WO2017128306A1 - Communication method and equipment - Google Patents
- Publication number
- WO2017128306A1 (PCT/CN2016/072818)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network device
- key
- access network
- core network
- access
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a communication method and device.
- an RRC (Radio Resource Control) connectionless technology is proposed.
- with the RRC connectionless technology, the User Equipment (UE) need not establish an RRC connection with the base station, but can send user data directly to the core network.
- data between the UE and the base station is encrypted using a key negotiated between them, and the key is known only to the UE and the base station.
- when the RRC connection is released, the base station releases the context information of the UE, including the key used to transmit data while the RRC connection was established. If the UE still uses the key from the RRC connection to encrypt data, the network side cannot correctly decrypt the data packet, and the packet may be discarded, which disrupts the normal communication of the UE and degrades the user experience.
- the embodiment of the present invention provides a communication method, device, and system, which can implement correct decryption of a data packet encrypted by a user equipment using a key under an RRC connection, thereby ensuring normal communication of the user equipment and improving the user experience.
- embodiments of the present invention provide a method of communication.
- the method includes: acquiring, by the core network device, a first key, where the first key is a key generated by the access network device in performing an access layer security activation process.
- the core network device decrypts the data packet by using the first key.
- the embodiment of the present invention enables the core network device to correctly decrypt a data packet encrypted by the user equipment with the key generated when the access network device performs the access layer security activation process, thereby reducing the possibility that the data packet is discarded, ensuring normal communication between the user equipment and the network, and improving the user experience.
- the acquiring, by the core network device, of the first key may include: the core network device sends a first request message to the access network device, where the first request message is used to request the first key.
- after receiving the first request message, the access network device carries the first key generated in the access layer security activation process in a first response message and sends it to the core network device.
- the core network device receives the first response message sent by the access network device, and obtains the first key.
- the core network device can thus actively request from the access network device the key that the access network device generated in the access layer security activation process, so that when it receives data sent by the user equipment, the core network device can directly decrypt the data with the key obtained from the access network device, ensuring that the user equipment can communicate normally.
- the first request message may include an initial context setup request, and the first response message may include an initial context setup response.
- alternatively, the first request message may include an access bearer setup request (ERAB setup request), and the first response message may include an access bearer setup response (ERAB setup response).
- the embodiment of the present invention can implement the key acquisition using a request or response that already has to be sent in the existing attach process, so that the core network device can obtain the key generated by the access network device and the user equipment in the access layer security activation process at small cost, or without changing the existing process structure, thereby ensuring normal communication of the user equipment and reducing cost.
- the acquiring, by the core network device, of the first key may include: after the access network device performs the access layer security activation process and generates the first key, the access network device actively sends the first key to the core network device in first indication information.
- the core network device receives the first indication information sent by the access network device, where the first indication information carries the first key. The first indication information may also instruct the core network device to decrypt the data sent by the user equipment by using the first key.
- the embodiment of the present invention enables the access network device to actively send the first key to the core network device, so that the core network device obtains the first key and can correctly decrypt the data packet sent by the user equipment, thereby ensuring normal communication of the user equipment and improving the user experience.
- the foregoing first indication information includes: an initial context setup response or an access bearer setup response (ERAB setup response).
- the embodiment of the present invention can implement the key acquisition using a request or response that already has to be sent in the existing attach process, so that the core network device can obtain the key generated by the access network device and the user equipment in the access layer security activation process at small cost, or without changing the existing process structure, thereby ensuring normal communication of the user equipment and reducing cost.
- the core network device may send a second key, generated in the non-access stratum security activation process, to the access network device, where the second key is used by the access network device to derive the first key.
- the acquiring, by the core network device, of the first key may include: the core network device acquires the encryption algorithm used to derive the first key, and generates the first key according to the second key and the encryption algorithm.
- the core network device can thus generate the first key by itself, for example during the non-access layer security activation process, so that when the core network device receives data sent by the user equipment it can use the first key for decryption, which ensures normal communication of the user equipment and improves the user experience.
- the core network device acquiring the encryption algorithm used to derive the first key may include: the core network device sends a second request message to the access network device, where the second request message is used to request the identifier of the encryption algorithm used by the access network device to derive the first key.
- after receiving the second request message, the access network device may send the identifier of the encryption algorithm it used to derive the first key in the access layer security activation process to the core network device in a second response message.
- the core network device receives the second response message sent by the access network device, and obtains the encryption algorithm used by the access network device to derive the first key.
- the core network device thus requests from the access network device the identifier of the encryption algorithm used to derive the first key, and since the core network device already knows the second key, it can generate the first key, so that after receiving data sent by the user equipment it can use the first key for decryption, thereby ensuring normal communication of the user equipment.
- the foregoing second request message may include an initial context setup request, in which case the second response message may include an initial context setup response; or the second request message may include an access bearer setup request (ERAB setup request), in which case the second response message may include an access bearer setup response (ERAB setup response).
- the embodiment of the present invention can obtain the identifier of the encryption algorithm used to derive the first key using a request or response that already has to be sent in the existing attach process, so that, at little cost or without changing the existing process structure, the core network device can obtain the first key, ensuring that the user equipment communicates normally while reducing cost.
- the core network device acquiring the encryption algorithm used to derive the first key may include: the access network device carries the identifier of the encryption algorithm it used to derive the first key in the access layer security activation process in second indication information, and sends it to the core network device.
- the core network device receives the second indication information sent by the access network device, and thereby obtains the encryption algorithm used to derive the first key.
- the embodiment of the present invention enables the access network device to actively send the identifier of the encryption algorithm used to derive the first key to the core network device, so that the core network device can obtain the first key according to that algorithm and correctly decrypt the data packets sent by the user equipment, ensuring normal communication of the user equipment and improving the user experience.
- the foregoing second indication information may include: an initial context setup response or an access bearer setup response (ERAB setup response).
- the embodiment of the present invention can obtain the identifier of the encryption algorithm used to derive the first key using a request or response that already has to be sent in the existing attach process, so that, at little cost or without changing the existing process structure, the core network device can obtain the first key, ensuring that the user equipment communicates normally while reducing cost.
- when there is no RRC connection between the user equipment and the access network device, the core network device receives the data packet sent by the user equipment and decrypts it using the first key determined by the foregoing method.
- when no RRC connection is available, or when the RRC connection has been released and the access network device has released the context information of the user equipment, the user equipment still encrypts data using the key generated under the RRC connection. After the encrypted data packet is transmitted to the core network device, it can still be correctly decrypted, ensuring normal communication of the user equipment and improving the user experience.
- an embodiment of the present invention provides a communication method.
- the method includes: when the access network device performs the access layer security activation process, the access network device generates the first key.
- the access network device sends the first key, or the identifier of the encryption algorithm used by the access network device to derive the first key, to the core network device, where the first key is used by the core network device to decrypt the data sent by the user equipment.
- the access network device sending the first key or the identifier of the encryption algorithm used to derive the first key to the core network device may include: the access network device carries the first key, or the algorithm identifier of the encryption algorithm used to derive the first key, in the initial context setup response or the ERAB setup response, and sends it to the core network device.
- the method may further include: the access network device receives a request message sent by the core network device, where the request message is used to request the first key or the identifier of the encryption algorithm.
- the foregoing request message of this aspect may specifically include an initial context setup request or an access bearer setup request (ERAB setup request).
- an embodiment of the present invention provides an access network device, which has the function of implementing the behavior of the access network device in the foregoing method.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the structure of the access network device includes a processor and a communication unit, where the processor is configured to support the access network device in performing the corresponding functions in the above method.
- the communication unit is configured to support communication between the access network device and the core network device, and send information or instructions involved in the foregoing method to the core network device.
- the access network device can also include a memory coupled to the processor, which holds the program instructions and data necessary for the access network device.
- an embodiment of the present invention provides a core network device.
- the core network device may be a network entity in the core network, such as a mobility management entity MME, or a gateway (such as a Serving Gateway (SGW) and/or a Packet Data Network Gateway (PGW)).
- the core network device is configured to decrypt the data sent by the user equipment, where the key required for decryption can be obtained by the foregoing method, and the core network device has the function of implementing the behavior of the core network device in the foregoing method.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the structure of the core network device includes a processor and a communication unit configured to support the core network device to perform the corresponding functions in the above methods.
- the communication unit is configured to support communication between the core network device and the access network device, and send information or instructions involved in the foregoing method to the access network device.
- the core network device can also include a memory coupled to the processor, which holds the program instructions and data necessary for the core network device.
- an embodiment of the present invention provides a communication system, where the system includes the access network device and the core network device according to the foregoing aspect; or the system includes the core network device described in the foregoing aspect.
- an embodiment of the present invention provides a computer storage medium for storing computer software instructions for use in the access network device, including a program designed to perform the above aspects.
- an embodiment of the present invention provides a computer storage medium for storing computer software instructions for use in the core network device, including a program designed to perform the above aspects.
- the embodiments of the present invention enable the core network device to correctly decrypt a data packet encrypted by the user equipment with the key under the RRC connection, ensuring normal communication of the user equipment and improving the user experience.
- FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention
- FIG. 2 shows a schematic diagram of an LTE network architecture
- FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of communication of a communication method according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of another communication method according to an embodiment of the present invention.
- FIG. 6 is a schematic diagram of communication of another communication method according to an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present invention.
- FIG. 8 is a schematic structural diagram of another communication apparatus according to an embodiment of the present invention.
- FIG. 9 is a schematic structural diagram of hardware of an access network device according to an embodiment of the present disclosure.
- FIG. 10 is a schematic structural diagram of hardware of a core network device according to an embodiment of the present invention.
- the core network device obtains the encryption key of the data plane of the user equipment during the attach process of the user equipment.
- the core network device can then decrypt the data sent by the user equipment using the encryption key obtained above, thereby ensuring normal communication between the user equipment and the network and improving the user experience.
- FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention, showing a partial structure of the system architecture related to the embodiment.
- the system architecture may include: a core network device 101, an access network device 102, and a user equipment 103.
- the user equipment 103 can access the core network device 101 through the access network device 102 to perform communication, and can further access the Internet through the core network to perform Internet communication.
- the core network device 101 may be a device that provides the user connection, manages the user, and completes the bearer for services, and that serves as the bearer network's interface to external networks.
- establishing the user connection includes mobility management (MM), call management (CM), switching/routing, and recording notification (in combination with connection of intelligent network services to intelligent network peripheral devices).
- user management includes user description, QoS (Quality of Service), user communication records (accounting), dialogue with the intelligent network platform to provide a virtual home environment, and security (the corresponding security measures provided by the authentication center include security management of mobile services and security of access to external networks). External networks accessed include the PSTN, external circuit data networks and packet data networks, the Internet and intranets, and the mobile operator's own SMS server.
- the basic services that the core network can provide include mobile office, e-commerce, communication, entertainment services, travel and location-based services, telemetry and simple messaging services (monitoring and control), and more.
- MME: Mobility Management Entity
- SGW: Serving Gateway
- P-GW: Packet Data Network Gateway
- LTE: Long Term Evolution
- the foregoing devices that provide the user connection, manage the user, complete the service bearer, and serve as the bearer network's interface to external networks are collectively referred to as core network devices; the MME in an LTE system is taken as an example for description.
- Access network device 102 can be a device deployed in a wireless access network to provide wireless communication functionality to a UE or WD.
- the apparatus may include various forms of macro base stations, micro base stations, relay stations, access points, and the like.
- the name of a device having base station functions may differ between systems: in an LTE system it is called an evolved Node B (eNB or eNodeB), in a 3G network it is called a Node B, and so on.
- eNB: evolved Node B
- the foregoing apparatus for providing wireless communication functions to a UE is collectively referred to as an access network device; an eNB in an LTE system is taken as an example for description.
- user equipment 103 may include various handheld devices with wireless communication capabilities, in-vehicle devices, wearable devices, computing devices, or other processing devices connected to wireless modems, as well as various forms of User Equipment (UE), Mobile Station (MS), Terminal, Terminal Equipment, etc.
- UE: User Equipment
- MS: Mobile Station
- Terminal: Terminal Equipment
- FIG. 2 is a schematic diagram of an LTE network architecture, which mainly includes a UE, an E-UTRAN (Evolved Universal Terrestrial Radio Access Network), an EPC (Evolved Packet Core), and so on.
- LTE: Long Term Evolution
- E-UTRAN: Evolved Universal Terrestrial Radio Access Network
- EPC: Evolved Packet Core
- EPC is mainly composed of MME, P-GW, SGW, etc. It can realize the traditional capabilities of mobile network such as user subscription data storage, mobility management and data exchange, and can provide users with ultra-high speed Internet experience.
- the E-UTRAN may be a network composed of a plurality of eNBs, and implement functions such as wireless physical layer functions, resource scheduling and radio resource management, radio access control, and mobility management.
- the embodiment of the present invention is mainly applicable to the attach process of a user equipment.
- the attach process is the process by which the user equipment registers in the network before performing actual services; after the user equipment is successfully attached, it can receive the services sent by the network device.
- the user equipment attach process based on the LTE system is described as an example in the embodiment of the present invention.
- the attach process is generally initiated by the user equipment.
- the user equipment may trigger the attach when it is powered on, or it may need to reattach after leaving network coverage for a period of time.
- the user equipment attach process mainly achieves the following purposes: 1. the user equipment and the network device authenticate each other, and the user equipment establishes a context with the network device; 2. the network device establishes a bearer for the user equipment; 3. the user equipment obtains the IP address assigned by the network device; 4. location registration of the user equipment; 5. the network device allocates a temporary identity to the user equipment; and so on.
- an RRC connection is established between the UE and the eNB, and in this process the UE also carries an Attach Request message (attach request message).
- Attach Request message: attach request message
- the eNB sends an Initial UE Message (initial UE message) to the MME, and places the Attach Request message (attach request message) in it.
- in the authentication process, the core network device obtains an authentication vector from the HSS (Home Subscriber Server) to which the user subscribes.
- the authentication vector includes K_ASME (Key Access Security Management Entity).
- K_ASME is used to derive the encryption and integrity protection keys; the relevant keys can be derived from it.
- the NAS security activation process is a process of establishing an encryption and integrity protection context between the UE and the MME. After this process, NAS messages between the MME and the UE are encrypted and integrity protected to ensure secure signaling.
- the MME informs the UE of the ID of the algorithm to be used; the MME and the UE can then each derive the NAS layer keys from K_ASME, which mainly include K_NASenc (Key Non-access stratum encryption) and K_NASint (Key Non-access stratum integrity), etc.; the MME then further generates K_eNB from K_ASME and sends K_eNB to the eNB so that the eNB can generate the related keys.
- the UE will notify the core network device of the algorithm ID supported by the UE.
- the algorithm used by the UE can be as shown in Table 1.
- the foregoing NAS security process creates a security context between the MME and the UE; that is, the MME and the UE negotiate to use the same key and encryption algorithm to encrypt and integrity protect the messages exchanged between them.
- the AS security activation process creates a security context between the eNB and the UE, and encrypts and integrity protects the access-stratum messages exchanged between the eNB and the UE.
- the eNB selects an encryption algorithm and informs the UE of the algorithm ID; the eNB and the UE then each generate the keys required by the access layer using the corresponding algorithm ID and the KDF (key derivation function), for example K_UPenc (Key User plane encryption, user plane encryption key), K_RRCenc (RRC layer signaling message encryption key), K_RRCint (RRC signaling integrity protection key), and so on.
- K_UPenc: Key User plane encryption, user plane encryption key
- K_RRCenc: RRC layer signaling message encryption key
- K_RRCint: RRC signaling integrity protection key
- FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention.
- the method may specifically include:
- the core network device acquires the first key.
- the first key is a key generated when the user equipment and the access network device perform an access layer security activation process.
- the first key may be an encryption key of the user plane of the access layer, or may be an encryption key or an integrity protection key of the control plane of the access network.
- the first key may be any one or more of the above keys K_UPenc, K_RRCenc, K_RRCint, etc.
- the core network device receives the data packet sent by the user equipment, performs decryption by using the first key, and obtains data in the data packet.
- the user equipment encrypts data using the first key and sends it to the core network device; the core network device decrypts the data with the first key determined in the foregoing steps and thereby obtains the data sent by the user.
- the core network device acquiring the first key may have the following implementation manner.
- the core network device can obtain the first key from the access network device.
- the core network device may send a request message to the access network device requesting the first key, and the access network device, after generating the first key in the security activation process, carries the first key in a response message sent to the core network device.
- for example, the core network device may carry the request in an initial context setup request to the access network device, and the access network device may carry the first key in an initial context setup response sent to the core network device; or the core network device may carry the request in an ERAB setup request to the access network device, and the access network device may carry the first key in an ERAB setup response sent to the core network device; and so on.
- the access network device may send the first key to the core network device after generating the first key.
- the access network device may send the first key to the core network device in a message such as an initial context setup response or an ERAB setup response.
- the access network device may further indicate, in the foregoing message, that the core network device should decrypt the data sent by the user equipment using the first key sent by the access network device.
- the core network device can generate the first key.
- the second key required for the access network device and the user equipment to generate the first key is generated by the core network device and sent to the access network device.
- the second key may be a K eNB .
- the encryption algorithm used by the access network device to derive the first key in the access layer security activation process is generally the same as the algorithm used by the core network device in the non-access layer security activation process to generate the encryption key or integrity protection key. Therefore, the core network device can directly generate the first key from the second key and the algorithm it uses to generate the encryption key or integrity protection key.
- Manner 3: when the encryption algorithm used by the access network device to derive the first key in the access layer security activation process differs from the algorithm used by the core network device in the non-access layer security activation process to generate the encryption key or integrity protection key, the core network device can also generate the first key. As in the second manner, the second key is generated by the core network device, so the core network device can generate the first key once it determines the encryption algorithm used to derive the first key.
- the identity of the encryption algorithm used to derive the first key may be provided by the access network device.
- the core network device may send a request message to the access network device to request an identifier of the encryption algorithm used by the access network device to derive the first key, and the access network device performs the access layer security activation process to generate the first key. And carrying the generated identifier of the encryption algorithm used to derive the first key in the response message and sending the identifier to the core network device.
- the core network device may carry the request in an initial context setup request to the access network device, and the access network device may carry the identifier of the encryption algorithm used to derive the first key in the initial context.
- the initial context setup response is sent to the core network device, or the core network device can carry the request in the ERAB setup request to the access network device, and the access network device can perform the deduction.
- the identifier of the encryption algorithm used by a key is carried in the ERAB setup response and sent to the core network device.
- the access network device When the access network device performs the access layer security activation process, the access network device actively sends the encryption algorithm identifier used by the access network device to derive the first key to the core network device. For example, the access network device may send the encryption algorithm identifier used by the derivation of the first key to the core network device in an initial context setup response or an ERAB setup response.
- the foregoing response information may be used to indicate that the core network device decrypts the data packet sent by the user equipment by using the first key, or does not need to receive the data packet sent by the user equipment according to the indication of the access network device. After decryption directly.
- in this way the data packet encrypted with the key negotiated between the user equipment and the access network device can be decrypted at the core network device, so that, after the RRC connection is released or when there is no RRC connection, data that the user equipment encrypted with the key generated when the RRC connection was established can still be decrypted once it reaches the core network device; normal communication is ensured and the user experience improves without major changes to the communication procedure of the user equipment.
- the following describes the embodiment of the present invention in more detail by taking an attach procedure in an LTE system as an example, where the first key is K UPenc, the access network device is an eNB, and the core network device is an MME.
- the acquisition of the first key may be performed when the access network device performs an access layer security activation process.
- the details are as follows.
- the UE triggers the attach procedure, the RRC setup process, the authentication process, the non-access stratum security activation process, the location update process, and the like according to the existing procedures.
- the MME sends an initial context setup request to the eNB, notifying the eNB to perform initial context setup, where the request carries a request to acquire the access layer user plane encryption key K UPenc.
- the eNB performs an access layer security activation process with the UE.
- the eNB sends a security mode command to the UE.
- after receiving the message, the UE derives keys according to the encryption algorithm indicated in the message; the derived keys include K UPenc.
- the UE then sends a security mode complete message to the eNB.
- the eNB also generates the same key K UPenc .
- the eNB sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to the UE, where the message includes an attach accept message and a bearer related context.
- the UE sends an RRC Connection Reconfiguration Complete message (RRCConnectionReconfigurationComplete) to the eNB.
- the eNB sends an initial context setup response to the MME, where the response carries K UPenc .
- the UE encrypts the data packet by using K UPenc , and transparently transmits the data packet to the MME through the eNB, and the MME uses K UPenc to perform decryption to obtain data transmitted by the UE.
- the process by which the MME obtains the identifier of the encryption algorithm used to derive the first key may be similar to the process shown in FIG. 4: for example, the request to acquire the identifier of the encryption algorithm used in the K UPenc derivation is carried in the initial context setup request, and the identifier of that encryption algorithm is carried in the initial context setup response, so that the MME obtains the identifier of the K UPenc generation algorithm. The two processes may be understood with reference to each other.
- after obtaining the identifier of the encryption algorithm used to derive K UPenc, the MME generates K UPenc with that encryption algorithm according to K ASME and K eNB. After the MME receives the data packet sent by the UE, it decrypts the packet with K UPenc to obtain the data it carries.
- the acquisition of the first key may be performed during the bearer establishment process performed by the access network device.
- the details are as follows.
- the UE triggers the attach process, the RRC setup process, the authentication process, the non-access stratum security activation process, the location update process, and the access layer security activation process, etc. according to the existing process.
- the UE and the eNB generate K UPenc .
- the MME sends an ERAB setup request to the eNB, requesting that an ERAB bearer be established for the user equipment, where the request carries a request to acquire the access layer user plane encryption key K UPenc.
- the eNB performs an ERAB bearer setup procedure with the UE, and sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to the UE to notify the UE of the bearer setup.
- the UE sends an RRC connection reconfiguration complete message (RRCConnectionReconfigurationComplete) to the eNB.
- the eNB sends an ERAB setup response to the MME, confirming that the ERAB bearer of the UE is established, and carrying K UPenc in the response.
- the UE encrypts the data packet by using K UPenc , and transparently transmits the data packet to the MME through the eNB, and the MME uses K UPenc to perform decryption to obtain data transmitted by the UE.
- the process of obtaining the identifier of the encryption algorithm used for the first key derivation may be similar to the process shown in FIG. 5: for example, the request to acquire the identifier of the encryption algorithm used to generate K UPenc is carried in the ERAB setup request, and the identifier of that encryption algorithm is carried in the ERAB setup response, so that the MME obtains the identifier of the K UPenc generation algorithm. The two processes may be understood with reference to each other.
- after obtaining the identifier of the encryption algorithm used to generate K UPenc, the MME generates K eNB according to K ASME and then generates K UPenc with that encryption algorithm. After the MME receives the data packet sent by the UE, it decrypts the packet with K UPenc to obtain the data it carries.
- the first key may also be generated by the MME, for example during the non-access stratum security activation process performed by the MME. This case applies when the encryption algorithm the MME uses to generate the encryption key in the non-access stratum security activation process is the same as the one the eNB uses to generate the encryption key in the access layer security activation process.
- the UE triggers the attach process, the RRC setup process, the authentication process, and the like according to the foregoing procedure.
- the MME then derives K eNB.
- the MME then generates any one or more of K UPenc, K RRCenc, K RRCint and K ENB+ according to K eNB and the encryption algorithm used for K NASenc or K NASint.
- in the data transmission process, the UE encrypts the data packet with K UPenc and sends the data packet to the MME.
- after receiving the encrypted data packet sent by the UE, the MME decrypts it with K UPenc.
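The three MME-side routes described above (K UPenc returned by the eNB, the algorithm identifier returned by the eNB, or derivation at the MME from K eNB) rest on one computation. The following added example, which is not code from the patent, models that computation in Python using the 3GPP TS 33.401 Annex A key derivation (HMAC-SHA-256 KDF); K ASME, the NAS COUNT, the algorithm choice and the request/response dictionaries are constructed for the example.

```python
"""Added example, not code from the patent: the MME obtains the eNB's K_UPenc.

The MME gets the first key either delivered by the eNB in the initial context
setup response, or by re-deriving it from K_eNB plus the encryption algorithm
identifier the eNB reports. Key derivation follows TS 33.401 Annex A; K_ASME,
the NAS COUNT, the algorithm choice and the message dictionaries are constructed.
"""
import hashlib
import hmac

# Algorithm type distinguishers from TS 33.401 Table A.7-1.
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05
# EPS encryption algorithm identities: EEA1 (SNOW 3G), EEA2 (AES), EEA3 (ZUC).
EEA1, EEA2, EEA3 = 0x01, 0x02, 0x03


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Pi is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, nas_ul_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, 0x11, NAS uplink COUNT) (Annex A.3); full 256-bit output."""
    return kdf(k_asme, 0x11, nas_ul_count.to_bytes(4, "big"))


def derive_as_key(k_enb: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit AS algorithm key: low 128 bits of KDF(K_eNB, 0x15, type, id) (Annex A.7)."""
    return kdf(k_enb, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


class ENB:
    """Access network device: selects the AS ciphering algorithm and, as in the
    patent, reports the key or its algorithm identifier in the response."""

    def __init__(self, chosen_alg: int):
        self.chosen_alg = chosen_alg
        self.k_upenc = None

    def initial_context_setup(self, request: dict) -> dict:
        # AS security activation: the eNB (and the UE) derive K_UPenc with the chosen EEA.
        self.k_upenc = derive_as_key(request["k_enb"], UP_ENC_ALG, self.chosen_alg)
        response = {"result": "success"}
        if request.get("request_upenc_alg_id"):     # second request message variant
            response["upenc_alg_id"] = self.chosen_alg
        if request.get("request_upenc_key"):        # first request message variant
            response["k_upenc"] = self.k_upenc
        return response


class MME:
    """Core network device: holds K_ASME from authentication, derives K_eNB during
    NAS security activation, then obtains K_UPenc by one of the patent's routes."""

    def __init__(self, k_asme: bytes):
        self.k_asme = k_asme
        self.k_enb = None
        self.k_upenc = None

    def attach(self, enb: ENB, nas_ul_count: int, ask_for_key: bool) -> bytes:
        self.k_enb = derive_kenb(self.k_asme, nas_ul_count)
        response = enb.initial_context_setup({
            "k_enb": self.k_enb,
            "request_upenc_key": ask_for_key,
            "request_upenc_alg_id": not ask_for_key,
        })
        if ask_for_key:
            self.k_upenc = response["k_upenc"]      # key delivered by the eNB
        else:                                       # re-derive from K_eNB and the alg id
            self.k_upenc = derive_as_key(self.k_enb, UP_ENC_ALG, response["upenc_alg_id"])
        return self.k_upenc


def run_attach(enb_alg: int, ask_for_key: bool, nas_ul_count: int = 1) -> tuple:
    """Returns (MME's K_UPenc, eNB's K_UPenc) for one attach with the given options."""
    k_asme = bytes(range(32))          # constructed 256-bit K_ASME, not a real vector
    enb, mme = ENB(enb_alg), MME(k_asme)
    mme_key = mme.attach(enb, nas_ul_count, ask_for_key)
    return mme_key, enb.k_upenc


if __name__ == "__main__":
    mme_key, enb_key = run_attach(EEA2, ask_for_key=False)
    print("MME and eNB agree on K_UPenc:", mme_key == enb_key)
    # Without the algorithm identifier the MME would have to guess; a wrong guess
    # yields a different key and every UE packet fails to decrypt, which is the
    # packet-loss case the background section describes.
    wrong = derive_as_key(derive_kenb(bytes(range(32)), 1), UP_ENC_ALG, EEA1)
    print("Guessing EEA1 instead of EEA2 matches:", wrong == enb_key)
```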
- each network element, such as the user equipment, the access network device and the core network device, includes hardware structures and/or software modules corresponding to each of its functions.
- the elements and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is implemented in hardware or in computer software driving hardware depends on the specific application and design constraints of the solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered to be beyond the scope of the present invention.
- FIG. 7 is a schematic structural diagram of a communication device of an access network device involved in the foregoing embodiment.
- the device can include:
- the processing module 701 is configured to acquire a first key, where the first key is a key generated when the access network device performs an access layer security activation process;
- the receiving module 702 is configured to receive a data packet sent by the user equipment, the data packet being decrypted by using the first key.
- the apparatus may further include: a sending module 703, configured to send a first request message to the access network device, where the first request message is used to request the first key;
- the receiving module 702 is further configured to: after the access network device generates the first key, receive a first response message sent by the access network device, where the first response message carries the first key.
- the first request message includes an initial context setup request and the first response message includes an initial context setup response; or the first request message includes an ERAB setup request and the first response message includes an ERAB setup response.
- the receiving module 702 is further configured to: after the access network device generates the first key, receive first indication information sent by the access network device, where the first indication information carries the first key.
- the first indication information includes: an initial context setup response or an ERAB setup response.
- the sending module 703 is further configured to send to the access network device a second key that the core network device generates when it performs the non-access stratum security activation process;
- the processing module 701 is further configured to determine an encryption algorithm used by the access network device to derive the first key.
- the processing module 701 is further configured to generate the first key according to the second key and the encryption algorithm.
- the sending module 703 is further configured to send a second request message to the access network device, where the second request message is used to request an identifier of the encryption algorithm used by the access network device to derive the first key;
- the receiving module 702 is further configured to: after the access network device generates the first key, receive the second response message sent by the access network device, where the second response message carries the identifier of the encryption algorithm.
- the second request message includes an initial context setup request and the second response message includes an initial context setup response; or the second request message includes an ERAB setup request and the second response message includes an ERAB setup response.
- the receiving module 702 is further configured to: after the access network device generates the first key, receive second indication information sent by the access network device, where the second indication information carries the identifier of the encryption algorithm used by the access network device to derive the first key.
- the second indication information includes: an initial context setup response or an ERAB setup response.
- the receiving module 702 is further configured to receive the data packet sent by the user equipment when there is no RRC connection between the user equipment and the access network device.
- FIG. 8 is a schematic structural diagram of a communication device of a core network device involved in the above embodiment.
- the apparatus may include: a processing module 801, configured to generate a first key when the access network device performs an access layer security activation process.
- the sending module 802 is configured to send, to the core network device, the first key or an identifier of the encryption algorithm used by the access network device to derive the first key, where the first key is used by the core network device to decrypt the data sent by the user equipment to the core network device.
- the sending module 802 is specifically configured to carry the first key, or the identifier of the encryption algorithm used by the access network device to derive the first key, in an initial context setup response or an ERAB setup response sent to the core network device.
- the device further includes:
- the receiving module 803 is configured to receive a request message sent by the core network device, where the request message is used to request the first key or the identifier of the encryption algorithm.
- the request message includes an initial context setup request or an ERAB setup request.
- FIG. 9 is a schematic structural diagram of hardware of an access network device involved in the foregoing embodiment.
- the access network device includes a communication unit 901, a processor 902, and a memory 903. Individual modules can be connected via a bus.
- the communication unit 901 is configured to support the transmission and reception of information between the access network device and the core network device in the foregoing embodiment.
- the communication unit 901 may be an interface circuit, and may support optical communication between the access network device and the core network device.
- the service data and signaling messages are processed by the processor 902 and sent by the communication unit 901 to the core network device.
- the signal from the core network device is received and demodulated by the communication unit 901, and further processed by the processor 902 to obtain the service data and signaling information transmitted by the core network device.
- the processor 902 also performs the processes involving the access network device in Figures 3 through 6 and/or other processes for the techniques described herein.
- the memory 903 is used to store program codes and data of the access network device.
- the access network device can also include a transceiver 904 for supporting communication between the access network device and the user equipment. For example, it supports the signaling interaction between the access network device and the user equipment during the attach procedure, and further the interaction between them when performing the access layer security activation process; it may also support the transmission and reception of data between the access network device and the user equipment.
- FIG. 10 is a schematic diagram showing the hardware structure of a core network device involved in the foregoing embodiment.
- the core network device includes a communication unit 1001, a processor 1002, and a memory 1003. Individual modules can be connected via a bus.
- the communication unit 1001 is configured to support the transmission and reception of information between the core network device and the access network device in the foregoing embodiment.
- the communication unit 1001 may be an interface circuit, and may support optical communication between the access network device and the core network device.
- during communication between the core network device and the access network device, the service data and signaling messages are processed by the processor 1002 and transmitted by the communication unit 1001 to the access network device.
- the signal from the access network device is received and demodulated by the communication unit 1001, and further processed by the processor 1002 to obtain the service data and signaling information transmitted or forwarded by the access network device.
- the processor 1002 also performs the processes involved in the access network device of Figures 3-6 and/or other processes for the techniques described herein.
- the memory 1003 is configured to store the program code and data of the access network device.
- the core network device communicates with the user equipment through the access network device, and the signaling or data between the core network device and the user equipment may be transparently transmitted through the access network device, or may be sent after being processed by the access network device.
- the processor of the access network device or the core network device in the foregoing embodiment may be a processor or a collective name of multiple processing elements.
- the processor may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more digital signal processors (DSPs) or Field Programmable Gate Arrays (FPGAs).
- the memory of the access network device or the core network device in the foregoing embodiment may be a single storage device or a collective name for a plurality of storage elements, and is used to store executable program code, or the parameters, data and so on required for the operation of the device.
- the memory 903 may include random access memory (RAM), and may also include non-volatile memory such as a magnetic disk memory, a flash memory, or the like.
- the bus of the access network device or the core network device in the above embodiment may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
- the bus can be divided into an address bus, a data bus, a control bus, and the like.
- the embodiment of the present invention further provides a communication system, which includes the access network device and the core network device described in the foregoing embodiments; or the system includes the core network device described in the foregoing aspect.
- the steps of a method or algorithm described in connection with the embodiments disclosed herein can be implemented in hardware, a software module executed by a processor, or a combination of both.
- the software module can be placed in random access memory (RAM), memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Abstract
The embodiments of the invention comprise a communication method and equipment. The method comprises: core network equipment obtains a first key generated when access network equipment executes an access stratum security activation procedure; and after receiving a data packet transmitted by user equipment, the core network equipment decrypts, by utilizing the first key, the data packet. According to the embodiments of the invention, the core network equipment can accurately decrypt, using the key generated during the access stratum security activation procedure executed with the access network equipment, a data packet encrypted by user equipment, reducing the possibility of packet loss, ensuring normal communication between user equipment and a network, and enhancing user experience.
Description
The present invention relates to the field of communications technologies, and in particular to a communication method and device.
At present, owing to the rapid development of intelligent terminals and mobile applications, mobile data traffic has increased dramatically. In order to improve the efficiency of data transmission when a base station sends sparse packets, an RRC (Radio Resource Control) connectionless technology has been proposed. With the RRC connectionless technology, a user equipment (UE) may send user data directly to the core network without establishing an RRC connection with the base station.
When an RRC connection is established, the UE and the base station encrypt data with a negotiated key, which is known only to the UE and the base station. When the UE communicates with the core network device without an RRC connection, the base station releases the UE's context information once the UE enters the idle state, including the key used to transmit data when the RRC connection was established. If the UE still encrypts data with the key from the RRC connection, the network side cannot correctly decrypt the data packet, which may then be discarded; this affects the normal communication of the UE and degrades the user experience.
Summary of the invention
The embodiments of the present invention provide a communication method, device and system, by which the core network device can correctly decrypt a data packet that the user equipment encrypted with the key from the RRC connection, thereby ensuring normal communication of the user equipment and improving the user experience.
In one aspect, the embodiments of the present invention provide a communication method. The method includes: the core network device acquires a first key, which is the key that the access network device needs to generate when performing the access layer security activation process. After receiving a data packet sent by the user equipment, the core network device decrypts the data packet with the first key. In this way the core network device can correctly decrypt a data packet that the user equipment encrypted with the key generated in the access layer security activation process performed with the access network device, which reduces the possibility that the data packet is discarded, ensures normal communication between the user equipment and the network, and improves the user experience.
In a possible design, the core network device acquiring the first key may include: the core network device sends a first request message to the access network device, where the first request message is used to request the first key. After receiving the first request message, the access network device carries the first key generated by the access layer security activation process in a first response message and sends it to the core network device. The core network device receives the first response message sent by the access network device and obtains the first key. Thus the core network device can actively request from the access network device the key generated when the access network device and the user equipment perform the access layer security activation process, and when it receives data sent by the user equipment it decrypts directly with the key obtained from the access network device, ensuring that the user equipment can communicate normally.
In a possible design, the first request message may include an initial context setup request and the first response message may include an initial context setup response; or the first request message may include an access bearer setup request (ERAB setup request) and the first response message may include an access bearer setup response (ERAB setup response). The key is thus acquired by means of responses or requests that already have to be sent in the existing attach procedure, so that at little cost, or without changing the existing procedure structure, the core network device obtains the key generated when the access network device and the user equipment perform the access layer security activation process, ensuring normal communication of the user equipment while reducing cost.
In a possible design, the core network device acquiring the first key may include: when the access network device performs the access layer security activation process and has generated the first key, the access network device actively sends the first key to the core network device in first indication information. The core network device receives the first indication information sent by the access network device, which carries the first key. The first indication information may further instruct the core network device to decrypt the data sent by the user equipment with the first key. Thus the access network device can actively send the first key to the core network device, so that the core network device obtains the first key and can correctly decrypt the data packets sent by the user equipment, ensuring normal communication of the user equipment and improving the user experience.
In a possible design, the first indication information includes an initial context setup response or an access bearer setup response (ERAB setup response). The key is thus acquired by means of responses or requests that already have to be sent in the existing attach procedure, so that at little cost, or without changing the existing procedure structure, the core network device obtains the key generated when the access network device and the user equipment perform the access layer security activation process, ensuring normal communication of the user equipment while reducing cost.
In a possible design, the core network device may send to the access network device a second key generated when performing the non-access stratum security activation process, where the second key is used by the access network device to derive the first key; the core network device acquiring the first key may then include: the core network device acquires the encryption algorithm used to derive the first key, and generates the first key according to the second key and that encryption algorithm. Thus the core network device can generate the first key itself, for example together with the non-access stratum security activation process, so that after receiving an encrypted data packet from the user equipment it can decrypt it with the first key, ensuring normal communication of the user equipment and improving the user experience.
In a possible design, the core network device acquiring the encryption algorithm used to derive the first key may include: the core network device sends a second request message to the access network device, where the second request message is used to request the identifier of the encryption algorithm used by the access network device to derive the first key. After receiving the second request message, the access network device may send the identifier of the encryption algorithm used to derive the first key during the access layer security activation process to the core network device in a second response message. The core network device receives the second response message sent by the access network device and obtains the encryption algorithm used by the access network device to derive the first key. Thus the core network device requests from the access network device the identifier of the encryption algorithm used to derive the first key, and since the core network device also knows the second key, it can further generate the first key, so that after receiving data sent by the user equipment it decrypts with the first key, ensuring normal communication of the user equipment.
Optionally, the second request message may include an initial context setup request and the second response message may include an initial context setup response; or the second request message may include an access bearer setup request (ERAB setup request) and the second response message may include an access bearer setup response (ERAB setup response). The identifier of the encryption algorithm used to derive the first key is thus acquired by means of responses or requests that already have to be sent in the existing attach procedure, so that at little cost, or without changing the existing procedure structure, the core network device obtains the first key, ensuring normal communication of the user equipment while reducing cost.
In a possible design, the core network device acquiring the encryption algorithm used to derive the first key may include: the access network device carries the identifier of the encryption algorithm used to derive the first key during the access layer security activation process in second indication information sent to the core network device. The core network device receives the second indication information sent by the access network device and obtains the encryption algorithm used to derive the first key. Thus the access network device can actively send the identifier of the encryption algorithm used to derive the first key to the core network device, so that the core network device obtains the first key according to that algorithm and can correctly decrypt the data packets sent by the user equipment, ensuring normal communication of the user equipment and improving the user experience.
在一个可能的设计中,上述第二指示信息可以包括:初始上下文设置响应initial context setup response或接入承载建立响应ERAB setup response。通过本发明实施例可以实现,利用现有的附着过程中需要发送的响应或者请求,来实现推演第一密钥的加密算法的标识的获取,这样可以用较小的代价或者不改动现有的流程结构,核心网设备便可以得到第一密钥,确保用户设备正常通信的同时,降低了成本。In a possible design, the foregoing second indication information may include: an initial context setup response or an access bearer setup response ERAB setup response. The embodiment of the present invention can realize that the identifier of the encryption algorithm for deriving the first key is obtained by using the response or request that needs to be sent in the existing attaching process, so that the existing one can be used with little cost or no change. In the process structure, the core network device can obtain the first key to ensure that the user equipment communicates normally while reducing the cost.
In a possible design, when there is no RRC connection between the user equipment and the access network device, the core network device receives the data packet sent by the user equipment and decrypts it with the first key determined by the above method. In this embodiment of the present invention, when there is no RRC connection, or the RRC connection has been released and the access network device has released the context information of the user equipment, the user equipment still encrypts its data with the key generated under the RRC connection, and the encrypted data packet can still be correctly decrypted after it reaches the core network device, ensuring normal communication of the user equipment and improving the user experience.
In another aspect, an embodiment of the present invention provides a communication method, including: when the access network device performs the access stratum security activation procedure, the access network device generates a first key; the access network device sends the first key, or the identifier of the encryption algorithm it used to derive the first key, to the core network device, where the first key is used by the core network device to decrypt data sent by the user equipment.
In a possible design, the access network device sending the first key or the identifier of the encryption algorithm used to derive the first key to the core network device may specifically include: the access network device carries the first key, or the algorithm identifier of the encryption algorithm used to derive the first key, in an initial context setup response or an access bearer setup response (ERAB setup response) sent to the core network device.
In a possible design, before the access network device sends the first key or the identifier of the encryption algorithm used to derive the first key to the core network device, the method may further include: the access network device receives a request message sent by the core network device, where the request message requests the first key or the identifier of the encryption algorithm.
In a possible design, the request message of this aspect may specifically be an initial context setup request or an access bearer setup request (ERAB setup request).
In another aspect, an embodiment of the present invention provides an access network device having the function of implementing the behaviour of the access network device in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
In a possible design, the structure of the access network device includes a processor and a communication unit, where the processor is configured to support the access network device in performing the corresponding functions of the above method, and the communication unit is configured to support communication between the access network device and the core network device and to send the information or instructions involved in the above method to the core network device. The access network device may further include a memory coupled to the processor, which stores the program instructions and data necessary for the access network device.
In yet another aspect, an embodiment of the present invention provides a core network device. The core network device may be a network entity in the core network, such as a mobility management entity (MME), or a gateway (such as a serving gateway (SGW) and/or a packet data network gateway (PGW)). The core network device is configured to decrypt data sent by the user equipment, where the key required for decryption can be obtained by the above method, and the core network device has the function of implementing the behaviour of the core network device in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
In a possible design, the structure of the core network device includes a processor and a communication unit, where the processor is configured to support the core network device in performing the corresponding functions of the above method, and the communication unit is configured to support communication between the core network device and the access network device and to send the information or instructions involved in the above method to the access network device. The core network device may further include a memory coupled to the processor, which stores the program instructions and data necessary for the core network device.
In still another aspect, an embodiment of the present invention provides a communication system, where the system includes the access network device and the core network device of the above aspects; or the system includes the core network device of the above aspect.
In still another aspect, an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by the above access network device, containing a program designed to perform the above aspects.
In still another aspect, an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by the above core network device, containing a program designed to perform the above aspects.
The embodiments provided by the present invention enable the core network device to correctly decrypt data packets that the user equipment encrypted with the key under the RRC connection, ensuring normal communication of the user equipment and improving the user experience.
FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an LTE network architecture;
FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention;
FIG. 4 is a communication diagram of a communication method according to an embodiment of the present invention;
FIG. 5 is a communication diagram of another communication method according to an embodiment of the present invention;
FIG. 6 is a communication diagram of yet another communication method according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another communication apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the hardware structure of an access network device according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the hardware structure of a core network device according to an embodiment of the present invention.
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
In the embodiments of the present invention, the core network device obtains the encryption key of the user equipment's data plane during the user equipment attach procedure. When data sent by the user equipment is transparently forwarded through the access network device to the core network device, the core network can decrypt it with that encryption key, ensuring normal communication between the user equipment and the network and improving the user experience.
FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention. It shows part of the system architecture relevant to the embodiment; as shown in FIG. 1, the system architecture may include a core network device 101, an access network device 102 and a user equipment 103. The user equipment 103 can access the core network device 101 through the access network device 102 to communicate, and can further access the Internet through the core network for Internet communication.
The core network device 101 may be a device that provides user connections, manages users, carries services and, as the bearer network, provides the interface to external networks. Establishing user connections includes functions such as mobility management (MM), call management (CM), switching/routing and recorded announcements (connecting to intelligent network peripherals for intelligent network services). User management includes user description, QoS (Quality of Service), user accounting records, dialogue with the intelligent network platform to provide a virtual home environment, and security (the authentication centre provides the corresponding security measures, covering security management of mobile services and security handling of access to external networks). Bearer connections (access to) include the external PSTN, external circuit-switched data networks and packet data networks, the Internet and intranets, the operator's own SMS server and so on. Basic services the core network can provide include mobile office, e-commerce, communication, entertainment, travel and location-based services, telemetry, simple messaging services (monitoring and control) and so on. Examples in an LTE network are the MME (Mobility Management Entity), the SGW (Serving Gateway) and the P-GW (Packet Data Network Gateway).
For convenience of description, in this application the devices that provide user connections, manage users, carry services and provide the bearer network's interface to external networks are collectively referred to as core network devices, or the MME in an LTE system is taken as the example.
The access network device 102 may be an apparatus deployed in a radio access network to provide wireless communication functions for a UE or WD. It may include macro base stations, micro base stations, relay stations, access points and so on in various forms. In systems using different radio access technologies, the name of a device with base station functions may differ: in an LTE network it is called an evolved NodeB (eNB or eNodeB), in a third-generation (3G) network a Node B, and so on. For convenience of description, in this application the apparatus that provides wireless communication functions for a UE is collectively referred to as an access network device, or the eNB in an LTE system is taken as the example.
The user equipment 103 may include handheld devices, in-vehicle devices, wearable devices and computing devices with wireless communication functions, other processing devices connected to a wireless modem, and user equipment (UE), mobile stations (MS), terminals, terminal equipment and so on in various forms.
The technology described in the present invention can be applied to Long Term Evolution (LTE) systems, or to other wireless communication systems using various radio access technologies, for example systems using code division multiple access, frequency division multiple access, time division multiple access, orthogonal frequency division multiple access, single-carrier frequency division multiple access and other access technologies. It can also be applied to evolutions of the LTE system, such as fifth-generation (5G) systems. For clarity, only the LTE system is used as an example here. FIG. 2 is a schematic diagram of an LTE network architecture, which mainly consists of the UE, the E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and the EPC (Evolved Packet Core). The EPC mainly consists of the MME, P-GW and SGW; it provides the traditional capabilities of a mobile network, such as subscription data storage, mobility management and data switching, and can give users an ultra-high-speed Internet experience. The E-UTRAN may be a network composed of multiple eNBs that implements the radio physical layer, resource scheduling and radio resource management, radio admission control, mobility management and other functions.
The embodiments of the present invention are mainly applicable to the user equipment attach procedure. Attach is the procedure by which the user equipment registers in the network before performing actual services; once attached, the user equipment can receive the services provided by network devices. For convenience of description, the attach procedure of an LTE-based user equipment is used as the example in the embodiments of the present invention.
The LTE-based user equipment attach procedure is introduced further below.
The attach procedure is generally initiated by the user equipment; for example, the user equipment may trigger an attach at power-on, or may need to re-attach after being outside network coverage for a period of time.
The user equipment attach procedure mainly achieves the following purposes:
1. The user equipment and the network devices authenticate each other, and the user equipment establishes a context with the network devices.
2. The network devices establish bearers for the user equipment.
3. The user equipment obtains the IP address allocated by the network devices.
4. The location of the user equipment is registered.
5. The network devices allocate a temporary identity to the user equipment.
And so on.
At the first attach, an RRC connection is established between the UE and the eNB. In the last message of this part, the RRC Connection Setup Complete message, the UE also carries the Attach Request message. After this message reaches the access network device, the eNB sends an Initial UE Message to the MME and places the Attach Request message inside it.
Authentication procedure: the core network device obtains an authentication vector from the HSS (Home Subscriber Server) holding the user's subscription; the authentication vector includes KASME (Key Access Security Management Entity). KASME is used to derive the encryption and integrity protection keys; the related keys can be derived from it.
NAS (non-access stratum) security activation procedure: this procedure establishes the encryption and integrity protection context between the UE and the MME. After it, NAS messages between the MME and the UE are encrypted and integrity protected, securing signalling transfer. The MME selects the algorithms to use and tells the UE their algorithm IDs; the MME and the UE can then each derive the NAS encryption keys from KASME, mainly KNASenc (non-access stratum encryption key) and KNASint (non-access stratum integrity protection key); the MME then also uses KASME to generate KeNB and sends KeNB to the eNB, for the eNB to generate the related keys.
The UE notifies the core network device of the algorithm IDs it supports. For example, the algorithms used by the UE may be as shown in Table 1.
Table 1 LTE system security algorithms
4-bit identifier (binary) | Encryption algorithm | Integrity protection algorithm | Underlying algorithm |
0000 | EEA0 | EEA0 | NULL |
0001 | 128-EEA1 | 128-EEA1 | SNOW 3G |
0010 | 128-EEA2 | 128-EEA2 | AES |
0011 | 128-EEA3 | 128-EEA3 | ZUC |
AS (access stratum) security activation procedure: the preceding NAS security procedure creates the security context between the MME and the UE, that is, the MME and the UE negotiate the same key and encryption algorithm and use them to encrypt and integrity protect the messages exchanged between them. The AS security activation procedure creates the security context between the eNB and the UE, encrypting and integrity protecting the access-part messages exchanged between the eNB and the UE. The eNB selects the encryption algorithm and tells the UE the algorithm ID; the eNB and the UE then each generate the keys required by the access stratum from the corresponding algorithm ID and the KDF, for example KUPenc (user plane encryption key), KRRCenc (RRC signalling message encryption key), KRRCint (RRC signalling integrity protection key) and so on. KUPenc is used to encrypt the user plane between the eNB and the user terminal; KRRCenc and KRRCint are used for encryption and integrity protection of RRC signalling messages between the eNB and the user terminal.
To facilitate understanding of the embodiments of the present invention, they are further explained below with specific embodiments and the accompanying drawings; the embodiments do not limit the embodiments of the present invention.
FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention. The method may specifically include:
S310: the core network device obtains a first key, where the first key is a key generated when the user equipment and the access network device perform the access stratum security activation procedure.
The first key may be the access stratum user plane encryption key, or an encryption key or integrity protection key of the access network control plane; for example, the first key may be any one or more of KUPenc, KRRCenc, KRRCint and so on.
S320: the core network device receives a data packet sent by the user equipment, decrypts it with the first key and obtains the data in the packet.
During communication, the user equipment encrypts its data with the first key and sends it to the core network device; after receiving the encrypted data packet sent by the user equipment, the core network device decrypts it with the first key determined in the above step and obtains the data sent by the user.
In the embodiments of the present invention, the core network device may obtain the first key in the following ways.
Manner 1: the core network device obtains the first key from the access network device.
The core network device may send a request message to the access network device requesting the first key; after performing the security activation procedure and generating the first key, the access network device carries the generated first key in a response message sent to the core network device. For example, the core network device may carry the request in an initial context setup request sent to the access network device, and the access network device may carry the first key in an initial context setup response sent to the core network device; or the core network device may carry the request in an access bearer setup request (ERAB setup request) sent to the access network device, and the access network device may carry the first key in an access bearer setup response (ERAB setup response) sent to the core network device; and so on.
Alternatively, after generating the first key, the access network device may actively send it to the core network device, for example carried in an initial context setup response, an access bearer setup response (ERAB setup response) or a similar message. In addition, the above message may also instruct the core network device to decrypt the data sent by the user equipment with the first key sent by the access network device.
Manner 2: the core network device generates the first key.
The second key that the access network device and the user equipment need in order to generate the first key is generated by the core network device and sent to the access network device; for example, the second key may be KeNB. Generally, the encryption algorithm that the access network device uses to derive the first key in the access stratum security activation procedure is the same as the algorithm that the core network device uses in the non-access stratum security activation procedure to generate its encryption key or integrity protection key, so the core network device can generate the first key directly from the second key and the algorithm that generates the encryption key or integrity protection key.
Manner 3: when the encryption algorithm that the access network device uses to derive the first key in the access stratum security activation procedure differs from the algorithm that the core network device uses in the non-access stratum security activation procedure to generate its encryption key or integrity protection key, the core network device can still generate the first key. From Manner 2, the second key is generated by the core network device, so the core network device only needs to determine the encryption algorithm used to derive the first key in order to generate it.
The identifier of the encryption algorithm used to derive the first key may be provided by the access network device.
The core network device may send a request message to the access network device requesting the identifier of the encryption algorithm used to derive the first key; after performing the access stratum security activation procedure and generating the first key, the access network device carries the identifier of the encryption algorithm used to derive the first key in a response message sent to the core network device. For example, the core network device may carry the request in an initial context setup request sent to the access network device, and the access network device may carry the identifier of the encryption algorithm used to derive the first key in an initial context setup response sent to the core network device; or the core network device may carry the request in an access bearer setup request (ERAB setup request) sent to the access network device, and the access network device may carry the identifier of the encryption algorithm used to derive the first key in an access bearer setup response (ERAB setup response) sent to the core network device.
Alternatively, when performing the access stratum security activation procedure, the access network device may actively send the identifier of the encryption algorithm it used to derive the first key to the core network device, for example carried in an initial context setup response or an access bearer setup response (ERAB setup response). In addition, the above response information may instruct the core network device to decrypt the data packets sent by the user equipment with the first key; or, without any instruction from the access network device, the core network device may decrypt the data packets sent by the user equipment directly on receiving them.
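The derivation behind Manners 2 and 3 (and behind the AS security activation procedure described earlier) can be made concrete with a short worked example. The code below is an added illustration, not code from the patent or from any 3GPP implementation. It assumes the algorithm-key derivation rule of 3GPP TS 33.401 Annex A.7, which the page does not spell out: the KDF is HMAC-SHA-256 keyed with KeNB over the string FC || P0 || L0 || P1 || L1 (FC = 0x15, P0 = algorithm type distinguisher, P1 = the 4-bit algorithm identity from Table 1, L0 = L1 = 0x00 0x01), and the 128 least significant bits of the output form the key. The KeNB value is constructed for the example, and the initial context setup response is modelled as a plain dictionary rather than an S1AP message. It shows that the core network device, which already holds KeNB, reproduces the eNB's KUPenc exactly when it knows the eNB's algorithm identifier, and gets a different key if it merely assumes the NAS algorithm (the situation Manner 3 addresses).

```python
import hashlib
import hmac

# Constants from 3GPP TS 33.401 Annex A.7 (assumption: not quoted on the page).
FC_ALGORITHM_KEY = 0x15
ALG_TYPE_DISTINGUISHER = {
    "NAS-enc": 0x01,
    "NAS-int": 0x02,
    "RRC-enc": 0x03,
    "RRC-int": 0x04,
    "UP-enc": 0x05,
}

# 4-bit algorithm identities from Table 1 of the page.
ALG_ID = {"EEA0": 0x0, "128-EEA1": 0x1, "128-EEA2": 0x2, "128-EEA3": 0x3}


def kdf_string(alg_type: str, alg_id: int) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 for an algorithm key derivation."""
    if not 0 <= alg_id <= 0xF:
        raise ValueError("algorithm identity must fit in 4 bits")
    p0 = ALG_TYPE_DISTINGUISHER[alg_type]
    return bytes([FC_ALGORITHM_KEY, p0, 0x00, 0x01, alg_id, 0x00, 0x01])


def derive_algorithm_key(k_enb: bytes, alg_type: str, alg_id: int,
                         key_bits: int = 128) -> bytes:
    """KDF = HMAC-SHA-256(KeNB, S); the key_bits least significant bits are the key."""
    if len(k_enb) != 32:
        raise ValueError("KeNB must be 256 bits")
    full = hmac.new(k_enb, kdf_string(alg_type, alg_id), hashlib.sha256).digest()
    return full[-(key_bits // 8):]


def enb_as_security_activation(k_enb: bytes, chosen_alg: str):
    """eNB side: pick the UP ciphering algorithm, derive KUPenc, and report the
    algorithm identity to the MME (modelled initial context setup response)."""
    k_upenc = derive_algorithm_key(k_enb, "UP-enc", ALG_ID[chosen_alg])
    response = {"message": "initial context setup response",
                "up_enc_alg_id": ALG_ID[chosen_alg]}
    return k_upenc, response


def mme_obtain_first_key(k_enb: bytes, response: dict) -> bytes:
    """Core network side (Manner 3): regenerate KUPenc from its own KeNB and the
    algorithm identity carried in the eNB's response."""
    return derive_algorithm_key(k_enb, "UP-enc", response["up_enc_alg_id"])


def demo():
    # Constructed KeNB for the example; a real KeNB comes from KASME.
    k_enb = hashlib.sha256(b"constructed KeNB for the example").digest()
    enb_key, response = enb_as_security_activation(k_enb, "128-EEA2")
    mme_key = mme_obtain_first_key(k_enb, response)
    # Manner 2 assumption: MME reuses its NAS algorithm (here 128-EEA1) without asking.
    assumed_key = derive_algorithm_key(k_enb, "UP-enc", ALG_ID["128-EEA1"])
    return enb_key == mme_key, assumed_key == enb_key


if __name__ == "__main__":
    matched, assumption_held = demo()
    print("MME key matches eNB key using reported algorithm id:", matched)
    print("MME key matches eNB key when NAS algorithm is assumed:", assumption_held)
```

Only the algorithm identity and the type distinguisher enter the derivation string, which is why the page can treat "send the key" and "send the algorithm identifier" as interchangeable for a core network device that already holds KeNB: the identifier is one nibble of signalling, whereas the key itself is 128 bits of secret material that otherwise never has to leave the eNB.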
需要说明的是,上述“请求消息”,“响应消息”或“指示信息”等仅是以携带在现有命令或消息中为例进行描述,在具体实施过程中,也可以携带在其他的命令或消息中,还可以单独的发送具有上述“请求消息”,“响应消息”或“指示信息”功能的消息或命令。It should be noted that the foregoing "request message", "response message" or "instruction information" and the like are only described as being carried in an existing command or message, and may be carried in other commands in a specific implementation process. Or in the message, a message or command having the above-mentioned "request message", "response message" or "instruction information" function may also be separately transmitted.
With the communication method provided by the embodiment of the present invention, a data packet encrypted with the key negotiated between the user equipment and the access network device can be decrypted at the core network device. Consequently, after the RRC connection is released, or when there is no RRC connection, data that the user equipment encrypts with the key generated when the RRC connection was established can still be decrypted after being sent to the core network device. This guarantees normal communication, improves the user experience, and requires no major change to the user equipment's communication flow.
The embodiment of the present invention is described in more detail below with reference to the accompanying drawings, taking the attach procedure of an LTE system as an example. The first key is exemplified by KUPenc, the access network device by an eNB, and the core network device by an MME.
As shown in FIG. 4, the first key may be obtained while the access network device performs the access stratum security activation process, as follows.
The UE triggers the attach procedure; the RRC setup procedure, authentication procedure, non-access stratum security activation procedure, location update procedure and so on are carried out according to the existing flow.
401. The MME sends an initial context setup request to the eNB, notifying the eNB to perform initial context setup; the request carries a request to obtain the access stratum user plane encryption key KUPenc.
402. The eNB and the UE perform the access stratum security activation process.
Specifically, the eNB sends a security mode command to the UE. On receiving the message, the UE derives keys, including KUPenc, according to the encryption algorithm indicated in the message.
The UE then sends a security mode complete message to the eNB.
At the same time, the eNB generates the same key KUPenc.
403. The eNB sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to the UE, which includes the attach accept message and the bearer-related context. The UE sends an RRC connection reconfiguration complete message (RRCConnectionReconfigurationComplete) to the eNB.
404. The eNB sends an initial context setup response to the MME; the response carries KUPenc.
405. The UE encrypts a data packet with KUPenc and sends it transparently through the eNB to the MME; the MME decrypts it with KUPenc to obtain the data transmitted by the UE.
The process by which the MME obtains the identifier of the encryption algorithm used to derive the first key may be similar to the process shown in FIG. 4: for example, the initial context setup request may carry a request for the identifier of the encryption algorithm used to derive KUPenc, and the initial context setup response may carry that identifier, so that the identifier of the KUPenc generation algorithm is obtained. The two processes can be understood with reference to each other. After obtaining the identifier of the encryption algorithm used to derive KUPenc, the MME generates KUPenc from KASME and KeNB using that encryption algorithm. When the MME receives a data packet sent by the UE, it decrypts the packet with KUPenc to obtain the data it contains.
As shown in FIG. 5, the first key may be obtained while the access network device performs the bearer setup process, as follows.
The UE triggers the attach procedure; the RRC setup procedure, authentication procedure, non-access stratum security activation procedure, location update procedure, access stratum security activation procedure and so on are carried out according to the existing flow. During the access stratum security activation process, the UE and the eNB generate KUPenc.
501. The MME sends an ERAB setup request to the eNB, requesting that an ERAB bearer be established for the user equipment; the request carries a request to obtain the access stratum user plane encryption key KUPenc.
502. The eNB performs the ERAB bearer setup procedure with the UE and sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to notify the UE.
503. The UE responds to the eNB with an RRC connection reconfiguration complete message (RRCConnectionReconfigurationComplete).
504. The eNB sends an ERAB setup response to the MME, confirming that the UE's ERAB bearer has been established; the response carries KUPenc.
505. During data transmission, the UE encrypts a data packet with KUPenc and sends it transparently through the eNB to the MME; the MME decrypts it with KUPenc to obtain the data transmitted by the UE.
The process of obtaining the identifier of the encryption algorithm used to derive the first key may be similar to the process shown in FIG. 5: for example, the ERAB setup request may carry a request for the identifier of the encryption algorithm used to generate KUPenc, and the ERAB setup response may carry that identifier, so that the identifier of the KUPenc generation algorithm is obtained. The two processes can be understood with reference to each other. After obtaining the identifier of the encryption algorithm used to generate KUPenc, the MME generates KeNB from KASME and then generates KUPenc using that encryption algorithm. When the MME receives a data packet sent by the UE, it decrypts the packet with KUPenc to obtain the data it contains.
As shown in FIG. 6, the first key may be generated by the MME, for example during the non-access stratum security activation process performed by the MME. This case applies when the encryption algorithm the MME uses to generate encryption keys in the non-access stratum security activation process is the same as the encryption algorithm the eNB uses to generate encryption keys in the access stratum security activation process.
The UE triggers the attach procedure; the RRC setup procedure, authentication procedure and so on are carried out according to the foregoing flow.
In the non-access stratum security activation process, after the UE and the MME generate KNASenc and KNASint from KASME, the MME goes on to derive KeNB.
601. From KeNB and the encryption algorithm used to derive KNASenc or KNASint, the MME goes on to generate any one or more of KUPenc, KRRCenc, KRRCint and KENB+.
602. During data transmission, the UE encrypts a data packet with KUPenc and sends it to the MME.
603. After receiving the encrypted data packet sent by the UE, the MME decrypts it with KUPenc.
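The key derivations behind the FIG. 4, FIG. 5 and FIG. 6 procedures (the MME rebuilding KeNB from KASME, then KUPenc from KeNB and the eNB's algorithm identifier), as an added Python example that is not part of the patent. It follows the KDF format of 3GPP TS 33.401 Annex A, which the patent does not reproduce; the KASME value, the NAS COUNT, the algorithm choices and all function names are constructed for this example, and the last scenario shows why the FIG. 6 variant only works when NAS and AS use the same encryption algorithm.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Algorithm type distinguishers (3GPP TS 33.401 Table A.7-1).
NAS_ENC_ALG = 0x01
UP_ENC_ALG = 0x05

# Encryption algorithm identities as carried in the 4-bit algorithm id field.
EEA = {"EEA0": 0x0, "EEA1": 0x1, "EEA2": 0x2, "EEA3": 0x3}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.401 Annex A.1: HMAC-SHA-256(key, S) with
    S = FC || P0 || L0 || P1 || L1 ..., Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """KeNB = KDF(KASME, FC=0x11, uplink NAS COUNT as 4 bytes) (Annex A.3)."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm key = 128 least significant bits of KDF(parent, FC=0x15, type, id)
    (Annex A.7). The same routine yields KNASenc (parent KASME, type 0x01) and
    KUPenc (parent KeNB, type 0x05); only the parent key and the parameters differ."""
    if not 0 <= alg_id <= 0xF:
        raise ValueError("algorithm identity is a 4-bit value")
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def enb_as_security_activation(kenb: bytes, alg: str) -> Tuple[bytes, int]:
    """eNB side of step 402 (constructed helper): derive KUPenc for the algorithm
    selected in the security mode command and return it together with the algorithm
    identity the eNB reports to the MME in the initial context setup / ERAB setup response."""
    return derive_alg_key(kenb, UP_ENC_ALG, EEA[alg]), EEA[alg]


def mme_derive_kupenc(kasme: bytes, ul_nas_count: int, alg_id: int) -> bytes:
    """MME side (constructed helper): rebuild KeNB (the 'second key') from KASME,
    then derive KUPenc with whatever algorithm identity the MME holds."""
    return derive_alg_key(derive_kenb(kasme, ul_nas_count), UP_ENC_ALG, alg_id)


def run_scenarios() -> Dict[str, object]:
    """Constructed sample values; reports whether the MME's KUPenc equals the eNB's."""
    kasme = hashlib.sha256(b"constructed KASME for the example").digest()  # 256 bits
    ul_nas_count = 1
    nas_alg = "EEA2"   # chosen by the MME in the NAS security mode command
    as_alg = "EEA1"    # chosen by the eNB in the AS security mode command (may differ)

    # NAS security activation: UE and MME derive KNASenc; the MME also derives KeNB.
    knasenc = derive_alg_key(kasme, NAS_ENC_ALG, EEA[nas_alg])
    kenb = derive_kenb(kasme, ul_nas_count)

    # AS security activation at the eNB, which received KeNB from the MME.
    enb_kupenc, reported_id = enb_as_security_activation(kenb, as_alg)

    # FIG. 4 / FIG. 5 variant: the eNB signals its algorithm id and the MME derives KUPenc.
    via_signalled_id = mme_derive_kupenc(kasme, ul_nas_count, reported_id)

    # FIG. 6: the MME reuses the NAS algorithm id without asking the eNB. The result
    # matches only when NAS and AS use the same encryption algorithm, as the page states.
    via_nas_id = mme_derive_kupenc(kasme, ul_nas_count, EEA[nas_alg])

    return {
        "signalled_id_matches": hmac.compare_digest(via_signalled_id, enb_kupenc),
        "nas_id_matches": hmac.compare_digest(via_nas_id, enb_kupenc),
        "nas_and_as_alg_equal": nas_alg == as_alg,
        "kupenc_len": len(enb_kupenc),
        "knasenc_differs_from_kupenc": knasenc != enb_kupenc,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```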
The solution provided by the embodiment of the present invention has been introduced above mainly from the perspective of the interaction between network elements. It can be understood that each network element, such as the user equipment, the access network device and the core network device, includes the hardware structures and/or software modules corresponding to each function in order to implement the functions above. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present invention can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
The embodiment of the present invention is further described below with reference to the accompanying drawings, taking an implementation by virtual apparatus as an example.
FIG. 7 is a schematic structural diagram of the communication apparatus of the access network device involved in the foregoing embodiment.
The apparatus may include:
a processing module 701, configured to obtain a first key, where the first key is a key generated when the access network device performs the access stratum security activation process; and
a receiving module 702, configured to receive a data packet sent by the user equipment and decrypt the data packet using the first key.
Optionally, the apparatus may further include a sending module 703, configured to send a first request message to the access network device, where the first request message requests the first key; and
the receiving module 702 is further configured to receive, after the access network device generates the first key, a first response message sent by the access network device, where the first response message carries the first key.
Optionally, the first request message includes an initial context setup request and the first response message includes an initial context setup response; or the first request message includes an access bearer setup request (ERAB setup request) and the first response message includes an access bearer setup response (ERAB setup response).
Optionally, the receiving module 702 is further configured to receive, after the access network device generates the first key, first indication information sent by the access network device, where the first indication information carries the first key.
Optionally, the first indication information includes an initial context setup response or an ERAB setup response.
Optionally, the sending module 703 is further configured to send to the access network device a second key generated by the core network device while the core network device performs the non-access stratum security activation process;
the processing module 701 is further configured to determine the encryption algorithm used by the access network device to derive the first key; and
the processing module 701 is further configured to generate the first key according to the second key and the encryption algorithm.
Optionally, the sending module 703 is further configured to send a second request message to the access network device, where the second request message requests the identifier of the encryption algorithm used by the access network device to derive the first key; and
the receiving module 702 is further configured to receive, after the access network device generates the first key, a second response message sent by the access network device, where the second response message carries the identifier of the encryption algorithm.
Optionally, the second request message includes an initial context setup request and the second response message includes an initial context setup response; or the second request message includes an access bearer setup request (ERAB setup request) and the second response message includes an access bearer setup response (ERAB setup response).
Optionally, the receiving module 702 is further configured to receive, after the access network device generates the first key, second indication information sent by the access network device, where the second indication information carries the identifier of the encryption algorithm used by the access network device to derive the first key.
Optionally, the second indication information includes an initial context setup response or an ERAB setup response.
Optionally, the receiving module 702 is further configured to receive the data packet sent by the user equipment when there is no radio resource control (RRC) connection.
FIG. 8 is a schematic structural diagram of the communication apparatus of the core network device involved in the foregoing embodiment.
The apparatus may include a processing module 801, configured to generate a first key when the access network device performs the access stratum security activation process; and
a sending module 802, configured to send the first key, or the identifier of the encryption algorithm used by the access network device to derive the first key, to the core network device, where the first key is used by the core network device to decrypt data sent by the user equipment to the core network device.
Optionally, the sending module 802 is specifically configured to carry the first key, or the algorithm identifier of the encryption algorithm used by the access network device to derive the first key, in an initial context setup response or an ERAB setup response sent to the core network device.
Optionally, the apparatus further includes:
a receiving module 803, configured to receive a request message sent by the core network device, where the request message requests the first key or the identifier of the encryption algorithm.
Optionally, the request message includes an initial context setup request or an ERAB setup request.
The embodiment of the present invention is further described below with reference to the accompanying drawings, taking an implementation by hardware structure as an example.
FIG. 9 is a schematic diagram of the hardware structure of the access network device involved in the foregoing embodiment.
The access network device includes a communication unit 901, a processor 902 and a memory 903, which may be connected by a bus. The communication unit 901 supports sending and receiving information between the access network device and the core network device of the foregoing embodiment; for example, the communication unit 901 may be an interface circuit supporting optical communication between the access network device and the core network device. Service data and signaling messages are processed by the processor 902 and sent to the core network device by the communication unit 901. Signals from the core network device are received and demodulated by the communication unit 901 and further processed by the processor 902 to obtain the service data and signaling information sent by the core network device. The processor 902 also performs the processes involving the access network device in FIG. 3 to FIG. 6 and/or other processes for the techniques described in this application. The memory 903 stores the program code and data of the access network device. In addition, the access network device may include a transceiver 904 supporting communication between the access network device and the user equipment: for example, the signaling exchange between the access network device and the user equipment during the attach procedure and, further, during the access stratum security activation process, as well as the sending and receiving of data between the access network device and the user equipment.
FIG. 10 is a schematic diagram of the hardware structure of the core network device involved in the foregoing embodiment.
The core network device includes a communication unit 1001, a processor 1002 and a memory 1003, which may be connected by a bus. The communication unit 1001 supports sending and receiving information between the core network device and the access network device of the foregoing embodiment; for example, the communication unit 1001 may be an interface circuit supporting optical communication between the access network device and the core network device. During communication between the core network device and the access network device, service data and signaling messages are processed by the processor 1002 and sent to the access network device by the communication unit 1001. Signals from the access network device are received and demodulated by the communication unit 1001 and further processed by the processor 1002 to obtain the service data and signaling information sent or forwarded by the access network device. The processor 1002 also performs the processes involving the access network device in FIG. 3 to FIG. 6 and/or other processes for the techniques described in this application. The memory 1003 stores the program code and data of the access network device. The core network device communicates with the user equipment through the access network device; signaling or data between the core network device and the user equipment may be passed transparently through the access network device, or may be processed by the access network device before being forwarded.
It should be noted that the processor of the access network device or the core network device in the foregoing embodiment may be a single processor or a collective name for multiple processing elements. For example, the processor may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the present invention, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
The memory of the access network device or the core network device in the foregoing embodiment may be a single storage device or a collective name for multiple storage elements, and is used to store executable program code or the parameters, data and so on required for the operation of the access network management device. The memory 903 may include random access memory (RAM) and may also include non-volatile memory, such as magnetic disk storage or flash memory.
The bus of the access network device or the core network device in the foregoing embodiment may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on.
The embodiment of the present invention further provides a communication system, which includes the access network device and the core network device described in the foregoing embodiment; or the system includes the core network device described in the foregoing aspect.
A person skilled in the art should further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (30)
- 1. A communication method, comprising: a core network device obtaining a first key, the first key being a key generated when an access network device performs an access stratum security activation process; and the core network device receiving a data packet sent by user equipment and decrypting the data packet using the first key.
- 根据权利要求1所述的方法,其特征在于,所述核心网设备获取第一密钥包括:The method according to claim 1, wherein the acquiring, by the core network device, the first key comprises:所述核心网设备向所述接入网设备发送第一请求消息,所述第一请求消息用于请求所述第一密钥;Sending, by the core network device, a first request message to the access network device, where the first request message is used to request the first key;在所述接入网设备生成所述第一密钥后,所述核心网设备接收所述接入网设备发送的第一响应消息,所述第一响应消息携带有所述第一密钥。After the access network device generates the first key, the core network device receives a first response message sent by the access network device, where the first response message carries the first key.
- 3. The method according to claim 2, wherein the first request message comprises an initial context setup request and the first response message comprises an initial context setup response; or the first request message comprises an access bearer setup request (ERAB setup request) and the first response message comprises an access bearer setup response (ERAB setup response).
- 根据权利要求1所述的方法,其特征在于,所述核心网设备获取第一密钥包括:The method according to claim 1, wherein the acquiring, by the core network device, the first key comprises:在所述接入网设备生成第一密钥后,所述核心网设备接收所述接入网设备发送的第一指示信息,所述第一指示信息携带有所述第一密钥。After the access network device generates the first key, the core network device receives the first indication information sent by the access network device, where the first indication information carries the first key.
- 5. The method according to claim 4, wherein the first indication information comprises an initial context setup response or an access bearer setup response (ERAB setup response).
- 6. The method according to claim 1, further comprising: while the core network device performs a non-access stratum security activation process, the core network device generating a second key and sending it to the access network device, the second key being used by the access network device to derive the first key; wherein the core network device obtaining the first key comprises: the core network device obtaining the encryption algorithm used by the access network device to derive the first key; and the core network device generating the first key according to the second key and the encryption algorithm.
- 根据权利要求6所述的方法,其特征在于,所述核心网设备获取所述接入网设备推演第一密钥所使用的加密算法包括:The method according to claim 6, wherein the encryption algorithm used by the core network device to obtain the derivation of the first key by the access network device comprises:所述核心网设备向所述接入网设备发送第二请求消息,所述第二请求消息用于请求所述接入网设备推演第一密钥所使用的加密算法的标识;The core network device sends a second request message to the access network device, where the second request message is used to request the access network device to derive an identifier of an encryption algorithm used by the first key;在所述接入网设备生成第一密钥后,所述核心网设备接收所述接入网设备发送的第二响应消息,所述第二响应消息携带有所述加密算法的标识。After the access network device generates the first key, the core network device receives the second response message sent by the access network device, where the second response message carries the identifier of the encryption algorithm.
- 8. The method according to claim 7, wherein the second request message comprises an initial context setup request and the second response message comprises an initial context setup response; or the second request message comprises an access bearer setup request (ERAB setup request) and the second response message comprises an access bearer setup response (ERAB setup response).
- 根据权利要求6所述的方法,其特征在于,所述核心网设备获取接入网设备推演第一密钥所使用的加密算法包括:The method according to claim 6, wherein the encryption algorithm used by the core network device to obtain the derivation of the first key by the access network device comprises:在所述接入网设备生成所述第一密钥后,所述核心网设备接收所述接入网设备发送的第二指示信息,所述第二指示信息携带有所述接入网设备推演第一密钥所使用的加密算法的标识。After the access network device generates the first key, the core network device receives the second indication information sent by the access network device, where the second indication information carries the access network device derivation The identifier of the encryption algorithm used by the first key.
- 10. The method according to claim 9, wherein the second indication information comprises an initial context setup response or an access bearer setup response (ERAB setup response).
- 11. The method according to any one of claims 1 to 10, wherein the core network device receiving the data packet sent by the user equipment comprises: when there is no radio resource control (RRC) connection, the core network device receiving the data packet sent by the user equipment.
- A communication method, comprising: when an access network device performs an access stratum (AS) security activation process, the access network device generating a first key; and the access network device sending the first key, or the identifier of the encryption algorithm it used to derive the first key, to a core network device, where the first key is used by the core network device to decrypt data sent by a user equipment to the core network device.
- The method according to claim 12, wherein the access network device sending the first key or the identifier of the encryption algorithm it used to derive the first key to the core network device comprises: the access network device carrying the first key or the algorithm identifier of the encryption algorithm in an initial context setup response or an access bearer setup response (ERAB setup response) and sending it to the core network device.
- The method according to claim 12 or 13, further comprising, before the access network device sends the first key or the identifier of the encryption algorithm used to derive the first key to the core network device: the access network device receiving a request message sent by the core network device, where the request message is used to request the first key or the identifier of the encryption algorithm.
- The method according to claim 14, wherein the request message comprises an initial context setup request or an access bearer setup request (ERAB setup request).
- A core network device, comprising: a communication unit, configured to receive a data packet sent by a user equipment; and a processor, configured to acquire a first key, where the first key is a key generated when an access network device performs an access stratum (AS) security activation process; the processor being further configured to decrypt the data packet using the first key.
- The device according to claim 16, wherein the communication unit is further configured to send a first request message to the access network device, where the first request message is used to request the first key; and the communication unit is further configured to receive, after the access network device generates the first key, a first response message sent by the access network device, where the first response message carries the first key.
- The device according to claim 17, wherein the first request message comprises an initial context setup request and the first response message comprises an initial context setup response; or the first request message comprises an access bearer setup request (ERAB setup request) and the first response message comprises an access bearer setup response (ERAB setup response).
- The device according to claim 16, wherein the communication unit is further configured to receive, after the access network device generates the first key, first indication information sent by the access network device, where the first indication information carries the first key.
- The device according to claim 19, wherein the first indication information comprises an initial context setup response or an access bearer setup response (ERAB setup response).
- The device according to claim 16, wherein: the processor is further configured to generate a second key during a non-access stratum (NAS) security activation process performed by the core network device, where the second key is used by the access network device to derive the first key; the communication unit is further configured to send the second key to the access network device; and the processor is specifically configured to acquire the encryption algorithm used by the access network device to derive the first key, and to generate the first key according to the second key and the encryption algorithm.
- The device according to claim 21, wherein the communication unit is further configured to send a second request message to the access network device, where the second request message is used to request the identifier of the encryption algorithm used by the access network device to derive the first key; and the communication unit is further configured to receive, after the access network device generates the first key, a second response message sent by the access network device, where the second response message carries the identifier of the encryption algorithm.
- The device according to claim 22, wherein the second request message comprises an initial context setup request and the second response message comprises an initial context setup response; or the second request message comprises an access bearer setup request (ERAB setup request) and the second response message comprises an access bearer setup response (ERAB setup response).
- The device according to claim 21, wherein the communication unit is further configured to receive, after the access network device generates the first key, second indication information sent by the access network device, where the second indication information carries the identifier of the encryption algorithm used by the access network device to derive the first key.
- The device according to claim 24, wherein the second indication information comprises an initial context setup response or an access bearer setup response (ERAB setup response).
- The device according to any one of claims 16 to 25, wherein the communication unit is specifically configured to receive the data packet sent by the user equipment when there is no Radio Resource Control (RRC) connection.
- An access network device, comprising: a processor, configured to generate a first key when the access network device performs an access stratum (AS) security activation process; and a communication unit, configured to send the first key, or the identifier of the encryption algorithm used by the access network device to derive the first key, to a core network device, where the first key is used by the core network device to decrypt data sent by a user equipment to the core network device.
- The device according to claim 27, wherein the communication unit is further configured to carry the first key or the identifier of the encryption algorithm in an initial context setup response or an access bearer setup response (ERAB setup response) and send it to the core network device.
- The device according to claim 27 or 28, wherein the communication unit is further configured to receive a request message sent by the core network device, where the request message is used to request the first key or the identifier of the encryption algorithm.
- The device according to claim 29, wherein the request message comprises an initial context setup request or an access bearer setup request (ERAB setup request).
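The claims above give the core network device two ways to come into possession of the access stratum key that the user equipment keeps using for connectionless data: the access network device returns the key itself in the initial context setup response (claims 16 to 20 and 27 to 30), or it returns only the identifier of the encryption algorithm it selected and the core network re-derives the key from the second key it already holds (claims 7 to 10 and 21 to 25). The Python model below is an added example, not code from the patent or its applicant. It assumes that the second key is KeNB, that the first key is the 128-bit user-plane encryption key obtained from KeNB and the algorithm identity with the KDF of 3GPP TS 33.401 Annex A.7 (the specification listed under the non-patent citations), and that the S1 messages are plain dictionaries; the class names, the `wants` field and the `demo()` helper are illustrative.

```python
import hashlib
import hmac
import os

# Constants from 3GPP TS 33.401 Annex A.7 (algorithm key derivation).
FC_ALGORITHM_KEY = 0x15      # FC value selecting the algorithm-key derivation
ALG_TYPE_UP_ENC = 0x05       # P0: algorithm type distinguisher for UP encryption

# Encryption algorithm identities as carried in the 4-bit algorithm ID field.
EEA_IDS = {"EEA0": 0x00, "128-EEA1": 0x01, "128-EEA2": 0x02, "128-EEA3": 0x03}


def derive_algorithm_key(kenb: bytes, alg_type: int, alg_id: int) -> bytes:
    """KDF of TS 33.401 A.7: HMAC-SHA-256(KeNB, FC||P0||L0||P1||L1); the
    128 least significant bits (last 16 bytes of the 32-byte output) are the
    128-bit algorithm key."""
    s = (bytes([FC_ALGORITHM_KEY, alg_type]) + b"\x00\x01"
         + bytes([alg_id]) + b"\x00\x01")
    return hmac.new(kenb, s, hashlib.sha256).digest()[16:]


class AccessNetworkDevice:
    """Holds the second key (KeNB) handed over by the core network and the
    encryption algorithm it selected for the UE (both constructed inputs)."""

    def __init__(self, kenb: bytes, alg_name: str):
        self.kenb = kenb
        self.alg_id = EEA_IDS[alg_name]
        self.first_key = None

    def on_initial_context_setup_request(self, request: dict) -> dict:
        # AS security activation: the access network derives the first key.
        self.first_key = derive_algorithm_key(self.kenb, ALG_TYPE_UP_ENC, self.alg_id)
        response = {"msg": "initial context setup response"}
        if request.get("wants") == "first_key":        # claims 16-20: key itself
            response["first_key"] = self.first_key
        elif request.get("wants") == "algorithm_id":   # claims 7-10, 21-25: id only
            response["algorithm_id"] = self.alg_id
        return response


class CoreNetworkDevice:
    def __init__(self):
        # Second key generated during NAS security activation (constructed here).
        self.kenb = os.urandom(32)

    def obtain_first_key_directly(self, an: AccessNetworkDevice) -> bytes:
        resp = an.on_initial_context_setup_request(
            {"msg": "initial context setup request", "wants": "first_key"})
        return resp["first_key"]

    def obtain_first_key_by_derivation(self, an: AccessNetworkDevice) -> bytes:
        resp = an.on_initial_context_setup_request(
            {"msg": "initial context setup request", "wants": "algorithm_id"})
        # The core network never receives the key over S1; it recomputes it from
        # the second key it generated and the algorithm id it was told.
        return derive_algorithm_key(self.kenb, ALG_TYPE_UP_ENC, resp["algorithm_id"])


def demo(alg_name: str = "128-EEA2") -> dict:
    """Run both acquisition paths and return the keys each side ends up with."""
    cn = CoreNetworkDevice()
    an = AccessNetworkDevice(cn.kenb, alg_name)   # second key handed to the AN
    direct = cn.obtain_first_key_directly(an)
    derived = cn.obtain_first_key_by_derivation(an)
    return {"direct": direct, "derived": derived, "an_key": an.first_key}


if __name__ == "__main__":
    keys = demo()
    print({name: key.hex() for name, key in keys.items()})
```

The derivation path is the one that matters for a reviewer: the user-plane key never crosses the S1 interface, and the core network can only reproduce it if it still holds the same KeNB the access network used. A core network that re-derives with a KeNB from a later NAS security activation, while the UE still encrypts with the key from the earlier RRC connection, will simply fail to decrypt, which is the failure mode the background section describes.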
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/072818 WO2017128306A1 (en) | 2016-01-29 | 2016-01-29 | Communication method and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017128306A1 true WO2017128306A1 (en) | 2017-08-03 |
Family
ID=59397226
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2017128306A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101931953A (en) * | 2010-09-20 | 2010-12-29 | 中兴通讯股份有限公司 | Method and system for generating safety key bound with device |
US20120039464A1 (en) * | 2009-05-04 | 2012-02-16 | Zte Corporation | Emergency call-based security algorithm negotiation method and apparatus |
CN102595390A (en) * | 2011-01-18 | 2012-07-18 | 中兴通讯股份有限公司 | Safe-mode configuration method and terminal |
CN103081522A (en) * | 2010-08-16 | 2013-05-01 | 株式会社Ntt都科摩 | Mobile communication method, relay node and wireless base station |
US20130201924A1 (en) * | 2012-02-07 | 2013-08-08 | Qualcomm Incorporated | Data radio bearer (drb) enhancements for small data transmissions apparatus, systems, and methods |
Non-Patent Citations (1)
Title |
---|
"Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE)", ETSI TS 133.401, 14 January 2016 (2016-01-14), pages 27-47 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111866967A (en) * | 2019-04-29 | 2020-10-30 | 华为技术有限公司 | Switching processing method and device |
CN113596789A (en) * | 2020-04-30 | 2021-11-02 | 维沃移动通信有限公司 | Device interaction method and core network device |
CN112788594A (en) * | 2020-06-03 | 2021-05-11 | 中兴通讯股份有限公司 | Data transmission method, device and system, electronic equipment and storage medium |
CN112788594B (en) * | 2020-06-03 | 2023-06-27 | 中兴通讯股份有限公司 | Data transmission method, device and system, electronic equipment and storage medium |
CN113301566A (en) * | 2021-05-25 | 2021-08-24 | 广州瀚信通信科技股份有限公司 | Two-standard four-real data security access system based on 5G edge calculation |
CN113301566B (en) * | 2021-05-25 | 2022-07-12 | 广州瀚信通信科技股份有限公司 | Two-standard four-real data security access system based on 5G edge calculation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16887190; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16887190; Country of ref document: EP; Kind code of ref document: A1 |