WO2024095485A1 - Authentication security device, terminal, communication system, and communication method - Google Patents

Abstract

This authentication security device comprises: a control unit that generates a request message that includes a command, an authentication request, and a security mode instruction, on the basis of information, which pertains to a terminal, acquired from a management device; a transmitting unit that transmits the request message to the terminal; and a receiving unit that receives, from the terminal, a response message that includes data acquired in accordance with the command and an authentication response generated in accordance with the authentication request, the response message being subjected to integrity protection and encrypted on the basis of authentication information previously held by the terminal. The control unit verifies the authentication response included in the response message and extracts the data when the authentication of the terminal is successful.

Description

AUTHENTICATION SECURITY DEVICE, TERMINAL, COMMUNICATION SYSTEM, AND COMMUNICATION METHOD

The present invention relates to technology for secure communication.

3GPP (registered trademark) (3rd Generation Partnership Project) is currently studying a wireless communication method called 5G or NR (New Radio) (hereinafter, this wireless communication method will be referred to as "5G" or "NR") in order to achieve even larger system capacity, even faster data transmission speeds, and even lower latency in wireless sections. In 5G, various wireless technologies are being studied to meet the requirements of achieving a throughput of 10 Gbps or more while keeping latency in wireless sections to 1 ms or less (for example, Non-Patent Document 1).

In addition, 3GPP (registered trademark) is currently examining use cases and requirements for Ambient IoT (Internet of Things) devices that can run on energy from the environment.

3GPP TS 38.300 V17.2.0 (2022-09) 3GPP TS 33.501 V17.7.0 (2022-09)

In conventional technology, there is no mechanism for easily and securely communicating between Ambient IoT devices and networks. This issue is not limited to Ambient IoT devices and can occur with any terminal.

The present invention has been made in consideration of the above points, and aims to provide technology that enables secure communication between a terminal and a network using simple procedures.

According to the disclosed technique, a control unit generates a request message including a command, an authentication request, and a security mode instruction based on information related to the terminal acquired from a management device;
a transmission unit that transmits the request message to the terminal;
a receiving unit that receives from the terminal a response message including data acquired in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
The control unit verifies the authentication response included in the response message, and extracts the data if authentication of the terminal is successful. An authentication security device is provided.

The disclosed technology provides a technology that enables secure communication between a terminal and a network using simple procedures.

FIG. 1 is a diagram illustrating an example of a communication system. FIG. 1 is a diagram for explaining an example of a communication system in a roaming environment. FIG. 2 is a diagram illustrating an example of a communication procedure between a terminal and a network. FIG. 1 illustrates an example of a system configuration. FIG. 11 is a sequence diagram for explaining an example of the operation of the system. FIG. 4 is a diagram showing an example of information held by the management device 300. FIG. 2 is a diagram illustrating an example of a functional configuration of a terminal 20 according to an embodiment of the present invention. FIG. 1 is a diagram showing an example of a functional configuration of an authentication security device 100 according to an embodiment of the present invention. FIG. 2 is a diagram illustrating an example of a hardware configuration of an apparatus according to an embodiment of the present invention. 1 is a diagram showing an example of a configuration of a vehicle according to an embodiment of the present invention.

Below, an embodiment of the present invention will be described with reference to the drawings. Note that the embodiment described below is an example, and the embodiment to which the present invention can be applied is not limited to the following embodiment.

In the operation of the wireless communication system according to the embodiment of the present invention, existing technologies are used as appropriate. The existing technologies are, for example, existing LTE or existing NR (5G), but are not limited to existing LTE or existing NR.

Furthermore, in the embodiment of the present invention, "configuring" wireless parameters etc. may mean that predetermined values are pre-configured, or that wireless parameters notified from the network node device or terminal 20 are configured.

In addition, in this embodiment, it is assumed that the terminal 20 is an Ambient IoT device. However, the terminal 20 is not limited to an Ambient IoT device. In addition, the Ambient IoT device may be called a UE (User Equipment), or may not be called a UE and be recognized as a device different from a UE. In this embodiment, if it is assumed that the terminal 20 is an Ambient IoT device, the terminal 20 (Ambient IoT device) may be called a UE.

FIG. 1 is a diagram for explaining an example of a communication system. As shown in FIG. 1, the communication system is composed of a UE, which is a terminal 20, and multiple network node devices. In the following, it is assumed that one network node device corresponds to each function, but multiple functions may be realized by one network node device, or multiple network node devices may realize one function. In addition, the "connection" described below may be a logical connection or a physical connection.

RAN (Radio Access Network) is a network node device having a radio access function. The RAN may also be called a base station. The RAN is connected to the UE, the AMF (Access and Mobility Management Function), and the UPF (User plane function). The AMF is a network node device having functions such as RAN interface termination, NAS (Non-Access Stratum) termination, registration management, connection management, reachability management, and mobility management. The UPF is a network node device having functions such as a PDU (Protocol Data Unit) session point to the outside that interconnects with the DN (Data Network), packet routing and forwarding, and user plane QoS (Quality of Service) handling. The UPF and DN constitute a network slice. In the wireless communication network in the embodiment of the present invention, multiple network slices are constructed.

The AMF is connected to the UE, RAN, SMF (Session Management function), NSSF (Network Slice Selection Function), NEF (Network Exposure Function), NRF (Network Repository Function), UDM (Unified Data Management), UDR (Unified Data Repository), AUSF (Authentication Server Function), PCF (Policy Control Function), and AF (Application Function). The AMF, SMF, NSSF, NEF, NRF, UDM, UDR, AUSF, PCF, and AF are network node devices that are interconnected via interfaces based on their respective services: Namf, Nsmf, Nnssf, Nnef, Nnrf, Nudm, Nudr, Nausf, Npcf, and Naf.

The SMF is a network node device having functions such as session management, IP (Internet Protocol) address allocation and management for UEs, DHCP (Dynamic Host Configuration Protocol) function, ARP (Address Resolution Protocol) proxy, and roaming function. The NEF is a network node device having a function of notifying other NFs (Network Functions) of capabilities and events. The NSSF is a network node device having functions such as selecting the network slice to which the UE connects, determining the allowed NSSAI (Network Slice Selection Assistance Information), determining the NSSAI to be set, and determining the AMF set to which the UE connects. The PCF is a network node device having a function of controlling network policies. The AF is a network node device having a function of controlling application servers. The NRF is a network node device having a function of discovering NF instances that provide services. The UDM is a network node device that manages subscriber data, authentication data, etc. The UDM also stores (manages) dynamic information according to the connection status of the terminal 20, etc. The UDM is connected to a UDR (User Data Repository) that holds data.

Figure 2 is a diagram for explaining an example of a communication system in a roaming environment. As shown in Figure 2, the network is composed of a UE, which is a terminal 20, and multiple network node devices. The SEPP is a non-transparent proxy that filters control plane messages between PLMNs (Public Land Mobile Networks). The vSEPP shown in Figure 2 is a SEPP in a visited network, and the hSEPP is a SEPP in a home network.

As shown in Figure 2, the UE is in a roaming environment connected to the RAN and AMF in the VPLMN (Visited PLMN). The VPLMN and the HPLMN (Home PLMN) are connected via vSEPP and hSEPP. The UE can communicate with the UDM of the HPLMN, for example, via the AMF of the VPLMN.

The operation of this embodiment may be performed in either the configuration shown in FIG. 1 or FIG. 2. In addition, the operation of this embodiment may be performed in a configuration other than the configuration shown in FIG. 1 or FIG. 2.

The authentication security device 100 and management device 300 described below are each assumed to be network node devices in 5GS, but are not limited to this assumption, and the authentication security device 100 and management device 300 may each be devices in a communication system other than 5GS.

(About Ambient IoT devices)
In this embodiment, an overview of an Ambient IoT device will be described because it is assumed that an Ambient IoT device is used as the terminal 20. Note that the following description of the Ambient IoT device, the description of the operation mode, the description of the use case, etc. are not necessarily publicly known.

3GPP (registered trademark) is currently studying use cases and requirements for Ambient IoT devices. Ambient IoT devices may also be called Ambient power-enabled IoT devices.

An ambient IoT device is a device (terminal) that can cover its power consumption through environmental power generation. Environmental power generation is performed, for example, by radio waves, light, motion, heat, etc. An ambient IoT device may or may not have a storage battery. An ambient IoT device may not have a storage battery, but may have the ability to store only a limited amount of power (such as a capacitor).

(1) Operation Mode The Ambient IoT device in this embodiment has, for example, the following two operation modes A and B.

Operation mode A: Continuous operation The continuous operation mode corresponds to the operation mode of existing normal terminals. Ambient IoT devices in this operation mode have sufficient power and (a) transmit and receive as needed, or (b) transmit as needed when the device is started and receive periodically by using a timer.

It is anticipated that ambient IoT devices capable of continuous operation will be devices that use large-capacity environmental power generation, such as photovoltaic power generation, and have batteries that can store sufficient amounts of power.

Operation mode B: Intermittent operation Intermittent operation is a new operation mode that does not exist in existing normal terminals. In an Ambient IoT device that harvests energy, it is assumed that there are time periods when there is enough power for communication and time periods when there is not enough power for communication. An Ambient IoT device may not have power for a long period of time. If an Ambient IoT device does not have power, for example, the Ambient IoT device cannot even maintain a timer. In intermittent operation, for example, communication is performed during time periods when there is enough power for communication, and communication is not performed during time periods when there is not enough power for communication.

　A special case of the above intermittent operation is the on-demand operation format below.

Operation mode B-1: On-demand operation In the on-demand operation mode, an external entity decides when to supply power to an Ambient IoT device. The power supply also becomes a trigger for activating communication.

Note that the operation of an RFID reader reading an ID from an RFID tag is an example of the on-demand operation mentioned above. In this case, the RFID tag corresponds to the Ambient IoT device.

(2) Support for Operational Forms For example, depending on the type of Ambient IoT device, the Ambient IoT device may support any or all of the above operational forms.

(3) Examples of expected operations in on-demand operation An Ambient IoT device performing on-demand operation can receive a "read" command from the network. When the Ambient IoT device returns its own ID according to the subparameter, it can return some setting value or sensor data of the associated sensor.

(Example use case)
One of the use cases for using the Ambient IoT device envisioned in this embodiment is searching for a lost item.

In this use case, a user attaches an Ambient IoT device to an object around them. When the user loses sight of the object, a command (radio signal) requesting the device ID of the Ambient IoT device is sent from a terminal (e.g. a smartphone) or base station near the object. The Ambient IoT device that receives the command returns a response, which can lead to the lost item being found.

Another use case for on-demand Ambient IoT devices is the acquisition of sensor information over a wide area. In this use case, the Ambient IoT device acts as a sensor. The Ambient IoT device transmits sensor information in a response signal to a wireless signal received from a base station.

(Regarding the issues)
The technical problems associated with the present embodiment will be described in detail below. Note that the contents of the following description of the problems (including the sequence diagram) are not publicly known.

For on-demand operation, Ambient IoT devices communicate in a format where the network (e.g., a base station) transmits power and commands, and the Ambient IoT device responds with the necessary data.

By performing this process multiple times, it may be possible to configure a somewhat complex procedure. However, for the Ambient IoT device in question, due to factors such as the fact that the power supply is unstable and the Ambient IoT device may move and suddenly become detached from the reader, it is desirable to be able to complete the procedure with a small number of processes (e.g., one round trip). A procedure with a small number of processes (e.g., one round trip) may be called a "simple procedure."

On the other hand, there is a requirement that communication between Ambient IoT devices that perform on-demand operations and the network must be kept safe (secure), just like other communications.

It is believed that this requirement can be met, for example, by the processing sequence shown in Figure 3. Figure 3 shows an example sequence for secure communication between an Ambient IoT device and a network using an existing mechanism (e.g., Non-Patent Document 2). The terminal 20 in Figure 3 is an Ambient IoT device. The network node device 30 in Figure 3 is a network node device equipped with an authentication function. The network node device 30 may be a system composed of multiple devices (e.g., multiple NFs).

In S1 of FIG. 3, the terminal 20 transmits a registration request to the network node device 30. The registration request includes the security capabilities of the terminal 20.

In S2, the network node device 30 sends an authentication request to the terminal 20. The authentication request includes RAND and AUthentication Token (AUTN). RAND is a random number generated by the network node device 30, and AUTN is authentication data. By checking the AUTN, the terminal 20 can confirm that the RAND has not been tampered with by a third party.

In S3, the terminal 20 returns an authentication response to the network node device 30. The authentication response includes RES. RES is a response value calculated from the common key and RAND.

In S4, the network node device 30 transmits a security mode instruction to the terminal 20. The security mode instruction includes the selected security algorithm, the received security capabilities, and a read command for the terminal (Ambient IoT).

In S5, the terminal 20 sends a security mode completion message to the network node device 30. The security mode completion message includes the read command response data. The message is integrity protected and encrypted based on the selected security algorithm.

When communicating securely between an Ambient IoT device and a network using existing mechanisms, as described above, two and a half round trips of communication are required, starting with a transmission from the Ambient IoT device. In other words, with conventional technologies such as existing specifications, there is no procedure for reading data from an Ambient IoT device safely in one round trip. Below, we explain the system configuration and operation for solving this problem.

(Overview of the embodiment)
<System configuration example>
In this embodiment, as NFs in the core network in the communication system (5GS) shown in Figures 1 and 2, an authentication security device 100 that authenticates Ambient IoT devices and sets up a secure communication path with the Ambient IoT devices, and a management device 300 that manages the Ambient IoT devices are provided. The authentication security device 100 may be called an Ambient IoT NF. The management device 300 may be called an Ambient IoT management NF.

However, both the authentication security device 100 and the management device 300 do not have to be NFs in 5GS. For example, both the authentication security device 100 and the management device 300 may be terminals, base stations, or servers external to 5GS. Furthermore, both the authentication security device 100 and the management device 300 may be existing NFs (network node devices) in 5GS. In other words, the functions of the authentication security device 100 or the management device 300 may be provided within an existing NF (network node device).

Figure 4 shows an example configuration of a system including an authentication security device 100 and a management device 300. In the system shown in Figure 4, communication is possible at least between devices connected by wires. That is, communication is possible between the application server 200 and the authentication security device 100, communication is possible between the authentication security device 100 and the terminal 20, and communication is possible between the management device 300 and the authentication security device 100. It is assumed that the terminal 20 is an ambient IoT device.

Note that communication between the application server 200 and the authentication security device 100 is performed via the NEF. However, the system may be configured so that the application server 200 and the authentication security device 100 can communicate directly without going through the NEF.

In the configuration shown in FIG. 4, for example, when the authentication security device 100 receives a read request from the application server 200, it transmits the read request to the terminal 20, thereby acquiring response data from the terminal 20, and returns the response data to the application server 200. In this process, the authentication security device 100 can communicate securely with the terminal 20.

<Outline of the solution>
In this embodiment, the security capability of the terminal 20 is held on the network side (specifically, the management device 300).

In addition, the authentication request, security mode instruction, and read command are combined into one message (= secure read request), and the authentication response, security mode completion, and read command response data are combined into one message (= secure read response).

As a result, with one round-trip communication between the terminal 20 and the network node device (specifically, the authentication security device 100), the read command response data can be read in an integrity-protected and encrypted form at the network node device.

In addition, the read command sent from the network node device to the terminal 20 can be viewed by an attacker, but the terminal 20 sends the received "read command" in a secure read response so that the attacker cannot change it.

However, this process (putting the received "read command" in a secure read response) may not be performed.

(Example of system operation)
An example of the operation of the communication system according to the present embodiment will be described with reference to FIG.

The terminal 20 is assumed to be an Ambient IoT device. However, the process described in FIG. 5 can also be applied to a terminal 20 that is not an Ambient IoT device. The "terminal" described below is assumed to be an "Ambient IoT device."

The application server 200 is a server that sends a read request to the terminal 20 and acquires data from the terminal 20. It is expected that the application server 200 will be used in a variety of use cases. For example, when the application server 200 receives a device discovery request from a user (e.g., the user's smartphone) for an Ambient IoT device (terminal 20) attached to a lost property, it executes processing for device discovery (e.g., sending a read request).

<Advance preparations>
The management device 300 holds the common key and security capabilities for each terminal, binding them to a device ID. Specifically, the management device 300 holds these common keys and security capabilities in a storage device. Fig. 6 shows an image of the common key and security capabilities held by the management device 300. The device ID may be a SUPI, an IMSI, or another identifier.

Security capability is, for example, the set of ciphering and integrity algorithms that terminal 20 supports.

The shared key and security capabilities of each terminal may be registered in the management device 300 when the terminal is shipped, may be registered in the management device 300 when the terminal is purchased (sold), or may be registered in the management device 300 by the user who purchased the terminal.

The common key is stored in advance in each terminal. If the terminal has a SIM, the common key may be stored in the SIM. The sequence in Figure 5 is explained below.

<S101>
In S101, the authentication security device 100 receives a device read request from the application server 200. The device read request includes the device ID of the terminal 20 to be read and a read command for Ambient IoT. Note that the "read command" may be rephrased as a "command", a "data transmission command", or the like.

<S102, S103>
In S102, the authentication security device 100 transmits an inquiry to the management device 300 to acquire the common key and security capabilities of the terminal 20. This inquiry includes the device ID of the terminal 20.

In S103, the management device 300 acquires the common key and security capabilities of the terminal 20 based on the device ID, and transmits them to the authentication security device 100. The authentication security device 100 acquires the common key and security capabilities.

<S104>
In S104, the authentication security device 100 derives an authentication vector (RAND, AUTN, XRES, anchor key) from the common key acquired from the management device 300. Note that XRES (eXpected RESponse) is an expected value of a response from the terminal 20. The anchor key is a key used to derive a security key. In addition, the authentication security device 100 selects an appropriate security algorithm based on the security capability of the terminal 20.

<S105>
In S105, the authentication security device 100 generates a secure read request and transmits it to the terminal 20. The secure read request includes, for example, RAND, AUTN, a selected security algorithm, a device ID, and a read command for Ambient IoT. The "secure read request" may be called a "request message." The selected security algorithm corresponds to a "security mode instruction." RAND corresponds to an "authentication request."

<S106>
In S106, the terminal 20 accumulates power generated by, for example, the received radio wave, confirms that there is no problem with the AUTN, and generates a RES. The RES is generated, for example, by applying a predefined function to the common key and RAND. The terminal 20 proceeds with the procedure in the same manner as when the authentication is successful and a security mode command is received in the existing technology. The terminal 20 also acquires response data in response to the Ambient IoT read command. The response data is, for example, sensor information. The RES may be called an "authentication response."

Then, the terminal 20 uses a key derived from the common key and a security algorithm selected by the network (here, the authentication security device 100) to integrity-protect and encrypt a message (response message) including "RES, the received read command, and the read command response data." The "key derived from the common key" may also be called authentication information.

<S107>
In S107, the terminal 20 transmits the message encrypted in S106 to the authentication security device 100 as a secure read response.

<S108>
Upon receiving the secure read response message, the authentication security device 100 decrypts the message and checks its integrity (there is no tampering, omissions, etc.).

Furthermore, because the above message can be decrypted (the integrity of the decrypted information can be confirmed), it is possible to determine that the terminal 20 is a legitimate terminal and therefore that there is no problem with the authentication of the terminal 20 at this point. In this embodiment, the authentication security device 100 further compares RES with XRES and confirms that they match, thereby confirming that there is no problem with the authentication.

Furthermore, the authentication security device 100 verifies that the read command extracted from the received message is identical to the read command sent in S105.

<S109>
In S<b>109 , the authentication security device 100 extracts the read command response data from the received message, and transmits the response data to the application server 200 .

(Other examples)
For example, in cases where the security capabilities of a particular type of terminal 20 are predetermined (fixed), when targeting that terminal 20, the security capabilities may not be used in the sequence shown in FIG. 5.

In addition, while this embodiment is directed to an authentication method that uses a shared key, such as AKA authentication, the technology according to the present invention is applicable to authentication methods that are not limited to those that use a shared key. For example, the technology according to the present invention may be applied to authentication methods that use a public key and a private key. The shared key, public key, and private key may be collectively referred to as key information.

The authentication security device 100 may also select either an authentication method using a common key or an authentication method using a public key and private key, depending on the security capabilities acquired from the management device 300, and proceed with subsequent processing using the selected method.

The technology according to the present embodiment described above makes it possible to perform secure communication between a terminal and a network using simple procedures.

(Device configuration)
Next, a description will be given of an example of the functional configuration of the terminal 20 that performs the processes and operations described above, and the authentication security device 100. Note that the base station, the management device 300, and the application server 200 may each have a transmission unit, a reception unit, a control unit, and a setting unit, similar to the authentication security device 100, etc.

Authentication Security Device 100
Fig. 7 is a diagram showing an example of the functional configuration of the authentication security device 100. As shown in Fig. 7, the authentication security device 100 has a transmitting unit 110, a receiving unit 120, a setting unit 130, and a control unit 140. The functional configuration shown in Fig. 7 is merely an example. The names of the functional divisions and functional units may be any as long as they can perform the operations related to the embodiment of the present invention.

The transmitting unit 110 generates information to be sent to other devices and transmits the information via wired or wireless communication. The receiving unit 120 receives various types of information sent from other devices.

The setting unit 130 stores various setting information in a storage device and reads it from the storage device as needed.

The control unit 140 controls the entire device. In addition, the control unit 140 can generate a request message including a command, an authentication request, and a security mode instruction based on information related to the terminal obtained from the management device 300. The functional unit related to information transmission in the control unit 140 may be included in the transmitting unit 110, and the functional unit related to information reception in the control unit 140 may be included in the receiving unit 120.

<Terminal 20>
Fig. 8 is a diagram showing an example of the functional configuration of the terminal 20. As shown in Fig. 8, the terminal 20 has a transmitting unit 210, a receiving unit 220, a setting unit 230, and a control unit 240. The functional configuration shown in Fig. 8 is merely an example. As long as the operation related to the embodiment of the present invention can be executed, the names of the functional divisions and functional units may be any. The transmitting unit 210 and the receiving unit 220 may be collectively referred to as a communication unit.

In addition, when the terminal 20 is an Ambient IoT device, the function of performing energy harvesting is provided, for example, in the receiving unit 220. The function of performing energy harvesting may be provided in any one of the transmitting unit 210, the setting unit 230, or the control unit 240.

The transmitter 210 creates a transmission signal from the transmission data and transmits the transmission signal wirelessly. The receiver 220 receives various signals wirelessly and obtains higher layer signals from the received physical layer signals. The receiver 220 also has the function of receiving NR-PSS, NR-SSS, NR-PBCH, DL/UL/SL control signals, DCI via PDCCH, data via PDSCH, etc. transmitted from the base station. Also, for example, the transmitting unit 210 may transmit a PSCCH (Physical Sidelink Control Channel), a PSSCH (Physical Sidelink Shared Channel), a PSDCH (Physical Sidelink Discovery Channel), a PSBCH (Physical Sidelink Broadcast Channel), or the like to another terminal 20 as D2D communication, and the receiving unit 220 may receive a PSCCH, a PSSCH, a PSDCH, or a PSBCH, or the like, from the other terminal 20.

The setting unit 230 stores various setting information received by the receiving unit 220 from a base station or other terminals in a storage device provided in the setting unit 230, and reads it from the storage device as necessary. The setting unit 230 also stores setting information that is set in advance.

The control unit 240 controls the terminal 20. The control unit 240 can also obtain data based on a command received from the authentication security device 100, and can encrypt a response message including the data while protecting its integrity using the authentication information. The functional unit in the control unit 240 related to information transmission may be included in the transmitting unit 210, and the functional unit in the control unit 240 related to information reception may be included in the receiving unit 220.

This embodiment discloses at least the following:

<Additional Notes>
(Additional Note 1)
a control unit that generates a request message including a command, an authentication request, and a security mode instruction based on information regarding the terminal acquired from the management device;
a transmission unit that transmits the request message to the terminal;
a receiving unit that receives from the terminal a response message including data acquired in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
The control unit verifies the authentication response included in the response message, and extracts the data if authentication of the terminal is successful.
(Additional Note 2)
2. The authentication security device of claim 1, wherein the information about the terminal is a common key and security capabilities.
(Additional Note 3)
2. The authentication security device according to claim 1, wherein the response message includes the command received by the terminal.
(Additional Note 4)
a receiving unit for receiving a request message including a command, an authentication request, and a security mode instruction from the authentication security device;
a control unit that acquires data in response to the command, generates an authentication response in response to the authentication request, and integrity protects and encrypts a response message including the data and the authentication response based on pre-stored authentication information;
a transmitter for transmitting the integrity protected and encrypted response message.
(Additional Note 5)
The system includes a management device that holds information about each terminal, and an authentication security device,
The authentication security device comprises:
a control unit that generates a request message including a command, an authentication request, and a security mode instruction based on information regarding the terminal acquired from the management device;
a transmission unit that transmits the request message to the terminal;
a receiving unit that receives from the terminal a response message including data acquired in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
The control unit verifies the authentication response included in the response message, and extracts the data if authentication of the terminal is successful.
(Additional Note 6)
generating a request message including a command, an authentication request, and a security mode instruction based on information about the terminal obtained from the management device;
sending the request message to the terminal;
receiving from the terminal a response message including data obtained in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
verifying the authentication response included in the response message and extracting the data if authentication of the terminal is successful.

All of Supplementary Items 1 to 6 provide technology that allows secure communication between a terminal and a network with simple procedures. Supplementary Item 2 makes it possible to acquire security capabilities without communication between the terminal and the network. Supplementary Item 3 makes it possible to detect any tampering that may have occurred on the command transmission path.

(Hardware configuration)
The block diagrams (FIGS. 7 and 8) used in the description of the above embodiments show functional blocks. These functional blocks (components) are realized by any combination of at least one of hardware and software. The method of realizing each functional block is not particularly limited. That is, each functional block may be realized using one device that is physically or logically coupled, or may be realized using two or more devices that are physically or logically separated and directly or indirectly connected (for example, using wires, wirelessly, etc.). The functional block may be realized by combining the one device or the multiple devices with software.

Functions include, but are not limited to, judgement, determination, judgment, calculation, computation, processing, derivation, investigation, search, confirmation, reception, transmission, output, access, resolution, selection, election, establishment, comparison, assumption, expectation, regard, broadcasting, notifying, communicating, forwarding, configuring, reconfiguring, allocating, mapping, and assignment. For example, a functional block (component) that performs the transmission function is called a transmitting unit or transmitter. As mentioned above, there are no particular limitations on the method of realization for either of these.

For example, the terminal 20, authentication security device 100, etc. in one embodiment of the present disclosure may function as a computer that processes the communication method of the present disclosure. FIG. 9 is a diagram showing an example of the hardware configuration of each of the terminal 20 and authentication security device 100 in one embodiment of the present disclosure. The base station, management device 300, and application server 200 may each have the configuration shown in FIG. 9, similar to the authentication security device 100, etc.

The terminal 20, authentication security device 100, etc. may be physically configured as a computer device including a processor 1001, a memory device 1002, an auxiliary memory device 1003, a communication device 1004, an input device 1005, an output device 1006, a bus 1007, etc.

In the following description, the term "apparatus" can be interpreted as a circuit, device, unit, etc. The hardware configuration of the base station 10 and the terminal 20 may be configured to include one or more of the devices shown in the figure, or may be configured to exclude some of the devices.

The functions of the terminal 20, authentication security device 100, etc. are realized by loading specific software (programs) onto hardware such as the processor 1001 and storage device 1002, causing the processor 1001 to perform calculations, control communications via the communication device 1004, and control at least one of the reading and writing of data in the storage device 1002 and auxiliary storage device 1003.

The processor 1001, for example, operates an operating system to control the entire computer. The processor 1001 may be configured as a central processing unit (CPU) including an interface with peripheral devices, a control device, an arithmetic unit, registers, etc. For example, the above-mentioned control unit 140, control unit 240, etc. may be realized by the processor 1001.

The processor 1001 also reads out programs (program codes), software modules, data, etc. from at least one of the auxiliary storage device 1003 and the communication device 1004 to the storage device 1002, and executes various processes according to these. The programs used are those that cause a computer to execute at least some of the operations described in the above-mentioned embodiments. For example, both the control unit 140 and the control unit 240 may be realized by a control program stored in the storage device 1002 and running on the processor 1001. Although the above-mentioned various processes have been described as being executed by one processor 1001, they may be executed simultaneously or sequentially by two or more processors 1001. The processor 1001 may be implemented by one or more chips. The programs may be transmitted from a network via a telecommunications line.

The storage device 1002 is a computer-readable recording medium and may be composed of, for example, at least one of a ROM (Read Only Memory), an EPROM (Erasable Programmable ROM), an EEPROM (Electrically Erasable Programmable ROM), a RAM (Random Access Memory), etc. The storage device 1002 may also be called a register, a cache, a main memory, etc. The storage device 1002 can store executable programs (program codes), software modules, etc. for implementing a communication method relating to one embodiment of the present disclosure.

The auxiliary storage device 1003 is a computer-readable recording medium, and may be, for example, at least one of an optical disk such as a CD-ROM (Compact Disc ROM), a hard disk drive, a flexible disk, a magneto-optical disk (e.g., a compact disk, a digital versatile disk, a Blu-ray (registered trademark) disk), a smart card, a flash memory (e.g., a card, a stick, a key drive), a floppy (registered trademark) disk, a magnetic strip, etc. The above-mentioned storage medium may be, for example, a database, a server, or other suitable medium that includes at least one of the storage device 1002 and the auxiliary storage device 1003.

The communication device 1004 is hardware (transmitting/receiving device) for communicating between computers via at least one of a wired network and a wireless network, and is also referred to as, for example, a network device, a network controller, a network card, a communication module, etc. The communication device 1004 may be configured to include a high-frequency switch, a duplexer, a filter, a frequency synthesizer, etc., to realize at least one of, for example, Frequency Division Duplex (FDD) and Time Division Duplex (TDD). For example, the transmitting/receiving antenna, an amplifier unit, a transmitting/receiving unit, a transmission path interface, etc. may be realized by the communication device 1004. The transmitting/receiving unit may be implemented as a transmitting unit or a receiving unit that is physically or logically separated.

The input device 1005 is an input device (e.g., a keyboard, a mouse, a microphone, a switch, a button, a sensor, etc.) that accepts input from the outside. The output device 1006 is an output device (e.g., a display, a speaker, an LED lamp, etc.) that performs output to the outside. Note that the input device 1005 and the output device 1006 may be integrated into one structure (e.g., a touch panel).

Furthermore, each device such as the processor 1001 and the storage device 1002 is connected by a bus 1007 for communicating information. The bus 1007 may be configured using a single bus, or may be configured using different buses between each device.

Furthermore, the terminal 20 and the authentication security device 100 may be configured to include hardware such as a microprocessor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA), and some or all of the functional blocks may be realized by the hardware. For example, the processor 1001 may be implemented using at least one of these pieces of hardware.

Furthermore, the terminal 20 or the authentication security device 100 may be provided in the vehicle 2001. FIG. 10 shows an example of the configuration of the vehicle 2001. As shown in FIG. 10, the vehicle 2001 includes a drive unit 2002, a steering unit 2003, an accelerator pedal 2004, a brake pedal 2005, a shift lever 2006, front wheels 2007, rear wheels 2008, an axle 2009, an electronic control unit 2010, various sensors 2021-2029, an information service unit 2012, and a communication module 2013. The authentication security device 100 according to each aspect/embodiment described in this disclosure may be applied to a communication device mounted on the vehicle 2001, for example, to the communication module 2013.

The drive unit 2002 is composed of, for example, an engine, a motor, or a hybrid of an engine and a motor. The steering unit 2003 includes at least a steering wheel (also called a handlebar), and is configured to steer at least one of the front wheels and the rear wheels based on the operation of the steering wheel operated by the user.

The electronic control unit 2010 is composed of a microprocessor 2031, memory (ROM, RAM) 2032, and a communication port (IO port) 2033. Signals are input to the electronic control unit 2010 from various sensors 2021 to 2029 provided in the vehicle 2001. The electronic control unit 2010 may also be called an ECU (Electronic Control Unit).

Signals from the various sensors 2021-2029 include a current signal from a current sensor 2021 that senses the motor current, a front and rear wheel rotation speed signal obtained by a rotation speed sensor 2022, a front and rear wheel air pressure signal obtained by an air pressure sensor 2023, a vehicle speed signal obtained by a vehicle speed sensor 2024, an acceleration signal obtained by an acceleration sensor 2025, an accelerator pedal depression amount signal obtained by an accelerator pedal sensor 2029, a brake pedal depression amount signal obtained by a brake pedal sensor 2026, a shift lever operation signal obtained by a shift lever sensor 2027, and a detection signal for detecting obstacles, vehicles, pedestrians, etc. obtained by an object detection sensor 2028.

The information service unit 2012 is composed of various devices, such as a car navigation system, an audio system, speakers, a television, and a radio, for providing (outputting) various information such as driving information, traffic information, and entertainment information, and one or more ECUs for controlling these devices. The information service unit 2012 uses information acquired from an external device via the communication module 2013 or the like to provide various multimedia information and multimedia services to the occupants of the vehicle 2001. The information service unit 2012 may include input devices (e.g., a keyboard, a mouse, a microphone, a switch, a button, a sensor, a touch panel, etc.) that accept input from the outside, and may also include output devices (e.g., a display, a speaker, an LED lamp, a touch panel, etc.) that perform output to the outside.

The driving assistance system unit 2030 is composed of various devices that provide functions for preventing accidents and reducing the driving burden on the driver, such as a millimeter wave radar, LiDAR (Light Detection and Ranging), a camera, a positioning locator (e.g., GNSS, etc.), map information (e.g., high definition (HD) maps, autonomous vehicle (AV) maps, etc.), a gyro system (e.g., IMU (Inertial Measurement Unit), INS (Inertial Navigation System), etc.), AI (Artificial Intelligence) chip, and AI processor, as well as one or more ECUs that control these devices. In addition, the driving assistance system unit 2030 transmits and receives various information via the communication module 2013 to realize driving assistance functions or autonomous driving functions.

The communication module 2013 can communicate with the microprocessor 2031 and components of the vehicle 2001 via the communication port. For example, the communication module 2013 transmits and receives data via the communication port 2033 between the drive unit 2002, steering unit 2003, accelerator pedal 2004, brake pedal 2005, shift lever 2006, front wheels 2007, rear wheels 2008, axle 2009, microprocessor 2031 and memory (ROM, RAM) 2032 in the electronic control unit 2010, and sensors 2021 to 29, which are provided on the vehicle 2001.

The communication module 2013 is a communication device that can be controlled by the microprocessor 2031 of the electronic control unit 2010 and can communicate with an external device. For example, it transmits and receives various information to and from the external device via wireless communication. The communication module 2013 may be located either inside or outside the electronic control unit 2010. The external device may be, for example, a base station, a mobile station, etc.

The communication module 2013 may transmit at least one of the signals from the various sensors 2021-2028 described above input to the electronic control unit 2010, information obtained based on the signals, and information based on input from the outside (user) obtained via the information service unit 2012 to an external device via wireless communication. The electronic control unit 2010, the various sensors 2021-2028, the information service unit 2012, etc. may be referred to as input units that accept input. For example, the PUSCH transmitted by the communication module 2013 may include information based on the above input.

The communication module 2013 receives various information (traffic information, signal information, vehicle distance information, etc.) transmitted from an external device and displays it on the information service unit 2012 provided in the vehicle 2001. The information service unit 2012 may be called an output unit that outputs information (for example, outputs information to a device such as a display or speaker based on the PDSCH (or data/information decoded from the PDSCH) received by the communication module 2013). The communication module 2013 also stores various information received from an external device in a memory 2032 that can be used by the microprocessor 2031. Based on the information stored in the memory 2032, the microprocessor 2031 may control the drive unit 2002, steering unit 2003, accelerator pedal 2004, brake pedal 2005, shift lever 2006, front wheels 2007, rear wheels 2008, axles 2009, sensors 2021 to 2029, etc. provided in the vehicle 2001.

(Supplementary description of the embodiment)
Although the embodiment of the present invention has been described above, the disclosed invention is not limited to such an embodiment, and those skilled in the art will understand various modifications, modifications, alternatives, replacements, and the like. Although the description has been given using specific numerical examples to facilitate understanding of the invention, unless otherwise specified, those numerical values are merely examples and any appropriate value may be used. The division of items in the above description is not essential to the present invention, and matters described in two or more items may be used in combination as necessary, and matters described in one item may be applied to matters described in another item (as long as there is no contradiction). The boundaries of functional units or processing units in the functional block diagram do not necessarily correspond to the boundaries of physical parts. The operations of multiple functional units may be physically performed by one part, or the operations of one functional unit may be physically performed by multiple parts. The order of the processing procedures described in the embodiment may be changed as long as there is no contradiction. For convenience of the processing description, the terminal 20 and the authentication security device 100 have been described using functional block diagrams, but such devices may be realized by hardware, software, or a combination thereof. The software operated by the processor of the authentication security device 100 in accordance with an embodiment of the present invention and the software operated by the processor of the terminal 20 in accordance with an embodiment of the present invention may each be stored in random access memory (RAM), flash memory, read only memory (ROM), EPROM, EEPROM, register, hard disk (HDD), removable disk, CD-ROM, database, server or any other suitable storage medium.

Furthermore, the notification of information is not limited to the aspects/embodiments described in the present disclosure and may be performed using other methods. For example, the notification of information may be performed by physical layer signaling (e.g., Downlink Control Information (DCI), Uplink Control Information (UCI)), higher layer signaling (e.g., Radio Resource Control (RRC) signaling, Medium Access Control (MAC) signaling), broadcast information (Master Information Block (MIB), System Information Block (SIB)), other signals, or a combination of these. Furthermore, RRC signaling may be referred to as an RRC message, and may be, for example, an RRC Connection Setup message, an RRC Connection Reconfiguration message, etc.

Each aspect/embodiment described in this disclosure may be a mobile communication system (mobile communications system) for mobile communications over a wide range of networks, including LTE (Long Term Evolution), LTE-A (LTE-Advanced), SUPER 3G, IMT-Advanced, 4G (4th generation mobile communication system), 5G (5th generation mobile communication system), 6th generation mobile communication system (6G), xth generation mobile communication system (xG) (xG (x is, for example, an integer or a decimal number)), FRA (Future Ra The present invention may be applied to at least one of systems using IEEE 802.11 (Wi-Fi (registered trademark)), IEEE 802.16 (WiMAX (registered trademark)), IEEE 802.20, UWB (Ultra-WideBand), Bluetooth (registered trademark), and other appropriate systems, and next-generation systems that are expanded, modified, created, or defined based on these. It may also be applied to a combination of multiple systems (for example, a combination of at least one of LTE and LTE-A with 5G, etc.).

The processing steps, sequences, flow charts, etc. of each aspect/embodiment described herein may be reordered unless inconsistent. For example, the methods described in this disclosure present elements of various steps using an exemplary order and are not limited to the particular order presented.

In this specification, certain operations that are described as being performed by the base station 10 may in some cases be performed by its upper node. In a network consisting of one or more network nodes having a base station 10, it is clear that various operations performed for communication with a terminal 20 may be performed by at least one of the base station 10 and other network nodes other than the base station 10 (such as, but not limited to, an MME or S-GW). Although the above example shows a case where there is one other network node other than the base station 10, the other network node may be a combination of multiple other network nodes (such as an MME and an S-GW).

The information or signals described in this disclosure may be output from a higher layer (or a lower layer) to a lower layer (or a higher layer). They may be input and output via multiple network nodes.

The input and output information may be stored in a specific location (e.g., memory) or may be managed using a management table. The input and output information may be overwritten, updated, or added to. The output information may be deleted. The input information may be sent to another device.

The determination in this disclosure may be based on a value represented by one bit (0 or 1), a Boolean (true or false) value, or a comparison of numerical values (e.g., a comparison with a predetermined value).

Software shall be construed broadly to mean instructions, instruction sets, code, code segments, program code, programs, subprograms, software modules, applications, software applications, software packages, routines, subroutines, objects, executable files, threads of execution, procedures, functions, etc., whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise.

Software, instructions, information, etc. may also be transmitted and received via a transmission medium. For example, if the software is transmitted from a website, server, or other remote source using at least one of wired technologies (such as coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL)), and/or wireless technologies (such as infrared, microwave), then at least one of these wired and wireless technologies is included within the definition of a transmission medium.

The information, signals, etc. described in this disclosure may be represented using any of a variety of different technologies. For example, the data, instructions, commands, information, signals, bits, symbols, chips, etc. that may be referred to throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or magnetic particles, optical fields or photons, or any combination thereof.

Note that the terms explained in this disclosure and the terms necessary for understanding this disclosure may be replaced with terms having the same or similar meanings. For example, at least one of the channel and the symbol may be a signal (signaling). Also, the signal may be a message. Also, the component carrier (CC) may be called a carrier frequency, a cell, a frequency carrier, etc.

As used in this disclosure, the terms "system" and "network" are used interchangeably.

In addition, the information, parameters, etc. described in this disclosure may be represented using absolute values, may be represented using relative values from a predetermined value, or may be represented using other corresponding information. For example, a radio resource may be indicated by an index.

The names used for the above-mentioned parameters are not limiting in any respect. Furthermore, the formulas etc. using these parameters may differ from those explicitly disclosed in this disclosure. The various channels (e.g., PUCCH, PDCCH, etc.) and information elements may be identified by any suitable names, and therefore the various names assigned to these various channels and information elements are not limiting in any respect.

In this disclosure, terms such as "base station (BS)", "radio base station", "base station", "fixed station", "NodeB", "eNodeB (eNB)", "gNodeB (gNB)", "access point", "transmission point", "reception point", "transmission/reception point", "cell", "sector", "cell group", "carrier", and "component carrier" may be used interchangeably. A base station may also be referred to by terms such as macrocell, small cell, femtocell, and picocell.

A base station can accommodate one or more (e.g., three) cells. When a base station accommodates multiple cells, the entire coverage area of the base station can be divided into multiple smaller areas, and each smaller area can also provide communication services by a base station subsystem (e.g., a small indoor base station (RRH: Remote Radio Head)). The term "cell" or "sector" refers to a part or the entire coverage area of at least one of the base station and base station subsystems that provide communication services in this coverage.

In this disclosure, a base station transmitting information to a terminal may be interpreted as the base station instructing the terminal to control or operate based on the information.

In this disclosure, terms such as "Mobile Station (MS)," "user terminal," "User Equipment (UE)," and "terminal" may be used interchangeably.

A mobile station may also be referred to by those skilled in the art as a subscriber station, mobile unit, subscriber unit, wireless unit, remote unit, mobile device, wireless device, wireless communication device, remote device, mobile subscriber station, access terminal, mobile terminal, wireless terminal, remote terminal, handset, user agent, mobile client, client, or some other suitable terminology.

At least one of the base station and the mobile station may be called a transmitting device, a receiving device, a communication device, etc. At least one of the base station and the mobile station may be a device mounted on a moving object, the moving object itself, etc. The moving object is a movable object, and the moving speed is arbitrary. It also includes the case where the moving object is stopped. The moving object includes, but is not limited to, for example, a vehicle, a transport vehicle, an automobile, a motorcycle, a bicycle, a connected car, an excavator, a bulldozer, a wheel loader, a dump truck, a forklift, a train, a bus, a handcar, a rickshaw, a ship and other watercraft, an airplane, a rocket, an artificial satellite, a drone (registered trademark), a multicopter, a quadcopter, a balloon, and objects mounted thereon. The moving object may also be a moving object that travels autonomously based on an operation command. It may be a vehicle (e.g., a car, an airplane, etc.), an unmanned moving object (e.g., a drone, an autonomous vehicle, etc.), or a robot (manned or unmanned). In addition, at least one of the base station and the mobile station may be a device that does not necessarily move during communication operations. For example, at least one of the base station and the mobile station may be an IoT (Internet of Things) device such as a sensor.

Furthermore, the base station in the present disclosure may be read as a terminal. For example, each aspect/embodiment of the present disclosure may be applied to a configuration in which communication between a base station and a terminal is replaced with communication between multiple terminals 20 (which may be called, for example, D2D (Device-to-Device) or V2X (Vehicle-to-Everything)). In this case, the terminal 20 may be configured to have the functions of the base station 10 described above. Furthermore, terms such as "uplink" and "downlink" may be read as terms corresponding to communication between terminals (for example, "side"). For example, the uplink channel, downlink channel, etc. may be read as a side channel.

Similarly, the terminal in this disclosure may be interpreted as a base station. In this case, the base station may be configured to have the functions of the terminal described above.

As used in this disclosure, the terms "determining" and "determining" may encompass a wide variety of actions. "Determining" and "determining" may include, for example, judging, calculating, computing, processing, deriving, investigating, looking up, search, inquiry (e.g., searching in a table, database, or other data structure), and considering ascertaining as "judging" or "determining." Also, "determining" and "determining" may include receiving (e.g., receiving information), transmitting (e.g., sending information), input, output, accessing (e.g., accessing data in memory), and considering ascertaining as "judging" or "determining." Additionally, "judgment" and "decision" can include considering resolving, selecting, choosing, establishing, comparing, etc., to have been "judged" or "decided." In other words, "judgment" and "decision" can include considering some action to have been "judged" or "decided." Additionally, "judgment (decision)" can be interpreted as "assuming," "expecting," "considering," etc.

The terms "connected," "coupled," or any variation thereof, refer to any direct or indirect connection or coupling between two or more elements, and may include the presence of one or more intermediate elements between two elements that are "connected" or "coupled" to each other. The coupling or connection between elements may be physical, logical, or a combination thereof. For example, "connected" may be read as "access." As used in this disclosure, two elements may be considered to be "connected" or "coupled" to each other using at least one of one or more wires, cables, and printed electrical connections, as well as electromagnetic energy having wavelengths in the radio frequency range, microwave range, and optical (both visible and invisible) range, as some non-limiting and non-exhaustive examples.

The reference signal may also be abbreviated as RS (Reference Signal) or may be called a pilot depending on the applicable standard.

As used in this disclosure, the phrase "based on" does not mean "based only on," unless expressly stated otherwise. In other words, the phrase "based on" means both "based only on" and "based at least on."

Any reference to an element using a designation such as "first," "second," etc., used in this disclosure does not generally limit the quantity or order of those elements. These designations may be used in this disclosure as a convenient method of distinguishing between two or more elements. Thus, a reference to a first and a second element does not imply that only two elements may be employed or that the first element must precede the second element in some way.

The "means" in the configuration of each of the above devices may be replaced with "part," "circuit," "device," etc.

When the terms "include," "including," and variations thereof are used in this disclosure, these terms are intended to be inclusive, similar to the term "comprising." Additionally, the term "or," as used in this disclosure, is not intended to be an exclusive or.

A radio frame may be composed of one or more frames in the time domain. Each of the one or more frames in the time domain may be called a subframe. A subframe may further be composed of one or more slots in the time domain. A subframe may have a fixed time length (e.g., 1 ms) that is independent of numerology.

Numerology may be a communication parameter that applies to at least one of the transmission and reception of a signal or channel. Numerology may indicate, for example, at least one of the following: Subcarrier Spacing (SCS), bandwidth, symbol length, cyclic prefix length, Transmission Time Interval (TTI), number of symbols per TTI, radio frame structure, a specific filtering process performed by the transceiver in the frequency domain, a specific windowing process performed by the transceiver in the time domain, etc.

A slot may consist of one or more symbols in the time domain (such as OFDM (Orthogonal Frequency Division Multiplexing) symbols, SC-FDMA (Single Carrier Frequency Division Multiple Access) symbols, etc.). A slot may be a time unit based on numerology.

A slot may include multiple minislots. Each minislot may consist of one or multiple symbols in the time domain. A minislot may also be called a subslot. A minislot may consist of fewer symbols than a slot. A PDSCH (or PUSCH) transmitted in a time unit larger than a minislot may be called PDSCH (or PUSCH) mapping type A. A PDSCH (or PUSCH) transmitted using a minislot may be called PDSCH (or PUSCH) mapping type B.

Radio frame, subframe, slot, minislot, and symbol all represent time units for transmitting signals. Radio frame, subframe, slot, minislot, and symbol may each be referred to by a different name that corresponds to the radio frame, subframe, slot, minislot, and symbol.

