WO2024065469A1 - Direct link establishment method, device and storage medium - Google Patents

Direct link establishment method, device and storage medium

Info

Publication number
WO2024065469A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
key
shared
link
relay
Prior art date
Application number
PCT/CN2022/122824
Other languages
English (en)
French (fr)
Inventor
商正仪
陆伟
Original Assignee
北京小米移动软件有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京小米移动软件有限公司
Priority to CN202280003895.7A (CN118120200A)
Priority to PCT/CN2022/122824 (WO2024065469A1)
Publication of WO2024065469A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 27/00 Modulated-carrier systems

Definitions

  • the present disclosure relates to the field of communication technology, and in particular to a method, device and storage medium for establishing a direct link.
  • in order to better enable direct communication between user equipment (UE), the 5G ProSe service can be introduced.
  • the 5G ProSe service addresses the following problem: if the source UE cannot communicate directly with the target UE, the source UE can first communicate with a UE-to-UE relay and then connect to the target UE through the UE-to-UE relay.
  • the transmitted information may be compromised, which undermines the security (including integrity and confidentiality) of the communication between the UEs, and the direct link established between the source UE and the target UE may be subject to a man-in-the-middle attack (MITM), causing the communication content to be leaked and damaging the security of the 5G ProSe service.
  • MITM: man-in-the-middle attack
  • the direct link establishment method, device and storage medium proposed in the present disclosure can establish a secure direct link, provide security for communication between UEs, and avoid leakage of communication content.
  • an embodiment of the present disclosure provides a method for establishing a direct link, the method being executed by a first UE, including:
  • a third message is received, which is sent by the third UE via the second UE, wherein the third message indicates that the end-to-end link establishment is completed.
  • the first message sent by the first UE to the second UE is encrypted using a first key
  • the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE and is shared by the first UE and the second UE.
  • performing a security negotiation process with the third UE to generate the end-to-end shared key includes:
  • IKEv2: Internet Key Exchange protocol, version 2
  • the third message is encrypted using the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key and the first key.
  • it further includes:
  • the user ID information includes at least one of the following:
  • a first UE identifier, a second UE identifier, and a third UE identifier.
  • an embodiment of the present disclosure provides a method for establishing a direct link, the method being executed by a third UE, including:
  • the first message is used to request to create an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 relay UE;
  • a third message is sent to the first UE via the second UE, wherein the third message indicates that the end-to-end link establishment is completed.
  • the first message received by the third UE from the second UE is encrypted using a second key, where the second key is generated by negotiation between the third UE and the second UE when creating a PC5 link between the third UE and the second UE and is shared by the third UE and the second UE.
  • the performing a security negotiation process with the first UE via the second UE to generate the end-to-end shared key includes:
  • IKEv2: Internet Key Exchange protocol, version 2
  • the third message is encrypted using the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key and the second key.
  • it further includes:
  • the user ID information includes at least one of the following:
  • a first UE identifier, a second UE identifier, and a third UE identifier.
  • an embodiment of the present disclosure provides a method for establishing a direct link, the method being executed by a second UE, including:
  • the first message received by the second UE from the first UE is encrypted using a first key, where the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE and is shared by the first UE and the second UE, and the method further includes:
  • a first message received from the first UE is decrypted based on the first key.
  • the first message sent by the second UE to the third UE is encrypted using a second key, where the second key is generated by negotiation between the third UE and the second UE when creating a PC5 link between the third UE and the second UE and is shared by the third UE and the second UE, and the method further includes:
  • a first message obtained from the first UE is encrypted based on the second key.
  • the third message received by the second UE from the third UE is encrypted using the end-to-end shared key and the second key, and the method further includes:
  • a third message received from the third UE is decrypted based on the second key.
  • the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the method further includes:
  • a third message obtained from the third UE is encrypted based on the first key.
  • the second UE stores a preconfigured long-term credential related to a relay service code RSC/proximity service ProSe code, and the long-term credential is used to generate the first key and the second key.
  • it further includes:
  • a ProSe key request is sent to a proximity communication key management function (PKMF) network element or a direct discovery name management function (DDNMF) network element of the second UE, where the ProSe key request includes a credential ID and an RSC/ProSe code, so as to request from the PKMF network element or the DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, where the long-term credential is used to generate the first key and the second key; and
  • a ProSe key response is received from the PKMF network element or the DDNMF network element, where the ProSe key response carries the long-term credential.
  • an embodiment of the present disclosure provides a direct link establishment device, which is used for a first UE, and the device includes a transceiver module, which is used to:
  • a third message is received, which is sent by the third UE via the second UE, wherein the third message indicates that the end-to-end link establishment is completed.
  • an embodiment of the present disclosure provides a direct link establishment device, characterized in that it is used for a third UE, and the device includes a transceiver module, which is used to:
  • a third message is sent to the first UE via the second UE, wherein the third message indicates that the end-to-end link establishment is completed.
  • an embodiment of the present disclosure provides a direct link establishment device, characterized in that it is used for a second UE, and the device includes a transceiver module, which is used to:
  • an embodiment of the present disclosure provides a communication device, which includes a processor.
  • when the processor calls a computer program in a memory, the method described in the first aspect is executed.
  • an embodiment of the present disclosure provides a communication device, which includes a processor.
  • when the processor calls a computer program in a memory, the method described in the second aspect is executed.
  • an embodiment of the present disclosure provides a communication device, which includes a processor.
  • when the processor calls a computer program in a memory, the method described in the third aspect is executed.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the first aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the second aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the third aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the first aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the second aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the third aspect above.
  • an embodiment of the present disclosure provides a communication system, the system comprising the communication device described in the fourth aspect to the communication device described in the sixth aspect, or the system comprising the communication device described in the seventh aspect to the communication device described in the ninth aspect, or the system comprising the communication device described in the tenth aspect to the communication device described in the twelfth aspect, or the system comprising the communication device described in the thirteenth aspect to the communication device described in the fifteenth aspect.
  • an embodiment of the present invention provides a computer-readable storage medium for storing instructions used for the above-mentioned network device.
  • when the instructions are executed, the terminal device executes the method described in any one of the above-mentioned first to third aspects.
  • the present disclosure further provides a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in any one of the first to third aspects above.
  • the present disclosure provides a chip system, which includes at least one processor and an interface, and is used to support a network device to implement the functions involved in the method described in any one of the first aspect to the third aspect, for example, determining or processing at least one of the data and information involved in the above method.
  • the chip system also includes a memory, and the memory is used to store computer programs and data necessary for the source auxiliary node.
  • the chip system can be composed of a chip, and can also include a chip and other discrete devices.
  • the present disclosure provides a computer program which, when executed on a computer, enables the computer to execute the method described in any one of the first to third aspects above.
  • in the direct link establishment method, device and storage medium of the present disclosure, the first UE first requests to create an end-to-end link for communicating with the third UE via the second UE; after receiving the shared key fed back by the third UE, it generates an end-to-end shared key jointly with the third UE and then obtains a link creation completion message. On this basis, the information communicated between the first UE (i.e., the source UE) and the third UE (i.e., the target UE) is encrypted and decrypted using the shared key, which avoids the information leakage that an attack on the layer 2 relay UE would otherwise cause, so that a secure direct link is established.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present disclosure.
  • FIG. 2 is a flow chart of a method for establishing a direct link provided by an embodiment of the present disclosure.
  • FIG. 3 is a flow chart of another direct link establishment method provided by an embodiment of the present disclosure.
  • FIG. 4 is a flow chart of another direct link establishment method provided by an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of a direct link establishment method provided by the present disclosure.
  • FIG. 6 is a structural diagram of a direct link establishment device provided in an embodiment of the present disclosure.
  • FIG. 7 is a structural diagram of another direct link establishment device provided in an embodiment of the present disclosure.
  • FIG. 8 is a structural diagram of another direct link establishment device provided by an embodiment of the present disclosure.
  • FIG. 9 is a block diagram of a communication device provided by an embodiment of the present disclosure.
  • FIG. 10 is a block diagram of a chip device provided by an embodiment of the present disclosure.
  • although the terms first, second, third, etc. may be used to describe various information in the disclosed embodiments, this information should not be limited by these terms. The terms are only used to distinguish information of the same type from one another.
  • for example, the first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information.
  • the word "if" as used herein may be interpreted as "at", "when", or "in response to determining".
  • 5G ProSe refers to direct communication between devices or between nearby mobile devices. Through UE-to-UE relay, 5G ProSe can further expand the range of direct communication.
  • IKEv2 is a secure key negotiation mechanism that can securely perform identity authentication, key distribution, and key negotiation on an insecure network, thereby establishing an Internet Protocol Security (IPSec) channel.
  • IPsec: Internet Protocol Security
  • PKMF: Proximity Key Management Function; its main functions include key generation, distribution, use, update and destruction.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present disclosure.
  • the communication system may include, but is not limited to, a first UE, a second UE, and a third UE.
  • the number and form of the devices shown in FIG. 1 are only examples and do not constitute a limitation on the embodiments of the present disclosure. In actual applications, two or more first UEs, second UEs, and third UEs may be included.
  • the communication system 10 shown in FIG. 1 takes a first UE 11, a second UE 12, and a third UE 13 as an example.
  • LTE: long term evolution
  • 5G: fifth generation
  • NR: 5G new radio
  • the direct link in the embodiments of the present disclosure may also be called a sidelink or a through link.
  • the first UE 11, the second UE 12 and the third UE 13 in the embodiments of the present disclosure are entities that receive or transmit signals on the user side, such as mobile phones.
  • UE can also be called terminal equipment (terminal), user equipment (UE), mobile station (MS), mobile terminal equipment (MT), etc.
  • the terminal equipment can be a car with communication function, a smart car, a mobile phone (mobile phone), a wearable device, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal equipment, an augmented reality (AR) terminal equipment, a wireless terminal equipment in industrial control (industrial control), a wireless terminal equipment in self-driving, a wireless terminal equipment in remote medical surgery, a wireless terminal equipment in smart grid (smart grid), a wireless terminal equipment in transportation safety (transportation safety), a wireless terminal equipment in a smart city (smart city), a wireless terminal equipment in a smart home (smart home), etc.
  • the embodiments of the present disclosure do not limit the specific technology and specific device form adopted by the terminal device.
  • the communication system described in the embodiment of the present disclosure is for the purpose of more clearly illustrating the technical solution of the embodiment of the present disclosure, and does not constitute a limitation on the technical solution provided by the embodiment of the present disclosure.
  • a person skilled in the art can know that with the evolution of the system architecture and the emergence of new business scenarios, the technical solution provided by the embodiment of the present disclosure is also applicable to similar technical problems.
  • the second UE sends a discovery message to the first UE and the third UE respectively, and the discovery message is protected by a key used for the discovery phase, including a confidentiality protection key and/or an integrity protection key.
  • the first UE can send a direct communication request to the second UE to create a PC5 link between the first UE and the second UE, and in that process negotiate a first key shared by the first UE and the second UE; the first key is used to protect the information transmitted between the first UE and the second UE. Likewise, the second UE can send a direct communication request to the third UE to create a PC5 link between the second UE and the third UE, and in that process negotiate a second key shared by the second UE and the third UE; the second key is used to protect the information transmitted between the second UE and the third UE.
  • an end-to-end link via the second UE can be created between the first UE and the third UE by the method described in this embodiment.
  • the first UE is a source UE
  • the second UE is a layer 2 relay UE
  • the third UE is a target UE.
  • FIG. 2 is a flow chart of a method for establishing a direct link provided in an embodiment of the present disclosure.
  • the method is performed by the first UE, and the method may include but is not limited to the following steps:
  • S201 Send a first message to a third UE via a second UE, wherein the first message is used to request to create an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 relay UE.
  • a first message sent by a first UE to a second UE is encrypted using a first key, and the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE and is shared by the first UE and the second UE.
  • the first message sent by the first UE to the second UE is encrypted and protected.
  • the first UE can encrypt the first message using a first key, and the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE.
  • when the first UE and the second UE create a PC5 link between them, they generate a first key (such as a ProSe security key) through direct authentication and a key generation process, and store the generated first key locally.
  • when the second UE receives the first message, it can decrypt the first message using the locally stored first key.
  • for the specific process by which the first UE and the second UE create a PC5 link between them, reference may be made to FIG. 5, which will not be repeated here.
  • the first message may include a destination identification ID, and the destination ID is the layer 2 ID of the third UE or the layer 2 ID of the second UE.
  • when the second UE receives a first message whose destination ID is the layer 2 ID of the third UE, the second UE determines, based on the destination ID, that the first message is to be forwarded to the third UE (i.e., the target UE).
  • the third UE is the target UE.
  • when the second UE receives a first message whose destination ID is the layer 2 ID of the second UE itself, the second UE determines, based on the user ID information, that the first message is to be forwarded to the third UE (i.e., the target UE).
  • the user ID information includes at least one of the following: the first UE identifier, the second UE identifier, and the third UE identifier. That is, the user ID information may include at least one of the source UE identifier, the relay UE identifier, and the target UE identifier.
  • the first UE identifier is the source UE identifier
  • the second UE identifier is the relay UE identifier
  • the third UE identifier is the target UE identifier.
  • the second UE confirms forwarding the first message to the corresponding target UE according to the user ID information, which is the third UE in this case.
  • the first UE may send user ID information to the second UE.
  • the first UE may be a source UE
  • the second UE may be a relay UE
  • the third UE may be a target UE
  • S202 Receive a second message sent by the third UE via the second UE, wherein the second message is used to request negotiation with the first UE on an end-to-end shared key shared by the first UE and the third UE.
  • S203 Perform a security negotiation process with the third UE via the second UE to generate an end-to-end shared key, wherein the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE via the end-to-end link.
  • the first UE performs the security negotiation process with the third UE via the second UE.
  • the second UE is required to forward the messages sent by the first UE and the third UE in order to complete the security negotiation process.
  • performing a security negotiation process with the third UE to generate an end-to-end shared key includes:
  • an IKEv2 authentication process is performed with the third UE via the second UE to generate the end-to-end shared key.
  • the first UE may perform a security negotiation process with the third UE to establish an end-to-end connection.
  • in the security negotiation process, in order to ensure security, an IKEv2 authentication process may be performed to authenticate the first UE and the third UE; for example, identity authentication, key distribution verification, or IPsec establishment may be used for the verification.
  • the first UE and the third UE may generate and share an end-to-end secure shared key.
  • S204 Receive a third message sent by the third UE via the second UE, where the third message indicates that the end-to-end link establishment is complete.
  • the third message may be encrypted using an end-to-end shared key.
  • the third message may be encrypted using the end-to-end shared key and the first key.
  • the first UE first sends a request to establish an end-to-end link to the third UE through the second UE. After receiving the feedback from the third UE, the first UE negotiates with the third UE on a shared key for the end-to-end link, performs the negotiation process to generate the shared key, and then waits for an indication that the creation of the end-to-end link is complete.
  • the information communicated and transmitted between the first UE (i.e., the source UE) and the third UE (i.e., the target UE) is encrypted and decrypted using a shared key, thereby avoiding information leakage caused by attacks on the layer 2 relay UE, so as to establish a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG. 3 is a flow chart of a method for establishing a direct link provided in an embodiment of the present disclosure.
  • the method is performed by a third UE, and the method may include but is not limited to the following steps:
  • S301 Receive a first message sent by a first UE via a second UE, wherein the first message is used to request to create an end-to-end link between the first UE and a third UE via the second UE, and the second UE is a layer 2 relay UE.
  • the first message received by the third UE from the second UE is encrypted using a second key
  • the second key is generated by negotiation between the third UE and the second UE when creating a PC5 link between the third UE and the second UE and is shared by the third UE and the second UE.
  • the first message may include a destination identification ID, and the destination ID is the layer 2 ID of the third UE or the layer 2 ID of the second UE.
  • the first UE may send user ID information to the second UE.
  • the third UE may also receive user ID information sent by the second UE, where the user ID information includes at least one of the following:
  • a source UE identifier;
  • a relay UE identifier;
  • a target UE identifier.
  • S302 Send a second message to the first UE via the second UE, where the second message is used to request negotiation with the first UE on an end-to-end shared key shared by the first UE and a third UE.
  • the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE through the end-to-end link.
  • S303 Perform a security negotiation process with the first UE via the second UE to generate an end-to-end shared key.
  • performing a security negotiation process with the first UE to generate an end-to-end shared key includes:
  • an IKEv2 authentication process is performed with the first UE via the second UE to generate the end-to-end shared key.
  • S304 Send a third message to the first UE via the second UE, where the third message indicates that the end-to-end link establishment is complete.
  • the third message is encrypted using an end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key and the second key.
  • the third UE receives the link creation request sent by the first UE, then negotiates with the first UE and generates an end-to-end shared key by performing the IKEv2 authentication process, and finally indicates to the first UE that the end-to-end link creation is complete.
  • the first UE is the source UE.
  • the third UE is the target UE.
  • the source UE and the target UE can then communicate directly over the end-to-end link. Because the end-to-end shared key is generated through the IKEv2 authentication process, the shared key can be used to protect the communication information, providing security for the communication between the source UE and the target UE, avoiding information leakage caused by attacks on the relay UE, and achieving the establishment of a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG. 4 is a flow chart of a method for establishing a direct link provided in an embodiment of the present disclosure.
  • the method is performed by the second UE, and the method may include but is not limited to the following steps:
  • S401 Receive a first message sent by a first UE, where the first message is used to request to create an end-to-end link between the first UE and a third UE via a second UE, where the second UE is a layer 2 relay UE.
  • the second UE stores a preconfigured long-term credential related to the Relay Service Code (RSC)/ProSe code, and the long-term credential is used to generate a first key and a second key.
  • RSC: Relay Service Code
  • a ProSe key request is sent to a PKMF network element or a DDNMF network element of the second UE, the ProSe key request including a credential ID and an RSC/ProSe code, so as to request from the PKMF network element or the DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, the long-term credential being used to generate the first key and the second key. A ProSe key response carrying the long-term credential is then received from the PKMF network element or the DDNMF network element.
  • the first message may include a destination identification ID, and the destination ID is the layer 2 ID of the third UE or the layer 2 ID of the second UE.
  • when the second UE receives a first message whose destination ID is the layer 2 ID of the third UE, the second UE determines, based on the destination ID, that the first message is to be forwarded to the third UE (i.e., the target UE).
  • the third UE is the target UE.
  • when the second UE receives a first message whose destination ID is the layer 2 ID of the second UE itself, the second UE determines, based on the user ID information, that the first message is to be forwarded to the third UE (i.e., the target UE).
  • the user ID information includes at least one of the following: the first UE identifier, the second UE identifier, and the third UE identifier. That is, the user ID information may include at least one of the source UE identifier, the relay UE identifier, and the target UE identifier.
  • the first UE identifier is the source UE identifier
  • the second UE identifier is the relay UE identifier
  • the third UE identifier is the target UE identifier.
  • the second UE confirms forwarding the first message to the corresponding target UE according to the user ID information, which is the third UE in this case.
  • the first UE may send user ID information to the second UE.
  • the first message received by the second UE from the first UE is encrypted using a first key
  • the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE and is shared by the first UE and the second UE
  • the method may also include:
  • a first message received from the first UE is decrypted based on the first key.
  • the first message sent by the first UE to the second UE is encrypted for protection.
  • the first UE can encrypt the first message using a first key, where the first key is generated by negotiation between the first UE and the second UE when the PC5 link between the first UE and the second UE is created.
  • when the first UE and the second UE create a PC5 link between them, they generate a first key (such as a ProSe security key) through direct authentication and a key generation procedure, and store the generated first key locally.
  • when the second UE receives the first message, it can decrypt the first message using the locally stored first key.
  • for the specific procedure by which the first UE and the second UE create a PC5 link between them, refer to Figure 5; it is not repeated here.
  • S402 Send the first message to the third UE.
  • S403 Receive a second message sent by the third UE, where the second message is used to request negotiation with the first UE on an end-to-end shared key shared by the first UE and the third UE.
  • the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE through the end-to-end link.
  • S404 Send the second message to the first UE, so that the first UE and the third UE perform a security negotiation process to generate an end-to-end shared key.
  • the first message sent by the second UE to the third UE is encrypted using a second key;
  • the second key is generated by negotiation between the third UE and the second UE when the PC5 link between the third UE and the second UE is created, and is shared by the third UE and the second UE;
  • in that case the method may further include:
  • encrypting the first message obtained from the first UE based on the second key.
  • the second UE can use the second key to encrypt the first message and then forward it to the third UE, and the second key is generated by negotiation between the second UE and the third UE when creating a PC5 link between the second UE and the third UE.
  • the second UE and the third UE can generate a second key (such as a ProSe security key) through direct authentication and key generation procedures when creating a PC5 link between them, and store the second key locally.
  • when the third UE receives the first message, it can decrypt the encrypted first message using the locally stored second key.
  • for the specific procedure by which the second UE and the third UE create a PC5 link between them, refer to Figure 5; it is not repeated here.
  • S405 Receive a third message sent by the third UE, where the third message indicates that the end-to-end link establishment is complete.
  • the third message received by the second UE from the third UE is encrypted using the end-to-end shared key and the second key, and the method may further include:
  • decrypting the third message received from the third UE based on the second key.
  • S406 Send the third message to the first UE.
  • the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the method may further include:
  • encrypting the third message obtained from the third UE based on the first key.
  • the second UE assists in interacting with the first UE and the third UE, receives the link creation request sent by the first UE, and forwards it to the third UE; receives the second message sent by the third UE, and forwards it to the first UE, so that the first UE and the third UE perform a security negotiation process to generate an end-to-end shared key; thereafter, receives the third message sent by the third UE, and forwards it to the first UE.
  • the information communicated and transmitted between the first UE (i.e., the source UE) and the third UE (i.e., the target UE) is encrypted and decrypted using a shared key, thereby avoiding information leakage caused by attacks on the layer 2 relay UE, so as to achieve the establishment of a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • Figure 5 is a schematic diagram of a direct link establishment method provided by the present disclosure.
  • both the target UE and the source UE can be pre-configured with the same long-term credential and long-term credential ID.
  • Step 1 before the relay UE discovery and link establishment procedure, the source UE and the target UE are provisioned with security keys for the discovery procedure.
  • Step 1 Using the security key used for the discovery process, a discovery and relay selection process is performed between the source UE, the target UE and the relay UE.
  • the source UE and the target UE discover each other and select the same layer 2 relay UE.
  • Step 2 the source UE sends a direct communication request including a long-term credential ID, a user information ID, a source UE security function, an RSC/ProSe code for a 5G ProSe end-to-end relay (U2U Relay) service, and a first random number (nonce 1) to the layer 2 relay UE.
  • the message may also include a Knrp ID, which corresponds to the Knrp, so that after the layer 2 relay receives the message, it can know the Knrp possessed by the source UE.
  • the user information ID may include at least one of source user information, target user information and relay user information.
  • Step 3a if the layer 2 relay UE already has a long-term credential identified by the long-term credential ID, skip steps 3a and 3b. Otherwise, the layer 2 relay UE sends a ProSe Key Request message to its 5G PKMF/DDNMF network element, which may contain the layer 2 relay UE identity, the long-term credential ID, and the RSC/ProSe code, indicating that the layer 2 relay UE requests a long-term credential.
  • Step 3b upon receiving the ProSe Key Request message, the 5G PKMF/DDNMF network element of the relay UE shall check whether the layer 2 relay UE is authorized to provide relay/ProSe services based on the layer 2 relay UE's relay identity and the received RSC/ProSe code. If the layer 2 relay UE authorization information is not available locally, the 5G PKMF/DDNMF network element shall request authorization information from the UDM of the layer 2 relay UE (not shown in the figure). If the layer 2 relay UE is authorized to provide relay services based on the ProSe subscription data, the 5G PKMF/DDNMF network element of the relay UE shall send the long-term credentials to the layer 2 relay UE.
  • the layer 2 relay UE identifier can be set to the ProSe application ID of the layer 2 relay UE or the SUCI of the layer 2 relay UE or the user ID information (User Info ID) of the layer 2 relay UE.
  • long-term credentials can also be pre-configured in the layer 2 relay UE. In this case, steps 3a and 3b are skipped.
  • Step 4 the layer 2 relay UE may initiate a direct authentication and key generation procedure with the source UE to generate a Knrp. If the direct communication request includes a Knrp ID, this step is skipped and the corresponding Knrp can be determined directly from the Knrp ID.
  • Step 5 the Layer 2 Relay UE shall derive the session key (Knrp-sess) from Knrp and then the confidentiality key (NRPEK) (if used) and integrity key (NRPIK) (if used) according to the PC5 security policy specified in the protocol.
  • the Layer 2 Relay UE sends a Direct Security Mode Command message to the Source UE.
  • the message shall include the selected security algorithm, the second random number (nonce 2) and shall be protected as specified in the protocol.
  • Step 6 the source UE responds to the layer 2 relay UE with a Direct Security Mode Complete message, as specified in the protocol.
  • a PC5 link is created between the source UE and the relay UE, and a first key is generated through negotiation, so that information transmitted between the source UE and the relay UE can be protected by using the first key.
  • Step 7 The Layer 2 relay UE sends a direct communication request to the target UE, which contains the long-term credential ID, user information ID, security functions of the relay UE, RSC/ProSe code for the 5G ProSe U2U relay service, and nonce 1'. If the Layer 2 relay UE has Knrp' (second key) with the target UE it is trying to communicate with, the message may also include Knrp ID'.
  • Step 8 the target UE may initiate the direct authentication and key generation process with the layer 2 relay UE to generate Knrp'. This step is skipped if Knrp ID' is included in the direct communication request.
  • Step 9 The target UE shall derive the session key (Knrp-sess’) from Knrp’ and then the confidentiality key (NRPEK’) (if used) and integrity key (NRPIK’) (if used) according to the PC5 security policy specified in the protocol.
  • the target UE sends a Direct Security Mode Command message to the Layer 2 Relay UE.
  • the message shall include the selected security algorithm, nonce 2’ and shall be protected as specified in the protocol.
  • Step 10 the Layer 2 Relay UE responds with the Direct Security Mode Complete message specified in TS 33.536[4].
  • Step 11 upon receiving the direct security mode complete message from the layer 2 relay UE, the target UE sends a direct communication accept message to the layer 2 relay UE.
  • a PC5 link is created between the target UE and the relay UE, and a second key is generated through negotiation, so that information transmitted between the target UE and the relay UE can be protected by using the second key.
  • Step 12 upon receiving the Direct Communication Accept message, the Layer 2 Relay UE sends the Direct Communication Accept message to the source UE.
  • Step 13 the source UE sends an end-to-end direct communication request to the target UE, which is forwarded by the layer 2 relay UE.
  • on the hop between the source UE and the layer 2 relay UE, the end-to-end direct communication request is protected by NRPIK/NRPEK.
  • on the hop between the layer 2 relay UE and the target UE, the end-to-end direct communication request is protected by NRPIK'/NRPEK'.
  • the destination ID of the end-to-end direct communication request can be set to the layer 2 ID of the target UE or to the layer 2 ID of the relay UE. If the destination ID is set to the layer 2 ID of the relay UE, the relay UE determines the destination from the user information ID and forwards the end-to-end DCR message to the corresponding target UE.
  • Step 14 the target UE may initiate a security negotiation procedure with the source UE to establish an end-to-end IPsec connection, which may be achieved by performing an IKEv2 authentication procedure. After IKEv2 authentication, the source UE and the target UE generate an end-to-end shared security key.
  • Step 15 the target UE responds with an end-to-end direct communication accept message, which is forwarded by the layer 2 relay UE.
  • the end-to-end direct communication accept message is protected by the end-to-end security key generated in step 14 and by the ProSe security keys (i.e., NRPIK/NRPEK and NRPIK'/NRPEK') generated in steps 2-12.
  • Step 16 a secure layer 2 PC5 link is established between the source UE and the target UE via the layer 2 relay UE.
  • the source UE and the target UE may start to communicate, in which the layer 2 relay UE relays the service data between the source UE and the target UE.
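The layered protection described in S401-S406 and in steps 13-15 above (a hop-by-hop first key and second key at the relay, plus an end-to-end shared key that the relay never holds), as an added Python model that is not part of the patent: HMAC-SHA256 stands in for the 3GPP key derivation and for the NRPEK/NRPIK algorithms, a constructed random secret stands in for the IKEv2 output of step 14, and all message contents and header values are constructed.

```python
"""Constructed model of the layered protection in the relay procedure above.

Hop-by-hop keys (the "first key" on the source-relay hop, the "second key" on
the relay-target hop) protect each PC5 link; the end-to-end shared key protects
the payload so the layer 2 relay UE forwards the accept without reading it.
HMAC-SHA256 stands in for the 3GPP KDF and the NRPEK/NRPIK algorithms (an
assumption of this example); IKEv2 itself is not modelled.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF: HMAC over the length-prefixed concatenation of parts."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class HopKeys:
    """Keys of one protected link: confidentiality key and integrity key."""
    ek: bytes  # NRPEK on a PC5 hop, or the end-to-end confidentiality key
    ik: bytes  # NRPIK on a PC5 hop, or the end-to-end integrity key


def derive_hop_keys(knrp: bytes, nonce1: bytes, nonce2: bytes) -> HopKeys:
    """Steps 5 / 9: Knrp + nonce 1 + nonce 2 -> Knrp-sess -> NRPEK and NRPIK."""
    knrp_sess = kdf(knrp, b"Knrp-sess", nonce1, nonce2)
    return HopKeys(ek=kdf(knrp_sess, b"NRPEK"), ik=kdf(knrp_sess, b"NRPIK"))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC (toy cipher for the model only)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def protect(keys: HopKeys, plaintext: bytes, header: bytes) -> bytes:
    """Encrypt-then-MAC: returns iv || ciphertext || tag; the header is authenticated."""
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys.ek, iv, len(plaintext))))
    tag = hmac.new(keys.ik, header + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unprotect(keys: HopKeys, blob: bytes, header: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise on any modification."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys.ik, header + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys.ek, iv, len(ct))))


def relay_forward(blob: bytes, key_in: HopKeys, key_out: HopKeys, header: bytes) -> bytes:
    """Second UE (S401-S406): decrypt with the incoming hop key, re-encrypt with the outgoing one."""
    return protect(key_out, unprotect(key_in, blob, header), header)


def run_scenario() -> dict:
    """Steps 13-15: relayed end-to-end DCR, then the doubly protected accept."""
    # Constructed Knrp / Knrp' and nonces, as if produced by steps 4-9.
    first_key = derive_hop_keys(os.urandom(32), os.urandom(16), os.urandom(16))   # source <-> relay
    second_key = derive_hop_keys(os.urandom(32), os.urandom(16), os.urandom(16))  # relay <-> target
    # Constructed stand-in for the IKEv2 result of step 14; known to source and target only.
    ikev2_secret = os.urandom(32)
    e2e_key = HopKeys(ek=kdf(ikev2_secret, b"E2E-EK"), ik=kdf(ikev2_secret, b"E2E-IK"))
    header = b"DEST=L2ID(relay);USERINFO=source,relay,target"  # constructed header

    # Step 13: the end-to-end DCR is protected hop by hop (NRPIK/NRPEK, then NRPIK'/NRPEK').
    dcr = protect(first_key, b"E2E Direct Communication Request", header)
    dcr_at_target = unprotect(second_key, relay_forward(dcr, first_key, second_key, header), header)

    # Step 15: the accept is protected by the end-to-end key first, then by the hop key.
    inner = protect(e2e_key, b"E2E Direct Communication Accept", header)
    accept = protect(second_key, inner, header)
    relay_view = unprotect(second_key, accept, header)  # all the relay can recover
    forwarded = protect(first_key, relay_view, header)
    accept_at_source = unprotect(e2e_key, unprotect(first_key, forwarded, header), header)

    # A compromised relay can re-protect the hop correctly with the first key, but any
    # change to the inner accept is still caught by the end-to-end integrity key.
    altered = bytearray(relay_view)
    altered[20] ^= 0x01
    hop_ok = unprotect(first_key, protect(first_key, bytes(altered), header), header)
    try:
        unprotect(e2e_key, hop_ok, header)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "dcr_at_target": dcr_at_target,
        "accept_at_source": accept_at_source,
        "relay_sees_accept_plaintext": b"Accept" in relay_view,
        "tamper_detected": tamper_detected,
    }
```

Note that the relay can read the step 13 request (it is protected hop by hop only), while the step 15 accept reaches it only as end-to-end ciphertext.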
  • FIG6 is a structural diagram of a direct link establishment device provided by an embodiment of the present disclosure.
  • the direct link establishment device is used for the first UE, and includes a transceiver module, which is used to:
  • the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE through the end-to-end link.
  • the first message sent by the first UE to the second UE is encrypted using a first key
  • the first key is generated by negotiation between the first UE and the second UE when creating a PC5 link between the first UE and the second UE and is shared by the first UE and the second UE.
  • performing a security negotiation procedure with the third UE to generate the end-to-end shared key includes:
  • performing an Internet Key Exchange protocol (IKEv2) authentication procedure with the third UE via the second UE to generate the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key and the first key.
  • the device is further used for:
  • the user ID information includes at least one of the following: the source UE identifier (the first UE identifier), the relay UE identifier (the second UE identifier) and the target UE identifier (the third UE identifier).
  • the first UE first sends, via the second UE, a request to the third UE to create an end-to-end link. After receiving the third UE's feedback, it negotiates with the third UE the shared key of the end-to-end link, generates the shared key in that negotiation procedure, and waits for the indication that creation of the end-to-end link is complete. On this basis, the UEs can communicate directly with each other using the created end-to-end link, and the communication content can be encrypted and decrypted with the shared key, which provides security for communication between UEs, avoids information leakage caused by attacks on the relay UE, and achieves the establishment of a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG. 7 is a structural diagram of a direct link establishment device provided in an embodiment of the present disclosure.
  • the direct link establishment device used for the third UE, includes a transceiver module, which is used to:
  • a third message is sent to the first UE via the second UE, wherein the third message indicates that the end-to-end link establishment is completed.
  • the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE through the end-to-end link.
  • the first message received by the third UE from the second UE is encrypted using a second key, where the second key is generated by negotiation between the third UE and the second UE when creating a PC5 link between the third UE and the second UE and is shared by the third UE and the second UE.
  • the transceiver module is further used to:
  • performing an Internet Key Exchange protocol (IKEv2) authentication procedure with the first UE via the second UE to generate the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key.
  • the third message is encrypted using the end-to-end shared key and the second key.
  • the device is further used for:
  • the user ID information includes at least one of the following: the source UE identifier (the first UE identifier), the relay UE identifier (the second UE identifier) and the target UE identifier (the third UE identifier).
  • the third UE receives the link creation request sent by the first UE, then negotiates with the first UE and generates an end-to-end shared key based on the execution of the IKEv2 authentication process, and finally instructs the first UE that the end-to-end link creation is completed.
  • UEs can communicate directly over the end-to-end link, can generate the end-to-end shared key by performing the IKEv2 authentication procedure, and can use the shared key to protect the communication information, which provides security for communication between UEs, avoids information leakage caused by attacks on the relay UE, and achieves the establishment of a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG8 is a structural diagram of a direct link establishment device provided in an embodiment of the present disclosure.
  • the direct link establishment device is used for the second UE, and includes a transceiver module, which is used to:
  • the end-to-end shared key is used to encrypt and decrypt information transmitted between the first UE and the third UE through the end-to-end link.
  • the transceiver module is further used to:
  • a first message received from the first UE is decrypted based on the first key.
  • the first message sent by the second UE to the third UE is encrypted using the second key, where the second key is generated by negotiation between the third UE and the second UE when creating a PC5 link between the third UE and the second UE and is shared by the third UE and the second UE, and the method further includes:
  • a first message obtained from the first UE is encrypted based on the second key.
  • the transceiver module is further used to:
  • a third message received from the third UE is decrypted based on the second key.
  • the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the device is further used to:
  • a third message obtained from the third UE is encrypted based on the first key.
  • the second UE stores a preconfigured long-term credential associated with a relay service code (RSC)/ProSe code, and the long-term credential is used to generate the first key and the second key.
  • the device is further used for:
  • sending a ProSe key request to the proximity communication key management function (PKMF) network element or the direct discovery name management function (DDNMF) network element of the second UE, where the ProSe key request includes a credential ID and an RSC/ProSe code, so as to request from the PKMF network element or the DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, where the long-term credential is used to generate the first key and the second key; and
  • receiving a ProSe key response from the PKMF network element or the DDNMF network element, where the ProSe key response carries the long-term credential.
  • the second UE assists in interacting with the first UE and the third UE, receives the link creation request sent by the first UE, and forwards it to the third UE; receives the second message sent by the third UE, and forwards it to the first UE, so that the first UE and the third UE perform a security negotiation process to generate an end-to-end shared key; thereafter, receives the third message sent by the third UE, and forwards it to the first UE.
  • the information communicated and transmitted between the first UE (i.e., the source UE) and the third UE (i.e., the target UE) is encrypted and decrypted using a shared key, thereby avoiding information leakage caused by attacks on the layer 2 relay UE, so as to achieve the establishment of a secure direct link.
  • the layer 2 relay UE participates in the process of establishing a direct link, so that a secure direct link can be effectively established.
  • FIG. 9 is a schematic diagram of the structure of a communication device 900 provided in an embodiment of the present application.
  • the communication device 900 can be a network device, or a terminal device, or a chip, a chip system, or a processor that supports the network device to implement the above method, or a chip, a chip system, or a processor that supports the terminal device to implement the above method.
  • the device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.
  • the communication device 900 may include one or more processors 901.
  • the processor 901 may be a general-purpose processor or a dedicated processor, etc. For example, it may be a baseband processor or a central processing unit.
  • the baseband processor may be used to process the communication protocol and the communication data
  • the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.
  • the communication device 900 may further include one or more memories 902, on which a computer program 904 may be stored, and the processor 901 executes the computer program 904 so that the communication device 900 performs the method described in the above method embodiment.
  • data may also be stored in the memory 902.
  • the communication device 900 and the memory 902 may be provided separately or integrated together.
  • the communication device 900 may further include a transceiver 905 and an antenna 906.
  • the transceiver 905 may be referred to as a transceiver unit, a transceiver, or a transceiver circuit, etc., and is used to implement a transceiver function.
  • the transceiver 905 may include a receiver and a transmitter, the receiver may be referred to as a receiver or a receiving circuit, etc., and is used to implement a receiving function; the transmitter may be referred to as a transmitter or a transmitting circuit, etc., and is used to implement a transmitting function.
  • the communication device 900 may further include one or more interface circuits 907.
  • the interface circuit 907 is used to receive code instructions and transmit them to the processor 901.
  • the processor 901 runs the code instructions to enable the communication device 900 to perform the method described in the above method embodiment.
  • the processor 901 may include a transceiver for implementing the receiving and sending functions.
  • the transceiver may be a transceiver circuit, an interface, or an interface circuit.
  • the transceiver circuit, interface, or interface circuit for implementing the receiving and sending functions may be separate or integrated.
  • the above-mentioned transceiver circuit, interface, or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface, or interface circuit may be used for transmitting or delivering signals.
  • the processor 901 may store a computer program 903, which runs on the processor 901 and enables the communication device 900 to perform the method described in the above method embodiment.
  • the computer program 903 may be fixed in the processor 901, in which case the processor 901 may be implemented by hardware.
  • the communication device 900 may include a circuit that can implement the functions of sending or receiving or communicating in the aforementioned method embodiments.
  • the processor and transceiver described in the present application can be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit (RFIC), a mixed-signal IC, an application-specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc.
  • the processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (nMetal-oxide-semiconductor, NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
  • the communication device described in the above embodiments may be a network device or a terminal device, but the scope of the communication device described in the present application is not limited thereto, and the structure of the communication device may not be limited by FIG. 9.
  • the communication device may be an independent device or may be part of a larger device.
  • the communication device may be:
  • the IC set may also include a storage component for storing data and computer programs;
  • an ASIC, such as a modem;
  • the communication device can be a chip or a chip system
  • the schematic diagram of the chip structure shown in Figure 10 includes a processor 1001 and an interface 1002.
  • the number of processors 1001 can be one or more, and the number of interfaces 1002 can be multiple.
  • the chip further includes a memory 1003, and the memory 1003 is used to store necessary computer programs and data.
  • the present application also provides a readable storage medium having instructions stored thereon, which implement the functions of any of the above method embodiments when executed by a computer.
  • the present application also provides a computer program product, which implements the functions of any of the above method embodiments when executed by a computer.
  • the computer program product includes one or more computer programs.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer program can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program can be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
  • At least one in the present application can also be described as one or more, and a plurality can be two, three, four or more, which is not limited in the present application.
  • in the present application, technical features are distinguished by "first", "second", "third", "A", "B", "C", "D", etc., and there is no order of precedence or difference in magnitude between the technical features described by "first", "second", "third", "A", "B", "C" and "D".
  • the corresponding relationships shown in each table in the present application can be configured or predefined.
  • the values of the information in each table are only examples and can be configured as other values, which are not limited by the present application.
  • the corresponding relationships shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, such as splitting, merging, etc.
  • the names of the parameters shown in the titles in the above tables can also use other names that can be understood by the communication device, and the values or representations of the parameters can also be other values or representations that can be understood by the communication device.
  • other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps or hash tables.
  • the predefined in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, solidified, or pre-burned.

Abstract

The present disclosure proposes a direct link establishment method, apparatus and storage medium. The method includes: a first UE sends a first message to a third UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 relay UE; receiving a second message sent by the third UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE; performing a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and receiving a third message sent by the third UE via the second UE, where the third message indicates that creation of the end-to-end link is complete. On this basis, the first UE and the third UE can communicate directly using the created end-to-end link, achieving the establishment of a secure direct link. In the present application, the layer 2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.

Description

A direct link establishment method, device and storage medium
Technical Field
The present disclosure relates to the field of communication technology, and in particular to a direct link establishment method, device and storage medium.
Background
In a communication system, in order to better enable direct communication between user equipments (UEs), 5G ProSe services can be introduced.
In the related art, 5G ProSe services can better solve the following problem: if a source UE cannot communicate directly with a target UE, the source UE can first try to communicate with a UE-to-UE relay, and connect to the target UE through the UE-to-UE relay for communication.
However, in the related art, if communication passes through a layer 2 relay UE that is an untrusted node, the transmitted information may be compromised, so that the security (including integrity and confidentiality) of the communication information between the UEs is damaged; the direct link established with the source UE and the target UE may be subject to a man-in-the-middle attack (MITM), and the communication content may be leaked, which harms the security of the 5G ProSe service.
Summary
The direct link establishment method, device and storage medium proposed by the present disclosure can establish a secure direct link, provide security for communication between UEs, and avoid leakage of communication content.
In a first aspect, an embodiment of the present disclosure provides a direct link establishment method, performed by a first UE, including:
sending a first message to a third UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 relay UE;
receiving a second message sent by the third UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
performing a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and
receiving a third message sent by the third UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
Optionally, in an embodiment of the present disclosure, the first message sent by the first UE to the second UE is encrypted using a first key, where the first key is generated by negotiation between the first UE and the second UE when the PC5 link between the first UE and the second UE is created, and is shared by the first UE and the second UE.
Optionally, in an embodiment of the present disclosure, performing the security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key includes:
performing an Internet Key Exchange protocol (IKEv2) authentication procedure with the third UE via the second UE to generate the end-to-end shared key.
Optionally, in an embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key.
Optionally, in an embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key and the first key.
Optionally, in an embodiment of the present disclosure, the method further includes:
sending user ID information to the second UE, where the user ID information includes at least one of the following:
a first UE identifier, a second UE identifier and a third UE identifier.
In a second aspect, an embodiment of the present disclosure provides a direct link establishment method, performed by a third UE, including:
receiving a first message sent by a first UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 relay UE;
sending a second message to the first UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
performing a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key; and
sending a third message to the first UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
Optionally, in an embodiment of the present disclosure, the first message received by the third UE from the second UE is encrypted using a second key, where the second key is generated by negotiation between the third UE and the second UE when the PC5 link between the third UE and the second UE is created, and is shared by the third UE and the second UE.
Optionally, in an embodiment of the present disclosure, performing the security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key includes:
performing an Internet Key Exchange protocol (IKEv2) authentication procedure with the first UE via the second UE to generate the end-to-end shared key.
Optionally, in an embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key.
Optionally, in an embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key and the second key.
Optionally, in an embodiment of the present disclosure, the method further includes:
receiving user ID information sent by the second UE, where the user ID information includes at least one of the following:
a first UE identifier, a second UE identifier and a third UE identifier.
In a third aspect, an embodiment of the present disclosure provides a direct link establishment method, performed by a second UE, including:
receiving a first message sent by a first UE, where the first message is used to request creation of an end-to-end link between the first UE and a third UE via the second UE, and the second UE is a layer 2 relay UE;
sending the first message to the third UE;
receiving a second message sent by the third UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
sending the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key;
receiving a third message sent by the third UE, where the third message indicates that creation of the end-to-end link is complete; and
sending the third message to the first UE.
Optionally, in an embodiment of the present disclosure, the first message received by the second UE from the first UE is encrypted using a first key, where the first key is generated by negotiation between the first UE and the second UE when the PC5 link between the first UE and the second UE is created, and is shared by the first UE and the second UE, and the method further includes:
decrypting the first message received from the first UE based on the first key.
Optionally, in an embodiment of the present disclosure, the first message sent by the second UE to the third UE is encrypted using a second key, where the second key is generated by negotiation between the third UE and the second UE when the PC5 link between the third UE and the second UE is created, and is shared by the third UE and the second UE, and the method further includes:
encrypting the first message obtained from the first UE based on the second key.
Optionally, in an embodiment of the present disclosure, the third message received by the second UE from the third UE is encrypted using the end-to-end shared key and the second key, and the method further includes:
decrypting the third message received from the third UE based on the second key.
Optionally, in an embodiment of the present disclosure, the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the method further includes:
encrypting the third message obtained from the third UE based on the first key.
Optionally, in an embodiment of the present disclosure, the second UE stores a preconfigured long-term credential associated with a relay service code (RSC)/proximity service (ProSe) code, and the long-term credential is used to generate the first key and the second key.
Optionally, in an embodiment of the present disclosure, the method further includes:
sending a ProSe key request to the proximity communication key management function (PKMF) network element or the direct discovery name management function (DDNMF) network element of the second UE, where the ProSe key request includes a credential ID and an RSC/ProSe code, so as to request from the PKMF network element or the DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, where the long-term credential is used to generate the first key and the second key; and
receiving a ProSe key response from the PKMF network element or the DDNMF network element, where the ProSe key response carries the long-term credential.
In a fourth aspect, an embodiment of the present disclosure provides a direct link establishment apparatus for a first UE, the apparatus including a transceiver module, which is used to:
send a first message to a third UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 UE;
receive a second message sent by the third UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
perform a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and
receive a third message sent by the third UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
In a fifth aspect, an embodiment of the present disclosure provides a direct link establishment apparatus for a third UE, the apparatus including a transceiver module, which is used to:
receive a first message sent by a first UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, and the second UE is a layer 2 UE;
send a second message to the first UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
perform a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key; and
send a third message to the first UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
In a sixth aspect, an embodiment of the present disclosure provides a direct link establishment apparatus for a second UE, the apparatus including a transceiver module, which is used to:
receive a first message sent by a first UE, where the first message is used to request creation of an end-to-end link between the first UE and a third UE via the second UE, and the second UE is a layer 2 relay UE;
send the first message to the third UE;
receive a second message sent by the third UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
send the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key;
receive a third message sent by the third UE, where the third message indicates that creation of the end-to-end link is complete; and
send the third message to the first UE.
In a seventh aspect, an embodiment of the present disclosure provides a communication apparatus including a processor; when the processor calls a computer program in a memory, the method of the first aspect is performed.
In an eighth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor; when the processor calls a computer program in a memory, the method of the second aspect is performed.
In a ninth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor; when the processor calls a computer program in a memory, the method of the third aspect is performed.
In a tenth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory so that the communication apparatus performs the method of the first aspect.
In an eleventh aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory so that the communication apparatus performs the method of the second aspect.
In a twelfth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory so that the communication apparatus performs the method of the third aspect.
In a thirteenth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and an interface circuit, where the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions so that the apparatus performs the method of the first aspect.
In a fourteenth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and an interface circuit, where the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions so that the apparatus performs the method of the second aspect.
In a fifteenth aspect, an embodiment of the present disclosure provides a communication apparatus including a processor and an interface circuit, where the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions so that the apparatus performs the method of the third aspect.
In a sixteenth aspect, an embodiment of the present disclosure provides a communication system, which includes the communication apparatuses of the fourth to sixth aspects, or the communication apparatuses of the seventh to ninth aspects, or the communication apparatuses of the tenth to twelfth aspects, or the communication apparatuses of the thirteenth to fifteenth aspects.
In a seventeenth aspect, an embodiment of the present invention provides a computer-readable storage medium for storing instructions used by the above network device; when the instructions are executed, the terminal device is caused to perform the method of any one of the first to third aspects.
In an eighteenth aspect, the present disclosure further provides a computer program product including a computer program which, when run on a computer, causes the computer to perform the method of any one of the first to third aspects.
In a nineteenth aspect, the present disclosure provides a chip system including at least one processor and an interface, used to support a network device in implementing the functions involved in the method of any one of the first to third aspects, for example, determining or processing at least one of the data and information involved in the above method. In one possible design, the chip system further includes a memory, which is used to store the computer programs and data necessary for the source secondary node. The chip system may consist of chips, or may include chips and other discrete components.
In a twentieth aspect, the present disclosure provides a computer program which, when run on a computer, causes the computer to perform the method of any one of the first to third aspects.
The present disclosure provides a direct link establishment method, device and storage medium, in which a first UE first requests creation of an end-to-end link for communicating with a third UE via a second UE; after receiving the shared key fed back by the third UE, it generates the end-to-end shared key jointly with the third UE and obtains a link creation complete message. On this basis, the information communicated between the first UE (i.e., the source UE) and the third UE (i.e., the target UE) is encrypted and decrypted with the shared key, which avoids information leakage caused by attacks on the layer 2 relay UE and achieves the establishment of a secure direct link. In the present application, the layer 2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and/or additional aspects and advantages of the present disclosure will become apparent and readily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
FIG. 1 is a schematic architecture diagram of a communication system provided by an embodiment of the present disclosure;
FIG. 2 is a flowchart of a direct link establishment method provided by an embodiment of the present disclosure;
FIG. 3 is a flowchart of another direct link establishment method provided by an embodiment of the present disclosure;
FIG. 4 is a flowchart of yet another direct link establishment method provided by an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a direct link establishment method provided by the present disclosure;
FIG. 6 is a structural diagram of a direct link establishment apparatus provided by an embodiment of the present disclosure;
FIG. 7 is a structural diagram of another direct link establishment apparatus provided by an embodiment of the present disclosure;
FIG. 8 is a structural diagram of yet another direct link establishment apparatus provided by an embodiment of the present disclosure;
FIG. 9 is a block diagram of a communication apparatus provided by an embodiment of the present disclosure;
FIG. 10 is a block diagram of a chip apparatus provided by an embodiment of the present disclosure.
DETAILED DESCRIPTION
Exemplary embodiments will be described in detail here, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the embodiments of the present disclosure. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the embodiments of the present disclosure as detailed in the appended claims.
The terms used in the embodiments of the present disclosure are for the purpose of describing particular embodiments only and are not intended to limit the embodiments of the present disclosure. The singular forms "a" and "the" used in the embodiments of the present disclosure and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe various information, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the embodiments of the present disclosure, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the words "if" and "in case" as used herein may be interpreted as "when", "upon" or "in response to determining".
For ease of understanding, the terms involved in the present application are first introduced.
1. 5G Proximity Service (ProSe)
ProSe refers to direct communication between devices or between nearby mobile devices. Through UE-to-UE relay, 5G ProSe can further extend the range of direct communication.
2. Internet Key Exchange Version 2 (IKEv2)
IKEv2 is a set of secure key negotiation mechanisms that can securely perform identity authentication, key distribution and key negotiation over an insecure network, thereby establishing an Internet Protocol Security (IPsec) tunnel.
3. Proximity Key Management Function (PKMF)
Its main functions are key generation, distribution, use, update and destruction.
For a better understanding of the direct link establishment method disclosed in the embodiments of the present disclosure, the communication system to which the embodiments apply is first described below.
Embodiments of the present disclosure are described in detail below, examples of which are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements. The embodiments described below with reference to the drawings are exemplary and intended to explain the present disclosure, and should not be construed as limiting it.
FIG. 1 is a schematic architecture diagram of a communication system provided by an embodiment of the present disclosure. The communication system may include, but is not limited to, a first UE, a second UE and a third UE. The number and form of the devices shown in FIG. 1 are for illustration only and do not limit the embodiments of the present disclosure; in practice, two or more first UEs, second UEs and third UEs may be included. The communication system 10 shown in FIG. 1 is illustrated as including one first UE 11, one second UE 12 and one third UE 13.
It should be noted that the technical solutions of the embodiments of the present disclosure may be applied to various communication systems, for example a long term evolution (LTE) system, a fifth generation (5G) mobile communication system, a 5G new radio (NR) system, or other future new mobile communication systems. It should also be noted that the direct link in the embodiments of the present disclosure may also be referred to as a sidelink or a direct-through link.
The first UE 11, second UE 12 and third UE 13 in the embodiments of the present disclosure are user-side entities for receiving or transmitting signals, such as mobile phones. A UE may also be referred to as a terminal device (terminal), user equipment (UE), mobile station (MS), mobile terminal (MT), etc. The terminal device may be a car with communication capability, a smart car, a mobile phone, a wearable device, a tablet (Pad), a computer with wireless transceiver capability, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control, a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in a smart grid, a wireless terminal device in transportation safety, a wireless terminal device in a smart city, a wireless terminal device in a smart home, and so on. The embodiments of the present disclosure do not limit the specific technology and specific device form adopted by the terminal device.
It can be understood that the communication system described in the embodiments of the present disclosure is intended to explain the technical solutions of the embodiments more clearly and does not constitute a limitation on them; a person of ordinary skill in the art will appreciate that, as the system architecture evolves and new service scenarios emerge, the technical solutions provided by the embodiments of the present disclosure are equally applicable to similar technical problems.
The direct link establishment method and apparatus provided by the present disclosure are described in detail below with reference to the drawings.
It should be noted that, in one embodiment of the present disclosure, the second UE sends discovery messages to the first UE and the third UE respectively; the discovery messages are protected with keys for the discovery phase, which include a confidentiality protection key and/or an integrity protection key. By performing the discovery procedure and the relay selection procedure, the first UE and the third UE can discover each other and select the second UE as the relay UE. The first UE may then send a direct communication request to the second UE to create a PC5 link between the first UE and the second UE, and in this process negotiate a first key shared by the first UE and the second UE, which is used to protect the information transmitted between the first UE and the second UE; and the second UE may send a direct communication request to the third UE to create a PC5 link between the second UE and the third UE, and in this process negotiate a second key shared by the second UE and the third UE, which is used to protect the information transmitted between the second UE and the third UE. Then, an end-to-end link via the second UE can be created between the first UE and the third UE by the method described in this embodiment. It is worth noting that the first UE is the source UE, the second UE is the layer-2 relay UE, and the third UE is the target UE.
FIG. 2 is a flowchart of a direct link establishment method provided by an embodiment of the present disclosure.
As shown in FIG. 2, the method is performed by the first UE and may include, but is not limited to, the following steps:
S201: sending a first message to the third UE via the second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 relay UE.
In one embodiment of the present disclosure, the first message sent by the first UE to the second UE is encrypted using a first key, the first key being negotiated and generated by the first UE and the second UE when creating the PC5 link between them and shared by the first UE and the second UE.
Specifically, in one embodiment of the present disclosure, for security, the first message sent by the first UE to the second UE is protected by encryption. The first UE may encrypt the first message with the first key, which was negotiated and generated by the first UE and the second UE when creating the PC5 link between them. For example, when creating the PC5 link between them, the first UE and the second UE generate the first key (for example, a ProSe security key) through a direct authentication and key generation procedure and store the generated first key locally. When the second UE receives the first message, it can decrypt it with the locally stored first key. The specific process by which the first UE and the second UE create the PC5 link between them is shown in FIG. 5 and is not repeated here.
Also, in one embodiment of the present disclosure, the first message may include a destination ID, the destination ID being the layer-2 ID of the third UE or the layer-2 ID of the second UE.
For example, when the second UE receives a first message whose destination ID is the layer-2 ID of the third UE, the second UE determines from the destination ID that the first message is to be forwarded to the third UE (i.e. the target UE).
As another example, when the second UE receives a first message whose destination ID is the layer-2 ID of the second UE, the second UE determines from the user ID information that the first message is to be forwarded to the third UE (i.e. the target UE). The user ID information includes at least one of a first UE identifier, a second UE identifier and a third UE identifier. That is, the user ID information may include at least one of a source UE identifier, a relay UE identifier and a target UE identifier; in this embodiment, the first UE identifier is the source UE identifier, the second UE identifier is the relay UE identifier and the third UE identifier is the target UE identifier. The second UE determines from the user ID information that the first message is to be forwarded to the corresponding target UE, here the third UE.
Also, in one embodiment of the present disclosure, the first UE may send the user ID information to the second UE.
By way of example, in one embodiment of the present disclosure, the first UE may be the source UE, the second UE may be the relay UE, and the third UE may be the target UE.
S202: receiving a second message sent by the third UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE.
S203: performing a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key. The end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
The first UE performs the security negotiation procedure with the third UE via the second UE; during the security negotiation between the first UE and the third UE, the second UE needs to forward the messages sent by the first UE and the third UE in order for the procedure to complete.
In one embodiment of the present disclosure, performing the security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key includes:
performing an IKEv2 authentication procedure with the third UE via the second UE to generate the end-to-end shared key.
Specifically, in one embodiment of the present disclosure, after receiving the second message, the first UE may perform a security negotiation procedure with the third UE to establish an end-to-end connection. During the negotiation, to ensure security, an IKEv2 authentication procedure may be performed to authenticate the first UE and the third UE, for example by identity authentication, key distribution verification or establishing IPsec. After authentication succeeds, the first UE and the third UE can generate and share an end-to-end security shared key.
S204: receiving a third message sent by the third UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
In one embodiment of the present disclosure, the third message may be encrypted using the end-to-end shared key.
Also, in one embodiment of the present disclosure, the third message may be encrypted using the end-to-end shared key and the first key.
In summary, in the direct link establishment method provided by the embodiments of the present disclosure, the first UE first sends an end-to-end link establishment request to the third UE through the second UE; after obtaining feedback from the third UE, it can negotiate with the third UE to share the shared key of the end-to-end link, then performs the negotiation procedure to generate the shared key, and waits for the indication that creation of the end-to-end link is complete. On this basis, the information communicated between the first UE (i.e. the source UE) and the third UE (i.e. the target UE) is encrypted and decrypted with the shared key, which avoids information leakage caused by an attack on the layer-2 relay UE and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
FIG. 3 is a flowchart of a direct link establishment method provided by an embodiment of the present disclosure.
As shown in FIG. 3, the method is performed by the third UE and may include, but is not limited to, the following steps:
S301: receiving a first message sent by the first UE via the second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 relay UE.
In one embodiment of the present disclosure, the first message received by the third UE from the second UE is encrypted using a second key, the second key being negotiated and generated by the third UE and the second UE when creating the PC5 link between them and shared by the third UE and the second UE.
Also, in one embodiment of the present disclosure, the first message may include a destination ID, the destination ID being the layer-2 ID of the third UE or the layer-2 ID of the second UE.
Also, in one embodiment of the present disclosure, the first UE may send user ID information to the second UE.
Also, in one embodiment of the present disclosure, the third UE may further receive user ID information sent by the second UE, the user ID information including at least one of:
a source UE identifier, a relay UE identifier and a target UE identifier.
S302: sending a second message to the first UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE.
The end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
S303: performing a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key.
In one embodiment of the present disclosure, performing the security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key includes:
performing an IKEv2 authentication procedure with the first UE via the second UE to generate the end-to-end shared key.
S304: sending a third message to the first UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
In one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key.
Also, in one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key and the second key.
In summary, in the direct link establishment method provided by the embodiments of the present disclosure, the third UE receives the link creation request sent by the first UE, then negotiates with the first UE and generates the end-to-end shared key by performing the IKEv2 authentication procedure, and finally indicates to the first UE that creation of the end-to-end link is complete. On this basis, the first UE (i.e. the source UE) and the third UE (i.e. the target UE) can communicate directly over the end-to-end link, can generate the end-to-end shared key by performing the IKEv2 authentication procedure, and can protect the communicated information with the shared key, which improves the security of communication between the source UE and the target UE, avoids information leakage caused by an attack on the relay UE, and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
FIG. 4 is a flowchart of a direct link establishment method provided by an embodiment of the present disclosure.
As shown in FIG. 4, the method is performed by the second UE and may include, but is not limited to, the following steps:
S401: receiving a first message sent by the first UE, the first message being used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 relay UE.
In one embodiment of the present disclosure, the second UE stores a preconfigured long-term credential associated with a Relay Service Code (RSC)/ProSe code, the long-term credential being used to generate the first key and the second key.
Also, in one embodiment of the present disclosure, the method includes sending a ProSe Key Request to the PKMF network element or DDNMF network element of the second UE, the ProSe Key Request including a credential ID and an RSC/ProSe code, so as to request from the PKMF or DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, the long-term credential being used to generate the first key and the second key; and receiving a ProSe Key Response from the PKMF/DDNMF network element, the ProSe Key Response carrying the long-term credential.
Also, in one embodiment of the present disclosure, the first message may include a destination ID, the destination ID being the layer-2 ID of the third UE or the layer-2 ID of the second UE.
For example, when the second UE receives a first message whose destination ID is the layer-2 ID of the third UE, the second UE determines from the destination ID that the first message is to be forwarded to the third UE (i.e. the target UE).
As another example, when the second UE receives a first message whose destination ID is the layer-2 ID of the second UE, the second UE determines from the user ID information that the first message is to be forwarded to the third UE (i.e. the target UE). The user ID information includes at least one of a first UE identifier, a second UE identifier and a third UE identifier. That is, the user ID information may include at least one of a source UE identifier, a relay UE identifier and a target UE identifier; in this embodiment, the first UE identifier is the source UE identifier, the second UE identifier is the relay UE identifier and the third UE identifier is the target UE identifier. The second UE determines from the user ID information that the first message is to be forwarded to the corresponding target UE, here the third UE.
Also, in one embodiment of the present disclosure, the first UE may send user ID information to the second UE.
Also, in one embodiment of the present disclosure, the first message received by the second UE from the first UE is encrypted using a first key, the first key being negotiated and generated by the first UE and the second UE when creating the PC5 link between them and shared by the first UE and the second UE, and the method may further include:
decrypting, based on the first key, the first message received from the first UE.
Specifically, in one embodiment of the present disclosure, for security, the first message sent by the first UE to the second UE is protected by encryption. The first UE may encrypt the first message with the first key, which was negotiated and generated by the first UE and the second UE when creating the PC5 link between them. For example, when creating the PC5 link between them, the first UE and the second UE generate the first key (for example, a ProSe security key) through a direct authentication and key generation procedure and store the generated first key locally. When the second UE receives the first message, it can decrypt it with the locally stored first key. The specific process by which the first UE and the second UE create the PC5 link between them is shown in FIG. 5 and is not repeated here.
S402: sending the first message to the third UE.
S403: receiving a second message sent by the third UE, the second message being used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE.
The end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
S404: sending the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key.
In one embodiment of the present disclosure, the first message sent by the second UE to the third UE is encrypted using a second key, the second key being negotiated and generated by the third UE and the second UE when creating the PC5 link between them and shared by the third UE and the second UE, and the method may further include:
encrypting, based on the second key, the first message obtained from the first UE.
Specifically, in one embodiment of the present disclosure, for security, after receiving the first message the second UE may encrypt it with the second key before forwarding it to the third UE, the second key having been negotiated and generated by the second UE and the third UE when creating the PC5 link between them. For example, when creating the PC5 link between them, the second UE and the third UE may generate the second key (for example, a ProSe security key) through a direct authentication and key generation procedure and store it locally. When the third UE receives the first message, it can decrypt the encrypted first message with the locally stored second key. The specific process by which the second UE and the third UE create the PC5 link between them is shown in FIG. 5 and is not repeated here.
S405: receiving a third message sent by the third UE, the third message indicating that creation of the end-to-end link is complete.
In one embodiment of the present disclosure, the third message received by the second UE from the third UE is encrypted using the end-to-end shared key and the second key, and the method may further include:
decrypting, based on the second key, the third message received from the third UE.
S406: sending the third message to the first UE.
In one embodiment of the present disclosure, the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the method may further include:
encrypting, based on the first key, the third message obtained from the third UE.
In summary, in the direct link establishment method provided by the embodiments of the present disclosure, the second UE assists the interaction between the first UE and the third UE: it receives the link creation request sent by the first UE and forwards it to the third UE; receives the second message sent by the third UE and forwards it to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key; and then receives the third message sent by the third UE and forwards it to the first UE. Thereby, the information communicated between the first UE (i.e. the source UE) and the third UE (i.e. the target UE) is encrypted and decrypted with the shared key, which avoids information leakage caused by an attack on the layer-2 relay UE and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
For a more convenient and complete understanding of the direct link establishment method provided by the present disclosure, refer to FIG. 5, which is a schematic diagram of a direct link establishment method provided by the present disclosure.
As shown in FIG. 5, it is assumed that the target UE and the source UE can both be preconfigured with the same long-term credential and long-term credential ID.
Step 0: before the relay UE discovery and link establishment procedures, the source UE and the target UE are provisioned with the security keys used for the discovery procedure.
Step 1: using the security keys for the discovery procedure, the discovery and relay selection procedures are performed between the source UE, the target UE and the relay UE.
It is assumed that, after the discovery procedure and the relay selection procedure, the source UE and the target UE have discovered each other and selected the same layer-2 relay UE.
Step 2: the source UE sends to the layer-2 relay UE a Direct Communication Request containing the long-term credential ID, the user info ID, the source UE security capabilities, the RSC/ProSe code of the 5G ProSe UE-to-UE relay (U2U Relay) service, and a first nonce (nonce 1). If the source UE already has a Knrp (i.e. the first key shared by the source UE and the layer-2 relay UE) for the layer-2 relay UE it is trying to communicate with, the message may also include the Knrp ID corresponding to that Knrp, so that on receiving the message the layer-2 relay can learn which Knrp the source UE holds.
The user info ID may include at least one of source user info, target user info and relay user info.
Step 3a: if the layer-2 relay UE already has the long-term credential identified by the long-term credential ID, steps 3a and 3b are skipped. Otherwise, the layer-2 relay UE sends a ProSe Key Request message to its 5G PKMF/DDNMF network element; the message may contain the layer-2 relay UE identifier, the long-term credential ID and the RSC/ProSe code, indicating that the layer-2 relay UE is requesting the long-term credential.
Step 3b: upon receiving the ProSe Key Request message, the 5G PKMF/DDNMF network element of the relay UE shall check, based on the relay identity of the layer-2 relay UE and the received RSC/ProSe code, whether the layer-2 relay UE is authorized to provide the relay/ProSe service. If the authorization information of the layer-2 relay UE is not available locally, the 5G PKMF/DDNMF network element shall request it from the UDM of the layer-2 relay UE (not shown in the figure). If the layer-2 relay UE is authorized to provide the relay service according to the ProSe subscription data, the 5G PKMF/DDNMF network element of the relay UE sends the long-term credential to the layer-2 relay UE.
The layer-2 relay UE identifier may be set to the ProSe application ID of the layer-2 relay UE, the SUCI of the layer-2 relay UE, or the user info ID (User Info ID) of the layer-2 relay UE.
Also, the long-term credential may be preconfigured in the layer-2 relay UE, in which case steps 3a and 3b are skipped.
Step 4: the layer-2 relay UE may initiate a direct authentication and key generation procedure with the source UE to generate Knrp. If the Direct Communication Request contained a Knrp ID, this step is skipped and the corresponding Knrp can be determined directly from the Knrp ID.
Step 5: the layer-2 relay UE shall derive a session key (Knrp-sess) from Knrp according to the PC5 security policy specified in the protocol, and then derive the confidentiality key (NRPEK) (if used) and the integrity key (NRPIK) (if used). The layer-2 relay UE sends a Direct Security Mode Command message to the source UE. The message shall include the selected security algorithms and a second nonce (nonce 2), and shall be protected as specified in the protocol.
Step 6: as specified in the protocol, the source UE responds to the layer-2 relay UE with a Direct Security Mode Complete message.
Through steps 2-6, a PC5 link is created between the source UE and the relay UE and the first key is negotiated, so that the information transmitted between the source UE and the relay UE can be protected with the first key.
Step 7: the layer-2 relay UE sends a Direct Communication Request to the target UE containing the long-term credential ID, the user info ID, the relay UE's security capabilities, the RSC/ProSe code of the 5G ProSe U2U relay service, and nonce 1'. If a Knrp' (the second key) already exists between the layer-2 relay UE and the target UE it is trying to communicate with, the message may also include Knrp ID'.
Step 8: the target UE may initiate a direct authentication and key generation procedure with the layer-2 relay UE to generate Knrp'. If the Direct Communication Request contained Knrp ID', this step is skipped.
Step 9: the target UE shall derive a session key (Knrp-sess') from Knrp' according to the PC5 security policy specified in the protocol, and then derive the confidentiality key (NRPEK') (if used) and the integrity key (NRPIK') (if used). The target UE sends a Direct Security Mode Command message to the layer-2 relay UE. The message shall include the selected security algorithms and nonce 2', and shall be protected as specified in the protocol.
Step 10: the layer-2 relay UE responds with the Direct Security Mode Complete message specified in TS 33.536 [4].
Step 11: once the Direct Security Mode Complete message is received from the layer-2 relay UE, the target UE sends a Direct Communication Accept message to the layer-2 relay UE.
Through steps 7-11, a PC5 link is created between the target UE and the relay UE and the second key is negotiated, so that the information transmitted between the target UE and the relay UE can be protected with the second key.
Step 12: once the Direct Communication Accept message is received, the layer-2 relay UE sends a Direct Communication Accept message to the source UE.
Step 13: the source UE sends an end-to-end Direct Communication Request to the target UE, forwarded by the layer-2 relay UE. On the first hop (i.e. the PC5 link between the source UE and the layer-2 relay UE) the end-to-end Direct Communication Request is protected by NRPIK/NRPEK; on the second hop (i.e. the PC5 link between the layer-2 relay UE and the target UE) it is protected by NRPIK'/NRPEK'.
The destination ID of the end-to-end Direct Communication Request may be set to the layer-2 ID of the target UE or the layer-2 ID of the relay UE. If the destination ID is set to the layer-2 ID of the relay UE, the relay UE determines the destination from the user info ID in order to forward the end-to-end DCR message to the corresponding target UE.
Step 14: the target UE may initiate a security negotiation procedure with the source UE to establish an end-to-end IPsec connection, which can be done by performing an IKEv2 authentication procedure. After IKEv2 authentication, the source UE and the target UE generate the end-to-end shared security key.
Step 15: the target UE responds with an end-to-end Direct Communication Accept, forwarded by the layer-2 relay UE. The end-to-end Direct Communication Accept is protected by the end-to-end security key generated in step 14 and by the ProSe security keys generated in steps 2-12 (i.e. NRPIK/NRPEK and NRPIK'/NRPEK').
Step 16: a secure layer-2 PC5 link is established between the source UE and the target UE through the layer-2 relay UE. The source UE and the target UE can start communicating, with the layer-2 relay UE relaying the service data between them.
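The layering in steps 13-15 is easier to see in code. The following is an added example, not code from the disclosure: hop keys are derived from Knrp/Knrp' with an illustrative KDF, the cipher is an HMAC-based encrypt-then-MAC stand-in for the PC5 algorithms, and the IKEv2 outcome of step 14 is modelled as a key both endpoints already hold. It shows the relay re-keying the end-to-end DCR between the two hops (it can read the DCR, which it needs for routing) while the step 15 accept, protected by the end-to-end key underneath the hop keys, stays opaque to it.

```python
"""Toy model of the two-layer protection in FIG. 5, steps 13-15 (constructed example).

Hop keys NRPEK/NRPIK come from Knrp (source <-> relay) and Knrp' (relay <-> target);
the end-to-end key is held only by source and target. The KDF and the cipher below
are illustrative stand-ins, not the PC5 algorithms or the KDF of TS 33.536.
"""
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, extra: bytes = b"") -> bytes:
    """Illustrative KDF: HMAC-SHA256(key, label || extra)."""
    return hmac.new(key, label + extra, hashlib.sha256).digest()


def hop_keys(knrp: bytes, nonce1: bytes, nonce2: bytes) -> tuple[bytes, bytes]:
    """Knrp -> Knrp-sess (bound to both nonces, steps 2/5) -> (NRPEK, NRPIK)."""
    knrp_sess = kdf(knrp, b"Knrp-sess", nonce1 + nonce2)
    return kdf(knrp_sess, b"NRPEK"), kdf(knrp_sess, b"NRPIK")


def _keystream(ek: bytes, iv: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(kdf(ek, iv, i.to_bytes(4, "big")) for i in range(blocks))


def protect(ek: bytes, ik: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: iv(16) || ciphertext || tag(32)."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(ek, iv, len(plaintext))))
    tag = hmac.new(ik, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unprotect(ek: bytes, ik: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a forged or modified message is rejected, not decrypted."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(ik, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PC5 integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ek, iv, len(ct))))


class RelayUE:
    """Layer-2 relay: holds the two hop keys only, never the end-to-end key."""

    def __init__(self, hop1: tuple[bytes, bytes], hop2: tuple[bytes, bytes]):
        self.hop1, self.hop2 = hop1, hop2     # source<->relay, relay<->target
        self.seen: list[bytes] = []           # what a compromised relay could read

    def forward(self, blob: bytes, towards_target: bool) -> bytes:
        src, dst = (self.hop1, self.hop2) if towards_target else (self.hop2, self.hop1)
        inner = unprotect(*src, blob)         # strip the incoming hop's protection
        self.seen.append(inner)
        return protect(*dst, inner)           # re-protect for the outgoing hop


def run_link_setup() -> dict:
    """Steps 13-15 with constructed keys and nonces; returns what each party observed."""
    knrp, knrp_p = secrets.token_bytes(32), secrets.token_bytes(32)
    n1, n2, n1p, n2p = (secrets.token_bytes(16) for _ in range(4))
    hop1 = hop_keys(knrp, n1, n2)             # first key, steps 2-6
    hop2 = hop_keys(knrp_p, n1p, n2p)         # second key, steps 7-11
    relay = RelayUE(hop1, hop2)

    # Step 13: the end-to-end DCR is hop-protected only; the relay must read it to route.
    dcr = b"E2E-DCR dest=TARGET_L2_ID user_info=SRC,RELAY,TARGET"
    dcr_at_target = unprotect(*hop2, relay.forward(protect(*hop1, dcr), True))

    # Step 14: IKEv2 stand-in. Both endpoints end up with the same key; the relay only
    # forwards the exchange, so it is modelled as never receiving the key.
    e2e = secrets.token_bytes(32)
    e2e_keys = (kdf(e2e, b"e2e-enc"), kdf(e2e, b"e2e-int"))

    # Step 15: the accept is protected end-to-end first, then hop by hop.
    accept = b"E2E-DC-ACCEPT link=complete"
    on_hop2 = protect(*hop2, protect(*e2e_keys, accept))
    at_source = unprotect(*hop1, relay.forward(on_hop2, False))
    accept_at_source = unprotect(*e2e_keys, at_source)

    return {
        "dcr_at_target": dcr_at_target,
        "accept_at_source": accept_at_source,
        "relay_read_dcr": dcr in relay.seen,        # True: routing needs it
        "relay_read_accept": accept in relay.seen,  # False: the e2e key hides it
    }
```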
FIG. 6 is a structural diagram of a direct link establishment apparatus provided by an embodiment of the present disclosure.
As shown in FIG. 6, the direct link establishment apparatus is for a first UE and includes a transceiver module configured to:
send a first message to a third UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 UE;
receive a second message sent by the third UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
perform a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and
receive a third message sent by the third UE via the second UE, where the third message indicates that creation of the end-to-end link is complete;
where the end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
Optionally, in one embodiment of the present disclosure, the first message sent by the first UE to the second UE is encrypted using a first key, the first key being negotiated and generated by the first UE and the second UE when creating the PC5 link between the first UE and the second UE and shared by the first UE and the second UE.
Optionally, in one embodiment of the present disclosure, performing the security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key includes:
performing an Internet Key Exchange (IKEv2) authentication procedure with the third UE via the second UE to generate the end-to-end shared key.
Optionally, in one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key.
Optionally, in one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key and the first key.
Optionally, in one embodiment of the present disclosure, the apparatus is further configured to:
send user ID information to the second UE, the user ID information including at least one of:
a source UE identifier, a relay UE identifier and a target UE identifier.
In summary, in the direct link establishment apparatus provided by the embodiments of the present disclosure, the first UE first sends an end-to-end link establishment request to the third UE through the second UE; after obtaining feedback from the third UE, it can negotiate with the third UE to share the shared key of the end-to-end link, then generates the shared key through the negotiation procedure, and waits for the indication that creation of the end-to-end link is complete. On this basis, the UEs can communicate directly over the created end-to-end link, and the communication content can be encrypted and decrypted with the shared key, which improves the security of communication between the UEs, avoids information leakage caused by an attack on the relay UE, and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
FIG. 7 is a structural diagram of a direct link establishment apparatus provided by an embodiment of the present disclosure.
As shown in FIG. 7, the direct link establishment apparatus is for a third UE and includes a transceiver module configured to:
receive a first message sent by a first UE via a second UE, where the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 UE;
send a second message to the first UE via the second UE, where the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
perform a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key; and
send a third message to the first UE via the second UE, where the third message indicates that creation of the end-to-end link is complete.
Optionally, the end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
Optionally, in one embodiment of the present disclosure, the first message received by the third UE from the second UE is encrypted using a second key, the second key being negotiated and generated by the third UE and the second UE when creating the PC5 link between the third UE and the second UE and shared by the third UE and the second UE.
Optionally, in one embodiment of the present disclosure, the transceiver module is further configured to:
perform an Internet Key Exchange (IKEv2) authentication procedure with the first UE via the second UE to generate the end-to-end shared key.
Optionally, in one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key.
Optionally, in one embodiment of the present disclosure, the third message is encrypted using the end-to-end shared key and the second key.
Optionally, in one embodiment of the present disclosure, the apparatus is further configured to:
receive user ID information sent by the second UE, the user ID information including at least one of:
a source UE identifier, a relay UE identifier and a target UE identifier.
In summary, in the direct link establishment apparatus provided by the embodiments of the present disclosure, the third UE receives the link creation request sent by the first UE, then negotiates with the first UE and generates the end-to-end shared key by performing the IKEv2 authentication procedure, and finally indicates to the first UE that creation of the end-to-end link is complete. On this basis, the UEs can communicate directly over the end-to-end link, can generate the end-to-end shared key by performing the IKEv2 authentication procedure, and can protect the communicated information with the shared key, which improves the security of communication between the UEs, avoids information leakage caused by an attack on the relay UE, and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
FIG. 8 is a structural diagram of a direct link establishment apparatus provided by an embodiment of the present disclosure.
As shown in FIG. 8, the direct link establishment apparatus is for a second UE and includes a transceiver module configured to:
receive a first message sent by a first UE, the first message being used to request creation of an end-to-end link between the first UE and a third UE via the second UE, the second UE being a layer-2 relay UE;
send the first message to the third UE;
receive a second message sent by the third UE, the second message being used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
send the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key;
receive a third message sent by the third UE, the third message indicating that creation of the end-to-end link is complete; and
send the third message to the first UE.
Optionally, the end-to-end shared key is used to encrypt and decrypt the information transmitted between the first UE and the third UE over the end-to-end link.
Optionally, in one embodiment of the present disclosure, the transceiver module is further configured to:
decrypt, based on the first key, the first message received from the first UE.
Optionally, in one embodiment of the present disclosure, the first message sent by the second UE to the third UE is encrypted using the second key, the second key being negotiated and generated by the third UE and the second UE when creating the PC5 link between the third UE and the second UE and shared by the third UE and the second UE, and the transceiver module is further configured to:
encrypt, based on the second key, the first message obtained from the first UE.
Optionally, in one embodiment of the present disclosure, the transceiver module is further configured to:
decrypt, based on the second key, the third message received from the third UE.
Optionally, in one embodiment of the present disclosure, the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the apparatus is further configured to:
encrypt, based on the first key, the third message obtained from the third UE.
Optionally, in one embodiment of the present disclosure, the second UE stores a preconfigured long-term credential associated with a Relay Service Code (RSC)/Proximity Service (ProSe) code, the long-term credential being used to generate the first key and the second key.
Optionally, in one embodiment of the present disclosure, the apparatus is further configured to:
send a ProSe Key Request to the Proximity Key Management Function (PKMF) network element or DDNMF network element of the second UE, the ProSe Key Request including a credential ID and an RSC/ProSe code, so as to request from the PKMF or DDNMF network element the long-term credential associated with the credential ID and the RSC/ProSe code, the long-term credential being used to generate the first key and the second key; and
receive a ProSe Key Response from the PKMF or DDNMF network element, the ProSe Key Response carrying the long-term credential.
In summary, in the direct link establishment apparatus provided by the embodiments of the present disclosure, the second UE assists the interaction between the first UE and the third UE: it receives the link creation request sent by the first UE and forwards it to the third UE; receives the second message sent by the third UE and forwards it to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key; and then receives the third message sent by the third UE and forwards it to the first UE. Thereby, the information communicated between the first UE (i.e. the source UE) and the third UE (i.e. the target UE) is encrypted and decrypted with the shared key, which avoids information leakage caused by an attack on the layer-2 relay UE and thus establishes a secure direct link. In the present application, the layer-2 relay UE participates in the process of establishing the direct link, so that a secure direct link can be established effectively.
Referring to FIG. 9, FIG. 9 is a schematic structural diagram of a communication apparatus 900 provided by an embodiment of the present application. The communication apparatus 900 may be a network device or a terminal device, or a chip, chip system or processor that supports a network device in implementing the above method, or a chip, chip system or processor that supports a terminal device in implementing the above method. The apparatus can be used to implement the method described in the above method embodiments; for details, refer to the description in the method embodiments.
The communication apparatus 900 may include one or more processors 901. The processor 901 may be a general-purpose processor or a special-purpose processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control the communication apparatus (such as a base station, baseband chip, terminal device, terminal device chip, DU or CU), execute computer programs and process the data of the computer programs.
Optionally, the communication apparatus 900 may further include one or more memories 902 on which a computer program 904 may be stored; the processor 901 executes the computer program 904 so that the communication apparatus 900 performs the method described in the above method embodiments. Optionally, the memory 902 may also store data. The communication apparatus 900 and the memory 902 may be provided separately or integrated together.
Optionally, the communication apparatus 900 may further include a transceiver 905 and an antenna 906. The transceiver 905 may be referred to as a transceiver unit, a transceiver device or a transceiver circuit, and is used to implement the transmitting and receiving functions. The transceiver 905 may include a receiver and a transmitter; the receiver may be referred to as a receiving device or receiving circuit and is used to implement the receiving function; the transmitter may be referred to as a transmitting device or transmitting circuit and is used to implement the transmitting function.
Optionally, the communication apparatus 900 may further include one or more interface circuits 907. The interface circuit 907 is used to receive code instructions and transmit them to the processor 901. The processor 901 runs the code instructions so that the communication apparatus 900 performs the method described in the above method embodiments.
In one implementation, the processor 901 may include a transceiver for implementing the receiving and transmitting functions. For example, the transceiver may be a transceiver circuit, an interface or an interface circuit. The transceiver circuit, interface or interface circuit for implementing the receiving and transmitting functions may be separate or integrated together. The above transceiver circuit, interface or interface circuit may be used for reading and writing code/data, or for transmitting or transferring signals.
In one implementation, the processor 901 may store a computer program 903 which, when run on the processor 901, causes the communication apparatus 900 to perform the method described in the above method embodiments. The computer program 903 may be solidified in the processor 901, in which case the processor 901 may be implemented in hardware.
In one implementation, the communication apparatus 900 may include circuitry that implements the transmitting, receiving or communication functions of the foregoing method embodiments. The processor and transceiver described in the present application may be implemented on an integrated circuit (IC), an analog IC, a radio frequency integrated circuit (RFIC), a mixed-signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc. The processor and transceiver may also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), positive channel metal oxide semiconductor (PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
The communication apparatus described in the above embodiments may be a network device or a terminal device, but the scope of the communication apparatus described in the present application is not limited thereto, and the structure of the communication apparatus need not be limited by FIG. 9. The communication apparatus may be a stand-alone device or part of a larger device. For example, the communication apparatus may be:
(1) a stand-alone integrated circuit (IC), or a chip, or a chip system or subsystem;
(2) a set of one or more ICs, which optionally may also include storage components for storing data and computer programs;
(3) an ASIC, such as a modem;
(4) a module that can be embedded in other devices;
(5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handset, mobile unit, vehicle-mounted device, network device, cloud device, artificial intelligence device, etc.;
(6) others.
Where the communication apparatus may be a chip or chip system, refer to the schematic structural diagram of the chip shown in FIG. 10. The chip shown in FIG. 10 includes a processor 1001 and an interface 1002. There may be one or more processors 1001, and there may be multiple interfaces 1002.
Optionally, the chip further includes a memory 1003 for storing the necessary computer programs and data.
A person skilled in the art will also appreciate that the various illustrative logical blocks and steps listed in the embodiments of the present application may be implemented by electronic hardware, computer software, or a combination of both. Whether such functions are implemented in hardware or software depends on the particular application and the design requirements of the overall system. A person skilled in the art may use various methods to implement the described functions for each particular application, but such implementation should not be construed as going beyond the scope of protection of the embodiments of the present application.
The present application further provides a readable storage medium having instructions stored thereon which, when executed by a computer, implement the functions of any of the above method embodiments.
The present application further provides a computer program product which, when executed by a computer, implements the functions of any of the above method embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer programs are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer programs may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer programs may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g. infrared, radio, microwave, etc.). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. digital video disc (DVD)), or a semiconductor medium (e.g. solid state disk (SSD)), etc.
A person of ordinary skill in the art can understand that the various numerical designations such as first and second involved in the present application are merely distinctions made for convenience of description; they are not used to limit the scope of the embodiments of the present application, nor do they indicate any order.
"At least one" in the present application may also be described as one or more, and "a plurality" may be two, three, four or more, which the present application does not limit. In the embodiments of the present application, for a kind of technical feature, the technical features of that kind are distinguished by "first", "second", "third", "A", "B", "C", "D", etc., and there is no order of precedence or magnitude among the technical features described by "first", "second", "third", "A", "B", "C" and "D".
The correspondences shown in the tables of the present application may be configured or may be predefined. The values of the information in the tables are merely examples and may be configured as other values, which the present application does not limit. When configuring the correspondence between information and parameters, it is not necessarily required to configure all the correspondences shown in the tables. For example, the correspondences shown in some rows of the tables in the present application may not be configured. As another example, appropriate modifications and adjustments, such as splitting or merging, may be made on the basis of the above tables. The names of the parameters shown in the headings of the above tables may also use other names understandable by the communication apparatus, and the values or representations of the parameters may also be other values or representations understandable by the communication apparatus. When implemented, the above tables may also use other data structures, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables, etc.
"Predefined" in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, preconfigured, solidified or pre-burned.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered as going beyond the scope of the present application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The above are merely specific embodiments of the present application, but the scope of protection of the present application is not limited thereto; any changes or substitutions that a person familiar with the technical field could readily conceive within the technical scope disclosed by the present application shall be covered by the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.

Claims (24)

  1. A direct link establishment method, characterized in that the method is performed by a first user equipment (UE) and comprises:
    sending a first message to a third UE via a second UE, wherein the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 relay UE;
    receiving a second message sent by the third UE via the second UE, wherein the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    performing a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and
    receiving a third message sent by the third UE via the second UE, wherein the third message indicates that creation of the end-to-end link is complete.
  2. The method according to claim 1, characterized in that the first message sent by the first UE to the second UE is encrypted using a first key, the first key being negotiated and generated by the first UE and the second UE when creating a PC5 link between the first UE and the second UE and shared by the first UE and the second UE.
  3. The method according to claim 1, characterized in that performing the security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key comprises:
    performing an Internet Key Exchange (IKEv2) authentication procedure with the third UE via the second UE to generate the end-to-end shared key.
  4. The method according to claim 1, characterized in that the third message is encrypted using the end-to-end shared key.
  5. The method according to claim 2, characterized in that the third message is encrypted using the end-to-end shared key and the first key.
  6. The method according to any one of claims 1-5, characterized by further comprising:
    sending user ID information to the second UE, the user ID information comprising at least one of:
    a source UE identifier, a relay UE identifier and a target UE identifier.
  7. A direct link establishment method, characterized in that the method is performed by a third UE and comprises:
    receiving a first message sent by a first UE via a second UE, wherein the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 relay UE;
    sending a second message to the first UE via the second UE, wherein the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    performing a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key; and
    sending a third message to the first UE via the second UE, wherein the third message indicates that creation of the end-to-end link is complete.
  8. The method according to claim 7, characterized in that the first message received by the third UE from the second UE is encrypted using a second key, the second key being negotiated and generated by the third UE and the second UE when creating a PC5 link between the third UE and the second UE and shared by the third UE and the second UE.
  9. The method according to claim 7, characterized in that performing the security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key comprises:
    performing an Internet Key Exchange (IKEv2) authentication procedure with the first UE via the second UE to generate the end-to-end shared key.
  10. The method according to claim 7, characterized in that the third message is encrypted using the end-to-end shared key.
  11. The method according to claim 10, characterized in that the third message is encrypted using the end-to-end shared key and the second key.
  12. The method according to any one of claims 7-11, characterized by further comprising:
    receiving user ID information sent by the second UE, the user ID information comprising at least one of:
    a source UE identifier, a relay UE identifier and a target UE identifier.
  13. A direct link establishment method, characterized in that the method is performed by a second UE and comprises:
    receiving a first message sent by a first UE, the first message being used to request creation of an end-to-end link between the first UE and a third UE via the second UE, the second UE being a layer-2 relay UE;
    sending the first message to the third UE;
    receiving a second message sent by the third UE, the second message being used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    sending the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key;
    receiving a third message sent by the third UE, the third message indicating that creation of the end-to-end link is complete; and
    sending the third message to the first UE.
  14. The method according to claim 13, characterized in that the first message received by the second UE from the first UE is encrypted using a first key, the first key being negotiated and generated by the first UE and the second UE when creating a PC5 link between the first UE and the second UE and shared by the first UE and the second UE, and the method further comprises:
    decrypting, based on the first key, the first message received from the first UE.
  15. The method according to claim 13, characterized in that the first message sent by the second UE to the third UE is encrypted using a second key, the second key being negotiated and generated by the third UE and the second UE when creating a PC5 link between the third UE and the second UE and shared by the third UE and the second UE, and the method further comprises:
    encrypting, based on the second key, the first message obtained from the first UE.
  16. The method according to claim 15, characterized in that the third message received by the second UE from the third UE is encrypted using the end-to-end shared key and the second key, and the method further comprises:
    decrypting, based on the second key, the third message received from the third UE.
  17. The method according to claim 14, characterized in that the third message sent by the second UE to the first UE is encrypted using the end-to-end shared key and the first key, and the method further comprises:
    encrypting, based on the first key, the third message obtained from the third UE.
  18. The method according to any one of claims 14-17, characterized by further comprising:
    sending a ProSe Key Request to a Proximity Key Management Function (PKMF) network element or a DDNMF network element of the second UE, the ProSe Key Request comprising a credential ID and an RSC/ProSe code, so as to request from the PKMF or DDNMF network element a long-term credential associated with the credential ID and the RSC/ProSe code, the long-term credential being used to generate the first key and the second key; and
    receiving a ProSe Key Response from the PKMF or DDNMF network element, the ProSe Key Response carrying the long-term credential.
  19. A direct link establishment apparatus, characterized in that it is for a first UE and comprises a transceiver module configured to:
    send a first message to a third UE via a second UE, wherein the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 UE;
    receive a second message sent by the third UE via the second UE, wherein the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    perform a security negotiation procedure with the third UE via the second UE to generate the end-to-end shared key; and
    receive a third message sent by the third UE via the second UE, wherein the third message indicates that creation of the end-to-end link is complete.
  20. A direct link establishment apparatus, characterized in that it is for a third UE and comprises a transceiver module configured to:
    receive a first message sent by a first UE via a second UE, wherein the first message is used to request creation of an end-to-end link between the first UE and the third UE via the second UE, the second UE being a layer-2 UE;
    send a second message to the first UE via the second UE, wherein the second message is used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    perform a security negotiation procedure with the first UE via the second UE to generate the end-to-end shared key; and
    send a third message to the first UE via the second UE, wherein the third message indicates that creation of the end-to-end link is complete.
  21. A direct link establishment apparatus, characterized in that it is for a second UE and comprises a transceiver module configured to:
    receive a first message sent by a first UE, the first message being used to request creation of an end-to-end link between the first UE and a third UE via the second UE, the second UE being a layer-2 relay UE;
    send the first message to the third UE;
    receive a second message sent by the third UE, the second message being used to request negotiation with the first UE of an end-to-end shared key shared by the first UE and the third UE;
    send the second message to the first UE, so that the first UE and the third UE perform a security negotiation procedure to generate the end-to-end shared key;
    receive a third message sent by the third UE, the third message indicating that creation of the end-to-end link is complete; and
    send the third message to the first UE.
  22. A communication device, comprising: a transceiver; a memory; and a processor connected to the transceiver and the memory respectively, configured to control wireless signal transmission and reception of the transceiver by executing computer-executable instructions on the memory, and capable of implementing the method according to any one of claims 1-18.
  23. A system comprising a source UE, a relay UE and a target UE, wherein the source UE is configured to perform the method according to any one of claims 1-6, the target UE is configured to perform the method according to any one of claims 7-12, and the relay UE is configured to perform the method according to any one of claims 13-18.
  24. A computer storage medium, wherein the computer storage medium stores computer-executable instructions which, when executed by a processor, are capable of implementing the method according to any one of claims 1-18.
PCT/CN2022/122824 2022-09-29 2022-09-29 Direct link establishment method, device and storage medium WO2024065469A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202280003895.7A CN118120200A (zh) 2022-09-29 2022-09-29 Direct link establishment method, device and storage medium
PCT/CN2022/122824 WO2024065469A1 (zh) 2022-09-29 2022-09-29 Direct link establishment method, device and storage medium


Publications (1)

Publication Number Publication Date
WO2024065469A1 true WO2024065469A1 (zh) 2024-04-04


Country Status (2)

Country Link
CN (1) CN118120200A (zh)
WO (1) WO2024065469A1 (zh)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101926122A (zh) * 2008-01-30 2010-12-22 华为技术有限公司 Method for establishing a security association, and communication system
CN103533540A (zh) * 2012-07-03 2014-01-22 华为终端有限公司 Direct link establishment method, key update method and device
WO2014134786A1 (zh) * 2013-03-05 2014-09-12 华为技术有限公司 Key interaction method and device
CN112491533A (zh) * 2019-09-12 2021-03-12 华为技术有限公司 Key generation method and device
CN112737774A (zh) * 2020-12-28 2021-04-30 苏州科达科技股份有限公司 Data transmission method and device in a network conference, and storage medium
CN115022850A (zh) * 2022-05-27 2022-09-06 中国电信股份有限公司 Authentication method, device, system, electronic device and medium for D2D communication


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SAMSUNG: "Solution for key establishment between the Remote UE and UE-to-Network Relay", 3GPP DRAFT; S3-151398-PROSEDISC-RELAYSOLU, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Nanjing; 20150420 - 20150424, 19 April 2015 (2015-04-19), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP050943600 *

Also Published As

Publication number Publication date
CN118120200A (zh) 2024-05-31


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280003895.7

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22960106

Country of ref document: EP

Kind code of ref document: A1