WO2024065549A1 - 直连通信密钥生成方法及装置 - Google Patents

直连通信密钥生成方法及装置 Download PDF

Info

Publication number
WO2024065549A1
WO2024065549A1 PCT/CN2022/122942 CN2022122942W WO2024065549A1 WO 2024065549 A1 WO2024065549 A1 WO 2024065549A1 CN 2022122942 W CN2022122942 W CN 2022122942W WO 2024065549 A1 WO2024065549 A1 WO 2024065549A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
related information
direct communication
pkmf
network element
Prior art date
Application number
PCT/CN2022/122942
Other languages
English (en)
French (fr)
Inventor
陆伟
Original Assignee
北京小米移动软件有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京小米移动软件有限公司 filed Critical 北京小米移动软件有限公司
Priority to PCT/CN2022/122942 priority Critical patent/WO2024065549A1/zh
Priority to CN202280003879.8A priority patent/CN118120177A/zh
Publication of WO2024065549A1 publication Critical patent/WO2024065549A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present disclosure relates to the field of mobile communication technology, and in particular to a method and device for generating a direct communication key.
  • any UE may be used in the sidelink positioning service.
  • any UE may be designated as a positioning UE by the network, or may be designated as a target UE by the network.
  • the present disclosure proposes a direct communication key generation method and device, which can be applied to long term evolution (LTE) system, fifth generation (5G) mobile communication system, 5G new radio (NR) system, or other future new mobile communication systems and other communication systems.
  • LTE long term evolution
  • 5G fifth generation
  • NR 5G new radio
  • the technology disclosed in the present disclosure can generate a direct communication intermediate key that can be shared by a first UE and a second UE, so that integrity protection and/or encryption protection of the direct communication of the side link positioning service between the first UE and the second UE can be implemented according to the direct communication intermediate key, thereby improving the security of data transmission in the direct communication of the side link positioning service.
  • a first aspect of the present disclosure provides a method for generating a direct communication key, which is executed by a first user equipment UE.
  • the method includes:
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted through the side link between the first UE and the second UE.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the method further includes:
  • Root key acquisition response sent by the first PKMF network element, wherein the root key acquisition response includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the root key acquisition request includes a local root key identifier stored by the first UE, wherein the first PKMF network element determines the valid root key identifier and the root key according to the local root key identifier.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • a second aspect of the present disclosure provides a method for generating a direct communication key, which is executed by a second user equipment UE.
  • the method includes:
  • the direct communication request is used to request to create a sidelink for a sidelink positioning service between the first UE and the second UE, and wherein the direct communication request includes first key related information;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE via a side link.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • a third aspect of the present disclosure provides a method for generating a direct communication key, which is executed by a first positioning key management function PKMF network element of a first user equipment UE, and the method includes:
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE when performing a sidelink positioning service.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the method further includes:
  • a root key acquisition response is sent to the first UE, wherein the root key acquisition response includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the root key acquisition request includes a local root key identifier stored by the first UE, and the method further includes:
  • the effective root key identifier and the root key are determined according to the local root key identifier.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • a fourth aspect of the present disclosure provides a method for generating a direct communication key, which is executed by a second positioning key management function PKMF network element of a second user equipment UE, and the method includes:
  • the second UE When the second UE is able to use the sidelink positioning service, sending the first key related information to the first PKMF network element of the first UE, wherein the first key related information and the second key related information generated by the first PKMF network element are used by the first PKMF network element to generate a direct communication intermediate key;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE when performing a sidelink positioning service.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • the fifth aspect of the present disclosure provides a communication device, which has some or all of the functions of the user equipment in the method described in the first aspect above.
  • the functions of the communication device may have some or all of the functions in the embodiments of the present application, or may have the functions of implementing any one of the embodiments of the present application separately.
  • the functions may be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is coupled to the transceiver module and the processing module, and stores computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory.
  • the communication device includes a transceiver module and a processing module, wherein:
  • the transceiver module is used for:
  • the processing module is used to: generate the direct communication intermediate key according to the first key related information and the second key related information;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted via a side link between the first UE and the second UE.
  • the sixth aspect of the present disclosure provides another communication device, which has some or all of the functions of the network device in the method example described in the second aspect above, such as the functions of the communication device can have some or all of the functions in the embodiments of the present application, or can have the functions of implementing any one of the embodiments of the present application separately.
  • the functions can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is coupled to the transceiver module and the processing module, and stores computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory.
  • the communication device includes:
  • the transceiver module is used for:
  • the direct communication request is used to request to create a sidelink for a sidelink positioning service between the first UE and the second UE, and wherein the direct communication request includes first key related information;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE via a side link.
  • the seventh aspect of the present disclosure provides another communication device, which has some or all of the functions of the network device in the method example described in the second aspect above, such as the functions of the communication device can have some or all of the functions in the embodiments of the present application, or can have the functions of implementing any one of the embodiments of the present application separately.
  • the functions can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is coupled to the transceiver module and the processing module, and stores computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory.
  • the communication device includes a transceiver module and a processing module, wherein:
  • the transceiver module is used to receive first key related information sent by a second PKMF network element of a second UE;
  • the processing module is used to generate the second key related information; generate the direct communication intermediate key according to the first key related information and the second key related information;
  • the transceiver module is used to send the second key related information and the direct communication intermediate key to the second PKMF network element of the second UE;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE.
  • the eighth aspect of the present disclosure provides another communication device, which has some or all of the functions of the network device in the method example described in the second aspect above, such as the functions of the communication device can have some or all of the functions in the embodiments of the present application, or can have the functions of implementing any one of the embodiments of the present application separately.
  • the functions can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is coupled to the transceiver module and the processing module, and stores computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory.
  • the communication device includes a transceiver module and a processing module, wherein:
  • the transceiver module is used to receive first key related information sent by the second UE;
  • the processing module is used to verify whether the second UE can use the sidelink positioning service
  • the transceiver module is used to, when the second UE is able to use the sidelink positioning service, send the first key related information to the first PKMF network element of the first UE, wherein the first PKMF network element generates a direct communication intermediate key according to the first key related information and the second key related information; receive the direct communication intermediate key and the second key related information sent by the first PKMF network element; and send the direct communication intermediate key and the second key related information to the second UE;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE.
  • a ninth aspect of the present disclosure provides a communication device, which includes a processor.
  • the processor calls a computer program in a memory, the method described in the first aspect, the second aspect, the third aspect or the fourth aspect is executed.
  • the tenth aspect of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the first aspect, the second aspect, the third aspect or the fourth aspect above.
  • the eleventh aspect of the present disclosure provides a communication device, which includes a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the first aspect, the second aspect, the third aspect or the fourth aspect above.
  • the twelfth aspect of the present disclosure provides a direct communication key generation system, which includes the communication device described in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect, or the system includes the communication device described in the ninth aspect, or the system includes the communication device described in the tenth aspect, or the system includes the communication device described in the eleventh aspect.
  • the thirteenth aspect of the present disclosure provides a computer-readable storage medium for storing instructions for the above-mentioned user device.
  • the user device executes the method described in the first aspect, the second aspect, the third aspect or the fourth aspect.
  • a fourteenth aspect of the present disclosure is a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in the first, second, third or fourth aspect above.
  • the fifteenth aspect of the present disclosure provides a chip system, which includes at least one processor and an interface, and is used to support a user device to implement the functions involved in the first aspect, the second aspect, the third aspect, or the fourth aspect, for example, to determine or process at least one of the data and information involved in the above method.
  • the chip system also includes a memory, which is used to store computer programs and data necessary for the user device.
  • the chip system can be composed of a chip, or it can include a chip and other discrete devices.
  • a sixteenth aspect of the present disclosure provides a computer program, which, when executed on a computer, enables the computer to execute the method described in the first, second, third or fourth aspect above.
  • FIG1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application.
  • FIG2 is a flow chart of a method for generating a direct communication key according to an embodiment of the present application.
  • FIG3 is a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG4 is a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG6 is a schematic diagram of a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG7 is a schematic diagram of a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG8 is a schematic diagram of a flow chart of a direct communication key generation method provided in an embodiment of the present application.
  • FIG9 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application.
  • FIG10 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • FIG. 11 is a schematic diagram of the structure of a chip provided in an embodiment of the present application.
  • the network device configures various transmission parameters for data transmission for directly connected communication device 1.
  • Directly connected communication device 1 acts as a data transmitter
  • directly connected communication device 2 acts as a data receiver, and the two communicate directly.
  • the link for communication between the network device and the directly connected communication device is an uplink and downlink
  • the link between the directly connected communication device and the directly connected communication device is a sidelink.
  • the wireless communication system shown in FIG1 is only for schematic illustration, and the wireless communication system may also include other network devices, such as core network devices, wireless relay devices, and wireless backhaul devices, which are not shown in FIG1.
  • the embodiments of the present disclosure do not limit the number of network devices and terminals included in the wireless communication system.
  • the wireless communication system of the embodiment of the present disclosure is a network that provides wireless communication functions.
  • the wireless communication system can adopt different communication technologies, such as code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division multiple access (time division multiple access, TDMA), frequency division multiple access (frequency division multiple access, FDMA), orthogonal frequency division multiple access (orthogonal frequency-division multiple access, OFDMA), single carrier frequency division multiple access (single carrier FDMA, SC-FDMA), carrier sense multiple access/collision avoidance (Carrier Sense Multiple Access with Collision Avoidance).
  • code division multiple access code division multiple access
  • CDMA code division multiple access
  • wideband code division multiple access wideband code division multiple access
  • WCDMA wideband code division multiple access
  • time division multiple access time division multiple access
  • FDMA frequency division multiple access
  • OFDMA orthogonal frequency division multiple access
  • single carrier frequency division multiple access single carrier frequency division multiple access
  • the network can be divided into 2G (English: generation) network, 3G network, 4G network or future evolution network, such as 5G network, 5G network can also be called new wireless network (New Radio, NR).
  • 2G English: generation
  • 3G network 4G network or future evolution network, such as 5G network
  • 5G network can also be called new wireless network (New Radio, NR).
  • NR New Radio
  • the present disclosure sometimes simply refers to a wireless communication network as a network.
  • the network equipment involved in the present disclosure may also be referred to as a wireless access network equipment.
  • the wireless access network equipment may be: a base station, an evolved node B (eNB), a home base station, an access point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a transmission and reception point (TRP), etc. It may also be a gNB in an NR system, or it may also be a component or a part of a base station.
  • V2X vehicle-to-everything
  • the network equipment may also be a vehicle-mounted device. It should be understood that in the embodiments of the present disclosure, the specific technology and specific device form adopted by the network equipment are not limited.
  • the terminal involved in the present disclosure may also be referred to as a terminal device, a user equipment (User Equipment, UE), a mobile station (Mobile Station, MS), a mobile terminal (Mobile Terminal, MT), etc., which is a device that provides voice and/or data connectivity to users.
  • the terminal may be a handheld device with a wireless connection function, a vehicle-mounted device, etc.
  • some examples of terminals are: a smart phone (Mobile Phone), a pocket computer (Pocket Personal Computer, PPC), a handheld computer, a personal digital assistant (Personal Digital Assistant, PDA), a laptop computer, a tablet computer, a wearable device, or a vehicle-mounted device, etc.
  • V2X vehicle-to-everything
  • the terminal device may also be a vehicle-mounted device. It should be understood that the embodiments of the present disclosure do not limit the specific technology and specific device form adopted by the terminal.
  • the communication scenario of direct communication between directly connected communication devices may also be a device-to-device (D2D) communication scenario.
  • the directly connected communication devices for direct communication may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, as well as various forms of user equipment (UE), mobile stations (MS), terminals, terminal equipment, etc.
  • UE user equipment
  • MS mobile stations
  • terminals terminal equipment
  • the communication system described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not constitute a limitation on the technical solution provided in the embodiment of the present application.
  • Ordinary technicians in this field can know that with the evolution of the system architecture and the emergence of new business scenarios, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
  • each application or service provider provides a long-term credential for the UE involved in direct communication, which is used as the root key to protect the security of direct communication.
  • the current sidelink positioning service is mainly triggered by the operator network.
  • the UE involved is not bound to a specific application service, and the role of the UE in the positioning service may change (for example, the UE may be a UE that needs to be located, or it may be a UE that assists in positioning). In this case, it cannot be ensured that long-term credentials are provided to the UE involved. Due to the lack of long-term credentials, the existing security mechanism for direct communication of V2X services or proximity-based services (Pro Se) cannot continue to be practical. Therefore, it is necessary to study different security mechanisms to protect the direct communication of sidelink positioning services.
  • the present disclosure proposes a direct communication key generation method and device, which can be applied to long term evolution (LTE) system, fifth generation (5G) mobile communication system, 5G new radio (NR) system, or other future new mobile communication systems and other communication systems.
  • LTE long term evolution
  • 5G fifth generation
  • NR 5G new radio
  • the technology disclosed in the present disclosure can generate a direct communication intermediate key that can be shared by a first UE and a second UE, so that the integrity protection and/or encryption protection of the direct communication of the side link positioning service between the first UE and the second UE can be implemented according to the direct communication intermediate key, thereby improving the security of data transmission in the direct communication of the side link positioning service.
  • Figure 2 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a first user equipment UE.
  • the method may include but is not limited to the following steps:
  • Step S201 sending a direct communication request to a second UE, wherein the direct communication request is used to request to create a side link for a sidelink positioning service between the first UE and the second UE, and the direct communication request includes first key related information, wherein the second UE obtains a direct communication intermediate key and second key related information according to the first key related information;
  • PKMF positioning key management function
  • PLMN public land mobile network
  • the PKMF network element is used to generate relevant information for protecting the security of direct communication and provide it to the UE.
  • at least two UEs are required to locate each other, such as a first UE and a second UE, and the first UE corresponds to a first PKMF network element, and the second UE corresponds to a second PKMF network element.
  • the first UE When the first UE receives a request from the network side, it starts to measure the distance/position with the second UE, and the first UE sends a direct communication request to the second UE to request to create a sidelink for the sidelink positioning service between the first UE and the second UE.
  • the first key-related information included in the direct communication request can be used by the second UE to obtain the direct communication intermediate key and the second key-related information.
  • the first key-related information can be used by the second UE to obtain the direct communication intermediate key and the second key-related information from the first PKMF network element through the second PKMF network element.
  • the second UE can feed back the second key-related information to the first UE.
  • Step S202 receiving the second key related information sent by the second UE.
  • Step S203 Generate the direct communication intermediate key according to the first key related information and the second key related information
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted via a side link between the first UE and the second UE.
  • the first UE generates the direct communication intermediate key based on the second key related information and the first key related information received and sent by the second UE, and can protect the information transmitted between the first UE and the second UE through the side link (the side link is used for the side link positioning service) according to the direct communication intermediate key.
  • the specific steps are: generating a direct communication session key based on the direct communication intermediate key, and the direct communication session key can perform integrity protection and/or encryption protection on the information transmitted on the side link.
  • a direct communication intermediate key that can be shared by the first UE and the second UE can be generated, so that integrity protection and/or encryption protection of the direct communication of the sidelink positioning service between the first UE and the second UE can be implemented based on the direct communication intermediate key, thereby improving the security of data transmission in the direct communication of the sidelink positioning service.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information is used to indicate the corresponding root key, which is also called the side link positioning key (SL Positioning Key, SLPK).
  • the positioning service code is also called the side link positioning code (SL Positioning Code, SLPC), which is a temporary randomly generated number used to uniquely determine the corresponding positioning service type and to prevent the execution of the wrong positioning service type.
  • the first random number is generated by the first UE, and the second random number is generated by the PKMF of the first UE.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the effective root key identifier is a side link positioning key identifier SLPK ID.
  • Figure 3 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a first user equipment UE.
  • the method may include but is not limited to the following steps:
  • Step S301 Sending a root key acquisition request to the first PKMF network element.
  • Step S302 receiving a root key acquisition response sent by the first PKMF network element, wherein the root key acquisition response includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the first UE When the first UE receives a network request to start ranging/positioning with the second UE, the first UE needs to send a root key acquisition request to its corresponding first PKMF network element to request the root key used for security establishment, and then the first UE can send a direct communication request to the second UE. After receiving the root key acquisition request, the first PKMF feeds back a root key acquisition response to the first UE, which includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the effective root key identifier is SLPK ID
  • the root key corresponding to the effective root key identifier SLPK ID is SLPK.
  • the root key acquisition request includes a local root key identifier stored by the first UE, wherein the first PKMF network element determines the valid root key identifier and the root key according to the local root key identifier.
  • one or more local root key identifiers are stored in the storage module of the first UE.
  • the local root key identifier is provided to the first PKMF.
  • the first PKMF can select a suitable root key according to the local root key identifier, and feed back the corresponding root key identifier to the first UE to instruct the first UE to select the corresponding root key to encrypt the information transmitted by direct communication.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • the direct communication session key is generated based on the direct communication intermediate key, wherein the confidentiality key contained therein is used to encrypt and decrypt data transmitted in the direct communication for the side link positioning service between the first UE and the second UE, and the integrity key is used to verify the data integrity of the data transmitted in the direct communication for the side link positioning service between the first UE and the second UE.
  • the direct communication session key protects a session confidentiality key and a session integrity key
  • the confidentiality key is SLPEK
  • the integrity key is SLPIK
  • Figure 4 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a second user equipment UE.
  • the method may include but is not limited to the following steps:
  • Step S401 receiving a direct communication request sent by a first UE, wherein the direct communication request is used to request to create a sidelink for a sidelink positioning service between the first UE and the second UE, and wherein the direct communication request includes first key related information;
  • PKMF positioning key management function
  • PLMN public land mobile network
  • the PKMF network element is used to generate relevant information for protecting the security of direct communication and provide it to the UE.
  • PLMN public land mobile network
  • at least two UEs are required to locate each other, such as a first UE and a second UE, and the first UE corresponds to a first PKMF network element, and the second UE corresponds to a second PKMF network element.
  • the first UE When the first UE receives a request from the network side, it starts to measure the distance/position with the second UE, and the first UE sends a direct communication request to the second UE to request to create a sidelink for the sidelink positioning service between the first UE and the second UE.
  • Step S402 sending the first key related information to the second positioning key management function PKMF network element of the second UE, so that the second PKMF network element obtains the direct communication intermediate key and the second key related information from the first PKMF network element of the first UE according to the first key related information;
  • Step S403 receiving the direct communication intermediate key and the second key related information sent by the second PKMF network element;
  • Step S404 Sending the second key related information to the first UE, wherein the first key related information and the second key related information are used by the first UE to generate the direct communication intermediate key;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE via a side link.
  • the direct communication request sent by the first UE includes the first key related information, which can be used by the second UE to obtain the direct communication intermediate key and the second key related information from the first PKMF network element through the second PKMF network element.
  • the second UE can then feed back the second key related information to the first UE.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information is used to indicate the corresponding root key, which is also called the side link positioning key (SL Positioning Key, SLPK).
  • the positioning service code is also called the side link positioning code (SL Positioning Code, SLPC), which is a temporary randomly generated number used to uniquely determine the corresponding positioning service type and to prevent the execution of the wrong positioning service type.
  • the first random number is provided by the first UE, and the second random number is provided by the first PKMF network element.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • Figure 5 is a flow chart of a method for generating a direct communication key provided by an embodiment of the present application.
  • the method is applied to a first positioning key management function PKMF network element of a first user equipment UE.
  • the method may include but is not limited to the following steps:
  • Step S501 receiving first key related information sent by a second PKMF network element of a second UE;
  • the first key-related information is obtained by the second UE from a direct communication request received from the first UE, wherein the direct communication request is used to request to create a side link for a side link positioning service between the first UE and the second UE.
  • the second UE sends the first key-related information to the second PKMF network element, so that the first PKMF network element can receive the first key-related information from the second PKMF network element.
  • Step S502 Generate second key related information
  • Step S503 Generate a direct communication intermediate key according to the first key related information and the second key related information.
  • Step S504 Sending the second key related information and the direct communication intermediate key to the second PKMF network element of the second UE;
  • the direct communication intermediate key is sent by the second PKMF network element to the second UE, and the second key related information is sent by the second PKMF network element to the first UE through the second UE so that the first UE can generate the direct communication intermediate key based on the first key related information and the second key related information.
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE when performing a sidelink positioning service.
  • the second UE after receiving the direct communication request sent by the first UE, the second UE sends the first key related information contained therein to the first PKMF network element through the second PKMF network element, and the first PKMF network element generates the second key related information.
  • the first PKMF network element can generate the direct communication intermediate key according to the second key related information and the first key related information. Finally, the generated second key related information and the direct communication intermediate key are fed back to the second PKMF.
  • the first key-related information includes root key-related information used to obtain a root key, a positioning service code used to indicate a positioning service type, and a first random number; and the second key-related information includes a second random number.
  • the root key related information includes a valid root key identifier or a user hidden identifier SUCI of the first UE.
  • the first PKMF network element of the first UE generates an intermediate key based on the first key-related information and the second key-related information, and sends the intermediate key and the second key-related information to the second PKMF network element of the second UE.
  • the order in which the first PKMF network element obtains the first key-related information and the second key-related information can be adjusted as needed.
  • the first PKMF network element first obtains the first key-related information and then generates the second key-related information.
  • Figure 6 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a first PKMF network element.
  • the method in Figure 5 may also include but is not limited to the following steps:
  • Step S601 receiving a root key acquisition request sent by the first UE;
  • Step S602 verifying whether the first UE can use the sidelink positioning service.
  • Step S603 When the first UE is able to use the sidelink positioning service, a root key acquisition response is sent to the first UE, wherein the root key acquisition response includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the first UE when the first UE receives a network request to start ranging/positioning with the second UE, the first UE needs to send a root key acquisition request to its corresponding first PKMF network element to request a root key used as a securely established root key, and then the first UE can send a direct communication request to the second UE.
  • the first PKMF After receiving the root key acquisition request, the first PKMF first verifies whether the first UE can use the sidelink positioning service. When the first UE can use the sidelink positioning service, a root key acquisition response is fed back to the first UE, which includes a valid root key identifier and a root key corresponding to the valid root key identifier.
  • the root key acquisition request includes a local root key identifier stored by the first UE, and the method further includes:
  • the effective root key identifier and the root key are determined according to the local root key identifier.
  • one or more local root key identifiers are stored in the storage module of the first UE.
  • the local root key identifier is provided to the first PKMF.
  • the first PKMF can select a suitable root key according to the local root key identifier, and feed back the corresponding root key identifier to the first UE to instruct the first UE to select the corresponding root key to encrypt the information transmitted by direct communication.
  • the direct communication session key includes a confidentiality key for encrypting and decrypting information and an integrity key for verifying data integrity.
  • Figure 7 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a second PKMF network element.
  • the method may include but is not limited to the following steps:
  • Step S701 receiving first key related information sent by a second UE
  • the first key-related information is obtained by the second UE from a direct communication request received from the first UE, wherein the direct communication request is used to request the creation of a sidelink for a sidelink positioning service between the first UE and the second UE.
  • Step S702 verifying whether the second UE can use the sidelink positioning service.
  • Step S703 When the second UE is able to use the sidelink positioning service, the first key related information is sent to the first PKMF network element of the first UE, wherein the first key related information and the second key related information generated by the first PKMF network element are used by the first PKMF network element to generate a direct communication intermediate key;
  • the second PKMF after the second PKMF receives the first key-related information from the second UE, it first verifies whether the second UE can use the sidelink positioning service. When the second UE can use the sidelink positioning service, the second PKMF sends the first key-related information to the first PKMF so that the first PKMF can generate a direct communication intermediate key and the second key-related information.
  • Step S704 receiving the direct communication intermediate key and the second key related information sent by the first PKMF network element;
  • Step S705 Sending the direct communication intermediate key and the second key related information to the second UE;
  • the second key related information is sent by the second UE to the first UE so that the first UE can generate the direct communication intermediate key according to the first key related information and the second key related information.
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE when performing a sidelink positioning service.
  • the direct communication intermediate key and the second key related information fed back by the first PKMF After receiving the direct communication intermediate key and the second key related information fed back by the first PKMF, it can be fed back to the second UE for the second UE to communicate directly with the first UE, and generate a direct communication session key to protect data transmitted in the direct communication.
  • Figure 8 is a flow chart of a method for generating a direct communication key provided in an embodiment of the present application.
  • the method is applied to a first user equipment UE.
  • the method may include but is not limited to the following steps:
  • NF 5GC network function
  • AF application function
  • AMF access and mobility management function
  • the positioning service request is a sidelink positioning service request.
  • the first AMF After receiving the positioning service request, the first AMF will send the positioning service request to the first location management function (Location Management Function, LMF) network element corresponding to the first UE.
  • LMF Location Management Function
  • the first LMF After receiving the positioning service request, the first LMF sends a positioning service request to the first UE.
  • the positioning service request includes the ID of the second UE to indicate that the first UE needs to be positioned with the second UE.
  • the first UE After receiving the positioning service request from the LMF, the first UE first sends a root key acquisition request to the first PKMF network element corresponding to the first UE, including the local root key identifier stored by the first UE, to request the first PKMF to provide the root key.
  • the root key acquisition request also includes an identifier of the valid root key.
  • the first PKMF After receiving the root key acquisition request, the first PKMF confirms whether the first UE is authorized to use the sidelink positioning service. When the first UE is able to use the sidelink positioning service, a root key acquisition response is sent to the first UE, wherein the root key acquisition response includes a valid root key identifier SLPK ID and a root key SLPK corresponding to the valid root key identifier.
  • the first UE and the second UE perform a discovery process to find each other.
  • a direct communication request is sent to the second UE, wherein the direct communication request is used to request to create a side link for a sidelink positioning service between the first UE and the second UE.
  • the direct communication request includes first key related information, including root key related information for obtaining a root key (valid root key identifier SLPK ID and user hidden identifier SUCI), a positioning service code SLPC for indicating a positioning service type, and a first random number K SLP nonce1,
  • the second UE After receiving the direct communication request sent by the first UE, the second UE forwards the direct communication request to its corresponding second PKMF.
  • the second PKMF After receiving the direct communication request, the second PKMF forwards the direct communication request to the first PKMF.
  • the first PKMF After receiving the direct communication request, the first PKMF generates second key-related information (second random number K SLP nonce2), and generates a direct communication intermediate key K SLP according to the first key-related information and the second key-related information, and then feeds back the second key-related information and the direct communication intermediate key to the second PKMF.
  • second key-related information second random number K SLP nonce2
  • the first PKMF may also generate GPI (GBA Push Info), which is used to generate a root key and a root key identifier together with SUCI.
  • GPI GBA Push Info
  • the second PKMF sends the acquired second key related information and the direct communication intermediate key to the second UE.
  • the second UE After receiving the second key related information and the direct communication intermediate key, the second UE sends the second key related information to the first UE.
  • the first UE After the first UE receives the second key-related information, it can generate the direct communication intermediate key according to the second random number and the first key-related information, and then generate the direct communication session key based on the direct communication intermediate key, which includes a confidentiality key (SLPEK) for encrypting and decrypting information and an integrity key (SLPIK) for verifying data integrity, and send a direct communication security confirmation message to the second UE to notify the second UE that the key configuration is complete.
  • SLPEK confidentiality key
  • SLPIK integrity key
  • the second UE responds to the first UE with a direct communication request reception message to inform the first UE that its direct connection request has been received.
  • the methods provided by the embodiments of the present application are introduced from the perspective of network devices.
  • the network device may include a hardware structure and a software module, and implement the functions in the form of a hardware structure, a software module, or a hardware structure plus a software module.
  • a function in the functions may be executed in the form of a hardware structure, a software module, or a hardware structure plus a software module.
  • the present disclosure also provides a direct communication key generation device. Since the direct communication key generation device provided in the embodiment of the present disclosure corresponds to the direct communication key generation method provided in the above-mentioned embodiments, the implementation method of the direct communication key generation method is also applicable to the direct communication key generation device provided in this embodiment, and will not be described in detail in this embodiment.
  • the methods provided by the embodiments of the present application are introduced from the perspectives of network equipment and user equipment, respectively.
  • the network equipment and the user equipment may include hardware structures and software modules, and the functions are implemented in the form of hardware structures, software modules, or hardware structures plus software modules.
  • a function of the functions may be executed in the form of hardware structures, software modules, or hardware structures plus software modules.
  • FIG 9 is a schematic diagram of the structure of a communication device 90 provided in an embodiment of the present application.
  • the communication device 90 shown in Figure 9 may include a transceiver module 901 and a processing module 902.
  • the transceiver module 901 may include a sending module and/or a receiving module, the sending module is used to implement the sending function, the receiving module is used to implement the receiving function, and the transceiver module 901 may implement the sending function and/or the receiving function.
  • the communication device 90 may be a user device (such as the user device in the aforementioned method embodiment), or a device in the user device, or a device that can be used in conjunction with the user device.
  • the communication device 90 may be a network device, or a device in the network device, or a device that can be used in conjunction with the network device.
  • the communication device 90 is a user equipment (such as the first user equipment UE in the aforementioned method embodiment), and the device includes:
  • Transceiver module and processing module including:
  • the transceiver module is used for:
  • the processing module is used to: generate the direct communication intermediate key according to the first key related information and the second key related information;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted via a side link between the first UE and the second UE.
  • the communication device 90 is a user equipment (such as the second user equipment UE in the aforementioned method embodiment), and the device includes:
  • the transceiver module is used for:
  • the direct communication request is used to request to establish a sidelink for a sidelink positioning service between the first UE and the second UE, and wherein the direct communication request includes first key related information;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE via a side link.
  • the communication device 90 is a network device (such as a first positioning key management function PKMF network element of a first user equipment UE in the aforementioned method embodiment), and the device includes:
  • Transceiver module and processing module including:
  • the transceiver module is used to receive first key related information sent by a second PKMF network element of a second UE;
  • the processing module is used to generate the second key related information; generate the direct communication intermediate key according to the first key related information and the second key related information;
  • the transceiver module is used to send the second key related information and the direct communication intermediate key to the second PKMF network element of the second UE;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE.
  • the communication device 90 is a network device (such as a second positioning key management function PKMF network element of the second user equipment UE in the aforementioned method embodiment), and the device includes:
  • Transceiver module and processing module including:
  • the transceiver module is used to receive first key related information sent by the second UE;
  • the processing module is used to verify whether the second UE can use the sidelink positioning service
  • the transceiver module is used to, when the second UE is able to use the sidelink positioning service, send the first key related information to the first PKMF network element of the first UE, wherein the first key related information and the second key related information generated by the first PKMF network element are used by the first PKMF network element to generate a direct communication intermediate key; receive the direct communication intermediate key and the second key related information sent by the first PKMF network element; and send the direct communication intermediate key and the second key related information to the second UE;
  • the direct communication intermediate key is used to generate a direct communication session key to perform integrity protection and/or encryption protection on information transmitted between the first UE and the second UE.
  • FIG 10 is a schematic diagram of the structure of another communication device 100 provided in an embodiment of the present application.
  • the communication device 100 can be a network device, or a user device (such as the user device in the aforementioned method embodiment), or a chip, a chip system, or a processor that supports the network device to implement the above method, or a chip, a chip system, or a processor that supports the user device to implement the above method.
  • the device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.
  • the communication device 100 may include one or more processors 1001.
  • the processor 1001 may be a general-purpose processor or a dedicated processor, etc.
  • it may be a baseband processor or a central processing unit.
  • the baseband processor may be used to process the communication protocol and communication data
  • the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.
  • the communication device 100 may further include one or more memories 1002, on which a computer program 1003 may be stored, and the processor 1001 executes the computer program 1003 so that the communication device 100 performs the method described in the above method embodiment.
  • data may also be stored in the memory 1002.
  • the communication device 100 and the memory 1002 may be provided separately or integrated together.
  • the communication device 100 may further include a transceiver 1004 and an antenna 1005.
  • the transceiver 1004 may be referred to as a transceiver unit, a transceiver, or a transceiver circuit, etc., for implementing a transceiver function.
  • the transceiver 1004 may include a receiver and a transmitter, the receiver may be referred to as a receiver or a receiving circuit, etc., for implementing a receiving function; the transmitter may be referred to as a transmitter or a transmitting circuit, etc., for implementing a transmitting function.
  • the communication device 100 may further include one or more interface circuits 1006.
  • the interface circuit 1006 is used to receive code instructions and transmit them to the processor 1001.
  • the processor 1001 runs the code instructions to enable the communication device 100 to perform the method described in the above method embodiment.
  • the processor 1001 may include a transceiver for implementing receiving and sending functions.
  • the transceiver may be a transceiver circuit, an interface, or an interface circuit.
  • the transceiver circuit, interface, or interface circuit for implementing the receiving and sending functions may be separate or integrated.
  • the above-mentioned transceiver circuit, interface, or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface, or interface circuit may be used for transmitting or delivering signals.
  • the processor 1001 may store a computer program 1003, which runs on the processor 1001 and enables the communication device 100 to perform the method described in the above method embodiment.
  • the computer program 1003 may be fixed in the processor 1001, in which case the processor 1001 may be implemented by hardware.
  • the communication device 100 may include a circuit that can implement the functions of sending or receiving or communicating in the aforementioned method embodiment.
  • the processor and transceiver described in the present application can be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit RFIC, a mixed signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc.
  • the processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (nMetal-oxide-semiconductor, NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
  • CMOS complementary metal oxide semiconductor
  • N-type metal oxide semiconductor nMetal-oxide-semiconductor
  • PMOS bipolar junction transistor
  • BJT bipolar junction transistor
  • BiCMOS bipolar CMOS
  • SiGe silicon germanium
  • GaAs gallium arsenide
  • the communication device described in the above embodiments may be a network device or a user device (such as the user device in the aforementioned method embodiment), but the scope of the communication device described in the present application is not limited thereto, and the structure of the communication device may not be limited by FIG. 10.
  • the communication device may be an independent device or may be part of a larger device.
  • the communication device may be:
  • the IC set may also include a storage component for storing data and computer programs;
  • ASIC such as modem
  • the communication device can be a chip or a chip system
  • the communication device can be a chip or a chip system
  • the schematic diagram of the chip structure shown in Figure 11 includes a processor 1101 and an interface 1102.
  • the number of processors 1101 can be one or more, and the number of interfaces 1102 can be multiple.
  • the chip further includes a memory 1103, and the memory 1103 is used to store necessary computer programs and data.
  • An embodiment of the present application also provides a direct communication key generation system, which includes a communication device as a user device (such as the user device in the aforementioned method embodiment) in the aforementioned FIG. 9 embodiment and a communication device as a network device, or the system includes a communication device as a user device (such as the user device in the aforementioned method embodiment) in the aforementioned FIG. 9 embodiment and a communication device as a network device.
  • a direct communication key generation system which includes a communication device as a user device (such as the user device in the aforementioned method embodiment) in the aforementioned FIG. 9 embodiment and a communication device as a network device, or the system includes a communication device as a user device (such as the user device in the aforementioned method embodiment) in the aforementioned FIG. 9 embodiment and a communication device as a network device.
  • the present application also provides a readable storage medium having instructions stored thereon, which implement the functions of any of the above method embodiments when executed by a computer.
  • the present application also provides a computer program product, which implements the functions of any of the above method embodiments when executed by a computer.
  • the computer program product includes one or more computer programs.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer program can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program can be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that contains one or more available media integrated.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
  • a magnetic medium e.g., a floppy disk, a hard disk, a magnetic tape
  • an optical medium e.g., a high-density digital video disc (DVD)
  • DVD high-density digital video disc
  • SSD solid state disk
  • At least one in the present application can also be described as one or more, and a plurality can be two, three, four or more, which is not limited in the present application.
  • the technical features in the technical feature are distinguished by “first”, “second”, “third”, “A”, “B”, “C” and “D”, etc., and there is no order of precedence or size between the technical features described by the "first”, “second”, “third”, “A”, “B”, “C” and “D”.
  • the corresponding relationships shown in each table in the present application can be configured or predefined.
  • the values of the information in each table are only examples and can be configured as other values, which are not limited by the present application.
  • the corresponding relationships shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, such as splitting, merging, etc.
  • the names of the parameters shown in the titles in the above tables can also use other names that can be understood by the communication device, and the values or representations of the parameters can also be other values or representations that can be understood by the communication device.
  • other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables or hash tables.
  • the predefined in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, solidified, or pre-burned.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本公开提出了一种直连通信密钥生成方法及装置,涉及通信领域,可以应用于长期演进(long term evolution,LTE)系统、第五代移动通信系统、5G新空口(new radio,NR)系统,或者其他未来的新型移动通信系统等通信系统,包括:向第二UE发送直接通信请求,所述直接通信请求包括第一密钥相关信息,从所述第二UE接收所述第二密钥相关信息;以及根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥。通过本公开技术能够生成可被第一UE与第二UE共享的直连通信中间密钥,从而能够根据该直连通信中间密钥实现对该第一UE与第二UE之间的测距链路定位业务直接通信的完整性保护和/或加密保护,提高了在测距链路定位业务的直接通信中的数据传输的安全性。

Description

直连通信密钥生成方法及装置 技术领域
本公开涉及移动通信技术领域,特别涉及一种直连通信密钥生成方法及装置。
背景技术
相关技术中,为了实现对用户设备之间特定应用服务直接通信的安全保护,需要为进行直接通信的UE配置用于特定应用服务的相同的长期有效凭证以建立直连通信安全。但是,在侧行链路定位业务中,由于UE不与特定的应用服务绑定,任意UE都可能被用在侧行链路定位业务中,比如任意UE都可能被网络指定为定位UE,也可能被网络指定为目标UE,但为所有UE提供用于侧行链路定位业务的相同的长期有效凭证并不实际且不安全,目前尚缺乏保护侧行链路定位业务中UE进行直接通信安全性的手段。
发明内容
本公开提出了一种直连通信密钥生成方法及装置,可以应用于长期演进(long term evolution,LTE)系统、第五代(5th generation,5G)移动通信系统、5G新空口(new radio,NR)系统,或者其他未来的新型移动通信系统等通信系统,通过本公开技术能够生成可被第一UE与第二UE共享的直连通信中间密钥,从而能够根据该直连通信中间密钥实现对该第一UE与第二UE之间的侧行链路定位业务直接通信的完整性保护和/或加密保护,提高了在侧行链路定位业务的直接通信中的数据传输的安全性。
本公开的第一方面实施例提供了一种直连通信密钥生成方法,由第一用户设备UE执行,所述方法包括:
向第二UE发送直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息,所述第一密钥相关信息供所述第二UE从所述第一UE的第一定位密钥管理功能PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二UE发送的所述第二密钥相关信息;以及
根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过所述侧行链路传输的信息进行完整性保护和/或加密保护。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
可选的,所述方法还包括:
向所述第一PKMF网元发送根密钥获取请求;以及
接收所述第一PKMF网元发送的根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
可选的,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,其中所述第一PKMF网元根据所述本地根密钥标识确定所述有效根密钥标识以及所述根密钥。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
本公开的第二方面实施例提供了一种直连通信密钥生成方法,由第二用户设备UE执行,所述方法包括:
接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
向所述第一UE发送所述第二密钥相关信息,其中所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过侧行链路传输的信息进行完整性保护和/或加密保护。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
本公开的第三方面实施例提供了一种直连通信密钥生成方法,由第一用户设备UE的第一定位密钥管理功能PKMF网元执行,所述方法包括:
接收第二UE的第二PKMF网元发送的第一密钥相关信息;
生成第二密钥相关信息;
根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;以及
向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
可选的,所述方法还包括:
从所述第一UE接收根密钥获取请求;
验证所述第一UE是否能够使用侧行链路定位业务;以及
当所述第一UE能够使用侧行链路定位业务时,向所述第一UE发送根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
可选的,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,所述方法还包括:
根据所述本地根密钥标识确定所述有效根密钥标识与所述根密钥。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
本公开的第四方面实施例提供了一种直连通信密钥生成方法,由第二用户设备UE的第二定位密钥管理功能PKMF网元执行,所述方法包括:
接收第二UE发送的第一密钥相关信息;
验证所述第二UE是否能够使用侧行链路定位业务;以及
当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一密钥相关信息与所述第一PKMF网元生成的第二密钥相关信息被所述第一PKMF网元用来生成直连通信中间密钥;
接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
本公开的第五方面实施例提供一种通信装置,该通信装置具有实现上述第一方面所述的方法中用户设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。
在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,所述处理模块被配置为支持通信装置执行上述方法中相应的功能。所述收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。在一种实现方式中,所述通信装置包括收发模块和处理模块,其中:
所述收发模块用于:
向第二UE发送直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息,所述第一密钥相关信息供所述第二UE从所述第一UE的第一定位密钥管理功能PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二UE发送的所述第二密钥相关信息;
所述处理模块用于:根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过侧行链路传输的信息进行完整性保护和/或加密保护。
本公开的第六方面实施例提供另一种通信装置,该通信装置具有实现上述第二方面所述的方法示例中网络设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。
在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。在一种实现方式中,所述通信装置包括:
收发模块用于:
接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
向所述第一UE发送所述第二密钥相关信息,其中所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过侧行链路传输的信息进行完整性保护和/或加密保护。
本公开的第七方面实施例提供另一种通信装置,该通信装置具有实现上述第二方面所述的方法示例中网络设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。
在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。在一种实现方式中,所述通信装置包括收发模块和处理模块,其中:
所述收发模块用于接收第二UE的第二PKMF网元发送的第一密钥相关信息;
所述处理模块用于生成第二密钥相关信息;根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;
所述收发模块用于向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
本公开的第八方面实施例提供另一种通信装置,该通信装置具有实现上述第二方面所述的方法示例中网络设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。
在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。
作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。在一种实现方式中,所述通信装置包括收发模块和处理模块,其中:
所述收发模块用于接收第二UE发送的第一密钥相关信息;
所述处理模块用于验证所述第二UE是否能够使用侧行链路定位业务;
所述收发模块用于当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一PKMF网元根据所述第一密钥相关信息与第二密钥相关信息生成直连通信中间密钥;接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
本公开的第九方面提供一种通信装置,该通信装置包括处理器,当该处理器调用存储器中的计算机程序时,执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开的第十方面提供一种通信装置,该通信装置包括处理器和存储器,该存储器中存储有计算机程序;所述处理器执行该存储器所存储的计算机程序,以使该通信装置执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开的第十一方面提供一种通信装置,该装置包括处理器和接口电路,该接口电路用于接收代码指令并传输至该处理器,该处理器用于运行所述代码指令以使该装置执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开的第十二方面提供一种直连通信密钥生成系统,该系统包括第五方面、第六方面、第七方面或第八方面所述的通信装置,或者,该系统包括第九方面所述的通信装置,或者,该系统包括第十方面所述的通信装置,或者,该系统包括第十一方面所述的通信装置。
本公开的第十三方面例提供一种计算机可读存储介质,用于储存为上述用户设备所用的指令,当所述指令被执行时,使所述用户设备执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开的第十四方面一种包括计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开的第十五方面提供一种芯片系统,该芯片系统包括至少一个处理器和接口,用于支持用户设备实现第一方面、第二方面、第三方面或第四方面所涉及的功能,例如,确定或处理上述方法中所涉及的数据和信息中的至少一种。在一种可能的设计中,所述芯片系统还包括存储器,所述存储器,用于保存用户设备必要的计算机程序和数据。该芯片系统,可以由芯片构成,也可以包括芯片和其他分立器件。
本公开的第十六方面提供一种计算机程序,当其在计算机上运行时,使得计算机执行上述第一方面、第二方面、第三方面或第四方面所述的方法。
本公开附加的方面和优点将在下面的描述中部分给出,部分将从下面的描述中变得明显,或通过本公开的实践了解到。
附图说明
本公开上述的和/或附加的方面和优点从下面结合附图对实施例的描述中将变得明显和容易理解,其中:
图1是本申请实施例提供的一种通信系统的架构示意图;
图2是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。
图3是本申请实施例提供的一种直连通信密钥生成方法的流程示意图
图4为本申请实施例提供的一种直连通信密钥生成方法的流程示意图
图5是本申请实施例提供的一种直连通信密钥生成方法的流程示意图;
图6为本申请实施例提供的一种直连通信密钥生成方法的流程示意图;
图7为本申请实施例提供的一种直连通信密钥生成方法的流程示意图;
图8为本申请实施例提供的一种直连通信密钥生成方法的流程示意图;
图9是本申请实施例提供的一种通信装置的结构示意图;
图10是本申请实施例提供的另一种通信装置的结构示意图;
图11是本申请实施例提供的一种芯片的结构示意图。
具体实施方式
下面详细描述本公开的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的,旨在用于解释本公开,而不能理解为对本公开的限制。
为了更好的理解本申请实施例公开的一种直连通信密钥生成方法,下面首先对本申请实施例适用的通信系统进行描述。
请参见图1,直连通信设备之间进行直连通信的场景中,网络设备为直连通信设备1配置各种用于数据传输的传输参数。直连通信设备1作为数据发送端,直连通信设备2作为数据接收端,二者进行直接通信。网络设备与直连通信设备之间进行通信的链路为上下行链路,直连通信设备与直连通信设备之间的链路是侧行链路(sidelink)。
可以理解的是,图1所示的无线通信系统仅是进行示意性说明,无线通信系统中还可包括其它网络设备,例如还可以包括核心网设备、无线中继设备和无线回传设备等,在图1中未画出。本公开实施例对该无线通信系统中包括的网络设备数目和终端数目不做限定。
进一步可以理解的是,本公开实施例的无线通信系统,是一种提供无线通信功能的网络。无线通信系统可以采用不同的通信技术,例如码分多址(code division multiple access,CDMA)、宽带码分多址(wideband code division multiple access,WCDMA)、时分多址(time division multiple access,TDMA)、频分多址(frequency division multiple access,FDMA)、正交频分多址(orthogonal frequency-division multiple access,OFDMA)、单载波频分多址(single Carrier FDMA,SC-FDMA)、载波侦听多路访问/冲突避免(Carrier Sense Multiple Access with Collision Avoidance)。根据不同网络的容量、速率、时延等因素可以将网络分为2G(英文:generation)网络、3G网络、4G网络或者未来演进网络,如5G网络,5G网络也可称为是新无线网络(New Radio,NR)。为了方便描述,本公开有时会将无线通信网络简称为网络。
进一步的,本公开中涉及的网络设备也可以称为无线接入网设备。该无线接入网设备可以是:基站、演进型基站(evolved node B,eNB)、家庭基站、无线保真(wireless fidelity,WIFI)系统中的接入点(access point,AP)、无线中继节点、无线回传节点、传输点(transmission point,TP)或者发送接收点(transmission and reception point,TRP)等,还可以为NR系统中的gNB,或者,还可以是构成基站的组件或一部分设备等。当为车联网(V2X)通信系统时,网络设备还可以是车载设备。应理解,本公开的实施例中,对网络设备所采用的具体技术和具体设备形态不做限定。
进一步的,本公开中涉及的终端,也可以称为终端设备、用户设备(User Equipment,UE)、移动台(Mobile Station,MS)、移动终端(Mobile Terminal,MT)等,是一种向用户提供语音和/或数据连通性的设备,例如,终端可以是具有无线连接功能的手持式设备、车载设备等。目前,一些终端的举例为:智能手机(Mobile Phone)、口袋计算机(Pocket Personal Computer,PPC)、掌上电脑、个人数字助理(Personal Digital Assistant,PDA)、笔记本电脑、平板电脑、可穿戴设备、或者车载设备等。此外,当为车联网(V2X)通信系统时,终端设备还可以是车载设备。应理解,本公开实施例对终端所采用的具体技术和具体设备形态不做限定。
本公开中,直连通信设备之间直接通信的通信场景也可以是终端到终端(Device to Device,D2D)的通信场景。本公开实施例中进行直接通信的直连通信设备可以包括各种具有无线通信功能的手持设备、车载设备、可穿戴设备、计算设备或连接到无线调制解调器的其它处理设备,以及各种形式的用户设备(User Equipment,UE),移动台(Mobile station,MS),终端(terminal),终端设备(Terminal Equipment)等等。为方便描述,本公开实施例以下以直连通信设备为终端为例进行说明。
可以理解的是,本申请实施例描述的通信系统是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。
在当前用于支持测距定位或侧行链路(Sidelink,SL)定位的增强型5G架构的通信标准中,存在多种定位解决方案,其中参与定位的UE需要为测距业务或侧行链路定位业务建立用于侧行链路定位业务的侧行链路以进行直接通信。
对于定位业务直接通信的安全保护,目前可以复用通信标准中的V2X业务和ProSe业务直接通信的现有安全保护机制。在此方案下,每个应用程序或业务的提供者为直接通信涉及的UE提供了一个长期的凭证,该凭证被用作保护直连通信安全的根密钥。
然而,目前的侧行链路定位业务主要由运营商网络触发,对于这种的侧行链路定位业务对应的直接通信的安全保护中,因为涉及的UE不绑定特定的应用业务,并且UE在定位业务中的角色可能发生变化(例如,UE有可能是需要被定位的UE,也可能是辅助进行定位的UE)。这种情况下就不能确保向所涉及的UE提供长期的凭证。由于缺乏长期凭证,现有的V2X业务或基于邻近感应的业务(proximity-based services,Pro Se)直接通信的安全机制无法继续实用。因此,需要研究不同的安全机制来保护侧行定位业务的直接通信。
为此,本公开提出了一种直连通信密钥生成方法及装置,可以应用于长期演进(long term evolution,LTE)系统、第五代(5th generation,5G)移动通信系统、5G新空口(new radio,NR)系统,或者其他未来的新型移动通信系统等通信系统,通过本公开技术能够生成可被第一UE与第二UE共享的直连通信中间密钥,从而能够根据该直连通信中间密钥实现对该第一UE与第二UE之间的侧行链路定位业务直接通信的完整性保护和/或加密保护,提高了在侧行链路定位业务的直接通信中的数据传输的安全性。
下面结合附图对本申请所提供的直连通信密钥生成方法及其装置进行详细地介绍。
请参见图2,图2是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第一用户设备UE。如图2所示,该方法可以包括但不限于如下步骤:
步骤S201:向第二UE发送直接通信请求,其中所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,且所述直接通信请求包括第一密钥相关信息,其中,所述第二UE根据所述第一密钥相关信息获取直连通信中间密钥与第二密钥相关信息;
本申请实施例中,为支持侧行链路定位业务,在每个公共迁移移动网(Public Land Mobile Network,PLMN)中都有一个对应的定位密钥管理功能(Positioning Key Management Function,PKMF)网元,PKMF网元用于生成用于保护直接通信安全的相关信息并提供给UE。在侧行链路定位业务中,需要至少两个UE来相互定位,例如第一UE和第二UE,且第一UE对应第一PKMF网元,第二UE对应第二PKMF网元,当第一UE收到网络侧的请求之后,开始与第二UE进行测距/定位,第一UE向第二UE发送直接通信请求,以请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路。
所述直接通信请求中包含第一密钥相关信息可以供第二UE获取直连通信中间密钥与第二密钥相关信息,例如,第一密钥相关信息可以供第二UE通过第二PKMF网元从第一PKMF网元获取直连通信中间密钥与第二密钥相关信息。之后,第二UE可以将第二密钥相关信息反馈给所述第一UE。
步骤S202:接收所述第二UE发送的所述第二密钥相关信息;以及
步骤S203:根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过侧行链路传输的信息进行完整性保护和/或加密保护。
本申请实施例中,第一UE根据接收到的第二UE发送的第二密钥相关信息和所述第一密钥相关信息生成所述直连通信中间密钥,即可根据所述直连通信中间密钥对第一UE和第二UE之间的通过侧行链路(该侧行链路用于侧行链路定位业务)传输的信息进行保护,具体步骤为:根据直连通信中间密钥生成直连通信会话密钥,所述直连通信会话密钥可以对所述侧行链路传输的信息进行完整性保护和/或加密保护。
通过本实施例能够生成可被第一UE与第二UE共享的直连通信中间密钥,从而能够根据该直连通信中间密钥实现对该第一UE与第二UE之间的侧行链路定位业务直接通信的完整性保护和/或加密保护,提高了在侧行链路定位业务的直接通信中的数据传输的安全性。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
在一种可能的实施例中,第一密钥相关信息中,根密钥相关信息用于指示对应的根密钥,根密钥也称作侧行链路定位密钥(SL Positioning Key,SLPK)。定位业务码也称为侧行链路定位码(SL Positioning Code,SLPC),为临时随机生成的号码,用于唯一地确定对应的定位业务类型,用于防止执行错误的定位业务类型。第一随机数由第一UE生成,第二随机数由第一UE的PKMF生成。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
本申请实施例中,根密钥有多个,但是在直连通信中无法使用无效的密钥进行加密,所以需要在根密钥相关信息中提供有效根密钥对应的标识,以指示对应的有效根密钥。所述用户隐藏标识符(SUbscription Concealed Identifier,SUCI)可以用于获取所述有效根密钥,保证UE获取到有效根密钥。
在一种可能的实施例中,所述有效根密钥标识为侧行链路定位密钥标识SLPK ID。
请参见图3,图3是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第一用户设备UE。如图3所示,该方法可以包括但不限于如下步骤:
步骤S301:向所述第一PKMF网元发送根密钥获取请求;以及
步骤S302:接收所述第一PKMF网元发送的根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
当第一UE收到网络请求开始与第二UE进行测距/定位,第一UE需要向其对应的第一PKMF网元发送根密钥获取请求,以请求用作安全建立的根密钥,然后第一UE才能向第二UE发送直接通信请求。第一PKMF接收到根密钥获取请求后,将根密钥获取响应反馈给第一UE,其中包含有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
在一种可能的实施例中,所述有效根密钥标识为SLPK ID,与所述有效根密钥标识SLPK ID对应的根密钥为SLPK。
可选的,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,其中所述第一PKMF网元根据所述本地根密钥标识确定所述有效根密钥标识以及与所述根密钥。
本申请实施例中,第一UE的存储模块中存储有一个或多个本地的根密钥标识,在向第一PKMF发送根密钥获取请求时,会本地的根密钥标识提供给第一PKMF,第一PKMF即可根据本地的根密钥标识选取合适的根密钥,并将对应的根密钥标识反馈给第一UE,以指示第一UE选择对应的根密钥来对直接通信传输的信息进行加密。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
本申请实施例中,直连通信会话密钥根据所述直连通信中间密钥生成,其中包含的机密密钥用于对第一UE和第二UE之间进行侧行链路定位业务的直接通信中传输的数据进行加解密,其中的完整性密钥用于对第一UE和第二UE之间进行侧行链路定位业务的直接通信中传输的数据进行数据完整性的验证。
在一种可能的实施例中,所述直连通信会话密钥保护会话机密密钥和会话完整性密钥,机密密钥为SLPEK,完整性密钥为SLPIK。
请参见图4,图4是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第二用户设备UE。如图4所示,该方法可以包括但不限于如下步骤:
步骤S401:接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
本申请实施例中,为支持侧行链路定位业务,在每个公共迁移移动网(Public Land Mobile Network,PLMN)中都有一个对应的定位密钥管理功能(Positioning Key Management Function,PKMF)网元,PKMF网元用于生成用于保护直接通信安全的相关信息并提供给UE。在定位业务中,需要至少两个UE来相互定位,例如第一UE和第二UE,且第一UE对应第一PKMF网元,第二UE对应第二PKMF网元,当第一UE收到网络侧的请求之后,开始与第二UE进行测距/定位,第一UE向第二UE发送直接通信请求,以请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路。
步骤S402:向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
步骤S403:接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
步骤S404:向所述第一UE发送所述第二密钥相关信息,其中所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过侧行链路传输的信息进行完整性保护和/或加密保护。
本申请实施例中,第一UE发送的所述直接通信请求中包含第一密钥相关信息可以供第二UE通过第二PKMF网元从第一PKMF网元获取直连通信中间密钥与第二密钥相关信息。之后第二UE可以将第二密钥相关信息反馈给所述第一UE。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
在一种可能的实施例中,第一密钥相关信息中,根密钥相关信息用于指示对应的根密钥,根密钥也称作侧行链路定位密钥(SL Positioning Key,SLPK)。定位业务码也称为侧行链路定位码(SL Positioning Code,SLPC),为临时随机生成的号码,用于唯一地确定对应的定位业务类型,用于防止执行错误的定位业务类型。第一随机数由第一UE提供,第二随机数由第一PKMF网元提供。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
本申请实施例中,根密钥有多个,但是在直连通信中无法使用无效的密钥进行加密,所以需要在根密钥相关信息中提供有效根密钥对应的标识,以指示对应的有效根密钥。所述用户隐藏标识符(SUbscription Concealed Identifier,SUCI)可以用于获取所述有效根密钥,保证UE获取到有效根可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
请参见图5,图5是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第一用户设备UE的第一定位密钥管理功能PKMF网元。如图5所示,该方法可以包括但不限于如下步骤:
步骤S501:接收第二UE的第二PKMF网元发送的第一密钥相关信息;
其中,所述第一密钥相关信息为所述第二UE从接收自第一UE的直接通信请求中获得,其中所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路。第二UE将该第一密钥相关信息发送给第二PKMF网元,从而第一PKMF网元能够从第二PKMF网元接收第一密钥相关信息。
步骤S502:生成第二密钥相关信息;
步骤S503:根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;以及
步骤S504:向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
其中,所述直连通信中间密钥被所述第二PKMF网元发送给所述第二UE,以及所述第二密钥相关信息被所述第二PKMF网元通过所述第二UE发送给第一UE以使得所述第一UE能够根据所述第一密钥相关信息和所述第二密钥相关信息生成所述直连通信中间密钥。
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
本申请实施例中,第二UE在接收到第一UE发送的直接通信请求后,将其中包含的第一密钥相关信息通过第二PKMF网元发送至第一PKMF网元,第一PKMF网元即生成第二密钥相关信息。之后第一PKMF网元即可根据第二密钥相关信息和第一密钥相关信息生成直连通信中间密钥。最终将生成的第二密钥相关信息和直连通信中间密钥反馈给第二PKMF。
可选的,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
可选的,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
应当理解,第一UE的第一PKMF网元基于第一密钥相关信息和第二密钥相关信息生成中间密钥,并将中间密钥和第二密钥相关信息发送给第二UE的第二PKMF网元,然而,第一PKMF网元获取第一密钥相关信息和第二密钥相关信息的顺序可以根据需要进行调整,在上述实施例中,第一PKMF网元先获取第一密钥相关信息,再生成第二密钥相关信息,然而,应当理解,第一PKMF网元先生成第二密钥相关信息,再从第一PKMF网元获取第一密钥相关信息也是可能的,或者,这两个步骤可以同时执行。即,步骤S501和步骤S502的执行顺序可以根据需要进行调整。可以一个在一个之前执行,也可以同时执行。
请参见图6,图6是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第一PKMF网元。如图6所示,图5中地方法还可以包括但不限于如下步骤:
步骤S601:接收所述第一UE发送的根密钥获取请求;
步骤S602:验证所述第一UE是否能够使用侧行链路定位业务;以及
步骤S603:当所述第一UE能够使用侧行链路定位业务时,向所述第一UE发送根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
本申请实施例中,当第一UE收到网络请求开始与第二UE进行测距/定位,第一UE需要向其对应的第一PKMF网元发送根密钥获取请求,以请求用作安全建立的根密钥,然后第一UE才能向第二UE发送直接通信请求。第一PKMF接收到根密钥获取请求后,首先验证所述第一UE是否能够使用侧行链路定位业务,当所述第一UE能够使用侧行链路定位业务时,将根密钥获取响应反馈给第一UE,其中包含有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
可选的,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,所述方法还包括:
根据所述本地根密钥标识确定所述有效根密钥标识与所述根密钥。
本申请实施例中,第一UE的存储模块中存储有一个或多个本地的根密钥标识,在向第一PKMF发送根密钥获取请求时,会本地的根密钥标识提供给第一PKMF,第一PKMF即可根据本地的根密钥标识选取合适的根密钥,并将对应的根密钥标识反馈给第一UE,以指示第一UE选择对应的根密钥来对直接通信传输的信息进行加密。
可选的,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
请参见图7,图7是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第二PKMF网元。如图7所示,该方法可以包括但不限于如下步骤:
步骤S701:接收第二UE发送的第一密钥相关信息;
其中,所述第一密钥相关信息为所述第二UE从接收自第一UE的直接通信请求中获得,其中所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路。
步骤S702:验证所述第二UE是否能够使用侧行链路定位业务;以及
步骤S703:当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一密钥相关信息与所述第一PKMF网元生成的第二密钥相关信息被所述第一PKMF网元用来生成直连通信中间密钥;
本申请实施例中,第二PKMF从第二UE接收到所述第一密钥相关信息后,首先验证所述第二UE是否能够使用侧行链路定位业务,当所述第二UE能够使用侧行链路定位业务时,第二PKMF向第一PKMF发送第一密钥相关信息,以供第一PKMF生成直连通信中间密钥与所述第二密钥相关信息。
步骤S704:接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
步骤S705:向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
其中,所述第二密钥相关信息被所述第二UE发送给第一UE以使得所述第一UE能够根据所述第一密钥相关信息和所述第二密钥相关信息生成所述直连通信中间密钥。
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
当接收到第一PKMF反馈的直连通信中间密钥与所述第二密钥相关信息后,即可将其反馈给第二UE,供第二UE和第一UE进行直连通信,并生成直连通信会话密钥来保护直连通信中传输的数据。
请参见图8,图8是本申请实施例提供的一种直连通信密钥生成方法的流程示意图。所述方法应用于第一用户设备UE。如图8所示,该方法可以包括但不限于如下步骤:
801.在任意的5GC网络功能(Network Functions,NF)或应用功能(Application Function,AF)请求进行第一UE的定位时,会向第一UE对应的第一接入和移动性管理功能(Access and Mobility Management Function,AMF)网元发送定位业务请求,以请求第一UE和第二UE之间的定位结果。
可选的,所述定位业务请求为侧行链路定位业务请求。
802.第一AMF接收到定位业务请求后,会将所述定位业务请求发送至第一UE对应的第一位置管理功能(Location Management Function,LMF)网元。
803.第一LMF接收到所述定位业务请求后,向第一UE发送定位业务请求,定位业务请求中包含所述第二UE的ID,以指示所述第一UE需要与第二UE进行定位。
804.第一UE接收到LMF的定位业务请求后,首先向第一UE对应的第一PKMF网元发送根密钥获取请求,其中包括所述第一UE存储的本地根密钥标识。以请求第一PKMF提供根密钥。
可选的,如果此时第一UE已经有来自第一PKMF的有效根密钥,所述根密钥获取请求中还包含该有效根密钥的标识。
805.第一PKMF接收到所述根密钥获取请求后,确认第一UE是否被授权使用侧行链路定位业务。当所述第一UE能够使用侧行链路定位业务时,向所述第一UE发送根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识SLPK ID以及与所述有效根密钥标识对应的根密钥SLPK。
806.第一UE和第二UE之间执行发现(discovery)的过程,以寻找到对方。
807.如果第一UE中不存在有效的根密钥,则向第二UE发送直接通信请求,其中所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路。直接通信请求包括第一密钥相关信息,其中包含用于获取根密钥的根密钥相关信息(有效根密钥标识SLPK ID和用户隐藏标识符SUCI)、用于指示定位业务类型的定位业务码SLPC以及第一随机数K SLP nonce1,
808.第二UE在接收到所述第一UE发送的直接通信请求后,将所述直接通信请求转发给其对应的第二PKMF。
809.第二PKMF接收到所述直接通信请求后,将所述直接通信请求转发给第一PKMF。
810.第一PKMF接收到所述直接通信请求后,生成第二密钥相关信息(第二随机数K SLPnonce2),并根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥K SLP。然后将第二密钥相关信息和直连通信中间密钥反馈给第二PKMF。
可选的,第一PKMF还可以生成GPI(GBA Push Info),所述GPI用于和SUCI一起生成根密钥和根密钥标识。
811.所述第二PKMF将获取到的第二密钥相关信息和直连通信中间密钥发送给第二UE。
812.第二UE接收到第二密钥相关信息和直连通信中间密钥后,将第二密钥相关信息发送给第一UE。
813.第一UE接收到所述第二密钥相关信息后,即可根据其中的第二随机数,结合第一密钥相关信息生成所述直连通信中间密钥,再基于直连通信中间密钥生成直连通信会话密钥,其中包括用于对信息进行加解密的机密密钥(SLPEK)以及用于验证数据完整性的完整性密钥(SLPIK),并向第二UE发送直接通信安全性确认消息,以通知第二UE密钥配置完成。
814.第二UE向第一UE响应直接通信请求接收消息,以通知第一UE其直接连接的请求已经被接收。
815.继续进行定位过程。
上述本申请提供的实施例中,分别从网络设备的角度对本申请实施例提供的方法进行了介绍。为了实现上述本申请实施例提供的方法中的各功能,网络设备可以包括硬件结构、软件模块,以硬件结构、软件模块、或硬件结构加软件模块的形式来实现上述各功能。上述各功能中的某个功能可以以硬件结构、软件模块、或者硬件结构加软件模块的方式来执行。
与上述几种实施例提供的直连通信密钥生成方法相对应,本公开还提供一种直连通信密钥生成装置,由于本公开实施例提供的直连通信密钥生成装置与上述几种实施例提供的直连通信密钥生成方法相对应,因此直连通信密钥生成方法的实施方式也适用于本实施例提供的直连通信密钥生成装置,在本实施例中不再详细描述。
上述本申请提供的实施例中,分别从网络设备、用户设备的角度对本申请实施例提供的方法进行了介绍。为了实现上述本申请实施例提供的方法中的各功能,网络设备和用户设备可以包括硬件结构、软件模块,以硬件结构、软件模块、或硬件结构加软件模块的形式来实现上述各功能。上述各功能中的某个功能可以以硬件结构、软件模块、或者硬件结构加软件模块的方式来执行。
请参见图9,为本申请实施例提供的一种通信装置90的结构示意图。图9所示的通信装置90可包括收发模块901和处理模块902。收发模块901可包括发送模块和/或接收模块,发送模块用于实现发送功能,接收模块用于实现接收功能,收发模块901可以实现发送功能和/或接收功能。
通信装置90可以是用户设备(如前述方法实施例中的用户设备),也可以是用户设备中的装置,还可以是能够与用户设备匹配使用的装置。或者,通信装置90可以是网络设备,也可以是网络设备中的装置,还可以是能够与网络设备匹配使用的装置。
通信装置90为用户设备(如前述方法实施例中的第一用户设备UE),所述装置包括:
收发模块和处理模块,其中:
所述收发模块用于:
向第二UE发送直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息,所述第一密钥相关信息供所述第二UE从所述第一UE的第一定位密钥管理功能PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二UE发送的所述第二密钥相关信息;
所述处理模块用于:根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过侧行链路传输的信息进行完整性保护和/或加密保护。
通信装置90为用户设备(如前述方法实施例中的第二用户设备UE),所述装置包括:
收发模块用于:
接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
向所述第一UE发送所述第二密钥相关信息,其中所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过侧行链路传输的信息进行完整性保护和/或加密保护。
通信装置90为网络设备(如前述方法实施例中的第一用户设备UE的第一定位密钥管理功能PKMF网元),所述装置包括:
收发模块和处理模块,其中:
所述收发模块用于接收第二UE的第二PKMF网元发送的第一密钥相关信息;
所述处理模块用于生成第二密钥相关信息;根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;
所述收发模块用于向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
通信装置90为网络设备(如前述方法实施例中的第二用户设备UE的第二定位密钥管理功能PKMF网元),所述装置包括:
收发模块和处理模块,其中:
所述收发模块用于接收第二UE发送的第一密钥相关信息;
所述处理模块用于验证所述第二UE是否能够使用侧行链路定位业务;
所述收发模块用于当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一密钥相关信息与所述第一PKMF网元生成的第二密钥相关信息被所述第一PKMF网元用来生成直连通信中间密钥;接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
请参见图10,图10是本申请实施例提供的另一种通信装置100的结构示意图。通信装置100可以是网络设备,也可以是用户设备(如前述方法实施例中的用户设备),也可以是支持网络设备实现上述方法的芯片、芯片系统、或处理器等,还可以是支持用户设备实现上述方法的芯片、芯片系统、或处理器等。该装置可用于实现上述方法实施例中描述的方法,具体可以参见上述方法实施例中的说明。
通信装置100可以包括一个或多个处理器1001。处理器1001可以是通用处理器或者专用处理器等。例如可以是基带处理器或中央处理器。基带处理器可以用于对通信协议以及通信数据进行处理,中央处理器可以用于对通信装置(如,基站、基带芯片,终端设备、终端设备芯片,DU或CU等)进行控制,执行计算机程序,处理计算机程序的数据。
可选的,通信装置100中还可以包括一个或多个存储器1002,其上可以存有计算机程序1003,处理器1001执行所述计算机程序1003,以使得通信装置100执行上述方法实施例中描述的方法。可选的,所述存储器1002中还可以存储有数据。通信装置100和存储器1002可以单独设置,也可以集成在一起。
可选的,通信装置100还可以包括收发器1004、天线1005。收发器1004可以称为收发单元、收发机、或收发电路等,用于实现收发功能。收发器1004可以包括接收器和发送器,接收器可以称为接收机或接收电路等,用于实现接收功能;发送器可以称为发送机或发送电路等,用于实现发送功能。
可选的,通信装置100中还可以包括一个或多个接口电路1006。接口电路1006用于接收代码指令并传输至处理器1001。处理器1001运行所述代码指令以使通信装置100执行上述方法实施例中描述的方法。
在一种实现方式中,处理器1001中可以包括用于实现接收和发送功能的收发器。例如该收发器可以是收发电路,或者是接口,或者是接口电路。用于实现接收和发送功能的收发电路、接口或接口电路可以是分开的,也可以集成在一起。上述收发电路、接口或接口电路可以用于代码/数据的读写,或者,上述收发电路、接口或接口电路可以用于信号的传输或传递。
在一种实现方式中,处理器1001可以存有计算机程序1003,计算机程序1003在处理器1001上运行,可使得通信装置100执行上述方法实施例中描述的方法。计算机程序1003可能固化在处理器1001中,该种情况下,处理器1001可能由硬件实现。
在一种实现方式中,通信装置100可以包括电路,所述电路可以实现前述方法实施例中发送或接收或者通信的功能。本申请中描述的处理器和收发器可实现在集成电路(integrated circuit,IC)、模拟IC、射频集成电路RFIC、混合信号IC、专用集成电路(application specific integrated circuit,ASIC)、印刷电路板(printed circuit board,PCB)、电子设备等上。该处理器和收发器也可以用各种IC工艺技术来制造,例如互补金属氧化物半导体(complementary metal oxide semiconductor,CMOS)、N型金属氧化物半导体(nMetal-oxide-semiconductor,NMOS)、P型金属氧化物半导体(positive channel metal oxide semiconductor,PMOS)、双极结型晶体管(bipolar junction transistor,BJT)、双极CMOS(BiCMOS)、硅锗(SiGe)、砷化镓(GaAs)等。
以上实施例描述中的通信装置可以是网络设备或者用户设备(如前述方法实施例中的用户设备),但本申请中描述的通信装置的范围并不限于此,而且通信装置的结构可以不受图10的限制。通信装置可以是独立的设备或者可以是较大设备的一部分。例如所述通信装置可以是:
(1)独立的集成电路IC,或芯片,或,芯片系统或子系统;
(2)具有一个或多个IC的集合,可选的,该IC集合也可以包括用于存储数据,计算机程序的存储部件;
(3)ASIC,例如调制解调器(Modem);
(4)可嵌入在其他设备内的模块;
(5)接收机、终端设备、智能终端设备、蜂窝电话、无线设备、手持机、移动单元、车载设备、网络设备、云设备、人工智能设备等等;
(6)其他装置。
对于通信装置可以是芯片或芯片系统的情况,可参见图11所示的芯片的结构示意图。图11所示的芯片包括处理器1101和接口1102。其中,处理器1101的数量可以是一个或多个,接口1102的数量可以是多个。
可选的,芯片还包括存储器1103,存储器1103用于存储必要的计算机程序和数据。
本领域技术人员还可以了解到本申请实施例列出的各种说明性逻辑块(illustrative logical block)和步骤(step)可以通过电子硬件、电脑软件,或两者的结合进行实现。这样的功能是通过硬件还是软件来实现取决于特定的应用和整个系统的设计要求。本领域技术人员可以对于每种特定的应用,可以使用各种方法实现所述的功能,但这种实现不应被理解为超出本申请实施例保护的范围。
本申请实施例还提供一种直连通信密钥生成系统,该系统包括前述图9实施例中作为用户设备(如前述方法实施例中的用户设备)的通信装置和作为网络设备的通信装置,或者,该系统包括前述图9实施例中作为用户设备(如前述方法实施例中的用户设备)的通信装置和作为网络设备的通信装置。
本申请还提供一种可读存储介质,其上存储有指令,该指令被计算机执行时实现上述任一方法实施例的功能。
本申请还提供一种计算机程序产品,该计算机程序产品被计算机执行时实现上述任一方法实施例的功能。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机程序。在计算机上加载和执行所述计算机程序时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机程序可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例 如,所述计算机程序可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如,软盘、硬盘、磁带)、光介质(例如,高密度数字视频光盘(digital video disc,DVD))、或者半导体介质(例如,固态硬盘(solid state disk,SSD))等。
本领域普通技术人员可以理解:本申请中涉及的第一、第二等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。
本申请中的至少一个还可以描述为一个或多个,多个可以是两个、三个、四个或者更多个,本申请不做限制。在本申请实施例中,对于一种技术特征,通过“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”等区分该种技术特征中的技术特征,该“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”描述的技术特征间无先后顺序或者大小顺序。
本申请中各表所示的对应关系可以被配置,也可以是预定义的。各表中的信息的取值仅仅是举例,可以配置为其他值,本申请并不限定。在配置信息与各参数的对应关系时,并不一定要求必须配置各表中示意出的所有对应关系。例如,本申请中的表格中,某些行示出的对应关系也可以不配置。又例如,可以基于上述表格做适当的变形调整,例如,拆分,合并等等。上述各表中标题示出参数的名称也可以采用通信装置可理解的其他名称,其参数的取值或表示方式也可以通信装置可理解的其他取值或表示方式。上述各表在实现时,也可以采用其他的数据结构,例如可以采用数组、队列、容器、栈、线性表、指针、链表、树、图、结构体、类、堆、散列表或哈希表等。
本申请中的预定义可以理解为定义、预先定义、存储、预存储、预协商、预配置、固化、或预烧制。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。