For example, one subframe may be called a transmission time interval (TTI), multiple consecutive subframes may be called a TTI, or one slot or one minislot may be called a TTI. In other words, at least one of the subframe and the TTI may be a subframe (1 ms) in existing LTE, a period shorter than 1 ms (e.g., 1-13 symbols), or a period longer than 1 ms. Note that the unit representing the TTI may be called a slot, minislot, etc., instead of a subframe. Also, one slot may be called a unit time. The unit time may differ for each cell depending on the numerology.

Here, TTI refers to, for example, the smallest time unit for scheduling in wireless communication. For example, in an LTE system, a base station performs scheduling to allocate wireless resources (such as frequency bandwidth and transmission power that can be used by each terminal 20) to each terminal 20 in TTI units. Note that the definition of TTI is not limited to this.

The TTI may be a transmission time unit for a channel-coded data packet (transport block), a code block, a code word, etc., or may be a processing unit for scheduling, link adaptation, etc. When a TTI is given, the time interval (e.g., the number of symbols) in which a transport block, a code block, a code word, etc. is actually mapped may be shorter than the TTI.

Note that when one slot or one minislot is called a TTI, one or more TTIs (i.e., one or more slots or one or more minislots) may be the minimum time unit of scheduling. In addition, the number of slots (minislots) that constitute the minimum time unit of scheduling may be controlled.

A TTI having a time length of 1 ms may be called a normal TTI (TTI in LTE Rel. 8-12), normal TTI, long TTI, normal subframe, normal subframe, long subframe, slot, etc. A TTI shorter than a normal TTI may be called a shortened TTI, short TTI, partial or fractional TTI, shortened subframe, short subframe, minislot, subslot, slot, etc.

Note that a long TTI (e.g., a normal TTI, a subframe, etc.) may be interpreted as a TTI having a time length of more than 1 ms, and a short TTI (e.g., a shortened TTI, etc.) may be interpreted as a TTI having a TTI length shorter than the TTI length of a long TTI and equal to or greater than 1 ms.

A resource block (RB) is a resource allocation unit in the time domain and frequency domain, and may include one or more consecutive subcarriers in the frequency domain. The number of subcarriers included in an RB may be the same regardless of the numerology, and may be, for example, 12. The number of subcarriers included in an RB may be determined based on the numerology.

Furthermore, the time domain of an RB may include one or more symbols and may be one slot, one minislot, one subframe, or one TTI in length. One TTI, one subframe, etc. may each be composed of one or more resource blocks.

In addition, one or more RBs may be referred to as a physical resource block (PRB), a sub-carrier group (SCG), a resource element group (REG), a PRB pair, an RB pair, etc.

Furthermore, a resource block may be composed of one or more resource elements (REs). For example, one RE may be a radio resource area of one subcarrier and one symbol.

A Bandwidth Part (BWP), which may also be referred to as a partial bandwidth, may represent a subset of contiguous common resource blocks (RBs) for a given numerology on a given carrier, where the common RBs may be identified by an index of the RB relative to a common reference point of the carrier. PRBs may be defined in a BWP and numbered within the BWP.

The BWP may include a BWP for UL (UL BWP) and a BWP for DL (DL BWP). One or more BWPs may be configured for a UE within one carrier.

At least one of the configured BWPs may be active, and the UE may not expect to transmit or receive a given signal/channel outside the active BWP. Note that "cell," "carrier," etc. in this disclosure may be read as "BWP."

The above-mentioned structures of radio frames, subframes, slots, minislots, and symbols are merely examples. For example, the number of subframes included in a radio frame, the number of slots per subframe or radio frame, the number of minislots included in a slot, the number of symbols and RBs included in a slot or minislot, the number of subcarriers included in an RB, as well as the number of symbols in a TTI, the symbol length, and the cyclic prefix (CP) length can be changed in various ways.

In this disclosure, where articles have been added through translation, such as a, an, and the in English, this disclosure may include that the nouns following these articles are plural.

In this disclosure, the term "A and B are different" may mean "A and B are different from each other." The term may also mean "A and B are each different from C." Terms such as "separate" and "combined" may also be interpreted in the same way as "different."

Each aspect/embodiment described in this disclosure may be used alone, in combination, or switched depending on the execution. In addition, notification of specific information (e.g., notification that "X is the case") is not limited to being done explicitly, but may be done implicitly (e.g., not notifying the specific information).

　Although the present disclosure has been described in detail above, it is clear to those skilled in the art that the present disclosure is not limited to the embodiments described herein. The present disclosure can be implemented in modified and altered forms without departing from the spirit and scope of the present disclosure as defined by the claims. Therefore, the description of the present disclosure is intended to be illustrative and does not have any limiting meaning on the present disclosure.

20 Terminal 210 Transmitter 220 Receiver 230 Setting unit 240 Control unit 100 Authentication security device 110 Transmitter 120 Receiver 130 Setting unit 140 Control unit 200 Application server 300 Management device 1001 Processor 1002 Storage device 1003 Auxiliary storage device 1004 Communication device 1005 Input device 1006 Output device 2001 Vehicle 2002 Driving unit 2003 Steering unit 2004 Accelerator pedal 2005 Brake pedal 2006 Shift lever 2007 Front wheel 2008 Rear wheel 2009 Axle 2010 Electronic control unit 2012 Information service unit 2013 Communication module 2021 Current sensor 2022 RPM sensor 2023 Air pressure sensor 2024 Vehicle speed sensor 2025 Acceleration sensor 2026 Brake pedal sensor 2027 Shift lever sensor 2028 Object detection sensor 2029 Accelerator pedal sensor 2030 Driving support system unit 2031 Microprocessor 2032 Memory (ROM, RAM)
2033 Communication port (IO port)

Claims (6)

a control unit that generates a request message including a command, an authentication request, and a security mode instruction based on information regarding the terminal acquired from the management device;
a transmission unit that transmits the request message to the terminal;
a receiving unit that receives from the terminal a response message including data acquired in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
The control unit verifies the authentication response included in the response message, and extracts the data if authentication of the terminal is successful. The authentication security device of claim 1 , wherein the information about the terminal is a common key and security capabilities. The authentication security device of claim 1 , wherein the response message includes the command received by the terminal. a receiving unit for receiving a request message including a command, an authentication request, and a security mode instruction from the authentication security device;
a control unit that acquires data in response to the command, generates an authentication response in response to the authentication request, and integrity protects and encrypts a response message including the data and the authentication response based on pre-stored authentication information;
a transmitter for transmitting the integrity protected and encrypted response message. The system includes a management device that holds information about each terminal, and an authentication security device,
The authentication security device comprises:
a control unit that generates a request message including a command, an authentication request, and a security mode instruction based on information regarding the terminal acquired from the management device;
a transmission unit that transmits the request message to the terminal;
a receiving unit that receives from the terminal a response message including data acquired in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
The control unit verifies the authentication response included in the response message, and extracts the data if authentication of the terminal is successful. generating a request message including a command, an authentication request, and a security mode instruction based on information about the terminal obtained from the management device;
sending the request message to the terminal;
receiving from the terminal a response message including data obtained in response to the command and an authentication response generated in response to the authentication request, the response message being integrity protected and encrypted based on authentication information previously held by the terminal;
verifying the authentication response included in the response message and extracting the data if authentication of the terminal is successful.

Images