a DU that performs packet transmission based on eCPRI protocol in Ethernet
- the source device may be a CU that transmits packets based on the eCPRI protocol in the Ethernet
- the destination device may be a DU that transmits packets based on the eCPRI protocol in the Ethernet.
- the CU implements some functions of the base station
- the DU implements some functions of the base station.
- the CU is responsible for processing non-real-time protocols and services, and implements the functions of the radio resource control (radio resource control, RRC) layer and the packet data convergence protocol (packet data convergence protocol, PDCP) layer; the DU is responsible for processing physical layer protocols and real-time services, and implements the functions of the radio link control (radio link control, RLC) layer, the medium access control (medium access control, MAC) layer and the physical (physical, PHY) layer.
- RRC radio resource control
- PDCP packet data convergence protocol
- RLC radio link control
- MAC medium access control
- PHY physical
- the source device may be an integrated access and backhaul (IAB) node (node) for data transmission in Ethernet
- the destination device may be an IAB donor that performs message transmission in Ethernet
- the routing device can be an IAB node that transmits packets in Ethernet; or, the source device can be an IAB donor that transmits packets in Ethernet, and the destination device can be an IAB node that transmits packets in Ethernet.
- IAB integrated access and backhaul
- before the first device sends a message to the second device, the first device encrypts the message to be sent according to the transport layer security protocol to obtain an encrypted message, and adds a cyclic redundancy check (CRC) sequence to the encrypted message.
- CRC cyclic redundancy check
- after receiving the encrypted message, the second device performs a CRC check on the encrypted message and decrypts the encrypted message according to the transport layer security protocol. If a code error occurs during transmission of the encrypted message, the second device first corrects the encrypted message. For example, in the process of message transmission based on the eCPRI protocol in Ethernet, the second device can use base forward error correction (forward error correction, FEC) or Reed-Solomon (Reed-Solomon, RS) FEC to correct the encrypted message. After correcting the encrypted message, the second device performs a CRC check on the encrypted message and decrypts the encrypted message according to the transport layer security protocol.
- FEC forward error correction
- RS Reed-Solomon
- this places a relatively high demand on the hardware processing capability of the first device and the second device, and the message transmission efficiency is low.
- the embodiment of the present application provides a method for secure transmission, in order to reduce the processing load of the first device and the second device, and improve message transmission efficiency.
- Fig. 2 shows a schematic flow chart of a secure transmission method provided by an embodiment of the present application. As shown in FIG. 2 , the method 200 may include S210 to S230.
- the first device encrypts the header of the packet to be sent according to the transport layer security protocol to obtain the encrypted header.
- the message to be sent includes a message header and first data.
- the first data is encrypted by the application layer security protocol and not encrypted by the transport layer security protocol.
- the first data is data generated by the first device, and the first data is data sent to the terminal device.
- the first data is data received by the first device from the terminal device.
- the first data is data received by the first device from the third device, and the first data is data sent to the terminal device.
- the third device is used for generating the first data or for forwarding the first data.
- the third device is a source device that performs data transmission in the Ethernet or a routing device that connects the destination device and the source device.
- the third device is a core network device.
- the transport layer security protocol includes the media access control security (media access control security, MACSec) protocol, the Internet protocol security (Internet protocol security, IPSec) protocol, the transport layer security (transport layer security, TLS) protocol and the secure socket layer (secure socket layer, SSL) protocol.
- Application layer security protocols include packet data convergence protocol (packet data convergence protocol, PDCP) layer protocol.
- the process of generating a message to be sent by the first device is described below with reference to FIG. 3 , taking the first data as data received by the first device from the terminal device as an example.
- SDAP service data adaptation protocol
- the service data adaptation protocol uses the IP data packet as the SDAP service data unit (service data unit, SDU).
- the SDAP entity of the terminal device adds an SDAP header to the SDAP SDU according to the SDAP layer protocol to obtain an SDAP protocol data unit (protocol data unit, PDU).
- PDU protocol data unit
- the SDAP entity of the terminal device sends the SDAP PDU to the PDCP entity of the terminal device.
- after the PDCP entity of the terminal device receives the SDAP PDU, it regards the SDAP PDU as a PDCP SDU, and performs integrity protection on the part of the PDCP SDU except the SDAP header according to the PDCP layer protocol.
- the PDCP entity of the terminal device performs integrity protection on the PDCP SDU according to the PDCP layer protocol as follows: the PDCP entity calculates a message authentication code for integrity (message authentication code integrity, MAC-I) according to the configured first integrity protection algorithm and first integrity protection key, and concatenates the MAC-I at the end of the PDCP SDU. Further, the PDCP entity performs confidentiality encryption on the part of the PDCP SDU except the SDAP header according to the PDCP layer protocol.
- the PDCP entity of the terminal device performs confidentiality encryption on the PDCP SDU according to the PDCP layer protocol as follows: the PDCP entity performs confidentiality encryption on the PDCP SDU according to the first confidentiality protection algorithm and the first confidentiality protection key configured by the upper layer (such as the RRC layer). Further, the PDCP entity of the terminal device adds a PDCP header to the encrypted message to obtain a PDCP PDU, and sends the PDCP PDU to a radio link control (radio link control, RLC) entity of the terminal device.
- RLC radio link control
- the PDCP entity of the terminal device may also perform network coding on the PDCP PDU, for example, perform network coding on the PDCP PDU according to a low density parity check code (low density parity check code, LDPC).
- LDPC low density parity check code
- after the RLC entity of the terminal device receives the PDCP PDU, it takes the PDCP PDU as the RLC SDU, and adds the RLC header to the RLC SDU according to the RLC layer protocol to obtain the RLC PDU. Further, the RLC entity of the terminal device sends the RLC PDU to a media access control (media access control, MAC) entity of the terminal device. After receiving the RLC PDU, the MAC entity of the terminal device takes the RLC PDU as the MAC SDU, and adds the MAC header to the MAC SDU according to the MAC layer protocol to obtain the MAC PDU. Further, the terminal device adds an L1 header to the MAC PDU through the layer 1 (layer 1, L1) protocol to obtain the first data that can be transmitted on the air interface, and sends the first data to the AAU through the air interface.
- L1 layer 1
- the above description takes, as an example, the PDCP entity performing integrity protection and confidentiality encryption on the part of the PDCP SDU except the SDAP header.
- the PDCP entity of the terminal device may perform integrity protection and confidentiality encryption on all parts included in the PDCP SDU.
- the PDCP entity of the terminal device may perform integrity protection or confidentiality encryption on the PDCP SDU.
- the transport layer security protocol is the PDCP layer protocol as an example.
- the embodiment of the present application is not limited to the future communication system.
- the transport layer security protocol may be the SDAP layer protocol or the RLC layer protocol.
- after receiving the first data from the terminal device, the AAU encapsulates the first data according to the eCPRI protocol and obtains the message to be sent.
- after the first device generates the message to be sent, it encrypts the message header of the message to be sent according to the transport layer security protocol.
- encrypting the header of the message to be sent by the first device according to the transport layer security protocol includes: the first device performing confidentiality encryption on the header of the message to be sent according to the transport layer security protocol, and/or the first device performing integrity protection on the header of the message to be sent according to the transport layer security protocol.
- the integrity protection of the header of the message to be sent by the first device according to the transport layer security protocol includes: the first device performing integrity protection on the header of the message to be sent according to the second integrity protection algorithm and the second integrity protection key.
- the second integrity protection algorithm is an integrity protection algorithm defined by the transport layer security protocol. If the transport layer security protocol defines multiple integrity protection algorithms, the first device and the second device may negotiate a second integrity protection algorithm to use.
- the first device and the second device negotiate the second integrity protection algorithm to be used according to the following steps: step 1, the first device sends at least one integrity protection algorithm supported by the first device to the second device; step 2, the second device selects an integrity protection algorithm supported by the second device from the at least one integrity protection algorithm supported by the first device, and uses the selected integrity protection algorithm as the second integrity protection algorithm; step 3, the second device sends the second integrity protection algorithm to the first device.
- the second integrity protection key is an integrity protection key defined by the transport layer security protocol.
- the second integrity protection key is a pre-configured key, or a key generated through negotiation between the first device and the second device.
- the first device and the second device may negotiate the second integrity protection key according to the (MACSec key agreement, MKA) protocol.
- MKA MACSec key agreement
- the first device and the second device discover through the MKA protocol that both the first device and the second device have the same connectivity association key (connectivity association key, CAK), and then the first device and the second device generate an integrity check value key (integrity check value key, ICK) according to the same key algorithm, the CAK and a random number; the ICK is the second integrity protection key.
- the first device performs integrity protection on the header of the message to be sent according to the second integrity protection algorithm and the second integrity protection key, including: the first device calculates a first integrity check value (integrity check value, ICV) according to the second integrity protection algorithm, the second integrity protection key and the message header of the message to be sent, and places the first ICV at the end of the message header.
- ICV integrity check value
- the confidentiality encryption of the header of the message to be sent by the first device according to the transport layer security protocol includes: encrypting the header of the message to be sent by the first device according to the second confidentiality protection algorithm and the second confidentiality protection key.
- the second confidentiality protection algorithm is a confidentiality protection algorithm defined by the transport layer security protocol. If the transport layer security protocol defines multiple confidentiality protection algorithms, the first device and the second device may negotiate a second confidentiality protection algorithm to use.
- the first device and the second device negotiate the second confidentiality protection algorithm to be used according to the following steps: step 1, the first device sends at least one confidentiality protection algorithm supported by the first device to the second device; step 2, the second device selects a confidentiality protection algorithm supported by the second device from the at least one confidentiality protection algorithm supported by the first device, and uses the selected confidentiality protection algorithm as the second confidentiality protection algorithm; step 3, the second device sends the second confidentiality protection algorithm to the first device.
- the second confidentiality protection key is a confidentiality protection key defined by the transport layer security protocol.
- the second confidentiality protection key is a pre-configured key, or a key generated through negotiation between the first device and the second device.
- the first device and the second device may negotiate the second confidentiality protection key according to the MKA protocol.
- the first device and the second device discover through the MKA protocol that both the first device and the second device have the same CAK, and then the first device and the second device generate a security association key according to the same key algorithm, CAK and random number.
- SAK security association key
- SAK is the second confidentiality protection key.
- when the first device performs confidentiality encryption on the message header according to the transport layer security protocol, it may encrypt the whole message header, or it may encrypt the parts of the message header other than the first ICV.
- the message to be sent further includes second data.
- the second data includes control data, management plane data, or synchronous clock data transmitted on the fronthaul interface; or, the second data includes control data, management plane data, or synchronous clock data transmitted on the midhaul interface; or, the second data includes control data, management plane data, or synchronous clock data transmitted on the backhaul interface.
- the second data includes one or more of the following: operation, administration and maintenance (operation administration and maintenance, OAM) data sent by the control device to the radio frequency device, synchronization clock data sent by the control device to the radio frequency device, and control and management (control and management, C&M) data.
- OAM operation administration and maintenance
- C&M Control and management
- the method 200 further includes: the first device encrypts the second data according to the transport layer security protocol to obtain the encrypted data.
- the encryption of the second data by the first device includes: the first device performing confidentiality encryption on the second data according to the transport layer security protocol and/or performing integrity protection on the second data according to the transport layer security protocol.
- Encrypting the second data confidentiality by the first device according to the transport layer security protocol includes: encrypting the second data by the first device according to the second confidentiality protection algorithm and the second confidentiality protection key.
- Performing integrity protection on the second data by the first device according to the transport layer security protocol includes: performing integrity protection on the second data by the first device according to the second integrity protection algorithm and the second integrity protection key.
- the second data included in the message to be sent is located before the first data.
- the message format of the message to be sent is shown in FIG. 4 .
- the first device simultaneously encrypts the header of the message to be sent and the second data according to the transport layer security protocol.
- the first device performing integrity protection on the packet header and the second data at the same time according to the second integrity protection algorithm and the second integrity protection key includes: the first device calculates a second ICV according to the second integrity protection algorithm, the second integrity protection key, the message header and the second data, and places the second ICV at the end of the second data.
- the first device encrypts the entire message to be sent according to the transport layer security protocol.
- the first device may also perform a CRC check on the packet to be sent. That is, the first device generates a CRC sequence according to the data included in the message to be sent, and places the CRC sequence after the data included in the message to be sent.
- the data included in the message to be sent is the first data and/or the second data.
- the first device does not perform CRC check on the packet to be sent.
- the method 200 further includes S240a and S250a.
- the first device receives the second encrypted message from the second device.
- the second device sends the second encrypted message to the first device.
- the second encrypted message is a message encrypted by the transport layer security protocol.
- the second encrypted message is a message that has undergone confidentiality encryption and integrity protection of the transport layer security protocol.
- the second encrypted message is a message that has undergone integrity protection of the transport layer security protocol.
- the method 200 executes S210.
- the first device determines that the integrity verification of the second encrypted message fails.
- after receiving the second encrypted message, the first device calculates ICV' according to the second integrity protection algorithm, the second integrity protection key and the part of the second encrypted message other than the ICV; if ICV' is inconsistent with the ICV in the second encrypted message, the first device determines that the integrity check of the second encrypted message fails.
- the failure of the first device to check the integrity of the second encrypted message is the first time the first device fails to check the integrity of a message received from the second device. That is to say, before the first device receives the second encrypted message from the second device, the first device successfully checked the integrity of the encrypted messages received from the second device according to the transport layer security protocol. In other words, once the first device fails to verify the integrity of an encrypted message received from the second device according to the transport layer security protocol, the first device uses the message encryption method described in S210 to encrypt the message to be sent, that is, the first device encrypts the message header of the message to be sent according to the transport layer security protocol to obtain the encrypted message header.
- the failure of the first device to check the integrity of the second encrypted message is the Nth failure of the integrity check of messages received from the second device, where N is a positive integer and N is the preset threshold. That is to say, with this failure the number of times the first device has failed to check the integrity of encrypted messages received from the second device according to the transport layer security protocol reaches the preset threshold. In other words, once the number of times the first device fails to check the integrity of encrypted messages received from the second device according to the transport layer security protocol reaches the preset threshold, the first device uses the message encryption method described in S210 to encrypt the message to be sent, that is, the first device encrypts the header of the message to be sent according to the transport layer security protocol to obtain the encrypted header.
- the method 200 further includes S240b and S250b.
- the first device sends the third encrypted packet to the second device.
- the second device receives the third encrypted packet from the first device.
- the third encrypted message is a message encrypted by the transport layer security protocol.
- the third encrypted message is a message that has undergone confidentiality encryption and integrity protection of the transport layer security protocol.
- the third encrypted message is a message that has undergone integrity protection of the transport layer security protocol.
- the second device sends indication information to the first device.
- the first device receives indication information from the second device.
- the indication information is used to indicate that the integrity verification of the third encrypted message fails. If in S250b, the first device receives the indication information from the second device, the method 200 executes S210.
- the second device After receiving the third encrypted message from the first device, the second device performs an integrity check on the third encrypted message according to the transport layer security protocol. If the second device fails to check the integrity of the third encrypted message according to the transport layer security protocol, the second device sends indication information to the first device.
- after receiving the third encrypted message, the second device first decrypts the third encrypted message according to the second confidentiality protection algorithm and the second confidentiality protection key, and then calculates ICV' according to the second integrity protection algorithm, the second integrity protection key and the part of the decrypted message other than the ICV; if ICV' is inconsistent with the ICV in the decrypted message, the second device determines that the integrity verification of the third encrypted message fails.
- after receiving the third encrypted message, the second device calculates ICV' according to the second integrity protection algorithm, the second integrity protection key and the part of the third encrypted message other than the ICV; if ICV' is inconsistent with the ICV in the third encrypted message, the second device determines that the integrity verification of the third encrypted message fails.
- the first device receives indication information from the second device for the first time. That is to say, once the first device receives the indication information from the second device, the first device encrypts the message to be sent using the message encryption method described in S210, that is, the first device encrypts the header of the message to be sent according to the transport layer security protocol to obtain the encrypted message header.
- the first device receives the indication information from the second device for the Nth time, where N is a positive integer and N is a preset threshold. That is to say, once the number of times the first device has received indication information from the second device reaches the preset threshold, the first device encrypts the message to be sent using the message encryption method described in S210, that is, the first device encrypts the message header of the message to be sent according to the transport layer security protocol to obtain the encrypted message header.
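The algorithm negotiation (steps 1 to 3 above) and the failure-triggered switch to the S210 method (S240a/S250a and S240b/S250b) are illustrated below in Python. This is an added example, not the patent's own code. It assumes that HMAC with a negotiated hash function stands in for the integrity protection algorithms of the transport layer security protocol, that a fixed key stands in for the second integrity protection key, that only integrity protection (no confidentiality encryption) is applied, and that the header, payload and threshold values are constructed sample values.

```python
"""Negotiation of the second integrity protection algorithm and the first
device's switch to header-only protection once its failure counter reaches the
preset threshold N.  Added illustration; not the patent's own code."""
import hmac

ICV_LEN = 16  # assumed truncated tag length


def negotiate_algorithm(first_supported, second_supported):
    """Step 1: the first device sends the algorithms it supports.  Step 2: the
    second device selects one it also supports.  Step 3: the selection goes
    back to the first device.  None means no common algorithm."""
    for alg in first_supported:
        if alg in second_supported:
            return alg
    return None


def compute_icv(alg, key, protected):
    """ICV over the protected part with the negotiated algorithm (HMAC here)."""
    return hmac.new(key, protected, alg).digest()[:ICV_LEN]


class SecondDevice:
    """Checks each encrypted message it receives; a True result is the
    indication information 'integrity verification failed' (S250b)."""

    def __init__(self, alg, key):
        self.alg, self.key = alg, key

    def check_failed(self, msg, header_only=False, header_len=0):
        if header_only:  # S210 layout: ICV sits at the end of the header
            protected = msg[:header_len]
            icv = msg[header_len:header_len + ICV_LEN]
        else:            # whole-message layout: ICV ends the message
            protected, icv = msg[:-ICV_LEN], msg[-ICV_LEN:]
        return not hmac.compare_digest(icv, compute_icv(self.alg, self.key, protected))


class FirstDevice:
    """Protects outgoing messages and counts failures per trigger."""

    def __init__(self, alg, key, threshold):
        self.alg, self.key, self.threshold = alg, key, threshold
        self.failures = {"local": 0, "indication": 0}
        self.header_only = False  # True once the S210 method is in use

    def protect(self, header, first_data):
        if self.header_only:  # first data is already PDCP-protected, pass it through
            return header + compute_icv(self.alg, self.key, header) + first_data
        whole = header + first_data
        return whole + compute_icv(self.alg, self.key, whole)

    def note_failure(self, source):
        """source: 'local' = own check of a message from the second device
        failed (S250a); 'indication' = the second device reported a failed
        check of our message (S250b).  Reaching N switches the method."""
        self.failures[source] += 1
        if self.failures[source] >= self.threshold:
            self.header_only = True


def run_exchange(threshold, tamper_rounds, rounds=4):
    """Send `rounds` messages from the first to the second device; rounds listed
    in `tamper_rounds` get one bit flipped in transit.  Returns the negotiated
    algorithm, the number of indications received, and the round in which the
    first device switched to header-only protection (None if it never did)."""
    alg = negotiate_algorithm(["sha256", "sha1"], ["sha1", "sha256"])
    key = b"\x11" * 16               # constructed second integrity protection key
    header = b"\xec\x01\x00\x10"     # constructed eCPRI-style header
    first_data = b"\xaa" * 16        # constructed PDCP-protected payload
    first, second = FirstDevice(alg, key, threshold), SecondDevice(alg, key)
    switched_at = None
    for rnd in range(1, rounds + 1):
        header_only = first.header_only          # layout used for this round
        msg = first.protect(header, first_data)
        if rnd in tamper_rounds:                 # simulated transmission error
            msg = msg[:6] + bytes([msg[6] ^ 0x01]) + msg[7:]
        if second.check_failed(msg, header_only, len(header)):
            first.note_failure("indication")
        if first.header_only and switched_at is None:
            switched_at = rnd
    return alg, first.failures["indication"], switched_at
```

With a threshold of 2 and errors in rounds 1 and 2, the switch happens in round 2 and the later rounds are sent and checked in the header-only layout; with a threshold of 3 the same two errors do not trigger it.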
- the first device sends the first encrypted message to the second device.
- the second device receives the first encrypted message from the first device.
- the first encrypted message includes an encrypted message header and first data. That is to say, after the first device generates the message to be sent, it encrypts the header of the message to be sent according to the transport layer security protocol to obtain the first encrypted message, and sends the first encrypted message to the second device.
- the method 200 further includes: the first device sends length information (that is, first length information) of a header of a packet to be sent to the second device.
- the length information of the packet header is used to determine the length of the packet header.
- the first device before the first device sends the first encrypted packet to the second device, the first device sends the first length information to the second device.
- the first device may add a service type field before the first data according to the service type of the first data. It should be understood that for different service types, the length of the service type field may be different, resulting in different lengths of the message header. Therefore, in order to enable the second device to correctly decrypt the first encrypted packet, the first device may send the length information of the packet header to the second device.
- the method 200 further includes: the first device sending service type information to the second device, where the service type information is used to indicate the service type of the first data.
- the service type of the first data is used to determine the length of the message header of the message to be sent.
- the first encrypted message includes an encrypted message header, encrypted data, and first data. That is to say, after the first device generates the message to be sent, it encrypts the header and the second data of the message to be sent according to the transport layer security protocol to obtain the first encrypted message, and sends the first encrypted message to second device.
- the method 200 further includes: the first device sends length information (that is, second length information) of the second data to the second device.
- the length information of the second data is used to determine the length of the second data.
- the first device before the first device sends the first encrypted packet to the second device, the first device sends the second length information to the second device.
- the first encrypted packet further includes a CRC sequence.
- the second device decrypts the encrypted packet header included in the first encrypted packet according to the transport layer security protocol.
- when the first device has performed confidentiality encryption and integrity protection on the header of the message to be sent according to the transport layer security protocol, the second device first uses the second confidentiality protection algorithm and the second confidentiality protection key to decrypt the encrypted message header to obtain the message header, and then calculates a first ICV' according to the second integrity protection algorithm, the second integrity protection key and the part of the message header other than the first ICV; if the first ICV' is consistent with the first ICV, the second device determines that the integrity check of the encrypted message header is successful.
- when the first device has performed confidentiality encryption on the header of the message to be sent according to the transport layer security protocol, the second device decrypts the encrypted message header according to the second confidentiality protection algorithm and the second confidentiality protection key to obtain the message header, and calculates a first ICV' according to the second integrity protection algorithm, the second integrity protection key and the part of the encrypted message header other than the first ICV; if the first ICV' is consistent with the first ICV, the second device determines that the integrity check of the encrypted message header is successful.
- the second device first determines, according to the first length information, the length of the encrypted message header before it was encrypted, and then decrypts the encrypted message header according to that length.
- the second device calculates the length of the encrypted packet header according to the second confidentiality protection algorithm, the second confidentiality protection key, and the first length information. Further, the second device locates the encrypted message header from the first encrypted message according to the calculated length of the encrypted message header. Further, the second device decrypts the encrypted message header.
- the second device further decrypts the encrypted data according to the transport layer security protocol to obtain the second data.
- the manner in which the second device decrypts the encrypted data is the same as the manner in which the second device decrypts the encrypted header, and for the sake of brevity, details are not described here.
- the second device first determines, according to the second length information, the length of the encrypted data before it was encrypted, and then decrypts the encrypted data according to that length.
- the second device calculates the length of the encrypted data according to the second confidentiality protection algorithm, the second confidentiality protection key and the second length information. Further, the second device locates the encrypted data in the first encrypted message according to the calculated length of the encrypted data. Further, the second device decrypts the encrypted data.
- the second device further performs a CRC check on the first encrypted message according to the CRC check code. If the first encrypted message does not include the CRC check code, the second device does not perform the CRC check on the first encrypted message.
- the second device sends the first data to the fourth device.
- the fourth device is a destination device for data transmission in the Ethernet or a routing device connecting the destination device and the source device.
- the fourth device is a terminal device or a core network device.
- the second device is a radio frequency device, and the fourth device is a terminal device.
- the second device is a control device, and the fourth device is a core network device.
- if the first data is data sent to the terminal device and a bit error occurs in the first data during transmission from the first device to the second device, the terminal device performs error correction on the first data after receiving it; for example, the terminal device corrects the first data according to a Turbo code, a polar code or an LDPC code.
- if the first data is data sent by the terminal device to the control device or the core network device and a bit error occurs in the first data during transmission from the first device to the second device, the control device or the core network device performs error correction on the first data after receiving it; for example, the control device or the core network device corrects the first data according to a Turbo code, a polar code or an LDPC code.
- when encrypting the message to be sent according to the transport layer security protocol, the first device encrypts the message header of the message to be sent without encrypting the first data.
- the second device decrypts the encrypted message header included in the encrypted message without decrypting the first data. Therefore, the processing burden of the first device and the second device can be reduced, the chip cost and power consumption of the first device and the second device can be reduced, and the efficiency of message transmission can be improved.
- the secure transmission of the first data between the first device and the second device can be guaranteed.
- since the header of the message to be sent is not otherwise encrypted, after the first device encrypts the header according to the transport layer security protocol, the secure transmission of the header between the first device and the second device can be guaranteed.
- since the packet header occupies a small proportion of the entire message to be sent, the encrypted packet header also occupies a small proportion of the first encrypted message. Furthermore, since the encrypted message header is relatively short, the probability of an error in it during transmission is relatively small, the probability that the second device fails to decrypt it according to the transport layer security protocol is also relatively small, and the probability that the second device loses the first data because decryption or the integrity check of the message header fails is reduced accordingly. Therefore, based on the above technical solution, the anti-bit error capability of the link between the first device and the second device can be improved while secure transmission is ensured. If the first data is air interface data, reducing the probability of losing the first data also improves the spectrum utilization of the air interface.
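The construction of the first encrypted message by the first device, its processing by the second device (locating the encrypted header from the signalled length, checking the ICV, decrypting the header and the second data, checking the optional CRC) and the bit-error argument just above, as an added example in Go. This is not code from the patent or from the applicant's products: the packet layout `encHeader || ICV || encSecond || first || [CRC32]`, AES-128-CTR as the confidentiality algorithm, a 16-byte truncated HMAC-SHA256 as the ICV, CRC32 as the CRC sequence, the out-of-band length signalling as two integer parameters, and all keys and sample bytes are constructed assumptions. It follows the variant where the ICV is computed over the encrypted header excluding the ICV field.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Constructed stand-ins for the page's abstract confidentiality and
// integrity "protection algorithm/key": AES-128-CTR and a 16-byte
// truncated HMAC-SHA256 ICV (MACsec/IPsec would supply their own).
const icvLen = 16

var ErrICV = errors.New("integrity check of encrypted message header failed")
var ErrShort = errors.New("packet shorter than the signalled lengths")

// Keys: transport-layer keys plus a per-packet IV (fixed here so the
// example is deterministic; a real sender uses a fresh IV per packet).
type Keys struct{ Conf, Integ, IV []byte }

func newStream(k Keys) cipher.Stream {
	block, err := aes.NewCipher(k.Conf)
	if err != nil {
		panic(err) // wrong key length is a programming error here
	}
	return cipher.NewCTR(block, k.IV)
}

func computeICV(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// encryptedLen maps a signalled plaintext length to the ciphertext
// length: CTR is length preserving, a padded block mode would round up.
func encryptedLen(plainLen int) int { return plainLen }

// Build is the first device's side. Layout of the first encrypted
// message: encHeader || ICV || encSecond || first || [CRC32]. Header
// and second data get transport-layer encryption; first data (already
// PDCP-encrypted air-interface data) is carried unchanged.
func Build(k Keys, header, second, first []byte, withCRC bool) []byte {
	s := newStream(k)
	encHeader := make([]byte, len(header))
	s.XORKeyStream(encHeader, header)
	encSecond := make([]byte, len(second))
	s.XORKeyStream(encSecond, second) // same stream continues: no keystream reuse
	pkt := append([]byte{}, encHeader...)
	pkt = append(pkt, computeICV(k.Integ, encHeader)...) // ICV covers the ciphertext header only
	pkt = append(pkt, encSecond...)
	pkt = append(pkt, first...)
	if withCRC {
		var crc [4]byte
		binary.BigEndian.PutUint32(crc[:], crc32.ChecksumIEEE(pkt))
		pkt = append(pkt, crc[:]...)
	}
	return pkt
}

// Parsed is what the second device hands onward. CRCOK is true when
// no CRC was present or it matched; the page does not say what the
// second device does on a mismatch, so it is reported, not an error.
type Parsed struct {
	Header, Second, First []byte
	CRCOK                 bool
}

// Parse is the second device's side. hdrLen and secondLen are the
// first and second length information signalled before the packet.
func Parse(k Keys, pkt []byte, hdrLen, secondLen int, withCRC bool) (Parsed, error) {
	p := Parsed{CRCOK: true}
	if withCRC {
		if len(pkt) < 4 {
			return p, ErrShort
		}
		body, tag := pkt[:len(pkt)-4], pkt[len(pkt)-4:]
		p.CRCOK = crc32.ChecksumIEEE(body) == binary.BigEndian.Uint32(tag)
		pkt = body
	}
	eh, es := encryptedLen(hdrLen), encryptedLen(secondLen)
	if len(pkt) < eh+icvLen+es {
		return p, ErrShort
	}
	encHeader, tag := pkt[:eh], pkt[eh:eh+icvLen]
	encSecond := pkt[eh+icvLen : eh+icvLen+es]
	p.First = pkt[eh+icvLen+es:] // pass-through data, not decrypted here
	// ICV' over the received ciphertext header (ICV field excluded)
	// must equal the received ICV; hmac.Equal is constant time.
	if !hmac.Equal(computeICV(k.Integ, encHeader), tag) {
		return p, ErrICV
	}
	s := newStream(k)
	p.Header = make([]byte, hdrLen)
	s.XORKeyStream(p.Header, encHeader)
	p.Second = make([]byte, secondLen)
	s.XORKeyStream(p.Second, encSecond)
	return p, nil
}
```

The point the example makes concrete: a flipped bit in the pass-through first data leaves the ICV check intact, so `Parse` returns the packet (with `CRCOK` false) and the first data reaches the layer that can correct it, whereas a flipped bit in the short encrypted header is the only case that produces `ErrICV`. Under a scheme whose ICV covers the whole frame, both cases would discard the frame.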
- the secure transmission method provided by the embodiments of this application can be applied without replacing the first device and/or the second device, and the anti-bit error capability of the link between the first device and the second device is improved.
- when the first device and the second device are connected through an optical fiber link, the integrity check of the encrypted message transmitted between them may fail because of the following problems: power degradation of the optical module deployed on the first device and/or the second device, optical signal attenuation caused by extension of the fiber between the first device and the second device, and insertion loss caused by fiber fusion splicing. With the above technical solution, the anti-bit error capability of the link between the first device and the second device can be improved even without replacing the optical module of the first device, the optical module of the second device, or the optical fiber.
- FIG. 5 is a schematic block diagram of an apparatus 1000 provided by an embodiment of the present application. As shown in the figure, the apparatus 1000 may include: a transceiver unit 1010 and a processing unit 1020 .
- the apparatus 1000 may be the first device in the above method embodiment, or may be a chip for realizing the function of the first device in the above method embodiment.
- the apparatus 1000 may correspond to the first device in the method 200 according to the embodiment of the present application, and the apparatus 1000 may include a unit for performing the method performed by the first device in the method 200 in FIG. 2 .
- each unit in the apparatus 1000 and the above-mentioned other operations and/or functions are respectively intended to implement a corresponding flow of the method 200 in FIG. 2 . It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
- the apparatus 1000 may be the second device in the above method embodiment, or may be a chip for realizing the function of the second device in the above method embodiment.
- the apparatus 1000 may correspond to the second device in the method 200 according to the embodiment of the present application, and the apparatus 1000 may include a unit for performing the method performed by the second device in the method 200 in FIG. 2 .
- each unit in the apparatus 1000 and the above-mentioned other operations and/or functions are respectively intended to implement a corresponding flow of the method 200 in FIG. 2 . It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
- transceiver unit 1010 in the device 1000 may correspond to the transceiver 2020 in the device 2000 shown in FIG. 6
- processing unit 1020 in the device 1000 may correspond to the processor 2010 in the device 2000 shown in FIG. 6 .
- when the device 1000 is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input-output circuit or a communication interface;
- the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
- the transceiver unit 1010 is used to realize the signal sending and receiving operation of the device 1000
- the processing unit 1020 is used to realize the signal processing operation of the device 1000 .
- the apparatus 1000 further includes a storage unit 1030, and the storage unit 1030 is used for storing instructions.
- FIG. 6 is a schematic block diagram of an apparatus 2000 provided by an embodiment of the present application.
- the apparatus 2000 includes: at least one processor 2010 and a transceiver 2020 .
- the processor 2010 is coupled with the memory, and is used for executing instructions stored in the memory to control the transceiver 2020 to send signals and/or receive signals.
- the apparatus 2000 further includes a memory 2030 for storing instructions.
- processor 2010 and memory 2030 may be combined into one processing device, and the processor 2010 is used to execute the program code stored in the memory 2030 to realize the above-mentioned functions.
- the memory 2030 may also be integrated in the processor 2010 , or be independent of the processor 2010 .
- the transceiver 2020 may include a receiver and a transmitter.
- the transceiver 2020 may further include antennas, and the number of antennas may be one or more.
- the transceiver 2020 may in turn be a communication interface or an interface circuit.
- when the device 2000 is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input-output circuit or a communication interface;
- the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
- FIG. 7 is a schematic diagram of a chip system according to an embodiment of the present application.
- the chip system here may also be a system composed of circuits.
- the chip system 3000 shown in FIG. 7 includes: a logic circuit 3010 and an input/output interface 3020; the logic circuit is coupled to the input/output interface and transmits data (for example, the first instruction information) through the input/output interface to execute the method described in FIG. 2 .
- the embodiment of the present application also provides a processing device, including a processor and an interface.
- the processor may be used to execute the methods in the foregoing method embodiments.
- the above processing device may be a chip.
- the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC) or a system on chip (SoC); it may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP) or a microcontroller unit (MCU), or a programmable logic device (PLD) or other integrated chip.
- each step of the above method can be completed by an integrated logic circuit of hardware in a processor or an instruction in the form of software.
- the steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
- the software module can be located in a storage medium mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register.
- the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.
- the processor in the embodiment of the present application may be an integrated circuit chip, which has a signal processing capability.
- each step of the above-mentioned method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
- the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
- the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory can be random access memory (RAM), which acts as external cache memory.
- the present application also provides a computer program product, the computer program product including computer program code which, when run on a computer, causes the computer to execute the method of the embodiment shown in FIG. 2 .
- the present application also provides a computer-readable medium, the computer-readable medium storing program code which, when run on a computer, causes the computer to execute the method of the embodiment shown in FIG. 2 .
- the present application further provides a system, which includes the foregoing first device and the second device.
- the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- when implemented using software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
- the available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
- the disclosed systems, devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
Claims (25)
- A secure transmission method, characterized by comprising: a first device encrypts, according to a transport layer security protocol, a message header of a message to be sent to obtain an encrypted message header, where the message to be sent includes first data, and the first data is encrypted by an application layer security protocol and is not encrypted by the transport layer security protocol; the first device sends a first encrypted message to a second device, where the first encrypted message includes the encrypted message header and the first data.
- The method according to claim 1, wherein the application layer security protocol includes: the Packet Data Convergence Protocol (PDCP) layer protocol.
- The method according to claim 1 or 2, wherein the transport layer security protocol includes a media access control security protocol or an internet protocol security protocol.
- The method according to any one of claims 1 to 3, wherein the method further includes: the first device sends length information of the message header of the message to be sent to the second device.
- The method according to any one of claims 1 to 4, wherein the message to be sent further includes second data that is not encrypted by the application layer security protocol, the first encrypted message further includes encrypted data, and the method further includes: the first device encrypts the second data according to the transport layer security protocol to obtain the encrypted data.
- The method according to claim 5, wherein the second data is located before the first data.
- The method according to claim 5 or 6, wherein the method further includes: the first device sends length information of the second data to the second device.
- The method according to any one of claims 5 to 7, wherein the second data includes control data, management plane data or synchronization clock data transmitted on a fronthaul interface.
- The method according to any one of claims 1 to 8, wherein the first data is air interface data.
- The method according to any one of claims 1 to 9, wherein before the first encrypted message is generated, the method further includes: the first device receives a second encrypted message from the second device; an integrity check performed by the first device on the second encrypted message according to the transport layer security protocol fails.
- The method according to any one of claims 1 to 10, wherein before the first encrypted message is generated, the method further includes: the first device sends a third encrypted message to the second device, where the third encrypted message is generated by encrypting the message to be sent according to the transport layer security protocol; the first device receives indication information from the second device, where the indication information is used to indicate that the integrity check of the third encrypted message failed.
- The method according to any one of claims 1 to 11, wherein the first device is a source device performing message transmission in an Ethernet or a routing device connecting the source device and a destination device, the destination device is a destination device performing message transmission in the Ethernet, and the second device is the destination device or a routing device connecting the source device and the destination device.
- A secure transmission method, characterized by comprising: a second device receives an encrypted message from a first device, where the encrypted message includes an encrypted message header and first data, and the first data is encrypted by an application layer security protocol and is not encrypted by a transport layer security protocol; the second device decrypts the encrypted message header according to the transport layer security protocol.
- The method according to claim 13, wherein the application layer security protocol includes: the Packet Data Convergence Protocol (PDCP) layer protocol.
- The method according to claim 13 or 14, wherein the transport layer security protocol includes a media access control security protocol or an internet protocol security protocol.
- The method according to any one of claims 13 to 15, wherein the method further includes: the second device receives first length information from the first device; the second device determines, according to the first length information, the length of the encrypted message header before it was encrypted.
- The method according to any one of claims 13 to 16, wherein the encrypted message further includes encrypted data, and the method further includes: the second device decrypts the encrypted data according to the transport layer security protocol to obtain second data.
- The method according to claim 17, wherein the method further includes: the second device receives second length information from the first device; the second device determines, according to the second length information, the length of the second encrypted data before it was encrypted.
- The method according to claim 17 or 18, wherein the second data includes control data, management plane data or synchronization clock data transmitted on a fronthaul interface.
- The method according to any one of claims 13 to 19, wherein the first data is air interface data.
- The method according to any one of claims 13 to 20, wherein the first device is a source device performing message transmission in an Ethernet or a routing device connecting the source device and a destination device, and the second device is the destination device or a routing device connecting the source device and the destination device.
- An apparatus, characterized by comprising at least one processor, the at least one processor being coupled to at least one memory, and the at least one processor being configured to execute a computer program or instructions stored in the at least one memory so that the apparatus performs the method according to any one of claims 1 to 12.
- An apparatus, characterized by comprising at least one processor, the at least one processor being coupled to at least one memory, and the at least one processor being configured to execute a computer program or instructions stored in the at least one memory so that the apparatus performs the method according to any one of claims 13 to 21.
- A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed, the method according to any one of claims 1 to 21 is performed.
- A system, characterized by comprising the apparatuses according to claims 22 and 23.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020247025953A KR20240130781A (ko) | 2021-12-31 | 2022-12-29 | 보안 송신 방법 및 장치 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111670362.8 | 2021-12-31 | ||
CN202111670362.8A CN114465775B (zh) | 2021-12-31 | 2021-12-31 | 安全传输方法及装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023125865A1 true WO2023125865A1 (zh) | 2023-07-06 |
Family
ID=81407541
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/143624 WO2023125865A1 (zh) | 2021-12-31 | 2022-12-29 | 安全传输方法及装置 |
Country Status (3)
Country | Link |
---|---|
KR (1) | KR20240130781A (zh) |
CN (1) | CN114465775B (zh) |
WO (1) | WO2023125865A1 (zh) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114465775B (zh) * | 2021-12-31 | 2023-10-20 | 华为技术有限公司 | 安全传输方法及装置 |
CN115378660A (zh) * | 2022-07-29 | 2022-11-22 | 天翼云科技有限公司 | 一种数据传输方法、装置、设备及介质 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180063103A1 (en) * | 2016-08-26 | 2018-03-01 | Nicira, Inc. | Secure key management protocol for distributed network encryption |
CN111567095A (zh) * | 2018-01-10 | 2020-08-21 | 三星电子株式会社 | 用于无线通信系统中的无线通信的方法和装置 |
CN112073372A (zh) * | 2020-08-04 | 2020-12-11 | 南京国电南自维美德自动化有限公司 | 一种电力系统通信报文双重加密方法、解密方法和报文交互系统 |
CN113438071A (zh) * | 2021-05-28 | 2021-09-24 | 荣耀终端有限公司 | 安全通信的方法及设备 |
CN114465775A (zh) * | 2021-12-31 | 2022-05-10 | 华为技术有限公司 | 安全传输方法及装置 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100488168C (zh) * | 2005-12-13 | 2009-05-13 | 华为技术有限公司 | 一种对应用层报文进行安全封装的方法 |
CN102281203A (zh) * | 2011-09-08 | 2011-12-14 | 航天科工深圳(集团)有限公司 | 一种iec101协议报文传输的方法和系统 |
CN102882789B (zh) * | 2012-09-17 | 2016-03-30 | 华为技术有限公司 | 一种数据报文处理方法、系统及设备 |
CN104811427B (zh) * | 2014-01-27 | 2017-12-19 | 沈阳中科奥维科技股份有限公司 | 一种安全的工业控制系统通信方法 |
US10951533B2 (en) * | 2017-09-27 | 2021-03-16 | Qualcomm Incorporated | Header formats in wireless communication |
KR20200076558A (ko) * | 2018-12-19 | 2020-06-29 | 삼성전자주식회사 | 차세대 이동 통신 시스템에서 pdcp 계층 장치 기반 보안키 확인 방법 및 장치 |
CN112448918B (zh) * | 2019-08-29 | 2023-06-09 | 华为技术有限公司 | 报文传输方法及装置、计算机存储介质 |
CN111371549B (zh) * | 2020-03-05 | 2023-03-24 | 浙江双成电气有限公司 | 一种报文数据传输方法、装置及系统 |
CN112165494B (zh) * | 2020-09-30 | 2023-04-28 | 厦门亿联网络技术股份有限公司 | 报文分析方法、装置、电子设备及存储介质 |
- 2021-12-31 CN CN202111670362.8A patent/CN114465775B/zh active Active
- 2022-12-29 WO PCT/CN2022/143624 patent/WO2023125865A1/zh active Application Filing
- 2022-12-29 KR KR1020247025953A patent/KR20240130781A/ko active Search and Examination
Also Published As
Publication number | Publication date |
---|---|
CN114465775B (zh) | 2023-10-20 |
CN114465775A (zh) | 2022-05-10 |
KR20240130781A (ko) | 2024-08-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22915114; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2022915114; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 202437053820; Country of ref document: IN |
| ENP | Entry into the national phase | Ref document number: 2022915114; Country of ref document: EP; Effective date: 20240712 |
| ENP | Entry into the national phase | Ref document number: 20247025953; Country of ref document: KR; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |