Connection recovery method and apparatus, communication device, and storage medium
By employing the first security method to send the current connection restoration request in the 5G cellular mobile communication system, parameter differentiation is ensured, thus mitigating the risk of malicious spoofing of terminals in the inactive state and improving communication security and the flexibility of the request method.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date
- 2021-11-17
- Publication Date
- 2026-06-05
AI Technical Summary
In 5G cellular mobile communication systems, there is a risk that malicious devices may impersonate connection recovery requests when the terminal is inactive, which reduces communication security.
By selecting the first security method to send the current connection recovery request, it is ensured that at least some parameters of the current connection recovery request are different from those of the historical connection recovery requests, including the different methods of determining the terminal verification identifier, number, context, and security key. A connection recovery method selection indication is used to improve security.
This reduces the possibility of third-party devices impersonating terminals and communicating with base stations, and improves communication security and the flexibility of sending connection restoration requests.
Smart Images

Figure CN116458257B_ABST
Abstract
Description
Technical Field
[0001] This application relates to, but is not limited to, the field of wireless communication technology, and particularly to connection restoration methods, apparatus, communication devices, and storage media. Background Technology
[0002] In 5G (5th Generation) cellular mobile communication systems, the network and the terminal can retain some configuration information of the terminal, allowing the terminal to be in an inactive state when there is no data transmission. When data transmission occurs, the terminal can initiate a connection restoration process through a connection restoration request, thereby restoring the connection based on the previously retained configuration information. The terminal has the same energy-saving effect in both the inactive and idle states. Summary of the Invention
[0003] In view of the above, embodiments of this disclosure provide a connection restoration method, apparatus, communication device, and storage medium.
[0004] According to a first aspect of the present disclosure, a connection restoration method is provided, wherein the method is applied to a terminal, the method comprising:
[0005] Based on the connection recovery method selection indication, determine whether to send the current connection recovery request using the first security method;
[0006] When the current connection recovery request is sent using the first security method, at least some of the parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0007] In one embodiment, when the current connection recovery request is sent using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request.
[0008] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0009] And / or,
[0010] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0011] And / or,
[0012] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0013] And / or,
[0014] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0015] In one embodiment, when the current connection recovery request is sent using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0016] In one embodiment, the method further includes:
[0017] Receive first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0018] In one embodiment, the method further includes:
[0019] Perform security verification on the first indication information;
[0020] In response to the failure of security verification of the first indication information, the first indication information is ignored;
[0021] In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
[0022] In one embodiment, when the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0023] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0024] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0025] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0026] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0027] In one embodiment, when the current connection recovery request is sent using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0028] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0029] In one embodiment, when the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
[0030] In one embodiment, the method further includes:
[0031] Send a second indication message indicating the terminal security key.
[0032] In one embodiment, when the current connection recovery request is sent using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0033] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0034] In one embodiment, the method includes one of the following:
[0035] Receive third indication information indicating the connection restoration method selection indication;
[0036] Based on the communication protocol, the connection restoration method selection indication is determined.
[0037] In one embodiment, receiving third indication information indicating the connection restoration mode selection includes one of the following:
[0038] Receive a Radio Resource Control (RRC) message carrying the third indication information;
[0039] Receive a broadcast message carrying the third instruction information.
[0040] According to a second aspect of the present disclosure, a connection restoration method is provided, wherein the method is applied to a base station, the method comprising:
[0041] Based on the connection recovery method selection indication, determine whether the terminal should send the current connection recovery request using the first security method;
[0042] When the terminal sends a current connection recovery request using the first security method, at least some parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0043] In one embodiment, when the terminal sends a current connection recovery request using a second security method, the parameters of the current connection recovery request are the same as those of a historical connection recovery request.
[0044] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0045] And / or,
[0046] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0047] And / or,
[0048] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0049] And / or,
[0050] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0051] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0052] In one embodiment, the method further includes:
[0053] Send a first indication message, wherein the first indication message indicates the first output parameter and / or the second input parameter.
[0054] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0055] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0056] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0057] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0058] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0059] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0060] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0061] In one embodiment, when the terminal sends the current connection restoration request using the first security method, the terminal security key is determined by the terminal.
[0062] In one embodiment, the method further includes:
[0063] Receive second indication information indicating the terminal security key.
[0064] In one embodiment, when the terminal sends the current connection recovery request using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0065] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0066] In one embodiment, the method includes one of the following:
[0067] Send a third indication message indicating the connection restoration method selection indication;
[0068] Based on the communication protocol, the connection restoration method selection indication is determined.
[0069] In one embodiment, the sending of third indication information indicating the connection restoration method selection includes one of the following:
[0070] Send a Radio Resource Control (RRC) message carrying the third indication information;
[0071] Send a broadcast message carrying the third instruction information.
[0072] In one embodiment, the method includes: in response to the base station being an anchor base station of the terminal, sending indication information to a non-anchor base station of the terminal indicating whether the terminal sends the current connection recovery request using the first security method.
[0073] According to a third aspect of the present disclosure, a connection restoration device is provided, wherein the device is applied to a terminal and includes:
[0074] The first determining module is configured to determine, based on the connection recovery method selection indication, whether to use the first security method to send the current connection recovery request;
[0075] When the current connection recovery request is sent using the first security method, at least some of the parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0076] In one embodiment, when the current connection recovery request is sent using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request.
[0077] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0078] And / or,
[0079] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0080] And / or,
[0081] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0082] And / or,
[0083] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0084] In one embodiment, when the current connection recovery request is sent using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0085] In one embodiment, the apparatus further includes:
[0086] A first receiving module is configured to receive first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0087] In one embodiment, the apparatus further includes:
[0088] The verification module is configured to perform security verification on the first indication information;
[0089] In response to the failure of security verification of the first indication information, the first indication information is ignored;
[0090] In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
[0091] In one embodiment, when the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0092] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0093] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0094] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0095] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0096] In one embodiment, when the current connection recovery request is sent using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0097] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0098] In one embodiment, when the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
[0099] In one embodiment, the apparatus further includes:
[0100] The first sending module is configured to send second indication information indicating the terminal security key.
[0101] In one embodiment, when the current connection recovery request is sent using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0102] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0103] In one embodiment, the device includes one of the following:
[0104] The second receiving module is configured to receive third indication information that indicates the connection restoration method selection indication;
[0105] The second determining module is configured to determine the connection recovery method selection indication based on the communication protocol.
[0106] In one embodiment, the second receiving module is specifically configured as one of the following:
[0107] Receive a Radio Resource Control (RRC) message carrying the third indication information;
[0108] Receive a broadcast message carrying the third instruction information.
[0109] According to a fourth aspect of the present disclosure, a connection restoration apparatus is provided, wherein the apparatus is applied to a base station, the apparatus comprising:
[0110] The third determining module is configured to determine, based on the connection recovery method selection indication, whether the terminal uses the first security method to send the current connection recovery request.
[0111] When the terminal sends a current connection recovery request using the first security method, at least some parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0112] In one embodiment, when the terminal sends a current connection recovery request using a second security method, the parameters of the current connection recovery request are the same as those of a historical connection recovery request.
[0113] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0114] And / or,
[0115] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0116] And / or,
[0117] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0118] And / or,
[0119] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0120] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0121] In one embodiment, the apparatus further includes:
[0122] The second sending module is configured to send first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0123] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0124] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0125] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0126] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0127] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0128] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0129] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0130] In one embodiment, when the terminal sends the current connection restoration request using the first security method, the terminal security key is determined by the terminal.
[0131] In one embodiment, the apparatus further includes:
[0132] The third receiving module is configured to receive second indication information indicating the terminal security key.
[0133] In one embodiment, when the terminal sends the current connection recovery request using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0134] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0135] In one embodiment, the device includes one of the following:
[0136] The third sending module is configured to send third indication information indicating the connection recovery method selection indication;
[0137] The fourth determining module is configured to determine the connection recovery method selection indication based on the communication protocol.
[0138] In one embodiment, the third sending module is specifically configured as one of the following:
[0139] Send a Radio Resource Control (RRC) message carrying the third indication information;
[0140] Send a broadcast message carrying the third instruction information.
[0141] In one embodiment, the apparatus includes:
[0142] The fourth sending module is configured to, in response to the base station being the anchor base station of the terminal, send indication information to the non-anchor base station of the terminal, indicating whether the terminal should send the current connection recovery request using the first security method.
[0143] According to a fifth aspect of the present disclosure, a communication device apparatus is provided, including a processor, a memory, and an executable program stored in the memory and executable by the processor, wherein when the processor runs the executable program, it performs the steps of the connection restoration method as described in the first or second aspect.
[0144] According to a sixth aspect of the present disclosure, a storage medium is provided that stores an executable program thereon, wherein the executable program, when executed by a processor, implements the steps of the connection recovery method as described in the first or second aspect.
[0145] According to a fifth aspect of the present disclosure, a communication device apparatus is provided, including a processor, a memory, and an executable program stored in the memory and executable by the processor, wherein when the processor runs the executable program, it performs the steps of the connection restoration method as described in the first or second aspect.
[0146] According to a sixth aspect of the present disclosure, a storage medium is provided that stores an executable program thereon, wherein the executable program, when executed by a processor, implements the steps of the connection recovery method as described in the first or second aspect.
[0147] According to embodiments of this disclosure, a connection restoration method, apparatus, communication device, and storage medium are provided. A terminal determines whether to send a current connection restoration request using a first security method based on a connection restoration mode selection indication. When the first security method is used to send the current connection restoration request, at least some parameters of the current connection restoration request differ from the parameters of historical connection restoration requests. Thus, the connection restoration mode selection indication determines whether to send the current connection restoration request using the first security method. On one hand, this allows for selection of whether to use the first security method to send the current connection restoration request, increasing the flexibility of selecting the connection restoration request sending method. On the other hand, when the first security method is selected to send the current connection restoration request, since at least some parameters of the current connection restoration request differ from the parameters of historical connection restoration requests, the possibility of third-party communication devices communicating with the base station by copying historical connection restoration requests can be reduced, thereby improving communication security.
[0148] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit the embodiments of this disclosure. Attached Figure Description
[0149] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments of the invention.
[0150] Figure 1 This is a schematic diagram illustrating the structure of a wireless communication system according to an exemplary embodiment;
[0151] Figure 2 This is a schematic diagram illustrating a connection restoration interaction according to an exemplary embodiment;
[0152] Figure 3 This is a flowchart illustrating a connection restoration method according to an exemplary embodiment;
[0153] Figure 4 This is a flowchart illustrating another connection restoration method according to an exemplary embodiment;
[0154] Figure 5 This is a flowchart illustrating yet another connection restoration method according to an exemplary embodiment;
[0155] Figure 6 This is a flowchart illustrating another connection restoration method according to an exemplary embodiment;
[0156] Figure 7 This is a flowchart illustrating another connection restoration method according to an exemplary embodiment;
[0157] Figure 8 This is a block diagram illustrating a connection restoration device according to an exemplary embodiment;
[0158] Figure 9 This is a block diagram illustrating another connection restoration device according to an exemplary embodiment;
[0159] Figure 10 This is a block diagram illustrating an apparatus for connection restoration according to an exemplary embodiment. Detailed Implementation
[0160] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with those of the present invention. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the embodiments of the present invention as detailed in the appended claims.
[0161] The terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. The singular forms “a,” “the,” and “the” as used in this disclosure and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
[0162] It should be understood that although the terms first, second, third, etc., may be used to describe various information in embodiments of this disclosure, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, first information may also be referred to as second information without departing from the scope of embodiments of this disclosure, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "when," or "in response to a determination."
[0163] Please refer to Figure 1 This illustration shows a schematic diagram of the structure of a wireless communication system provided in an embodiment of this disclosure. Figure 1 As shown, the wireless communication system is a communication system based on cellular mobile communication technology. The wireless communication system may include: a number of terminals 11 and a number of base stations 12.
[0164] Terminal 11 can be a device that provides voice and / or data connectivity to a user. Terminal 11 can communicate with one or more core networks via a Radio Access Network (RAN). Terminal 11 can be an Internet of Things (IoT) terminal, such as a sensor device, a mobile phone (or "cellular" phone), and a computer with an IoT terminal. For example, it can be a fixed, portable, pocket-sized, handheld, computer-embedded, or vehicle-mounted device. Examples include a station (STA), subscriber unit, subscriber station, mobile station, mobile station, remote station, access point, remote terminal, access terminal, user terminal, user agent, user device, or user equipment (UE). Alternatively, terminal 11 can also be a device in an unmanned aerial vehicle (UAV). Alternatively, terminal 11 can also be a vehicle-mounted device, such as a vehicle computer with wireless communication capabilities, or a wireless communication device connected to an external vehicle computer. Alternatively, terminal 11 can also be a roadside device, such as a street light, traffic light, or other roadside device with wireless communication capabilities.
[0165] Base station 12 can be a network-side device in a wireless communication system. This wireless communication system can be a fourth-generation mobile communication (4G) system, also known as a Long Term Evolution (LTE) system; or it can be a 5G system, also known as a New Radio (NR) system or a 5G NR system. Alternatively, it can be a next-generation system after 5G. In this case, the access network in the 5G system can be called NG-RAN (New Generation-Radio Access Network). Alternatively, it can be an MTC system.
[0166] In this embodiment, base station 12 can be an evolved NB (eNB) used in a 4G system. Alternatively, base station 12 can also be a gNB (gNB) using a centralized-distributed architecture in a 5G system. When base station 12 adopts a centralized-distributed architecture, it typically includes a central unit (CU) and at least two distributed units (DU). The central unit is equipped with a protocol stack of Packet Data Convergence Protocol (PDCP), Radio Link Control (RLC), and Media Access Control (MAC) layers; the distributed units are equipped with a physical (PHY) layer protocol stack. This disclosure does not limit the specific implementation of base station 12.
[0167] Base station 12 and terminal 11 can establish a wireless connection via a wireless air interface. In different implementations, the wireless air interface is a wireless air interface based on the fourth-generation mobile communication network technology (4G) standard; or, the wireless air interface is a wireless air interface based on the fifth-generation mobile communication network technology (5G) standard, such as a new air interface; or, the wireless air interface can also be a wireless air interface based on a next-generation mobile communication network technology standard based on 5G.
[0168] In some embodiments, terminals 11 can also establish E2E (End to End) connections. Examples include V2V (vehicle to vehicle), V2I (vehicle to Infrastructure), and V2P (vehicle to pedestrian) communication scenarios in vehicle-to-everything (V2X) communication.
[0169] In some embodiments, the wireless communication system described above may further include a network management device 13.
[0170] Several base stations 12 are connected to network management device 13. Network management device 13 can be a core network device in a wireless communication system, such as a Mobility Management Entity (MME) in an Evolved Packet Core (EPC). Alternatively, it can be other core network devices, such as a Serving Gateway (SGW), a Public Data Network Gateway (PGW), a Policy and Charging Rules Function (PCRF), or a Home Subscriber Server (HSS). The implementation of network management device 13 is not limited in this embodiment.
[0171] The execution entities involved in the embodiments disclosed herein include, but are not limited to, terminals such as mobile phones in the NTN network, and base stations, etc.
[0172] like Figure 2 As shown, the specific steps for the terminal to enter the active state and initiate the connection restoration process through a connection restoration request include:
[0173] Step 201: The network side (e.g., the base station) sends a connection release message (RRCRelease) to suspend the terminal's RRC connection. This message includes configuration information for the connection recovery process, in addition to some configuration information for the terminal in the connected state. The terminal retains this configuration message in the inactive state, including: the current terminal's keys (including KgNB and KRRCint); the cell radio network temporary identifier (C-RNTI), cell identifier (e.g., CellIdentity), and physical cell identifier (PCI, PhysCellId) of the source PCell. The "nextHopChainingCount" configured in the RRCRelease message, i.e., the next-hop chain counter (NCC), specifies the key used by the terminal for subsequent connection recovery (e.g., NCC=0 corresponds to key 0, NCC=1 corresponds to key 1).
[0174] Step 202: When the terminal needs to restore the connection based on requirements (e.g., sending uplink data), the terminal sends a connection restoration request (RRCResumeRequest). This connection restoration request carries a "terminal authentication identifier" (e.g., resumeMAC-I). This "resumeMAC-I" is the 16 least significant bits (LSB) of the Integrity Message Authentication Code for Integrity (MAC-I), that is, it consists of the last 16 bits in the encoded bit order.
[0175] The input parameters for MAC-I calculations include:
[0176] The physical cell identifier of the UE's primary cell (PCell) before the RRC connection was suspended, the UE identifier C-RNTI of the UE's PCell before the RRC connection was suspended, and the cell identifier of the target cell for connection recovery.
[0177] The KRRCint key stored in the inactive context of the UE, and the integrity protection algorithm configured in the previous step;
[0178] Packet Data Convergence Protocol Count (PDCP COUNT), bearer identifier, and data transmission direction (e.g., uplink or downlink).
[0179] The terminal can deduce the KgNB key used for the connection recovery process based on the NCC indicated in step 201 or the current KgNB key.
[0180] Then, the terminal derives the KRRCenc key, KRRCint key, KUPint key, and KUPenc key.
[0181] Step 203: If the network side cannot accept the terminal's connection restoration request, such as due to network congestion, the network side sends a connection rejection message (i.e., RRCReject). The terminal then returns to the inactive state.
[0182] Step 204: If the terminal initiates the connection recovery process again, the terminal will resend the connection recovery request according to the process in step 202.
[0183] When a terminal receives a connection rejection message, the next time it initiates connection restoration, it will use the same terminal identifier (i.e., I-RNTI) and the same KRRCint key. This means the second connection restoration request (2) is identical to the first (1). Therefore, third-party communication devices, such as malicious devices, can capture connection restoration request 1 and impersonate the terminal to restore the connection with the base station, significantly increasing the terminal's communication security risk during the restoration process. For example, a malicious device can capture connection restoration request 1 and send it to the base station. The network side will successfully verify this request and modify the terminal's context. Therefore, when the terminal initiates connection restoration using its own retained context configuration, the connection restoration will fail due to the mismatch in context configuration.
[0184] Therefore, how to reduce the number of malicious devices impersonating terminals to send connection restoration messages and reduce the communication security risks of terminals during the connection restoration process is an urgent problem to be solved.
[0185] like Figure 3 As shown in the exemplary embodiment, this connection restoration method provides a connection restoration method that can be applied in a terminal, including:
[0186] Step 301: Based on the connection recovery method selection indication, determine whether to send the current connection recovery request using the first security method;
[0187] When the current connection recovery request is sent using the first security method, at least some of the parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0188] The terminal can be a mobile phone or other communication device that uses cellular mobile communication network technology for wireless communication.
[0189] In related technologies, when a terminal switches from an inactive state to a connected state, it sends a connection restoration request (connection restoration request 1) to the base station to request a return to the connected state. If the base station sends a connection rejection message (i.e., RRCReject) to reject the terminal's request, the terminal can send another connection restoration request (connection restoration request 2) to request a return to the connected state. Here, connection restoration request 1 and connection restoration request 2 are exactly the same. In this context, the inactive state can be an RRC inactive state, and the connected state can be an RRC connected state.
[0190] Here, a historical connection restoration request can include a prior connection restoration request sent by the terminal, and a current connection restoration request can include, but is not limited to, a subsequent connection restoration request sent by the terminal after the base station rejected a historical connection restoration request. For example, a current connection restoration request can also be a subsequent connection restoration request sent by the terminal after it has re-entered an inactive state following a historical connection restoration request received by the base station, when the terminal needs to restore the connection.
[0191] When a current connection recovery request is sent using the first security method, a historical connection recovery request can be sent using either the first security method or the second security method.
[0192] The connection restoration mode selection indicator is used to indicate whether the UE should send the current connection restoration request using the first security mode. If the first security mode is used, then at least some parameters of the current connection restoration request will differ from those of the historical connection restoration requests. Here, the historical connection restoration requests may have been sent using the first security mode, or they may have been sent using a different method.
[0193] The connection restoration method selection instruction can be pre-configured or sent by the network side. The instruction can be based on the actual needs of the terminal, indicating whether to use the primary security method. For example, the connection restoration method selection instruction can be configured based on the risk of the terminal being spoofed.
[0194] The differences in parameters between the current connection restoration request and historical connection restoration requests can be used by the base station to identify different connection restoration requests. Some of these parameters can be determined by the base station and the terminal of both communicating parties, and cannot be directly obtained or calculated by third-party communication devices. Therefore, third-party communication devices cannot determine the current connection restoration request from historical connection restoration requests, and thus cannot impersonate the terminal to communicate with the base station. This improves communication security between the terminal and the base station.
[0195] For example, some parameters may be determined by the base station and the UE using the same algorithm. This algorithm may be an encryption algorithm agreed upon by the base station and the UE, or it may use algorithm parameters that are unknown to the third-party communication equipment.
[0196] For example, at least one of the parameters carried in the current connection recovery request cannot be determined from the parameters carried in one or more previous historical connection recovery requests. This ensures that parameters leaked after previous connection recovery requests were intercepted cannot be used in the connection establishment process of the current (i.e., this) connection recovery request, thereby improving connection security.
[0197] Thus, the connection restoration method selection indicator determines whether to use the first security method to send the current connection restoration request. On the one hand, the option to use the first security method increases the flexibility in selecting the method for sending the connection restoration request. On the other hand, when the first security method is selected, since at least some parameters of the current connection restoration request differ from those of historical connection restoration requests, the possibility of third-party communication devices communicating with the base station by copying historical connection restoration requests can be reduced, thereby improving communication security.
[0198] In one embodiment, the method includes one of the following:
[0199] Receive third indication information indicating the connection restoration method selection indication;
[0200] Based on the communication protocol, the connection restoration method selection indication is determined.
[0201] Here, the connection restoration method selection indication can be determined by the network side. For example, the connection restoration method selection indication can be determined by the base station, which can indicate the connection restoration method selection indication by sending third indication information to the terminal.
[0202] The connection restoration method selection indicator can also be specified by the communication protocol.
[0203] In one embodiment, receiving third indication information indicating the connection restoration mode selection includes one of the following:
[0204] Receive a Radio Resource Control (RRC) message carrying the third indication information;
[0205] Receive a broadcast message carrying the third instruction information.
[0206] The base station can carry third indication information through dedicated configuration messages (such as RRC messages like RRCrelease messages) and / or broadcast information to indicate whether the terminal should send a connection restoration request using the first security method during the connection restoration process.
[0207] For example, if the third instruction terminal sends a connection restoration request using the first security method during the connection restoration process, then during the connection restoration process, the terminal calculates the terminal verification identifier (such as resumeMAC-I, etc.) based on whether the terminal uses the first security method to send the connection restoration request during the connection restoration process; otherwise, the terminal calculates the terminal verification identifier using the second security method.
[0208] In one embodiment, when the current connection recovery request is sent using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0209] Here, some parameters may include a terminal verification identifier, etc. The terminal verification identifier can be used to identify the terminal. The base station can determine the terminal that sent the connection restoration request based on the terminal verification identifier in the connection restoration request, and then proceed with the connection restoration process.
[0210] The terminal can determine the terminal verification identifier by means of agreement with the base station or by means of a protocol, and use a different terminal verification identifier in the current connection recovery request than in the historical connection recovery request.
[0211] The base station verifies whether the current connection restoration request was sent by a terminal using the terminal verification identifier in the current connection restoration request. If a third-party communication device uses a copied historical connection restoration request to communicate with the base station, and the terminal verification identifier in the historical connection restoration request is different from what the base station expects, then the verification will fail, and the device will be unable to impersonate the terminal to communicate with the base station.
[0212] Therefore, when the first security method is selected to send the current connection restoration request, because the terminal verification identifier of the current connection restoration request is different from that of the historical connection restoration request, third-party communication devices will fail verification when communicating with the base station by copying the historical connection restoration request. This reduces the likelihood of third-party communication devices communicating with the base station by copying historical connection restoration requests, thus improving communication security.
[0213] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0214] MAC-I can be used to verify the integrity of signaling messages. Different MAC-I can be used for current connection recovery requests and historical connection recovery requests. MAC-I can be determined based on at least one of the following parameters: the physical cell identifier of the UE's primary cell (PCell) before the RRC connection suspension; the UE identifier C-RNTI of the UE's PCell before the RRC connection suspension; the cell identifier of the target cell for connection recovery; the KRRCint key stored in the inactive context of the UE, and the previously configured integrity protection algorithm; the data convergence protocol layer number (PDCP COUNT, Packet Data Convergence Protocol Count); the bearer identifier and the data transmission direction (e.g., uplink or downlink).
[0215] The current connection recovery request can obtain a different MAC-I than historical connection recovery requests by changing one or more parameters, or by changing the algorithm.
[0216] The MAC-I portion can be predetermined by the communication protocol or determined through negotiation between the base station and the terminal. For example, the MAC-I portion can be "resumeMAC-I", which is the 16 LSBs of MAC-I, consisting of the last 16 bits of the MAC-I encoded bits in sequence.
[0217] Therefore, when the first security method is selected to send the current connection restoration request, because all or part of the MAC-I of the current connection restoration request differs from that of the historical connection restoration request, third-party communication devices will fail authentication when communicating with the base station by copying the historical connection restoration request. This reduces the likelihood of third-party communication devices communicating with the base station by copying historical connection restoration requests, thus improving communication security.
[0218] like Figure 4 As shown in the figure, this disclosure provides an information transmission method, the method further comprising:
[0219] Step 302: When the current connection recovery request is sent using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request.
[0220] Step 302 can be performed alone or in combination with step 201.
[0221] If the first security method is not selected to send the current connection recovery request, a second security method, different from the first security method, can be selected to send the current connection recovery request.
[0222] The parameters of the current connection restoration request sent using the second security method are the same as those of the historical connection restoration requests. When either the base station or the terminal cannot use the second security method, the first security method can be used, thereby improving the compatibility of connection restoration.
[0223] Thus, by using the connection restoration mode selection indicator, it is determined whether to send the current connection restoration request using the first security mode or the second security mode. This increases the flexibility in selecting the mode for sending connection restoration requests and meets different communication needs.
[0224] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0225] And / or,
[0226] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0227] And / or,
[0228] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0229] And / or,
[0230] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0231] Here, when using the second security method, the terminal authentication identifier, and / or terminal number, and / or context, and / or terminal security key can be used to determine the parameters that differ between the current connection recovery request and historical connection recovery requests. For example, some parameters can be the terminal authentication identifier; the terminal number, and / or context, and / or terminal security key can be used to determine some parameters through an algorithm, etc.
[0232] For example, when using the second security method, the terminal verification identifier, terminal number, context, and terminal security key determined for the current connection recovery request and the historical connection recovery request can be the same. Therefore, the current connection recovery request and the historical connection recovery request used in the second security method are the same. When using the first security method, at least one of the terminal verification identifier, and / or terminal number, and / or context, and / or terminal security key determined for the current connection recovery request and the historical connection recovery request is different. Therefore, the current connection recovery request and the historical connection recovery request used in the second security method are the same, but at least some parameters are different.
[0233] Terminal verification identifiers may include all or part of the MAC-I identifier.
[0234] Terminal numbers can include PDCP COUNT, etc.
[0235] Terminal security keys may include: KRRCint key, KgNB key, etc.
[0236] In one embodiment, when the current connection recovery request is sent using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0237] Here, the parameter that differs between the current connection restoration request sent using the first security method and the historical connection restoration requests may be the terminal verification identifier. The terminal verification identifier can be used to identify the terminal. The base station can determine the terminal that sent the connection restoration request based on the terminal verification identifier in the connection restoration request, and then proceed with the connection restoration process.
[0238] When a current connection recovery request is sent using the first security method, a historical connection recovery request can be sent using either the first security method or the second security method.
[0239] For example, the terminal verification identifier may include all or part of the MAC-I.
[0240] The terminal verification identifier can be determined by input parameters using a predetermined terminal verification identifier algorithm. The current connection recovery request and the historical connection recovery request can respectively use a first input parameter and a second input parameter, where the first input parameter differs from the second input parameter. Consequently, the terminal verification identifiers obtained for the current connection recovery request and the historical connection recovery request are different.
[0241] The first input parameter and the second input parameter may include, but are not limited to:
[0242] Context;
[0243] The content of the previous connection recovery request, for example, all or part of the MAC-I of the previous connection recovery request, such as the MAC-I excluding resumeMAC-I. Here, for the current connection recovery request, the previous connection recovery request can be a historical connection recovery request; for historical connection recovery requests, the previous connection recovery request can be a connection recovery request prior to the historical connection recovery request.
[0244] The terminal verification identifier for exemplary current connection restoration requests and historical connection restoration requests can be MAC-I. The first and second input parameters can include at least one of the following: the physical cell identifier of the UE's primary cell (PCell) before the RRC connection suspension; the UE identifier C-RNTI of the UE's PCell before the RRC connection suspension; the cell identifier of the target cell for connection restoration; the KRRCint key stored in the inactive context of the UE, and the integrity protection algorithm configured previously; the data convergence protocol layer number (PDCP COUNT, Packet Data Convergence ProtocolCount); the bearer identifier and the data transmission direction (e.g., uplink or downlink), etc. At least one of the first and second input parameters must be different.
[0245] For the second security method, the first input parameter and the second input parameter can be the same, and therefore the obtained terminal verification identifier is the same.
[0246] In one embodiment, the method further includes:
[0247] Receive first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0248] Here, the first indication information can be sent by either the anchor base station or a non-anchor base station. The anchor base station can forward the first indication information through the serving base station that has restored the terminal's current connection. Here, the anchor base station can be the serving base station that has restored the current connection.
[0249] The first indication information can be carried in dedicated signaling sent from the base station to the terminal. For example, the first indication information can be carried in an RRC reject signaling sent to the terminal.
[0250] For example, the anchor base station where the connection is restored provides first indication information.
[0251] The anchor base station that restores the connection can send the first indication information to the serving base station that currently restores the connection. The serving base station that currently restores the connection then sends the first indication information to the terminal.
[0252] Alternatively, the serving base station for the current connection restoration determines and sends a first indication message to the terminal, and then sends the first indication message to the anchor base station for connection restoration.
[0253] In one embodiment, the method further includes:
[0254] Perform security verification on the first indication information;
[0255] In response to the failure of security verification of the first indication information, the first indication information is ignored;
[0256] In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
[0257] The terminal can perform security verification on the first indication information sent by the base station, and only use the first input parameter and / or the second input parameter after the security verification is successful.
[0258] For example, the RRCReject message carries first indication information, such as network security authentication information (e.g., rejectMAC-I) when sending the RRCReject message. The terminal uses the first indication information after successful security verification of this authentication information. If security verification fails, the terminal does not use the first indication information. For example, the terminal may enter an idle state or discard the RRCReject message.
[0259] By performing security verification on the first indication information, the security of the transmission of the first indication information can be improved, thereby improving the security of the current connection recovery request and enhancing communication security.
[0260] In one embodiment, when the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0261] The terminal number can be a record number for the session between the terminal and the base station. The terminal number can be maintained by both the base station and the terminal. The terminal number can be used to identify different connection restoration requests. It can also be used to determine some parameters of the current connection restoration request. For example, the terminal number can be used to determine all or part of the terminal authentication identifier, such as MAC-I.
[0262] In one embodiment, the terminal number includes: the COUNT of the Packet Data Convergence Protocol (PDCP).
[0263] Data PDUs in PDCP can be used to transmit MAC-I, and PDCP numbers can be used for integrity protection and encryption operations. Therefore, previous connection recovery requests using different PDCP numbers than historical connection recovery requests can result in different data packets.
[0264] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0265] For example, in the first security mode, during the connection restoration process, the terminal can maintain the PDCP COUNT value. When the terminal triggers connection restoration process 1 and sends a historical connection restoration request via SRB, the SRB COUNT value will be incremented by 1. Subsequently, when the terminal triggers connection restoration process 2 and sends a current connection restoration request via SRB, the SRB COUNT value will be incremented by N based on the previous connection restoration process 1, such as N being 1.
[0266] For the second security approach, a method similar to related technologies can be used to maintain the PDCP COUNT value. For example: when the terminal triggers connection recovery process 1, it sends a historical connection recovery request via the SRB, at which point the SRB's COUNT value is incremented by 1. Subsequently, when the terminal triggers connection recovery process 2, the terminal restores the SRB's COUNT value from the connection recovery request sent in connection recovery process 1 to its initial value (e.g., "0"), and sends the current connection recovery request.
[0267] Thus, the current connection recovery request sent using the first security method is different from the current connection recovery request sent using the second security method, i.e., related technology. Third-party user equipment cannot deduce the current connection recovery request, thereby improving the security of communication between the base station and the terminal.
[0268] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0269] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0270] For example, if the terminal receives feedback information from the network side (such as an RRCReject message or an RRCRelease message), the terminal maintains the PDCP COUNT count. When the terminal triggers connection recovery process 1, it sends a historical connection recovery request via the SRB, and the SRB's COUNT value is incremented by 1. If the terminal receives an RRCReject message from the network side, when the terminal triggers connection recovery process 2, it sends a connection recovery request via the SRB, and the SRB's COUNT value is incremented by N based on the previous connection recovery process 1. If the terminal does not receive an RRCReject message from the network, after connection recovery process 1 ends, when the terminal triggers connection recovery process 2, the terminal restores the SRB's COUNT value from the connection recovery request sent in connection recovery process 1 to a predetermined initial value.
[0271] In one embodiment, when the current connection recovery request is sent using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0272] Here, the context corresponding to a historical connection recovery request can be used to calculate the terminal verification identifier in that request. Similarly, the context corresponding to the current connection recovery request can be used to calculate the terminal verification identifier in that request. This terminal verification identifier may include MAC-I. The first security approach calculates different terminal verification identifiers based on different contexts, ensuring that the current connection recovery request differs from historical ones. This reduces the success rate of third-party communication devices using historical connection recovery requests to communicate with the base station, thereby improving the security of communication between the base station and the terminal.
[0273] The context corresponding to the current connection recovery request can be determined based on the context corresponding to the historical connection recovery request, combined with the current cell identifier and different values of the specified parameters in the context.
[0274] The second security approach can employ related timing, using the same context to calculate the context of the current connection recovery request and the context of the historical connection recovery request.
[0275] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0276] Here, the terminal security key may include the KgNB key, etc.
[0277] For example, when a terminal sends a historical connection recovery request, it can calculate the terminal verification identifier for the historical connection recovery request based on the stored context (context 1), such as the context stored when the RRC connection was released. Then, the terminal can deduce the context (context 2) corresponding to the current connection recovery request based on this context 1.
