CN108366369B - Method for data secure transmission, access network, terminal and core network equipment - Google Patents
Publication number: CN108366369B (application CN201710064248.8A)
Authority: CN (China)
Prior art keywords: access network, network device, user plane, equipment, terminal
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications (CPC)
- H04W12/033: Protecting confidentiality, e.g. by encryption of the user plane (user's traffic)
- H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information (PII)
- H04W12/037: Protecting confidentiality, e.g. by encryption of the control plane (signalling traffic)
- H04W12/08: Access security
- H04W48/08: Access restriction or access information delivery, e.g. discovery data delivery
- H04W48/16: Discovering, processing access restriction or access information
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Mobile Radio Communication Systems
Abstract
A method for secure data transmission: a first access network device receives a request message from a terminal device, sends the one or more pieces of network slice selection information carried in that request to a first core network device, receives the response message from the first core network device, sends the user plane security information contained in that response to the terminal device, receives the encrypted data transmitted by the terminal device and transmits that encrypted data to the first core network device. Because the user plane security information that the first core network device configured for the terminal device reaches the terminal device, the terminal device encrypts its data according to that information during transmission, which improves the security and reliability of data transmission under a network slicing architecture.
Description
Technical Field
The present invention relates to the field of wireless communication technologies, and in particular, to a method for secure data transmission, an access network, a terminal, and a core network device.
Background
The fifth generation mobile communication system (5G) proposes a Network Slice (NS) architecture to cope with differing user requirements. Software Defined Networking (SDN) and Network Function Virtualization (NFV) are the core technologies of the network slice architecture: NFV virtualizes the underlying physical resources and loads virtual Network Functions (NFs) onto a general-purpose platform such as virtual machines, and SDN establishes the logical connections between those virtual machines and constructs the paths that carry signalling and data streams. An end-to-end service chain is configured through dynamic connection between the NFs of the access network (RAN) and the Core Network (CN), and this constitutes a network slice. According to each user's requirements on Key Performance Indicators (KPIs) such as capacity, coverage, rate, latency and reliability, an operator can assemble a specific set of network functions together with the network resources those functions need, so as to provide the required telecommunication and network capacity services and meet specific market scenarios and requirements.
As shown in fig. 1, the third generation partnership project (3GPP) has classified the main types of 5G network slices into three major categories: enhanced mobile broadband (eMBB), massive machine type communications (mMTC) and ultra-reliable and low latency communications (URLLC). eMBB mainly serves terminals with high requirements on data rate and mobility, such as mobile phones and multimedia equipment; mMTC mainly targets Internet of Things devices, whose requirements are large scale, low mobility and low data rate; URLLC mainly covers service and device types with stringent latency and reliability requirements, such as Internet of Vehicles safety information. For example, a mobile phone user may access an eMBB network slice to download or watch 4K high-definition video at high speed, and a sensor device may access an mMTC network slice to transmit small data packets and update its system configuration. A user can access one or more, or all, network slices simultaneously, so that service requirements are met and a better user experience is achieved.
Currently, the discussion of the network architecture of the network slice by the 3GPP mainly focuses on network slice selection, and the purpose of the network slice selection is to select an appropriate network slice for a User Equipment (UE), and associate the UE with a specific network slice, so as to establish a corresponding Control Plane (CP) and/or User Plane (UP) connection with the network slice.
While communicating with a network slice, the UE needs a secure channel to protect the communication. The existing security mechanism maintains a master key on the RAN device side, e.g. at the eNB, and derives three sub-keys from it (in LTE these are the RRC integrity, RRC ciphering and user plane ciphering keys derived from K_eNB); the same keys apply to all radio bearers established by the UE, and the influence of other network slices is not considered. Since different network slices have different security levels, the encryption/decryption function can be moved from the RAN device side to the CN device side for a slice with a high security level, thereby improving the security of its communication. If, at the same time, the eNB still maintains a single master key under the existing mechanism, an attack on a RAN-side network element may expose the master key maintained by the eNB, which in turn threatens the security of the other network slices.
Disclosure of Invention
The embodiment of the invention provides a method for data secure transmission, an access network, a terminal and core network equipment, which are used for improving the security and reliability of a data transmission process under a network architecture of a network slice and improving the compatibility of data encryption.
In a first aspect, a method for secure transmission of data is provided.
The method comprises the following steps: the first access network equipment receives a request message sent by the terminal equipment; the request message comprises one or more network slice selection information; the first access network device sends the one or more network slice selection information to a first core network device; the first access network equipment receives a response message sent by the first core network equipment; and the first access network equipment sends the response message to the terminal equipment, receives the encrypted data transmitted by the terminal equipment and transmits the encrypted data to the first core network equipment.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the response message includes user plane security information configured by the first core network device for the terminal device, and the first access network device sending the response message to the terminal device includes: the first access network device sends the user plane security information to the terminal device.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the user plane security information includes user plane encryption/decryption location indication information, which is used to encrypt/decrypt a user plane data packet of service transmission associated with a network slice selected by the terminal device.
With reference to the first aspect or the first possible implementation manner or the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the encrypted data is data processed by the terminal device according to the user plane security information.
Because the first access network device receives the user plane security information sent by the first core network device, it learns the user plane security information for the service associated with the network slice, for example whether the first access network device itself is required to encrypt/decrypt the user plane data packets of that service. The first access network device then sends the user plane security information that the first core network device configured for the terminal device to the terminal device, so that the terminal device encrypts/decrypts the transmitted data according to it, which secures the data transmission process under the network slice architecture. Since the first core network device configures the user plane security information according to the one or more pieces of network slice selection information, the different user plane security requirements of different network slices can be met, and the flexibility and differentiation of data encryption/decryption are improved.
With reference to the first aspect or any one of the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, after the first access network device transmits the encrypted data to the first core network device, the method further includes: the first access network device sends a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over; the first access network device receives a handover request acknowledgement message sent by the second access network device; the first access network device sends a handover instruction to the terminal device and caches the encrypted data to be transmitted to the second access network device, where that encrypted data is data encrypted by the first core network device for transmission to the terminal device, and the handover instruction instructs the terminal device to hand over from the first access network device to the second access network device; the first access network device sends a Sequence Number (SN) state transmission message to the second access network device, where the SN state transmission message indicates one or more uplink and downlink SN states in a Radio Link Control (RLC) mode; and the first access network device sends the cached encrypted data to the second access network device.
Because the first access network device sends the cached encrypted data to the second access network device, packet loss during the handover is avoided; and because what is forwarded is ciphertext produced by the first core network device, the terminal device can continue to decrypt the cached data that the second access network device delivers to it, so the security of the data transmission is preserved across the handover.
With reference to the first aspect or the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the second access network device communicates with a second core network device; the sending, by the first access network device, the cached encrypted data to the second access network device includes: and the first access network equipment sends the cached encrypted data to the first core network equipment.
Because the first access network device sends the encrypted data to the first core network device, the data cached by the first access network device reaches the second access network device via the first core network device and the second core network device, which solves data loss during handover. The first core network device can also pass the unencrypted data to the second core network device, which can then encrypt it under the new security mechanism applicable to it, so that data packets the second access network device transmits to the terminal device use the security mechanism of the second core network device; this ensures both the security of the data transmission and a smooth replacement of the security mechanism after handover.
With reference to the first aspect or the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, before the sending, by the first access network device, the cached encrypted data to the first core network device, the method further includes: and the first access network equipment sends the SN state transmission message to the first core network equipment.
With reference to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a seventh possible implementation manner of the first aspect, the cached encrypted data includes data to be sent to the terminal device that is cached by the first access network device and data that has been sent to the terminal device and has not received feedback from the terminal device.
With reference to the first aspect or any possible implementation manner of the first possible implementation manner to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the user plane security information further includes header compression function position indication information and integrity protection function position indication information.
With reference to the first aspect or any one possible implementation manner of the first possible implementation manner to the eighth possible implementation manner of the first aspect, in a ninth possible implementation manner of the first aspect, before the first access network device receives the encrypted data transmitted by the terminal device, the method further includes: the first access network device receives a network slice management message sent by an operation and management device, where the network slice management message includes user plane security information of a basic network slice; and the first access network device stores the user plane security information of the basic network slice.
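The exchange described in the first aspect (slice selection request, user plane security information in the response, per-slice encryption at the terminal) together with its fourth to seventh implementation manners (handover with cached ciphertext and SN state transfer), modelled as an added Python example. This is not code from the patent or from any 3GPP implementation: the cipher is a constructed HMAC-SHA256 counter-mode toy standing in for the real NEA/NIA algorithms, and the per-slice policy table, slice names, key labels, function names and sample payloads are all assumptions. The model keeps only the security-relevant behaviour the text argues for: the access network holds keys only for slices whose ciphering is located at RAN, so an attacker who takes everything the access network holds cannot read a slice whose ciphering is located in the core, and ciphertext forwarded at handover stays decryptable by the terminal without being re-keyed in transit.

```python
import hashlib
import hmac

# Toy PDCP-style ciphering and integrity protection, constructed for this example.
# It is neither 3GPP NEA/NIA nor the patent's own algorithm: HMAC-SHA256 in
# counter mode as the keystream, a truncated HMAC tag, the SN as the nonce.
def kdf(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = []
    while sum(len(b) for b in blocks) < n:
        ctr = len(blocks).to_bytes(4, "big")
        blocks.append(hmac.new(key, nonce + ctr, hashlib.sha256).digest())
    return b"".join(blocks)[:n]

def seal(key: bytes, sn: int, plaintext: bytes) -> tuple:
    """Encrypt and integrity-protect one PDU; returns (sn, ciphertext, tag)."""
    nonce = sn.to_bytes(4, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(kdf(key, b"int"), nonce + ct, hashlib.sha256).digest()[:8]
    return (sn, ct, tag)

def unseal(key: bytes, pdu: tuple) -> bytes:
    """Verify the tag first; a wrong key or a modified PDU raises ValueError."""
    sn, ct, tag = pdu
    nonce = sn.to_bytes(4, "big")
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"int"), nonce + ct, hashlib.sha256).digest()[:8]):
        raise ValueError("integrity check failed for SN %d" % sn)
    return bytes(a ^ b for a, b in zip(ct, _keystream(kdf(key, b"enc"), nonce, len(ct))))

# Constructed per-slice user plane security information. The field names stand in
# for the patent's ciphering / integrity / header-compression position indications.
UP_SECURITY_POLICY = {
    "eMBB":  {"ciphering_at": "RAN", "integrity_at": "RAN", "header_compression_at": "RAN"},
    "URLLC": {"ciphering_at": "CN",  "integrity_at": "CN",  "header_compression_at": "RAN"},
}

def slice_key(master: bytes, slice_id: str) -> bytes:
    """Per-slice user plane key, derived identically by the UE and the core."""
    return kdf(master, b"UP|" + slice_id.encode())

def configure_user_plane_security(master: bytes, slice_selection: list):
    """First core network device: builds the response message for the selected slices
    and hands the access network only the keys for slices ciphered at RAN."""
    info, ran_keys, cn_keys = {}, {}, {}
    for s in slice_selection:
        info[s] = UP_SECURITY_POLICY[s]
        (ran_keys if info[s]["ciphering_at"] == "RAN" else cn_keys)[s] = slice_key(master, s)
    return info, ran_keys, cn_keys

def ran_handle_uplink(ran_keys: dict, info: dict, slice_id: str, pdu: tuple):
    """Access network: decrypt only where ciphering is located at RAN, else forward as-is."""
    if info[slice_id]["ciphering_at"] == "RAN":
        return ("plaintext", unseal(ran_keys[slice_id], pdu))
    return ("ciphertext", pdu)

def compromised_ran_can_read(ran_keys: dict, slice_id: str, pdu: tuple) -> bool:
    """The Background's threat: an attacker who has taken everything the AN holds."""
    try:
        unseal(ran_keys[slice_id], pdu)
        return True
    except (KeyError, ValueError):
        return False

def handover(ue_master: bytes, slice_id: str, source_buffer: list, dl_next_sn: int):
    """Source AN forwards buffered CN-encrypted downlink PDUs plus the SN state to the
    target AN (via the core); the target delivers them unchanged and signals the SN
    boundary, so the UE keeps decrypting with the CN-located key across the handover."""
    forwarded = list(source_buffer)   # ciphertext is never re-keyed in transit
    key = slice_key(ue_master, slice_id)
    delivered = [unseal(key, pdu) for pdu in forwarded if pdu[0] < dl_next_sn]
    return delivered, dl_next_sn      # dl_next_sn doubles as the SN indication to the UE

def demo() -> dict:
    master = hashlib.sha256(b"constructed master key").digest()   # fixed: deterministic run
    info, ran_keys, cn_keys = configure_user_plane_security(master, ["eMBB", "URLLC"])
    # The UE encrypts each slice's data with that slice's key, as the received info says.
    urllc_pdu = seal(slice_key(master, "URLLC"), 0, b"vehicle brake status")
    embb_pdu = seal(slice_key(master, "eMBB"), 0, b"4K video chunk")
    # Downlink URLLC PDUs are encrypted in the core; the source AN only buffers them.
    source_buffer = [seal(cn_keys["URLLC"], sn, b"cn-dl-%d" % sn) for sn in range(3)]
    delivered, boundary = handover(master, "URLLC", source_buffer, dl_next_sn=3)
    return {
        "urllc_at_ran": ran_handle_uplink(ran_keys, info, "URLLC", urllc_pdu)[0],
        "embb_at_ran": ran_handle_uplink(ran_keys, info, "eMBB", embb_pdu),
        "ran_compromise_reads_embb": compromised_ran_can_read(ran_keys, "eMBB", embb_pdu),
        "ran_compromise_reads_urllc": compromised_ran_can_read(ran_keys, "URLLC", urllc_pdu),
        "cn_reads_urllc": unseal(cn_keys["URLLC"], urllc_pdu),
        "handover_delivered": delivered,
        "sn_boundary": boundary,
    }
```

Calling demo() returns a dictionary in which the eMBB packet is readable at the access network and by an attacker holding the access network's keys, while the URLLC packet is forwarded as ciphertext and stays unreadable to that attacker but readable in the core; the three buffered downlink PDUs survive the handover and decrypt at the terminal. In a real network the master key comes from authentication and key agreement rather than a fixed digest, and the policy table would be operator configuration delivered as the network slice management message of the ninth implementation manner.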
In a second aspect, a method for secure transmission of data is provided.
The method comprises the following steps: the terminal equipment sends a request message to the first access network equipment, wherein the request message comprises one or more pieces of network slice selection information; the terminal equipment receives user plane safety information which is sent by the first access network equipment and is configured for the terminal equipment by first core network equipment, wherein the user plane safety information comprises user plane encryption/decryption position indication information; and the terminal equipment processes the data to be transmitted according to the user plane safety information, generates encrypted data and transmits the encrypted data to the first access network equipment.
The terminal device encrypts data to be transmitted to the first core network device by using the user plane security information configured for the terminal device by the first core network device sent by the first access network device, so that the security and reliability of the data transmission process under the network architecture of the network slice are improved.
With reference to the second aspect, in a first possible implementation manner of the second aspect, after the terminal device transmits the encrypted data to the first access network device, the method further includes: the terminal device receives a handover instruction sent by the first access network device; and the terminal device establishes an RRC connection with the second access network device and sends a handover complete message to the second access network device.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, after the terminal device sends the handover complete message to the second access network device, the method further includes: the terminal device receives an SN indication message sent by the second access network device, which indicates the SN boundary value of the data received or sent by the terminal device.
In a third aspect, a method for secure transmission of data is provided.
The method comprises the following steps: the method comprises the steps that a first core network device receives one or more pieces of network slice selection information sent by a first access network device;
the first core network equipment configures user plane security information of the terminal equipment according to the one or more network slice selection information; and the first core network equipment sends the user plane security information to the first access network equipment.
With reference to the third aspect, in a first possible implementation manner of the third aspect, after the sending, by the first core network device, the user plane security information to the first access network device, the method further includes: and the first core network equipment receives the SN state transmission message sent by the first access network equipment and the cached encrypted data to be transmitted to the second access network equipment.
In a fourth aspect, a method for secure transmission of data is provided.
The method includes: the second access network device receives a handover request message sent by the first access network device; the second access network device sends a handover request acknowledgement message to the first access network device and receives a Sequence Number (SN) state transmission message sent by the first access network device; and the second access network device receives the encrypted data sent by the first access network device.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the first access network device communicates with a first core network device, and the second access network device communicates with a second core network device; the second access network device receiving the encrypted data sent by the first access network device, including: and the second access network equipment receives the data sent by the second core network equipment.
With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, the first access network device communicates with a first core network device, and the second access network device communicates with a second core network device; after the second access network device receives the encrypted data sent by the first access network device, the method further includes: the second access network equipment establishes RRC connection with the terminal equipment; and the second access network equipment sends SN indication information to the terminal equipment, wherein the SN indication information is used for indicating an SN boundary value of data received or sent by the terminal equipment.
In a fifth aspect, an access network device is provided.
The access network device includes a receiver, a processor and a transmitter. The processor is configured to control the receiver to receive a request message sent by the terminal device, the request message including one or more pieces of network slice selection information, and to control the transmitter to transmit the one or more pieces of network slice selection information to a first core network device; the processor is further configured to control the receiver to receive a response message sent by the first core network device, the response message including user plane security information configured for the terminal device by the first core network device, where the user plane security information includes user plane encryption/decryption position indication information used to encrypt/decrypt the user plane data packets of the service transmission associated with the network slice selected by the terminal device; the processor is further configured to control the transmitter to transmit the user plane security information to the terminal device, to control the receiver to receive the encrypted data transmitted by the terminal device, and to control the transmitter to transmit the encrypted data to the first core network device, where the encrypted data is data processed by the terminal device according to the user plane security information.
With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect, the access network device further includes a memory;
the processor is further configured to: after transmitting the encrypted data to the first core network device, controlling the transmitter to transmit a switching request message to a second access network device, where the second access network device is a device to which the terminal device is to be switched; controlling the receiver to receive a handover request acknowledgement message sent by the second access network device; the sender is controlled to send a switching instruction to the terminal and the memory is controlled to cache encrypted data to be transmitted to the second access network device, the encrypted data to be transmitted to the second access network device is data encrypted by first core network equipment and transmitted to the terminal device, and the switching instruction is used for indicating the terminal device to be switched from the first access network device to the second access network device; controlling the transmitter to transmit an SN state transmission message to the second access network equipment, wherein the SN state transmission message is used for indicating one or more uplink and downlink SN states in an RLC mode;
and controlling the transmitter to transmit the cached encrypted data to the second access network device.
With reference to the fifth aspect or the first possible implementation manner of the fifth aspect, in a second possible implementation manner of the fifth aspect, the second access network device communicates with a second core network device; the processor is specifically configured to: and controlling the transmitter to transmit the cached encrypted data to the first core network device.
With reference to the fifth aspect or the second possible implementation manner of the fifth aspect, in a third possible implementation manner of the fifth aspect, the processor is further configured to: and before controlling the transmitter to transmit the cached encrypted data to the first core network device, controlling the transmitter to transmit the SN status transmission message to the first core network device.
With reference to the fifth aspect or any possible implementation manner of the first possible implementation manner to the third possible implementation manner of the fifth aspect, in a fourth possible implementation manner of the fifth aspect, the cached encrypted data includes data to be sent to the terminal device that is cached by the access network device and data that has been sent to the terminal device and has not received feedback from the terminal device.
With reference to the fifth aspect or any possible implementation manner of the first possible implementation manner to the fourth possible implementation manner of the fifth aspect, in a fifth possible implementation manner of the fifth aspect, the user plane security information further includes header compression function position indication information and integrity protection function position indication information.
With reference to the fifth aspect or any possible implementation manner of the first possible implementation manner to the fifth possible implementation manner of the fifth aspect, in a sixth possible implementation manner of the fifth aspect, the processor is further configured to: before controlling the receiver to receive the encrypted data transmitted by the terminal equipment, controlling the receiver to receive a network slice management message sent by an operation and management equipment, wherein the network slice management message comprises user plane security information of a basic network slice; controlling the memory to store user plane security information for the underlying network slice.
In a sixth aspect, a terminal device is provided.
The terminal device includes: a receiver, a processor and a transmitter, and the transmitter is configured to transmit a request message to a first access network device, where the request message includes one or more network slice selection information; the receiver is configured to receive user plane security information configured for the terminal device by the first core network device and sent by the first access network device, where the user plane security information includes user plane encryption/decryption position indication information; the processor is configured to process data to be transmitted according to the user plane security information, generate encrypted data, and control the transmitter to transmit the encrypted data to the first access network device.
With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect, the processor is further configured to: after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover instruction sent by the first access network device; and establish an RRC connection with the second access network device and control the transmitter to transmit a handover complete message to the second access network device.
With reference to the sixth aspect or the first possible implementation manner of the sixth aspect, in a second possible implementation manner of the sixth aspect, the processor is further configured to: after controlling the transmitter to transmit the handover complete message to the second access network device, control the receiver to receive a Sequence Number (SN) indication message transmitted by the second access network device, where the SN indication message indicates the SN boundary value of the data received or transmitted by the terminal device.
In a seventh aspect, a core network device is provided.
The core network device includes: a receiver, a processor and a transmitter, and the receiver is configured to receive one or more network slice selection information transmitted by a first access network device; the processor is used for configuring user plane security information of the terminal equipment according to the one or more network slice selection information; the transmitter is configured to transmit the user plane security information to the first access network device.
With reference to the seventh aspect, in a first possible implementation manner of the seventh aspect, the processor is further configured to: and after controlling the transmitter to transmit the user plane security information to the first access network device, controlling the receiver to receive the SN state transmission message transmitted by the first access network device and the cached encrypted data to be transmitted to the second access network device.
In an eighth aspect, an access network device is provided.
The access network device includes a receiver, a processor and a transmitter. The processor is configured to control the receiver to receive a handover request message sent by a first access network device; the processor is further configured to control the transmitter to send a handover request acknowledgement message to the first access network device and to control the receiver to receive an SN state transmission message sent by the first access network device; and to control the receiver to receive the encrypted data sent by the first access network device.
With reference to the eighth aspect, in a first possible implementation manner of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device; the processor is specifically configured to control the receiver to receive the data sent by the second core network device.
With reference to the eighth aspect or the first possible implementation manner of the eighth aspect, in a second possible implementation manner of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device; the processor is further configured to: after controlling the receiver to receive the encrypted data sent by the first access network device, establish an RRC connection with the terminal device and control the transmitter to send SN indication information to the terminal device, where the SN indication information indicates an SN boundary value for data received or sent by the terminal device.
In a ninth aspect, an access network apparatus is provided. The access network device includes a receiving unit, a processing unit, and a transmitting unit, where the receiving unit performs the steps performed by the receiver in the fifth aspect or any implementation manner thereof, the processing unit performs the steps performed by the processor in the fifth aspect or any implementation manner thereof, and the transmitting unit performs the steps performed by the transmitter in the fifth aspect or any implementation manner thereof.
In a tenth aspect, a terminal device is provided. The terminal device comprises a receiving unit, a processing unit and a transmitting unit, wherein the receiving unit executes the steps executed by the receiver in the sixth aspect or any implementation manner thereof, the processing unit executes the steps executed by the processor in the sixth aspect or any implementation manner thereof, and the transmitting unit executes the steps executed by the transmitter in the sixth aspect or any implementation manner thereof.
In an eleventh aspect, a core network device is provided. The core network device includes a receiving unit, a processing unit, and a transmitting unit, where the receiving unit performs steps performed by the receiver in the seventh aspect or any implementation manner thereof, the processing unit performs steps performed by the processor in the seventh aspect or any implementation manner thereof, and the transmitting unit performs steps performed by the transmitter in the seventh aspect or any implementation manner thereof.
In a twelfth aspect, an access network device is provided. The access network device comprises a receiving unit, a processing unit and a transmitting unit, wherein the receiving unit executes the steps executed by the receiver in the eighth aspect or any implementation manner thereof, the processing unit executes the steps executed by the processor in the eighth aspect or any implementation manner thereof, and the transmitting unit executes the steps executed by the transmitter in the eighth aspect or any implementation manner thereof.
In a thirteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes those instructions, the access network device performs the method of the first aspect or any possible implementation manner of the first aspect.
In a fourteenth aspect, an embodiment of the present application provides a terminal device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes those instructions, the terminal device performs the method of the second aspect or any possible implementation manner of the second aspect.
In a fifteenth aspect, an embodiment of the present application provides a core network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes those instructions, the core network device performs the method of the third aspect or any possible implementation manner of the third aspect.
In a sixteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes those instructions, the access network device performs the method of the fourth aspect or any possible implementation manner of the fourth aspect.
A seventeenth aspect provides a computer storage medium having program code stored thereon, the program code comprising instructions for implementing any possible implementation of the methods of the first, second, third or fourth aspects.
Drawings
Fig. 1 is a schematic diagram of a network slice classification;
Fig. 2 is a schematic diagram of a system architecture according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a method for secure data transmission according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a terminal device handover according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a method for data transmission according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a method for data transmission according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of user plane security information transmission according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a data security transmission apparatus according to an embodiment of the present invention.
Detailed Description
Fig. 2 shows, by way of example, a system architecture to which an embodiment of the present invention applies and on which the secure data transmission flow can be implemented. The system architecture for secure data transmission provided in the embodiment may include a network device 110 and a terminal device 120.
The network device 110 may include a radio access network (RAN) device and a core network (CN) device. The RAN device may be an access point (AP) in a WLAN, a base transceiver station (BTS) in GSM or CDMA, a NodeB (NB) in WCDMA, an evolved NodeB (eNB or eNodeB) in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, or a network device in a future 5G network or a future evolved PLMN, such as a base station that can connect to a 5G core network device, a transmission and reception point (TRP), a centralized unit (CU) or a distributed unit (DU); the RAN device communicates with the terminal device 120. The CN device may be a mobility management entity (MME) or a gateway in LTE, or a control plane (CP) network function (NF) or user plane (UP) network function in a 5G network, such as a common control plane network function (CCNF) or a session management function (SMF). Each network slice comprises RAN and CN functions, and several network slices may share the network functions of one RAN device. On the CN side, network functions are either shared among network slices or dedicated to one slice: for example, Slice A and Slice B share network functions in the CN device, whereas Slice C uses CN network functions of its own.
In the embodiment of the present invention, the terminal device 120 may be a device with a wireless fidelity (WiFi) module, such as a mobile phone, a wristband, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a personal digital assistant (PDA), a vehicle-mounted device, a wearable device or a sensor with network access capability, but is not limited to these.
In the 5G system the network slices require different security levels, so the ciphering/deciphering function of a network slice with a high security level is moved from the RAN device side to the CN device side. Data that the CN device sends to the terminal device 120 is then encrypted on the CN device before being forwarded to the terminal device 120 through the RAN device, and when the terminal device 120 receives or sends data it must know both the ciphering key and where the ciphering function is located.
Therefore, before the terminal device 120 initiates a user plane data packet of service transmission to the CN device, it needs to determine an encryption/decryption key of received or transmitted data to realize secure transmission of the data.
Based on the above description, fig. 3 exemplarily shows a flow of a method for securely transmitting data, which is provided by an embodiment of the present invention, and the flow can implement secure transmission of data in a 5G system, and the method for securely transmitting data will be described below with reference to fig. 2 and fig. 3.
As shown in fig. 3, the specific steps of the process include:
in step 301, the terminal device sends a request message to the first RAN device.
The request message sent to the first RAN device includes one or more pieces of network slice selection information indicating the network slice(s) for which the terminal device wants to set up a connection. The request message may carry a non-access stratum (NAS) message containing that network slice selection information, so that after receiving the request message the first RAN device forwards the network slice selection information to the first CN device, where it is used to initiate network slice selection or protocol data unit (PDU) session establishment. The request message may be an RRC message, a MAC message or a physical layer message.
The network slice selection information includes, but is not limited to, the following. The network slice type, such as enhanced mobile broadband (eMBB), ultra-reliable low latency communications (URLLC) or massive machine type communications (mMTC); the slice type may refer to an end-to-end slice type covering both the RAN side and the CN side, to a RAN-side slice type, or to a CN-side slice type. The service type, which is tied to a specific service such as video, vehicle-to-everything or voice and indicates the characteristics or information of that service. Tenant information, which identifies the customer that created or leases the network slice, such as Tencent or a national grid operator. User group information, which groups users by some characteristic, such as user class. Slice group information, which groups network slices by some characteristic, such as the network slices a user accesses. Network slice instance information, which carries the instance identifier created for the network slice together with its feature information; the identifier assigned to a network slice instance may also be mapped to a new identifier associated with that instance, and the receiver resolves the identifier to the specific network slice instance it represents. Optionally, a dedicated core network (DCN) identifier may be mapped to a network slice identifier in either direction: the network slice identifier may be derived from the DCN identifier, and the DCN identifier from the network slice identifier.
After receiving the request message sent by the terminal device, the first RAN device may send, to the first CN device, the NAS message carried in the received request message through an interface message between the first RAN device and the first CN device, so that the first CN device configures user plane security information for the terminal device according to one or more network slice selection information in the request message.
After receiving the one or more pieces of network slice selection information from the first RAN device, the first CN device may optionally pass them to a CN device responsible for network slice security, and that CN device may configure different user plane security information according to the network slice selection information, for example per security level of the slice or per service the slice carries. The user plane security information configured for the terminal device includes at least user plane ciphering position indication information, which the terminal device uses to decrypt received data and encrypt sent data, improving the security of data transmission.
Specifically, the user plane security information may further include, but is not limited to, the following. Location information of the ciphering function, i.e. the anchor of the ciphering function: on the RAN side, on the CN side, or on both the RAN and CN sides. If the ciphering function is on the RAN side, the RAN side must cipher and decipher the user plane data packets; if it is on the CN side, the RAN side need not cipher or decipher them; and if it is on both sides, the RAN side must cipher and decipher them as well. On the RAN side the function may sit in the packet data convergence protocol (PDCP) layer or the radio resource control (RRC) layer; on the CN side it may sit in a control plane or user plane network function responsible for security, such as a session management function or a network management function. Ciphering function enable information, such as switching the ciphering function on or off on the RAN side, the CN side, or both. Ciphering keys, such as the key used between the RAN side and the UE side, or the key used between the UE side and the CN side. Ciphering algorithms, such as the algorithm used by the ciphering function on the RAN side, the CN side, or both.
Robust header compression (ROHC) function location information, for example on the RAN side, the CN side, or both. If the header compression function is on the RAN side, the RAN side must compress the headers of user plane data packets; if it is on the CN side, the RAN side need not; and if it is on both sides, the RAN side must compress them as well. On the RAN side the function may sit in the PDCP layer or the RRC layer; on the CN side it may sit in a control plane or user plane network function responsible for security, such as a session management function or a network management function. Header compression enable information, such as switching the header compression function on or off on the RAN side, the CN side, or both. Header compression algorithms, such as the algorithm used by the header compression function on the RAN side, the CN side, or both. Header compression type, such as compressing the real-time transport protocol (RTP), user datagram protocol (UDP) and internet protocol (IP) headers, compressing only the UDP/IP headers, or compressing only the IP header.
Further, the user plane security information may also include, but is not limited to, the following. Integrity protection function location information, for example on the RAN side, the CN side, or both. If the integrity protection function is on the RAN side, the RAN side must integrity protect the user plane data packets; if it is on the CN side, the RAN side need not; and if it is on both sides, the RAN side must integrity protect them as well. On the RAN side the function may sit in the PDCP layer or the RRC layer; on the CN side it may sit in a control plane or user plane network function responsible for security, such as a session management function or a network management function. Integrity protection enable information, such as switching integrity protection on or off on the RAN side, the CN side, or both. Integrity protection algorithm information, such as the algorithm used by the integrity protection function on the RAN side, the CN side, or both. Key update information, for example the key derivation the terminal device applies at handover or RRC connection re-establishment; this may indicate that the UE uses or derives a new key in the handover or RRC connection re-establishment procedure, or that it does not need to.
In step 304, the first CN device sends user plane security information to the first RAN device.
The first CN device notifies the first RAN device, through an interface message, of the user plane security information it has configured for the terminal device. The information may be carried explicitly or implicitly in the interface message and may be scoped to the following service-related configuration:
user plane security information for at least one network slice that the CN side selected for the UE, applying to the user plane data carried by that slice; user plane security information for at least one radio bearer that the RAN side needs to establish for the UE, applying to the user plane data carried by that radio bearer; user plane security information for at least one PDU session that the CN side established for the UE, applying to the user plane data carried by that PDU session; and user plane security information for at least one flow within a PDU session established for the UE, applying to the user plane data carried by that flow.
The first RAN device may learn, through the message, network slice, radio bearer, PDU session, or user plane security information of a flow included in the PDU session, for example, whether the first RAN device needs to perform functions of ciphering and/or header compression, and the like.
Optionally, the interface message may also carry an identifier of a network slice selected by the first CN device for the terminal device, or may also carry PDU session information established by the first CN device for the terminal device.
Step 305: the first RAN device receives the response message sent by the first CN device and sends the user plane security information to the terminal device.
The response message includes the user plane security information that the first CN device configured for the terminal device, which includes at least user plane ciphering position indication information. The first RAN device then sends the user plane security information to the terminal device, so that the terminal device can process data according to it, for example decrypt received data or encrypt data to be sent, improving the security of data transmission.
The first RAN device may send the user plane security information to the terminal device in an air interface configuration message, which may be an RRC message, a MAC message or a physical layer message. The configuration message may carry the user plane security information explicitly or implicitly, and the information may apply to one or more radio bearers, one or more PDU sessions, one or more flows within a PDU session, or the network slice corresponding to the PDU session. From this message the terminal device learns the security information of those radio bearers, PDU sessions, flows or network slice, for example whether the UE side must cipher/decipher and/or compress headers in the PDCP layer.
And after receiving the user plane security information configured for the terminal equipment by the first CN equipment sent by the first RAN equipment, the terminal equipment stores the user plane security information. When initiating a user plane data packet for service transmission, the terminal device encrypts the user plane data packet for service transmission by using the stored user plane security information, and transmits the encrypted data to the first RAN device.
In step 307, the first RAN device receives the encrypted data transmitted by the terminal device, and transmits the encrypted data to the first CN device.
After receiving the encrypted data sent by the terminal device, the first RAN device forwards it to the first CN device. The terminal device encrypted this data using the user plane security information that the first CN device configured for it. Encrypting with CN-configured user plane security information further improves security during transmission: if the first RAN device is attacked and its master key is compromised, the security of the other network slices is not threatened.
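Steps 301 to 307 as one constructed end-to-end run, added here as an example; it is not code from the patent. Message and field names, the slice-to-anchor policy (URLLC anchored in the CN), the HMAC-based keystream standing in for a 5G NEA ciphering algorithm, and the way the terminal obtains the CN-side key (derived from a pre-established UE-CN secret, so that the key itself never transits the RAN) are all assumptions; the page does not say how that key is delivered. The run shows the property the remark on step 307 relies on: a RAN node that only relays a CN-anchored slice sees ciphertext, while it still deciphers the RAN-anchored slice.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

UPLINK = 0
# Constructed policy (assumption): the patent does not name the high-security slices; here URLLC is one.
ANCHOR_POLICY = {"eMBB": "RAN", "mMTC": "RAN", "URLLC": "CN"}

def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream standing in for a 5G NEA algorithm (assumption);
    the inputs mirror PDCP ciphering (KEY, COUNT, BEARER, DIRECTION). Applied twice, it decrypts."""
    ctx = count.to_bytes(4, "big") + bytes([bearer, direction])
    ks = b"".join(hmac.new(key, ctx + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def derive_cn_key(shared_secret: bytes, key_id: str) -> bytes:
    """UE and CN derive the CN-side key from a pre-established secret (assumption)."""
    return hmac.new(shared_secret, key_id.encode(), hashlib.sha256).digest()[:16]

@dataclass(frozen=True)
class UpSecurityInfo:           # user plane security information for one slice (field names assumed)
    slice_type: str
    anchor: str                 # ciphering position indication: "RAN", "CN" or "RAN+CN"
    ran_key: Optional[bytes]    # UE-RAN key; None when the RAN does not cipher
    cn_key_id: Optional[str]    # names the UE-CN key; the key itself never crosses the RAN

class CoreNetwork:
    def __init__(self, ue_shared_secret: bytes):
        self.secret, self.configs = ue_shared_secret, {}

    def configure(self, slice_selection: List[dict]) -> List[UpSecurityInfo]:
        """Steps 303 and 304: configure user plane security per selected slice."""
        infos = []
        for sel in slice_selection:
            anchor = ANCHOR_POLICY[sel["slice_type"]]
            infos.append(UpSecurityInfo(sel["slice_type"], anchor,
                                        os.urandom(16) if "RAN" in anchor else None,
                                        "k-" + sel["slice_type"] if "CN" in anchor else None))
        self.configs = {i.slice_type: i for i in infos}
        return infos

    def receive(self, slice_type: str, bearer: int, count: int, data: bytes) -> bytes:
        info = self.configs[slice_type]
        if "CN" in info.anchor:
            data = cipher(derive_cn_key(self.secret, info.cn_key_id), count, bearer, UPLINK, data)
        return data

class AccessNetwork:
    def __init__(self, cn: CoreNetwork):
        self.cn, self.configs, self.observed = cn, {}, []

    def handle_request(self, nas_slice_selection: List[dict]) -> List[UpSecurityInfo]:  # steps 302 to 305
        infos = self.cn.configure(nas_slice_selection)   # forward the NAS slice selection to the CN
        self.configs = {i.slice_type: i for i in infos}  # keep the answer, then relay it to the UE
        return infos

    def uplink(self, slice_type: str, bearer: int, count: int, data: bytes) -> bytes:
        """Step 307: strip RAN-side ciphering only where configured, then forward to the CN."""
        info = self.configs[slice_type]
        if "RAN" in info.anchor:
            data = cipher(info.ran_key, count, bearer, UPLINK, data)
        self.observed.append((slice_type, data))    # what an attacker on this node would see
        return self.cn.receive(slice_type, bearer, count, data)

class Terminal:
    def __init__(self, ran: AccessNetwork, cn_shared_secret: bytes):
        self.ran, self.secret, self.configs, self.count = ran, cn_shared_secret, {}, {}

    def attach(self, slice_selection: List[dict]) -> None:  # step 301 request, step 306 store
        self.configs = {i.slice_type: i for i in self.ran.handle_request(slice_selection)}

    def send(self, slice_type: str, bearer: int, data: bytes) -> bytes:
        """Cipher at each configured anchor, CN layer innermost, then hand the packet to the RAN."""
        info = self.configs[slice_type]
        count = self.count.get(slice_type, 0)
        self.count[slice_type] = count + 1
        if "CN" in info.anchor:
            data = cipher(derive_cn_key(self.secret, info.cn_key_id), count, bearer, UPLINK, data)
        if "RAN" in info.anchor:
            data = cipher(info.ran_key, count, bearer, UPLINK, data)
        return self.ran.uplink(slice_type, bearer, count, data)

def run_scenario() -> dict:
    secret = os.urandom(32)                         # constructed UE-CN shared secret
    ran = AccessNetwork(CoreNetwork(secret))
    ue = Terminal(ran, secret)
    ue.attach([{"slice_type": "eMBB", "tenant": "Tencent"},
               {"slice_type": "URLLC", "tenant": "national grid"}])
    result = {"embb": ue.send("eMBB", 1, b"video chunk"),
              "urllc": ue.send("URLLC", 2, b"grid control")}
    # A compromised RAN node reads eMBB plaintext but only ciphertext on the CN-anchored slice.
    result["ran_saw_embb_plain"] = ("eMBB", b"video chunk") in ran.observed
    result["ran_saw_urllc_plain"] = ("URLLC", b"grid control") in ran.observed
    return result
```

`run_scenario()` returns the plaintext the CN recovered for both slices, `True` for `ran_saw_embb_plain` and `False` for `ran_saw_urllc_plain`. The "RAN+CN" anchor goes through the same code path: the terminal applies the CN layer first and the RAN layer on top, and each node strips only its own layer, which is why the position indication, not just the key, has to reach the terminal.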
When the user plane ciphering function is moved from the RAN device side to the CN device side, the terminal device may need to be handed over from the first RAN device to a second RAN device, or a second RAN device may be added in a multi-connectivity operation so that both RAN devices serve the terminal device. In both cases the first and second RAN devices are connected to the same CN device, and for a handover the first RAN device must forward its buffered encrypted data to the second RAN device. The first RAN device is the source RAN node and the second RAN device is the target RAN node.
As shown in fig. 4, the handover/multi-connection procedure includes the following specific steps:
in step 401, a first RAN device sends a handover request message to a second RAN device.
The handover request message instructs the second RAN device to start handover preparation. It includes, but is not limited to, the following information: the handover cause, indicating why this handover is triggered, for example a radio network layer cause (handover triggered by signal conditions, resource-based optimization and so on); the target cell identifier, uniquely identifying the target cell; the handover restriction list, containing the serving PLMN, equivalent PLMNs, forbidden service areas and the like; the temporary identifier of the terminal device, used by the CN device to look up the stored context of the terminal device; the identifier of the core network control function entity associated with the terminal device; the network slice identifiers of one, several or all of the network slices selected by the terminal device; the radio bearer information to be established for one, several or all of the selected network slices, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel endpoint and the user plane security information of the bearer, whose content may follow the interface message of step 304; and the session information to be established for those network slices, such as the session identifier, the session-level QoS parameters, the tunnel endpoint and the user plane security information of the session, again as in the interface message of step 304.
It further includes the flow information to be established for those network slices, such as the flow identifier, the flow-level QoS parameters, the tunnel endpoint and the user plane security information of the flow, as in the interface message of step 304; other radio bearer information to be established, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel endpoint and the user plane security information of the bearer, as in step 304; other session information to be established, such as the session identifier, the session-level QoS parameters, the tunnel endpoint and the user plane security information of the session, as in step 304; other flow information to be established, such as the flow identifier, the flow-level QoS parameters, the tunnel endpoint and the user plane security information of the flow, as in step 304; and context information of the terminal device, for example the network slice identifiers of one, several or all of the network slices the terminal device subscribes to.
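The exchange that step 401 opens, carried through to the SN status transfer, the forwarding of buffered encrypted data and the SN boundary indication listed in the sixth to eighth aspects above, as an added example; it is not code from the patent. Message and field names, the 12-bit SN length and the meaning given to the SN boundary value (the first downlink SN the target node numbers itself) are assumptions. Because ciphering is anchored in the CN, the forwarded PDUs are opaque to both nodes and no user plane rekeying happens at handover; the example also keeps the PDCP COUNT (HFN plus SN) monotonic across the SN roll-over that the modification required message mentioned below is concerned with.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SN_BITS = 12                # PDCP SN length (assumption)
SN_MOD = 1 << SN_BITS

@dataclass(frozen=True)
class Pdu:
    bearer: int
    sn: int                 # PDCP SN; wraps at SN_MOD
    body: bytes             # ciphered by the CN; opaque to both RAN nodes

@dataclass(frozen=True)
class BearerSecurity:       # user plane security information of one radio bearer (fields assumed)
    bearer: int
    cipher_anchor: str      # "CN" means neither RAN node holds a user plane key for it

@dataclass(frozen=True)
class HandoverRequest:      # step 401, reduced to the fields this example uses
    ue_temp_id: str
    bearers: Tuple[BearerSecurity, ...]

@dataclass(frozen=True)
class SnStatusTransfer:
    bearer: int
    next_dl_hfn: int        # hyper frame number: how often the DL SN has wrapped
    next_dl_sn: int         # next SN the source would have transmitted

def to_count(hfn: int, sn: int) -> int:
    """PDCP COUNT = HFN || SN; it is the COUNT, not the SN, that must never repeat under one key."""
    return (hfn << SN_BITS) | sn

def before_boundary(sn: int, boundary: int) -> bool:
    """'sn precedes boundary' modulo SN_MOD with a half-range window, so it survives SN wrap."""
    return 0 < (boundary - sn) % SN_MOD <= SN_MOD // 2

class RanNode:
    def __init__(self):
        self.bearers, self.dl_hfn, self.dl_sn = {}, {}, {}
        self.buffered: Dict[int, List[Pdu]] = {}   # CN-ciphered PDUs not yet sent

    def queue_from_cn(self, bearer: int, body: bytes) -> Pdu:
        """Number a CN-ciphered PDU; on SN roll-over bump the HFN instead of re-using a COUNT."""
        sn = self.dl_sn.get(bearer, 0)
        if sn == SN_MOD - 1:
            self.dl_hfn[bearer] = self.dl_hfn.get(bearer, 0) + 1
        self.dl_sn[bearer] = (sn + 1) % SN_MOD
        pdu = Pdu(bearer, sn, body)
        self.buffered.setdefault(bearer, []).append(pdu)
        return pdu

    # source side: handover request, then SN status transfer plus forwarding of buffered data
    def handover_request(self, ue_temp_id: str) -> HandoverRequest:
        return HandoverRequest(ue_temp_id, tuple(self.bearers.values()))

    def sn_status_and_forward(self, bearer: int) -> Tuple[SnStatusTransfer, List[Pdu]]:
        status = SnStatusTransfer(bearer, self.dl_hfn.get(bearer, 0), self.dl_sn.get(bearer, 0))
        forwarded, self.buffered[bearer] = self.buffered.get(bearer, []), []
        return status, forwarded

    # target side: acknowledge, adopt the source's state, tell the terminal the SN boundary
    def accept(self, req: HandoverRequest) -> bool:
        """Refuse bearers this node would have to cipher itself: the example provisions no RAN key."""
        if any(b.cipher_anchor != "CN" for b in req.bearers):
            return False
        self.bearers = {b.bearer: b for b in req.bearers}
        return True

    def take_over(self, status: SnStatusTransfer, forwarded: List[Pdu]) -> int:
        self.buffered[status.bearer] = list(forwarded)
        self.dl_hfn[status.bearer] = status.next_dl_hfn
        self.dl_sn[status.bearer] = status.next_dl_sn
        return status.next_dl_sn     # SN boundary; assumed meaning: first DL SN the target numbers itself

class Terminal:
    def __init__(self):
        self.boundary, self.received = {}, {}

    def sn_indication(self, bearer: int, boundary: int) -> None:
        self.boundary[bearer] = boundary    # received after sending the handover complete message

    def receive(self, pdu: Pdu) -> str:
        self.received.setdefault(pdu.bearer, []).append(pdu.sn)
        b = self.boundary.get(pdu.bearer)
        return "forwarded" if b is not None and before_boundary(pdu.sn, b) else "target-own"

def run_handover() -> dict:
    bearer, src, tgt, ue = 3, RanNode(), RanNode(), Terminal()
    src.bearers[bearer] = BearerSecurity(bearer, "CN")
    src.dl_sn[bearer] = SN_MOD - 2               # two PDUs away from SN roll-over
    for i in range(4):                           # the CN keeps delivering during handover preparation
        src.queue_from_cn(bearer, bytes([i]) * 8)    # constructed ciphertext bodies
    if not tgt.accept(src.handover_request("tmp-42")):
        raise RuntimeError("target refused the bearers")
    status, forwarded = src.sn_status_and_forward(bearer)
    boundary = tgt.take_over(status, forwarded)
    ue.sn_indication(bearer, boundary)
    labels = [ue.receive(p) for p in tgt.buffered.pop(bearer)]
    labels.append(ue.receive(tgt.queue_from_cn(bearer, b"\x09" * 8)))
    return {"boundary": boundary, "hfn": tgt.dl_hfn[bearer], "labels": labels,
            "sns": ue.received[bearer], "next_count": to_count(tgt.dl_hfn[bearer], tgt.dl_sn[bearer])}
```

`run_handover()` drives the source two PDUs short of the SN wrap, so the forwarded queue carries SNs 4094, 4095, 0 and 1 while the HFN has already moved to 1; the boundary handed to the terminal is 2, the first SN the target assigns, and the terminal classifies the four forwarded PDUs correctly even though their SNs straddle the wrap. The target's `accept` refusing a RAN-anchored bearer is the example's own caveat, not the patent's rule: a real target would expect the RAN-side key in the handover request's user plane security information.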
Optionally, the first RAN device may send a RAN device addition request to the second RAN device, for requesting the second RAN device to establish a multi-connection operation, so as to allocate radio resources to the terminal device. Further, the RAN device add request includes, but is not limited to, the following information: the radio bearer information to be established, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, corresponding to one or more or all of the network slices selected by the terminal device, may refer to the interface message in step 304. The session information to be established, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, corresponding to one or more or all network slices selected by the terminal device, may refer to the interface message in step 304. The flow information to be established, such as the flow identifier, the QoS parameter of the flow class, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, corresponding to one or more or all network slices selected by the terminal device, may refer to the interface message in step 304. Other radio bearer information to be established, such as radio bearer identifier, QoS parameter of radio bearer level, tunnel termination point, user plane security information corresponding to the radio bearer, and specific message content, may refer to the interface message in step 304. 
Other session information to be established, such as session identifier, QoS parameter of session level, tunnel termination point, user plane security information corresponding to the session, and specific message content, may refer to the interface message in step 304. Other flow information to be established, such as flow identification, QoS parameter of flow level, tunnel termination point, user plane security information corresponding to the flow, and specific message content, may refer to the interface message in step 304.
Optionally, the first RAN device may send a RAN device modification request to the second RAN device, where the RAN device modification request is used to request to modify context information of the current terminal device of the second RAN device and radio resource allocation prepared for the terminal device by the second RAN device, so as to allocate radio resources to the terminal device. Further, the RAN device modification request includes, but is not limited to, the following information: the radio bearer information to be established, modified and released, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, corresponding to one or more or all network slices selected by the terminal device, may refer to the interface message in step 304. The session information to be established, modified and released, such as the session identifier, the QoS parameter of the session level, the tunnel end point, the user plane security information corresponding to the session, and the specific message content, corresponding to one or more or all network slices selected by the terminal device, may refer to the interface message in step 304. The flow information to be established, modified, and released, such as the flow identifier, the QoS parameter of the flow level, the tunnel end point, the user plane security information corresponding to the flow, and the specific message content, corresponding to one or more or all network slices selected by the terminal device, may refer to the interface message in step 304. 
Other radio bearer information to be established, modified and released, such as radio bearer identifier, QoS parameter of radio bearer level, tunnel termination point, user plane security information corresponding to the radio bearer, and specific message content, may refer to the interface message in step 304. Other session information to be established, modified and released, such as session identifier, QoS parameter of session level, tunnel endpoint, user plane security information corresponding to the session, and specific message content, may refer to the interface message in step 304. Other flow information to be established, modified and released, such as flow identification, QoS parameter of flow level, tunnel termination point, user plane security information corresponding to the flow, and specific message content, may refer to the interface message in step 304.
Optionally, the first RAN device may send a RAN device modification requirement to the second RAN device, where the RAN device modification requirement is used to trigger release of radio resources, modification of the primary serving cell, an imminent wrap-around of the PDCP SN, and the like. Further, the RAN device modification requirement includes, but is not limited to, the following information: the radio bearer information to be released corresponding to one or more or all network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304. The session information to be released corresponding to one or more or all network slices selected by the terminal device, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. The flow information to be released corresponding to one or more or all network slices selected by the terminal device, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304. Other radio bearer information to be released, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304.
Other session information that needs to be released, such as session identifier, QoS parameter of session level, tunnel termination point, user plane security information corresponding to the session, and specific message content, may refer to the interface message in step 304. Other flow information to be released, such as flow id, QoS parameter of flow level, tunnel end point, user plane security information corresponding to the flow, and specific message content, may refer to the interface message in step 304.
In step 402, the second RAN device receives a handover request message sent by the first RAN device, and sends a handover request acknowledgement message to the first RAN device.
The second RAN device sends a handover request acknowledgement message to the first RAN device, indicating that the second RAN device has prepared resources and is ready for handover. The handover request acknowledgement message includes, but is not limited to, the following information: an identification of the first RAN device; an identification of the second RAN device; a transparent container from the second RAN device to the first RAN device, containing the RRC handover command. The non-admitted radio bearer information corresponding to one or more or all network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304. The non-admitted session information corresponding to one or more or all network slices selected by the terminal device, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. The non-admitted flow information corresponding to one or more or all network slices selected by the terminal device, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304. Other non-admitted radio bearer information, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304.
Other non-admitted session information, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. Other non-admitted flow information, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304.
Optionally, the second RAN device may send a RAN device addition request acknowledgement to the first RAN device, indicating that the second RAN device has prepared resources, so as to allocate radio resources to the terminal device. Further, the RAN device addition request acknowledgement includes, but is not limited to, the following information: the non-admitted and admitted radio bearer information corresponding to one or more or all network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304. The non-admitted and admitted session information corresponding to one or more or all network slices selected by the terminal device, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. The non-admitted and admitted flow information corresponding to one or more or all network slices selected by the terminal device, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304. Other non-admitted and admitted radio bearer information, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304.
Other non-admitted and admitted session information, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. Other non-admitted and admitted flow information, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304.
Optionally, the second RAN device may send a RAN device modification request acknowledgement to the first RAN device, in response to the modification request of the first RAN device. Further, the RAN device modification request acknowledgement includes, but is not limited to, the following information: the non-admitted and admitted radio bearer information corresponding to one or more or all network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304. The non-admitted and admitted session information corresponding to one or more or all network slices selected by the terminal device, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. The non-admitted and admitted flow information corresponding to one or more or all network slices selected by the terminal device, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304. Other non-admitted and admitted radio bearer information, such as the radio bearer identifier, the QoS parameter of the radio bearer level, the tunnel termination point, the user plane security information corresponding to the radio bearer, and the specific message content, may refer to the interface message in step 304.
Other non-admitted and admitted session information, such as the session identifier, the QoS parameter of the session level, the tunnel termination point, the user plane security information corresponding to the session, and the specific message content, may refer to the interface message in step 304. Other non-admitted and admitted flow information, such as the flow identifier, the QoS parameter of the flow level, the tunnel termination point, the user plane security information corresponding to the flow, and the specific message content, may refer to the interface message in step 304.
After receiving the handover request acknowledgement message, the first RAN device sends a handover instruction to the terminal device, where the handover instruction is used to instruct the terminal device to perform handover, and the handover instruction may be carried in an RRC message. The RRC message may also include, but is not limited to, the following information: target cell identification and new temporary identification of the terminal equipment. Bearer configuration, such as PDCP, Radio Link Control (RLC), Medium Access Control (MAC), and physical layer configuration.
The first RAN device further needs to cache encrypted data to be transmitted to the second RAN device, where the encrypted data to be transmitted to the second RAN device may be data to be sent to the terminal device cached by the first RAN device and data sent to the terminal device and not received by the terminal device.
In step 404, the first RAN device sends a Sequence Number (SN) status transmission message to the second RAN device, and sends the buffered encrypted data to the second RAN device.
The SN status transmission message is used to indicate the receive status of the uplink PDCP SN and/or the send status of the downlink PDCP SN corresponding to one or more bearers, sessions and flows in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink Service Data Unit (SDU), and may additionally include a receive status bitmap of the out-of-order uplink SDUs, which indicates which uplink SDUs the UE must retransmit to RAN node 2. The downlink PDCP SN send status indicates the next new PDCP SN that RAN node 2 needs to assign.
The first RAN device sends the cached encrypted data to the second RAN device, which solves the problem of data packet loss during handover; at the same time, because the encrypted data is forwarded by the first RAN device, the cached data that the second RAN device sends to the UE can still be decrypted on the UE side, so the security of data transmission is guaranteed.
After receiving the handover command, the terminal device establishes an RRC connection with the second RAN device, and then sends a handover complete message, such as an RRC connection reconfiguration complete message, to the second RAN device, indicating that the handover is completed.
Optionally, when the encryption/decryption function of the user plane is moved from the RAN device side to the CN device side, if the terminal device needs to be switched from the first RAN device to the second RAN device, and at this time, the first RAN device and the second RAN device are both connected to different CN devices, the first RAN device needs to transmit encrypted data to the second RAN device. The first RAN device is a source RAN node and the second RAN device is a target RAN node.
Optionally, if a handover procedure over the interface between the RAN device and the CN device needs to be triggered, for example when there is no direct terrestrial interface or wireless backhaul link between the first RAN device and the second RAN device, the handover request message in step 401 may be forwarded by the first core network device: the first RAN device sends the handover request message to the first core network device (the specific content may refer to the handover request message in step 401), and the first core network device then sends the handover request message to the second RAN device, thereby implementing that the first RAN device sends the handover request message to the second RAN device. The second RAN device sends a handover request acknowledgement message to the first core network device (the specific content may refer to the handover request acknowledgement message in step 402), and the first core network device then sends the handover request acknowledgement message to the first RAN device, thereby implementing that the second RAN device sends the handover request acknowledgement message to the first RAN device. The first RAN device receives the handover request acknowledgement message sent by the second RAN device, sends a handover instruction to the terminal device, and caches the encrypted data to be transmitted to the second RAN device. The first RAN device sends a Sequence Number (SN) status transmission message to the second RAN device and sends the cached encrypted data to the first core network device, and the first core network device then sends the received data to the second RAN device, thereby realizing that the first RAN device sends the cached encrypted data to the second RAN device.
As shown in fig. 5, the data transmission process includes the following specific steps:
The SN status transmission message is used to indicate the receive status of the uplink PDCP SN and/or the send status of the downlink PDCP SN corresponding to one or more bearers, sessions and flows in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink SDU, and may additionally include a receive status bitmap of the out-of-order uplink SDUs, which indicates which uplink SDUs the UE must retransmit to RAN node 2. The downlink PDCP SN send status indicates the next new PDCP SN that RAN node 2 needs to assign.
Optionally, the first RAN device sends an SN status transfer message to the second CN device.
In step 503, the first CN device receives the encrypted data sent by the first RAN device, decrypts the encrypted data, and sends the unencrypted data to the second CN device.
The data may be data to be sent to the terminal device that is cached by the first RAN device and data that has been sent to the terminal device and has not received feedback from the terminal device.
In step 504, the second CN device receives the unencrypted data sent by the first CN device, and sends the unencrypted data to the second RAN device.
Transmitting the encrypted data cached by the first RAN device to the second RAN device via the first CN device and the second CN device solves the problem of data loss during handover. Because the first CN device transmits unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to it, so the data packets transmitted to the UE by the second RAN device use the security mechanism applicable to the second CN device; this ensures the security of data transmission and a smooth replacement of the security mechanism after handover.
Optionally, when the encryption/decryption function of the user plane is moved from the RAN device side to the CN device side, if the terminal device needs to be switched from the first RAN device to the second RAN device, and at this time, the first RAN device and the second RAN device are both connected to different CN devices, the first RAN device needs to transmit encrypted data to the second RAN device. The first RAN device is a source RAN node and the second RAN device is a target RAN node.
As shown in fig. 6, the data transmission process includes the following specific steps:
The SN status transmission message is used to indicate the receive status of the uplink PDCP SN and/or the send status of the downlink PDCP SN corresponding to one or more bearers, sessions and flows in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink SDU, and may additionally include a receive status bitmap of the out-of-order uplink SDUs, which indicates which uplink SDUs the UE must retransmit to RAN node 2. The downlink PDCP SN send status indicates the next new PDCP SN that RAN node 2 needs to assign.
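The SN status transmission message of step 404 and of the flows in figs. 5 and 6, as an added example that is not code from the patent: the source RAN node builds the uplink receive status (first missing uplink PDCP SN plus the out-of-order bitmap) and the downlink send status, and the target RAN node derives from them which uplink SDUs the UE must retransmit and which downlink SN to assign next. The 12-bit SN length, the field names and the sample SN sets are assumptions.

```python
"""PDCP SN status transfer at handover (added example, not the patent's code).

The source RAN node reports, per bearer in RLC acknowledged mode, the uplink
receive status (SN of the first missing uplink SDU plus a bitmap of the
out-of-order SDUs received after it) and the downlink send status (next PDCP
SN to assign). The target RAN node reads from it which uplink SDUs the UE must
retransmit. SN length, field names and sample inputs are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

SN_BITS = 12                 # assumed PDCP SN length
SN_MODULUS = 1 << SN_BITS


@dataclass
class UplinkReceiveStatus:
    first_missing_sn: int                              # SN of the first missing uplink SDU
    bitmap: List[int] = field(default_factory=list)    # bit i covers SN first_missing_sn+1+i, 1 = received


@dataclass
class SnStatusTransfer:
    bearer_id: int
    uplink: UplinkReceiveStatus
    downlink_next_sn: int                              # next new PDCP SN the target node must assign


def build_uplink_status(received_sns: Iterable[int], window_start: int) -> UplinkReceiveStatus:
    """Source side: compute the uplink receive status from the uplink PDCP SNs
    received so far (in order or out of order). `window_start` is the lowest SN
    not yet delivered; working on distances from it keeps the computation
    correct across the SN wrap-around (e.g. 4095 -> 0)."""
    dists = sorted({(sn - window_start) % SN_MODULUS for sn in received_sns})
    received = set(dists)
    fms_dist = 0
    while fms_dist in received:              # skip the in-sequence run
        fms_dist += 1
    last_dist = dists[-1] if dists else -1
    bitmap = [1 if d in received else 0 for d in range(fms_dist + 1, last_dist + 1)]
    return UplinkReceiveStatus((window_start + fms_dist) % SN_MODULUS, bitmap)


def build_sn_status_transfer(bearer_id: int, received_ul_sns: Iterable[int],
                             ul_window_start: int, last_dl_sn_sent: int) -> SnStatusTransfer:
    """Source RAN node: assemble the SN status transfer for one bearer."""
    return SnStatusTransfer(
        bearer_id=bearer_id,
        uplink=build_uplink_status(received_ul_sns, ul_window_start),
        downlink_next_sn=(last_dl_sn_sent + 1) % SN_MODULUS,
    )


def uplink_sdus_to_retransmit(msg: SnStatusTransfer) -> List[int]:
    """Target RAN node: the UE must retransmit the first missing SDU plus
    every SDU whose bitmap bit is zero."""
    fms = msg.uplink.first_missing_sn
    missing = [fms]
    for i, bit in enumerate(msg.uplink.bitmap):
        if bit == 0:
            missing.append((fms + 1 + i) % SN_MODULUS)
    return missing


def target_state_after_transfer(msg: SnStatusTransfer) -> Dict[str, object]:
    """Target RAN node: the PDCP state to adopt for the bearer, i.e. where
    uplink reordering resumes and which downlink SN is assigned next."""
    return {
        "bearer_id": msg.bearer_id,
        "ul_retransmit": uplink_sdus_to_retransmit(msg),
        "ul_next_expected": msg.uplink.first_missing_sn,
        "dl_next_sn": msg.downlink_next_sn,
    }


if __name__ == "__main__":
    # Constructed sample: uplink SNs 0-2, 4, 5 and 7 arrived; 3 and 6 are missing.
    msg = build_sn_status_transfer(bearer_id=1, received_ul_sns={0, 1, 2, 4, 5, 7},
                                   ul_window_start=0, last_dl_sn_sent=41)
    print(target_state_after_transfer(msg))
    # Constructed sample across the wrap-around: 4094, 4095, 1 and 2 arrived; 0 is missing.
    wrapped = build_sn_status_transfer(bearer_id=2, received_ul_sns={4094, 4095, 1, 2},
                                       ul_window_start=4094, last_dl_sn_sent=4095)
    print(target_state_after_transfer(wrapped))
```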
In step 602, the first RAN device sends an SN status transfer message to the first CN device.
Optionally, the first RAN device sends the buffered encrypted data to the first CN device. The data may be data to be sent to the terminal device that is cached by the first RAN device and data that has been sent to the terminal device and has not received feedback from the terminal device.
In step 604, the second CN device receives the unencrypted data sent by the first CN device, and sends the unencrypted data to the second RAN device.
Transmitting the encrypted data cached by the first RAN device to the second RAN device via the first CN device and the second CN device solves the problem of data loss during handover. Because the first CN device transmits unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to it, so the data packets transmitted to the UE by the second RAN device use the security mechanism applicable to the second CN device; this ensures the security of data transmission and a smooth replacement of the security mechanism after handover.
Further, when the terminal device is handed over from the first RAN device to the second RAN device, and the first RAN device and the second RAN device are connected to different CN devices, then in the flow shown in fig. 4, after receiving the handover complete message sent by the terminal device, the second RAN device sends an SN indication message to the terminal device. The SN indication message may be an RRC message, a MAC message, or a physical layer message, and includes, but is not limited to, the following related information: an SN boundary value, used to indicate which received and transmitted data packets need to use the original encryption/decryption key and which need to use the new encryption/decryption key. For example, data packets whose PDCP SDU SN is before the SN boundary value use the original encryption/decryption key, and later data packets use the new encryption/decryption key.
Optionally, the SN indication message may further include a key indication, which is added to the data packet to notify the terminal device that the key used for encrypting and decrypting the data packet has changed and that the channel key needs to be used.
Optionally, the SN indication message may also take the form of an end-marker data packet: sending the end-marker data packet indicates that the encryption/decryption key previously stored on the UE side is invalid, and the new key is used from that point on.
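The SN boundary value, the per-packet key indication and the end-marker data packet described above, as an added example (not code from the patent) of how the UE side would decide between the original and the new encryption/decryption key for each received packet. The 12-bit SN length, the packet layout and the key values are assumptions, and the boundary SN itself is taken as the first SN that uses the new key.

```python
"""UE-side key selection after a handover across CN devices (added example,
not the patent's code).

Three indications decide which key applies to a packet:
  - an SN boundary value: PDCP SNs before it use the original key, later ones
    the new key, compared in modular SN order so a wrapped-around SN counts as
    later rather than earlier;
  - a key indication carried in the packet: this packet uses the changed key;
  - an end-marker packet: the previously stored key is invalid from here on.
SN length, packet layout and key values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

SN_BITS = 12                 # assumed PDCP SN length
SN_MODULUS = 1 << SN_BITS
SN_HALF = SN_MODULUS // 2


def sn_before(sn: int, boundary: int) -> bool:
    """True if `sn` precedes `boundary` in modular PDCP SN order. A distance of
    at least half the SN space is read as "behind", so that e.g. SN 3 with a
    boundary of 4090 is treated as a later (wrapped) SN, not an earlier one."""
    return (sn - boundary) % SN_MODULUS >= SN_HALF


@dataclass
class UserPlanePacket:
    sn: int                         # PDCP SN of the SDU
    payload: bytes
    key_indication: bool = False    # the key for this packet has changed
    end_marker: bool = False        # carries no user data; invalidates the original key


class HandoverKeyState:
    """Tracks which key the UE must use while original and new keys overlap."""

    def __init__(self, original_key: bytes, new_key: bytes,
                 sn_boundary: Optional[int] = None) -> None:
        self.original_key: Optional[bytes] = original_key
        self.new_key = new_key
        self.sn_boundary = sn_boundary      # None: no boundary was signalled

    def select_key(self, pkt: UserPlanePacket) -> Optional[bytes]:
        """Return the key to decrypt `pkt` with, or None for an end-marker."""
        if pkt.end_marker:
            self.original_key = None        # previously stored key is now invalid
            return None
        if pkt.key_indication or self.original_key is None:
            return self.new_key
        if self.sn_boundary is not None and not sn_before(pkt.sn, self.sn_boundary):
            return self.new_key
        return self.original_key

    def key_names(self, packets: List[UserPlanePacket]) -> List[str]:
        """Process packets in arrival order and label each with the key used."""
        names = []
        for pkt in packets:
            key = self.select_key(pkt)
            if key is None:
                names.append("end-marker")
            elif key == self.new_key:
                names.append("new")
            else:
                names.append("original")
        return names


if __name__ == "__main__":
    # Constructed sample: boundary 4090, one wrapped SN, one flagged packet,
    # then an end-marker followed by a packet whose SN lies before the boundary.
    state = HandoverKeyState(b"constructed-original-key", b"constructed-new-key",
                             sn_boundary=4090)
    sample = [
        UserPlanePacket(4088, b"a"),
        UserPlanePacket(4090, b"b"),
        UserPlanePacket(3, b"c"),
        UserPlanePacket(4085, b"d", key_indication=True),
        UserPlanePacket(4086, b"", end_marker=True),
        UserPlanePacket(4000, b"e"),
    ]
    print(state.key_names(sample))
```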
In order to enable the first RAN device to determine that the user plane security information of the network slice is on the first RAN device side or the first CN device side, the first RAN device may further receive a network slice Management message sent by an Operation and Management plane device (OAM).
Specifically, the process shown in fig. 7 includes the following steps:
In step 701, an OAM device sends a network slice management message to a first RAN device.
The network slice management message includes the user plane security information of the basic network slice. The OAM may be a Slice Management (Slice Manager) device, and/or a slice management device in the RAN domain, and/or an Element Management System (EMS) on the RAN side, and the like. The content of the message may be the user plane security information described in the above embodiments, which is not repeated here.
The specific representation form of the message is not limited: the message may be encoded according to the specific information content, may represent different user plane security information by different fields, or may be encoded in an index manner.
In step 702, the first RAN device receives a network slice management message sent by the OAM device, and sends a confirmation message to the OAM device.
After receiving the network slice management message, the first RAN device may or may not send an acknowledgement message to the OAM device. The confirmation message may contain one or more of the following pieces of information in combination: a confirmation success message, indicating that the RAN device accepts generation and/or modification of the configuration for the network slice instance sent by the OAM device via message 1; or a confirmation failure message, indicating that the RAN device rejects generation and/or modification of the configuration of the network slice instance sent by the OAM device through the network slice management message. Further, the message may also indicate the reason for the failure, for example that a certain configuration requirement of the network slice management message, such as the encryption/decryption function algorithm configuration, cannot be completed.
In step 703, the first RAN device stores the user plane security information of the basic network slice, and optionally, the first RAN device may send the user plane security information of the network slice to the UE through an air interface message.
The air interface message may be an RRC message, such as an RRC connection setup message, an RRC connection reconfiguration message, and the like.
The foregoing embodiment shows the following: the first access network device receives a request message sent by the terminal device; the first access network device sends one or more pieces of network slice selection information to the first core network device; the first access network device receives a response message sent by the first core network device, in which the user plane security information includes user plane encryption/decryption position indication information and is used for encrypting/decrypting the user plane data packets of the service transmission associated with the network slice selected by the terminal device; the first access network device sends the user plane security information to the terminal device; and the first access network device receives encrypted data transmitted by the terminal device and transmits it to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information. Because the first access network device receives the user plane security information sent by the first core network device, it can acquire the user plane security information related to the service associated with the network slice, for example whether the first access network device is required to encrypt/decrypt the user plane data packets of the service transmission. The first access network device sends the user plane security information configured for the terminal device by the first core network device to the terminal device, so that the terminal device encrypts/decrypts the transmitted data according to that information, thereby achieving security and reliability of the data transmission process under the network slice architecture. Since the user plane security information is configured by the first core network device according to the one or more pieces of network slice selection information, the different user plane security requirements of different network slices can be met, and the flexibility and differentiation of data encryption/decryption are improved.
The terminal device mentioned in the embodiments of the present invention may be a wireless terminal device or a wired terminal device, and the wireless terminal device may be a device providing voice and/or other service data connectivity to a user, a handheld device having a wireless connection function, or another processing device connected to a wireless modem. Wireless terminal devices, which may be mobile terminals such as mobile phones (or "cellular" phones) and computers with mobile terminals, for example portable, pocket-sized, hand-held, computer-built-in, or vehicle-mounted mobile devices, may communicate with one or more core networks via a Radio Access Network (RAN). Examples are Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, Personal Digital Assistants (PDAs), and the like. The wireless terminal device may also be referred to as a system, a Subscriber Unit, a Subscriber Station, a Mobile Station (Mobile), a Remote Station, a Remote Terminal, an Access Terminal, a User Terminal, a User Agent, or a User Device (User Equipment).
In addition, the term "and/or" in the embodiment of the present invention is only one kind of association relationship describing an associated object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in the embodiment of the present invention generally indicates that the preceding and following related objects are in an "or" relationship.
Some English abbreviations in the embodiments of the present invention are described taking the LTE system as an example; they may change with the evolution of the network, and the specific evolution may refer to the descriptions in the corresponding standards.
Referring to fig. 8, fig. 8 is a schematic diagram of a possible structure of a data security transmission apparatus according to an embodiment of the present invention. The apparatus is, for example, one possible structure diagram of the first access network device, the second access network device, the first core network device, the second core network device, and the terminal device. As shown in fig. 8, the apparatus includes: a processor 10, a transmitter 20, a receiver 30, a memory 40 and an antenna 50. The memory 40, the transmitter 20 and the receiver 30, and the processor 10 may be connected by a bus. Of course, in practical applications, the memory 40, the transmitter 20, the receiver 30 and the processor 10 may be not in a bus structure, but may be in other structures, such as a star structure, and the present application is not limited in particular.
Optionally, the processor 10 may be a general-purpose central processing unit or an Application Specific Integrated Circuit (ASIC), may be one or more integrated circuits for controlling program execution, may be a hardware circuit developed using a Field Programmable Gate Array (FPGA), or may be a baseband processor.
Optionally, the processor 10 may include at least one processing core.
Optionally, the memory 40 may include one or more of a Read Only Memory (ROM), a Random Access Memory (RAM), and a disk memory. The memory 40 is used to store the data and/or instructions required by the processor 10 during operation. There may be one or more memories 40. Part of the memory 40 may be integrated with the processor or provided independently of it.
Alternatively, the transmitter 20 and the receiver 30 may be physically independent of each other or may be integrated together. The transmitter 20 may transmit data via the antenna 50. Receiver 30 may receive data via antenna 50.
Based on the same inventive concept, the embodiment of the present invention further provides a data security transmission apparatus (as shown in fig. 8), which is configured to implement any one of the foregoing methods.
When the apparatus is an access network device, for example, the first access network device, the processor 10 is configured to control the receiver 30 to receive a request message sent by a terminal device; the request message comprises one or more network slice selection information; and controlling the transmitter 20 to transmit the one or more network slice selection information to a first core network device;
the processor 10 is further configured to control the receiver 30 to receive a response message sent by the first core network device; the response message comprises user plane security information configured for the terminal equipment by the first core network equipment; the user plane safety information comprises user plane encryption/decryption position indication information and is used for encrypting/decrypting a user plane data packet of service transmission related to the network slice selected by the terminal equipment;
the processor 10 is further configured to control the transmitter 20 to transmit the user plane security information to the terminal device; and controlling the receiver 30 to receive the encrypted data transmitted by the terminal device, and controlling the transmitter 20 to transmit the encrypted data to the first core network device, where the encrypted data is processed by the terminal device according to the user plane security information.
Optionally, the access network device further includes a memory 40;
the processor 10 is further configured to:
after transmitting the encrypted data to the first core network device, control the transmitter 20 to transmit a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver 30 to receive a handover request acknowledgement message sent by the second access network device;
control the transmitter 20 to send a handover instruction to the terminal device and control the memory 40 to cache encrypted data to be transmitted to the second access network device, the encrypted data to be transmitted to the second access network device being data encrypted by the first core network device and transmitted to the terminal device, and the handover instruction instructing the terminal device to hand over from the first access network device to the second access network device;
control the transmitter 20 to transmit an SN status transmission message to the second access network device, the SN status transmission message indicating one or more uplink and downlink SN statuses in RLC mode;
control the transmitter 20 to transmit the cached encrypted data to the second access network device.
Optionally, the second access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the transmitter 20 to transmit the cached encrypted data to the first core network device.
Optionally, the processor 10 is further configured to:
control the transmitter 20 to transmit the SN status transmission message to the first core network device before controlling the transmitter 20 to transmit the cached encrypted data to the first core network device.
Optionally, the cached encrypted data includes data to be sent to the terminal device that is cached by the access network device and data that has been sent to the terminal device for which no feedback has been received from the terminal device.
Optionally, the user plane security information further includes header compression function position indication information and integrity protection function position indication information.
Optionally, the processor 10 is further configured to:
before controlling the receiver 30 to receive the encrypted data transmitted by the terminal device, control the receiver 30 to receive a network slice management message sent by an operation and management device, the network slice management message comprising user plane security information of a basic network slice;
control the memory 40 to store the user plane security information of the basic network slice.
When the apparatus is a terminal device, the transmitter 20 is configured to send a request message to a first access network device, where the request message includes one or more pieces of network slice selection information;
the receiver 30 is configured to receive user plane security information configured by the first core network device for the terminal device, where the user plane security information includes user plane encryption/decryption position indication information;
the processor 10 is configured to process data to be transmitted according to the user plane security information, generate encrypted data, and control the transmitter 20 to transmit the encrypted data to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to transmit the encrypted data to the first access network device, controlling the receiver 30 to receive a handover instruction sent by the first access network device;
establishing an RRC connection with the second access network device and controlling the transmitter 20 to transmit a handover complete message to the second access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to transmit the handover complete message to the second access network device, controlling the receiver 30 to receive an SN indication message transmitted by the second access network device, where the SN indication message is used to indicate an SN boundary value of data received or transmitted by the terminal device.
When the apparatus is a core network device, the receiver 30 is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor 10 is configured to configure user plane security information of the terminal device according to the one or more pieces of network slice selection information;
the transmitter 20 is configured to transmit the user plane security information to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to send the user plane security information to the first access network device, controlling the receiver 30 to receive an SN status transmission message sent by the first access network device and the cached encrypted data to be transmitted to a second access network device.
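The exchange described for the access network, terminal and core network apparatus above (slice selection request, user plane security information carrying position indications, encrypted uplink data forwarded to the core network) as an added, runnable Python model. This is example code written for this page, not the patent's or any vendor's implementation; the slice identifiers, the SLICE_POLICY and BASIC_SLICE_POLICY tables, the key handling, and the toy encrypt-then-MAC scheme in protect()/unprotect() are all assumptions made so the exchange can be run end to end. Its point is what the encryption/decryption position indication changes: when the indication names the core network, the access network never holds the key and only forwards ciphertext; when it names the access network, the cipher terminates there.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Position(Enum):
    """Network-side termination point of a user-plane function."""
    ACCESS_NETWORK = "AN"
    CORE_NETWORK = "CN"


@dataclass(frozen=True)
class UserPlaneSecurityInfo:
    """The page's three position indications plus a constructed per-session key."""
    encryption: Position
    header_compression: Position
    integrity: Position
    key: bytes


# Constructed policy table of the first core network device; unknown slices fall
# back to the "basic network slice" policy distributed by operation and management.
SLICE_POLICY = {"slice-embb": (Position.ACCESS_NETWORK,) * 3,
                "slice-critical": (Position.CORE_NETWORK,) * 3}
BASIC_SLICE_POLICY = (Position.CORE_NETWORK,) * 3


def protect(key: bytes, sn: int, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC stand-in for a real user-plane cipher: HMAC-SHA256
    keystream XORed with the payload, then an 8-byte HMAC tag over nonce||ct."""
    nonce = sn.to_bytes(4, "big")
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    if len(plaintext) > len(stream):
        raise ValueError("toy cipher: payload longer than one keystream block")
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]


def unprotect(key: bytes, packet: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any modification."""
    nonce, ct, tag = packet[:4], packet[4:-8], packet[-8:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class CoreNetwork:
    """First core network device: configures the security info and decrypts when the position says CN."""
    def __init__(self) -> None:
        self.received: list[bytes] = []

    def configure(self, slice_ids: list[str]) -> UserPlaneSecurityInfo:
        enc, hc, integ = SLICE_POLICY.get(slice_ids[0], BASIC_SLICE_POLICY)
        key = hashlib.sha256(b"constructed-key:" + slice_ids[0].encode()).digest()
        return UserPlaneSecurityInfo(enc, hc, integ, key)

    def receive(self, info: UserPlaneSecurityInfo, packet: bytes) -> None:
        if info.encryption is Position.CORE_NETWORK:
            packet = unprotect(info.key, packet)
        self.received.append(packet)


class AccessNetwork:
    """First access network device: relays request/response, forwards uplink data."""
    def __init__(self, cn: CoreNetwork) -> None:
        self.cn, self.info, self.key, self.saw_plaintext = cn, None, None, False

    def attach(self, slice_ids: list[str]) -> UserPlaneSecurityInfo:
        self.info = self.cn.configure(slice_ids)  # request to CN, response back
        # Assumption: the AN holds the key only when it is the cipher endpoint.
        if self.info.encryption is Position.ACCESS_NETWORK:
            self.key = self.info.key
        return self.info  # relayed on to the terminal

    def uplink(self, packet: bytes) -> None:
        if self.key is not None:
            packet = unprotect(self.key, packet)  # terminate here, pass cleartext on
            self.saw_plaintext = True
        self.cn.receive(self.info, packet)


def run_session(slice_id: str, payloads: list[bytes]) -> dict:
    """Full exchange for one slice: the terminal protects each packet with the key
    from the security info; where it is decrypted depends on the position field."""
    cn = CoreNetwork()
    an = AccessNetwork(cn)
    info = an.attach([slice_id])
    for sn, payload in enumerate(payloads):
        an.uplink(protect(info.key, sn, payload))
    return {"encryption_at": info.encryption.value,
            "an_saw_plaintext": an.saw_plaintext, "cn_received": cn.received}
```

Running `run_session("slice-critical", ...)` shows the access network forwarding ciphertext it cannot read, while `run_session("slice-embb", ...)` shows it terminating the cipher; a slice with no configured policy falls back to the basic-slice setting. The header compression and integrity position fields are carried but not acted on in this model; the tag check in unprotect() stands in for integrity protection at whichever endpoint holds the key.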
When the apparatus is a second access network device, the processor 10 is configured to control the receiver 30 to receive a handover request message sent by a first access network device;
the processor 10 is further configured to control the transmitter 20 to send a handover request acknowledgement message to the first access network device, and receive an SN status transmission message sent by the first access network device; and controlling the receiver 30 to receive the encrypted data sent by the first access network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the receiver 30 to receive the data sent by the second core network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is further configured to:
after controlling the receiver 30 to receive the encrypted data sent by the first access network device, establishing an RRC connection with the terminal device; and controlling the transmitter 20 to transmit SN indication information to the terminal device, wherein the SN indication information is used for indicating an SN boundary value of data received or transmitted by the terminal device.
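The handover steps described for the first access network, the terminal and the second access network above (handover request and acknowledgement, caching of encrypted downlink data, the SN status transmission message, forwarding either to the second access network or, when it is served by a second core network, via the first core network, and the SN indication to the terminal) as an added, runnable Python model. This is example code written for this page, not the patent's or any vendor's implementation; the single RLC bearer, the SN field names, the lost-feedback fault injection, the inter-core-network relay in CoreNetwork.pass_on() and the run_handover() scenario are assumptions. It shows why the cached data must include both kinds the page names: packets sent but without feedback may never have reached the terminal, so dropping them at handover would lose data, while re-sending them costs at most a duplicate that the terminal discards by SN.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SnStatus:
    """One RLC acknowledged-mode bearer's state in the SN status transmission message."""
    ul_next_expected: int = 0
    dl_next_to_assign: int = 0


@dataclass
class Terminal:
    received: dict[int, bytes] = field(default_factory=dict)
    lost_feedback: set[int] = field(default_factory=set)  # constructed: ACKs that never arrive
    duplicates: int = 0
    sn_boundary: int | None = None  # set by the target AN's SN indication

    def receive(self, sn: int, data: bytes) -> bool:
        """Keep the first copy of each SN; return whether feedback reaches the AN."""
        self.duplicates += sn in self.received
        self.received.setdefault(sn, data)
        return sn not in self.lost_feedback


@dataclass
class CoreNetwork:
    """Holds SN status and cached data in transit when the ANs use different CNs (constructed relay)."""
    held: tuple[SnStatus, list[tuple[int, bytes]]] | None = None

    def accept(self, status: SnStatus, data: list[tuple[int, bytes]]) -> None:
        self.held = (status, list(data))

    def pass_on(self, other: CoreNetwork | AccessNetwork) -> None:
        other.accept(*self.held)
        self.held = None


@dataclass
class AccessNetwork:
    cn: CoreNetwork
    dl_unsent: list[tuple[int, bytes]] = field(default_factory=list)  # cached, not yet sent
    dl_unacked: dict[int, bytes] = field(default_factory=dict)        # sent, no feedback yet
    status: SnStatus = field(default_factory=SnStatus)

    def downlink_from_cn(self, encrypted: bytes) -> None:
        self.dl_unsent.append((self.status.dl_next_to_assign, encrypted))
        self.status.dl_next_to_assign += 1

    def deliver(self, terminal: Terminal, count: int) -> None:
        for _ in range(min(count, len(self.dl_unsent))):
            sn, data = self.dl_unsent.pop(0)
            self.dl_unacked[sn] = data
            if terminal.receive(sn, data):
                del self.dl_unacked[sn]

    def buffered(self) -> list[tuple[int, bytes]]:
        """Both kinds the page names: sent without feedback, and not yet sent."""
        return sorted(self.dl_unacked.items()) + list(self.dl_unsent)

    def handover(self, target: AccessNetwork, terminal: Terminal) -> None:
        """Source side, after request/acknowledge and the handover instruction."""
        data = self.buffered()
        if target.cn is self.cn:
            target.accept(self.status, data)
        else:
            self.cn.accept(self.status, data)   # SN status message, then data, to first CN
            self.cn.pass_on(target.cn)          # constructed inter-CN path
            target.cn.pass_on(target)           # target AN receives from the second CN
        self.dl_unsent.clear()
        self.dl_unacked.clear()
        target.complete(terminal)

    def accept(self, status: SnStatus, data: list[tuple[int, bytes]]) -> None:
        """Target side: take over the SN state, then queue the forwarded data."""
        self.status = SnStatus(status.ul_next_expected, status.dl_next_to_assign)
        self.dl_unsent.extend(data)

    def complete(self, terminal: Terminal) -> None:
        """Target side, after RRC connection and handover complete: SN indication, then drain."""
        terminal.sn_boundary = (self.dl_unsent[0][0] if self.dl_unsent
                                else self.status.dl_next_to_assign)
        self.deliver(terminal, len(self.dl_unsent))


def run_handover(shared_core: bool, packets: int, sent_before: int, lost: set[int]) -> dict:
    """Constructed scenario: `packets` ciphertexts from the CN, `sent_before` delivered pre-handover."""
    cn1 = CoreNetwork()
    cn2 = cn1 if shared_core else CoreNetwork()
    source, target = AccessNetwork(cn1), AccessNetwork(cn2)
    ue = Terminal(lost_feedback=lost)
    for i in range(packets):
        source.downlink_from_cn(f"enc-{i}".encode())  # stand-in for CN-encrypted data
    source.deliver(ue, sent_before)
    source.handover(target, ue)
    return {"payloads": [ue.received[sn] for sn in sorted(ue.received)],
            "boundary": ue.sn_boundary, "duplicates": ue.duplicates,
            "target_dl_next": target.status.dl_next_to_assign}
```

With six packets, three delivered before handover and the feedback for SN 1 lost, the terminal ends up with all six payloads exactly once in SN order, the SN indication names SN 1 as the boundary (the lowest SN the target may still send), and the target continues numbering at 6 because it took over the downlink SN state; the result is identical whether or not the two access networks share a core network.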
Based on the same inventive concept, the embodiment of the present invention further provides a data security transmission apparatus, which includes a functional module for executing the foregoing method steps.
Various changes and specific examples in the data transmission method in the foregoing embodiments are also applicable to the data transmission apparatus in this embodiment and the apparatus in fig. 8, and those skilled in the art can clearly know the implementation method of the data transmission apparatus in this embodiment and the apparatus in fig. 8 through the foregoing detailed description of the data transmission method, so that details are not described here for brevity of the description.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
Claims (30)
1. A method for secure transmission of data, the method comprising:
a first access network device receives a request message sent by a terminal device, the request message comprising one or more pieces of network slice selection information;
the first access network device sends the one or more pieces of network slice selection information to a first core network device;
the first access network device receives a response message sent by the first core network device, the response message comprising user plane security information configured for the terminal device by the first core network device, the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device;
the first access network device sends the user plane security information to the terminal device; and
the first access network device receives encrypted data transmitted by the terminal device and transmits the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
2. The method of claim 1, further comprising, after the first access network device transmits the encrypted data to the first core network device:
the first access network device sends a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
the first access network device receives a handover request acknowledgement message sent by the second access network device;
the first access network device sends a handover instruction to the terminal device and caches encrypted data to be transmitted to the second access network device, the encrypted data to be transmitted to the second access network device being data encrypted by the first core network device and transmitted to the terminal device, and the handover instruction instructing the terminal device to hand over from the first access network device to the second access network device;
the first access network device sends a sequence number (SN) status transmission message to the second access network device, the SN status transmission message indicating one or more uplink and downlink SN statuses in radio link control (RLC) mode; and
the first access network device sends the cached encrypted data to the second access network device.
3. The method of claim 2, wherein the second access network device communicates with a second core network device, and the first access network device sending the cached encrypted data to the second access network device comprises:
the first access network device sends the cached encrypted data to the first core network device.
4. The method of claim 3, further comprising, before the first access network device sends the cached encrypted data to the first core network device:
the first access network device sends the SN status transmission message to the first core network device.
5. The method according to any of claims 2 to 4, wherein the cached encrypted data comprises data to be sent to the terminal device that is cached by the first access network device and data that has been sent to the terminal device for which no feedback has been received from the terminal device.
6. The method of claim 1, wherein the user plane security information further comprises header compression function position indication information and integrity protection function position indication information.
7. The method of claim 1, further comprising, before the first access network device receives the encrypted data transmitted by the terminal device:
the first access network device receives a network slice management message sent by an operation and management device, the network slice management message comprising user plane security information of a basic network slice; and
the first access network device stores the user plane security information of the basic network slice.
8. A method for secure transmission of data, the method comprising:
a terminal device sends a request message to a first access network device, the request message comprising one or more pieces of network slice selection information;
the terminal device receives user plane security information sent by the first access network device and configured for the terminal device by a first core network device, the user plane security information comprising user plane encryption/decryption position indication information; and
the terminal device processes data to be transmitted according to the user plane security information, generates encrypted data, and transmits the encrypted data to the first access network device.
9. The method of claim 8, further comprising, after the terminal device transmits the encrypted data to the first access network device:
the terminal device receives a handover instruction sent by the first access network device; and
the terminal device establishes a radio resource control (RRC) connection with a second access network device and sends a handover complete message to the second access network device.
10. The method of claim 9, further comprising, after the terminal device sends the handover complete message to the second access network device:
the terminal device receives a sequence number (SN) indication message sent by the second access network device, the SN indication message indicating an SN boundary value of data received or sent by the terminal device.
11. A method for secure transmission of data, the method comprising:
a first core network device receives one or more pieces of network slice selection information sent by a first access network device;
the first core network device configures user plane security information of a terminal device according to the one or more pieces of network slice selection information, the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device; and
the first core network device sends the user plane security information to the first access network device.
12. The method of claim 11, further comprising, after the first core network device sends the user plane security information to the first access network device:
the first core network device receives an SN status transmission message sent by the first access network device and cached encrypted data to be transmitted to a second access network device.
13. A method for secure transmission of data, the method comprising:
a second access network device receives a handover request message sent by a first access network device, the handover request message being sent after the first access network device receives encrypted data transmitted by a terminal device and transmits the encrypted data to a first core network device, the encrypted data transmitted by the terminal device being data processed by the terminal device according to user plane security information, and the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device;
the second access network device sends a handover request acknowledgement message to the first access network device and receives a sequence number (SN) status transmission message sent by the first access network device; and
the second access network device receives encrypted data sent by the first access network device, the encrypted data sent by the first access network device being data encrypted by the first core network device and transmitted to the terminal device.
14. The method of claim 13, wherein the first access network device communicates with the first core network device and the second access network device communicates with a second core network device, and the second access network device receiving the encrypted data sent by the first access network device comprises:
the second access network device receives the data sent by the second core network device.
15. The method of claim 13 or 14, wherein the first access network device communicates with the first core network device and the second access network device communicates with a second core network device, and the method further comprises, after the second access network device receives the encrypted data sent by the first access network device:
the second access network device establishes a radio resource control (RRC) connection with the terminal device; and
the second access network device sends sequence number (SN) indication information to the terminal device, the SN indication information indicating an SN boundary value of data received or sent by the terminal device.
16. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein:
the processor is configured to control the receiver to receive a request message sent by a terminal device, the request message comprising one or more pieces of network slice selection information, and to control the transmitter to transmit the one or more pieces of network slice selection information to a first core network device;
the processor is further configured to control the receiver to receive a response message sent by the first core network device, the response message comprising user plane security information configured for the terminal device by the first core network device, the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device; and
the processor is further configured to control the transmitter to transmit the user plane security information to the terminal device, to control the receiver to receive encrypted data transmitted by the terminal device, and to control the transmitter to transmit the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
17. The access network device of claim 16, wherein the access network device further comprises a memory, and the processor is further configured to:
after the encrypted data is transmitted to the first core network device, control the transmitter to transmit a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver to receive a handover request acknowledgement message sent by the second access network device;
control the transmitter to send a handover instruction to the terminal device and control the memory to cache encrypted data to be transmitted to the second access network device, the encrypted data to be transmitted to the second access network device being data encrypted by the first core network device and transmitted to the terminal device, and the handover instruction instructing the terminal device to hand over from the first access network device to the second access network device;
control the transmitter to transmit a sequence number (SN) status transmission message to the second access network device, the SN status transmission message indicating one or more uplink and downlink SN statuses in radio link control (RLC) mode; and
control the transmitter to transmit the cached encrypted data to the second access network device.
18. The access network device of claim 17, wherein the second access network device communicates with a second core network device, and the processor is specifically configured to:
control the transmitter to transmit the cached encrypted data to the first core network device.
19. The access network device of claim 18, wherein the processor is further configured to:
before controlling the transmitter to transmit the cached encrypted data to the first core network device, control the transmitter to transmit the SN status transmission message to the first core network device.
20. The access network device according to any one of claims 17 to 19, wherein the cached encrypted data comprises data to be sent to the terminal device that is cached by the access network device and data that has been sent to the terminal device for which no feedback has been received from the terminal device.
21. The access network device of claim 16, wherein the user plane security information further comprises header compression function position indication information and integrity protection function position indication information.
22. The access network device of claim 16, wherein the processor is further configured to:
before controlling the receiver to receive the encrypted data transmitted by the terminal device, control the receiver to receive a network slice management message sent by an operation and management device, the network slice management message comprising user plane security information of a basic network slice; and
control a memory to store the user plane security information of the basic network slice.
23. A terminal device, characterized in that the terminal device comprises a receiver, a processor and a transmitter, wherein:
the transmitter is configured to send a request message to a first access network device, the request message comprising one or more pieces of network slice selection information;
the receiver is configured to receive user plane security information sent by the first access network device and configured for the terminal device by a first core network device, the user plane security information comprising user plane encryption/decryption position indication information; and
the processor is configured to process data to be transmitted according to the user plane security information, generate encrypted data, and control the transmitter to transmit the encrypted data to the first access network device.
24. The terminal device of claim 23, wherein the processor is further configured to:
after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover instruction sent by the first access network device; and
establish a radio resource control (RRC) connection with a second access network device and control the transmitter to transmit a handover complete message to the second access network device.
25. The terminal device of claim 24, wherein the processor is further configured to:
after controlling the transmitter to transmit the handover complete message to the second access network device, control the receiver to receive a sequence number (SN) indication message transmitted by the second access network device, the SN indication message indicating an SN boundary value of data received or transmitted by the terminal device.
26. A core network device, characterized in that the core network device comprises a receiver, a processor and a transmitter, wherein:
the receiver is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor is configured to configure user plane security information of a terminal device according to the one or more pieces of network slice selection information, the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device; and
the transmitter is configured to transmit the user plane security information to the first access network device.
27. The core network device of claim 26, wherein the processor is further configured to:
after controlling the transmitter to transmit the user plane security information to the first access network device, control the receiver to receive a sequence number (SN) status transmission message transmitted by the first access network device and cached encrypted data to be transmitted to a second access network device.
28. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein:
the processor is configured to control the receiver to receive a handover request message sent by a first access network device, the handover request message being sent after the first access network device receives encrypted data transmitted by a terminal device and transmits the encrypted data to a first core network device, the encrypted data transmitted by the terminal device being data processed by the terminal device according to user plane security information, and the user plane security information comprising user plane encryption/decryption position indication information and being used to encrypt/decrypt user plane data packets of the service transmission related to the network slice selected by the terminal device; and
the processor is further configured to control the transmitter to send a handover request acknowledgement message to the first access network device, to receive a sequence number (SN) status transmission message sent by the first access network device, and to control the receiver to receive encrypted data sent by the first access network device, the encrypted data sent by the first access network device being data encrypted by the first core network device and transmitted to the terminal device.
29. The access network device of claim 28, wherein the first access network device communicates with the first core network device and the access network device communicates with a second core network device, and the processor is specifically configured to:
control the receiver to receive the data sent by the second core network device.
30. The access network device of claim 28 or 29, wherein the first access network device communicates with the first core network device and the access network device communicates with a second core network device, and the processor is further configured to:
after controlling the receiver to receive the encrypted data sent by the first access network device, establish a radio resource control (RRC) connection with the terminal device; and
control the transmitter to transmit sequence number (SN) indication information to the terminal device, the SN indication information indicating an SN boundary value of data received or transmitted by the terminal device.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710064248.8A CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
PCT/CN2018/074201 WO2018137689A1 (en) | 2017-01-26 | 2018-01-25 | Method for secure data transmission, access network, terminal and core network device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710064248.8A CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108366369A CN108366369A (en) | 2018-08-03 |
CN108366369B true CN108366369B (en) | 2021-02-12 |
Family
ID=62977804
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710064248.8A Active CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108366369B (en) |
WO (1) | WO2018137689A1 (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108966217B (en) * | 2018-08-29 | 2022-05-17 | 焦作市数据安全工程研究中心 | Secret communication method, mobile terminal and secret gateway |
US11350272B2 (en) * | 2018-11-01 | 2022-05-31 | Qualcomm Incorporated | Encrypting network slice selection assistance information |
CN111479335A (en) * | 2019-01-24 | 2020-07-31 | 华为技术有限公司 | A data transmission method and communication device |
CN111585721B (en) * | 2019-02-15 | 2022-08-19 | 华为技术有限公司 | Entity establishment processing method and device |
CN109981771A (en) * | 2019-03-22 | 2019-07-05 | 长安大学 | A kind of bus or train route communication test system and test method based on 5G technology |
CN111770498B (en) * | 2019-04-01 | 2022-01-14 | 华为技术有限公司 | Method for determining security protection mode, access network equipment and terminal |
WO2020258292A1 (en) * | 2019-06-28 | 2020-12-30 | Oppo广东移动通信有限公司 | Wireless communication method, terminal device, access network device and core network device |
CN110582109A (en) * | 2019-08-31 | 2019-12-17 | 华为技术有限公司 | Wireless Local Area Network (WLAN) network access method and device |
CN113766607B (en) * | 2020-06-03 | 2023-03-31 | 华为技术有限公司 | Access control method and related equipment |
US11622282B2 (en) | 2020-10-23 | 2023-04-04 | Dish Wireless L.L.C. | Secondary operator integration with a cellular network |
WO2022125200A2 (en) * | 2020-10-23 | 2022-06-16 | Dish Wireless L.L.C. | Secondary operator integration with a cellular network |
CN118283649A (en) * | 2022-12-30 | 2024-07-02 | 华为技术有限公司 | Communication method and related device |
CN117221894B (en) * | 2023-11-09 | 2024-01-12 | 湖南雷诺科技发展有限公司 | Big data-based 5G communication transmission method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102056226A (en) * | 2009-11-10 | 2011-05-11 | 中兴通讯股份有限公司 | Method for acquiring PDCP (packet data convergence protocol) status report and PDCP entity |
CN106060900A (en) * | 2016-05-13 | 2016-10-26 | 宇龙计算机通信科技(深圳)有限公司 | Method and apparatus for controlling access to network slicing, terminal small cell and SDN controller |
CN106210042A (en) * | 2016-07-11 | 2016-12-07 | 清华大学 | A kind of user based on end to end network section services request selection method |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101047500A (en) * | 2006-03-28 | 2007-10-03 | 华为技术有限公司 | Method for transmitting ciphered data pack in gradual network |
CN101047998B (en) * | 2006-06-27 | 2010-05-12 | 华为技术有限公司 | Data transmission method in switchover procedure between base station |
US7995994B2 (en) * | 2006-09-22 | 2011-08-09 | Kineto Wireless, Inc. | Method and apparatus for preventing theft of service in a communication system |
EP3281434B1 (en) * | 2015-04-08 | 2020-02-12 | Telefonaktiebolaget LM Ericsson (publ) | Method, apparatus, and system for providing encryption or integrity protection in a wireless network |
US20160352578A1 (en) * | 2015-05-26 | 2016-12-01 | Dell Products L.P. | System and method for adaptive paths locator for virtual network function links |
US9973578B2 (en) * | 2015-06-01 | 2018-05-15 | Telefonaktiebolaget Lm Ericsson (Publ) | Real time caching efficient check in a content centric networking (CCN) |
2017
- 2017-01-26 CN CN201710064248.8A patent/CN108366369B/en Active
2018
- 2018-01-25 WO PCT/CN2018/074201 patent/WO2018137689A1/en Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2018137689A1 (en) | 2018-08-02 |
CN108366369A (en) | 2018-08-03 |
Similar Documents
Publication | Title |
---|---|
CN108366369B (en) | Method for data secure transmission, access network, terminal and core network equipment |
US10660008B2 (en) | Data transmission system, method, and apparatus |
WO2020029938A1 (en) | Secure conversation method and device |
TWI762684B (en) | Handover method, an access network equipment and a terminal equipment |
CN110463270A (en) | System and method for dynamic data relaying |
WO2020052531A1 (en) | Method and apparatus for acquiring security context |
CN109315008B (en) | Multi-connection communication method and device |
KR20110090812A (en) | Method for selectively applying the PDCP function in a mobile communication system |
JP7035094B2 (en) | Methods for transmitting data, terminal devices and network devices |
EP3713297B1 (en) | Layer 2 processing method, central unit and distributed unit |
WO2015165051A1 (en) | Data transmission method and device |
US20190357105A1 (en) | Method and apparatus for reducing interruption delay, and user device |
WO2014175091A1 (en) | Communication control method, user terminal, cellular base station, and access point |
CN109246696A (en) | Key processing method and related apparatus |
JP2017147746A (en) | Method and device for data offloading |
EP4013086B1 (en) | Inactive state mobility management through different interfaces of access network device |
CN109314899B (en) | Data transmission method and device |
CN119605315A (en) | Method and apparatus for controlling user equipment |
US11751055B2 (en) | User plane integrity protection in cellular networks |
CN115336382A (en) | Method, infrastructure equipment and wireless communication network |
CN112789896B (en) | Method and device for switching transmission path |
US20220377541A1 (en) | Key Management Method and Communication Apparatus |
US10455472B2 (en) | Device and method of handling data transmissions in a wireless communication system |
CN109155956A (en) | Data transmission method, apparatus and system |
CN115278929A (en) | Method and equipment used for wireless communication |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |