Disclosure of Invention
The application provides a method for media communication, a communication system, a server device, an electronic device, a terminal device, a computer readable storage medium and a computer program product.
In a first aspect of the present disclosure, a communication method is provided. The execution body of the method can be network element equipment, server equipment, a base station, a chip applied to the server equipment or the base station, and a logic module or software capable of realizing all or part of functions of the network element equipment, the server equipment or the base station. The following describes an example in which the execution body is a first network element device. In the method, a first network element device receives a first answer (answer) message for a proposal (offer) message comprising a media type from a second network element device, the media type being a media type requested by a terminal device. Based on receiving the first response message, the first network element device determines i) second indication information indicating whether or not to open a security protection for the media type, and/or ii) a security policy for determining whether or not to open the security protection for the media type. The first network element device sends a second response message to the terminal device for the proposal message, the second response message comprising second indication information indicating whether security protection is opened for the media type. The first network element device sends the second indication information or the security policy to the third network element device. In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type. In this way, the traffic performance requirements can be better met for certain media types without the need for security.
In some implementations, the first reply message includes a first indication of whether security protection is enabled for the media type. The determining second indication information indicating whether to open a security protection for the media type includes determining the second indication information based on the first indication information. In this way, the terminal device and the third network element device that need to establish a communication connection can obtain an indication that certain media types need to be secured, thereby establishing a secured communication connection accordingly in order to increase the security level.
In some implementations, the first indication information and the second indication information are both used to indicate that security protection is turned on for the media type, or the first indication information and the second indication information are both used to indicate that security protection is turned off for the media type. In this way, the terminal device and the third network element device that need to establish a communication connection can obtain an indication that certain media types can close the security protection, thereby accordingly establishing a communication connection that does not need security protection in order to improve the service performance.
In some implementations, the first reply message includes a security policy. In some embodiments, determining second indication information indicating whether security protection is enabled for the media type includes determining the second indication information according to a security policy. In this way, the first network element device may determine whether to initiate security protection between the terminal device and the third network element device directly according to the security policy.
In some implementations, the security policy includes at least one of requiring the security protection to be opened, not requiring the security protection to be opened, prioritizing the security protection to be opened, or prioritizing the security protection to be closed. In this way, it can be determined whether to open security protection according to protection requirements for the media type.
In some implementations, where the security policy includes a requirement to open the security protection, the second indication information indicates that the security protection is open for the media type; where the security policy includes a requirement to close the security protection, the second indication information indicates that the security protection is closed for the media type; and where the security policy includes a priority to open the security protection or a priority to close the security protection, the second indication information indicates either that the security protection is open for the media type or that the security protection is closed for the media type.
In some implementations, the first network element device includes a proxy call session control function (P-CSCF), the second network element device includes a serving call session control function (S-CSCF), and the third network element device includes an access media gateway (AGW) or a Data Channel Media Function (DCMF). In this way, Datagram Transport Layer Security (DTLS) communications may be selectively turned on or off between the terminal device and the access media gateway or DCMF.
In a second aspect of the present disclosure, a communication method is provided. The execution body of the method can be network element equipment, server equipment, a base station, a chip applied to the server equipment or the base station, and a logic module or software capable of realizing all or part of functions of the network element equipment, the server equipment or the base station. The following describes an example in which the execution body is the second network element device. In the method, the second network element device receives a proposal message for a media type from the first network element device, the media type being a media type requested by the terminal device. The second network element device determines i) first indication information indicating whether security protection is opened for the media type, or ii) a security policy for determining whether security protection is opened for the media type. Further, the second network element device sends a first response message to the first network element device for the proposal message, and wherein the first response message comprises one of a first indication information or a security policy. In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type. In this way, the traffic performance requirements can be better met for certain media types without the need for security.
In some implementations, the second network element determining the first indication information includes the second network element determining a security policy, and the second network element determining the first indication information based on the security policy. In this way, it may be determined by the second network element device whether to open security protection based on the security policy, thereby reducing the signaling load.
In some implementations, where the security policy includes a requirement to open the security protection, the first indication information is used to indicate that the security protection is open for the media type; where the security policy includes a requirement to close the security protection, the first indication information is used to indicate that the security protection is closed for the media type; and where the security policy includes a priority to open the security protection or a priority to close the security protection, the first indication information is used to indicate either that the security protection is open for the media type or that the security protection is closed for the media type.
In some implementations, the security policy is a local security policy at the third network element device or a security policy from a fourth network element device that includes a Home Subscription Server (HSS) or an Application Server (AS). In this way, security policies for media types may be flexibly configured.
In some implementations, the fourth network element device described above is a home subscription server, HSS, and wherein the security policy from the HSS is determined based on a subscription policy specific to the terminal device, the subscription policy indicating security policy requirements for the terminal device for the media type. In this way, different security policies can be specifically configured for different terminal devices.
In some implementations, the security policy for the media type includes at least one of requiring security protection to be opened, not requiring security protection to be opened, prioritizing security protection to be opened, or prioritizing security protection to be closed. In this way, whether or not to open security protection may be determined based on protection requirements for the media type.
In some implementations, the security protection includes at least one of encryption protection or integrity protection. In this way, the terminal device may choose not to turn on encryption and/or integrity protection for all media types.
In some implementations, the first network element device includes a P-CSCF and the second network element device includes an S-CSCF.
In a third aspect of the present disclosure, a communication method is provided. The execution subject of the method may be a terminal device. The terminal device may be a device for communication, a chip applied to the device, or a logic module or software capable of implementing all or part of the functions of the device. The following describes an example in which the execution subject is a terminal device. In the method, a terminal device sends a proposal message comprising a media type to a first network element device, the media type being a media type requested by the terminal device. The terminal device receives a second reply message to the offer message from the first network element device. The second response message includes second indication information indicating whether security protection is opened for the media type. Based on the second response message, the terminal device establishes a connection with the third network element device. In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type. In this way, the traffic performance requirements can be better met for certain media types without the need for security.
In some implementations, the second indication information indicates that the security protection is to be opened for the media type, and the terminal device establishing a connection with the third network element device includes the terminal device establishing a Transport Layer Security (TLS) connection or a Datagram Transport Layer Security (DTLS) connection with the third network element device. In some implementations, the second indication information indicates that the security protection is to be closed for the media type, and the terminal device establishing a connection with the third network element device includes the terminal device establishing a non-TLS connection or a non-DTLS connection with the third network element device.
In some implementations, the first network element device includes a P-CSCF and the third network element device includes an AGW or DCMF. In this way, DTLS communications can be selectively turned on or off between the terminal device and the access media gateway or DCMF.
In a fourth aspect of the present disclosure, a communication method is provided. The execution body of the method can be network element equipment, server equipment, a base station, a chip applied to the server equipment or the base station, and a logic module or software capable of realizing all or part of functions of the network element equipment, the server equipment or the base station. The following describes an example in which the execution body is a third network element device. In the method, the third network element device receives from the first network element device one of i) a second indication indicating whether security protection is to be opened for the media type, or ii) a security policy for determining whether security protection is to be opened for the media type, the media type being the media type requested by the terminal device, for a proposal message comprising the media type. Further, the third network element device establishes a connection with the terminal device based on the second indication or the security policy. In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type. In this way, the traffic performance requirements can be better met for certain media types without the need for security.
In some implementations, where the third network element device receives, from the first network element device, second indication information to initiate security protection for the media type or a security policy requiring initiation of security protection, the third network element device establishing a connection with the terminal device includes the third network element device establishing a Transport Layer Security (TLS) connection or a Datagram Transport Layer Security (DTLS) connection with the terminal device. In some implementations, where the third network element device receives, from the first network element device, second indication information to close the security protection for the media type or a security policy requiring the security protection to be closed, the third network element device establishing a connection with the terminal device includes the third network element device establishing a non-TLS connection or a non-DTLS connection with the terminal device. In some implementations, where the third network element device receives, from the first network element device, a security policy that prioritizes opening or prioritizes closing the security protection, the third network element device establishing the connection with the terminal device includes the third network element device either establishing a TLS connection or a DTLS connection with the terminal device, or establishing a non-TLS connection or a non-DTLS connection with the terminal device. In this way, the third network element device establishes a secure connection with the terminal device if security protection needs to be opened for certain media types, thereby improving communication efficiency.
In some implementations, the first network element device includes a P-CSCF and the third network element device includes an AGW or DCMF. In this way, DTLS communications can be selectively turned on or off between the terminal device and the access media gateway or DCMF.
In a fifth aspect of the present disclosure, a communication method is provided. The execution body of the method can be network element equipment, server equipment, a base station, a chip applied to the server equipment or the base station, and a logic module or software capable of realizing all or part of functions of the network element equipment, the server equipment or the base station. The following describes an example in which the execution body is a fourth network element device. In the method, the fourth network element device determines a security policy for the terminal device based on a subscription policy of the terminal device, the subscription policy indicating security policy requirements for the terminal device for the media type. The fourth network element device sends the security policy to the second network element device. In this way, the network side can decide for the terminal device whether to open the communication security protection with the terminal device according to the specific media type. In this way, the traffic performance requirements can be better met for certain media types without the need for security.
In some implementations, the second network element device comprises a serving call session control function, S-CSCF, and the fourth network element device comprises a home subscription server, HSS. In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type.
In some implementations, the security policy includes at least one of requiring the security protection to be opened, not requiring the security protection to be opened, prioritizing the security protection to be opened, or prioritizing the security protection to be closed. In this way, whether or not to open security protection may be determined based on protection requirements for the media type.
In a sixth aspect of the present disclosure, a communication system is provided. The communication system comprises the first to fourth network element devices and the terminal device.
In a seventh aspect of the present disclosure, a server device is provided. The server device may be a part of a server, a chip provided in the server or the part, or a logic module or software capable of realizing all or part of the functions of the server or the part. Further, the one portion of the server device may communicate with another portion of the server device. The server device includes a processor, and a memory storing instructions that, when executed by the processor, cause the server device to perform any of the methods of the first, second, fourth and fifth aspects and implementations thereof.
In an eighth aspect of the present disclosure, a terminal device is provided. The server device comprises a processor, and a memory storing instructions that, when executed by the processor, cause the server device to perform any of the methods of the third aspect and implementations thereof.
In a ninth aspect of the present disclosure, an electronic device is provided. The electronic device may be a part of a server, a chip provided in the server or the part, or a logic module or software capable of realizing all or part of the functions of the server or the part. Further, the portion of the electronic device may communicate with another portion of the electronic device. The electronic device comprises a processor, and a memory storing instructions that, when executed by the processor, cause the electronic device to perform any of the methods of the first to fifth aspects and implementations thereof.
In a tenth aspect of the present disclosure, a computer readable storage medium is provided. The computer readable storage medium stores instructions that, when executed by an electronic device, cause the electronic device to perform any of the methods of the first to fifth aspects and implementations thereof.
In an eleventh aspect of the present disclosure, a computer program product is provided. The computer program product comprises instructions which, when executed by an electronic device, cause the electronic device to perform any of the methods of the first to fifth aspects and implementations thereof.
It should be understood that the description in this summary is not intended to limit the critical or essential features of the disclosure, nor is it intended to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
In describing embodiments of the present disclosure, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like, may refer to different or the same object. Other explicit and implicit definitions are also possible below.
Embodiments of the present disclosure may be implemented in accordance with any suitable communication protocol, including, but not limited to, cellular communication protocols such as third generation (3G), fourth generation (4G), fifth generation (5G), and future communication protocols (e.g., sixth generation (6G)), wireless local area network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, and/or any other protocol now known or later developed.
The technical solutions of the embodiments of the present disclosure are applied to communication systems that follow any suitable communication protocol, such as a Universal Mobile Telecommunications System (UMTS), a Long Term Evolution (LTE) system, a Wideband Code Division Multiple Access (WCDMA) system, a Code Division Multiple Access 2000 (CDMA2000) system, a Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) system, a Frequency Division Duplex (FDD) system, a Time Division Duplex (TDD) system, a fifth generation (5G) system (e.g., New Radio (NR)), future communication systems (e.g., a sixth generation (6G) system), and so forth.
For purposes of illustration, embodiments of the present disclosure are described below in the context of a 5G communication system in 3GPP. However, it should be understood that embodiments of the present disclosure are not limited to this communication system, but may be applied to any communication system where similar problems exist, such as a Wireless Local Area Network (WLAN), a wired communication system, or other communication systems developed in the future, and the like.
The term "terminal" or "terminal device" as used in this disclosure refers to any terminal device capable of wired or wireless communication with a network device or with each other. The terminal device may sometimes be referred to as a User Equipment (UE). The terminal device may be any type of mobile terminal, fixed terminal or portable terminal. The terminal device may be any of various wireless communication devices having a wireless communication function. With the advent of Internet of Things (IoT) technology, more and more devices that were not previously provided with communication functions, such as, but not limited to, home appliances, vehicles, tool devices, service devices, and service facilities, have begun to obtain wireless communication functions by being configured with a wireless communication unit, so that they can access the wireless communication network and accept remote control. Such devices are also included in the category of wireless communication devices because they are equipped with a wireless communication unit and have a wireless communication function.
As an example, the terminal device may include a mobile cellular telephone, a cordless telephone, a Mobile Terminal (MT), a mobile station, a mobile device, a wireless terminal, a handheld device, a client, a subscription station, a portable subscription station, an internet node, a communicator, a desktop computer, a laptop computer, a notebook computer, a tablet computer, a personal communication system device, a personal navigation device, a personal digital assistant (PDA), a wireless data card, a wireless modem (modulator-demodulator), a positioning device, a radio broadcast receiver, an electronic book device, a gaming device, an Internet of Things (IoT) device, an in-vehicle device, an aircraft, a Virtual Reality (VR) device, an augmented reality (AR) device, a wearable device (e.g., a smartwatch, etc.), a terminal device in a 5G network or any terminal device in an evolved public land mobile network (PLMN), other device available for communication, or any combination of the above. Embodiments of the present disclosure are not limited in this regard.
The term "network node" or "network device" as used in this disclosure is an entity or node that may be used for communication with a terminal device, e.g. an access network device. The access network device may be an apparatus deployed in a radio access network to provide wireless communication functionality for mobile terminals, and may be, for example, a radio access network (RAN) network device. The access network device may include various types of base stations. The base station is used for providing wireless access service for the terminal equipment. Specifically, each base station corresponds to a service coverage area, and terminal devices entering the service coverage area can communicate with the base station through wireless signals, so as to receive wireless access services provided by the base station. There may be an overlap between service coverage areas of base stations, and a terminal device in the overlapping area may receive wireless signals from multiple base stations, so that multiple base stations may serve the terminal device at the same time. Depending on the size of the service coverage area provided, the access network device may include macro base stations providing macro cells, micro base stations providing micro cells, pico base stations providing pico cells, and femto base stations providing femto cells. The access network devices may also include various forms of relay stations, access points, remote radio units (RRUs), radio heads (RHs), remote radio heads (RRHs), and so on. In systems employing different radio access technologies, the names of access network devices may vary, e.g., they are referred to as evolved NodeBs (eNBs or eNodeBs) in Long Term Evolution (LTE) networks, as NodeBs (NBs) in 3G networks, as gNodeBs (gNBs) or NR NodeBs (NR NBs) in 5G networks, etc.
In some scenarios, the access network device may contain a Centralized Unit (CU) and/or a Distributed Unit (DU). The CU and DU can be placed in different places, e.g., the DU is deployed remotely in an area of high traffic and the CU is placed in the central office. Alternatively, the CU and DU may be placed in the same room. The CU and DU may also be different components in one rack. For convenience of description, in the subsequent embodiments of the present disclosure, the above devices for providing wireless communication functions for mobile terminals are collectively referred to as network devices, and embodiments of the present disclosure are not specifically limited. It will be appreciated that all or part of the functionality of the network device of the present application may also be implemented by software functions running on hardware, or by virtualized functions instantiated on a platform (e.g. a cloud platform).
In particular, in some communication scenarios, the media between the terminal device and the gateway device has to be secured. For example, 33.328 specifies, with regard to Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS), that unencrypted TLS cipher suites should not be used.
This means that the media traffic between the UE and the IP multimedia subsystem-access gateway (IMS-AGW) has to be secured (full security + confidentiality), but the transmission performance loss when TLS is enabled may be as high as about 50%. However, for portions of the media data stream (e.g., the data stream of an entertainment application or video application), performance may be more critical, and whether security protection is enabled is not important. The current standards do not allow operators to choose security protection flexibly on a per-service basis. In this case, the data streams of certain media types may not meet the performance level desired by the customer. Accordingly, it may be considered to support the determination of whether to turn on DTLS by the network side for a specified service or media type, thereby enabling more flexible configuration.
In view of the foregoing discussion, embodiments of the present disclosure provide a communication method. In the method, a first network element device receives a first answer (answer) message for a proposal (offer) message comprising a media type from a second network element device, the media type being a media type requested by a terminal device. Based on receiving the first response message, the first network element device determines i) second indication information indicating whether security protection is opened for the media type, and/or ii) a security policy for determining whether security protection is opened for the media type. The first network element device sends a second response message to the terminal device for the proposal message, the second response message comprising second indication information indicating whether security protection is opened for the media type. The first network element device sends the second indication information or the security policy to the third network element device.
In this way, the network side can decide whether to open the communication security protection with the terminal device according to the media type. In this way, the traffic performance requirements may be better met for certain media types, e.g., redundant encryption operations may no longer be performed. In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings. The specific methods of operation, functional descriptions, etc. in the method embodiments may also be applied in the apparatus embodiments or the system embodiments.
FIG. 1a illustrates an example communication architecture scenario 100A in which embodiments of the present disclosure may be implemented. The media plane communication method provided by the embodiment of the application can be applied to the communication architecture scene 100A. In the communication architecture scenario 100A, a proxy call session control function P-CSCF 110, a serving call session control function S-CSCF 120, a terminal device 130, an access media gateway IMS-AGW or data channel media function 140, and a home subscription server HSS or an application server AS 150 are shown. The proxy call session control function P-CSCF 110, the serving call session control function S-CSCF 120, the access media gateway IMS-AGW or data channel media function DCMF, and the home subscription server HSS or the application server AS 150 may also be collectively referred to AS network element devices. It should be understood that the numbers shown in fig. 1a are by way of example only. Any other number of network element devices and terminal devices may also be included in fig. 1A, which is not limiting in any way by the present disclosure. In some embodiments, the terminal device 130 may exchange each other's fingerprint information with the IMS-AGW or the data channel media function 140 via the P-CSCF. Further, a secured TLS communication or DTLS communication may be established after the terminal device 130 mutually verifies the fingerprint information with the IMS-AGW or DCMF. How to establish TLS communication or DTLS communication between a terminal device or UE and an IMS-AGW or DCMF will be discussed in further detail with reference to fig. 1 b.
Fig. 1B shows a signaling procedure 100B for establishing a protected media plane communication between a terminal device and a network side.
In signaling process 100B, terminal device 130 (e.g., UE 130) sends (151) an SDP offer message to P-CSCF 110, which may include the media service requested by UE 130 and fingerprint information associated with UE 130. In an example, the fingerprint information may be a hash value. Further, the fingerprint information may be used by the IMS-AGW 140 in a subsequent DTLS-SRTP handshake step to authenticate the UE 130, thereby enabling DTLS communication with the UE 130. Further, the P-CSCF 110 interacts (153) with the IMS-AGW 140 to configure routing paths etc. for the media services requested in the SDP offer. Further, based on the received SDP offer, the P-CSCF 110 forwards (155) the SDP offer to the S-CSCF 120 and receives (157) an SDP answer from the S-CSCF 120. Then, a media security setup is performed (159) between the P-CSCF 110 and the IMS-AGW 140. During the media security setup procedure, the P-CSCF 110 passes the fingerprint information related to the terminal device 130, acquired from the terminal device 130, to the IMS-AGW 140. Additionally, the P-CSCF 110 obtains from the IMS-AGW 140 fingerprint information that is related to the IMS-AGW 140. The P-CSCF 110 sends another SDP answer message to the UE 130, which may include the fingerprint information related to the IMS-AGW 140. Further, in the DTLS-SRTP handshake procedure 163, the UE 130 and the IMS-AGW 140 may directly exchange fingerprint information with each other. Then, the UE 130 and the IMS-AGW 140 each compare the directly received fingerprint information of the counterpart with the fingerprint information of the counterpart obtained via the P-CSCF 110. If the fingerprint information obtained by the two routes matches (i.e., the fingerprint information received directly from the counterpart and the fingerprint information about the counterpart obtained via the P-CSCF 110), the UE 130 may establish a DTLS connection with the IMS-AGW 140.
Further, UE 130 may exchange (165) the payload data of the media service with IMS-AGW 140 by means of the secure real-time transport protocol.
That is, in a web real-time communication (RTC) data channel scenario, a UE and an IMS-AGW may establish DTLS by:
1. the UE exchanges certificate fingerprints of the UE and the IMS-AGW with the P-CSCF through SDP proposal/response information;
2. the P-CSCF sends the acquired UE certificate fingerprint to the IMS-AGW;
3. the UE and the IMS-AGW establish a DTLS link based on the acquired certificate fingerprint of the opposite party; and
4. all subsequent media plane data between the UE and the IMS-AGW is protected by DTLS.
In this case, regardless of the media service or media type, it is necessary to exchange fingerprint information of each other between the UE and the IMS-AGW and verify the fingerprint information for DTLS link establishment. However, this may consume additional resources, resulting in the desired performance level of the media service not being achieved.
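The fingerprint comparison in steps 1 to 3 can be sketched as follows. This is an added example, not code from the disclosure: it assumes the fingerprint travels in the standard SDP `a=fingerprint` attribute, and the function names, the stand-in certificate bytes and the sample SDP answer are constructed for illustration.

```python
import hashlib
import hmac

# Hash names accepted in an SDP a=fingerprint attribute, mapped to hashlib.
# Weaker hashes (for example sha-1) are deliberately absent.
SUPPORTED_HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint_attribute(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Build the a=fingerprint line an endpoint places in its SDP."""
    digest = hashlib.new(SUPPORTED_HASHES[hash_name], cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return "a=fingerprint:" + hash_name + " " + pairs


def parse_sdp_fingerprints(sdp: str) -> list:
    """Return (hash_name, digest_bytes) for every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.lower().startswith("a=fingerprint:"):
            continue
        try:
            hash_name, hex_pairs = line.split(":", 1)[1].split(None, 1)
            digest = bytes.fromhex(hex_pairs.strip().replace(":", ""))
        except ValueError:
            raise ValueError("malformed fingerprint attribute: %r" % line) from None
        found.append((hash_name.lower(), digest))
    return found


def peer_cert_matches(sdp_from_signalling: str, handshake_cert_der: bytes) -> bool:
    """True only if the certificate presented in the DTLS handshake matches a
    fingerprint that arrived over signalling (via the P-CSCF).

    Fails closed: no fingerprint, an unsupported hash, or a mismatch all
    return False, so the DTLS link is not established.
    """
    matched = False
    for hash_name, expected in parse_sdp_fingerprints(sdp_from_signalling):
        algo = SUPPORTED_HASHES.get(hash_name)
        if algo is None:
            continue  # never accept a match on a weak or unknown hash
        actual = hashlib.new(algo, handshake_cert_der).digest()
        if hmac.compare_digest(actual, expected):
            matched = True
    return matched


def build_answer(agw_cert_der: bytes) -> str:
    """Constructed SDP answer carrying the IMS-AGW fingerprint to the UE."""
    return "\r\n".join([
        "v=0",
        "o=- 0 0 IN IP4 192.0.2.10",
        "s=-",
        "t=0 0",
        "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
        fingerprint_attribute(agw_cert_der),
    ]) + "\r\n"


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes; a real endpoint would
    # hash the certificate actually received in the DTLS handshake.
    agw_cert = b"constructed IMS-AGW certificate bytes"
    answer = build_answer(agw_cert)
    print("genuine peer :", peer_cert_matches(answer, agw_cert))
    print("other cert   :", peer_cert_matches(answer, b"some other certificate"))
```

The same check runs on the IMS-AGW side against the UE fingerprint that the P-CSCF forwarded from the SDP offer.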
Fig. 2 illustrates a signaling process 200 for establishing media plane communication between a terminal device and a network side in accordance with an embodiment of the present disclosure. For clarity of discussion, and without any limitation, the following embodiments will also be discussed in conjunction with fig. 1.
In the signaling procedure 200, the terminal device 130 may send (203) a proposal (offer) message 203 to the first network element device 110. In some embodiments, the offer message may indicate that the terminal device 130 requests a media service. In particular, the offer message may include a service type of the requested media service, such as a text type, an audio type, a video type, an application, a message, an image, an entertainment application type, and the like. In particular, the indication about the media type may be listed in, for example, the corresponding m-line of the media information. In turn, the first network element device 110 may receive (205) the offer message 203 from the terminal device 130. The first network element device 110 may then send a proposal message 208 to the second network element device 120 based on the proposal message 203. Similarly, the offer message 208 may include the service type of the media service requested by the terminal device 130. Accordingly, the second network element device 120 may receive (209) the offer message 208. Additionally, in some embodiments, the offer may also include capability information for the terminal device 130 indicating whether the terminal device 130 supports turning off and/or turning on security protection (e.g., DTLS). In an example, if the capability information indicates that the terminal device 130 supports turning off security protection, the network element device on the network side may indicate to the terminal device 130 to turn off security protection for a particular media type as described in the embodiments below. Alternatively, if the capability information indicates that the terminal device 130 does not support turning off security protection, the network element on the network side will always establish a security-protected communication (e.g., DTLS communication) with the terminal device 130.
Without any limitation, in some embodiments the proposal may also not include the above-described capability information, in which case the network element at the network side may determine whether to open the security protection for a particular media type and send an indication to the terminal device 130 as described below in the embodiments. In this case, a terminal device 130 that does not support turning off the security protection may feed back to the network element device that it does not support turning off the security protection, or send a request to the network element device to establish media communication with the security protection opened. Alternatively, in the case where capability information is not included in the proposal, the network element device on the network side may also transmit a request message for the capability information to the terminal device 130 to obtain the capability information.
Further, at the second network element device 120, it may be determined (210) whether to open security protection based on a security policy for the media type included in the offer message 208. For example, in a security policy, security protection may be required to be turned on for text and voice media types, and turned off for video and entertainment application media types (since in gaming applications, for example, security protection such as integrity protection may not be required, while higher traffic data flow performance is required). It should be appreciated that the above security policies are by way of example only and not by way of limitation, and that any other security policies may be employed for the above media types, such as requiring security protection for video media types, preferring it for image media types, and so forth. In some embodiments, the security policy may include, for different media types, at least one of requiring (required) security protection to be turned on, not requiring (non-required) security protection, preferring (preferred) security protection to be turned on, or preferring (preferred) security protection to be turned off. In this way, security protection can be flexibly configured at the media granularity level, and the network side can decide whether to open protection with the UE according to the media type. Additionally, in the present disclosure, the security protection may include at least one of integrity protection or encryption protection. In some embodiments, if the security policy for a particular media type is to preferentially open the security protection or preferentially close the security protection, the second network element device 120 may autonomously determine whether to open the security protection for the media type requested by the terminal device based on information such as current traffic performance, network load, available bandwidth, and traffic priority.
For example, if the security policy is to prioritize the opening of the security protection, the second network element device 120 may open the security protection when the traffic performance, network load, available bandwidth, traffic priority, etc. meet a predetermined threshold. Alternatively, the second network element device 120 may turn off the security protection if the traffic performance, network load, available bandwidth, traffic priority, etc. do not meet a predetermined threshold, even though the security policy is to prioritize the security protection on, and vice versa. Without any restrictions, in case the security policy for a specific media type is to preferentially open or preferentially close the security protection, the second network element device may also determine whether to open the security protection based on any other parameters related to network performance or security. That is, in some embodiments, if the security policy includes a requirement to open security protection, the second network element device 120 may determine that the first indication information indicates that security protection is open for the media type. If the security policy includes a requirement to close the security protection, the second network element device 120 may determine that the first indication information indicates that the security protection is closed for the media type. If the security policy includes preferentially opening the security protection or preferentially closing the security protection, the second network element device 120 may determine that the first indication information indicates that the security protection is opened for the media type or that the first indication information indicates that the security protection is closed for the media type.
In some embodiments, the security policy may be a security policy configured locally at the second network element device 120. In some cases, the security policy may be configured with granularity of media types. That is, regardless of which terminal device requests the media service, the security policies for the same media type are consistent. For example, whichever terminal device requests an image media type, the security protection is turned on preferentially for the image media type service. Alternatively, the security policy may be configured with granularity of the terminal device. That is, the security policy for the media type is terminal device specific. In this case, each terminal device has security policies specific to that terminal device for different media types. Thus, even if different terminal devices are requesting the same media type, it may be different whether security protection for that media type is opened. For example, for a first terminal device, a security policy for a video media type is that security protection needs to be turned on. In turn, the security policy for the second terminal device for the video media type may be to preferentially turn off the security protection. It should be understood that the above-described policies regarding security protection are for illustrative purposes only and are not intended to be limiting in any way. In some embodiments, the terminal device-specific security policy configured with the terminal device as a granularity may be determined based on a terminal device-specific subscription policy. The subscription policy may indicate security policy requirements for any media type for the terminal device to be secure. For example, if a first terminal device has a high security requirement for a text media type, the security policy for that terminal device for the media type may be that security protection needs to be opened.
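The decision described above, from the capability information in the offer through the four policy values to the media-type and terminal-device granularity, can be put together as follows. This is an added example, not code from the disclosure: the policy tables, terminal identifiers, load thresholds and the fail-closed default for unlisted media types are all assumptions made for illustration.

```python
from enum import Enum


class Policy(Enum):
    REQUIRED = "required"          # protection must be opened
    NOT_REQUIRED = "not-required"  # protection is closed
    PREFER_ON = "preferred-on"     # opened unless conditions argue against it
    PREFER_OFF = "preferred-off"   # closed unless conditions allow opening it


# Constructed media-type-granularity policy, following the examples in the text.
MEDIA_POLICY = {
    "text": Policy.REQUIRED,
    "audio": Policy.REQUIRED,
    "image": Policy.PREFER_ON,
    "video": Policy.NOT_REQUIRED,
}

# Constructed terminal-device-granularity overrides (e.g. from subscription
# data); the terminal identifiers are placeholders.
TERMINAL_POLICY = {
    "ue-1": {"video": Policy.REQUIRED},
    "ue-2": {"video": Policy.PREFER_OFF},
}

# Assumed thresholds on normalised network load (0.0 idle .. 1.0 saturated).
HIGH_LOAD = 0.8  # PREFER_ON gives way at or above this load
LOW_LOAD = 0.3   # PREFER_OFF opens protection at or below this load


def offered_media_types(sdp_offer: str) -> list:
    """Media type of each m= line, in order (m=<media> <port> <proto> <fmt>)."""
    types = []
    for line in sdp_offer.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if fields:
                types.append(fields[0].lower())
    return types


def resolve_policy(media: str, terminal_id: str) -> Policy:
    """Terminal-specific policy wins over the media-type policy.

    Assumption: a media type with no configured policy is treated as
    REQUIRED, so an unlisted type never loses protection by omission.
    """
    override = TERMINAL_POLICY.get(terminal_id, {}).get(media)
    if override is not None:
        return override
    return MEDIA_POLICY.get(media, Policy.REQUIRED)


def protection_on(media: str, terminal_id: str,
                  ue_can_turn_off: bool, load: float) -> bool:
    """Return True when security protection (e.g. DTLS) is to be opened."""
    if not ue_can_turn_off:
        return True  # UE cannot run unprotected: always protect
    policy = resolve_policy(media, terminal_id)
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_REQUIRED:
        return False
    if policy is Policy.PREFER_ON:
        return load < HIGH_LOAD
    return load <= LOW_LOAD  # PREFER_OFF


def first_indications(sdp_offer: str, terminal_id: str,
                      ue_can_turn_off: bool, load: float) -> list:
    """One (media_type, protection_on) pair per m= line of the offer."""
    return [(m, protection_on(m, terminal_id, ue_can_turn_off, load))
            for m in offered_media_types(sdp_offer)]


# Constructed SDP offer with four media descriptions.
CONSTRUCTED_OFFER = "\r\n".join([
    "v=0",
    "o=- 0 0 IN IP4 192.0.2.1",
    "s=-",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 96",
    "m=image 49172 udptl t38",
    "m=message 9 TCP/MSRP *",
]) + "\r\n"

if __name__ == "__main__":
    for ue in ("ue-1", "ue-2", "ue-3"):
        print(ue, first_indications(CONSTRUCTED_OFFER, ue, True, 0.5))
```

The capability check comes before any policy lookup, so a policy entry can never switch protection off for a terminal that has not declared support for it.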
Alternatively, the security policy may be obtained by the second network element device 120 from the fourth network element device 150. The fourth network element device 150 may comprise a home subscription server HSS 150 or an application server AS 150. In some embodiments, the fourth network element device 150 is an HSS 150. In this case, the HSS 150 may determine (211) a security policy according to the subscription policy specific to the terminal device 130, which may be of terminal-device granularity as described above. In turn, the HSS 150 may send (213) the determined security policy 215 to the second network element device 120. Accordingly, the second network element device 120 receives (217) the security policy 215 from the fourth network element device 150. In some embodiments, the fourth network element device 150 is an AS 150. In this case, the AS 150 may determine (211) a media-type-granularity security policy and send (213) the determined media-type-granularity security policy to the second network element device 120.
After determining to turn on/off security protection for the media type included in the offer message 203 or 208, the second network element device 120 sends (210) a first response message 213 to the first network element device 110. The first response message 213 includes first indication information indicating whether security protection is opened for the media type.
Accordingly, the first network element device 110 receives (215) the first reply message 213 from the second network element device 120. Further, the first network element device 110 determines (217) second indication information indicating whether security protection is opened for the media type based on the first response message 213. In some embodiments, the first network element device 110 determines the second indication information from the first indication information in the first reply message 213. For example, the first indication information and the second indication information are both used to indicate that the security protection is opened for the media type, or the first indication information and the second indication information are both used to indicate that the security protection is closed for the media type. Further, the first network element device 110 sends (219,225) second indication information (221,227) indicating whether or not to open security protection for the media type to the third network element device 140 and the terminal device 130, respectively. As an example, if the first indication information indicates that security protection is opened for the media type, the first network element device 110 may respectively transmit second indication information indicating that security protection is opened to the third network element device 140 and the terminal device 130. Alternatively, if security protection needs to be opened, the first network element device 110 may also notify the third network element device 140 of only fingerprint information related to the terminal device 130 to implicitly inform the third network element device 140 that security protection is opened for the media type. 
Additionally or alternatively, the first network element device 110 may also inform the terminal device 130 only about fingerprint information about the third network element device 140 to implicitly inform the terminal device 130 that security protection is opened for that media type. Additionally, if it is determined that the security protection can be turned off based on the security policy, the first network element device 110 may (implicitly) indicate that the security protection does not need to be turned on in a protocol stack that does not include the security protection (e.g., a protocol stack that does not include DTLS) in the second reply message sent to the terminal device 130. That is, in the present disclosure, whether to close the security protection for the media type may be indicated to the terminal device 130 in various ways, such as any of the explicit or implicit indication methods described above.
Accordingly, the second indication information 221 is received (223) at the third network element device 140 and the second answer message 227 is received (229) at the terminal device 130. Although the indication information sent to the third network element device 140 and to the terminal device 130 indicating whether or not to open the security protection is in both cases referred to as second indication information, it should be understood that these are two independent pieces of second indication information sent to different devices. In case the first indication information indicates that security protection is opened for the media type, the first network element device 110 may relay each other's fingerprint information between the third network element device 140 and the terminal device 130. That is, the terminal device 130 is notified of fingerprint information about the third network element device 140 and the third network element device 140 is notified of fingerprint information about the terminal device 130. Further, the terminal device 130 and the third network element device 140 may establish (233) a secure communication connection, such as a DTLS connection or a TLS connection, by verifying each other's fingerprint information. Alternatively, in some embodiments, the first indication information indicates that security protection is closed for the media type. In this case, the first network element device 110 sends a second indication to the third network element device 140 indicating that the security protection is closed for the media type. Since the security protection does not need to be opened, the first network element device 110 may not transmit fingerprint information related to the terminal device 130 to the third network element device 140, thereby saving communication resources.
In turn, the first network element device 110 also sends (225) to the terminal device 130 a second reply message 227 including second indication information for the media type, and the second indication information indicates that the security protection is closed for the media type. Accordingly, the terminal device 130 receives (229) the second reply message from the first network element device 110. In case the first indication information in the first response message indicates that the security protection is closed for the media type, the first network element device 110 may not need to inform the terminal device 130 of fingerprint information related to the third network element device 140 or inform the third network element device 140 of fingerprint information related to the terminal device 130, thereby saving communication resources. Further, the terminal device 130 and the third network element device 140 may establish a communication connection that is not secured, such as a non-DTLS connection or a non-TLS connection, thereby improving the performance level of the traffic data stream.
Additionally or alternatively, the first reply message 213 may directly include a security policy for the media type for the first network element device 110 to autonomously decide. Without any limitation, the security policy may be a media type-granularity security policy as described above, or may be a terminal device-granularity security policy. In this case, the first network element device 110 autonomously determines a security policy for determining whether to open a security protection for the media type based on the first reply message 213. In some embodiments, the first network element device 110 may determine the indication information indicating whether to open security protection for the media type based on the security policy in the same manner as the second network element device 120. As an example, if the security policy includes a requirement to open a security protection, the first network element device 110 may determine that the second indication information indicates that the security protection is open for the media type. If the security policy includes a requirement to close the security protection, the first network element device 110 may determine that the second indication information indicates that the security protection is closed for the media type. If the security policy includes preferentially opening the security protection or preferentially closing the security protection, the first network element device 110 may determine that the second indication information indicates that the security protection is opened for the media type or that the second indication information indicates that the security protection is closed for the media type.
In some embodiments, based on the security policy, the first network element device 110 may determine to open the security protection for the media type. The first network element device 110 may then send second indication information to the third network element device 140 indicating that security protection is opened for the media type. That is, instead of relying on the first indication information in the first reply message, the first network element device 110 may autonomously determine the second indication information based on the security policy in the first reply message. Similarly, once the first network element device 110 determines whether to open the security protection for the media type based on the security policy, the first network element device 110 may notify the terminal device 130 and the third network element device 140 in the same manner as in the above-described embodiment (the embodiment in which the second indication information is determined based on the first indication information). Further, the terminal device 130 and the third network element device 140 may determine whether to open the security protection, i.e., establish a DTLS or TLS connection, or a non-DTLS or non-TLS connection, based on the second indication information (or the obtained fingerprint information).
Alternatively, the decision whether or not to start security protection may also be made at the third network element device 140. In some embodiments, the first reply message 213 includes a security policy for the media type. The first network element device 110 obtains (217) a security policy for the media type based on the first reply message 213. In turn, the first network element device 110 sends (219) a security policy 221 for the media type to the third network element device 140. Accordingly, the third network element device 140 receives (223) the security policy 221 for the media type from the first network element device 110. In this case, when the third network element device 140 is to establish a communication connection with the terminal device 130, the third network element device 140 may decide whether to open the security protection based on the media type of the communication connection and the security policy for the media type. Further, the third network element device 140 and the terminal device 130 may establish a secure connection or a non-secure connection in the same manner as described above. In this case, the decision whether or not to start security protection may be made at the third network element device 140. In some embodiments, the first network element device 110 may be a P-CSCF, the second network element device 120 may be an S-CSCF, the third network element device 140 may be an AGW or DCMF, and the fourth network element device 150 may be an HSS or an AS. It should be understood that the above-described network element devices are only examples, and that these network element devices may also be any other network element devices with similar functionality that are developed in the future.
Further, for clarity of discussion, two specific examples of establishing a communication connection for a media type are discussed with reference to Fig. 3A and Fig. 3B.
Fig. 3a illustrates one example 300A of establishing media plane communication between a terminal device and a network side according to an embodiment of the present disclosure.
In example 300A, UE 130 may be terminal device 130 in Fig. 2, P-CSCF 110 may be first network element device 110 in Fig. 2, IMS-AGW 140 may be third network element device 140 in Fig. 2, and S-CSCF 120 may be second network element device 120 in Fig. 2.
In example 300A, a decision may be made by the signaling plane as to whether to turn on DTLS protection, including the following design. Specifically, in example 300A, it is the S-CSCF 120 that decides whether to turn on the security protection described above according to the security policy.
Similarly, UE 130 sends (310) a proposal message including the media type to P-CSCF 110 (i.e., the SDP offer sent from UE 130 to P-CSCF 110). In turn, the P-CSCF 110 sends (312) another offer message that includes the media type to the S-CSCF 120 (i.e., the SDP offer sent from the P-CSCF 110 to the S-CSCF 120). In turn, the S-CSCF 120 determines (314) whether DTLS needs to be turned on for the corresponding media stream according to the local subscription and/or security policy and adds an indication (i.e., a first indication) to the corresponding m-line in the first response message. The S-CSCF 120 sends (316) a first response message including the first indication to the P-CSCF 110 (i.e., the SDP answer sent from the S-CSCF 120 to the P-CSCF 110). Next, for sessions requiring DTLS to be opened, the P-CSCF 110 exchanges (318) corresponding fingerprint information with the IMS-AGW 140, and for sessions not requiring DTLS to be opened, the P-CSCF 110 sends (318) the above-mentioned second indication to the IMS-AGW 140. In addition, P-CSCF 110 sends (320) to UE 130 a second answer message (i.e., the SDP answer sent from P-CSCF 110 to UE 130) that includes a second indication.
In this process:
1. The S-CSCF 120 decides whether to turn on DTLS for the media of a given m-line according to a locally configured policy or the subscription of the user. The local policy or subscription policy is bound to media types, for example not turning on DTLS for high-traffic media such as video and turning it on for text types, which can be judged from the media type in the SDP m-line, where the current media types include audio, video, text, application, message, image and the like. Optionally, a media-granularity security policy may also be configured at the AS 150, in which case the S-CSCF 120 obtains indication information from the AS 150. Alternatively, the local configuration may be configured at the P-CSCF 110.
2. The P-CSCF transmits an indication of whether DTLS is turned on for the session to both sides, namely the UE and the IMS-AGW.
Alternatively, if DTLS is terminated between the UE and the DCMF (data channel media function), the IMS-AGW 140 in the above procedure is replaced by the DCMF 140. Alternatively, the indication may be classified as an encryption indication, a security indication, or a security protection indication, and the UE 130/IMS-AGW 140 determines whether to turn on DTLS or selects a corresponding suite (in the TLS 1.2 case) according to the indication.
Fig. 3B illustrates one example 300B of establishing media plane communication between a terminal device and a network side according to an embodiment of the present disclosure.
In example 300B, UE 130 may be terminal device 130 in Fig. 2, P-CSCF 110 may be first network element device 110 in Fig. 2, IMS-AGW 140 may be third network element device 140 in Fig. 2, and S-CSCF 120 may be second network element device 120 in Fig. 2.
In example 300B, a decision may be made by the signaling plane as to whether to turn on DTLS protection, including the following design. Specifically, in example 300B, the P-CSCF 110 or the IMS-AGW 140 decides whether to turn on the security protection according to the security policy.
Similarly, UE 130 sends (330) a proposal message including the media type to P-CSCF 110 (i.e., the SDP offer sent from UE 130 to P-CSCF 110). In turn, the P-CSCF 110 sends (332) another offer message including the media type to the S-CSCF 120 (i.e., the SDP offer sent from the P-CSCF 110 to the S-CSCF 120). In turn, the S-CSCF 120 generates (334) a security policy for the particular media according to the local subscription and/or security policy and adds the security policy (i.e., the first indication) to the corresponding m-line in the first response message. The S-CSCF 120 sends (336) a first response message including the first indication to the P-CSCF 110 (i.e., the SDP answer sent from the S-CSCF 120 to the P-CSCF 110). Next, based on the security policy, for sessions that require DTLS to be opened, the P-CSCF 110 exchanges (338) corresponding fingerprint information with the IMS-AGW 140; for sessions that do not require DTLS to be opened, the P-CSCF 110 sends (338) the above-mentioned second indication to the IMS-AGW 140. Further, based on the security policy, P-CSCF 110 sends (340) to UE 130 a second answer message (i.e., the SDP answer sent from P-CSCF 110 to UE 130) including a second indication.
In contrast to example 300A, in example 300B the security policy is configured locally at the S-CSCF or subscribed in the HSS. The policy may be, for example, not needed (non-needed), preferred (preferred), or required (required), and the P-CSCF decides whether or not to turn on the protection based on the policy. Optionally, the final decision may also be handed over to the IMS-AGW. As in example 300A, policies need to be bound to media types, and security policies may also be obtained from the AS 150. As in example 300A, the indication may be classified as an encryption indication, a security indication, or a security protection indication. In this way, leaving the final decision to the P-CSCF 110 or the IMS-AGW 140 enables the media plane gateway to decide according to its actual local load, so that security can be provided more flexibly while the service is guaranteed.
Through the above embodiments, in the present disclosure the S-CSCF/P-CSCF may decide whether to turn on DTLS and indicate the decision to the UE and the IMS-AGW; alternatively, the S-CSCF/P-CSCF may return the policy, and the IMS-AGW may decide whether to turn on DTLS. In this way, the operator can flexibly select whether to start the DTLS protection with the UE according to the media type, thereby improving the media transmission performance.
Fig. 4 illustrates a flowchart of a method 400 implemented at a server device according to an embodiment of the disclosure. In one possible implementation, the method 400 may be implemented by a first network element device (P-CSCF) 110 in the example environment 100. In other possible implementations, the method 400 may also be implemented by other electronic devices independent of the example environment 100. As an example, the method 400 will be described below as being implemented by the first network element device 110 in the example environment 100.
At 410, the first network element device 110 receives a first response message from the second network element device 120 for a proposal message comprising a media type, the media type being the media type requested by the terminal device. At 420, based on receiving the first response message, the first network element device 110 determines i) second indication information indicating whether security protection is opened for the media type, or ii) a security policy for determining whether security protection is opened for the media type. At 430, the first network element device 110 sends a second response message to the terminal device 130 for the proposal message, the second response message comprising second indication information indicating whether security protection is opened for the media type. At 430, the first network element device 110 sends the second indication information or the security policy to the third network element device 140.
In some embodiments, the first reply message includes a first indication of whether security protection is enabled for the media type. Determining, by the first network element device 110, second indication information indicating whether security protection is opened for the media type may include determining the second indication information based on the first indication information. In some embodiments, the first indication information and the second indication information are both used to indicate that security protection is turned on for the media type, or the first indication information and the second indication information are both used to indicate that security protection is turned off for the media type.
In some embodiments, the first reply message includes a security policy. In some embodiments, the first network element device 110 determines second indication information indicating whether security protection is opened for the media type, including determining the second indication information according to a security policy.
In some embodiments, the security policy includes at least one of requiring the security protection to be opened, not requiring the security protection to be opened, prioritizing the security protection to be opened, or prioritizing the security protection to be closed.
In some embodiments, where the security policy includes a requirement to open the security protection, the second indication information indicates that the security protection is open for the media type; where the security policy includes a requirement to close the security protection, the second indication information indicates that the security protection is closed for the media type; and where the security policy includes a priority to open the security protection or a priority to close the security protection, the second indication information indicates either that the security protection is open for the media type or that the security protection is closed for the media type.
In some embodiments, the first network element device 110 comprises a proxy call session control function P-CSCF, the second network element device 120 comprises a serving call session control function S-CSCF, and the third network element device 140 comprises an access media gateway AGW or a data channel media function DCMF.
Fig. 5 illustrates a flowchart of a method 500 implemented at a second network element device according to an embodiment of the present disclosure. In one possible implementation, the method 500 may be implemented by a second network element device (S-CSCF) 120 in the example environment 100. In other possible implementations, the method 500 may also be implemented by other electronic devices independent of the example environment 100. As an example, the method 500 will be described below as being implemented by the second network element device 120 in the example environment 100.
At 510, the second network element device 120 receives a proposal message from the first network element device 110 for a media type that is requested by the terminal device. At 520, the second network element device 120 determines i) first indication information indicating whether security protection is opened for the media type, or ii) a security policy for determining whether security protection is opened for the media type. At 530, the second network element device 120 sends a first response message to the first network element device 110 for the proposal message, and wherein the first response message includes one of a first indication information or a security policy.
In some embodiments, the second network element device 120 determining the first indication information includes the second network element device 120 determining a security policy and the second network element device 120 determining the first indication information based on the security policy.
In some embodiments, where the security policy includes a requirement to open the security protection, the first indication information is used to indicate that the security protection is open for the media type; where the security policy includes a requirement to close the security protection, the first indication information is used to indicate that the security protection is closed for the media type; and where the security policy includes a priority to open the security protection or a priority to close the security protection, the first indication information is used to indicate either that the security protection is open for the media type or that the security protection is closed for the media type.
In some embodiments, the security policy is a local security policy at the third network element device or a security policy from a fourth network element device comprising a Home Subscription Server (HSS) or an Application Server (AS).
In some embodiments, the fourth network element device described above is a home subscription server, HSS, and wherein the security policy from the HSS is determined based on a subscription policy specific to the terminal device, the subscription policy indicating security policy requirements for the terminal device for the media type.
In some embodiments, the security policy includes at least one of requiring the security protection to be opened, not requiring the security protection to be opened, prioritizing the security protection to be opened, or prioritizing the security protection to be closed.
In some embodiments, the first network element device comprises a P-CSCF and the second network element device comprises an S-CSCF.
Fig. 6 shows a flowchart of a method 600 implemented at a terminal device according to an embodiment of the disclosure. In one possible implementation, the method 600 may be implemented by the terminal device 130 in the example environment 100. In other possible implementations, the method 600 may also be implemented by other electronic devices independent of the example environment 100. By way of example, the method 600 will be described hereinafter as being implemented by the terminal device 130 in the example environment 100.
At 610, the terminal device 130 sends a proposal message to the first network element device 110 that includes a media type that the terminal device requested. At 620, the terminal device 130 receives a second reply message to the offer message from the first network element device 110. The second response message includes second indication information indicating whether security protection is opened for the media type. Based on the second reply message, the terminal device 130 establishes a connection with the third network element device 140 at 630.
In some embodiments, the second indication information indicates that the security protection is turned on for the media type, and wherein the terminal device 130 establishing a connection with the third network element device comprises the terminal device 130 establishing a transport layer security protocol (TLS) connection or a datagram transport layer security protocol (DTLS) connection with the third network element device. In some implementations, the second indication information indicates an indication to close the security protection for the media type and the terminal device 130 establishing a connection with the third network element device includes the terminal device 130 establishing a non-TLS connection or a non-DTLS connection with the third network element device.
In some embodiments, the first network element device comprises a P-CSCF and the third network element device comprises an AGW or DCMF. In this way, DTLS communication may be selectively turned on or off between the terminal device and the access media gateway or DCMF.
Fig. 7 shows a flowchart of a method 700 implemented at a third network element device according to an embodiment of the present disclosure. In one possible implementation, the method 700 may be implemented by a third network element device (IMS-AGW) 140 in the example environment 100. In other possible implementations, the method 700 may also be implemented by other electronic devices independent of the example environment 100. As an example, the method 700 will be described below as being implemented by the third network element device 140 in the example environment 100.
At 710, the third network element device 140 receives from the first network element device one of i) a second indication indicating whether security protection is to be opened for the media type, or ii) a security policy for determining whether security protection is to be opened for the media type, the media type being the media type requested by the terminal device, for a proposal message comprising the media type. At 720, the third network element device 140 establishes a connection with the terminal device 130 based on the second indication or the security policy.
In some embodiments, the third network element device 140 receives, from the first network element device, second indication information to open security protection for the media type or a security policy requiring security protection to be opened, and establishing a connection with the terminal device includes the third network element device 140 establishing a transport layer security protocol (TLS) connection or a datagram transport layer security protocol (DTLS) connection with the terminal device 130. In some implementations, the third network element device 140 receives, from the first network element device 110, second indication information to close the security protection for the media type or a security policy requiring the security protection to be closed, and establishing the connection with the terminal device 130 includes the third network element device 140 establishing a non-TLS connection or a non-DTLS connection with the terminal device 130. In some implementations, the third network element device 140 receives, from the first network element device 110, a security policy that prioritizes opening or prioritizes closing the security protection, and establishing the connection with the terminal device 130 includes the third network element device 140 either establishing a TLS connection or a DTLS connection with the terminal device 130, or establishing a non-TLS connection or a non-DTLS connection with the terminal device 130.
In some embodiments, the first network element device comprises a P-CSCF and the third network element device comprises an AGW or DCMF.
Fig. 8 shows a flowchart of a method 800 implemented at a fourth network element device according to an embodiment of the present disclosure. In one possible implementation, the method 800 may be implemented by a fourth network element device (HSS or AS) 150 in the example environment 100. In other possible implementations, the method 800 may also be implemented by other electronic devices independent of the example environment 100. As an example, the method 800 will be described below as being implemented by the fourth network element device 150 in the example environment 100.
At 810, the fourth network element device 150 determines a security policy for the terminal device based on the subscription policy of the terminal device 130, the subscription policy indicating security policy requirements for the terminal device for the media type. At 820, the fourth network element device 150 sends the security policy to the second network element device 120.
In some embodiments, the second network element device comprises a serving call session control function, S-CSCF, and wherein the fourth network element device comprises a home subscription server, HSS.
In some embodiments, the security policy includes at least one of requiring security protection to be opened, not requiring security protection to be opened, prioritizing security protection to be opened, or prioritizing security protection to be closed.
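The following sketch is an added example, not part of the original disclosure. It models how the four policy values propagate from the S-CSCF through the P-CSCF to the terminal device and the AGW/DCMF, and adds an audit that flags the case where a preference policy forwarded to the AGW is resolved differently from the second indication sent to the terminal device. All function names, the `honor_preference` knob and the finding labels are assumptions made for illustration, and "not requiring opening" and "requiring closing" are modeled as one value.

```python
"""Added illustration of the per-media-type indication flow (hypothetical names)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple, Union


class Policy(Enum):
    REQUIRED = "required"          # security protection must be opened
    NOT_REQUIRED = "not_required"  # security protection is closed
    PREFER_ON = "prefer_on"        # opening is prioritized
    PREFER_OFF = "prefer_off"      # closing is prioritized


def resolve(policy: Policy, honor_preference: bool = True) -> bool:
    """Map a policy to an on/off indication.

    REQUIRED and NOT_REQUIRED have a fixed outcome. For the two preference
    values the text allows either outcome; honor_preference is an assumed
    local setting modelling a node that follows or overrides the preference.
    """
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_REQUIRED:
        return False
    preferred_on = policy is Policy.PREFER_ON
    return preferred_on if honor_preference else not preferred_on


@dataclass
class FirstAnswer:
    """S-CSCF to P-CSCF (530): carries a first indication or a policy."""
    first_indication: Optional[bool] = None
    policy: Optional[Policy] = None


def p_cscf_second_indication(answer: FirstAnswer,
                             honor_preference: bool = True) -> bool:
    """P-CSCF (420): derive the second indication from the field present."""
    if answer.first_indication is not None:
        return answer.first_indication
    if answer.policy is None:
        raise ValueError("first answer carries neither indication nor policy")
    return resolve(answer.policy, honor_preference)


def connection_mode(received: Union[bool, Policy],
                    honor_preference: bool = True) -> str:
    """Terminal device (630) or AGW/DCMF (720): choose DTLS or plain."""
    if isinstance(received, bool):
        on = received
    else:
        on = resolve(received, honor_preference)
    return "DTLS" if on else "plain"


def audit(policy: Policy, ue_mode: str, agw_mode: str) -> List[str]:
    """Consistency check over one session's outcome."""
    findings = []
    if ue_mode != agw_mode:
        findings.append("endpoint-mismatch")
    if policy is Policy.REQUIRED and "plain" in (ue_mode, agw_mode):
        findings.append("required-policy-downgraded")
    if policy is Policy.NOT_REQUIRED and "DTLS" in (ue_mode, agw_mode):
        findings.append("protection-on-against-policy")
    return findings


def run_session(policy: Policy, forward_policy_to_agw: bool,
                agw_honors_preference: bool = True) -> Tuple[str, str, List[str]]:
    """Run one constructed session end to end and audit the result."""
    answer = FirstAnswer(policy=policy)
    second = p_cscf_second_indication(answer)
    ue_mode = connection_mode(second)
    # The P-CSCF sends the AGW either the second indication or the policy.
    to_agw = policy if forward_policy_to_agw else second
    agw_mode = connection_mode(to_agw, agw_honors_preference)
    return ue_mode, agw_mode, audit(policy, ue_mode, agw_mode)


if __name__ == "__main__":
    for pol in Policy:
        for fwd in (False, True):
            print(pol.value, fwd, run_session(pol, fwd, agw_honors_preference=False))
```

Forwarding the resolved second indication to the AGW keeps both endpoints aligned; forwarding a preference policy leaves the AGW free to choose, so the mismatch check matters only in that branch.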
Fig. 9 and 10 are schematic structural diagrams of a possible communication device according to an embodiment of the present application. These communication apparatuses can implement the functions of the sensing device or the server device in the above-described method embodiments, and thus can also implement the beneficial effects provided by the above-described method embodiments. In the embodiment of the present application, the communication device may be any network element device or terminal device as shown in fig. 1, and may also be a module (such as a chip) applied to the device.
As shown in fig. 9, the communication apparatus 900 includes a transceiver module 901 and a processing module 902. The communication apparatus 900 implements the functions of the network management device in the embodiments shown in fig. 1 to 5.
As shown in fig. 10, the communication device 1000 includes a processor 1010 and an interface circuit 1020. The processor 1010 and the interface circuit 1020 are coupled to each other. It is understood that interface circuit 1020 may be a transceiver or an input-output interface. Optionally, the communication device 1000 may further comprise a memory 1030 for storing instructions to be executed by the processor 1010 or for storing input data required by the processor 1010 to execute instructions or for storing data generated after the processor 1010 executes instructions.
When the communication device 1000 is used to implement the method in the method embodiment, the processor 1010 is configured to perform the functions of the processing module 902, and the interface circuit 1020 is configured to perform the functions of the transceiver module 901.
When the communication device is a chip applied to the terminal equipment, the terminal equipment chip realizes the functions of the terminal equipment in the embodiment of the method. The terminal device chip receives information from other modules (e.g., radio frequency modules or antennas) in the terminal device to which the network device is transmitting, or transmits information to other modules (e.g., radio frequency modules or antennas) in the terminal device to which the terminal device is transmitting.
When the communication device is a chip applied to the network equipment, the network equipment chip realizes the functions of the network equipment in the embodiment of the method. The network device chip receives information from other modules (e.g., radio frequency modules or antennas) in the network device to which the terminal device is transmitting, or transmits information to other modules (e.g., radio frequency modules or antennas) in the network device to which the network device is transmitting.
It is to be appreciated that the processor in embodiments of the application may be a central processing unit (CPU), but may also be other general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. The general purpose processor may be a microprocessor, but in the alternative, it may be any conventional processor.
When the apparatus in the embodiment of the present application is a network device (e.g., a server device), the apparatus may be as shown in fig. 11. The apparatus may include one or more radio frequency units, such as a remote radio frequency unit (remote radio unit, RRU) 1110 and one or more baseband units (BBU) (also referred to as digital units, DUs) 1120. The RRU 1110 may be referred to as a transceiver module, which may include a transmitting module and a receiving module, or the transceiver module may be a module capable of implementing transmitting and receiving functions. The transceiver module may correspond to the transceiver module 901 in fig. 9, i.e., the actions performed by the transceiver module 901 may be performed. Alternatively, the transceiver module may also be referred to as a transceiver, transceiver circuitry, or transceiver, etc., which may include at least one antenna 1111 and a radio frequency unit 1112. The RRU 1110 is mainly used for receiving and transmitting radio frequency signals and converting radio frequency signals and baseband signals. The BBU 1110 is mainly used for baseband processing, control of a base station, and the like. The RRU 1110 and BBU 1120 can be physically located together or physically separate, i.e., distributed base stations.
The BBU 1120 is a control center of the base station, and may also be referred to as a processing module, and may correspond to the processing module 902 in fig. 9, and is mainly configured to perform baseband processing functions, such as channel coding, multiplexing, modulation, spreading, and so on, and in addition, the processing module may perform actions performed by the processing module 602. For example, the BBU (processing module) may be configured to control the base station to perform the operation procedures described in the above method embodiments with respect to the network device.
In one example, the BBU 1120 may be configured by one or more single boards, where the multiple single boards may support a single access radio access network (such as an LTE network), or may support different access radio access networks (such as an LTE network, a 5G network, or other networks). The BBU 1120 further comprises a memory 1121 and a processor 1122. The memory 1121 is used to store necessary instructions and data. The processor 1122 is used to control the base station to perform the necessary actions, for example, to control the base station to perform the operational flows described above with respect to the network device in the method embodiments. The memory 1121 and processor 1122 may serve one or more boards. That is, the memory and the processor may be separately provided on each board. It is also possible that multiple boards share the same memory and processor. In addition, each single board can be provided with necessary circuits.
The embodiment of the application provides a communication system. The communication system may comprise a plurality of network nodes and a network management device as referred to in the embodiments shown in fig. 2 to 5 described above. Alternatively, the network management apparatus in the communication system may perform the communication method shown in any one of fig. 2 to 5.
Embodiments of the present application also provide a circuit, which may be coupled to a memory, and may be used to perform a procedure associated with a terminal device or a network device in any of the embodiments of the method described above. The chip system may include the chip, and may also include other components such as a memory or transceiver.
It should be appreciated that the processor referred to in the embodiments of the present application may be a CPU, but may also be other general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be understood that the memory referred to in embodiments of the present application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct Rambus random access memory (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, the memory (storage module) is integrated into the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system, apparatus and module may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed communication method and apparatus may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical, or other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or contributing part or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method in the various embodiments of the present application. The foregoing computer-readable storage media can be any available media that can be accessed by a computer. By way of example, and not limitation, computer-readable media can comprise random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), universal serial bus (USB) flash disk, removable hard disk, or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
As used herein, the term "comprising" and the like should be understood to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like, may refer to different or the same object and are used solely to distinguish one from another without implying a particular spatial order, temporal order, order of importance, etc. of the referenced objects. In some embodiments, the values, processes, selected items, determined items, devices, means, parts, components, etc. are referred to as "best," "lowest," "highest," "smallest," "largest," etc. It should be understood that such description is intended to indicate that a selection may be made among many available options of functionality, and that such selection need not be better, lower, higher, smaller, larger, or otherwise preferred in further or all respects than other selections. As used herein, the term "determining" may encompass a wide variety of actions. For example, "determining" may include computing, calculating, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), ascertaining and the like. Further, "determining" may include receiving (e.g., receiving information), accessing (e.g., accessing data in memory), and so forth. Further, "determining" may include parsing, selecting, choosing, establishing, and the like.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art will readily appreciate variations or substitutions within the scope of the embodiments of the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.