CN114205814B - Data transmission method, device and system, electronic equipment and storage medium - Google Patents
- Publication number: CN114205814B (application CN202111465977.7A)
- Authority: CN (China)
- Prior art keywords: data, message, data message, encryption, header
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
  - H04: Electric communication technique
    - H04W: Wireless communication networks
      - H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
        - H04W12/03: Protecting confidentiality, e.g. by encryption
          - H04W12/033: Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
- H: Electricity
  - H04: Electric communication technique
    - H04L: Transmission of digital information, e.g. telegraphic communication
      - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Description
Technical field
The present application relates to the field of communications, and in particular to a data transmission method, device, system, electronic device and storage medium.
Background
Currently, after a wireless terminal establishes a bearer with the core network through a base station, all data packets the terminal sends and receives on that bearer are transmitted in plaintext. Transmitting packet data in plaintext over the wireless channel and the bearer network leads to security problems such as leakage of packet data, data tampering, traffic hijacking and phishing attacks: with a network sniffing device and some technical means, the packet contents can be recovered, which is highly insecure.
The existing solution is for the wireless terminal to establish a bearer with the core network through the base station and to transmit data packets on that bearer. Some applications with security requirements encrypt the payload of the data packet, for example hypertext transfer protocol over secure socket layer (HTTPS) packets. However, the header, which contains the destination IP address and the source IP address, is still transmitted in plaintext, so the security problem is not resolved.
Summary of the invention
The present application provides a data transmission method, device, system, electronic device and storage medium to solve the problem in the prior art that packet data has low security when a wireless terminal transmits packets to and from the core network.
To achieve the above purpose, the present application adopts the following technical solutions:
In a first aspect, the present application provides a data transmission method, including: a user plane function network element receives a data packet from a user terminal (UE). The user plane function network element determines the encryption mode of the data packet according to a packet encryption mode flag bit. The user plane function network element determines the destination IP address of the data packet according to the encryption mode of the data packet. The user plane function network element sends the data packet to the destination IP address.
In a possible implementation, the encryption mode of the data packet includes: a plaintext transmission mode, a fully encrypted transmission mode, and a header-obfuscated encrypted transmission mode.
In a possible implementation, the user plane function network element determining the destination IP address of the data packet according to the encryption mode of the data packet specifically includes: if the encryption mode of the data packet is the plaintext transmission mode, obtaining the header of the data packet and determining the destination IP address of the data packet from that header; if the encryption mode of the data packet is the fully encrypted transmission mode or the header-obfuscated encrypted transmission mode, the user plane function network element decrypts the header of the data packet and determines the destination IP address of the data packet from the decrypted header.
Based on the above technical solution, the present application can bring the following beneficial effects. By adding a packet encryption mode flag bit to the data packet sent by the UE, the user plane function network element, after receiving the data packet, can determine the encryption mode of the data packet from that flag bit. When the encryption mode is the plaintext transmission mode, it directly obtains the header of the packet data to determine the destination IP address; when the encryption mode is the fully encrypted transmission mode or the header-obfuscated encrypted transmission mode, it decrypts the header of the data packet to obtain the destination IP address. Finally, the user plane function network element sends the data packet to the destination IP address. The present application can therefore support the UE sending data packets both in the conventional manner and in encrypted form, and can effectively improve the security and flexibility of data transmitted over the wireless channel and the bearer network.
In a second aspect, the present application provides a data transmission method, including: a user terminal (UE) determines a packet encryption mode flag bit according to unified data management (UDM) subscription data. The UE sends a data packet to a user plane function network element.
In a possible implementation, the above method further includes: the UE sends the data packet to the user plane function network element through a base station; the data packet includes the packet encryption mode flag bit, which is used to indicate the encryption mode of the data packet.
In addition, for the technical effects of the data transmission method of the second aspect, reference may be made to the technical effects of the data transmission method of the first aspect, which are not repeated here.
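The UE side of the second aspect and the flag-driven UPF dispatch of the first aspect, as an added example that is not part of the patent. The one-byte flag layout, the nonce and tag fields, the HMAC-SHA256 counter keystream used as a stand-in cipher, a pre-shared key between UE and UPF, and the UDM subscription field names are all assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from enum import IntEnum


class EncMode(IntEnum):
    PLAINTEXT = 0          # plaintext transmission mode
    FULL = 1               # fully encrypted transmission mode
    HEADER_OBFUSCATED = 2  # header-obfuscated encrypted transmission mode


IPV4_HDR_LEN = 20
NONCE_LEN = 8   # assumed: per-packet nonce carried right after the flag byte
TAG_LEN = 16    # assumed: truncated HMAC over flag, nonce and body

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256, a stand-in for a real cipher."""
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]

def _xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def _tag(key, flag, nonce, body):
    return hmac.new(key, flag + nonce + body, hashlib.sha256).digest()[:TAG_LEN]

def _checksum(hdr):
    """RFC 791 header checksum; returns 0 when run over a header that carries one."""
    s = sum(struct.unpack(">10H", hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, payload, proto=17):
    """Constructed IPv4 packet (no options) so the example runs offline."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0,
                      0x4000, 64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack(">H", _checksum(hdr)) + hdr[12:]
    return hdr + payload

def choose_mode(subscription):
    """UE side (second aspect): derive the flag from UDM subscription data.
    The field names are assumed; the patent does not define the subscription format."""
    if subscription.get("encrypt_header") and subscription.get("encrypt_payload"):
        return EncMode.FULL
    if subscription.get("encrypt_header"):
        return EncMode.HEADER_OBFUSCATED
    return EncMode.PLAINTEXT

def ue_send(mode, ip_packet, key, nonce=None):
    """UE side: prepend the flag byte, protect the header or the whole packet per mode."""
    flag = bytes([mode])
    if mode == EncMode.PLAINTEXT:
        return flag + ip_packet
    nonce = nonce or os.urandom(NONCE_LEN)
    if mode == EncMode.FULL:
        body = _xor(key, nonce, ip_packet)
    else:  # header-obfuscated: only the IP header is encrypted, payload untouched
        body = _xor(key, nonce, ip_packet[:IPV4_HDR_LEN]) + ip_packet[IPV4_HDR_LEN:]
    return flag + nonce + body + _tag(key, flag, nonce, body)

def upf_process(frame, key):
    """UPF side (first aspect): read the flag, recover the header, and return
    (destination IP, plaintext IP packet to forward over N6), or None to drop."""
    if not frame:
        return None
    try:
        mode = EncMode(frame[0])
    except ValueError:          # unknown flag value: do not guess, drop
        return None
    if mode == EncMode.PLAINTEXT:
        packet = frame[1:]
    else:
        if len(frame) < 1 + NONCE_LEN + IPV4_HDR_LEN + TAG_LEN:
            return None
        nonce = frame[1:1 + NONCE_LEN]
        body, tag = frame[1 + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate before routing on any decrypted field.
        if not hmac.compare_digest(tag, _tag(key, frame[:1], nonce, body)):
            return None
        if mode == EncMode.FULL:
            packet = _xor(key, nonce, body)
        else:
            packet = _xor(key, nonce, body[:IPV4_HDR_LEN]) + body[IPV4_HDR_LEN:]
    hdr = packet[:IPV4_HDR_LEN]
    if len(hdr) < IPV4_HDR_LEN or hdr[0] >> 4 != 4 or _checksum(hdr) != 0:
        return None             # not a well-formed IPv4 header after recovery
    return str(ipaddress.IPv4Address(hdr[16:20])), packet
```

In the header-obfuscated mode the payload stays visible on the wire while the source and destination addresses do not, which is exactly the gap the patent identifies in payload-only encryption; the tag check shows why a UPF that routes on decrypted fields must authenticate the packet first.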
In a third aspect, the present application provides a data transmission device, including: a receiving unit, a processing unit and a sending unit. The receiving unit is configured to receive a data packet from a user terminal (UE), where the data packet includes a packet encryption mode flag bit. The processing unit is configured to determine the encryption mode of the data packet according to the packet encryption mode flag bit. The processing unit is further configured to determine the destination IP address of the data packet according to the encryption mode of the data packet. The sending unit is configured to send the data packet to the destination IP address.
In a possible implementation, the encryption mode of the data packet includes: a plaintext transmission mode, a fully encrypted transmission mode, and a header-obfuscated encrypted transmission mode.
In a possible implementation, the processing unit is further configured to, when the encryption mode of the data packet is the plaintext transmission mode, obtain the header of the data packet and determine the destination IP address of the data packet from that header; and, when the encryption mode of the data packet is the fully encrypted transmission mode or the header-obfuscated encrypted transmission mode, decrypt the header of the data packet and determine the destination IP address of the data packet from the decrypted header.
In addition, for the technical effects of the data transmission device of the third aspect, reference may be made to the technical effects of the data transmission method of the first aspect, which are not repeated here.
In a fourth aspect, the present application provides a data transmission device, including: a processing unit and a sending unit. The processing unit is configured to determine a packet encryption mode flag bit according to unified data management (UDM) subscription data. The sending unit is configured to send a data packet to a user plane function network element.
In a possible implementation, the sending unit is further configured to send the data packet to the user plane function network element through a base station; the data packet includes the packet encryption mode flag bit, which is used to indicate the encryption mode of the data packet.
In addition, for the technical effects of the data transmission device of the fourth aspect, reference may be made to the technical effects of the data transmission method of the first aspect, which are not repeated here.
In a fifth aspect, the present application provides a data transmission system, including: a user plane function network element and a user terminal (UE). The user plane function network element is configured to receive a data packet from the UE, determine the encryption mode of the data packet and the destination IP address of the data packet, and send the data packet to the destination IP address. The UE is configured to determine a packet encryption mode flag bit according to unified data management (UDM) subscription data and to send the data packet to the user plane function network element, where the data packet includes the packet encryption mode flag bit.
In addition, for the technical effects of the data transmission system of the fifth aspect, reference may be made to the technical effects of the data transmission method of the first aspect, which are not repeated here.
In a sixth aspect, the present application provides a computer-readable storage medium storing one or more programs. The one or more programs include instructions which, when executed by the electronic device of the present application, cause the electronic device to perform the data transmission method described in the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.
In a seventh aspect, the present application provides an electronic device, including a processor and a memory. The memory is configured to store one or more programs, and the one or more programs include computer-executable instructions. When the electronic device is running, the processor executes the computer-executable instructions stored in the memory so that the electronic device performs the data transmission method described in the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.
In an eighth aspect, the present application provides a computer program product containing instructions which, when run on a computer, cause the electronic device of the present application to perform the data transmission method described in the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.
In a ninth aspect, the present application provides a chip system applied to a data transmission device. The chip system includes one or more interface circuits and one or more processors. The interface circuit and the processor are interconnected by lines; the interface circuit is configured to receive a signal from the memory of the data transmission device and send the signal to the processor, the signal including computer instructions stored in the memory. When the processor executes the computer instructions, the data transmission device performs the data transmission method described in the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect.
Brief description of the drawings
Figure 1 is a schematic diagram of the format of a data packet provided by an embodiment of the present application;
Figure 2 is a schematic diagram of the format of another data packet provided by an embodiment of the present application;
Figure 3 is a schematic diagram of the network architecture of a data transmission method provided by an embodiment of the present application;
Figure 4 is a schematic architectural diagram of a data transmission system provided by an embodiment of the present application;
Figure 5 is a schematic flow chart of a data transmission method provided by an embodiment of the present application;
Figure 6 is a schematic flow chart of another data transmission method provided by an embodiment of the present application;
Figure 7 is a schematic structural diagram of a data transmission device provided by an embodiment of the present application;
Figure 8 is a schematic structural diagram of a data transmission device provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of another data transmission device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
In this document, the character "/" generally indicates that the objects before and after it are in an "or" relationship. For example, A/B can be understood as A or B.
The terms "first" and "second" in the description and claims of the present application are used to distinguish different objects, not to describe a particular order of objects. For example, a first edge service node and a second edge service node are used to distinguish different edge service nodes, not to describe a particular order of the edge service nodes.
In addition, the terms "including" and "having", and any variants of them, in the description of the present application are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
Furthermore, in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the present application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present a concept in a concrete manner.
To facilitate understanding of the technical solutions of the present application, some technical terms are introduced below.
Base stations are mainly used to implement functions such as resource scheduling, radio resource management and radio access control for terminal devices. Base stations may take various forms, for example macro base stations, micro base stations (also called small cells), relay stations and access points. Specifically, a base station may be an access point (AP) in a wireless local area network (WLAN); a base transceiver station (BTS) in the global system for mobile communications (GSM) or in code division multiple access (CDMA); a NodeB (NB) in wideband code division multiple access (WCDMA); an evolved NodeB (eNB or eNodeB) in LTE; a relay station or access point; a vehicle-mounted device or wearable device; a next generation NodeB (gNB) in a future 5G network; or a base station in a future evolved public land mobile network (PLMN).
The above introduces some of the technical terms used in the present application.
In the prior art, after a wireless terminal establishes a bearer with the core network through a base station, all data packets the terminal sends and receives on that bearer are transmitted in plaintext. Transmitting packet data in plaintext over the wireless channel and the bearer network leads to security problems such as leakage of packet data, data tampering, traffic hijacking and phishing attacks: with a network sniffing device and some technical means, the packet contents can be recovered, which is highly insecure.
The current solution is for the wireless terminal to establish a bearer with the core network through the base station and to transmit data packets on that bearer. Some applications with security requirements encrypt the payload of the data packet, for example HTTPS packets. However, the header, which contains the destination IP address and the source IP address, is still transmitted in plaintext, so the security problem is not resolved.
For example, the prior art discloses a scheme 1 in which machine A transmits data to machine B; the uplink data packet processing steps are:
1. The wireless terminal transmits all data packets, unencrypted, to the base station over the wireless link.
2. The base station encapsulates the data packet with the GTP-U protocol over the N3 interface and forwards the data to the user plane function (UPF) network element.
3. The UPF decapsulates the GTP-U packet and decodes the header fields, obtaining the source IP address and destination IP address of the data. The UPF performs QoS handling, conventional charging and PFCP node management for the data packet, and reports the information generated for the data packet to the session management function (SMF) network element of the 5GC core network over the N4 interface.
4. The UPF forwards the data packet to the external network over the N6 interface according to the destination IP address of the data packet.
As shown in Figure 1, the data packet is represented as a data link layer MAC frame, and the solid-line box portion is plaintext data.
However, in scheme 1 the packet data is transmitted in plaintext over the wireless channel and the bearer network, with no form of data encryption. This leads to security problems such as leakage of packet data, data tampering, traffic hijacking and phishing attacks: with a network sniffing device and some technical means, the packet contents can be recovered, which is highly insecure.
As another example, the prior art also discloses a scheme 2, in which the uplink data packet processing steps for machine A transmitting data to machine B are roughly the same as in scheme 1, the difference being that the payload of the packet data sent by machine A is encrypted. As shown in Figure 2, the data packet is represented as a data link layer MAC frame; the solid-line box portion is plaintext data and the dashed-line box portion is encrypted data.
However, in scheme 2 only the payload of the packet data is encrypted on the wireless channel and the bearer network. This ensures that user data remains encrypted in transit and prevents the server from being impersonated by a phishing site, but header fields such as the IP addresses are still transmitted in plaintext, which leaves security risks such as IP address modification and IP address theft.
Figure 3 shows a schematic diagram of the network architecture of the data transmission method provided by the present application. The architecture includes network elements such as the user equipment, new radio, user plane function, data network, authentication server function, access and mobility management function, session management function, network repository function, unified data management, policy control function, application function and network exposure function.
The user equipment (UE) is the terminal device a user uses for mobile communication.
The new radio (NR) forwards control signalling and user data between the terminal and the core network.
The user plane function (UPF) is the network element that handles user plane data; it performs packet routing and forwarding, quality of service (QoS) handling, packet filter control protocol (PFCP) node management, and so on.
The data network (DN) is the network used to carry data.
The authentication server function (AUSF) is used for terminal authentication, protection of the control information list, and so on.
The access and mobility management function (AMF) is responsible for terminal access permissions, handover, and so on.
The session management function (SMF) is used to guarantee service continuity and give the user an uninterrupted service experience, including across changes of IP address and anchor point. The SMF is also responsible for session management, for example interacting with the separated data plane, creating, updating and deleting protocol data unit (PDU) sessions, and selecting and controlling user plane functions.
The network repository function (NRF) is used for network function registration, management and status detection, automating the management of all network functions.
Unified data management (UDM) stores subscription information and supports the storage and processing of authentication credentials.
The policy control function (PCF) provides policy information to the control plane functions and stores and provides the subscription information related to user policy.
The application function (AF) interacts with the core network and provides services.
The network exposure function (NEF) is responsible for exposing network data externally.
In this network architecture, the N1 interface is the reference point between the terminal and the AMF; the N2 interface is the reference point between the NR and the AMF, used for sending non-access stratum messages and the like; the N3 interface is the reference point between the NR and the UPF, which uses the GTP-U protocol to carry user plane data; the N4 interface is the reference point between the SMF and the UPF, which uses the PFCP control plane protocol stack to encapsulate signalling, carry data buffering indications and the like; and the N6 interface is the reference point between the UPF and the DN, used to carry user plane data.
In the data transmission method provided by this application, the executing entity may be an electronic device (for example a computer terminal or a server), a processor in the electronic device, a control module for data transmission in the electronic device, or a client for data transmission in the electronic device.
FIG. 4 is a schematic architectural diagram of a data transmission system 400 provided by an embodiment of this application. As shown in FIG. 4, the data transmission system 400 includes a user terminal 401 and a user plane function network element 402. The user plane function network element 402 receives a data packet from the user terminal 401, determines the encryption mode and the destination IP address of the data packet, and sends the data packet to the destination IP address. The specific implementation of this scheme is described in detail in the method embodiments that follow and is not repeated here.
Optionally, if the data transmission system shown in FIG. 4 is applied to the network architecture shown in FIG. 3, the network element or entity corresponding to the user plane function network element 402 may be the UPF network element of the network architecture in FIG. 3.
To address the low security of packet data when a wireless terminal exchanges packets with the core network in the prior art, this application provides a data transmission method. As shown in FIG. 5, the technical solution of the embodiment is explained for the case where the network element or entity corresponding to the user plane function network element 402 is a UPF network element. The data transmission method provided by this application includes the following steps:
S501. The UE sends a data packet to the base station. Correspondingly, the base station receives the data packet.
The packet encryption mode flag is determined from the UE's UDM subscription data and indicates the encryption mode of the data packet. It will be understood that the UE sends the data packet to the base station over a radio link.
Optionally, the encryption modes of a data packet include a plaintext transmission mode, a fully encrypted transmission mode and a header-obfuscated encrypted transmission mode.
S502. The base station performs protocol encapsulation of the data packet.
Optionally, the base station encapsulates the data packet for the N3 interface. For example, the protocol used by the base station for this encapsulation is GTP-U. The specific procedure for encapsulating a data packet according to GTP-U is existing technology and is not described further here.
S503. The base station sends the encapsulated data packet to the UPF. Correspondingly, the UPF receives the encapsulated data packet.
S504. The UPF determines the encryption mode of the data packet.
Optionally, after receiving the data packet from the base station, the UPF determines the packet detection rule (PDR) corresponding to the data packet according to the packet detection priority.
For example, if the packet detection priority gives the packet encryption mode flag the first priority, the UPF first reads and identifies the packet encryption mode flag. It then determines the PDR corresponding to the data packet from the identified flag, and from that PDR determines the encryption mode of the data packet.
S505. The UPF determines the source IP address and destination IP address corresponding to the data packet.
Optionally, the UPF decrypts the header of the data packet. It will be understood that if the transmission mode indicated by the packet encryption mode flag is the plaintext transmission mode, there is no need to decrypt the header; the UPF obtains the source and destination IP addresses directly from the header of the data packet.
For example, when the encryption mode of the data packet is the plaintext transmission mode, the UPF reads the header of the data packet and determines the destination IP address from that header.
For example, when the encryption mode of the data packet is the fully encrypted transmission mode or the header-obfuscated encrypted transmission mode, the UPF decrypts the header of the data packet and determines the destination IP address from the decrypted header.
S506. The UPF sends the data packet to the destination IP address.
It should be noted that after the UPF has determined the encryption mode of the data packet and decoded its header, the data packet is forwarded in the same way as in the prior art, which is not described further here.
Based on the above technical solution, this application adds a packet encryption mode flag to the data packet sent by the UE, so that after receiving the data packet the user plane function network element can determine the packet's encryption mode from the flag: when the encryption mode is the plaintext transmission mode it reads the packet header directly to determine the destination IP address, and when the encryption mode is the fully encrypted or the header-obfuscated encrypted transmission mode it decrypts the header to obtain the destination IP address. Finally, the user plane function network element sends the data packet to the destination IP address. The application thus supports the UE sending data packets both in the conventional way and in encrypted form, which effectively improves the security and flexibility of data transmitted over the radio channel and the bearer network.
With reference to FIG. 5, and as shown in FIG. 6, the data transmission method provided by this application further includes, before S501, a procedure in which the UE initiates PDU session creation. The steps are as follows:
S601. The UE requests PDU session establishment.
S602. The AMF selects an SMF according to the request.
S603. The AMF requests the create PDU session SM context service. This establishes the association between the AMF and the SMF for this UE session, conveys the UDM subscription data relevant to the selected SMF, and triggers the whole 5GC session establishment procedure.
A packet encryption mode flag, flag-1, is newly added in the UDM and serves as the first-priority identifier for packet detection. For example, flag-1 takes one of three values, with the following meanings: 0, conventional transmission mode (that is, plaintext transmission); 1, fully encrypted transmission mode; 2, header-obfuscated encrypted transmission mode.
S604. The SMF obtains subscription data from the UDM, or updates the subscription data.
S605. The SMF returns the create PDU session SM context service response.
S606. The SMF selects a suitable PCF.
S607. The SMF and the PCF establish the session policy.
S608. The SMF selects the UPF that will serve the UE and allocates an IP address to the UE session.
S609. The SMF sends an N4 session establishment request to the UPF, providing the packet detection rules (PDRs), forwarding action rules (FARs) and so on to be installed on the UPF for this PDU session.
A ciphertext transmission flag, flag-2, is newly added to the PDR, and its value is determined by the packet encryption mode identifier flag-1 in the UDM. Corresponding to the values of flag-1 given under S603: when flag-2 is 0 the UPF uses the conventional transmission mode; when flag-2 is 1 the packets that hit this PDU session are processed as ciphertext; when flag-2 is 2 they are processed as ciphertext with an obfuscated header. For ciphertext, the packet is first decrypted and only then matched against the tuple matching rules of the PDR.
S610. The UPF returns an N4 session establishment response to the SMF, carrying PDU session context information such as the QoS flow list.
S611. The SMF sends an N1/N2 message transfer request to the AMF.
S612. The AMF sends an N2 interface PDU session request to the base station.
S613. The base station sends a radio resource establishment request to the UE and, according to the PDU session information provided by the AMF, establishes a suitable radio bearer for the UE.
S614. The base station returns N2 interface PDU session acknowledgement information to the AMF, carrying the N3 interface resources allocated by the base station; the uplink data path is now established.
S615. The AMF sends an update SM context request to the SMF.
S616. The SMF sends an N4 session update to the UPF; the downlink data path is now established.
S617. The SMF returns the update SM context response to the AMF. The 5GS session establishment procedure is complete.
S618. The AMF returns the PDU session establishment accept message to the UE in response to its session establishment request; this response carries the MSG-1 content.
S619. The UE processes the PDU session establishment accept message and parses the content of MSG-1 into LIST-1 and LIST-2 of the UE's encryption/decryption module, where LIST-2-node-action-src-ip in LIST-2 is initially 0.
The above describes the procedure by which the UE initiates PDU session creation in the data transmission method provided by this application.
The implementation of the data packet encryption modes in the embodiments of this application is described below.
(1) If the packet encryption mode flag is 1, the encryption mode of the data packet is the fully encrypted transmission mode, implemented as follows: when the UPF receives a data packet, the TEID hits a PDR; from the flag-2 value in that PDR (here 1) the UPF determines that the packet is fully encrypted, passes it to the decryption module, and then carries out the normal forwarding procedure used for plaintext. When the UPF handles downlink data, the destination IP address hits the PDR corresponding to the UE, and the flag in that PDR indicates whether encryption is required; if so, the packet is passed to the encryption/decryption module, encrypted, and then sent to the UE over N3 via the base station. By default the UE encrypts and decrypts all uplink and downlink packets.
(2) If the packet encryption mode flag is 2, the encryption mode of the data packet is the header-obfuscated encrypted transmission mode, implemented as follows:
Header-obfuscated encrypted transmission combines payload encryption with obfuscation of the packet header (the IP header), and obfuscation can be applied only to selected packets according to service needs. The payload encryption part is the same as in the existing technology and is not described further here. The header obfuscation mechanism is implemented in the following steps:
S1. When the UE registers with the network and establishes a PDU session, the IP address allocation for the session provides a real IP address plus a set of special IP addresses, for example 10.x.x.1/8 or an IP address list LIST-1.
S2. An obfuscation processing module is added to the UE protocol stack. It maintains an N-tuple rule table LIST-2, delivered by 5GC configuration. Each rule is an N-tuple LIST-2-node-rule, and its action contains the source IP obfuscation address (LIST-2-node-action-src-ip), the destination address obfuscation key (LIST-2-node-action-dst-ip-key), the obfuscation/encryption type of the payload part (LIST-2-node-action-payload-type) and the payload key (LIST-2-node-action-payload-key).
S3. When an app on the UE sends a packet, it passes down the protocol stack and reaches the obfuscation module before the network packet is emitted. The obfuscation module matches the packet against the N-tuple rule table; a hit means the IP header must be obfuscated.
S4. Obfuscation of the source IP address: the source IP address is determined by LIST-2-node-action-src-ip in LIST-2. When LIST-2-node-action-src-ip is 0, an IP address is chosen at random from LIST-1; when it is not 0, the source IP address is replaced directly by LIST-2-node-action-src-ip. An aging time LIST-2-node-action-src-ip-aging can be configured; when it expires, LIST-2-node-action-src-ip is reset to 0 and a new random address is chosen for the next packet.
S5. Obfuscation of the destination IP address: the real destination IP address is transformed using LIST-2-node-action-dst-ip-key. For example, with real destination IP A.B.C.D and LIST-2-node-action-dst-ip-key k (k in the range 1 to 254), the obfuscated address is {[(A-k)+255]%256}.{[(B+k)+255]%256}.{[(C-k)+255]%256}.{[(D+k)+255]%256}.
S6. Obfuscation of the payload: a normal encryption or obfuscation algorithm is used, with the type and key given by LIST-2-node-action-payload-type and LIST-2-node-action-payload-key.
S7. Sending the packet: the obfuscated/encrypted packet is sent to the base station in the UE's usual way.
S8. The base station forwards the received packet to the UPF over N3.
S9. When the UPF receives the uplink packet, the TEID first hits a PDR. If flag-2 in that PDR is 2, indicating an encrypted packet of mode 2, the UPF then checks the source IP address: if it is in LIST-1, the packet is treated as obfuscated/encrypted and passed to the UPF unit dedicated to encryption and decryption for de-obfuscation and decryption, yielding the plaintext packet; if the source IP address is not in LIST-1, the packet is handled as a normal packet.
S10. The UPF routes and forwards the plaintext packet normally.
S11. Downlink packets are handled similarly to the uplink procedure above, except that the UPF decides from the packet's destination IP address and N-tuple whether obfuscation and encryption are required; if so, the packet is passed to the encryption/decryption module for encryption and then sent to the UE over N3 via the base station.
S12. On receiving the packet, the UE decides from the destination IP address whether decryption is needed; if so, it decrypts the packet and then passes it up the protocol stack to the app.
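The uplink handling of S504 to S506, the fully encrypted mode (1), and the header obfuscation steps S1 to S10 above, as one added worked example in Python. This is an illustration written for this page, not code from the patent or from any 5G core implementation. The inner-packet layout, the Rule and Pdr classes, the HMAC-SHA256 keystream standing in for the cipher the patent leaves unspecified, the way the UPF selects the LIST-2 rule whose key applies, the restoration of the UE's real source address at the UPF, aging counted in packets, and all addresses and keys are assumptions:

```python
"""Uplink model of the header-obfuscated mode (S1 to S10) and the UPF flag-2 dispatch
(S504 to S506). Illustration only: packet layout, Rule/Pdr classes, keystream cipher,
rule selection at the UPF and all addresses and keys are assumptions."""
import hashlib, hmac, random

LIST_1 = ["10.7.0.1", "10.7.0.2", "10.7.0.3"]  # constructed LIST-1 pool of special sources (S1)

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Placeholder symmetric cipher (XOR with an HMAC-SHA256 counter keystream); the patent
    leaves the cipher unspecified and a deployment would use an AEAD such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def obfuscate_dst(ip: str, k: int) -> str:
    """S5: A'=(A-k+255)%256, B'=(B+k+255)%256, C'=(C-k+255)%256, D'=(D+k+255)%256."""
    if not 1 <= k <= 254:
        raise ValueError("LIST-2-node-action-dst-ip-key must be in 1..254")
    a, b, c, d = (int(x) for x in ip.split("."))
    return "%d.%d.%d.%d" % ((a - k + 255) % 256, (b + k + 255) % 256,
                            (c - k + 255) % 256, (d + k + 255) % 256)

def deobfuscate_dst(ip: str, k: int) -> str:
    """Inverse of S5: A=(A'+k+1)%256, B=(B'-k+1)%256, C=(C'+k+1)%256, D=(D'-k+1)%256."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return "%d.%d.%d.%d" % ((a + k + 1) % 256, (b - k + 1) % 256,
                            (c + k + 1) % 256, (d - k + 1) % 256)

def pack(pkt: dict) -> bytes:  # assumed inner-packet layout: 'src|dst|dport|' then the payload
    return f"{pkt['src']}|{pkt['dst']}|{pkt['dport']}|".encode() + pkt["payload"]

def unpack(raw: bytes) -> dict:
    src, dst, dport, payload = raw.split(b"|", 3)
    return {"src": src.decode(), "dst": dst.decode(), "dport": int(dport), "payload": payload}

class Rule:  # one LIST-2 node (S2): match tuple (dst, dport; None = any) plus the actions
    def __init__(self, dst, dport, dst_key, payload_key, aging=0):
        self.dst, self.dport, self.dst_key, self.payload_key = dst, dport, dst_key, payload_key
        self.src_ip = "0"                 # LIST-2-node-action-src-ip, initially 0 (S619)
        self.aging, self.sent = aging, 0  # aging counted in packets here (assumption)

    def matches(self, pkt: dict) -> bool:
        return self.dst in (None, pkt["dst"]) and self.dport in (None, pkt["dport"])

def ue_send(pkt: dict, list_2: list, rng=random.Random(7)) -> dict:
    """S3 to S6: on a rule hit, take src from LIST-1, obfuscate dst and encrypt the payload."""
    for r in list_2:
        if not r.matches(pkt):
            continue
        if r.src_ip == "0":                      # S4: 0 means pick a pool address at random
            r.src_ip = rng.choice(LIST_1)
        out = {"src": r.src_ip, "dst": obfuscate_dst(pkt["dst"], r.dst_key), "dport": pkt["dport"],
               "payload": keystream_xor(pkt["payload"], r.payload_key)}
        r.sent += 1
        if r.aging and r.sent >= r.aging:        # S4: aging expired, clear to 0
            r.src_ip, r.sent = "0", 0
        return out
    return pkt                                   # no hit: the packet is sent unchanged

class Pdr:  # PDR installed at N4 session establishment (S609); flag-2 is taken from UDM flag-1
    def __init__(self, teid, ue_ip, flag_1, session_key, list_2):
        self.teid, self.ue_ip, self.flag_2 = teid, ue_ip, flag_1
        self.session_key, self.list_2 = session_key, list_2

def upf_deobfuscate(pkt: dict, pdr: Pdr) -> dict:
    """The patent does not say how the UPF picks the rule whose key applies; assumed here:
    try each rule's key and accept the first whose recovered tuple matches that rule."""
    for r in pdr.list_2:
        real = {"src": pdr.ue_ip, "dst": deobfuscate_dst(pkt["dst"], r.dst_key), "dport": pkt["dport"]}
        if r.matches(real):
            real["payload"] = keystream_xor(pkt["payload"], r.payload_key)
            return real
    raise ValueError("source is in LIST-1 but no LIST-2 rule recovers a matching tuple")

def upf_uplink(teid: int, wire: bytes, pdrs: dict) -> tuple:
    """S504 to S506 and S9/S10: the TEID hits the PDR, flag-2 selects the handling, and the
    clear-text destination address is the forwarding target. Returns (dst, clear packet)."""
    pdr = pdrs[teid]
    if pdr.flag_2 == 0:                          # plaintext: read the header directly
        pkt = unpack(wire)
    elif pdr.flag_2 == 1:                        # fully encrypted: decrypt the whole packet first
        pkt = unpack(keystream_xor(wire, pdr.session_key))
    elif pdr.flag_2 == 2:                        # header-obfuscated mode
        pkt = unpack(wire)
        if pkt["src"] in LIST_1:                 # S9: pool source -> de-obfuscate, else plain
            pkt = upf_deobfuscate(pkt, pdr)
    else:
        raise ValueError(f"unknown flag-2 value {pdr.flag_2}")
    return pkt["dst"], pkt

def demo() -> dict:  # constructed end-to-end uplink: app packet -> UE obfuscation -> UPF recovery
    rules = [Rule("203.0.113.10", 443, dst_key=37, payload_key=b"payload-key-constructed")]
    pdrs = {0x1001: Pdr(0x1001, "10.1.2.3", flag_1=2, session_key=b"session-key", list_2=rules)}
    app = {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443, "payload": b"GET / HTTP/1.1"}
    wire = ue_send(app, rules)                   # S7/S8 carry this unchanged to the UPF
    dst, clear = upf_uplink(0x1001, pack(wire), pdrs)
    return {"wire_src": wire["src"], "wire_dst": wire["dst"], "forward_to": dst, "payload": clear["payload"]}
```

Running demo() shows the packet leaving the UE with a LIST-1 source and the obfuscated destination 165.36.75.46 (for k = 37), and the UPF recovering 203.0.113.10 as the forwarding target. Two points a practitioner should keep in view. The S5 transform is a per-octet offset keyed by a single value in 1 to 254, so it hides the destination from a casual observer, but anyone who captures the traffic can try all 254 keys; the confidentiality of the packet rests on the payload cipher chosen under S6, not on the header obfuscation. And since S9 recognises obfuscated packets only by a source address in LIST-1, the pool has to be bound to the PDU session (here through the TEID-selected PDR) rather than trusted on its own.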
It should be noted that the rules for the UE are delivered in the PDU session establishment accept message. As shown in Table 1 below, content MSG-1, which carries the encryption rules, is newly added to the PDU session establishment accept message:
Table 1 Contents of the encryption rules MSG-1
The above describes how the data packet encryption modes are implemented in the data transmission method provided by this application.
本申请实施例可以根据上述方法示例对数据传输装置进行功能模块或者功能单元的划分,例如,可以对应各个功能划分各个功能模块或者功能单元,也可以将两个或两个以上的功能集成在一个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块或者功能单元的形式实现。其中,本申请实施例中对模块或者单元的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。Embodiments of the present application can divide the data transmission device into functional modules or functional units according to the above method examples. For example, each functional module or functional unit can be divided corresponding to each function, or two or more functions can be integrated into one in the processing module. The above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules or functional units. Among them, the division of modules or units in the embodiments of the present application is schematic and is only a logical function division. In actual implementation, there may be other division methods.
示例性的,如图7所述,为本申请实施例所涉及的一种数据传输装置的一种可能的结构示意图。该数据传输装置700包括:接收单元701、处理单元702和发送单元703。Illustratively, as shown in FIG. 7 , it is a possible structural schematic diagram of a data transmission device involved in the embodiment of the present application. The data transmission device 700 includes: a receiving unit 701, a processing unit 702, and a sending unit 703.
其中,接收单元701,用于接收来自用户终端UE的数据报文。Among them, the receiving unit 701 is used to receive data messages from the user terminal UE.
处理单元702,用于确定数据报文的加密方式。The processing unit 702 is used to determine the encryption method of the data message.
处理单元702,还用于根据数据报文的加密方式,确定数据报文的目的IP地址。The processing unit 702 is also used to determine the destination IP address of the data message according to the encryption method of the data message.
发送单元703,用于向目的IP地址发送数据报文。The sending unit 703 is used to send data packets to the destination IP address.
可选的,处理单元702,还用于根据报文加密方式标志位,确定数据报文的加密方式。Optionally, the processing unit 702 is also configured to determine the encryption method of the data message according to the message encryption mode flag.
可选的,处理单元702,还用于在数据报文的加密方式为明文传输方式,获取数据报文的字头,并根据数据报文的字头确定数据报文的目的IP地址。Optionally, the processing unit 702 is also configured to obtain the header of the data message when the encryption mode of the data message is plain text transmission, and determine the destination IP address of the data message based on the header of the data message.
可选的,处理单元702,还用于在数据报文的加密方式为全加密传输方式或报文头混淆加密传输方式时,对数据报文的字头进行解密,并根据解密后的数据报文的字头确定数据报文的目的IP地址。Optionally, the processing unit 702 is also configured to decrypt the header of the data message when the encryption mode of the data message is a fully encrypted transmission mode or a message header obfuscated encrypted transmission mode, and use the decrypted data message to The header of the message determines the destination IP address of the data message.
可选的,数据传输装置700还可以包括存储单元(图7中以虚线框示出),该存储单元存储有程序或指令,当处理单元702执行该程序或指令时,使得数据传输装置可以执行上述方法实施例所述的数据传输方法。Optionally, the data transmission device 700 may also include a storage unit (shown as a dotted box in FIG. 7 ), which stores programs or instructions. When the processing unit 702 executes the program or instructions, the data transmission device can execute The data transmission method described in the above method embodiment.
此外,图7所述的数据传输装置的技术效果可以参考上述实施例所述的数据传输方法的技术效果,此处不再赘述。In addition, the technical effects of the data transmission device described in FIG. 7 can be referred to the technical effects of the data transmission method described in the above embodiments, and will not be described again here.
示例性的,如图8所述,为本申请实施例所涉及的另一种数据传输装置的一种可能的结构示意图。该数据传输装置800包括:处理单元801和发送单元802。Illustratively, as shown in FIG. 8 , it is a possible structural schematic diagram of another data transmission device involved in the embodiment of the present application. The data transmission device 800 includes: a processing unit 801 and a sending unit 802.
其中,处理单元801,用于根据统一数据管理UDM签约数据,确定报文加密方式标志位。Among them, the processing unit 801 is used to determine the message encryption mode flag according to the unified data management UDM contract data.
发送单元802,用于向用户平面功能网元发送数据报文。The sending unit 802 is used to send data packets to the user plane functional network element.
可选的,发送单元802,还用于通过基站,向用户平面功能网元发送数据报文。Optionally, the sending unit 802 is also used to send the data message to the user plane functional network element through the base station.
可选的,数据传输装置800还可以包括存储单元(图8中以虚线框示出),该存储单元存储有程序或指令,当处理单元801执行该程序或指令时,使得数据传输装置可以执行上述方法实施例所述的数据传输方法。Optionally, the data transmission device 800 may also include a storage unit (shown as a dotted box in FIG. 8 ), which stores programs or instructions. When the processing unit 801 executes the program or instructions, the data transmission device can execute The data transmission method described in the above method embodiment.
此外,图8所述的数据传输装置的技术效果可以参考上述实施例所述的数据传输方法的技术效果,此处不再赘述。In addition, the technical effects of the data transmission device described in FIG. 8 can be referred to the technical effects of the data transmission method described in the above embodiments, which will not be described again here.
示例性地,图9为上述实施例中所涉及的数据传输装置的又一种可能的结构示意图。如图9所示,数据传输装置900包括:处理器902。Exemplarily, FIG. 9 is a schematic structural diagram of another possible structure of the data transmission device involved in the above embodiment. As shown in Figure 9, the data transmission device 900 includes: a processor 902.
其中,处理器902,用于对该数据传输装置的动作进行控制管理,例如,执行上述接收单元701、处理单元702、发送单元703、处理单元801以及发送单元802执行的步骤,和/或用于执行本文所描述的技术方案的其它过程。Among them, the processor 902 is used to control and manage the actions of the data transmission device, for example, execute the steps performed by the above-mentioned receiving unit 701, processing unit 702, sending unit 703, processing unit 801 and sending unit 802, and/or use Other processes for executing the technical solutions described in this article.
上述处理器902可以是实现或执行结合本申请内容所描述的各种示例性的逻辑方框,模块和电路。该处理器可以是中央处理器,通用处理器,数字信号处理器,专用集成电路,现场可编程门阵列或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。所述处理器也可以是实现计算功能的组合,例如包含一个或多个微处理器组合,DSP和微处理器的组合等。The above-mentioned processor 902 may implement or execute various exemplary logical blocks, modules and circuits described in conjunction with the contents of this application. The processor may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with this disclosure. The processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.
可选地,数据传输装置900还可以包括通信接口903、存储器901和总线904。其中,通信接口903用于支持数据传输装置900与其他网络实体的通信。存储器901用于存储该数据传输装置的程序代码和数据。Optionally, the data transmission device 900 may also include a communication interface 903, a memory 901 and a bus 904. Among them, the communication interface 903 is used to support communication between the data transmission device 900 and other network entities. The memory 901 is used to store program codes and data of the data transmission device.
其中,存储器901可以是数据传输装置中的存储器,该存储器可以包括易失性存储器,例如随机存取存储器;该存储器也可以包括非易失性存储器,例如只读存储器,快闪存储器,硬盘或固态硬盘;该存储器还可以包括上述种类的存储器的组合。The memory 901 may be a memory in a data transmission device, and the memory may include a volatile memory, such as a random access memory; the memory may also include a non-volatile memory, such as a read-only memory, flash memory, hard disk, or Solid state drive; the memory may also include a combination of the above types of memory.
总线909可以是扩展工业标准结构(Extended Industry StandardArchitecture,EISA)总线等。总线909可以分为地址总线、数据总线、控制总线等。为便于表示,图9中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus 909 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 909 can be divided into an address bus, a data bus, a control bus, etc. For ease of presentation, only one thick line is used in Figure 9, but it does not mean that there is only one bus or one type of bus.
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。上述描述的系统,装置和模块的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Through the above description of the embodiments, those skilled in the art can clearly understand that for the convenience and simplicity of description, only the division of the above functional modules is used as an example. In actual applications, the above functions can be allocated as needed. It is completed by different functional modules, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific working processes of the systems, devices and modules described above, reference can be made to the corresponding processes in the foregoing method embodiments, which will not be described again here.
本申请实施例提供一种包含指令的计算机程序产品,当所述计算机程序产品在本申请的电子设备上运行时,使得所述计算机执行上述方法实施例所述的数据传输方法。Embodiments of the present application provide a computer program product containing instructions. When the computer program product is run on the electronic device of the present application, it causes the computer to execute the data transmission method described in the above method embodiment.
本申请实施例还提供一种计算机可读存储介质,计算机可读存储介质中存储有指令,当计算机执行该指令时,该本申请的电子设备执行上述方法实施例所示的方法流程中数据传输装置执行的各个步骤。Embodiments of the present application also provide a computer-readable storage medium. Instructions are stored in the computer-readable storage medium. When the computer executes the instructions, the electronic device of the present application performs data transmission in the method process shown in the above method embodiment. The various steps performed by the device.
其中,计算机可读存储介质,例如可以是但不限于电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读存储介质的更具体的例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘。随机存取存储器(Random Access Memory,RAM)、只读存储器(Read-Only Memory,ROM)、可擦式可编程只读存储器(Erasable Programmable Read Only Memory,EPROM)、寄存器、硬盘、光纤、便携式紧凑磁盘只读存储器(Compact Disc Read-Only Memory,CD-ROM)、光存储器件、磁存储器件、或者上述的人以合适的组合、或者本领域数值的任何其他形式的计算机可读存储介质。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于特定用途集成电路(Application Specific Integrated Circuit,ASIC)中。在本申请实施例中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。The computer-readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof. More specific examples (non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more wires, a portable computer disk, a hard drive. Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), register, hard disk, optical fiber, portable and compact Compact Disc Read-Only Memory (CD-ROM), optical storage device, magnetic storage device, or a suitable combination of the above, or any other form of computer-readable storage medium valued in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium can also be an integral part of the processor. The processor and storage medium may be located in an Application Specific Integrated Circuit (ASIC). In the embodiments of the present application, the computer-readable storage medium may be any tangible medium containing or storing a program, which may be used by or in combination with an instruction execution system, apparatus or device.
The above are merely specific embodiments of the present application, but the protection scope of the present application is not limited thereto; any change or substitution within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111465977.7A CN114205814B (en) | 2021-12-03 | 2021-12-03 | Data transmission method, device and system, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111465977.7A CN114205814B (en) | 2021-12-03 | 2021-12-03 | Data transmission method, device and system, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114205814A CN114205814A (en) | 2022-03-18 |
CN114205814B true CN114205814B (en) | 2023-11-21 |
Family
ID=80650363
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111465977.7A Active CN114205814B (en) | 2021-12-03 | 2021-12-03 | Data transmission method, device and system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114205814B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115473729B (en) * | 2022-09-09 | 2024-05-28 | 中国联合网络通信集团有限公司 | Data transmission method, gateway, SDN controller and storage medium |
CN115460594B (en) * | 2022-09-16 | 2024-12-24 | 四川创智联恒科技有限公司 | Terminal side indication data encryption direction method, sending and receiving device and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105025475A (en) * | 2015-07-28 | 2015-11-04 | 东南大学常州研究院 | Android-system-oriented implementation method of a mobile secure terminal |
CN105516139A (en) * | 2015-12-09 | 2016-04-20 | 北京四达时代软件技术股份有限公司 | Network data transmission method, device and system |
CN110177116A (en) * | 2019-06-10 | 2019-08-27 | 北京交通大学 | Secure data transmission method and apparatus for a smart fusion identifier network |
CN110719611A (en) * | 2018-07-11 | 2020-01-21 | 华为技术有限公司 | Message sending method and device |
WO2020029922A1 (en) * | 2018-08-10 | 2020-02-13 | 华为技术有限公司 | Method and apparatus for transmitting message |
CN110830989A (en) * | 2018-08-09 | 2020-02-21 | 华为技术有限公司 | Communication method and device |
CN110913508A (en) * | 2019-11-25 | 2020-03-24 | 广州爱浦路网络技术有限公司 | A 5G base station deploying UPF and its data packet processing method |
CN111901446A (en) * | 2019-05-05 | 2020-11-06 | 华为技术有限公司 | Method and equipment for allocating and acquiring IP address |
CN112672345A (en) * | 2019-09-30 | 2021-04-16 | 华为技术有限公司 | Communication authentication method and related equipment |
CN113472626A (en) * | 2021-07-06 | 2021-10-01 | 深圳艾灵网络有限公司 | Data message transmission method, electronic device and storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110463231A (en) * | 2017-03-24 | 2019-11-15 | 英特尔公司 | System and method for the service dispensing based on group |
KR102489245B1 (en) * | 2018-12-28 | 2023-01-17 | 삼성전자 주식회사 | A method and an apparatus for providing rule information in a wireless communication system |
2021
- 2021-12-03 CN CN202111465977.7A patent/CN114205814B/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105025475A (en) * | 2015-07-28 | 2015-11-04 | 东南大学常州研究院 | Android-system-oriented implementation method of a mobile secure terminal |
CN105516139A (en) * | 2015-12-09 | 2016-04-20 | 北京四达时代软件技术股份有限公司 | Network data transmission method, device and system |
CN110719611A (en) * | 2018-07-11 | 2020-01-21 | 华为技术有限公司 | Message sending method and device |
CN110830989A (en) * | 2018-08-09 | 2020-02-21 | 华为技术有限公司 | Communication method and device |
WO2020029922A1 (en) * | 2018-08-10 | 2020-02-13 | 华为技术有限公司 | Method and apparatus for transmitting message |
CN111901446A (en) * | 2019-05-05 | 2020-11-06 | 华为技术有限公司 | Method and equipment for allocating and acquiring IP address |
CN110177116A (en) * | 2019-06-10 | 2019-08-27 | 北京交通大学 | Secure data transmission method and apparatus for a smart fusion identifier network |
CN112672345A (en) * | 2019-09-30 | 2021-04-16 | 华为技术有限公司 | Communication authentication method and related equipment |
CN110913508A (en) * | 2019-11-25 | 2020-03-24 | 广州爱浦路网络技术有限公司 | A 5G base station deploying UPF and its data packet processing method |
CN113472626A (en) * | 2021-07-06 | 2021-10-01 | 深圳艾灵网络有限公司 | Data message transmission method, electronic device and storage medium |
Non-Patent Citations (3)
Title |
---|
Key technologies for 5G end-to-end network collaboration; 刘义亮; 李鑫; 薄开涛; Telecommunications Science (电信科学) (03); full text * |
Huawei. R3-161759 "RAN Support for Core Network Slicing". 3GPP tsg_ran\WG3_Iu. 2016, (TSGR3_93), full text. * |
Application and evolution of mobile IoT core network technology; 谷群; 李爱华; 张; 张彦; 魏彬; 苑红; Internet World (互联网天地) (08); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114205814A (en) | 2022-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110830991B (en) | Secure session method and device | |
CN108574969B (en) | Connection processing method and device in multi-access scenario | |
EP3557840B1 (en) | Security implementation method, device and system | |
US11533610B2 (en) | Key generation method and related apparatus | |
WO2021000827A1 (en) | Data transmission link establishment method and apparatus, and computer-readable storage medium | |
CN108353282B (en) | Method and apparatus for wireless communication using a security model supporting multiple connectivity and service contexts | |
US20210219137A1 (en) | Security management between edge proxy and internetwork exchange node in a communication system | |
US20210084489A1 (en) | Terminal information transfer method and relevant products | |
US8837365B2 (en) | Method and system for securely routing traffic on X2 interface in a 3GPP network | |
CN110830993A (en) | A method and apparatus for data processing | |
CN113841443B (en) | Data transmission method and device | |
WO2019242525A1 (en) | Data transmission method, related device and system | |
US20230013500A1 (en) | Radio bearer configuration method, apparatus, and system | |
CN114205814B (en) | Data transmission method, device and system, electronic equipment and storage medium | |
RU2684754C1 (en) | Method and device for processing data packets | |
US20240292219A1 (en) | Method and device for operating terminal in wireless communication system | |
US20210168614A1 (en) | Data Transmission Method and Device | |
WO2023224915A1 (en) | Security for distributed non-access stratum protocol in a mobile system | |
CN116601985A (en) | Security context generation method, device and computer readable storage medium | |
CN115298662A (en) | Selective user plane protection in 5G virtual RAN | |
CN111386682A (en) | Wireless communication system, security proxy device and relay device | |
CN114979962A (en) | Method and device for updating key | |
CN111465060A (en) | Method, device and system for determining security protection mode | |
WO2021073382A1 (en) | Registration method and apparatus | |
CN113453287B (en) | Data transmission method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||