CN112019489A - Verification method and device - Google Patents
- Publication number
- CN112019489A (CN201910472664.0A)
- Authority
- CN
- China
- Prior art keywords
- node
- terminal
- access network
- verification code
- network device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present application provides a verification method and apparatus, relating to the field of communication technologies. In the method, a terminal receives, from a first node, a first verification code generated according to a first root key and an identifier of the first node, together with the identifier of the first node, and verifies the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code. The first root key is the root key used for communication between the terminal and an access network device.
Description
Technical Field
The present application relates to the field of communication technologies, and in particular to a verification method and apparatus.
Background
In both device-to-device (D2D) communication and vehicle-to-everything (V2X) communication (a special kind of D2D communication), the sender and the receiver each obtain a shared key from a server (for example, a proximity service (ProSe) function) and then perform a handshake based on the shared key, thereby verifying each other. This approach is mainly suited to mutual verification between two terminals with symmetric roles (that is, with the same functions). In addition, because the server is located in the data network (DN) of the core network, it takes the sender or the receiver a long time to obtain the shared key, so the sender (or receiver) takes a long time to verify the receiver (or sender).
Summary of the Invention
Embodiments of the present application provide a verification method and apparatus for reducing the time a sender (or receiver) takes to verify a receiver (or sender).
To achieve the above objective, the embodiments of the present application provide the following technical solutions:
According to a first aspect, a verification method is provided. The method may be performed by a terminal or by a chip in a terminal, and includes: the terminal receives, from a first node, a first verification code generated according to a first root key and an identifier of the first node, together with the identifier of the first node, and verifies the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code. The first root key is the root key used for communication between the terminal and an access network device. In the prior art, the server is located in the DN, so the terminal needs a long time to obtain the shared key from the server. With the method of the first aspect, the terminal can verify the legitimacy of the first node from the first root key, the received identifier of the first node and the first verification code, without obtaining a shared key from the server, which shortens the time the terminal takes to verify the legitimacy of the first node.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes an RRC message sent by the terminal to the access network device. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the access network device can verify the legitimacy of the terminal according to the RRC message, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes a third verification code used to verify the legitimacy of the terminal. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the access network device can verify the legitimacy of the terminal according to the third verification code that the terminal generates from the first root key and sends, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, and sends the first request message to the first node according to the notification message. The notification message includes indication information indicating that the first node is the node responsible for allocating sidelink transmission resources.
In a possible implementation, the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code includes: the terminal generates a second verification code according to the identifier of the first node and the first root key, and verifies the legitimacy of the first node according to the second verification code and the first verification code.
According to a second aspect, a verification method is provided, including: a first node receives, from an access network device, a first verification code generated according to a first root key and an identifier of the first node, and sends the first verification code and the identifier of the first node to a terminal, where the identifier of the first node and the first verification code are used to verify the legitimacy of the first node. The first root key is the root key used for communication between the terminal and the access network device. In the prior art, the server is located in the DN, so the terminal needs a long time to obtain the shared key from the server. With the method of the second aspect, the terminal can verify the legitimacy of the first node from the first root key, the received identifier of the first node and the first verification code, without obtaining a shared key from the server, which shortens the time the terminal takes to verify the legitimacy of the first node.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the first node receives from the terminal a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes an RRC message sent by the terminal to the access network device; according to the first request message, the first node sends to the access network device a second request message that includes the RRC message, and the access network device uses the RRC message to verify the legitimacy of the terminal. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the access network device can verify the legitimacy of the terminal according to the RRC message, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the method further includes: the first node receives from the terminal a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes a third verification code used to verify the legitimacy of the terminal; according to the first request message, the first node sends to the access network device a second request message that includes the third verification code. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the access network device can verify the legitimacy of the terminal according to the third verification code that the terminal generates from the first root key and sends, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the method further includes: the first node broadcasts a notification message on the sidelink, where the notification message includes indication information indicating that the first node is the node responsible for allocating sidelink transmission resources.
According to a third aspect, a verification method is provided. The method may be performed by an access network device or by a chip in an access network device, and includes: the access network device receives from a first node a second request message that includes an RRC message sent by a terminal to the access network device, and decodes the RRC message; if decoding succeeds, the access network device determines that the terminal is legitimate; if decoding fails, the access network device determines that the terminal is not legitimate. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. With the method of the third aspect, the access network device can verify the legitimacy of the terminal according to the RRC message, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the legitimacy of the first node.
According to a fourth aspect, a verification method is provided. The method may be performed by an access network device or by a chip in an access network device, and includes: the access network device receives from a first node a second request message that includes a third verification code, and verifies the legitimacy of a terminal according to an identifier of the first node, a first root key and the third verification code. The third verification code is used to verify the legitimacy of the terminal and is generated according to the identifier of the first node and the first root key; the first root key is the root key used for communication between the terminal and the access network device. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. With the method of the fourth aspect, the access network device can verify the legitimacy of the terminal according to the third verification code that the terminal generates from the first root key and sends, without the first node obtaining a shared key from the server, which shortens the time taken to verify the legitimacy of the terminal.
In a possible implementation, the access network device verifying the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code includes: the access network device generates a fourth verification code according to the identifier of the first node and the first root key, and verifies the legitimacy of the first node according to the fourth verification code and the third verification code.
In a possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the legitimacy of the first node.
According to a fifth aspect, a verification method is provided. The method may be performed by a terminal or by a chip in a terminal, and includes: the terminal receives an identifier of a first node and a first key freshness parameter from an access network device, where the first node is the termination point of the terminal's application-layer data; the terminal receives a first verification code from the first node, where the first verification code is generated according to a second root key and the second root key is the root key used for communication between the terminal and the first node; the terminal verifies the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code. In the prior art, the server is located in the DN, so the terminal needs a long time to obtain the shared key from the server. With the method of the fifth aspect, the terminal only needs to verify the legitimacy of the first node according to the identifier of the first node and the first key freshness parameter obtained from the access network device. The terminal can verify the legitimacy of the first node without obtaining a shared key from the server, which shortens the time the terminal takes to verify the legitimacy of the first node.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the terminal sends a first request message to the first node, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the terminal can send the first verification code to the first node, and the first node can verify the legitimacy of the terminal according to the first verification code sent by the terminal, without obtaining a shared key from the server, which shortens the time the first node takes to verify the legitimacy of the terminal.
In a possible implementation, the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code includes: the terminal generates the second root key according to a first root key, the identifier of the first node and the first key freshness parameter, where the first root key is the root key used for communication between the terminal and the access network device; the terminal generates a second verification code according to the second root key; the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, where the notification message includes indication information indicating that the first node is the node responsible for allocating sidelink transmission resources; the terminal sends the first request message to the first node according to the notification message.
In a possible implementation, the first request message further includes an identifier of the terminal.
In a possible implementation, the method further includes: the terminal generates, according to the second root key, a security protection key for data exchanged with the first node; the terminal performs data transmission with the first node according to the security protection key.
According to a sixth aspect, a verification method is provided. The method may be performed by a first node or by a chip in a first node, and includes: the first node generates a first verification code according to a second root key, where the second root key is the root key used for communication between the terminal and the first node and the first node is the termination point of the terminal's application-layer data; the first node sends the first verification code to the terminal. In the prior art, the server is located in the DN, so the terminal needs a long time to obtain the shared key from the server. With the method of the sixth aspect, the access network device can send the identifier of the first node and the first key freshness parameter to the terminal, and the terminal only needs to verify the legitimacy of the first node according to the identifier of the first node and the first key freshness parameter obtained from the access network device. The terminal can verify the legitimacy of the first node without obtaining a shared key from the server, which shortens the time the terminal takes to verify the legitimacy of the first node.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the first node receives a first request message from the terminal, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code that is used to verify the legitimacy of the terminal and is generated according to the second root key; the first node verifies the legitimacy of the terminal according to the second root key and the third verification code. In the prior art, the server is located in the DN, so the first node needs a long time to obtain the shared key from the server. In this possible implementation, the first node can verify the legitimacy of the terminal according to the first verification code sent by the terminal, without obtaining a shared key from the server, which shortens the time the first node takes to verify the legitimacy of the terminal.
In a possible implementation, the first request message includes an identifier of the terminal, and before the first node verifies the legitimacy of the terminal according to the second root key and the third verification code, the method further includes: the first node obtains the second root key according to the identifier of the terminal.
在一种可能的实现方式中,所述方法还包括:所述第一节点从所述接入网设备接收所述终端的标识和所述第二根密钥。In a possible implementation manner, the method further includes: receiving, by the first node, the identifier of the terminal and the second root key from the access network device.
在一种可能的实现方式中,所述方法还包括:所述第一节点在侧链路广播通知消息,所述通知消息中包括指示信息,所述指示信息用于指示所述第一节点是负责分配侧链路的传输资源的节点。In a possible implementation manner, the method further includes: the first node broadcasts a notification message on a side link, where the notification message includes indication information, where the indication information is used to indicate that the first node is a A node responsible for allocating transmission resources for a side link.
在一种可能的实现方式中,所述方法还包括:所述第一节点根据所述第二根密钥生成与所述终端之间的数据的安全保护密钥;所述第一节点根据所述安全保护密钥与所述终端之间进行数据传输。In a possible implementation manner, the method further includes: generating, by the first node, a security protection key for data with the terminal according to the second root key; data transmission between the security protection key and the terminal.
In a seventh aspect, a verification method is provided. The method may be performed by a first access network device or by a chip in the first access network device, and includes: the first access network device sends a handover request message to a second access network device, where the handover request message is used to request, from the second access network device, that a terminal be handed over from the first access network device to the second access network device, and the handover request message includes an identifier of the terminal; the first access network device receives a handover reply message from the second access network device, where the handover reply message includes an identifier of a second node and a second key freshness parameter, the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal. With the method provided in the seventh aspect, in a scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can successfully perform legitimacy verification with the second node after being handed over to the second access network device.
In an eighth aspect, a verification method is provided. The method may be performed by a second access network device or by a chip in the second access network device, and includes: the second access network device receives a handover request message from a first access network device, where the handover request message is used to request, from the second access network device, that a terminal be handed over from the first access network device to the second access network device, and the handover request message includes an identifier of the terminal; the second access network device sends a handover reply message to the first access network device, where the handover reply message includes an identifier of a second node and a second key freshness parameter, the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and the second access network device sends the identifier of the terminal and a third root key to the second node, where the third root key is the root key for communication between the terminal and the second node, and the third root key is used to verify the legitimacy of the terminal and/or the second node. With the method provided in the eighth aspect, in a scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can successfully perform legitimacy verification with the second node after being handed over to the second access network device.
In a ninth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a first verification code and an identifier of a first node from the first node, where the first verification code is generated according to a first root key and the identifier of the first node, and the first root key is the root key used for communication between the verification apparatus and an access network device. The processing unit is configured to verify the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code.
In a possible implementation, the verification apparatus and the first node communicate over a sidelink.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, where the first request message is used to request association with the first node, the first node is responsible for allocating sidelink transmission resources, and the first request message includes a radio resource control (RRC) message sent by the verification apparatus to the access network device.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, where the first request message is used to request association with the first node, the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the legitimacy of the verification apparatus.
In a possible implementation, the communication unit is further configured to receive a notification message broadcast by the first node on the sidelink, where the notification message includes indication information, and the indication information is used to indicate that the first node is a node responsible for allocating sidelink transmission resources; and the communication unit is further configured to send the first request message to the first node according to the notification message.
In a possible implementation, the processing unit is specifically configured to: generate a second verification code according to the identifier of the first node and the first root key; and verify the legitimacy of the first node according to the second verification code and the first verification code.
In a tenth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The processing unit is configured to receive, through the communication unit, a first verification code from an access network device, where the first verification code is generated according to a first root key and an identifier of the verification apparatus, and the first root key is the root key used for communication between a terminal and the access network device. The processing unit is further configured to send, through the communication unit, the first verification code and the identifier of the verification apparatus to the terminal, where the identifier of the verification apparatus and the first verification code are used to verify the legitimacy of the verification apparatus.
In a possible implementation, the terminal and the verification apparatus communicate over a sidelink.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, where the first request message is used to request association with the verification apparatus, the verification apparatus is responsible for allocating sidelink transmission resources, and the first request message includes an RRC message sent by the terminal to the access network device; and the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, where the second request message includes the RRC message, and the RRC message is used by the access network device to verify the legitimacy of the terminal.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, where the first request message is used to request association with the verification apparatus, the verification apparatus is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the legitimacy of the terminal; and the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, where the second request message includes the third verification code.
In a possible implementation, the processing unit is further configured to broadcast, through the communication unit, a notification message on the sidelink, where the notification message includes indication information, and the indication information is used to indicate that the verification apparatus is a node responsible for allocating sidelink transmission resources.
In an eleventh aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a second request message from a first node, where the second request message includes an RRC message sent by a terminal to the verification apparatus. The processing unit is configured to decode the RRC message; if the decoding succeeds, the processing unit determines that the terminal is legitimate; if the decoding fails, the processing unit determines that the terminal is not legitimate.
In a possible implementation, the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the legitimacy of the first node.
In a twelfth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a second request message from a first node, where the second request message includes a third verification code, the third verification code is used to verify the legitimacy of a terminal, the third verification code is generated according to an identifier of the first node and a first root key, and the first root key is the root key used for communication between the terminal and the verification apparatus. The processing unit is configured to verify the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code.
In a possible implementation, the processing unit is specifically configured to: generate a fourth verification code according to the identifier of the first node and the first root key; and verify the legitimacy of the first node according to the fourth verification code and the third verification code.
In a possible implementation, the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the legitimacy of the first node.
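The verification-code checks of the ninth to twelfth aspects can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 as the code-generation function, the purpose labels that keep the first and third codes distinct, and all names, keys and identifiers are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the page does not name the function behind a "verification code";
# HMAC-SHA256 stands in for it. The purpose labels are also assumptions, added so
# that the first and third codes (same key, same node identifier) differ.
NODE_AUTH = b"first-verification-code"
TERMINAL_AUTH = b"third-verification-code"

# Constructed sample values.
FIRST_ROOT_KEY = bytes(range(32))
NODE_ID = b"lrc-01"


def verification_code(root_key: bytes, node_id: bytes, purpose: bytes) -> bytes:
    """MAC over (purpose, node identifier), keyed with the root key."""
    # Length-prefix each field so field boundaries are unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (purpose, node_id))
    return hmac.new(root_key, msg, hashlib.sha256).digest()


class AccessNetworkDevice:
    """Holds the first root key it shares with the terminal."""

    def __init__(self, first_root_key: bytes):
        self._key = first_root_key

    def issue_first_code(self, node_id: bytes) -> bytes:
        # Handed to the first node, which forwards it with its identifier.
        return verification_code(self._key, node_id, NODE_AUTH)

    def verify_terminal(self, node_id: bytes, third_code: bytes) -> bool:
        # Twelfth aspect: generate a fourth code and compare it with the third.
        fourth_code = verification_code(self._key, node_id, TERMINAL_AUTH)
        return hmac.compare_digest(fourth_code, third_code)


class Terminal:
    """Holds the same first root key; never shares it with the first node."""

    def __init__(self, first_root_key: bytes):
        self._key = first_root_key

    def make_third_code(self, node_id: bytes) -> bytes:
        return verification_code(self._key, node_id, TERMINAL_AUTH)

    def verify_node(self, node_id: bytes, first_code: bytes) -> bool:
        # Ninth aspect: generate a second code and compare it with the first.
        second_code = verification_code(self._key, node_id, NODE_AUTH)
        return hmac.compare_digest(second_code, first_code)


def associate(terminal, device, real_node_id, advertised_node_id):
    """Run the exchange with the first node acting only as a relay.

    real_node_id is the identifier the access network device knows the node by;
    advertised_node_id is what the node announces on the sidelink.
    Returns (terminal_accepted, node_accepted).
    """
    # First request: terminal -> node, carrying the third code.
    third_code = terminal.make_third_code(advertised_node_id)
    # Second request: node -> access network device, which checks the terminal.
    if not device.verify_terminal(real_node_id, third_code):
        return (False, False)
    # Device -> node -> terminal: first code plus the node's identifier.
    first_code = device.issue_first_code(real_node_id)
    return (True, terminal.verify_node(advertised_node_id, first_code))


if __name__ == "__main__":
    t, d = Terminal(FIRST_ROOT_KEY), AccessNetworkDevice(FIRST_ROOT_KEY)
    print("legitimate node:", associate(t, d, NODE_ID, NODE_ID))
    print("mismatched identifier:", associate(t, d, NODE_ID, b"lrc-99"))
```

Both comparisons use `hmac.compare_digest`, so the time taken does not depend on how many leading bytes of a forged code happen to match.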
In a thirteenth aspect, a verification apparatus is provided. The apparatus has the function of implementing any one of the methods provided in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above function. For example, the apparatus may include a communication unit and a processing unit, where the processing unit is configured to perform the processing actions in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect (for example, actions other than sending and/or receiving), and the communication unit is configured to perform the sending and/or receiving actions in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect. Optionally, the actions performed by the communication unit are performed under the control of the processing unit. Optionally, the communication unit includes a sending unit and a receiving unit; in this case, the sending unit is configured to perform the sending actions in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect, and the receiving unit is configured to perform the receiving actions in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect. The apparatus may exist in the product form of a chip.
In a fourteenth aspect, a verification apparatus is provided, including a processor. The processor is connected to a memory, the memory is used to store computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory, thereby implementing any one of the methods provided in any one of the first to eighth aspects. The memory and the processor may be integrated together or may be separate devices. In the latter case, the memory may be located inside or outside the verification apparatus.
In a possible implementation, the processor includes a logic circuit and an input interface and/or an output interface. The output interface is used to perform the sending actions in the corresponding method, and the input interface is used to perform the receiving actions in the corresponding method.
In a possible implementation, the verification apparatus further includes a communication interface and a communication bus, and the processor, the memory and the communication interface are connected through the communication bus. The communication interface is used to perform the sending and receiving actions in the corresponding method. The communication interface may also be referred to as a transceiver. Optionally, the communication interface includes a transmitter and a receiver; in this case, the transmitter is used to perform the sending actions in the corresponding method, and the receiver is used to perform the receiving actions in the corresponding method.
In a possible implementation, the verification apparatus exists in the product form of a chip.
In a fifteenth aspect, a computer-readable storage medium is provided, including instructions that, when run on a computer, cause the computer to perform any one of the methods provided in any one of the first to eighth aspects.
In a sixteenth aspect, a computer program product containing instructions is provided; when the instructions are run on a computer, they cause the computer to perform any one of the methods provided in any one of the first to eighth aspects.
For the technical effects of any implementation of the ninth to sixteenth aspects, refer to the technical effects of the corresponding implementations of the first to eighth aspects; they are not repeated here.
It should be noted that the various possible implementations of any one of the above aspects may be combined, provided that the solutions do not contradict each other.
Description of drawings
FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application;
FIG. 2 is a schematic diagram of the composition of a communication protocol stack provided by an embodiment of this application;
FIG. 3 to FIG. 10 are each an interaction flowchart of a verification method provided by an embodiment of this application;
FIG. 11 is a schematic diagram of the composition of a verification apparatus provided by an embodiment of this application;
FIG. 12 and FIG. 13 are each a schematic diagram of the hardware structure of a verification apparatus provided by an embodiment of this application;
FIG. 14 is a schematic diagram of the hardware structure of a terminal provided by an embodiment of this application;
FIG. 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. In the description of this application, unless otherwise specified, "/" means "or"; for example, A/B may mean A or B. "And/or" in this document merely describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean: A alone, both A and B, or B alone. Also, in the description of this application, unless otherwise specified, "a plurality of" means two or more, and "at least one" means one or more.
In addition, to describe the technical solutions of the embodiments of this application clearly, words such as "first" and "second" are used in the embodiments to distinguish between identical or similar items whose functions and effects are basically the same. Those skilled in the art will understand that words such as "first" and "second" do not limit quantity or order of execution, and do not require that the items so labelled be different.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example orthogonal frequency-division multiple access (OFDMA), single carrier frequency-division multiple access (SC-FDMA) and other systems. The term "system" is interchangeable with "network". An OFDMA system can implement wireless technologies such as evolved universal terrestrial radio access (E-UTRA) and ultra mobile broadband (UMB). E-UTRA is an evolved version of the universal mobile telecommunications system (UMTS). Long term evolution (LTE) of the 3rd generation partnership project (3GPP), and the various versions evolved from LTE, are new versions that use E-UTRA. The 5th-generation (5G) communication system and the new radio (NR) communication system are next-generation communication systems currently under study. In addition, the communication system may also be one based on future-oriented communication technologies, to all of which the technical solutions provided in the embodiments of this application apply.
The methods provided in the embodiments of this application can be applied to various service scenarios, for example enhanced mobile broadband (eMBB) service scenarios, ultra-reliable and low latency communication (URLLC) service scenarios, internet of things (IoT) service scenarios, and industry IoT (IIoT).
Traditional cellular network communication mainly consists of communication between access network devices and terminals. When a terminal communicates with an access network device, the terminal's data can be passed through the access network device to a core network device. The introduction of D2D communication added communication between terminals. When terminals communicate with each other, the two terminals have end-to-end peer application layers, and the user plane data of one terminal (denoted terminal A) can terminate at the other terminal (denoted terminal B); that is, after terminal A's user plane data is sent to terminal B, it is processed at terminal B's application layer and does not need to be sent on to other devices. V2X, a special form of D2D communication, was introduced later. For D2D or V2X communication, the transmission resources used by a terminal (transmission here can be understood as sending and/or receiving) can be obtained by any one of the following methods. Method 1: the access network device allocates transmission resources to the terminal by semi-persistent scheduling (SPS) or dynamically. Method 2: the terminal selects transmission resources from one or more transmission resource pools on one or more carriers broadcast by the access network device; for example, the terminal may perform channel sensing itself and then select transmission resources according to the channel busy ratio of the resource pool. Method 3: the terminal selects transmission resources from a transmission resource pool preconfigured by a server (for example, a V2X control function). In methods 2 and 3, a transmission resource pool may include time domain resources and/or frequency domain resources; for example, a transmission resource pool may include frequency domain resources made up of one or more radio resource blocks (RBs), and/or time-frequency resources made up of one or more RBs on a specific time slot or set of time slots.
目前,为了提高资源分配的效率,有方案提出采用局部资源协调者(localresource coordinator,简称LRC)节点分配侧链路的传输资源,LRC节点是指在局部区域(例如,比小区更小的区域)内调度局部资源(例如,资源池)的功能的节点,例如,LRC节点可以分配终端和LRC节点之间的侧链路的传输资源,或者分配终端和终端之间的侧链路的传输资源等。LRC节点负责的局部资源可以是接入网设备分配的,也可以是自己进行信道感知而感知到的(例如,接入网设备在一个或多个载波上广播一个或多个传输资源池,LRC节点从传输资源池中选择传输资源,比如,LRC节点自行进行信道感知后根据资源池的信道忙比例选择传输资源)。At present, in order to improve the efficiency of resource allocation, some schemes propose to use a local resource coordinator (LRC) node to allocate the transmission resources of the side link. The LRC node refers to a local area (for example, an area smaller than a cell) A node that internally schedules local resources (eg, resource pools), for example, an LRC node can allocate transmission resources for side links between terminals and LRC nodes, or allocate transmission resources for side links between terminals and terminals, etc. . The local resources that the LRC node is responsible for can be allocated by the access network equipment, or can be sensed by its own channel sensing (for example, the access network equipment broadcasts one or more transmission resource pools on one or more carriers, LRC The node selects the transmission resource from the transmission resource pool, for example, the LRC node selects the transmission resource according to the channel busy ratio of the resource pool after performing channel sensing by itself).
图1是本申请提供的一种通信系统的示意图。其中,参见图1,终端和接入网设备之间可以通过蜂窝网无线链路(即Uu口)通信,LRC节点和接入网设备之间可以通过蜂窝网无线链路(即Uu口)通信,终端和LRC节点之间可以通过侧链路无线链路(即PC5口)通信。终端和接入网设备之间可以通过三种方式进行通信。第一种方式为:终端仅可以直接和接入网设备通信。第二种方式为:终端仅可以通过LRC节点和接入网设备通信。第三种方式为:终端既可以直接和接入网设备通信,也可以通过LRC节点和接入网设备通信。FIG. 1 is a schematic diagram of a communication system provided by the present application. 1, the terminal and the access network device can communicate through the cellular network wireless link (ie Uu port), and the LRC node and the access network device can communicate through the cellular network wireless link (ie Uu interface) , the terminal and the LRC node can communicate through the side link wireless link (ie the PC5 port). There are three ways to communicate between a terminal and an access network device. The first way is: the terminal can only communicate directly with the access network device. The second way is: the terminal can communicate with the access network device only through the LRC node. The third way is: the terminal can directly communicate with the access network device, or can communicate with the access network device through the LRC node.
在第一种方式下,终端可以和接入网设备建立无线资源控制(radio resourcecontrol,简称RRC)连接(后续称为Uu-RRC连接)。在第二种方式和第三种方式下,终端可以先和接入网设备建立Uu-RRC连接,终端再与LRC节点建立连接,也可以先和LRC节点建立连接,再通过LRC节点(此时,LRC节点为中继)和接入网设备建立Uu-RRC连接。其中,终端和LRC节点之间的连接可以为侧链路RRC连接(也可以称为PC5-RRC连接),也可以为其他连接(例如,下文中的建立关联即建立一种连接)。In the first manner, the terminal may establish a radio resource control (radio resource control, RRC for short) connection (hereinafter referred to as a Uu-RRC connection) with an access network device. In the second and third modes, the terminal can first establish a Uu-RRC connection with the access network equipment, and then the terminal can establish a connection with the LRC node, or it can first establish a connection with the LRC node, and then pass the LRC node (at this time , the LRC node is a relay) and the access network device establishes a Uu-RRC connection. The connection between the terminal and the LRC node may be a side link RRC connection (also referred to as a PC5-RRC connection), or may be other connections (for example, establishing an association hereinafter refers to establishing a connection).
对于LRC节点和终端之间的传输,一种情况下,接入网设备的控制面信令和/或用户面数据需要经过LRC节点发往终端,终端的控制面信令和/或用户面数据需要经过LRC节点发往接入网设备。此时,LRC节点可能作为终端和接入网设备之间的中继。另一种情况下,终端的用户面数据可能终结在LRC节点,即终端和LRC节点之间可以具有端到端对等的应用层,终端的用户面数据发送到LRC节点后,在LRC节点的应用层进行处理即可,不需要再发送给其他设备。For the transmission between the LRC node and the terminal, in one case, the control plane signaling and/or user plane data of the access network equipment need to be sent to the terminal through the LRC node, and the control plane signaling and/or user plane data of the terminal It needs to be sent to the access network device through the LRC node. At this time, the LRC node may act as a relay between the terminal and the access network equipment. In another case, the user plane data of the terminal may be terminated at the LRC node, that is, there may be an end-to-end peer-to-peer application layer between the terminal and the LRC node. The application layer can process it, and it does not need to be sent to other devices.
It should be noted that the user plane data in the embodiments of this application may also be referred to as application layer data.
It should be noted that the LRC node may have an RRC layer that is a peer of the terminal (called the PC5-RRC layer) and an RRC layer that is a peer of the access network device (called the Uu-RRC layer). In this case, RRC messages exchanged between the terminal and the LRC node may be called PC5-RRC messages, RRC messages exchanged between the LRC node and the access network device may be called Uu-RRC LRC messages, and RRC messages exchanged between the terminal and the access network device may be called Uu-RRC UE messages. Alternatively, the LRC node may have neither a PC5-RRC layer that is a peer of the terminal nor a Uu-RRC layer that is a peer of the access network device. In this case, only the terminal and the access network device can exchange RRC messages, and these messages may also be called Uu-RRC UE messages. Alternatively, the LRC node may have no PC5-RRC layer that is a peer of the terminal but have a Uu-RRC layer that is a peer of the access network device. In this case, RRC messages exchanged between the LRC node and the access network device may be called Uu-RRC LRC messages, and RRC messages exchanged between the terminal and the access network device may also be called Uu-RRC UE messages.
For example, FIG. 2 shows a schematic diagram of the protocol stack architecture of a terminal, an LRC node and an access network device. The figure is drawn for the case in which the LRC node has neither a PC5-RRC layer nor a Uu-RRC layer. The protocol stack of the terminal includes, from top to bottom: an RRC layer that is a peer of the access network device, a packet data convergence protocol (PDCP) layer that is a peer of the access network device, a radio link control (RLC) layer that is a peer of the LRC node, a medium access control (MAC) layer that is a peer of the LRC node, and a physical (PHY) layer that is a peer of the LRC node. On the PC5 interface, the protocol stack of the LRC node includes, from top to bottom: an RLC layer, a MAC layer and a PHY layer, each a peer of the terminal. On the Uu interface, the protocol stack of the LRC node includes, from top to bottom: an adaptation (Adapt) layer, an RLC layer, a MAC layer and a PHY layer, each a peer of the access network device. The protocol stack of the access network device includes, from top to bottom: an RRC layer that is a peer of the terminal, a PDCP layer that is a peer of the terminal, and an Adapt layer, an RLC layer, a MAC layer and a PHY layer, each a peer of the LRC node.
The LRC node is mainly responsible for allocating side link (sidelink) transmission resources. Allocating side link transmission resources includes one or more of the following: allocating side link transmission resources for communication between terminals, allocating side link transmission resources for communication between the LRC node and a terminal, and forwarding to a terminal the side link transmission resources that the access network device has configured for that terminal.
When the access network device configures side link transmission resources for the terminal, in one possible implementation the access network device configures a side link resource pool for the terminal; the terminal can then perform channel sensing on the resources in the pool and select resources from the pool itself for side link data transmission. In another possible implementation, the access network device configures side link resources for the terminal, and the terminal performs side link data transmission on the given side link resources.
The LRC node may be an Internet of Things terminal, a relay node (RN), an integrated access and backhaul (IAB) node, a controller in the IIoT, an Internet of Vehicles terminal, or the like. The LRC node may also be called a local manager, a local control node, a user group header (UE header or header UE), a scheduling user (scheduling UE), and so on. The LRC node in the embodiments of this application may be designated by the access network device, elected by terminals, or preconfigured (for example, certain terminals are preconfigured as LRC nodes); the embodiments of this application place no specific limitation on this.
The access network device is an entity on the network side that sends signals, receives signals, or both sends and receives signals. The access network device may be an apparatus deployed in a radio access network (RAN) to provide wireless communication functions for terminals, for example a base station. The access network device may be any of various forms of macro base station, micro base station (also called a small cell), relay station, access point (AP) and so on, and may also include various forms of control node, such as a network controller. The control node may be connected to multiple base stations and configure resources for the terminals covered by those base stations. In systems that use different radio access technologies, the device with base station functions may have different names. For example, it may be called a base transceiver station (BTS) in a global system for mobile communication (GSM) or code division multiple access (CDMA) network, a base station (NodeB) in wideband code division multiple access (WCDMA), an evolved base station (evolved NodeB, eNB or eNodeB) in an LTE system, and a next generation node base station (gNB) in a 5G or NR communication system; this application does not limit the specific name of the base station. The access network device may also be a wireless controller in a cloud radio access network (CRAN) scenario, an access network device in a future evolved public land mobile network (PLMN), a transmission and reception point (TRP), and so on.
A terminal is an entity on the user side that receives signals, sends signals, or both receives and sends signals. The terminal provides the user with one or more of voice services and data connectivity services. A terminal may be called user equipment (UE), terminal equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or a user apparatus. The terminal may be a mobile station (MS), a subscriber unit, a drone, an IoT device, a station (ST) in a wireless local area network (WLAN), a cellular phone, a smart phone, a cordless phone, a wireless data card, a tablet computer, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a laptop computer, a machine type communication (MTC) terminal, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, or a wearable device (also called a wearable smart device). The terminal may also be a terminal in a next-generation communication system, for example a terminal in a 5G communication system, a terminal in a future evolved PLMN, or a terminal in an NR communication system.
For the communication system shown in FIG. 1, if the prior-art method is used for legitimacy verification between the terminal and the LRC node, both the terminal and the LRC node need to obtain a shared key from a server (for example, the ProSe function) and then perform a handshake based on the shared key in order to verify each other. Because the server is located in the DN of the core network, it takes the terminal and the LRC node a long time to obtain the shared key, so the terminal takes a long time to verify the legitimacy of the LRC node, or the LRC node takes a long time to verify the legitimacy of the terminal. To solve this problem, the embodiments of this application provide several verification methods in which the LRC node and the terminal do not need to obtain a shared key from the server, which shortens the time needed to verify the legitimacy of the first node and/or the terminal.
To make the embodiments of this application clearer, some of the concepts mentioned in them are briefly introduced first.
(1) Security protection key
A security protection key is a key that can be used to provide security protection for data.
Security protection keys may include one or more of the following: an encryption key, a decryption key, an integrity protection key, and so on.
The sender encrypts plaintext with the encryption key and an encryption algorithm to produce ciphertext. The receiver decrypts the ciphertext with the decryption key and a decryption algorithm to recover the plaintext. With symmetric encryption, the encryption key and the decryption key are the same: the sender encrypts with a key (which is then the encryption key), and the receiver decrypts with that same key (which is then the decryption key).
The integrity protection key is a parameter that the sender inputs when it applies integrity protection to plaintext or ciphertext with an integrity protection algorithm. The receiver can verify the integrity of the integrity-protected data using the same integrity protection algorithm and integrity protection key.
The encryption key may include a control plane encryption key and a user plane encryption key. The decryption key may include a control plane decryption key and a user plane decryption key. The integrity protection key may include a control plane integrity protection key and a user plane integrity protection key.
(2) Root key
The root key in the embodiments of this application is a key on the access network side that is used to generate the verification code used for legitimacy verification between the terminal and another device, and/or to generate the security protection key between the terminal and another device. The other device may be an LRC node or an access network device.
The root keys involved in the embodiments of this application include the root key used for communication between the terminal and the access network device (for example, the first root key below) and the root keys used for communication between the terminal and the LRC node (for example, the second root key and the third root key below).
The root key used for communication between the terminal and the access network device may be denoted K_eNB/K_gNB, and the root key used for communication between the terminal and the LRC node may be denoted K_LRC. K_LRC may be generated from K_eNB/K_gNB. In addition, the control plane encryption key and the control plane integrity protection key between the terminal and the LRC node can be generated from K_LRC.
(3) Key freshness parameter
A key freshness parameter is a freshness parameter used to update a key. For example, it may be a freshness parameter used to update the root key.
(4) Side link (sidelink)
A side link is a link for communication between a terminal and an LRC node, or between one terminal and another. A side link may also be called a PC5 interface link.
(5) Identifier of the terminal
The identifier of the terminal in the embodiments of this application may be the terminal's cell radio network temporary identifier (C-RNTI) in the cellular network, or the C-RNTI plus a cell identifier, or the terminal's identifier on the side link, and so on.
The identifier of the terminal on the side link is the identifier that the LRC node uses to identify the terminal on the side link. It may also be called the proximity services user identifier (ProSe UE ID) or the identifier of the terminal on the PC5 interface.
For example, referring to FIG. 2, the identifier of the terminal on the side link may be carried in the MAC layer header, or in the MAC layer header and the PHY layer header. For example, the ProSe UE ID is 24 bits long. All 24 bits may be contained in the MAC layer header, in which case the identifier of the terminal on the side link may also be called the layer 2 identifier of the terminal (denoted UE L2 ID). Alternatively, 8 of the bits are contained in the PHY layer header and the remaining 16 bits are contained in the MAC layer header.
(6) Identifier of the LRC node
In the embodiments of this application, the identifier of the LRC node may be allocated by the access network device for the first node, or may be generated by the node itself.
The identifier of an LRC node (for example, the first node and the second node below) may be the identifier of the LRC node on the side link, in which case it is used to identify the LRC node on the side link (the identifier is then carried in the MAC layer header, or in the MAC layer header and the PHY layer header; specifically, when the LRC node is the sender, the identifier or part of the identifier may be carried in the source (SRC) address field of the MAC layer header). For example, the identifier of the LRC node on the side link may be the C-RNTI of the LRC node.
The identifier of the LRC node may also be the identifier of the LRC node in the cellular network (for example, the C-RNTI).
The identifier of the LRC node may also be an identifier that the LRC node uses in routing, for example the MAC address of the LRC node or the internet protocol (IP) address of the LRC node.
(7) Notification message
The notification message in the embodiments of this application is a message that the first node (for example, an LRC node) broadcasts on the side link. The notification message includes indication information (denoted first indication information), which indicates that the first node is a node responsible for allocating side link transmission resources (in other words, that the first node is an LRC node). For example, the notification message contains a scheduling header indication; when the value of the scheduling header indication is set to 1, the first node is a node responsible for allocating side link transmission resources. As another example, the first indication information may be conveyed by the message type contained in the notification message: when the message type is a particular type, it indicates that the node sending the notification message (that is, the first node) is a node responsible for allocating side link transmission resources (in other words, that the first node is an LRC node).
Optionally, the notification message may further include information used to indicate the first node, which may include one or more of the following: the identifier of the first node (see the description of the LRC node identifier above) and area information.
The area identifier is the identifier of the area served by the first node. There is a correspondence between the first node and the area identifier of the area it serves; the terminal may hold this correspondence and determine the first node from the area identifier. The correspondence held by the terminal between the first node and the area identifier of the served area may have been sent (or broadcast) to the terminal by the access network device.
Area information is information that indicates the area served by the first node. It may include an area identifier and/or location information of the area (for example, the longitude, latitude, radius, length and width of the area). The terminal may determine the first node from the area information. For example, there is a correspondence between the first node and the area information of the area it serves, and the terminal may determine the first node from that correspondence. In this case, the correspondence held by the terminal between the first node and the area information of the served area may have been sent (or broadcast) to the terminal by the access network device. As another example, the terminal may determine the area identifier from the location information of the area and then determine the first node from the area identifier; that is, the terminal may determine the first node from the correspondence between the first node and the area identifier of the served area together with the correspondence between the area identifier and the location information of the area. In this case, both correspondences held by the terminal may have been sent (or broadcast) to the terminal by the access network device.
(8) Signalling radio bearer (SRB)
SRBs include SRB0 and SRB1. SRB0 is the default SRB: when the terminal initially accesses the cellular network, it sends an RRC connection establishment request message over SRB0, for example an RRC setup request, an RRC reestablishment request or an RRC resume request. SRB1 is the SRB established while the Uu-RRC connection between the terminal and the access network device is being set up, and can be used to transmit Uu-RRC UE messages.
It should be noted that, across the embodiments of this application, the meanings of the first root key and the second root key and the methods of obtaining them may be cross-referenced without limitation. In addition, the embodiments below are described taking the identifier of the terminal to be the terminal's identifier on the side link; in a specific implementation, the identifier of the terminal may also be the terminal's identifier in the cellular network.
Embodiment 1
After the terminal establishes a Uu-RRC connection with the access network device, the core network authenticates the terminal. Successful authentication produces the root key used for communication between the terminal and the access network device (denoted the first root key), which is stored in the terminal and in the access network device. Embodiment 1 provides a verification method in which the terminal verifies the legitimacy of the first node based on the first root key, and the access network device verifies the legitimacy of the terminal based on the first root key or on a Uu-RRC UE message sent by the terminal. Legitimacy may also be called trustworthiness: in the embodiments of this application, legitimate may be read as trusted and illegitimate as untrusted, and this is not repeated below.
As shown in FIG. 3, the verification method includes:
301. The terminal sends a first request message to the first node. Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node. If the protocol stack of the first node has a PC5-RRC layer that is a peer of the terminal, the first request message may be a PC5-RRC message.
Optionally, the first request message contains the identifier of the terminal on the side link, and the first node can determine from this identifier which terminal is requesting association. The identifier of the terminal on the side link may be carried in the SRC address field of the MAC layer header of the first request message. For the description of the identifier of the terminal on the side link in the embodiments of this application, see above; it is not repeated here.
Optionally, the first node is a node responsible for allocating side link transmission resources, that is, the first node is an LRC node.
Optionally, the terminal and the first node communicate over a side link.
Optionally, the first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data terminates at the first node.
The scenario in which the terminal determines to perform step 301 may be scenario 1 or scenario 2 below.
Scenario 1
Before step 301, when the access network device determines, from the terminal's measurement report or the location information reported by the terminal, that the terminal is within the communication distance of the first node, the access network device may notify the terminal through a Uu-RRC UE message to associate with the first node. The terminal may perform step 301 when triggered by this Uu-RRC UE message. The Uu-RRC UE message contains the identifier of the first node and may also contain an association indication. The terminal determines to associate with the first node according to the association indication and the identifier of the first node. For the description of the identifier of the first node in the embodiments of this application, see above; it is not repeated here.
In scenario 1, when the access network device sends the identifier of the first node, it may send the identifier of the first node on the side link, so that the terminal can identify the first node on the side link.
In the first case, the first node may generate its own identifier on the side link. The access network device then obtains that identifier as follows. When the LRC node accesses the access network device as a terminal, the access network device allocates the LRC node an identifier in the cellular network. After the LRC node, acting as a terminal, has established a Uu-RRC connection with the access network device, it can report its identifier on the side link to the access network device in a Uu-RRC LRC message. On receiving this message, the access network device obtains the LRC node's identifier on the side link and establishes a correspondence between the LRC node's identifier on the side link and its identifier in the cellular network. If the first node later sends a Uu-RRC LRC message to the access network device, the access network device can determine the first node's identifier in the cellular network from the time-frequency resources contained in the uplink grant previously allocated to the first node, and then determine the first node's identifier on the side link from its identifier in the cellular network. Note that in this method there is a correspondence between the LRC node and the time-frequency resources that the access network device allocates to it.
In the second case, the identifier of the first node on the side link may be allocated by the access network device; for example, it may be the C-RNTI that the access network device allocates to the first node. In this case, the access network device can obtain the identifier of the first node on the side link directly.
Scenario 2
The first node broadcasts a notification message on the side link. The notification message includes first indication information, which indicates that the first node is a node responsible for allocating transmission resources of the side link. For how the first indication information is implemented, see above; details are not repeated here. In this case, the specific implementation of step 301 may include: the terminal receives the notification message broadcast by the first node on the side link, and sends a first request message to the first node according to the notification message.
In scenario 2, in one possible implementation, if the terminal receives the notification message broadcast by the first node, the terminal is located within the coverage or communication range of the first node, and in this case the terminal may send the first request message to the first node. In another possible implementation, the notification message may further include information indicating the first node. In this implementation, before step 301, the access network device may indicate to the terminal one or more LRC nodes with which the terminal is allowed to associate. If the information contained in the notification message received by the terminal indicates that the first node is one of those LRC nodes, that is, if the terminal finds that the first node is an LRC node with which the access network device allows it to associate, the terminal sends the first request message to the first node.
302. The first node sends a second request message to the access network device according to the first request message.
Correspondingly, the access network device receives the second request message from the first node.
The second request message is used by the access network device to verify the legitimacy of the terminal. Optionally, the second request message includes the identifier of the terminal on the side link, and the access network device can determine which terminal's legitimacy to verify according to that identifier.
303. The access network device verifies the legitimacy of the terminal according to the second request message.
There are two possible implementations for verifying the legitimacy of the terminal, denoted Implementation 1 and Implementation 2, which are described separately below.
Implementation 1
The first request message includes a Uu-RRC UE message sent by the terminal to the access network device. For example, the Uu-RRC UE message sent by the terminal to the access network device may be encapsulated in the first request message. After receiving the first request message, the first node carries the Uu-RRC UE message from the first request message in the second request message and sends it to the access network device. In addition, when doing so, the first node may obtain the identifier of the terminal on the side link from the first request message and carry that identifier in the Adapt layer header of the second request message. In this case, the specific implementation of step 303 may include: the access network device decodes the Uu-RRC UE message; if the decoding succeeds, the access network device determines that the terminal is legitimate; if the decoding fails, the access network device determines that the terminal is not legitimate. Specifically, according to the identifier of the terminal on the side link contained in the Adapt layer of the second request message, the access network device delivers the Uu-RRC UE message to the PDCP layer entity corresponding to SRB1 of the terminal for processing. In particular, when the Adapt layer contains the identifier of the terminal on the side link (assuming that the terminal has previously reported its identifier on the side link to the access network device), the access network device can use that identifier to find the PDCP entity corresponding to SRB1 of the terminal, and delivers the Uu-RRC UE message to that PDCP entity for decoding. If the decoding succeeds, the access network device determines that the terminal is legitimate; otherwise, the terminal is considered not legitimate.
In Implementation 1, it should be noted that after the terminal and the access network device establish a Uu-RRC connection, the Uu-RRC UE messages between the terminal and the access network device are themselves encrypted with the control plane key shared between the terminal and the access network device. Therefore, when a Uu-RRC UE message of the terminal is forwarded to the access network device through the first node and the access network device successfully decodes it, the terminal is legitimate.
In Implementation 1, the method further includes: the terminal sends indication information (denoted second indication information) to the first node, where the second indication information indicates that the Uu-RRC UE message in the first request message is a Uu-RRC message addressed to the access network device.
In one case, the second indication information may be carried in the first request message, for example in the MAC layer header of the first request message. Specifically, the function of the second indication information may be implemented by the logical channel identity (LCID) parameter in the MAC layer header of the first request message. For example, when the value of the LCID parameter is 0 (or 1), the LCID parameter may indicate that the Uu-RRC UE message in the first request message is a Uu-RRC message addressed to the access network device.
In another case, the second indication information is not carried in the first request message and may instead be carried in a sidelink control indicator (SCI).
Implementation 2
The first request message includes a third verification code, which is used to verify the legitimacy of the terminal. The terminal may generate the third verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the side link. After receiving the first request message, the first node may carry the third verification code from the first request message in the second request message and send it to the access network device. In this case, the specific implementation of step 303 may include: the access network device verifies the legitimacy of the terminal according to the first root key, the third verification code, and at least one of the identifier of the first node and the identifier of the terminal on the side link.
In Implementation 2, the specific implementation of step 303 may include: the access network device generates a fourth verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the side link, and verifies the legitimacy of the terminal according to the third verification code and the fourth verification code. The access network device generates the fourth verification code by the same method that the terminal uses to generate the third verification code. Optionally, the method by which the terminal generates the third verification code and the access network device generates the fourth verification code may be preconfigured or negotiated between the terminal and the access network device. For example, the terminal may be preconfigured to generate the third verification code according to the first root key and the identifier of the first node, and the access network device may be preconfigured to generate the fourth verification code according to the first root key and the identifier of the first node. When the access network device determines that the third verification code and the fourth verification code are the same, it determines that the terminal is legitimate; otherwise, it determines that the terminal is not legitimate.
In the specific implementation of step 303, when the access network device needs the identifier of the first node to generate the fourth verification code, that identifier is the identifier of the LRC node with which the terminal requests association (in the embodiments of this application, that LRC node is the first node). The access network device therefore also needs to determine the node with which the terminal requests association, which it can do by either of the following methods. Method 1: the access network device determines that the node with which the terminal requests association is the node that sent the second request message (that is, the first node). Method 2: the second request message further includes the identifier of the node with which the terminal requests association (that is, the identifier of the first node), and the access network device determines the node according to that identifier.
In Implementation 2, the second request message may include the identifier of the terminal on the side link. Before step 303, the access network device may obtain the first root key according to the identifier of the terminal on the side link contained in the second request message, so as to verify the legitimacy of the terminal according to the first root key.
The access network device may obtain the first root key in a first possible implementation or a second possible implementation. The first possible implementation applies after a Uu-RRC connection has been established between the terminal and the access network device; the second applies when no Uu-RRC connection has been established between them. Specifically:
In the first possible implementation, a Uu-RRC connection has already been established between the terminal and the access network device, and the access network device has stored the context of the terminal, which includes the first root key. The access network device can determine the context of the terminal according to the identifier of the terminal on the side link and obtain the first root key from that context.
In the second possible implementation, no Uu-RRC connection has yet been established between the terminal and the access network device, and the terminal may send the first node a Uu-RRC UE message requesting establishment of a Uu-RRC connection. The first node forwards this Uu-RRC UE message (for example, a Uu-RRC UE connection establishment request message, that is, the RRC connection establishment request message sent by the terminal to the access network device) to the access network device, and the access network device replies to the terminal through the first node with a Uu-RRC UE message (for example, a Uu-RRC UE connection establishment message, that is, the RRC connection establishment message sent by the access network device to the terminal), thereby establishing the Uu-RRC connection between the access network device and the terminal. The core network can subsequently authenticate the terminal over the Uu-RRC connection between the terminal and the access network device. Finally, the access network device can obtain the first root key from the core network. For how the first node determines whether a Uu-RRC message sent by the terminal is a Uu-RRC message addressed to the access network device, see the relevant description in Implementation 1; details are not repeated here.
In Implementation 2, optionally, the second request message further includes node association information (for example, the identifier of the first node), which informs the access network device that a terminal is requesting association with the first node and thereby triggers the access network device to authenticate the terminal. In Implementation 2, the second request message may be a Uu-RRC LRC message.
304. The access network device sends a second response message to the first node, where the second response message indicates a verification result or an association result. Correspondingly, the first node receives the second response message from the access network device.
The second response message may be a Uu-RRC LRC message (for example, a Uu-RRC LRC reconfiguration message, that is, an RRC reconfiguration message sent by the access network device to the first node). The verification result indicates the outcome of verifying the legitimacy of the terminal and may be success or failure: success means that the terminal is legitimate, and failure means that the terminal is not legitimate. The association result indicates whether the terminal is allowed to associate with the first node.
The verification result or association result may be indicated by the message type of the second response message. For example, if the association result is that the terminal is allowed to associate with the first node, the second response message may be an association allowed message; if the association result is that the terminal is not allowed to associate with the first node, the second response message may be an association not allowed message.
The verification result or association result may also be indicated by a piece of indication information in the second response message. For example, when the indication information corresponding to the association result is true (or 1), the terminal is allowed to associate with the first node; when it is false (or 0), the terminal is not allowed to associate with the first node.
It should be noted that, in the embodiments of this application, because the first node has already accessed the access network device, the first node trusts the access network device. When the access network device verifies the legitimacy of the terminal, if the access network device indicates to the first node that the terminal is legitimate, the first node considers the terminal legitimate.
305. The first node sends a first response message to the terminal according to the second response message, where the first response message indicates the association result.
The association result may be indicated by the message type of the first response message. For example, if the association result is that the terminal is allowed to associate with the first node, the first response message may be an association success message; if the association result is that the terminal is not allowed to associate with the first node, the first response message may be an association failure message.
The association result may also be indicated by a piece of indication information in the first response message. For example, when the indication information corresponding to the association result is true (or 1), the terminal has successfully associated with the first node; when it is false (or 0), the terminal has not successfully associated with the first node.
When the protocol stack of the first node contains a PC5-RRC layer that is a peer of the terminal's, the first response message may be a PC5-RRC message.
Steps 301 to 305 above are optional.
306. The access network device sends the first verification code to the first node.
Correspondingly, the first node receives the first verification code from the access network device.
The first verification code is used by the terminal to verify the legitimacy of the first node. The first verification code is generated according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the side link.
It should be noted that the access network device may carry the first verification code in the above second response message sent to the first node. In that case, step 304 and step 306 may be combined into one step. For the second response message, in one possible implementation, regardless of whether the access network device successfully verified the legitimacy of the terminal in step 303, the second response message contains the identifier of the terminal on the side link, the first verification code, and the verification result (or association result). In another possible implementation, when the verification result in step 303 is failure or the association result is not allowed, the second response message contains only the verification result or association result; when the verification result in step 303 is success or the association result is allowed, the second response message may contain only the identifier of the terminal on the side link and the first verification code.
307. The first node sends the first verification code and the identifier of the first node to the terminal.
Correspondingly, the terminal receives the first verification code and the identifier of the first node from the first node.
The first verification code and the identifier of the first node sent by the first node to the terminal are used by the terminal to verify the legitimacy of the first node.
In the embodiments of this application, the access network device generates the first verification code and sends it to the first node, and the first node then sends the first verification code and the identifier of the first node to the terminal, so that the terminal can verify the legitimacy of the first node.
It should be noted that the first node may carry the first verification code and the identifier of the first node in the above first response message sent to the terminal. In that case, step 305 and step 307 may be combined into one step, and the identifier of the first node may be carried in the SRC address field of the MAC layer header of the first response message. The first verification code may be carried in the MAC layer header of the first response message or in the payload of the first response message.
308. The terminal verifies the legitimacy of the first node according to the first root key, the first verification code, and at least one of the identifier of the first node and the identifier of the terminal on the side link.
Optionally, the specific implementation of step 308 includes:
11) The terminal generates a second verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the side link.
12) The terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
The access network device generates the first verification code by the same method that the terminal uses to generate the second verification code. Optionally, the method by which the access network device generates the first verification code and the terminal generates the second verification code may be preconfigured or negotiated between the terminal and the access network device. For example, the access network device may be preconfigured to generate the first verification code according to the first root key and the identifier of the first node, and the terminal may be preconfigured to generate the second verification code according to the first root key and the identifier of the first node. In the specific implementation of step 12), if the terminal determines that the first verification code and the second verification code are the same, the terminal determines that the first node is legitimate; otherwise, the terminal determines that the first node is not legitimate.
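The exchange of Implementation 2 and steps 306 to 308 can be sketched as follows. This is an added example, not code from the patent. It assumes HMAC-SHA256 as the code-generation method (the text only requires that both sides use the same method), uses both identifiers as input, and adds a direction label so that the third and first verification codes can never be equal; the class names, function names, identifiers and keys are constructed for illustration.

```python
import hashlib
import hmac

def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") differ.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def verification_code(root_key, label, node_id, ue_sl_id):
    # Assumption: HMAC-SHA256 keyed with the first root key.
    # `label` (assumption) separates the terminal-to-network code from the
    # network-to-terminal code, so one cannot stand in for the other.
    return hmac.new(root_key, _encode(label, node_id, ue_sl_id), hashlib.sha256).digest()

UE_TO_NET = b"third/fourth"  # terminal proves itself (steps 301 to 303)
NET_TO_UE = b"first/second"  # network vouches for the first node (steps 306 to 308)

class AccessNetworkDevice:
    def __init__(self):
        self.ue_context = {}  # side-link id of terminal -> first root key

    def handle_second_request(self, sender_node_id, ue_sl_id, third_code):
        root_key = self.ue_context.get(ue_sl_id)
        if root_key is None:
            return {"result": False}
        # Method 1 in the text: the requested node is the sender of the second request.
        fourth = verification_code(root_key, UE_TO_NET, sender_node_id, ue_sl_id)
        if not hmac.compare_digest(third_code, fourth):  # constant-time comparison
            return {"result": False}                     # failure: result only
        first = verification_code(root_key, NET_TO_UE, sender_node_id, ue_sl_id)
        return {"result": True, "ue_sl_id": ue_sl_id, "first_code": first}

class Terminal:
    def __init__(self, ue_sl_id, root_key):
        self.ue_sl_id, self.root_key = ue_sl_id, root_key

    def first_request(self, node_id):
        third = verification_code(self.root_key, UE_TO_NET, node_id, self.ue_sl_id)
        return {"ue_sl_id": self.ue_sl_id, "third_code": third}

    def verify_node(self, node_id, first_code):
        # Steps 11) and 12): recompute the second code and compare with the first.
        second = verification_code(self.root_key, NET_TO_UE, node_id, self.ue_sl_id)
        return hmac.compare_digest(first_code, second)

class FirstNode:
    """Relays both directions and never holds the first root key."""
    def __init__(self, node_id, network):
        self.node_id, self.network = node_id, network

    def handle_first_request(self, req):
        resp = self.network.handle_second_request(
            self.node_id, req["ue_sl_id"], req["third_code"])
        if not resp["result"]:
            return {"associated": False}
        return {"associated": True, "node_id": self.node_id,
                "first_code": resp["first_code"]}

class UnvouchedNode:
    """Constructed negative case: no network behind it, echoes the terminal's code."""
    def __init__(self, node_id):
        self.node_id = node_id

    def handle_first_request(self, req):
        return {"associated": True, "node_id": self.node_id,
                "first_code": req["third_code"]}

def associate(terminal, node):
    resp = node.handle_first_request(terminal.first_request(node.node_id))
    if not resp["associated"]:
        return "rejected-by-network"
    if not terminal.verify_node(resp["node_id"], resp["first_code"]):
        return "node-not-verified"
    return "ok"
```

Without the direction label, a first and a third verification code computed from the same key and identifiers would be identical, and the echoed code in the negative case would pass the terminal's check.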
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain a shared key from the server. With the method provided in Embodiment 1, when verifying the legitimacy of the first node, the terminal can do so using the first root key, the received identifier of the first node, and the first verification code, without obtaining a shared key from the server, which shortens the time the terminal needs to verify the legitimacy of the first node. When verifying the legitimacy of the terminal, the access network device verifies it according to the Uu-RRC UE message, or according to the third verification code and the fourth verification code generated from the first root key, and notifies the first node, without the first node having to obtain a shared key from the server, which shortens the time the first node needs to verify the legitimacy of the terminal. In addition, in Embodiment 1, because the first root key is stored in the access network device and the terminal, the legitimacy of the terminal and of the first node can be verified conveniently and quickly between the terminal and the access network device.
It should be noted that, when verifying the legitimacy of the terminal and the first node in Embodiment 1, either the terminal or the first node may be verified first (in the latter case, steps 306 to 308 may be performed before step 301). The embodiments of this application do not specifically limit this.
Embodiment 2
Embodiment 2 provides a verification method. Its main differences from the verification method of Embodiment 1 include but are not limited to: 1. the legitimacy of the terminal is no longer verified by the access network device but by the first node; 2. the first node's verification of the terminal's legitimacy and the terminal's verification of the first node's legitimacy are no longer based on the first root key but on a second root key. The second root key is the root key used for communication between the terminal and the first node, and may be generated according to the first root key. For a description of the first root key, see Embodiment 1; details are not repeated here.
As shown in FIG. 4, the verification method provided by Embodiment 2 includes:
400. The access network device sends the identifier of the terminal on the side link and the second root key to the first node. Correspondingly, the first node receives the identifier of the terminal on the side link and the second root key from the access network device. The first node can determine, according to the identifier of the terminal on the side link, which terminal uses the second root key to communicate with the first node.
Before step 400, the access network device may generate the second root key according to the first root key and a first key freshness parameter. Specifically, the access network device may do so in Mode 1, Mode 2 or Mode 3 below.
Mode 1: generate the second root key according to the first root key, the identifier of the first node, and the first key freshness parameter.
Mode 2: generate the second root key according to the first root key, the identifier of the first node, the first key freshness parameter, and the identifier of the terminal on the side link.
Mode 3: generate the second root key according to the first root key, the first key freshness parameter, and the identifier of the terminal on the side link.
Optionally, the first node is a node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
Optionally, the first node is the termination point of the application layer data of the terminal, that is, the application layer data of the terminal terminates at the first node.
401. The access network device sends the identifier of the first node and the first key freshness parameter to the terminal.
Correspondingly, the terminal receives the identifier of the first node and the first key freshness parameter from the access network device.
For example, the identifier of the first node and the first key freshness parameter may be carried in a Uu-RRC UE message (for example, a Uu-RRC UE reconfiguration message, that is, an RRC reconfiguration message sent by the access network device to the terminal).
Before step 401, if the access network device receives a Uu-RRC UE message sent by the terminal that carries the identifier of the terminal on the side link, the access network device can find the context of the terminal according to that identifier. The context of the terminal includes the first key freshness parameter, and the access network device may carry the first key freshness parameter in a Uu-RRC UE message sent to the terminal. For example, this Uu-RRC UE message may be a Uu-RRC UE reconfiguration message.
The terminal may generate the second root key according to the first root key and the first key freshness parameter. The terminal generates the second root key by the same method as the access network device. For example, the terminal and the access network device may both use Mode 1, Mode 2 or Mode 3 above to generate the second root key; which mode is used may be preconfigured or determined through negotiation between the access network device and the terminal.
Step 401 and step 400 may be performed in either order.
402. The terminal sends a first request message to the first node. Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node. The first request message includes a third verification code, which is used to verify the legitimacy of the terminal.
The terminal may generate the third verification code according to the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node. Specifically, this can be done in Mode 1, Mode 2, or Mode 3 below.
Mode 1: The terminal generates the third verification code directly from the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Mode 2: The terminal first generates the control-plane encryption key between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control-plane encryption key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Mode 3: The terminal first generates the control-plane integrity protection key between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control-plane integrity protection key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Optionally, the first request message further includes one or more of the identifier of the terminal on the sidelink, association request information, and the identifier of the first node.
It should be noted that the purpose of the first request message may be indicated by the association request information in the first request message, or by the message type of the first request message. In the latter case, the first request message may be an association request (in which case the first request message does not include association request information). The identifier of the terminal on the sidelink is used by the node receiving the first request message to determine which terminal is requesting association. The identifier of the first node indicates the node with which the terminal requests association.
403. The first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
In a specific implementation, step 403 may include: the first node generates a fourth verification code according to the second root key, and the first node verifies the legitimacy of the terminal according to the fourth verification code and the third verification code.
The first node generates the fourth verification code in the same way as the terminal generates the third verification code. Optionally, the method by which the terminal generates the third verification code and the first node generates the fourth verification code may be preconfigured or negotiated between the terminal and the first node. For example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node. If the first node determines that the fourth verification code and the third verification code are the same, it determines that the terminal is legitimate; otherwise, it determines that the terminal is not legitimate.
Before step 403, optionally, the method further includes: the first node obtains the second root key according to the identifier of the terminal on the sidelink.
404. The first node sends a first response message to the terminal, where the first response message is used to indicate an association result.
When the first node verifies that the terminal is legitimate, the association result is association success. When the first node verifies that the terminal is not legitimate, the association result is association failure.
The association result may be indicated by the message type of the first response message, or by a piece of indication information in the first response message. For details, see the description of step 305 in Embodiment 1; they are not repeated here.
405. The first node generates a first verification code according to the second root key.
The first verification code is used by the terminal to verify the legitimacy of the first node.
406. The first node sends the first verification code to the terminal. Correspondingly, the terminal receives the first verification code from the first node.
Optionally, the terminal and the first node communicate over the sidelink.
The first node may carry the first verification code in the first response message in step 404 and send it to the terminal. In this case, step 404 and step 406 may be combined into one step.
407. The terminal verifies the legitimacy of the first node according to the second root key.
In a specific implementation of step 407, the terminal may generate a second verification code according to the second root key, and verify the legitimacy of the first node according to the second verification code and the first verification code.
The first node generates the first verification code in the same way as the terminal generates the second verification code. Optionally, the method by which the terminal generates the second verification code and the first node generates the first verification code may be preconfigured or negotiated between the terminal and the first node. For example, the terminal may be preconfigured to generate the second verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the first verification code according to the second root key and the identifier of the first node. In a specific implementation of step 407, if the terminal determines that the first verification code and the second verification code are the same, the terminal determines that the first node is legitimate; otherwise, the terminal determines that the first node is not legitimate.
In the embodiment shown in FIG. 4, step 400, step 402, step 403 and step 404 are all optional steps.
It should be noted that, when the legitimacy of the terminal and of the first node is verified in Embodiment 2, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 405, 406 and 407 may be performed before step 402). This embodiment of the present application does not specifically limit this.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method provided by Embodiment 2, when verifying the legitimacy of the first node, the terminal generates the second verification code according to the first root key and the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the legitimacy of the first node according to the first verification code and the second verification code. The terminal can verify the legitimacy of the first node without obtaining the shared key from the server, which shortens the time the terminal needs to verify the legitimacy of the first node. When verifying the legitimacy of the terminal, the first node can generate the fourth verification code according to the second root key sent by the access network device, and then verify the legitimacy of the terminal according to the third verification code sent by the terminal and the fourth verification code, without obtaining the shared key from the server, which shortens the time the first node needs to verify the legitimacy of the terminal.
Optionally, the above method further includes: the terminal generates, according to the second root key, a security protection key for data exchanged with the first node; the terminal performs data transmission with the first node using the security protection key.
Optionally, the above method further includes: the first node generates, according to the second root key, a security protection key for data exchanged with the terminal; the first node performs data transmission with the terminal using the security protection key.
The security protection key for data between the first node and the terminal may include a security protection key for user-plane data and/or for control-plane data. The terminal and the first node transmit user-plane data under the user-plane security protection key and control-plane data under the control-plane security protection key, thereby ensuring data security.
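The exchange in steps 400 to 407, worked as an added example (not code from the patent), using Manner 3 for the second root key and Mode 3 for the verification codes. HMAC-SHA-256, the field encoding, the per-direction labels and all identifiers are assumptions, since the page names no algorithm; the labels keep a code issued for one direction from being valid in the other.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA-256 stands in for both the key-derivation function and
# the verification-code function; the page does not name either algorithm.
def _prf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    msg = bytearray(label + b"\x00")
    for field in fields:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
        msg += len(field).to_bytes(2, "big") + field
    return hmac.new(key, bytes(msg), hashlib.sha256).digest()

# Hypothetical direction labels (not from the page).
TERMINAL_TO_NODE = b"terminal-auth"   # third / fourth verification code
NODE_TO_TERMINAL = b"node-auth"       # first / second verification code

def derive_second_root_key(first_root_key, freshness, ue_sidelink_id):
    """Manner 3: first root key + freshness parameter + sidelink identifier."""
    return _prf(first_root_key, b"second-root-key", freshness, ue_sidelink_id)

def derive_cp_integrity_key(second_root_key):
    """Mode 3, stage 1: control-plane integrity key, terminal <-> LRC node."""
    return _prf(second_root_key, b"cp-integrity-key")

def verification_code(second_root_key, direction, ue_sidelink_id, node_id):
    """Mode 3, stage 2: code bound to both identifiers and to a direction."""
    k_int = derive_cp_integrity_key(second_root_key)
    return _prf(k_int, direction, ue_sidelink_id, node_id)

class FirstNode:
    def __init__(self, node_id):
        self.node_id = node_id
        self.keys = {}  # sidelink identifier -> second root key

    def install_key(self, ue_sidelink_id, second_root_key):
        """Step 400: key delivered by the access network device."""
        self.keys[ue_sidelink_id] = second_root_key

    def handle_first_request(self, ue_sidelink_id, target_node_id, third_code):
        """Steps 403-406: returns (association_ok, first_verification_code)."""
        k2 = self.keys.get(ue_sidelink_id)
        if k2 is None or target_node_id != self.node_id:
            return False, None
        fourth = verification_code(k2, TERMINAL_TO_NODE, ue_sidelink_id, self.node_id)
        # Constant-time comparison of the fourth and third verification codes.
        if not hmac.compare_digest(fourth, third_code):
            return False, None
        first = verification_code(k2, NODE_TO_TERMINAL, ue_sidelink_id, self.node_id)
        return True, first

class Terminal:
    def __init__(self, first_root_key, ue_sidelink_id):
        self.k1 = first_root_key
        self.sl_id = ue_sidelink_id
        self.node_id = None
        self.k2 = None

    def configure(self, node_id, freshness):
        """Step 401: node identifier and freshness parameter from the network."""
        self.node_id = node_id
        self.k2 = derive_second_root_key(self.k1, freshness, self.sl_id)

    def first_request(self):
        """Step 402: sidelink identifier, node identifier, third verification code."""
        code = verification_code(self.k2, TERMINAL_TO_NODE, self.sl_id, self.node_id)
        return self.sl_id, self.node_id, code

    def verify_node(self, first_code):
        """Step 407: compare the received first code with the local second code."""
        if first_code is None:
            return False
        second = verification_code(self.k2, NODE_TO_TERMINAL, self.sl_id, self.node_id)
        return hmac.compare_digest(second, first_code)

def associate(first_root_key, network_freshness, terminal_freshness):
    """Run steps 400-407 once; returns (terminal_accepted, node_accepted)."""
    sl_id, node_id = b"UE-SL-0001", b"LRC-NODE-A"  # constructed identifiers
    node = FirstNode(node_id)
    # Access network device side: derive the second root key and push it (step 400).
    node.install_key(sl_id, derive_second_root_key(first_root_key, network_freshness, sl_id))
    ue = Terminal(first_root_key, sl_id)
    ue.configure(node_id, terminal_freshness)
    terminal_ok, first_code = node.handle_first_request(*ue.first_request())
    return terminal_ok, ue.verify_node(first_code)

if __name__ == "__main__":
    k1 = bytes(range(32))  # constructed first root key
    print("matching freshness:", associate(k1, b"\x00\x01", b"\x00\x01"))
    print("stale freshness   :", associate(k1, b"\x00\x02", b"\x00\x01"))
```

A terminal holding a stale freshness parameter derives a different second root key, so both checks fail without either side contacting the server in the DN.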
Embodiment 3
This embodiment provides a verification method in which the process of verifying the legitimacy of the first node is the same as in Embodiment 2. The legitimacy of the terminal can be verified in three implementation manners, two of which are the same as Implementation Manner 1 and Implementation Manner 2 in Embodiment 1, respectively. As shown in FIG. 5, the verification method provided by Embodiment 3 is described in detail below. The verification method includes:
501. Same as step 402 above.
502. Same as step 301 above.
503. Same as step 302 above.
504. Same as step 303 above.
505. Same as step 304 above.
506. Same as step 305 above.
The legitimacy of the terminal can be verified in steps 502 to 506 in three implementation manners. The first is the same as Implementation Manner 1 in Embodiment 1. The second is the same as Implementation Manner 2 in Embodiment 1. In the third, the terminal may generate the second root key according to the first root key (for the specific generation method, see the relevant description in Embodiment 2), generate the third verification code according to the second root key, and send the third verification code to the first node in the first request message. The first node includes the third verification code from the first request message in the second request message and sends it to the access network device. The access network device compares the received third verification code with the fourth verification code that it generates according to the second root key. If they are the same, it determines that the terminal is legitimate; if they are different, it determines that the terminal is not legitimate. In the third implementation manner, the terminal generates the third verification code in the same way as the access network device generates the fourth verification code. The method may be preconfigured or determined through negotiation between the access network device and the terminal. For example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the access network device may likewise be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node.
507. Same as step 400 above.
Before step 507, the access network device may generate the second root key; for the generation method, see the relevant description in Embodiment 2, which is not repeated here. The access network device may carry the identifier of the terminal on the sidelink and the second root key in the second response message in step 505 and send it to the first node. In this case, step 505 and step 507 can be combined into one step.
508. Same as step 405 above.
Steps 507 and 508 may be performed before any one of steps 501 to 506.
509. Same as step 406 above.
Where steps 507 and 508 are performed before step 506, the access network device may carry the first verification code in the first response message in step 506 and send it to the first node. In this case, step 506 and step 509 may be combined into one step.
510. Same as step 407 above.
If the legitimacy of the terminal is verified in steps 502 to 506 using the first or the second implementation manner, step 501 only needs to be performed before step 510, and its order relative to steps 502 to 509 is not restricted. Exemplarily, the identifier of the first node and the first key freshness parameter in step 501 may be forwarded to the terminal by the first node, for example, carried in the second response message and the first response message and sent to the terminal.
It should be noted that, when the legitimacy of the terminal and of the first node is verified in Embodiment 3, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 508 to 510 may be performed before step 504). This embodiment of the present application does not specifically limit this.
In the embodiment shown in FIG. 5, steps 502 to 507 are all optional steps.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method provided by Embodiment 3, when verifying the legitimacy of the first node, the terminal generates the second verification code according to the first root key and the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the legitimacy of the first node according to the first verification code and the second verification code. The terminal can verify the legitimacy of the first node without obtaining the shared key from the server, which shortens the time the terminal needs to verify the legitimacy of the first node. When verifying the legitimacy of the terminal, the access network device verifies the terminal according to the Uu-RRC UE message, or according to the third verification code and the fourth verification code generated from the first root key, or according to the third verification code and the fourth verification code generated from the second root key, and notifies the first node. The first node does not need to obtain the shared key from the server, which shortens the time the first node needs to verify the legitimacy of the terminal.
Optionally, the above method further includes: the terminal generates, according to the second root key, a security protection key for data exchanged with the first node; the terminal performs data transmission with the first node using the security protection key. For a specific description of this optional method, see the relevant description in Embodiment 2; details are not repeated here.
Optionally, the above method further includes: the first node generates, according to the second root key, a security protection key for data exchanged with the terminal; the first node performs data transmission with the terminal using the security protection key. For a specific description of this optional method, see the relevant description in Embodiment 2; details are not repeated here.
Embodiment 4
A terminal may need to be handed over from one access network device (denoted the first access network device) to another access network device (denoted the second access network device). To ensure that the terminal can carry out legitimacy verification with the LRC node smoothly after the handover, Embodiment 4 provides a verification method, as shown in FIG. 6, including:
601. The first access network device sends a handover request message to the second access network device.
Correspondingly, the second access network device receives the handover request message from the first access network device.
The handover request message is used to request the second access network device to hand the terminal over from the first access network device to the second access network device, and the handover request message includes the identifier of the terminal.
602. The second access network device sends a handover reply message to the first access network device.
Correspondingly, the first access network device receives the handover reply message from the second access network device.
The handover reply message includes the identifier of the second node and the second key freshness parameter. The second node is an LRC node, namely the node responsible for allocating sidelink transmission resources after the terminal is handed over. For example, after the handover is completed and the terminal is associated with the second node, the second node can allocate sidelink transmission resources to the terminal. The second node and the first node may be the same node or different nodes. The second key freshness parameter is used to update the third root key. The third root key is the root key for communication between the terminal and the second node, and is used to verify the legitimacy of the terminal and/or the second node.
Before step 602, the second access network device may determine the second node.
603. The first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
Correspondingly, the terminal receives the identifier of the second node and the second key freshness parameter from the first access network device.
After the terminal is handed over from the first access network device to the second access network device, when the second access network device is the access network device in Embodiment 2 and Embodiment 3 above, the second access network device may use the method shown in FIG. 4 or FIG. 5 to verify the legitimacy of the terminal and the second node. In a specific implementation, it is only necessary to replace the first node in FIG. 4 or FIG. 5 with the second node, and the second root key with the third root key. In addition, step 401 in FIG. 4 and step 501 in FIG. 5 need not be performed.
With the method provided in Embodiment 4, in a scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can carry out legitimacy verification with the second node smoothly after being handed over to the second access network device.
Embodiment 5
This embodiment provides a verification method in which the process of verifying the legitimacy of the terminal is the same as in Embodiment 2. The verification of the legitimacy of the first node differs from Embodiments 1, 2 and 3 in that, in those embodiments, the terminal needs to generate a verification code, whereas in this embodiment the terminal does not. The terminal can verify the legitimacy of the first node directly using the verification codes sent by the access network device and the first node.
As shown in FIG. 7, the verification method includes:
701. The access network device sends the identifier of the first node, the first verification code, and the third verification code to the terminal.
The first verification code is used to verify the legitimacy of the first node, and the third verification code is used to verify the legitimacy of the terminal. Both the first verification code and the second verification code may be generated according to the second root key. For details, see the relevant description in Embodiment 2.
Optionally, the first node is the node responsible for allocating sidelink transmission resources, that is, the first node is an LRC node.
702. The terminal sends a first request message to the first node.
Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node. The first request message includes the third verification code.
Optionally, the first request message may further include the identifier of the terminal on the sidelink.
Optionally, the terminal and the first node communicate over the sidelink. The first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data terminates at the first node.
The scenario in which the terminal determines to perform step 702 may also be Scenario 1 or Scenario 2 in Embodiment 1; details are not repeated here.
703. The first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
Before step 703, the method may further include: the access network device sends the second root key to the first node, and correspondingly, the first node receives the second root key from the access network device.
For a description of step 703, see the description of step 403 in Embodiment 2; details are not repeated here.
704. The first node sends a first response message to the terminal.
Correspondingly, the terminal receives the first response message from the first node.
The first response message is used to indicate the association result; for the specific implementation, see step 404 in Embodiment 2. The first response message includes the second verification code. The second verification code is generated by the first node, in the same way as the access network device generates the first verification code. For details, see the relevant description in Embodiment 2; they are not repeated here.
705. The terminal verifies the legitimacy of the first node according to the first verification code and the second verification code.
For a description of step 705, see the description of step 407 in Embodiment 2; details are not repeated here.
After step 705, the first node and the terminal may further generate, according to the second root key, a security protection key for communication between the first node and the terminal. For details, see the relevant description in Embodiment 2; they are not repeated here.
When the legitimacy of the terminal and of the first node is verified in Embodiment 5, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 704 and 705 may be performed before step 702). This embodiment of the present application does not specifically limit this.
It should be noted that FIG. 7 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In an actual implementation, only the legitimacy of the terminal may be verified, in which case steps 704 and 705 are optional; or only the legitimacy of the first node may be verified, in which case steps 702 and 703 are optional.
It should be noted that, besides being generated by the method in Embodiment 2 above, the first verification code and the third verification code may also be generated according to the root key used for communication between the first node and the access network device. In this case, the verification code is generated in a way similar to that in Embodiment 1 or Embodiment 2; the only difference is that the first root key or the second root key is replaced with the root key used for communication between the first node and the access network device. Details are not repeated here.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method provided by Embodiment 5, the first node and the terminal can verify each other's legitimacy directly on the basis of the verification codes sent by the access network device, without obtaining the shared key from the server, which shortens the time needed for legitimacy verification between the first node and the terminal. In addition, the terminal does not need to generate a verification code, which avoids increasing the implementation complexity of the terminal and, in turn, its power consumption.
Embodiment 6
This embodiment provides a verification method. It is the same as Embodiment 5 in that the terminal does not need to generate a verification code. It differs from Embodiment 5 in that the first node needs to generate a verification code in Embodiment 5, whereas in this embodiment the first node does not need to generate one: the verification codes held by the terminal and by the first node may both be sent by the access network device, and the terminal and the first node may verify the legitimacy of the terminal and of the first node based on the verification codes sent by the access network device.
As shown in FIG. 8, the verification method includes:
801. The access network device sends the first verification code and the third verification code to the terminal. Correspondingly, the terminal receives the first verification code and the third verification code from the access network device.
The first verification code is used to verify the legitimacy of the first node, and the third verification code is used to verify the legitimacy of the terminal.
The first verification code may be generated according to the first root key or the second root key. For details, see the description of the relevant part of Embodiment 1 or Embodiment 2.
The third verification code may be an identifier (for example, a local identifier) that the access network device allocates to the terminal and that is used between the access network device and the first node to identify the terminal. Alternatively, the third verification code may be an identifier that the first node allocates to the terminal and that is used between the access network device and the first node to identify the terminal. Alternatively, the third verification code is generated by the access network device according to the first root key or the second root key; for details, see the description of the relevant part of Embodiment 1 or Embodiment 2.
Optionally, the terminal may first send to the first node verification code request message 1, which requests the first verification code and the third verification code. The first node then sends to the access network device verification code request message 2, which requests the first verification code and the third verification code and contains the identifier of the terminal on the side link (or the identifier of the terminal in the cellular network). The access network device finds the terminal according to the identifier of the terminal on the side link (or the identifier of the terminal in the cellular network), and sends the first verification code and the third verification code to the terminal through a Uu-RRC UE message. If the first node has allocated an identifier to the terminal, verification code request message 2 may contain the identifier allocated to the terminal by the first node; if the first node has not allocated an identifier to the terminal, verification code request message 2 does not contain an identifier allocated to the terminal by the first node.
Optionally, the access network device also sends the identifier of the first node to the terminal, so that the terminal can determine the node with which it needs to associate.
802. The access network device sends the first verification code and the third verification code to the first node. Correspondingly, the first node receives the first verification code and the third verification code from the access network device.
Optionally, the first node is the node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
Step 801 and step 802 may be performed in any order.
803. The terminal sends the third verification code to the first node. Correspondingly, the first node receives the third verification code from the terminal.
The third verification code may be carried in a first request message, which is used to request association with the first node.
Optionally, the terminal and the first node communicate through a side link. The first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data terminates at the first node.
The scenario in which the terminal determines to perform step 803 may also be scenario 1 or scenario 2 in Embodiment 1; details are not repeated here.
804. The first node determines whether the third verification code received from the access network device is the same as the third verification code received from the terminal. If so, the first node determines that the terminal is legitimate; otherwise, it determines that the terminal is not legitimate.
805. The first node sends the first verification code to the terminal. Correspondingly, the terminal receives the first verification code from the first node.
Optionally, the first verification code may be carried in the reply message that the first node sends to the terminal in response to the first request message.
806. The terminal determines whether the first verification code received from the access network device is the same as the first verification code received from the first node. If so, the terminal determines that the first node is legitimate; otherwise, it determines that the first node is not legitimate.
In Embodiment 6, when the legitimacy of the terminal and of the first node is verified, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, step 805 and step 806 may be performed before step 803). This embodiment of the present application does not specifically limit this.
It should be noted that FIG. 8 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In actual implementation, only the legitimacy of the terminal may be verified, in which case step 805 and step 806 are optional steps. Alternatively, only the legitimacy of the first node may be verified, in which case steps 803 to 804 are optional steps.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 6, the first node and the terminal can verify each other's legitimacy directly based on the verification codes sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids increasing the implementation complexity of the terminal and the first node and in turn avoids increasing the power consumption of the terminal.
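The exchange in steps 801 to 806 can be simulated as follows. This is an added example, not code from the patent: the HMAC-SHA256 derivation, the 16-byte code length, the identifiers and all class and function names are assumptions, because the page defers the actual code-generation method to Embodiment 1 or Embodiment 2.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_LEN = 16  # assumed verification-code length in bytes


def derive_code(root_key: bytes, label: bytes, terminal_id: bytes, node_id: bytes) -> bytes:
    """ASSUMPTION: stand-in derivation (HMAC-SHA256 over length-prefixed fields).
    The patent's own formula is in Embodiments 1/2, which are not on this page."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (label, terminal_id, node_id))
    return hmac.new(root_key, msg, hashlib.sha256).digest()[:CODE_LEN]


class AccessNetworkDevice:
    """Holds the root key and issues both codes (steps 801 and 802)."""

    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)  # constructed sample key

    def issue_codes(self, terminal_id: bytes, node_id: bytes) -> Tuple[bytes, bytes]:
        first = derive_code(self._root_key, b"first", terminal_id, node_id)
        third = derive_code(self._root_key, b"third", terminal_id, node_id)
        return first, third


@dataclass
class Party:
    """A terminal or a first node: it stores codes and never generates them."""
    ident: bytes
    first_code: Optional[bytes] = None
    third_code: Optional[bytes] = None

    def provision(self, codes: Tuple[bytes, bytes]) -> None:
        self.first_code, self.third_code = codes


def codes_match(expected: Optional[bytes], received: Optional[bytes]) -> bool:
    """Steps 804/806: constant-time equality that fails closed if a code is missing."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


def run_exchange(node_provisioned: bool = True,
                 terminal_provisioned: bool = True) -> Tuple[bool, bool]:
    """Return (node_accepts_terminal, terminal_accepts_node)."""
    device = AccessNetworkDevice()
    terminal = Party(b"terminal-1")  # constructed identifiers
    node = Party(b"node-A")
    codes = device.issue_codes(terminal.ident, node.ident)
    if terminal_provisioned:
        terminal.provision(codes)  # step 801
    if node_provisioned:
        node.provision(codes)      # step 802

    # Step 803: the terminal presents the third code in the first request message.
    # A party that was never provisioned can only guess a value.
    sent_third = terminal.third_code or secrets.token_bytes(CODE_LEN)
    node_accepts = codes_match(node.third_code, sent_third)          # step 804

    # Step 805: the node returns the first code in the reply message.
    sent_first = node.first_code or secrets.token_bytes(CODE_LEN)
    terminal_accepts = codes_match(terminal.first_code, sent_first)  # step 806
    return node_accepts, terminal_accepts


if __name__ == "__main__":
    print("both provisioned:      ", run_exchange())
    print("node not provisioned:  ", run_exchange(node_provisioned=False))
    print("terminal not provisioned:", run_exchange(terminal_provisioned=False))
```

Both checks succeed only when the access network device has delivered the same pair of codes to both sides; a side that holds no code rejects its peer instead of accepting by default.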
Embodiment 7
This embodiment provides a verification method. It is the same as Embodiment 6 in that the terminal and the first node do not need to generate verification codes. It differs from Embodiment 6 in that the first node and the terminal do not need to obtain verification codes either: trust is passed between the terminal and the first node through the transfer of information, and the legitimacy of the first node and of the terminal is verified in that way. As shown in FIG. 9, the verification method includes:
901. The terminal sends a first request message to the first node.
Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node, and it contains a first Uu-RRC UE message from the terminal to the access network device.
The scenario in which the terminal determines to perform step 901 may also be scenario 1 or scenario 2 in Embodiment 1; details are not repeated here.
902. The first node sends the first Uu-RRC UE message in the first request message to the access network device.
Correspondingly, the access network device receives, from the first node, the first Uu-RRC UE message sent by the terminal.
For example, the first Uu-RRC UE message may be carried in a second request message.
903. The access network device verifies the legitimacy of the terminal according to the first Uu-RRC UE message sent by the first node.
In a specific implementation of step 903, for the method for verifying the legitimacy of the terminal, see the description of implementation 1 in Embodiment 1; details are not repeated here.
904. If the terminal is legitimate, the access network device sends the second root key, or the second root key and the identifier of the terminal on the side link, to the first node.
Correspondingly, the first node receives the second root key, or the second root key and the identifier of the terminal on the side link, from the access network device.
For example, the second root key, or the second root key and the identifier of the terminal on the side link, may be carried in a second response message, which is the response message to the second request message.
905. The first node determines that the terminal is legitimate according to the second root key, or according to the second root key and the identifier of the terminal on the side link.
It should be noted that, after the access network device verifies that the terminal is legitimate, sending the second root key (or the second root key and the identifier of the terminal on the side link) to the first node amounts to passing its trust in the terminal to the first node: as long as the first node receives the second root key, or the second root key and the identifier of the terminal on the side link, it accepts the legitimacy of the terminal.
After step 905, the first node may send an association result to the terminal. Correspondingly, the terminal receives the association result from the first node and may determine from it whether it has successfully associated with the first node. Specifically, if the association result indicates that the association succeeded, the terminal determines that it has successfully associated with the first node; otherwise, the terminal determines that it has not associated with the first node. For the description of the association result, see the relevant description in Embodiment 1; details are not repeated here.
906. If the terminal is legitimate, the access network device sends a second Uu-RRC UE message to the terminal through the first node. Correspondingly, the terminal receives, from the access network device through the first node, the second Uu-RRC UE message sent by the terminal.
The second Uu-RRC UE message is the reply message to the first Uu-RRC UE message. The second Uu-RRC UE message may contain the identifier of the first node.
The information that the access network device sends to the first node in step 904 (the second root key, or the second root key and the identifier of the terminal on the side link) and the information that the access network device sends to the first node in step 906 (the second Uu-RRC UE message) may be carried in the same message or in different messages; this embodiment of the present application does not specifically limit this. For example, the information sent in step 904 and the information sent in step 906 may both be carried in the second response message, which is the response message to the second request message.
The association result and the second Uu-RRC UE message that the first node sends to the terminal may be carried in the same message or in different messages. For example, they may both be carried in a first response message, which is the response message to the first request message.
907. The terminal determines the legitimacy of the first node according to the second Uu-RRC UE message received from the access network device.
It should be noted that the access network device sending the second Uu-RRC UE message to the terminal through the first node amounts to passing its trust in the first node to the terminal. If the terminal successfully parses the second Uu-RRC UE message forwarded by the first node, it determines that the first node is legitimate; otherwise, it determines that the first node is not legitimate.
In Embodiment 7, it should be noted that the first request message may alternatively not be a request to associate with the first node. In that case, the terminal may send to the first node, after step 905, a request to associate with the first node. Then, when the first node receives the request, sent by the terminal on the side link, to associate with the first node, the first node accepts the legitimacy of the terminal.
In Embodiment 7, when the legitimacy of the terminal and of the first node is verified, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, step 906 and step 907 may be performed before step 901). This embodiment of the present application does not specifically limit this.
It should be noted that FIG. 9 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In actual implementation, only the legitimacy of the terminal may be verified, in which case step 906 and step 907 are optional steps; alternatively, only the legitimacy of the first node may be verified, in which case steps 901 to 905 are optional steps.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 7, the first node and the terminal can verify each other's legitimacy directly based on the information sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids increasing the implementation complexity of the terminal and the first node and in turn avoids increasing the power consumption of the terminal.
Embodiment 8
This embodiment provides a verification method in which the process by which the access network device verifies the legitimacy of the terminal and the process by which the terminal verifies the legitimacy of the first node are the same as in Embodiment 7. It differs from Embodiment 7 in that the first node does not verify the legitimacy of the terminal based on the second root key, or on the second root key and the identifier of the terminal on the side link, but based on the association result or verification result sent by the access network device. As shown in FIG. 10, the verification method includes:
1001. Same as step 901.
1002. The first node sends a second request message to the access network device, where the second request message includes the first Uu-RRC UE message.
Correspondingly, the access network device receives the second request message from the first node.
Optionally, the second request message further includes node association information, according to which the access network device may determine that a terminal is requesting association with the first node. For the description of the node association information, see the relevant description in Embodiment 1; details are not repeated here.
1003. Same as step 903.
1004. The access network device sends an association result (or verification result) to the first node. Correspondingly, the first node receives the association result (or verification result) from the access network device.
For the description of the association result and the verification result, see the relevant description in Embodiment 1; details are not repeated here.
1005. The first node determines whether the terminal is legitimate according to the association result (or verification result).
In a specific implementation of step 1005, if the association result is that association is allowed (or the verification result is that verification succeeded), the first node determines that the terminal is legitimate; otherwise, the first node determines that the terminal is not legitimate.
After step 1005, the first node may send the association result to the terminal. Correspondingly, the terminal receives the association result from the first node and may determine from it whether it has successfully associated with the first node. Specifically, if the association result indicates that the association succeeded, the terminal determines that it has successfully associated with the first node; otherwise, the terminal determines that it has not associated with the first node. For the description of the association result, see the relevant description in Embodiment 1; details are not repeated here.
1006. If the terminal is legitimate, the access network device sends a second Uu-RRC UE message to the terminal through the first node. Correspondingly, the terminal receives, from the access network device through the first node, the second Uu-RRC UE message sent by the terminal.
The second Uu-RRC UE message is the reply message to the first Uu-RRC UE message. The second Uu-RRC UE message may contain the identifier of the first node.
The information that the access network device sends to the first node in step 1004 (the association result or verification result) and the information that the access network device sends to the first node in step 1006 (the second Uu-RRC UE message) may be carried in the same message or in different messages; this embodiment of the present application does not specifically limit this. For example, the information sent in step 1004 and the information sent in step 1006 may both be carried in the second response message, which is the response message to the second request message.
The association result and the second Uu-RRC UE message that the first node sends to the terminal may be carried in the same message or in different messages. For example, they may both be carried in a first response message, which is the response message to the first request message.
1007. Same as step 907.
In Embodiment 8, it should be noted that the first request message may alternatively not be a request to associate with the first node. In that case, the terminal may send to the first node, after step 1005, a request to associate with the first node. Then, when the first node receives the request, sent by the terminal on the side link, to associate with the first node, the first node accepts the legitimacy of the terminal.
In Embodiment 8, when the legitimacy of the terminal and of the first node is verified, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, step 1006 and step 1007 may be performed before step 1001). This embodiment of the present application does not specifically limit this.
It should be noted that FIG. 10 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In actual implementation, only the legitimacy of the terminal may be verified, in which case step 1006 and step 1007 are optional steps; alternatively, only the legitimacy of the first node may be verified, in which case steps 1001 to 1005 are optional steps.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 8, the first node and the terminal can verify each other's legitimacy directly based on the information sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids increasing the implementation complexity of the terminal and the first node and in turn avoids increasing the power consumption of the terminal.
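The trust transfer of Embodiment 7 (steps 901 to 907) and Embodiment 8 (steps 1001 to 1007) can be simulated as follows. This is an added example, not code from the patent: the HMAC-SHA256 integrity protection of the Uu-RRC UE messages, the nonce that ties the reply to the request, the JSON encoding, and all names and identifiers are assumptions, because the page defers the terminal-verification method to implementation 1 of Embodiment 1.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag length


def protect(key: bytes, payload: dict) -> bytes:
    """ASSUMPTION: a Uu-RRC UE message is modelled as tag || JSON body."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unprotect(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the payload only if the tag verifies; this models 'successfully parses'."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class AccessNetworkDevice:
    def __init__(self, terminal_keys: Dict[str, bytes]) -> None:
        self.terminal_keys = terminal_keys  # key shared with each known terminal

    def handle_second_request(self, node_id: str, terminal_id: str,
                              rrc1: bytes, embodiment: int) -> dict:
        """Steps 903-904/906 (Embodiment 7) or 1003-1004/1006 (Embodiment 8)."""
        key = self.terminal_keys.get(terminal_id)
        msg = unprotect(key, rrc1) if key else None
        if msg is None or msg.get("terminal") != terminal_id:
            return {"association": "rejected"}  # terminal not legitimate
        # The second Uu-RRC UE message names the first node and answers the request.
        resp = {"rrc2": protect(key, {"reply_to": msg["nonce"], "first_node": node_id})}
        if embodiment == 7:
            resp["second_root_key"] = secrets.token_bytes(32)  # step 904
        else:
            resp["association"] = "allowed"                    # step 1004
        return resp


def node_accepts_terminal(resp: dict) -> bool:
    """Step 905: a second root key arrived; step 1005: the result says allowed."""
    return "second_root_key" in resp or resp.get("association") == "allowed"


def terminal_accepts_node(key: bytes, nonce: str, node_id: str,
                          rrc2: Optional[bytes]) -> bool:
    """Step 907/1007: the forwarded reply must verify and name this node."""
    msg = unprotect(key, rrc2) if rrc2 else None
    return (msg is not None and msg.get("reply_to") == nonce
            and msg.get("first_node") == node_id)


def run_trust_transfer(embodiment: int, terminal_registered: bool = True,
                       node_forges_reply: bool = False) -> Tuple[bool, bool]:
    """Return (node_accepts_terminal, terminal_accepts_node)."""
    terminal_id, node_id = "terminal-1", "node-A"  # constructed identifiers
    terminal_key = secrets.token_bytes(32)         # constructed sample key
    device = AccessNetworkDevice({terminal_id: terminal_key} if terminal_registered else {})

    nonce = secrets.token_hex(8)
    rrc1 = protect(terminal_key, {"terminal": terminal_id, "nonce": nonce})  # step 901/1001

    if node_forges_reply:
        # A node with no link to the access network device invents the reply itself.
        forged = protect(secrets.token_bytes(32), {"reply_to": nonce, "first_node": node_id})
        resp = {"rrc2": forged}
    else:
        resp = device.handle_second_request(node_id, terminal_id, rrc1, embodiment)

    node_ok = (not node_forges_reply) and node_accepts_terminal(resp)
    terminal_ok = terminal_accepts_node(terminal_key, nonce, node_id, resp.get("rrc2"))
    return node_ok, terminal_ok
```

The first node never holds the key shared between the terminal and the access network device, so it can relay the two Uu-RRC UE messages but cannot fabricate a reply that the terminal will accept.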
It should be noted that the solutions and technical features shown in the embodiments of the present application may be combined with one another provided that they do not contradict each other.
The foregoing describes the solutions of the embodiments of the present application mainly from the perspective of interaction between network elements. It can be understood that, to implement the foregoing functions, each network element, for example the access network device, the first node, and the terminal, includes at least one of a hardware structure and a software module corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present application.
In the embodiments of the present application, the access network device, the first node, and the terminal may be divided into functional units according to the foregoing method examples. For example, each functional unit may be divided to correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of units in the embodiments of the present application is illustrative and is merely a logical function division; other division manners are possible in actual implementation.
In the case where integrated units are used, FIG. 11 shows a possible schematic structural diagram of the verification apparatus (denoted verification apparatus 110) involved in the foregoing embodiments. The verification apparatus 110 includes a processing unit 1101 and a communication unit 1102, and may further include a storage unit 1103. The schematic structural diagram shown in FIG. 11 may be used to illustrate the structure of the access network device, the first node, and the terminal involved in the foregoing embodiments.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the terminal involved in the foregoing embodiments, the processing unit 1101 is configured to control and manage the actions of the terminal. For example, the processing unit 1101 is configured to execute 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, with the first node shown in FIG. 3. The storage unit 1103 is configured to store program code and data of the terminal.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the terminal involved in the foregoing embodiments, the verification apparatus 110 may be the terminal or a chip in the terminal.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the access network device involved in the foregoing embodiments, the processing unit 1101 is configured to control and manage the actions of the access network device. For example, the processing unit 1101 is configured to execute 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, with the first node shown in FIG. 3. The storage unit 1103 is configured to store program code and data of the access network device.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the access network device involved in the foregoing embodiments, the verification apparatus 110 may be the access network device or a chip in the access network device.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the first node involved in the foregoing embodiments, the processing unit 1101 is configured to control and manage the actions of the first node. For example, the processing unit 1101 is configured to execute 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, with the terminal shown in FIG. 3. The storage unit 1103 is configured to store program code and data of the first node.
When the schematic structural diagram shown in FIG. 11 is used to illustrate the structure of the first node involved in the foregoing embodiments, the verification apparatus 110 may be the first node or a chip in the first node.
When the verification apparatus 110 is a terminal, a first node, or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be a communication interface, a transceiver, a transceiver circuit, a transceiver apparatus, or the like. The term "communication interface" is a general term and may include one or more interfaces. The storage unit 1103 may be a memory. When the verification apparatus 110 is a chip in a terminal, a first node, or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be an input/output interface, a pin, a circuit, or the like. The storage unit 1103 may be a storage unit inside the chip (for example, a register or a cache), or a storage unit located outside the chip within the terminal or the access network device (for example, a read-only memory (ROM) or a random access memory (RAM)).
The communication unit may also be referred to as a transceiver unit. The antenna and control circuit that provide the transceiver function in the verification apparatus 110 may be regarded as the communication unit 1102 of the verification apparatus 110, and the processor that provides the processing function may be regarded as the processing unit 1101 of the verification apparatus 110. Optionally, the component of the communication unit 1102 that implements the receiving function may be regarded as a receiving unit. The receiving unit is configured to perform the receiving steps in the embodiments of this application and may be a receiver, a receiving circuit, or the like. The component of the communication unit 1102 that implements the sending function may be regarded as a sending unit. The sending unit is configured to perform the sending steps in the embodiments of this application and may be a transmitter, a transmitting circuit, or the like.
If the integrated unit in FIG. 11 is implemented in the form of a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, an access network device, or the like) or a processor to execute all or some of the steps of the methods described in the embodiments of this application. Storage media for storing the computer software product include any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disc.
The units in FIG. 11 may also be referred to as modules; for example, the processing unit may be referred to as a processing module.
The embodiments of this application further provide a schematic diagram of the hardware structure of a verification apparatus (denoted verification apparatus 120). Referring to FIG. 12 or FIG. 13, the verification apparatus 120 includes a processor 1201 and, optionally, a memory 1202 connected to the processor 1201.
The processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solutions of this application. The processor 1201 may also include multiple CPUs, and the processor 1201 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, or processing cores for processing data (for example, computer program instructions).
The memory 1202 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other compact disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), a magnetic disk storage medium or another magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The embodiments of this application impose no limitation on this. The memory 1202 may exist independently or may be integrated with the processor 1201. The memory 1202 may contain computer program code. The processor 1201 is configured to execute the computer program code stored in the memory 1202, thereby implementing the methods provided in the embodiments of this application.
In a first possible implementation, referring to FIG. 12, the verification apparatus 120 further includes a transceiver 1203. The processor 1201, the memory 1202, and the transceiver 1203 are connected by a bus. The transceiver 1203 is configured to communicate with other devices or communication networks. Optionally, the transceiver 1203 may include a transmitter and a receiver. The component of the transceiver 1203 that implements the receiving function may be regarded as a receiver, which is configured to perform the receiving steps in the embodiments of this application. The component of the transceiver 1203 that implements the sending function may be regarded as a transmitter, which is configured to perform the sending steps in the embodiments of this application.
Based on the first possible implementation, the schematic structural diagram shown in FIG. 12 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiments.
When the schematic structural diagram shown in FIG. 12 is used to illustrate the structure of the terminal involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the terminal. For example, the processor 1201 is configured to support the terminal in executing 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example, with the first node shown in FIG. 3. The memory 1202 is configured to store program code and data of the terminal.
When the schematic structural diagram shown in FIG. 12 is used to illustrate the structure of the access network device involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the access network device. For example, the processor 1201 is configured to support the access network device in executing 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example, with the first node shown in FIG. 3. The memory 1202 is configured to store program code and data of the access network device.
When the schematic structural diagram shown in FIG. 12 is used to illustrate the structure of the first node involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the first node. For example, the processor 1201 is configured to support the first node in executing 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example, with the terminal shown in FIG. 3. The memory 1202 is configured to store program code and data of the first node.
In a second possible implementation, the processor 1201 includes a logic circuit and at least one of an input interface and an output interface. The output interface is configured to perform the sending actions in the corresponding method, and the input interface is configured to perform the receiving actions in the corresponding method.
Based on the second possible implementation, referring to FIG. 13, the schematic structural diagram shown in FIG. 13 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiments.
When the schematic structural diagram shown in FIG. 13 is used to illustrate the structure of the terminal involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the terminal. For example, the processor 1201 is configured to support the terminal in executing 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities, for example, with the first node shown in FIG. 3, through at least one of the input interface and the output interface. The memory 1202 is configured to store program code and data of the terminal.
When the schematic structural diagram shown in FIG. 13 is used to illustrate the structure of the access network device involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the access network device. For example, the processor 1201 is configured to support the access network device in executing 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities, for example, with the first node shown in FIG. 3, through at least one of the input interface and the output interface. The memory 1202 is configured to store program code and data of the access network device.
When the schematic structural diagram shown in FIG. 13 is used to illustrate the structure of the first node involved in the foregoing embodiments, the processor 1201 is configured to control and manage the actions of the first node. For example, the processor 1201 is configured to support the first node in executing 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities, for example, with the terminal shown in FIG. 3, through at least one of the input interface and the output interface. The memory 1202 is configured to store program code and data of the first node.
FIG. 12 and FIG. 13 may also illustrate a system-on-chip in the access network device. In this case, the actions performed by the access network device may be implemented by the system-on-chip; for the specific actions, see the description above, which is not repeated here. FIG. 12 and FIG. 13 may also illustrate a system-on-chip in the terminal. In this case, the actions performed by the terminal may be implemented by the system-on-chip; for the specific actions, see the description above, which is not repeated here. FIG. 12 and FIG. 13 may also illustrate a system-on-chip in the first node. In this case, the actions performed by the first node may be implemented by the system-on-chip; for the specific actions, see the description above, which is not repeated here.
In addition, the embodiments of this application further provide schematic diagrams of the hardware structure of a terminal (denoted terminal 140) and a network device (denoted network device 150); see FIG. 14 and FIG. 15 respectively.
FIG. 14 is a schematic diagram of the hardware structure of the terminal 140. For ease of description, FIG. 14 shows only the main components of the terminal. As shown in FIG. 14, the terminal 140 includes a processor, a memory, a control circuit, an antenna, and an input/output apparatus.
The processor is mainly used to process communication protocols and communication data, to control the entire terminal, to execute software programs, and to process the data of software programs, for example, to control the terminal to execute 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The memory is mainly used to store software programs and data. The control circuit (which may also be referred to as a radio frequency circuit) is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The control circuit together with the antenna may also be called a transceiver, which is mainly used to send and receive radio frequency signals in the form of electromagnetic waves. Input/output apparatuses, such as touchscreens, displays, and keyboards, are mainly used to receive data input by the user and to output data to the user.
After the terminal is powered on, the processor can read the software program in the memory, interpret and execute the instructions of the software program, and process the data of the software program. When data needs to be sent through the antenna, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the control circuit. The control circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal outward through the antenna in the form of electromagnetic waves. When data is sent to the terminal, the control circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor. The processor converts the baseband signal into data and processes the data.
Those skilled in the art will understand that, for ease of description, FIG. 14 shows only one memory and one processor. An actual terminal may have multiple processors and memories. The memory may also be referred to as a storage medium, a storage device, or the like, which is not limited in the embodiments of this application.
As an optional implementation, the processor may include a baseband processor and a central processing unit. The baseband processor is mainly used to process communication protocols and communication data, and the central processing unit is mainly used to control the entire terminal, execute software programs, and process the data of software programs. The processor in FIG. 14 integrates the functions of the baseband processor and the central processing unit. Those skilled in the art will understand that the baseband processor and the central processing unit may also be independent processors interconnected by a technology such as a bus. Those skilled in the art will also understand that a terminal may include multiple baseband processors to adapt to different network standards, that a terminal may include multiple central processing units to enhance its processing capability, and that the components of the terminal may be connected through various buses. The baseband processor may also be described as a baseband processing circuit or a baseband processing chip. The central processing unit may also be described as a central processing circuit or a central processing chip. The function of processing communication protocols and communication data may be built into the processor, or may be stored in the memory in the form of a software program that the processor executes to implement the baseband processing function.
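FIG. 15 is a schematic diagram of the hardware structure of the network device 150. The network device 150 may be the foregoing access network device or the first node. The network device 150 may include one or more radio frequency units, such as a remote radio unit (RRU) 1501, and one or more baseband units (BBU) (which may also be referred to as digital units (DU)) 1502.
The RRU 1501 may be referred to as a transceiver unit, a transceiver, a transceiver circuit, or the like, and may include at least one antenna 1511 and a radio frequency unit 1512. The RRU 1501 is mainly used for sending and receiving radio frequency signals and for conversion between radio frequency signals and baseband signals. The RRU 1501 and the BBU 1502 may be physically located together or physically separated, as in a distributed base station.
The BBU 1502 is the control center of the network device and may also be referred to as a processing unit. It is mainly used to perform baseband processing functions such as channel coding, multiplexing, modulation, and spreading.
In one embodiment, the BBU 1502 may consist of one or more boards. Multiple boards may jointly support a radio access network of a single access standard (such as an LTE network), or may separately support radio access networks of different access standards (such as an LTE network, a 5G network, or other networks). The BBU 1502 further includes a memory 1521 and a processor 1522. The memory 1521 is configured to store necessary instructions and data. The processor 1522 is configured to control the network device to perform necessary actions. The memory 1521 and the processor 1522 may serve one or more boards. That is, a memory and a processor may be provided separately on each board, or multiple boards may share the same memory and processor. In addition, necessary circuits may be provided on each board.
It should be understood that when the network device 150 is the access network device in the foregoing embodiments, the network device 150 can execute 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. When the network device 150 is the first node in the foregoing embodiments, the network device 150 can execute 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The operations, the functions, or both the operations and the functions of the modules in the network device 150 are respectively configured to implement the corresponding procedures in the foregoing method embodiments. For details, see the descriptions in the foregoing method embodiments; to avoid repetition, detailed descriptions are omitted here as appropriate.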
During implementation, each step of the method provided in this embodiment may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. For other descriptions of the processor in FIG. 14 and FIG. 15, see the processor-related descriptions for FIG. 12 and FIG. 13; details are not repeated here.
The embodiments of this application further provide a computer-readable storage medium including instructions that, when run on a computer, cause the computer to execute any of the foregoing methods.
The embodiments of this application further provide a computer program product containing instructions that, when run on a computer, cause the computer to execute any of the foregoing methods.
The embodiments of this application further provide a communication system including a first node and a terminal and, optionally, an access network device.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired manner (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio, or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
Although this application is described herein in conjunction with various embodiments, in practicing the claimed application, those skilled in the art can understand and implement other variations of the disclosed embodiments by studying the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that these measures cannot be combined to good effect.
Although this application has been described in conjunction with specific features and embodiments thereof, it is apparent that various modifications and combinations can be made without departing from the spirit and scope of this application. Accordingly, this specification and the drawings are merely exemplary illustrations of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of this application. Obviously, those skilled in the art can make various changes and variations to this application without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.
Claims (18)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910472664.0A CN112019489B (en) | 2019-05-31 | 2019-05-31 | Verification method and device |
PCT/CN2020/092605 WO2020238957A1 (en) | 2019-05-31 | 2020-05-27 | Verification method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910472664.0A CN112019489B (en) | 2019-05-31 | 2019-05-31 | Verification method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112019489A (en) | 2020-12-01 |
CN112019489B (en) | 2022-03-04 |
Family
ID=73506233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910472664.0A Active CN112019489B (en) | 2019-05-31 | 2019-05-31 | Verification method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112019489B (en) |
WO (1) | WO2020238957A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115643557A (en) * | 2022-12-26 | 2023-01-24 | 深圳市鑫宇鹏电子科技有限公司 | Toy equipment team communication method and device |
WO2023205978A1 (en) * | 2022-04-24 | 2023-11-02 | 北京小米移动软件有限公司 | Key generation method and apparatus for proximity-based service, and device and storage medium |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4413692A1 (en) * | 2021-10-04 | 2024-08-14 | Qualcomm Incorporated | Techniques for on-demand secret key requesting and sharing |
Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2139925T3 (en) * | 1994-08-17 | 2000-02-16 | British Telecomm | AUTHENTICATION OF USERS IN A COMMUNICATION NETWORK. |
CN102625306A (en) * | 2011-01-31 | 2012-08-01 | 电信科学技术研究院 | Method, system and equipment for authentication |
CN102711105A (en) * | 2012-05-18 | 2012-10-03 | 华为技术有限公司 | Method, device and system for communication through mobile communication network |
CN103415010A (en) * | 2013-07-18 | 2013-11-27 | 中国联合网络通信集团有限公司 | D2D network authentication method and system |
WO2014056449A1 (en) * | 2012-10-12 | 2014-04-17 | 中兴通讯股份有限公司 | Method, device, and system for management and verification of device-to-device communication |
CN103825733A (en) * | 2014-02-28 | 2014-05-28 | 华为技术有限公司 | Communication method, device and system based on combined public key cryptography system |
US20140162601A1 (en) * | 2012-12-12 | 2014-06-12 | Sanghoon Kim | Ephemeral identity for device and service discovery |
CN104902443A (en) * | 2014-03-05 | 2015-09-09 | 华为终端有限公司 | Communication method and equipment |
CN104902469A (en) * | 2015-04-17 | 2015-09-09 | 国家电网公司 | Secure communication method facing wireless communication network of power transmission lines |
CN105873039A (en) * | 2015-01-19 | 2016-08-17 | 普天信息技术有限公司 | MANET session key generating method and user equipment |
CN106162618A (en) * | 2015-04-23 | 2016-11-23 | 中兴通讯股份有限公司 | Authentication method, device and the system of a kind of D2D business multicast |
CN106465102A (en) * | 2014-05-12 | 2017-02-22 | 诺基亚技术有限公司 | Method, network element, user equipment and system for securing device-to-device communication in a wireless network |
CN106470420A (en) * | 2015-08-17 | 2017-03-01 | 中兴通讯股份有限公司 | Method for processing business and device |
CN108400964A (en) * | 2017-12-26 | 2018-08-14 | 聚光科技(杭州)股份有限公司 | Equipment room encryption connection method |
CN109428875A (en) * | 2017-08-31 | 2019-03-05 | 华为技术有限公司 | Discovery method and device based on serviceization framework |
CN109756336A (en) * | 2017-11-03 | 2019-05-14 | 中国移动通信有限公司研究院 | An authentication method, V2X computing system and V2X computing node |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101835152A (en) * | 2010-04-16 | 2010-09-15 | 中兴通讯股份有限公司 | Method and system for establishing reinforced secret key when terminal moves to reinforced UTRAN (Universal Terrestrial Radio Access Network) |
CN105635168B (en) * | 2016-01-25 | 2019-01-22 | 恒宝股份有限公司 | A kind of application method of offline transaction device and its security key |
WO2018004600A1 (en) * | 2016-06-30 | 2018-01-04 | Sophos Limited | Proactive network security using a health heartbeat |
US10694382B2 (en) * | 2017-06-27 | 2020-06-23 | Here Global B.V. | Authentication of satellite navigation system receiver |
2019
- 2019-05-31 CN CN201910472664.0A patent/CN112019489B/en active Active
2020
- 2020-05-27 WO PCT/CN2020/092605 patent/WO2020238957A1/en active Application Filing
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2139925T3 (en) * | 1994-08-17 | 2000-02-16 | British Telecomm | AUTHENTICATION OF USERS IN A COMMUNICATION NETWORK. |
CN102625306A (en) * | 2011-01-31 | 2012-08-01 | 电信科学技术研究院 | Method, system and equipment for authentication |
CN102711105A (en) * | 2012-05-18 | 2012-10-03 | 华为技术有限公司 | Method, device and system for communication through mobile communication network |
WO2014056449A1 (en) * | 2012-10-12 | 2014-04-17 | 中兴通讯股份有限公司 | Method, device, and system for management and verification of device-to-device communication |
US20140162601A1 (en) * | 2012-12-12 | 2014-06-12 | Sanghoon Kim | Ephemeral identity for device and service discovery |
CN103415010A (en) * | 2013-07-18 | 2013-11-27 | 中国联合网络通信集团有限公司 | D2D network authentication method and system |
CN103825733A (en) * | 2014-02-28 | 2014-05-28 | 华为技术有限公司 | Communication method, device and system based on combined public key cryptography system |
CN104902443A (en) * | 2014-03-05 | 2015-09-09 | 华为终端有限公司 | Communication method and equipment |
CN106465102A (en) * | 2014-05-12 | 2017-02-22 | 诺基亚技术有限公司 | Method, network element, user equipment and system for securing device-to-device communication in a wireless network |
CN105873039A (en) * | 2015-01-19 | 2016-08-17 | 普天信息技术有限公司 | MANET session key generating method and user equipment |
CN104902469A (en) * | 2015-04-17 | 2015-09-09 | 国家电网公司 | Secure communication method facing wireless communication network of power transmission lines |
CN106162618A (en) * | 2015-04-23 | 2016-11-23 | 中兴通讯股份有限公司 | Authentication method, device and the system of a kind of D2D business multicast |
CN106470420A (en) * | 2015-08-17 | 2017-03-01 | 中兴通讯股份有限公司 | Method for processing business and device |
CN109428875A (en) * | 2017-08-31 | 2019-03-05 | 华为技术有限公司 | Discovery method and device based on serviceization framework |
CN109756336A (en) * | 2017-11-03 | 2019-05-14 | 中国移动通信有限公司研究院 | An authentication method, V2X computing system and V2X computing node |
CN108400964A (en) * | 2017-12-26 | 2018-08-14 | 聚光科技(杭州)股份有限公司 | Equipment room encryption connection method |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023205978A1 (en) * | 2022-04-24 | 2023-11-02 | 北京小米移动软件有限公司 | Key generation method and apparatus for proximity-based service, and device and storage medium |
CN115643557A (en) * | 2022-12-26 | 2023-01-24 | 深圳市鑫宇鹏电子科技有限公司 | Toy equipment team communication method and device |
CN115643557B (en) * | 2022-12-26 | 2023-04-18 | 深圳市鑫宇鹏电子科技有限公司 | Toy equipment team communication method and system |
Also Published As
Publication number | Publication date |
---|---|
CN112019489B (en) | 2022-03-04 |
WO2020238957A1 (en) | 2020-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109600804B (en) | A security protection method, device and system | |
CN113133085B (en) | Method and communication device for establishing connection and acquiring relay service code | |
JP7503557B2 (en) | Procedures for enabling V2X unicast communication over PC5 interface | |
JP2019525506A (en) | Registration method, session establishment method, terminal, and AMF entity | |
JP2024528432A (en) | Internet of Things Network Discovery | |
US9794836B2 (en) | Methods and apparatus for differencitating security configurations in a radio local area network | |
US20170244705A1 (en) | Method of using converged core network service, universal control entity, and converged core network system | |
CN110557846B (en) | Data transmission method, terminal equipment and network equipment | |
EP3761751A1 (en) | Relay selection in cellular sliced networks | |
CN111869261A (en) | Discovery and Security in LWA Communications | |
CN104885552A (en) | Method and apparatus for device-to-device communication | |
CN116723507B (en) | Terminal security method and device for edge network | |
EP3849103A1 (en) | Relay selection in cellular sliced networks | |
CN112019489B (en) | Verification method and device | |
US11089167B2 (en) | Apparatus, system and method of internet connectivity via a relay station | |
US9960922B2 (en) | Device-to-device communication security with authentication certificates | |
US10439989B2 (en) | Device and method of handling cellular network and wireless local area network radio level integration with internet protocol security tunnel | |
CN114503649B (en) | Communication method and communication device | |
WO2023020481A1 (en) | Method for transmitting data and apparatus | |
CN115552928B (en) | Network selection method and device | |
CN113556703B (en) | Wireless communication method and communication device | |
CN110913507B (en) | Communication method and device | |
US11032856B2 (en) | Data transmission method and apparatus | |
WO2023213191A1 (en) | Security protection method and communication apparatus | |
WO2023143022A1 (en) | Method and apparatus for data processing in random access process |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |