WO2024092399A1

WO2024092399A1 - Data transmission method and communication apparatus

Info

Publication number: WO2024092399A1
Application number: PCT/CN2022/128607
Authority: WO
Inventors: 习燕; 严学强; 赵明宇; 邢玮俊; 武绍芸; 吴建军
Original assignee: 华为技术有限公司
Priority date: 2022-10-31
Filing date: 2022-10-31
Publication date: 2024-05-10

Abstract

The present application provides a data transmission method. The method comprises: a first device (a data sending end) performing integrity protection processing and encryption processing on first data by means of a first protocol layer to obtain second data; and the first device transparently transmits the second data to a second device (a data receiving end) by means of an access network device; wherein the first protocol layer is deployed in both the first device and the second device, and the first protocol layer has a function of encrypting/decrypting data and a function of performing integrity protection/verification on the data. When the first device is a terminal device, the second device is a first core network element; and when the first device is a first core network element, the second device is a terminal device. According to the data transmission method, encryption/decryption and integrity protection/verification are performed on data by means of the terminal device and the first core network element in a data transmission process, thereby preventing the access network device from performing encryption/decryption and integrity protection/verification on user plane data, and improving data security.

Description

Data transmission method and communication device

Technical Field

The present application relates to the field of communication technology, and in particular to a data transmission method and a communication device.

Background technique

Access network equipment can connect user equipment (or terminal equipment) to the wireless network so that the terminal equipment can exchange data with other terminal equipment. In order to ensure the security of user data during the data exchange process, the terminal equipment can usually encrypt the user data through the packet data convergence protocol (PDCP) layer when transmitting user data.

However, the communication between the access network equipment and the terminal equipment follows the same protocol layer structure, that is, the access network equipment side can decrypt the encrypted data of the terminal equipment at the PDCP layer, and the access network equipment side can see the plaintext user plane data (that is, unencrypted user data). Therefore, the access network equipment is often suspected of leaking and modifying the user plane data.

Summary of the invention

The present application provides a data transmission method and a communication device to prevent access network equipment from encrypting/decrypting and performing integrity protection/verification on user plane data, thereby improving data security.

In the first aspect, the present application provides a data transmission method, which includes: a first device (data sending end) performs integrity protection processing and encryption processing on first data through a first protocol layer to obtain second data; the first device transparently transmits the second data to a second device (data receiving end) through an access network device; wherein the first device and the second device are both deployed with a first protocol layer, and the first protocol layer has the function of encrypting/decrypting data and the function of integrity protection/verification of data. And when the first device is a terminal device, the second device is a first core network element; when the first device is a first core network element, the second device is a terminal device.

Based on the method described in the first aspect, during the data transmission process, the first core network element and the terminal device encrypt/decrypt and integrity protect/verify the user plane data through the deployed first protocol layer, avoiding the access network device from decrypting the user plane data during the transmission process, thereby avoiding the access network from knowing the plaintext user plane data, and improving the security of the data. And after the user plane data is encrypted and integrity protected from the terminal device to the core network element, the link between the access network device and the core network element may not be encrypted, which reduces the operating cost compared to the transmission method that requires two encryptions (i.e., encryption between the terminal device and the access network device, and encryption of the link between the access network device and the core network element).

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, the service data adaptation protocol SDAP layer, the second protocol layer, the radio link control RLC layer, the media access control MAC layer and the first physical layer in sequence; wherein the second protocol layer has the data packet sorting function and the data packet replication function. The protocol layers deployed by the first core network network element are the first protocol layer, the general packet radio service tunneling protocol GTP-U of the user plane part, the user datagram protocol UDP, the Internet protocol IP, the data link layer protocol and the second physical layer protocol in sequence. The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, the data link layer protocol and the second physical layer protocol in sequence. By implementing this possible implementation method, the protocol stack supports flexible deployment, so that it can adapt to different scenarios.

In a possible implementation, the protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has the functions of data packet sorting, diversion and data packet replication. The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence; the protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence. By implementing this possible implementation method, the protocol stack supports flexible deployment, so that it can adapt to different scenarios.

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, the third protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the first protocol layer also has the function of IP header compression and the data packet sorting function, and the third protocol layer has the function of the SDAP layer and the data packet replication function. The protocol layers deployed by the first core network network element are the first protocol layer, GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence. The protocol stack deployed by the access network device includes the third protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence. By implementing this possible implementation method, the protocol stack supports flexible deployment, so that it can adapt to different scenarios. In addition, IP header compression is performed on the terminal device and the core network network element, which can reduce the load of the GTP-U link compared to the method in which IP header compression is performed on the terminal device and the access network device.

In a possible implementation, when the first device is a terminal device, the first device sends a protocol data unit PDU session establishment request message to the second core network element; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting the first data. The first device receives a PDU session establishment response message from the second core network element, and the PDU session establishment response message includes a target encryption integrity policy. The target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the session management function SMF, the encryption integrity policy of the application function AF, or the encryption integrity policy of the policy control function PCF. Further, the first device generates a first key and a second key according to the target encryption integrity policy; the first key is used to perform integrity protection/verification processing on the first data, and the second key is used to perform encryption/decryption processing on the first data. By implementing this possible implementation method, the terminal device generates a key through the target encryption integrity policy issued by the second core network element, ensuring that the terminal device and the first core network element correspond to the same encryption integrity policy, so as to ensure the normal encryption/decryption and integrity protection/verification of the data.

In a possible implementation, the PDU session establishment request message includes the encryption and security policy of the terminal device. By implementing this possible implementation, the terminal device carries the encryption and security policy of the terminal device in the PDU session establishment request message, and no additional signaling is required to transmit the encryption and security policy of the terminal device, thereby saving communication resources; and the second core network element can determine the target encryption and security policy in combination with the encryption and security policy of the terminal device, so that the target encryption and security policy can be more in line with user needs.

In a possible implementation, when the first device is a first core network element, the first device receives a target encryption integrity policy from a second core network element; wherein the target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF; the first device receives a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification processing on the first data, and the second key is used to perform encryption/decryption processing on the first data; the first key and the second key are generated according to the target encryption integrity policy. By implementing this possible implementation method, the first core network element performs data encryption/decryption and integrity protection/verification through the target encryption integrity policy and key (including the first key and the second key) issued by the second core network element, ensuring that the terminal device and the first core network element correspond to the same encryption integrity policy, so as to ensure the normal data encryption/decryption and integrity protection/verification.

In a possible implementation, at the first protocol layer, the first device performs integrity protection processing on the first data according to the target encryption integrity policy and the first key; the first device performs encryption processing on the first data according to the target encryption integrity policy and the second key.

In a possible implementation, the encryption integrity strategy includes a granularity for encrypting/decrypting or integrity protection/verification of the first data, and the granularity is one of a PDU session, a quality of service flow QoS Flow, or a data flow. By implementing this possible implementation method, the execution efficiency and accuracy of encryption/decryption or integrity protection/verification of the data can be selected by controlling the granularity for encrypting/decrypting or integrity protection/verification of the data, thereby improving the flexibility of encryption integrity in the data transmission method of the present application.

In one possible implementation, the first device performs integrity protection processing on the first data according to the first key and the granularity identifier; the first device performs encryption processing on the first data according to the second key and the granularity identifier; wherein the granularity identifier is one of a QoS Flow identifier, a PDU session identifier, or a data flow identifier.

In a possible implementation, the encryption integrity policy is also used to instruct the terminal device to perform encryption/decryption processing or integrity protection/verification processing with the first core network element; or, it is also used to instruct the terminal device to perform encryption/decryption processing or integrity protection/verification processing with the access network device. By implementing this possible implementation method, the diversity of devices that encrypt and protect data can be improved, thereby improving the compatibility of the data transmission method provided by this application.

In a second aspect, the present application provides a data transmission method, the method comprising: a second device receives second data transmitted from a first device through an access network device; the second device decrypts and performs integrity verification on the second data through a first protocol layer to obtain first data; wherein the first device and the second device are both deployed with a first protocol layer, and the first protocol layer has a function of encrypting/decrypting data and a function of performing integrity protection/verification on data; the first device is a terminal device, and the second device is a first core network network element; or, the first device is a first core network network element, and the second device is a terminal device.

The beneficial effects of the method provided in the second aspect can be found in the description of the beneficial effects of the method in the first aspect, which will not be repeated here.

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, the service data adaptation protocol SDAP layer, the second protocol layer, the radio link control RLC layer, the media access control MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function and a data packet duplication function;

The protocol layers deployed by the first core network element are the first protocol layer, the general packet radio service tunneling protocol GTP-U of the user plane part, the user datagram protocol UDP, the Internet protocol IP, the data link layer protocol and the second physical layer protocol;

The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence. The access network device also deploys GTP-U, UDP, IP, the data link layer protocol and the second physical layer protocol in sequence.

In a possible implementation, the protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function, a flow distribution function and a data packet replication function;

The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence;

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, the third protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the first protocol layer also has the function of IP header compression and data packet sorting, and the third protocol layer has the function of the SDAP layer and the data packet replication function;

The protocol stack deployed by the access network device includes the third protocol layer, RLC layer, MAC layer and the first physical layer in sequence. The access network device also deploys GTP-U, UDP, IP, data link layer protocol and the second physical layer protocol in sequence.

In one possible implementation, when the second device is a terminal device, the second device sends a protocol data unit PDU session establishment request message to the second core network network element; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting the second data; the second device receives a PDU session establishment response message from the second core network network element, and the PDU session establishment response message includes a target encryption integrity policy; wherein the target encryption integrity policy is determined based on one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the session management function SMF, the encryption integrity policy of the application function AF, or the encryption integrity policy of the policy control function PCF; the second device generates a first key and a second key according to the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the second data, and the second key is used to perform encryption/decryption processing on the second data.

In a possible implementation, the PDU session establishment request message includes an encryption security policy of the terminal device.

In one possible implementation, when the second device is a first core network element, the second device receives a target encryption integrity policy from the second core network element; wherein the target encryption integrity policy is determined based on one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF; the second device receives a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification on the second data, and the second key is used to perform encryption/decryption on the second data; the first key and the second key are generated based on the target encryption integrity policy.

In a possible implementation, at the first protocol layer, the second device decrypts the second data according to the target encryption security policy and the second key; the second device performs integrity verification on the second data according to the target encryption security policy and the first key.

In one possible implementation, the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the second data, and the granularity is one of PDU session, quality of service flow QoS Flow or data flow.

In one possible implementation, the second device decrypts the second data according to the second key and the granularity identifier; the second device performs integrity verification on the second data according to the first key and the granularity identifier; wherein the granularity identifier is one of a QoS Flow identifier, a PDU session identifier, or a data flow identifier.

In one possible implementation, the encryption integrity policy is also used to instruct the terminal device and the first core network element to perform encryption/decryption processing or integrity protection/verification processing; or, it is also used to instruct the terminal device and the access network device to perform encryption/decryption processing or integrity protection/verification processing.

In the third aspect, the present application provides a method for determining an encryption integrity policy, the method comprising: a second core network network element determines a target encryption integrity policy for target data; the target encryption integrity policy is determined based on one or more of the following policies: the encryption integrity policy of a terminal device, the encryption integrity policy of a session management function SMF, the encryption integrity policy of an application function AF, or the encryption integrity policy of a policy control function PCF; the second core network network element sends the target encryption integrity policy to the terminal device, the access network device corresponding to the terminal device, and the first core network network element.

Based on the method described in the third aspect, after the second core network network element determines the target encryption and security policy, it sends the target encryption and security policy to the terminal device, the access network device and the first core network network element, so that during the transmission of the target data, each transmission node (including the terminal device, the access network device and the first core network network element) reaches a consensus on the encryption and security policy of the target data, which is conducive to improving the transmission efficiency of the target data and the security of the target data.

In a possible implementation, the second core network element receives a protocol data unit (PDU) session establishment request message sent from a terminal device; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting target data; the second core network element sends a PDU session establishment response message to the terminal device, and the PDU session establishment response message includes a target encryption integrity policy. By implementing this possible implementation method, the second core network element carries the target encryption integrity policy in the PDU session establishment response message, and no additional signaling is required to transmit the target encryption integrity policy, thereby saving communication resources.

In a possible implementation, the PDU session establishment request message includes the encryption and security policy of the terminal device. By implementing this possible implementation, the second core network element can determine the target encryption and security policy in combination with the encryption and security policy of the terminal device, so that the target encryption and security policy can better meet the needs of users. In addition, the terminal device carries the encryption and security policy of the terminal device in the PDU session establishment request message, and no additional signaling is required to transmit the encryption and security policy of the terminal device, thereby saving communication resources.

In one possible implementation, the second core network network element generates a first key and a second key based on the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the target data, and the second key is used to perform encryption/decryption processing on the target data; the second core network network element sends the first key and the second key to the first core network network element.

In one possible implementation, the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the target data, and the granularity is one of a PDU session, a quality of service flow QoS Flow, or a data flow. By implementing this possible implementation method, the execution efficiency and accuracy of encryption/decryption or integrity protection/verification of the data can be selected by controlling the granularity of encryption/decryption or integrity protection/verification of the data, thereby improving the flexibility of encryption integrity in the data transmission method of the present application.

In a fourth aspect, the present application provides a communication device, which may be a first device, or a device in the first device, or a device that can be used in combination with the first device; wherein the communication device may also be a chip system, and the communication device may execute the method executed by the first device in the first aspect to the third aspect. The functions of the communication device may be implemented by hardware, or by hardware executing corresponding software implementations. The hardware or software includes one or more units corresponding to the above functions. The unit may be software and/or hardware. The operations and beneficial effects performed by the communication device may refer to the methods and beneficial effects described in the first aspect to the third aspect above, and the repetitive parts will not be repeated.

In a fifth aspect, the present application provides a communication device, which may be a second device, or a device in the second device, or a device that can be used in combination with the second device; wherein the communication device may also be a chip system, and the communication device may execute the method executed by the second device in the first aspect to the third aspect, or the communication device may execute the method executed by the second device in the first aspect to the third aspect. The functions of the communication device may be implemented by hardware, or by hardware executing corresponding software implementations. The hardware or software includes one or more units corresponding to the above functions. The unit may be software and/or hardware. The operations and beneficial effects performed by the communication device may refer to the methods and beneficial effects described in the first aspect to the third aspect above, and the repeated parts will not be repeated.

In a sixth aspect, the present application provides a communication device, which may be a second core network element, or a device in the second core network element, or a device that can be used in combination with the second core network element; wherein the communication device may also be a chip system, and the communication device may execute the method executed by the second core network element in the first aspect to the third aspect, or the communication device may execute the method executed by the second core network element in the first aspect to the third aspect. The functions of the communication device may be implemented by hardware, or by hardware executing corresponding software implementations. The hardware or software includes one or more units corresponding to the above functions. The unit may be software and/or hardware. The operations and beneficial effects performed by the communication device may refer to the methods and beneficial effects described in the first aspect to the third aspect above, and the repeated parts will not be repeated.

In the seventh aspect, the present application provides a communication device, which includes a processor. When the processor calls a computer program in a memory, the method executed by the first device, the second device or the second core network element in the methods described in the first aspect to the third aspect is executed.

In an eighth aspect, the present application provides a communication device, comprising a processor and a memory, the memory being used to store computer execution instructions; the processor being used to execute the computer execution instructions stored in the memory, so that the communication device executes the method executed by the first device, the second device or the second core network element in the methods described in the first aspect to the third aspect.

In the ninth aspect, the present application provides a communication device, which includes a processor, a memory and a transceiver, wherein the transceiver is used to receive a signal or send a signal; the memory is used to store a computer program; and the processor is used to call the computer program from the memory to execute the method executed by the first device, the second device or the second core network element in the methods described in the first aspect to the third aspect.

In the tenth aspect, the present application provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive computer execution instructions and transmit them to the processor; the processor runs the computer execution instructions to execute the method executed by the first device, the second device or the second core network element in the methods described in the first aspect to the third aspect.

In the eleventh aspect, the present application provides a computer-readable storage medium, which is used to store computer execution instructions. When the computer execution instructions are executed, the first device, the second device or the second core network element in the methods described in the first aspect to the third aspect executes the method.

In a twelfth aspect, the present application provides a communication device, comprising a function or unit for executing the method as described in any one of the first to third aspects.

In a thirteenth aspect, the present application provides a computer program product comprising a computer program. When the computer program is executed, the method executed by the first device, the second device or the second core network element in the methods described in the first to third aspects is implemented.

In the fourteenth aspect, the present application provides a communication system, which includes a first device, a second device and a second core network element; wherein the first device is used to execute the method described in the first aspect, the second device is used to indicate the method of the second aspect, and the second core network element is used to execute the method described in the third aspect.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a schematic diagram of a network system architecture provided in an embodiment of the present application;

FIG2 is a schematic diagram of a core network architecture provided in an embodiment of the present application;

FIG3 is a schematic diagram of transmission of downlink data between protocol layers provided in an embodiment of the present application;

FIG4a is a schematic diagram of a protocol stack structure provided in an embodiment of the present application;

FIG4b is a schematic diagram of another protocol stack structure provided in an embodiment of the present application;

FIG4c is a schematic diagram of another protocol stack structure provided in an embodiment of the present application;

FIG5 is a schematic diagram of a flow chart of a data transmission method provided in an embodiment of the present application;

FIG6 is a schematic diagram of a data flow of integrity protection processing and encryption processing provided by an embodiment of the present application;

FIG7 is a data flow diagram of a decryption process and an integrity check process provided by an embodiment of the present application;

FIG8a is a schematic diagram of a flow chart of a method for determining target encryption integrity provided in an embodiment of the present application;

FIG8b is a schematic diagram of a flow chart of a key generation method provided in an embodiment of the present application;

FIG9 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application;

FIG. 10 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present application more clear, the present application will be further described in detail below in conjunction with the accompanying drawings.

The terms "first" and "second" and the like in the specification, claims and drawings of this application are used to distinguish different objects, rather than to describe a specific order. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions. For example, a process, method, system, product or device that includes a series of operations or units is not limited to the listed operations or units, but may optionally include operations or units that are not listed, or may optionally include other operations or units that are inherent to these processes, methods, products or devices.

Reference to "embodiments" herein means that a particular feature, structure, or characteristic described in conjunction with the embodiments may be included in at least one embodiment of the present application. The appearance of the phrase in various locations in the specification does not necessarily refer to the same embodiment, nor is it an independent or alternative embodiment that is mutually exclusive with other embodiments. It is explicitly and implicitly understood by those skilled in the art that the embodiments described herein may be combined with other embodiments.

In the present application, "at least one (item)" means one or more, "more than one" means two or more, "at least two (items)" means two or three and more than three, and "and/or" is used to describe the corresponding relationship of corresponding objects, indicating that there may be three relationships. For example, "A and/or B" can mean: only A exists, only B exists, and A and B exist at the same time, where A and B can be singular or plural. The character "/" generally indicates that the corresponding objects before and after are in an "or" relationship. "At least one of the following items" or similar expressions refers to any combination of these items, including any combination of single items or plural items. For example, at least one of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, c can be single or multiple.

In order to better understand the embodiments of the present application, the system architecture involved in the embodiments of the present application is first introduced below:

The technical solutions of the embodiments of the present application can be applied to various communication systems, for example: long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), new radio (NR), the 3rd generation partner project (3GPP) service-based architecture (SBA), and other fifth generation (5G) communication systems or sixth generation (6G) communication systems and other communication systems evolved after 5G.

Please refer to Figure 1, which is a schematic diagram of a network system architecture provided by an embodiment of the present application. As shown in Figure 1, a terminal device can access a wireless network to obtain services of an external network (such as a data network (data network, DN)) through the wireless network, or communicate with other devices through the wireless network, such as communicating with other terminal devices. The wireless network includes a (radio) access network ((radio) access network, (R) AN) and a core network (core network, CN), wherein the (R) AN (hereinafter described as RAN) is used to access the terminal device to the wireless network, and the CN is used to manage the terminal device and provide a gateway for communicating with the DN. The terminal device, RAN, CN and DN involved in the system architecture in Figure 1 are described in detail below.

1. Terminal equipment

The terminal device includes a device that provides voice and/or data connectivity to the user. For example, the terminal device is a device with wireless transceiver function, which can be deployed on land, including indoors or outdoors, handheld, wearable or vehicle-mounted; it can also be deployed on the water surface (such as ships, etc.); it can also be deployed in the air (such as airplanes, balloons and satellites, etc.). The terminal device can be a mobile phone, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a vehicle-mounted terminal, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, a wearable terminal, etc. The embodiments of the present application do not limit the application scenarios. Terminal equipment may sometimes also be referred to as terminal, user equipment (UE), access terminal, vehicle-mounted terminal, industrial control terminal, UE unit, UE station, mobile station, mobile station, remote station, remote terminal, mobile device, UE terminal, wireless communication equipment, UE agent or UE device, etc. The terminal may also be fixed or mobile. It is understood that all or part of the functions of the terminal in this application may also be implemented by software functions running on hardware, or by virtualization functions instantiated on a platform (such as a cloud platform). The terminal equipment in this application may be a terminal for 5G or a terminal for 6G, and this application does not limit this.

RAN

The RAN may include one or more RAN devices (or access network devices). The interface between the access network device and the terminal device may be a Uu interface (or air interface). Of course, in communications evolved after 5G, the names of these interfaces may remain unchanged, or may be replaced by other names, which is not limited in this application.

Access network equipment refers to the node or device that connects the terminal device to the wireless network. Access network equipment includes, but is not limited to: next generation node B (gNB), evolved node B (eNB), next generation evolved node B (ng-eNB), wireless backhaul equipment, radio network controller (RNC), node B (NB), home base station (HeNB) or (HNB), baseband unit (BBU), transmitting and receiving point (TP), etc. The RAN in the present application may be a RAN for 5G or a RAN for 6G, and the present application does not limit this.

3. CN

The CN may include one or more CN devices (which may be understood as network element devices or network function (NF)). In the following text, the CN devices are collectively referred to as core network elements (such as the first core network element and the second core network element in the following text).

Please refer to Figure 2, which is a structural diagram of a CN provided in this application. The CN in Figure 2 is a schematic diagram of the CN in the 5G network architecture. The CN shown in Figure 2 includes multiple CN devices: network slice selection function (NSSF), network exposure function (NEF), network function repository function (NRF), policy control function (PCF), unified data management (UDM), application function (AF), network control function (NCF), network slice specific authentication and authorization function (NSSAAF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), user plane function (UPF), service communication proxy (SCP), and network slice admission control function (NSSACF). in:

AMF is a control plane function provided by the operator network, responsible for access control and mobility management of terminal devices accessing the operator network, such as mobility status management, allocation of user temporary identity, authentication and authorization of users, etc.

SMF is a control plane function provided by the operator network, responsible for managing the protocol data unit (PDU) session of the terminal device. A PDU session is a channel for transmitting PDUs. The terminal device needs to transmit PDUs to and from the DN through the PDU session. SMF is responsible for establishing, maintaining, and deleting PDU sessions. SMF includes session management (such as session establishment, modification, and release, including tunnel maintenance between UPF and RAN), UPF selection and control, service and session continuity (SSC) mode selection, roaming, and other session-related functions.

PCF is a control plane function provided by the operator, including user subscription data management function, policy control function, charging policy control function, quality of service (QoS) control, etc. It is mainly used to provide PDU session strategy to SMF. Among them, the strategy can include charging-related strategy, QoS-related strategy and authorization-related strategy.

UPF is a gateway provided by the operator and is the gateway for the operator network to communicate with the DN. UPF includes functions related to the user plane, such as packet routing and transmission, packet detection, quality of service (QoS) processing, uplink packet detection, and downlink packet storage.

UDM is mainly used to manage the user's contract data and authentication data, as well as to perform authentication credit processing, user identity processing, access authorization, registration/mobility management, subscription management, and short message management. In some embodiments, UDM may also include a unified data repository (UDR). Alternatively, in other embodiments, the 3GPP SBA of the 5G system may also include a UDR. Among them, UDR is used to provide storage and retrieval for PCF policies, storage and retrieval of open structured data, and storage of user information requested by application functions.

It should be noted that the above-mentioned CN equipment may also be referred to as a network element or a functional network element. In a 5G communication system, each functional network element may be the name of each functional network element shown in FIG2. In a communication system evolved after 5G (such as a 6G communication system), each functional network element may still be the name of each functional network element shown in FIG2, or may have other names. For example, in a 5G communication system, the user plane function may be a UPF. In a communication system evolved after 5G (such as a 6G communication system), the user plane function may still be a UPF, or may have other names, which is not limited in this application.

It should also be noted that in the 5G communication system, the functions implemented by each functional network element can be independent as shown in Figure 2. In the communication system evolved after 5G (such as the 6G communication system), each functional network element can still be independent as shown in Figure 2, or the functions of multiple functional network elements in Figure 2 can be implemented by an integrated functional network element. For example, in the 5G communication system, the functions related to the user plane are implemented by the UPF, and the functions related to access and mobility management are implemented by the AMF. In the communication system evolved after 5G (such as the 6G communication system), the functions related to the user plane can still be implemented by the UPF, and the functions related to access and mobility management can still be implemented by the AMF, or the functions related to the user plane and the functions related to access and mobility management can also be implemented by an integrated functional network element at the same time, which is not limited in this application.

In Figure 2, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers. The meanings of these interface serial numbers can be found in the meanings defined in the relevant standard protocols and are not limited here.

4.DN

DN, also known as packet data network (PDN), is a network located outside the operator network. The operator network can access multiple DNs. Application servers corresponding to various services can be deployed in the DN to provide a variety of possible services for terminal devices.

In order to better understand the solution provided by this application, the following is an introduction to the protocol layer structure:

The communication between the terminal equipment and the access network equipment follows a certain protocol layer structure, and the communication between the access network equipment and the core network elements (such as UPF) must also follow a certain protocol layer structure. For example, the user plane protocol layer structure between the access network equipment and the terminal equipment (which can be understood as the user plane protocol layer structure of air interface transmission) includes: service data adaptation protocol (SDAP) layer, PDCP layer, radio link control (RLC) layer, media access control (MAC) layer and the first physical layer (Physical Layer, PHY layer); the user plane protocol layer structure between the access network equipment and the core network element (which can be understood as the user plane protocol structure of wired transmission) includes: general packet radio service tunneling protocol for the user plane (GTP-U), user datagram protocol (UDP), internet protocol (IP), data link layer (hereinafter collectively referred to as L2), and second physical layer (hereinafter collectively referred to as L1) in the user plane part.

Taking downlink data transmission as an example, FIG3 is a schematic diagram of downlink data transmission between protocol layers. The downward arrow in FIG3 indicates data transmission, and the upward arrow indicates data reception. In FIG3, the data on the UPF side is processed by GTP-U, UDP, IP, L2, and L1 in sequence. UPF transmits the data to the access network device. On the access network device side, the data is first processed by the wired transmission protocol, and is processed by L1, L2, IP, UDP, and GTP-U in sequence; then, on the access network device side, the data is processed by the air interface transmission protocol, and is processed by the SDAP layer, PDCP layer, RLC layer, MAC layer, and PHY layer in sequence. Further, the access network device transmits the data to the terminal device through air interface transmission, and the data is processed by the air interface transmission protocol on the terminal device side, and is processed by the PHY layer, MAC layer, RLC layer, PDCP layer, and SDAP layer in sequence. The uplink data transmission process is opposite to the direction indicated by the arrow in FIG3, and will not be described in detail here.

Taking the protocol layer in 5G as an example, the functions of some protocol layers involved in this application are introduced below:

(1)SDAP

The SDAP layer is located above the PDCP layer and directly carries the IP data packets of the user plane. The functions of the SDAP layer include but are not limited to: processing the mapping between QoS flows and data radio bearers (DRBs), and adding QoS flow indicators (QFIs) to data packets.

(2)PDCP

The functions of the PDCP layer include but are not limited to: user IP header compression function (the specific compression algorithm is jointly determined by the terminal device and the access network device); encryption/decryption (for control plane/user plane data); data integrity protection/verification (in 4G, the PDCP layer only performs integrity protection/verification on control plane data; in 5G, the PDCP layer can perform integrity protection/verification on control plane data, and can also perform integrity protection/verification on user plane data (optionally)); data packet sorting function; data packet replication function; diversion function, etc.

(3)RLC

The RLC layer is located below the PDCP layer. Since the RLC entity transmits data in three modes: Transparent Mode (TM), Unacknowledged Mode (UM) and Acknowledged Mode (AM), the RLC entity can be classified into TM entity, UM entity and AM entity. AM data transmission and reception share one entity, while UM and TM transmission and reception entities are separate. The functions of RLC include but are not limited to:

TM (broadcast message), UM (voice service, with delay requirements), AM (ordinary service, high accuracy); segmentation and reassembly (UM/AM, the size of the segmented data packet is determined by MAC, the data packet is larger when the wireless environment is good, and smaller when the wireless environment is poor); error correction (only for AM transmission, automatic repeat-request (ARQ) transmission, high-accuracy transmission).

(4)MAC

The functions of the MAC layer in 5G are similar to those in 4G, and its main function is scheduling. The functions of the MAC layer in 5G include but are not limited to: resource scheduling, mapping between logical channels and transport channels, multiplexing/demultiplexing, and asynchronous hybrid automatic repeat request (HARQ) for uplink and downlink.

(5)PHY

The functions of the 5G physical layer include but are not limited to: error detection, forward error correction (FEC) encryption and decryption, rate matching, physical channel mapping, adjustment and demodulation, frequency synchronization and time synchronization, wireless measurement, and multiple-in multiple-out (MIMO) processing.

(6)GTP-U

General Packet Radio Service (GPRS) is a wireless packet switching technology based on the Global System for Mobile Communications (GSM system), providing end-to-end, wide-area wireless IP connection. GPRS Tunneling Protocol (GTP) is a set of communication protocols based on the Internet Protocol (IP), used to carry GPRS in the GSM network, including the control plane protocol (also known as GTP-C) and the user plane protocol (GTP-U). The payload in GTP-U refers to the user's original data packet, such as IP data packet or Ethernet data packet.

During the data transmission process, the access network device and the terminal device perform encryption/decryption at the PDCP layer. That is, in the downlink data transmission process shown in Figure 3, the user plane data is integrity protected and encrypted at the PDCP layer on the access network device side, and decrypted and integrity checked at the PDCP layer on the terminal device side. Similarly, during the uplink data transmission process, the user plane data is integrity protected and encrypted at the PDCP layer on the terminal device side, and decrypted and integrity checked at the PDCP layer on the access network device side. It can be seen that the access network device can see the unencrypted user plane data, which poses security risks such as data leakage.

The present application provides a data transmission method, which can improve the security of data during data transmission. The data transmission method and communication device provided by the present application are further introduced below in conjunction with the accompanying drawings:

To facilitate understanding, before introducing the data transmission method provided in the present application, the protocol stack structure followed by the terminal device, access network device and the first core network network element in the present application is first described.

In the present application, the terminal device and the first core network element are deployed with a first protocol layer (having the function of encrypting/decrypting data and the function of protecting/verifying the integrity of data). Furthermore, the terminal device and the first core network element can perform integrity protection/verification on the data, as well as encrypt/decrypt the data through the first protocol layer. Specifically, in the present application, any one of the following three protocol stack structures can be followed between the terminal device, the first core network element and the access network device. In one possible implementation, the first protocol layer can be a service data protection protocol (SDPP).

Structure 1: See Figure 4a.

The protocol stack deployed by the terminal device (which can be understood as the air interface transmission protocol stack) is the first protocol layer, SDAP, the second protocol layer, RLC, MAC, and PHY. The protocol stack deployed by the first core network element (which can be understood as the wired transmission protocol stack) is the first protocol layer, GTP-U, UDP, IP, L2, and L1. The air interface transmission protocol stack deployed by the access network device is SDAP, the second protocol layer, RLC, MAC, and PHY; the wired transmission protocol stack deployed by the access network device includes GTP-U, UDP, IP, L2, and L1. Among them, the functions of the second protocol layer include packet sorting function and packet replication function.

In other words, the functions of the aforementioned PDCP are divided into two parts, and the part including the functions of integrity protection/verification of data and encryption/decryption of data (i.e., the first protocol layer) is deployed as the upper layer protocol of SDAP; the part including the data packet sorting function and data packet replication function (i.e., the second protocol layer) is deployed as the lower layer protocol of SDAP. The access network equipment does not deploy the first protocol layer, so it cannot process the data packet through the first protocol layer.

In one possible implementation, the first protocol layer also has an IP header compression function, that is, the IP header compression function in PDCP is placed in the first protocol layer. In another possible implementation, the second protocol layer also has an IP header compression function, that is, the IP header compression function in PDCP is placed in the second protocol layer.

It should be noted that, in the process of sending data, the protocol layer that processes the data packet first in the protocol stack can be considered as the upper protocol layer of the protocol layer that processes the data packet later; or, in the process of receiving data, the protocol layer that processes the data packet first can be considered as the lower protocol layer of the protocol layer that processes the data packet later. The order of "sequentially" mentioned in this application can be understood as the order in which the data packet is processed in each protocol layer during the data transmission process of the device deploying the protocol stack (that is, in the order from upper layer protocol to lower layer protocol in the protocol stack). The first core network element mentioned in this application is a user plane function that can transmit user plane data. For example, the first core network element is the UPF in the 5G CN shown in Figure 2. The full text is as follows.

Structure 2: See Figure 4b.

The protocol stack deployed by the terminal device (which can be understood as the air interface transmission protocol stack) is SDAP, the first protocol layer, the second protocol layer, RLC, MAC, and PHY. The protocol stack deployed by the first core network element (which can be understood as the wired transmission protocol stack) is the first protocol layer, GTP-U, UDP, IP, L2, and L1. The air interface transmission protocol stack deployed by the access network device is SDAP, the second protocol layer, RLC, MAC, and PHY; the wired transmission protocol stack deployed by the access network device includes GTP-U, UDP, IP, L2, and L1.

In other words, in structure 2, the functions of PDCP are divided into two parts: a part including the functions of integrity protection/verification of data and encryption/decryption of data (i.e., the first protocol layer) and a part including the functions of data packet sorting and data packet duplication (i.e., the second protocol layer). The terminal device and the first core network element are deployed with the first protocol layer, while the access network device is not deployed with the first protocol layer. Therefore, the terminal device and the first core network element can process the data packet through the first protocol layer, and the access network device cannot process the data packet through the first protocol layer. For example, after the terminal device processes the first data through the first protocol layer (i.e., encryption processing and integrity protection processing), the second data is obtained; after the access network device receives the second data from the terminal device, the second data is encapsulated in the load part of GTP-U and sent to the first core network element; after the first core network element receives the second data, the first core network element processes the second data through the first protocol layer (i.e., decryption processing and integrity verification processing) to obtain the first data.

Structure three: see Figure 4c.

The protocol stack deployed by the terminal device (which can be understood as the air interface transmission protocol stack) is the first protocol layer, the third protocol layer, RLC, MAC and PHY. The protocol stack deployed by the first core network element (which can be understood as the wired transmission protocol stack) is the first protocol layer, GTP-U, UDP, IP, L2, and L1. The air interface transmission protocol stack deployed by the access network device is the third protocol layer, RLC, MAC, and PHY; the wired transmission protocol stack deployed by the access network device includes GTP-U, UDP, IP, L2, and L1. Among them, the third protocol layer has the functions of the aforementioned SDAP and the data packet replication function of the aforementioned PDCP.

It can be understood that in structure 3, the data packet replication function of PDCP is deployed in the SDAP layer, and the first protocol layer with other functions (such as data encryption/decryption function, data integrity protection/verification function, IP header compression function, etc.) except the data packet replication function is deployed above SDAP. The access network equipment does not deploy the first protocol layer, so it cannot process the data packet through the first protocol layer.

It should be noted that in Structure 3, the aforementioned PDCP offloading function is mainly used in non-standalone (NSA) scenarios, and the first protocol layer in this application may not have the original PDCP offloading function.

The transmission method provided by the present application is explained in detail below in conjunction with the accompanying drawings. Please refer to Figure 5, which is a flow chart of a data transmission method provided by an embodiment of the present application. As shown in Figure 5, the data transmission method includes the following S501~S503. The execution subject of the method shown in Figure 5 can be a first device (sending device), a second device (receiving device), an access network device, and a second core network element, or the execution subject of the method shown in Figure 5 can be a chip of the first device, a chip of the second device, a chip of the access network device, and a chip of the second core network element. Figure 5 takes the first device, the second device, the access network device, and the second core network element as the execution subject of the method as an example for explanation. Among them:

S501. A first device performs integrity protection processing and encryption processing on first data through a first protocol layer to obtain second data.

The first device is deployed with a first protocol layer, which has the functions of encrypting/decrypting data and protecting/verifying the integrity of data.

That is to say, the first device performs integrity protection on the first data at the first protocol layer through the first key (the key used for data integrity protection/verification) to ensure the integrity of the first data during transmission; and encrypts the first data through the second key (the key used for data encryption/decryption) to ensure the security of the first data during transmission.

Among them, the first key and the second key are generated according to the target encryption security policy, and the target encryption security policy is determined by the second core network element according to one or more of the following policies: the encryption security policy of the terminal device (the first device or the second device in Figure 5), the encryption security policy of the SMF, the encryption security policy of the AF, or the encryption security policy of the PCF.

In one possible implementation, the second core network element obtains one or more of the encryption integrity policy of the terminal device (the first device or the second device in FIG. 5 ), the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF, and then determines the target encryption integrity policy. Furthermore, the second core network element sends the target encryption integrity policy to the first device, the second device, and the access network device so that the first device, the second device, and the access network device reach a consensus on the encryption/decryption and integrity protection/verification of the first data. It should be noted that the second core network element is an access and mobility management function. For example, the second core network element is the AMF in the 5G CN shown in FIG. 2 .

That is to say, after the second core network network element obtains the encryption integrity policy from one or more of the terminal device, SMF, AF or PCF, the second core network network element coordinates according to certain determination rules (such as device priority, encryption/decryption processing efficiency, integrity protection/verification processing efficiency, data security requirement level, etc.), determines the target encryption integrity policy, and sends the target encryption integrity policy to the first device, the second device and the access network device.

The encryption integrity policy includes a granularity for encrypting/decrypting or integrity protection/verification of the first data, and the granularity is one of a packet data unit (PDU) session, a QoS flow (also known as a QoS Flow), or a data flow. In addition, the encryption integrity policy can also be used to instruct: the terminal device to perform encryption/decryption processing or integrity protection/verification processing with the first core network element; or, it can also be used to instruct the terminal device to perform encryption/decryption processing or integrity protection/verification processing with the access network device.

It is understandable that a PDU session can include one or more QoS Flows, and a QoS Flow can include one or more data flows, that is, the granularity of encryption and integrity protection is PDU session granularity, QoS Flow granularity, and data flow granularity from large to small. In this way, the granularity of encryption/decryption or integrity protection/verification can be selected according to business needs (or data encryption needs), thereby improving the flexibility of data encryption/decryption or integrity protection/verification.

For example, the PDU session corresponding to the first data (or understood as being used to transmit the first data) includes three QoS Flows: QoS Flow 1, QoS Flow 2, and QoS Flow 3; each QoS Flow includes two data flows, for example, QoS Flow 1 includes data flow 11 and data flow 12. In this case, if the encryption requirement of the first data is to encrypt all data transmitted in the PDU session (i.e., all QoS Flows or all data flows), the granularity of encryption/decryption or integrity protection/verification corresponding to the first data may be the PDU session granularity. If the encryption requirement of the first data is to encrypt QoS Flow 1 and QoS Flow 2, and not to encrypt QoS Flow 3, the granularity of encryption/decryption or integrity protection/verification corresponding to the first data may be the QoS Flow granularity. If the encryption requirement of the first data is to encrypt only data flow 11, the granularity of encryption/decryption or integrity protection/verification corresponding to the first data may be the data flow granularity.

Furthermore, after the first device receives the target encryption integrity policy for the target data (i.e., the first data) from the second core network network element, the first device performs integrity protection processing on the first data at the first protocol layer according to the target encryption integrity policy and the first key; and encrypts the first data at the first protocol layer according to the target encryption integrity policy and the second key.

Specifically, in a possible implementation, the first device performs integrity protection processing on the first data according to the first key and the granularity identifier in the target encryption integrity policy; and encrypts the first data according to the second key and the granularity identifier in the target encryption integrity policy. The granularity identifier is one of QFI (i.e., QoS Flow identifier), PDU session identifier, or data flow identifier. The identifier of the data flow can be an IP quintuple or an L2 address, etc.

Exemplarily, as shown in 6a in FIG6 , the first device uses the first key and the granularity identifier as input parameters of the integrity algorithm, generates a message authentication code corresponding to the first data, and appends the message authentication code to the first data to obtain the first data processed with integrity protection. Further, as shown in 6b in FIG6 , the first device uses the second key and the granularity identifier as input parameters of the encryption algorithm, generates a data key stream block (also called keystream block), and uses the data key stream block to encrypt the first data processed with integrity protection (i.e., the first data containing the message authentication code) to obtain the second data.

S502: The first device transparently transmits the second data to the second device through the access network device. Correspondingly, the second device receives the second data transparently transmitted by the first device through the access network device.

In other words, the first device sends the second data to the access network device, the access network device does not perform decryption processing and integrity verification processing on the second data, and the access network device sends the second data to the second device.

Among them, when the first device is a terminal device, the second device is a first core network element; or, when the first device is a first core network element, the second device is a terminal device.

S503: The second device performs decryption processing and integrity verification processing on the second data through the first protocol layer to obtain the first data.

The second device is deployed with a first protocol layer, which has the function of encrypting/decrypting data and the function of protecting/verifying the integrity of data.

That is to say, the second device decrypts the second data through the second key (key used for data encryption/decryption) at the first protocol layer to ensure the security of the first data during transmission; and performs integrity verification on the second data through the first key (key used for data integrity protection/verification) to ensure the integrity of the first data during transmission.

It should be noted that the description of the first key, the second key and the target encryption security policy (used to generate the first key and the second key) can be found in the relevant description in the aforementioned S501, which will not be repeated here.

In one possible implementation, the second device receives a target encryption integrity policy for target data (i.e., second data) from a second core network element. Further, the second device performs integrity verification processing on the second data at the first protocol layer according to the target encryption integrity policy and the first key; and decrypts the second data at the first protocol layer according to the target encryption integrity policy and the second key.

Specifically, in one possible implementation, the second device performs integrity check processing on the second data according to the first key and the granularity identifier in the target encryption security policy; and decrypts the second data according to the second key and the granularity identifier in the target encryption security policy. The granularity identifier is one of a QFI, a PDU session identifier, or a data flow identifier. The identifier of the data flow can be an IP quintuple or an L2 address, etc.

Exemplarily, as shown in 7a of FIG7 , the second device uses the second key and the granularity identifier as input parameters of the encryption algorithm, generates a data key stream block, and uses the data key stream block to decrypt the second data to obtain the first data including the message authentication code. Further, as shown in 7b of FIG7 , the second device uses the first key and the granularity identifier as input parameters of the integrity algorithm, verifies the message authentication code in the first data, and obtains the first data processed by the integrity verification.

In summary, in the data transmission process described in Figure 5, the devices that perform encryption/decryption and integrity protection/verification on the first data (such as user plane data) are the terminal device and the first core network network element. That is, when the terminal device encrypts the first data and performs data integrity protection, the first core network network element decrypts the first data and performs data integrity verification; when the first core network network element encrypts the first data and performs data integrity protection, the terminal device decrypts the first data and performs data integrity verification. Through such a data transmission method, it is possible to avoid the access network device from decrypting the user plane data during the transmission process, thereby avoiding the access network from knowing the plaintext user plane data, thereby improving the security of the data.

According to the foregoing, whether it is the first key used for data integrity protection/verification or the second key used for data encryption/decryption, they are all generated according to the target encryption integrity policy. The following will explain how to determine the target encryption integrity policy in the data transmission process. Please refer to Figure 8a, which is a flow chart of a method for determining an encryption integrity policy. It should be noted that, for ease of understanding, Figure 8a only uses the core network element in the CN of 5G as an example for a schematic introduction, and it cannot be regarded as a specific limitation of the present application. Among them, when the terminal device in Figure 8a is the first device in Figure 5, the first core network element in Figure 8a is the second device in Figure 5; when the terminal device in Figure 8a is the second device in Figure 5, the first core network element in Figure 8a is the first device in Figure 5.

As shown in Figure 8a, the key generation method includes the following S801~S802. The execution subject of the method shown in Figure 8a can be a terminal device, a first core network element, an access network device, and a second core network element, or the execution subject of the method shown in Figure 8a can be a chip of a terminal device, a chip of a first core network element, a chip of an access network device, and a chip of a second core network element. Figure 8a takes the terminal device, the first core network element (such as the UPF in Figure 8a), the access network device, and the second core network element (such as the AMF in Figure 8a) as the execution subject of the method as an example for explanation. Among them:

S801. AMF determines the target encryption and security policy of the target data; the target encryption and security policy is determined based on one or more of the following policies: the encryption and security policy of the terminal device, the encryption and security policy of the SMF, the encryption and security policy of the AF, or the encryption and security policy of the PCF.

The target data may be the first data in FIG5 or the second data (i.e. the first data after encryption and integrity protection). The description of the encryption integrity protection strategy can be found in the description of the encryption integrity protection strategy in S501, which will not be described here.

That is to say, one or more devices in the terminal device, SMF, AF or PCF can send encryption and security policies to AMF according to their own needs. Furthermore, AMF coordinates the received encryption and security policies according to certain determination rules (such as device priority, encryption/decryption processing efficiency, integrity protection/verification processing efficiency, data security requirements, etc.) to determine the target encryption and security policy. Among them, the determination rule can be a rule preset on the network side or a rule determined according to business needs, and can be adaptively adjusted according to specific application scenarios, which is not specifically limited here.

Exemplarily, AMF receives the encryption security policy from the terminal device, the encryption security policy of SMF, the encryption security policy of AF, and the encryption security policy of PCF. Among them, the preset device priorities corresponding to the encryption security policy are SMF, PCF, terminal device, and AF from high to low. In this case, AMF can determine the encryption security policy of SMF as the target encryption security policy.

S802. AMF sends the target encryption security policy to the terminal device, access network device and UPF.

After AMF determines the target encryption and security policy, it sends the target encryption and security policy to the terminal device, access network device, and UPF respectively, so that during the transmission of the target data, each transmission node (i.e., including the terminal device, access network device, and the first core network element) reaches a consensus on the encryption and security policy of the target data, which is beneficial to improving the transmission efficiency and security of the target data. It should be noted that when UPF receives the target encryption and security policy sent by AMF, it can also receive the first key and the second key generated by AMF according to the target encryption and security policy. After the terminal device receives the target encryption and security policy sent by AMF, the terminal device can generate the first key and the second key according to the target encryption and security policy. After the access network device receives the target encryption and security policy, it cannot obtain the first key and the second key.

In a possible implementation, the terminal device sends a PDU session establishment request or a PDU session modification request to the AMF through the access network device. Furthermore, the way in which the AMF sends the target encryption and security policy to the terminal device can be: the AMF sends a PDU session establishment response or a PDU session modification response to the terminal device through the access network device, and the PDU session establishment response or the PDU session modification response carries the target encryption and security policy.

In a possible implementation, the way in which AMF obtains the encryption integrity policy of the terminal device can be: when the terminal device sends a PDU session establishment request or a PDU session modification request to the AMF through the access network device, the PDU session establishment request or the PDU session modification request carries the encryption integrity policy of the terminal device.

In order to more intuitively demonstrate the method for determining the target encryption integrity strategy described in Figure 8a, Figure 8b takes the example of a terminal device sending a PDU session establishment request to AMF for exemplary explanation. Please refer to Figure 8b, which is a flow chart of a key generation method. As shown in Figure 8b, the key generation method includes the following S8001 to S8012. The execution subject of the method shown in Figure 8b can be a terminal device, a first core network element, an access network device, and a second core network element, or the execution subject of the method shown in Figure 8b can be a chip of a terminal device, a chip of a first core network element, a chip of an access network device, and a chip of a second core network element. Figure 8b takes the terminal device, the first core network element (such as the UPF in Figure 8b), the access network device, and the second core network element (such as the AMF in Figure 8b) as the execution subject of the method as an example for explanation. Among them:

(Optionally) S8001. AMF receives encryption protection policy for target data from SMF, PCF or AF.

The description of the encryption integrity protection strategy can refer to the description of the encryption integrity protection strategy in S501 above, which will not be described here. The target data can be the first data in Figure 5 above, or the second data (i.e. the first data after encryption and integrity protection).

S8002. AMF sends a security mode command (also known as security mode command) to the terminal device.

The security mode command is used to configure security-related information, such as configuring encryption algorithms and integrity protection algorithms.

S8003. The terminal device sends a security mode configuration completion (also known as security mode complete) to AMF.

S8004. AMF receives the PDU session establishment request (also known as PDU session establishment request) sent by the terminal device through the access network device.

The PDU session establishment request is used to request the establishment of a PDU session for transmitting target data.

In a possible implementation method, the PDU session establishment request carries the encryption and security policy of the terminal device. That is, when the terminal device requests AMF to establish a PDU session, it sends the encryption and security policy of the terminal device to AMF.

S8005. AMF determines the target encryption protection strategy for the target data.

The AMF determines the target encryption and security policy for the target data based on one or more of the following policies: the encryption and security policy of the terminal device, the encryption and security policy of the SMF, the encryption and security policy of the AF, or the encryption and security policy of the PCF.

Among them, the method for AMF to determine the target encryption protection strategy can be found in the description of the second core network element determining the target encryption protection strategy in S801, which will not be described in detail here.

S8006. AMF sends a PDU session establishment request to the access network device, wherein the PDU session establishment request includes a target encryption security policy.

AMF sends the target encryption integrity policy to the access network device through a PDU session establishment request, so that the access network device knows whether it needs to encrypt the target data. Exemplarily, when the target encryption integrity policy indicates that the terminal device and the first core network element perform encryption/decryption processing or integrity protection/verification processing, the access network device determines that it does not need to encrypt the target data; when the target encryption integrity policy indicates that the terminal device and the access network device perform encryption/decryption processing or integrity protection/verification processing, the access network device determines that it needs to encrypt the target data. Among them, the PDU session establishment request carries information for establishing a PDU session (for example, a PDU session resource establishment request list (PDU Session Resource Setup Request List), for example, the PDU session establishment request is a PDU session establishment request (PDU session setup request) message or an initial context setup request (initial context setup request) message.

S8007. The access network device sends a radio resource control (RRC) reconfiguration message (also known as RRC Reconfiguration) to the terminal device.

Among them, the function of the RRC reconfiguration message includes but is not limited to: sending the configuration information of the DRB or the configuration information of the logical channel corresponding to the PDU session to the terminal device.

S8008. The terminal device sends an RRC reconfiguration completion message (also known as RRC Reconfiguration complete) to the access network device.

S8009. The access network device sends a PDU session establishment response to the AMF.

It can be understood that the response of S8009 corresponds to the request of S8006, that is, it is used to reply to the request message of S8006. For example, when the message sent in S8006 is a PDU session setup request message, the PDU session setup response in S8009 is a PDU session setup response message; when the message sent in S8006 is an initial context setup request message, the PDU session setup response in S8009 is an initial context setup response message.

S8010. AMF sends a PDU session establishment response (also called PDU session establishment accept) to the terminal device through the access network device. The PDU session establishment response includes the target encryption security policy.

That is to say, AMF sends the target encryption security policy to the terminal device through the PDU session establishment response. In one possible implementation, when the target encryption security policy indication granularity is PDU session, a new information element (such as pdcp-config) is added in the PDU session establishment response to indicate the target encryption security policy; when the target encryption security policy indication granularity is QoS Flow, a new pdcp-config information is added to the information element (such as QoS-rule-info) used to indicate QoS configuration in the PDU session establishment response to indicate the target encryption security policy; when the target encryption security policy indication granularity is data flow, a new pdcp-config information is added to the information used to indicate data flow configuration in a certain information element (used to indicate QoS configuration) in the PDU session establishment response to indicate the target encryption security policy.

S8011. The terminal device generates a first key and a second key according to the target encryption security policy.

The first key and the second key generated by the terminal device according to the target encryption and security policy are the same as the first key and the second key generated by the AMF according to the target encryption and security policy in S812. Further, the terminal device performs encryption/decryption processing and integrity protection/verification processing on the data according to the first key and the second key and the target encryption and security policy.

S8012. AMF sends the target encryption security policy and the first key and second key generated according to the target encryption security policy to UPF through SMF.

That is, after AMF generates the first key and the second key according to the target encryption security policy, AMF sends the target encryption security policy, the first key and the second key to SMF; SMF sends the target encryption security policy, the first key and the second key to UPF, so that UPF encrypts/decrypts the data and performs integrity protection/verification according to the first key and the second key, as well as the target encryption security policy.

It can be seen that by implementing the key generation method described in Figure 8b of the present application, during the transmission of the target data, each transmission node (i.e., including terminal equipment, access network equipment and the first core network network element) can reach a consensus on the encryption and security strategy of the target data, which is beneficial to improving the transmission efficiency and security of the target data.

Please refer to Figure 9, which shows a schematic diagram of the structure of a communication device 900 of an embodiment of the present application. The communication device shown in Figure 9 can be a first device, or a device in the first device, or a device that can be used in combination with the first device; or the communication device shown in Figure 9 can be a second device, or a device in the second device, or a device that can be used in combination with the second device; the communication device shown in Figure 9 can be a second core network element, or a device in the second core network element, or a device that can be used in combination with the second core network element; the communication device shown in Figure 9 can include a communication unit 901 and a processing unit 902. Specifically, the processing unit 902 is used to process data, and the data can be data received by the communication unit 901, and the processed data can also be sent by the communication unit 901;

In one implementation, the communication device 900 is a first device, or may be a device in the first device, or may be a device that can be used in conjunction with the first device, wherein:

The processing unit 902 is used to perform integrity protection processing and encryption processing on the first data through the first protocol layer to obtain second data; the communication unit 901 is used to transparently transmit the second data to the second device through the access network device;

Among them, both the first device and the second device are deployed with a first protocol layer, which has the function of encrypting/decrypting data and the function of protecting/verifying the integrity of data; the first device is a terminal device, and the second device is a first core network network element; or, the first device is a first core network network element, and the second device is a terminal device.

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, SDAP layer, the second protocol layer, RLC layer, MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function and a data packet replication function; the protocol layers deployed by the first core network network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence; the protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, RLC layer, MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer and the second physical layer in sequence.

In a possible implementation, the protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has packet sorting function, diversion function and packet replication function; the protocol layers deployed by the first core network network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence; the protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer and the second physical layer in sequence.

In a possible implementation, the protocol stack deployed by the terminal device is, in sequence, the first protocol layer, the third protocol layer, the RLC layer, the MAC layer and the first physical layer; wherein the first protocol layer also has the function of IP header compression and the data packet sorting function, and the third protocol layer has the function of the SDAP layer and the data packet replication function; the protocol layers deployed by the first core network network element are, in sequence, the first protocol layer, GTP-U, UDP, IP, the data link layer and the second physical layer; the protocol stack deployed by the access network device includes, in sequence, the third protocol layer, the RLC layer, the MAC layer and the first physical layer, and the access network device is also deployed with GTP-U, UDP, IP, the data link layer and the second physical layer in sequence.

In one possible implementation, when the first device is a terminal device, the communication unit 901 is also used to send a PDU session establishment request message to the second core network network element; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting the first data; the communication unit 901 is also used to receive a PDU session establishment response message from the second core network network element, and the PDU session establishment response message includes a target encryption integrity policy; wherein the target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF; the processing unit 902 is also used to generate a first key and a second key according to the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the first data, and the second key is used to perform encryption/decryption processing on the first data.

In one possible implementation, when the first device is a first core network element, the communication unit 901 is also used to receive a target encryption integrity policy from a second core network element; wherein the target encryption integrity policy is determined based on one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF; the communication unit 901 is also used to receive a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification processing on the first data, and the second key is used to perform encryption/decryption processing on the first data; the first key and the second key are generated according to the target encryption integrity policy.

In a possible implementation, the processing unit 902 is specifically configured to perform integrity protection processing on the first data according to the target encryption integrity policy and the first key; and perform encryption processing on the first data according to the target encryption integrity policy and the second key.

In one possible implementation, the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the first data, and the granularity is one of PDU session, QoS Flow or data flow.

In one possible implementation, the processing unit 902 is specifically used to perform integrity protection processing on the first data according to the first key and the granularity identifier; and to perform encryption processing on the first data according to the second key and the granularity identifier; wherein the granularity identifier is one of the QoS Flow identifier, the PDU session identifier, or the data flow identifier.

In one implementation, the communication device shown in FIG. 9 may be a second device, or may be a device in the second device, or may be a device that can be used in conjunction with the second device, wherein:

The communication unit 901 is used to receive second data transparently transmitted from the first device through the access network device;

The processing unit 902 is used to perform decryption processing and integrity verification processing on the second data through the first protocol layer to obtain the first data; wherein, the first device and the second device are both deployed with the first protocol layer, and the first protocol layer has the function of encrypting/decrypting data and the function of performing integrity protection/verification on data; the first device is a terminal device, and the second device is a first core network element; or, the first device is a first core network element, and the second device is a terminal device.

In a possible implementation, the protocol stack deployed by the terminal device is the first protocol layer, SDAP layer, the second protocol layer, RLC layer, MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function and a data packet replication function; the protocol layers deployed by the first core network network element are the first protocol layer, GTP-U, UDP, Internet Protocol IP, data link layer and the second physical layer in sequence; the protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, RLC layer, MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer and the second physical layer in sequence.

In a possible implementation, the protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has data packet sorting function, diversion function and data packet replication function; the protocol layers deployed by the first core network network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence; the protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device is also deployed with GTP-U, UDP, IP, data link layer and the second physical layer in sequence.

In one possible implementation, when the second device is a terminal device, the communication unit 901 is also used to send a protocol data unit PDU session establishment request message to the second core network network element; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting the second data; the communication unit 901 is also used to receive a PDU session establishment response message from the second core network network element, and the PDU session establishment response message includes a target encryption integrity policy; wherein the target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the session management function SMF, the encryption integrity policy of the application function AF, or the encryption integrity policy of the policy control function PCF; the processing unit 902 is also used to generate a first key and a second key according to the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the second data, and the second key is used to perform encryption/decryption processing on the second data.

In one possible implementation, when the second device is the first core network element, the communication unit 901 is also used to receive a target encryption integrity policy from the second core network element; wherein the target encryption integrity policy is determined based on one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the SMF, the encryption integrity policy of the AF, or the encryption integrity policy of the PCF; the communication unit 901 is also used to receive a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification processing on the second data, and the second key is used to perform encryption/decryption processing on the second data; the first key and the second key are generated according to the target encryption integrity policy.

In a possible implementation, the processing unit 902 is specifically used to decrypt the second data at the first protocol layer according to the target encryption integrity policy and the second key; and perform integrity verification on the second data according to the target encryption integrity policy and the first key.

In one possible implementation, the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the second data, and the granularity is one of PDU session, QoS Flow or data flow.

In one possible implementation, the processing unit 902 is specifically used to decrypt the second data according to the second key and the granularity identifier; and to perform integrity verification on the second data according to the first key and the granularity identifier; wherein the granularity identifier is one of a QoS Flow identifier, a PDU session identifier, or a data flow identifier.

In one implementation, the communication device shown in FIG. 9 may be a second core network element, or may be a device in the second core network element, or may be a device that can be matched with the second core network element for use, wherein:

The processing unit 902 is used to determine the target encryption and security policy of the target data; the target encryption and security policy is determined based on one or more of the following policies: the encryption and security policy of the terminal device, the encryption and security policy of the session management function SMF, the encryption and security policy of the application function AF or the encryption and security policy of the policy control function PCF; the communication unit 901 is used to send the target encryption and security policy to the terminal device, the access network device corresponding to the terminal device and the first core network network element.

In one possible implementation, the communication unit 901 is also used to receive a protocol data unit PDU session establishment request message sent from a terminal device; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting target data; and a PDU session establishment response message is sent to the terminal device, and the PDU session establishment response message includes a target encryption security policy.

In one possible implementation, the processing unit 902 is also used to generate a first key and a second key based on the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification on the target data, and the second key is used to perform encryption/decryption on the target data; the communication unit 901 is also used to send the first key and the second key to the first core network element.

In one possible implementation, the encryption integrity policy includes the granularity of encryption/decryption or integrity protection/verification of the target data, and the granularity is one of the PDU session, QoS Flow or data flow.

As shown in Figure 10, a communication device 1000 provided in an embodiment of the present application is used to implement the functions of the above-mentioned first device, second device or second core network element. The device can be a first device or a device used in a first device; or the device can be a second device or a device used in a second device; or the device can be a second core network element or a device used in a second core network element. The device used in a device (such as a first device, a second device or a second core network element) can be a chip system or a chip in the device. Among them, the chip system can be composed of chips, and can also include chips and other discrete devices.

The communication device 1000 includes at least one processor 1020, which is used to implement the data transmission function of the device (such as the first device, the second device or the second core network element) in the method provided in the embodiment of the present application. The communication device 1000 may also include a communication interface 1010, which is used to implement the transceiver operation of the device (such as the first device, the second device or the second core network element) in the method provided in the embodiment of the present application. In the embodiment of the present application, the communication interface can be a transceiver, a circuit, a bus, a module or other type of communication interface, which is used to communicate with other devices through a transmission medium. For example, the communication interface 1010 is used for the device in the communication device 1000 to communicate with other devices. The processor 1020 uses the communication interface 1010 to send and receive data, and is used to implement the method described in the above method embodiment.

The communication device 1000 may also include at least one memory 1030 for storing program instructions and/or data. The memory 1030 is coupled to the processor 1020. The coupling in the embodiment of the present application is an indirect coupling or communication connection between devices, units or modules, which may be electrical, mechanical or other forms, and is used for information exchange between devices, units or modules. The processor 1020 may operate in conjunction with the memory 1030. The processor 1020 may execute program instructions stored in the memory 1030. At least one of the at least one memory may be included in the processor.

The specific connection medium between the communication interface 1010, the processor 1020 and the memory 1030 is not limited in the embodiment of the present application. In FIG. 10 , the memory 1030, the processor 1020 and the communication interface 1010 are connected via a bus 1040. The bus is represented by a bold line in FIG. 10 . The connection mode between other components is only for schematic illustration and is not limited thereto. The bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, FIG. 10 is represented by only one bold line, but it does not mean that there is only one bus or one type of bus.

When the communication device 1000 is specifically a device for a device (e.g., a first device, a second device, or a second core network element), for example, when the communication device 1000 is specifically a chip or a chip system, the communication interface 1010 may output or receive a baseband signal. When the communication device 1000 is specifically a device (e.g., a first device, a second device, or a second core network element), the communication interface 1010 may output or receive a radio frequency signal. In an embodiment of the present application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array, or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present application may be directly embodied as being executed by a hardware processor, or may be executed by a combination of hardware and software modules in the processor.

An embodiment of the present application also provides a computer-readable storage medium, which stores computer execution instructions. When the computer execution instructions are executed, the method executed by the first device, the second device or the second core network element in the above method embodiment is implemented.

An embodiment of the present application also provides a computer program product, which includes a computer program. When the computer program is executed, the method executed by the first device, the second device or the second core network element in the above method embodiment is implemented.

The embodiment of the present application also provides a communication system, which includes a first device, a second device, an access network device, and a second core network element. The first device is used to execute the method executed by the first device in the above method embodiment; the second device is used to execute the method executed by the second device in the above method embodiment; and the second core network element is used to execute the method executed by the second core network element in the above method embodiment.

It should be noted that, for the aforementioned method embodiments, for the sake of simplicity, they are all expressed as a series of action combinations, but those skilled in the art should be aware that the present application is not limited by the described order of actions, because according to the present application, certain steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.

The descriptions of the various embodiments provided in this application can refer to each other, and the descriptions of the various embodiments have different focuses. For parts that are not described in detail in a certain embodiment, refer to the relevant descriptions of other embodiments. For the convenience and simplicity of description, for example, the functions of the various devices and equipment provided in the embodiments of this application and the steps of execution can refer to the relevant descriptions of the method embodiments of this application, and the various method embodiments and the various device embodiments can also refer to, combine or quote each other.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application, rather than to limit it. Although the present application has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the aforementioned embodiments, or replace some or all of the technical features therein with equivalents. However, these modifications or replacements do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present application.

Claims

A data transmission method, characterized in that the method comprises:

The first device performs integrity protection processing and encryption processing on the first data through the first protocol layer to obtain second data;

The first device transparently transmits the second data to the second device through the access network device;

The first device and the second device are both deployed with the first protocol layer, and the first protocol layer has a function of encrypting/decrypting data and a function of performing integrity protection/verification on data;

The first device is a terminal device, and the second device is a first core network element; or, the first device is a first core network element, and the second device is a terminal device.
The method according to claim 1, characterized in that

The protocol stack deployed by the terminal device is the first protocol layer, the service data adaptation protocol SDAP layer, the second protocol layer, the radio link control RLC layer, the media access control MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function and a data packet duplication function;

The protocol layers deployed by the first core network element are the first protocol layer, the general packet radio service tunneling protocol GTP-U of the user plane part, the user datagram protocol UDP, the Internet protocol IP, the data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, the data link layer and the second physical layer in sequence.
The method according to claim 1, characterized in that

The protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has data packet sorting function, diversion function and data packet duplication function;

The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, the data link layer and the second physical layer in sequence.
The method according to claim 1, characterized in that

The protocol stack deployed by the terminal device is the first protocol layer, the third protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the first protocol layer also has the function of IP header compression and data packet sorting, and the third protocol layer has the function of the SDAP layer and the data packet replication function;

The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the third protocol layer, RLC layer, MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, data link layer and the second physical layer in sequence.
The method according to any one of claims 1 to 4, characterized in that when the first device is a terminal device, the method further comprises:

The first device sends a protocol data unit (PDU) session establishment request message to the second core network element; the PDU session establishment request message is used to request to establish a PDU session for transmitting the first data;

The first device receives a PDU session establishment response message from the second core network element, wherein the PDU session establishment response message includes the target encryption integrity policy; wherein the target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the session management function SMF, the encryption integrity policy of the application function AF, or the encryption integrity policy of the policy control function PCF;

The first device generates a first key and a second key according to the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the first data, and the second key is used to encrypt/decrypt the first data.
The method according to claim 5 is characterized in that the PDU session establishment request message includes an encryption security policy of the terminal device.
The method according to any one of claims 1 to 4, characterized in that when the first device is a first core network element, the method further comprises:

The first device receives a target encryption and security policy from a second core network element; wherein the target encryption and security policy is determined according to one or more of the following policies: an encryption and security policy of the terminal device, an encryption and security policy of the SMF, an encryption and security policy of the AF, or an encryption and security policy of the PCF;

The first device receives a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification on the first data, and the second key is used to perform encryption/decryption on the first data; the first key and the second key are generated according to the target encryption integrity policy.
The method according to any one of claims 5 to 7, wherein the first device performs integrity protection processing and encryption processing on the first data through the first protocol layer, comprising:

At the first protocol layer, the first device performs integrity protection processing on the first data according to the target encryption integrity protection policy and the first key;

The first device encrypts the first data according to the target encryption security policy and the second key.
The method according to claim 8 is characterized in that the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the first data, and the granularity is one of PDU session, quality of service flow QoS Flow or data flow.
The method according to claim 9, characterized in that

The first device performs integrity protection processing on the first data according to the target encryption integrity protection policy and the first key, including:

The first device performs integrity protection processing on the first data according to the first key and the identifier of the granularity;

The first device encrypts the first data according to the target encryption integrity policy and the second key, including:

The first device encrypts the first data according to the second key and the identifier of the granularity;

Among them, the granularity identifier is one of the QoS Flow identifier, PDU session identifier or data flow identifier.
According to the method according to any one of claims 5-10, it is characterized in that the encryption integrity policy is also used to instruct the terminal device and the first core network network element to perform encryption/decryption processing or integrity protection/verification processing; or, it is also used to instruct the terminal device and the access network device to perform encryption/decryption processing or integrity protection/verification processing.
A data transmission method, characterized in that the method comprises:

The second device receives second data transparently transmitted from the first device through the access network device;

The second device performs decryption processing and integrity verification processing on the second data through the first protocol layer to obtain first data;

The first device and the second device are both deployed with the first protocol layer, and the first protocol layer has a function of encrypting/decrypting data and a function of performing integrity protection/verification on data;

The first device is a terminal device, and the second device is a first core network element; or, the first device is a first core network element, and the second device is a terminal device.
The method according to claim 12, characterized in that

The protocol stack deployed by the terminal device is the first protocol layer, the service data adaptation protocol SDAP layer, the second protocol layer, the radio link control RLC layer, the media access control MAC layer and the first physical layer in sequence; wherein the second protocol layer has a data packet sorting function and a data packet duplication function;

The protocol layers deployed by the first core network element are the first protocol layer, the general packet radio service tunneling protocol GTP-U of the user plane part, the user datagram protocol UDP, the Internet protocol IP, the data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, the data link layer and the second physical layer in sequence.
The method according to claim 12, characterized in that

The protocol stack deployed by the terminal device is the SDAP layer, the first protocol layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the second protocol layer has data packet sorting function, diversion function and data packet duplication function;

The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the SDAP layer, the second protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, the data link layer and the second physical layer in sequence.
The method according to claim 12, characterized in that

The protocol stack deployed by the terminal device is the first protocol layer, the third protocol layer, the RLC layer, the MAC layer and the first physical layer in sequence; wherein the first protocol layer also has the function of IP header compression and data packet sorting, and the third protocol layer has the function of the SDAP layer and the data packet replication function;

The protocol layers deployed by the first core network element are the first protocol layer, GTP-U, UDP, IP, data link layer and the second physical layer in sequence;

The protocol stack deployed by the access network device includes the third protocol layer, RLC layer, MAC layer and the first physical layer in sequence, and the access network device also deploys GTP-U, UDP, IP, data link layer and the second physical layer in sequence.
The method according to any one of claims 12 to 15, characterized in that when the second device is a terminal device, the method further comprises:

The second device sends a protocol data unit (PDU) session establishment request message to the second core network element; the PDU session establishment request message is used to request to establish a PDU session for transmitting the second data;

The second device receives a PDU session establishment response message from the second core network element, where the PDU session establishment response message includes the target encryption integrity policy; wherein the target encryption integrity policy is determined according to one or more of the following policies: the encryption integrity policy of the terminal device, the encryption integrity policy of the session management function SMF, the encryption integrity policy of the application function AF, or the encryption integrity policy of the policy control function PCF;

The second device generates a first key and a second key according to the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the second data, and the second key is used to encrypt/decrypt the second data.
The method according to claim 16 is characterized in that the PDU session establishment request message includes an encryption security policy of the terminal device.
The method according to any one of claims 12 to 15, characterized in that when the second device is a first core network element, the method further comprises:

The second device receives a target encryption and security policy from a second core network element; wherein the target encryption and security policy is determined according to one or more of the following policies: an encryption and security policy of the terminal device, an encryption and security policy of the SMF, an encryption and security policy of the AF, or an encryption and security policy of the PCF;

The second device receives a first key and a second key from the second core network element; wherein the first key is used to perform integrity protection/verification on the second data, and the second key is used to perform encryption/decryption on the second data; the first key and the second key are generated according to the target encryption integrity policy.
The method according to any one of claims 15 to 18, characterized in that the second device sequentially performs decryption processing and integrity verification processing on the second data through the first protocol layer, comprising:

At the first protocol layer, the second device decrypts the second data according to the target encryption integrity policy and the second key;

The second device performs integrity verification processing on the second data according to the target encryption integrity policy and the first key.
The method according to claim 19 is characterized in that the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the second data, and the granularity is one of PDU session, quality of service flow QoS Flow or data flow.
The method according to claim 20, characterized in that

The second device decrypts the second data according to the target encryption integrity policy and the second key, including:

The second device decrypts the second data according to the second key and the identifier of the granularity;

The second device performs integrity verification processing on the second data according to the target encryption integrity policy and the first key, including:

The second device performs integrity verification processing on the second data according to the first key and the identifier of the granularity;

Among them, the granularity identifier is one of the QoS Flow identifier, PDU session identifier or data flow identifier.
According to the method according to any one of claims 12-21, it is characterized in that the encryption integrity policy is also used to instruct the terminal device and the first core network network element to perform encryption/decryption processing or integrity protection/verification processing; or, it is also used to instruct the terminal device and the access network device to perform encryption/decryption processing or integrity protection/verification processing.
A method for determining an encryption integrity strategy, characterized in that the method comprises:

The second core network element determines a target encryption and security policy for the target data; the target encryption and security policy is determined according to one or more of the following policies: an encryption and security policy of a terminal device, an encryption and security policy of a session management function SMF, an encryption and security policy of an application function AF, or an encryption and security policy of a policy control function PCF;

The second core network element sends the target encryption security policy to the terminal device, the access network device corresponding to the terminal device and the first core network element.
The method according to claim 23, characterized in that the method further comprises:

The second core network element receives a protocol data unit (PDU) session establishment request message sent by the terminal device; the PDU session establishment request message is used to request the establishment of a PDU session for transmitting the target data;

The second core network element sends the target encryption security policy to the terminal device, including:

The second core network element sends a PDU session establishment response message to the terminal device, and the PDU session establishment response message includes the target encryption security policy.
The method according to claim 24 is characterized in that the PDU session establishment request message includes an encryption security policy of the terminal device.
The method according to any one of claims 23 to 25, characterized in that the method further comprises:

The second core network element generates a first key and a second key based on the target encryption integrity policy; wherein the first key is used to perform integrity protection/verification processing on the target data, and the second key is used to perform encryption/decryption processing on the target data;

The second core network element sends the first key and the second key to the first core network element.
The method according to any one of claims 23-26 is characterized in that the encryption integrity strategy includes the granularity of encryption/decryption or integrity protection/verification of the target data, and the granularity is one of PDU session, quality of service flow QoSFlow or data flow.
According to the method according to any one of claims 23-27, it is characterized in that the encryption integrity policy is also used to instruct the terminal device and the first core network network element to perform encryption/decryption processing or integrity protection/verification processing; or, it is also used to instruct the terminal device and the access network device to perform encryption/decryption processing or integrity protection/verification processing.
A communication device, characterized in that it comprises a function or unit for executing the method according to any one of claims 1 to 11, or executing the method according to any one of claims 12 to 22, or executing the method according to any one of claims 23 to 28.
A communication device, characterized in that it includes a processor and a memory, the processor and the memory are coupled, the processor is used to implement the method as described in any one of claims 1-11, or the processor is used to implement the method as described in any one of claims 12-22, or the processor is used to implement the method as described in any one of claims 23-28.
A communication device, characterized in that it includes a processor and an interface circuit, wherein the interface circuit is used to receive signals from other communication devices outside the communication device and transmit them to the processor or send signals from the processor to other communication devices outside the communication device, and the processor is used to implement the method described in any one of claims 1 to 11 through a logic circuit or execute code instructions, or the processor is used to implement the method described in any one of claims 12 to 22 through a logic circuit or execute code instructions, or the processor is used to implement the method described in any one of claims 23 to 28 through a logic circuit or execute code instructions.
A computer-readable storage medium, characterized in that a computer program or instruction is stored in the storage medium, and when the computer program or instruction is executed by a communication device, the method as described in any one of claims 1 to 11 is implemented, or the method as described in any one of claims 12 to 22 is implemented, or the method as described in any one of claims 23 to 28 is implemented.
A computer program product, characterized in that when a computer reads and executes the computer program product, the computer executes the method described in any one of claims 1 to 11, or the computer executes the method described in any one of claims 12 to 22, or the computer executes the method described in any one of claims 23 to 28.
A communication system, characterized in that it includes a terminal device, a first core network element and a second core network element; wherein the terminal device is used to execute the method described in any one of claims 1-11, the first core network element is used to execute the method described in any one of claims 12-22, and the second core network element is used to execute the method described in any one of claims 23-28.