Claims (27)

  1. 一种直连通信密钥生成方法,其特征在于,所述方法由第一用户设备UE执行,所述方法包括:
    向第二UE发送直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息,所述第一密钥相关信息供所述第二UE从所述第一UE的第一定位密钥管理功能PKMF网元获取直连通信中间密钥与第二密钥相关信息;
    接收所述第二UE发送的所述第二密钥相关信息;以及
    根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过所述侧行链路传输的信息进行完整性保护和/或加密保护。
  2. 如权利要求1所述的方法,其特征在于,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
  3. 如权利要求2所述的方法,其特征在于,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
  4. 如权利要求3所述的方法,其特征在于,所述方法还包括:
    向所述第一PKMF网元发送根密钥获取请求;以及
    接收所述第一PKMF网元发送的根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
  5. 如权利要求4所述的方法,其特征在于,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,其中所述第一PKMF网元根据所述本地根密钥标识确定所述有效根密钥标识以及与所述根密钥。
  6. 如权利要求1-5中任一项所述的方法,其特征在于,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
  7. 一种直连通信密钥生成方法,其特征在于,所述方法由第二用户设备UE执行,所述方法包括:
    接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
    向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
    接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
    向所述第一UE发送所述第二密钥相关信息,其中,所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过所述侧行链路定位业务直连通信传输的信息进行完整性保护和/或加密保护。
  8. 如权利要求7所述的方法,其特征在于,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
  9. 如权利要求8所述的方法,其特征在于,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
  10. 如权利要求7-9中任一项所述的方法,其特征在于,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
  11. 一种直连通信密钥生成方法,其特征在于,所述方法由第一用户设备UE的第一定位密钥管理功能PKMF网元执行,所述方法包括:
    接收第二UE的第二PKMF网元发送的第一密钥相关信息;
    生成第二密钥相关信息;
    根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;以及
    向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
  12. 如权利要求11所述的方法,其特征在于,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
  13. 如权利要求12所述的方法,其特征在于,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
  14. 如权利要求13所述的方法,其特征在于,所述方法还包括:
    接收所述第一UE发送的根密钥获取请求;
    验证所述第一UE是否能够使用侧行链路定位业务;以及
    当所述第一UE能够使用侧行链路定位业务时,向所述第一UE发送根密钥获取响应,其中所述根密钥获取响应包括有效根密钥标识以及与所述有效根密钥标识对应的根密钥。
  15. 如权利要求14所述的方法,其特征在于,所述根密钥获取请求包括所述第一UE存储的本地根密钥标识,并且其中,所述方法还包括:
    根据所述本地根密钥标识确定所述有效根密钥标识与所述根密钥。
  16. 如权利要求11-15中任一项所述的方法,其特征在于,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
  17. 一种直连通信密钥生成方法,其特征在于,所述方法由第二用户设备UE的第二定位密钥管理功能PKMF网元执行,所述方法包括:
    接收第二UE发送的第一密钥相关信息;
    验证所述第二UE是否能够使用侧行链路定位业务;以及
    当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一密钥相关信息与所述第一PKMF网元生成的第二密钥相关信息被所述第一PKMF网元用来生成直连通信中间密钥;
    接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
    向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在执行侧行链路定位业务时在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
  18. 如权利要求17所述的方法,其特征在于,所述第一密钥相关信息包括用于获取根密钥的根密钥相关信息、用于指示定位业务类型的定位业务码以及第一随机数;所述第二密钥相关信息包括第二随机数。
  19. 如权利要求18所述的方法,其特征在于,所述根密钥相关信息包括有效根密钥标识或所述第一UE的用户隐藏标识符SUCI。
  20. 如权利要求17-19中任一项所述的方法,其特征在于,所述直连通信会话密钥包括用于对信息进行加解密的机密密钥以及用于验证数据完整性的完整性密钥。
  21. 一种直连通信密钥生成装置,其特征在于,用于第一用户设备UE,所述装置包括收发模块和处理模块,其中:
    所述收发模块用于:
    向第二UE发送直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息,所述第一密钥相关信息供所述第二UE从所述第一UE的第一定位密钥管理功能PKMF网元获取直连通信中间密钥与第二密钥相关信息;
    接收所述第二UE发送的所述第二密钥相关信息;
    所述处理模块用于:根据所述第一密钥相关信息以及所述第二密钥相关信息生成所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以在所述第一UE与所述第二UE之间对通过所述侧行链路传输的信息进行完整性保护和/或加密保护。
  22. 一种直连通信密钥生成装置,其特征在于,用于第二用户设备UE,所述装置包括收发模块用于:
    接收第一UE发送的直接通信请求,其中,所述直接通信请求用于请求在所述第一UE与所述第二UE之间创建用于侧行链路定位业务的侧行链路,并且其中,所述直接通信请求包括第一密钥相关信息;
    向所述第二UE的第二定位密钥管理功能PKMF网元发送所述第一密钥相关信息,以使所述第二PKMF网元根据所述第一密钥相关信息从所述第一UE的第一PKMF网元获取直连通信中间密钥与第二密钥相关信息;
    接收所述第二PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及
    向所述第一UE发送所述第二密钥相关信息,其中所述第一密钥相关信息以及所述第二密钥相关信息供所述第一UE生成所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间通过所述侧行链路传输的信息进行完整性保护和/或加密保护。
  23. 一种直连通信密钥生成装置,其特征在于,用于第一用户设备UE的第一定位密钥管理功能PKMF网元,所述装置包括收发模块和处理模块,其中:
    所述收发模块用于接收第二UE的第二PKMF网元发送的第一密钥相关信息;
    所述处理模块用于生成第二密钥相关信息;根据所述第一密钥相关信息以及所述第二密钥相关信息,生成直连通信中间密钥;
    所述收发模块用于向所述第二UE的第二PKMF网元发送所述第二密钥相关信息与所述直连通信中间密钥;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
  24. 一种直连通信密钥生成装置,其特征在于,用于第二用户设备UE的第二定位密钥管理功能PKMF网元,所述装置包括收发模块和处理模块,其中:
    所述收发模块用于接收第二UE发送的第一密钥相关信息;
    所述处理模块用于验证所述第二UE是否能够使用侧行链路定位业务;
    所述收发模块用于当所述第二UE能够使用侧行链路定位业务时,向第一UE的第一PKMF网元发送所述第一密钥相关信息,其中所述第一密钥相关信息与所述第一PKMF网元生成的第二密钥相关信息被所述第一PKMF网元用来生成直连通信中间密钥;接收所述第一PKMF网元发送的所述直连通信中间密钥与所述第二密钥相关信息;以及向所述第二UE发送所述直连通信中间密钥与所述第二密钥相关信息;
    其中,所述直连通信中间密钥用于生成直连通信会话密钥,以对在所述第一UE与所述第二UE之间传输的信息进行完整性保护和/或加密保护。
  25. 一种通信设备,其中,包括:收发器;存储器;处理器,分别与所述收发器及所述存储器连接,配置为通过执行所述存储器上的计算机可执行指令,控制所述收发器的无线信号收发,并能够实现权利要求1-20任一项所述的方法。
  26. 一种系统,包括第一UE、第一UE的第一定位密钥管理功能PKMF网元、第二UE以及第二UE的第二PKMF网元,其中所述第一UE用于执行如权利要求1-6中任一项所述的方法,所述第二UE用于执行如权利要求7-10中任一项所述的方法,所述第一PKMF网元用于执行如权利要求11-16中任一项所述的方法,所述第二PKMF网元用于执行如权利要求17-20中任一项所述的方法。
  27. 一种计算机存储介质,其中,所述计算机存储介质存储有计算机可执行指令;所述计算机可执行指令被处理器执行后,能够实现权利要求1-20任一项所述的方法。
PCT/CN2022/122942 2022-09-29 2022-09-29 直连通信密钥生成方法及装置 WO2024065549A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2022/122942 WO2024065549A1 (zh) 2022-09-29 2022-09-29 直连通信密钥生成方法及装置
CN202280003879.8A CN118120177A (zh) 2022-09-29 2022-09-29 直连通信密钥生成方法及装置

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/122942 WO2024065549A1 (zh) 2022-09-29 2022-09-29 直连通信密钥生成方法及装置

Publications (1)

Publication Number Publication Date
WO2024065549A1 true WO2024065549A1 (zh) 2024-04-04

Family

ID=90475509

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/122942 WO2024065549A1 (zh) 2022-09-29 2022-09-29 直连通信密钥生成方法及装置

Country Status (2)

Country Link
CN (1) CN118120177A (zh)
WO (1) WO2024065549A1 (zh)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110809892A (zh) * 2017-06-30 2020-02-18 华为技术有限公司 一种认证方法及终端、网络设备
WO2021196011A1 (zh) * 2020-03-31 2021-10-07 华为技术有限公司 一种终端设备标识的获取方法、装置及系统
US20220109996A1 (en) * 2020-10-01 2022-04-07 Qualcomm Incorporated Secure communication link establishment for a ue-to-ue relay
WO2022088029A1 (zh) * 2020-10-30 2022-05-05 华为技术有限公司 密钥获取方法和通信装置
CN114915407A (zh) * 2021-02-10 2022-08-16 大唐移动通信设备有限公司 Pc5根密钥处理方法、装置、ausf及远程终端

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110809892A (zh) * 2017-06-30 2020-02-18 华为技术有限公司 一种认证方法及终端、网络设备
WO2021196011A1 (zh) * 2020-03-31 2021-10-07 华为技术有限公司 一种终端设备标识的获取方法、装置及系统
US20220109996A1 (en) * 2020-10-01 2022-04-07 Qualcomm Incorporated Secure communication link establishment for a ue-to-ue relay
WO2022088029A1 (zh) * 2020-10-30 2022-05-05 华为技术有限公司 密钥获取方法和通信装置
CN114915407A (zh) * 2021-02-10 2022-08-16 大唐移动通信设备有限公司 Pc5根密钥处理方法、装置、ausf及远程终端

Also Published As

Publication number Publication date
CN118120177A (zh) 2024-05-31

Similar Documents

Publication Publication Date Title
CN102201846A (zh) 基于soft AP技术的无线数据传输系统及其方法
WO2023206033A1 (zh) 混合自动重传请求harq反馈的处理方法及其装置
CN111866989A (zh) 通信方法、装置及系统
WO2024065549A1 (zh) 直连通信密钥生成方法及装置
WO2022082667A1 (zh) 一种数据安全传输的方法及装置
WO2024168935A1 (zh) 一种消息验证方法及其装置
WO2024065469A1 (zh) 一种直连链路建立方法、设备及存储介质
WO2024065336A1 (zh) 一种侧行链路定位方法及装置
WO2024164349A1 (zh) 侧链路通信方法及装置
WO2024164346A1 (zh) 一种网络标识的传输方法及其装置
WO2024092827A1 (zh) 一种测距方法及其装置
WO2024065335A1 (zh) 一种侧行链路定位方法及装置
WO2024182954A1 (zh) 感知节点发现方法及其装置
WO2024207384A1 (zh) 一种随机接入类型确定方法及其装置
WO2024050846A1 (zh) 近邻通信方法和装置
WO2024130561A1 (zh) 一种用户位置信息的可信确定方法及其装置
WO2022222012A1 (zh) 寻呼处理方法及其装置
WO2024207368A1 (zh) 一种卫星覆盖信息确定方法及其装置
WO2024065131A1 (zh) 一种多路径传输方法/装置/设备及存储介质
WO2024138581A1 (zh) 一种网络切片的授权方法、装置、设备及存储介质
WO2024065844A1 (zh) 一种路径切换能力的交互方法及其装置
WO2023143252A1 (zh) 授时的方法及通信装置
WO2024197474A1 (zh) 一种密钥协商方法、装置、设备及存储介质
EP4271071A1 (en) Wireless communication method, and devices and storage medium
WO2023010429A1 (zh) 一种带宽部分的同步方法及其装置

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280003879.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22960184

Country of ref document: EP

Kind code of ref document: A1