[0278] For example, the KgNB key in context 2 can be derived from the KgNB key in context 1, combined with the identifier of the current serving cell or serving base station, or the KgNB key in context 2 can be derived from the instructions of NH and / or NCC.
[0279] In one embodiment, when the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
[0280] Terminal security keys can include terminal access layer keys, such as KgNB keys. Terminal security keys can be used to encrypt signaling between the base station and the terminal, such as RRC signaling like Current Connection Restoration Requests. Terminal security keys can also be used to determine parameters of Current Connection Restoration Requests, such as terminal authentication identifiers.
[0281] By determining the terminal security key, the terminal can specify the terminal security key used for the current connection recovery request, thereby reducing the possibility of the current connection recovery request being the same as the historical connection recovery request, and thus improving communication security.
[0282] For example, if a terminal has a terminal security key 0 corresponding to NCC=0 and a terminal security key 1 corresponding to NCC=1, then the terminal indicates the key it uses to the network side.
[0283] When the current connection restoration request is sent using the second security method, the terminal security key can be determined based on relevant technologies.
[0284] For example, when a terminal initiates a connection restoration process, the key used to calculate the terminal verification identifier is the terminal security key stored in the context. Subsequently, the terminal can derive a new terminal security key based on this key. This new terminal security key is used in subsequent steps of the connection restoration process, such as receiving feedback information from the network side, including RRCReject, RRCLease, or RRCResume messages. Because third-party communication devices cannot obtain the terminal security key, they cannot parse the feedback information, thus preventing impersonation by third-party devices and improving communication security.
[0285] In one embodiment, the method further includes:
[0286] Send a second indication message indicating the terminal security key.
[0287] The terminal can indicate its terminal security key to the base station. The base station can then send feedback information from the network side, such as an RRCReject message, an RRCLease message, or an RRCesume message, based on the terminal security key indicated by the terminal.
[0288] For example, a terminal can indicate different terminal security keys by specifying the NCC. For instance, it can indicate terminal security key 0 by specifying NCC:0, or terminal security key 1 by specifying NCC:1, etc.
[0289] Here, the second indication information can be carried in the connection restoration request or in Msg1 or MsgA of the random access procedure and sent to the base station.
[0290] like Figure 5 As shown in the exemplary embodiment, this connection restoration method provides a connection restoration method that can be applied in a base station, including:
[0291] Step 501: Based on the connection recovery mode selection indication, determine whether the terminal should send the current connection recovery request using the first security mode;
[0292] When the terminal sends a current connection recovery request using the first security method, at least some parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0293] The terminal can be a mobile phone or other communication device that uses cellular mobile communication network technology for wireless communication. Here, the base station can be an anchor base station for the terminal to restore connection, or a non-anchor base station for connection restoration.
[0294] In related technologies, when a terminal switches from an inactive state to a connected state, it sends a connection restoration request (connection restoration request 1) to the base station to request a return to the connected state. If the base station sends a connection rejection message (i.e., RRCReject) to reject the terminal's request, the terminal can send another connection restoration request (connection restoration request 2) to request a return to the connected state. Here, connection restoration request 1 and connection restoration request 2 are exactly the same. In this context, the inactive state can be an RRC inactive state, and the connected state can be an RRC connected state.
[0295] Here, a historical connection restoration request can include a prior connection restoration request sent by the terminal, and a current connection restoration request can include, but is not limited to, a subsequent connection restoration request sent by the terminal after the base station rejected a historical connection restoration request. For example, a current connection restoration request can also be a subsequent connection restoration request sent by the terminal after it has re-entered an inactive state following a historical connection restoration request received by the base station, when the terminal needs to restore the connection.
[0296] When a current connection recovery request is sent using the first security method, a historical connection recovery request can be sent using either the first security method or the second security method.
[0297] The connection restoration mode selection indicator is used to indicate whether the UE should send the current connection restoration request using the first security mode. If the first security mode is used, then at least some parameters of the current connection restoration request will differ from those of the historical connection restoration requests. Here, the historical connection restoration requests may have been sent using the first security mode, or they may have been sent using a different method.
[0298] The connection restoration method selection instruction can be pre-configured or sent by the network side. The instruction can be based on the actual needs of the terminal, indicating whether to use the primary security method. For example, the connection restoration method selection instruction can be configured based on the risk of the terminal being spoofed.
[0299] The differences in parameters between the current connection restoration request and historical connection restoration requests can be used by the base station to identify different connection restoration requests. Some of these parameters can be determined by the base station and the terminal of both communicating parties, and cannot be directly obtained or calculated by third-party communication devices. Therefore, third-party communication devices cannot determine the current connection restoration request from historical connection restoration requests, and thus cannot impersonate the terminal to communicate with the base station. This improves the communication security between the terminal and the base station.
[0300] For example, some parameters may be determined by the base station and the UE using the same algorithm. This algorithm may be an encryption algorithm agreed upon by the base station and the UE, or it may use algorithm parameters that are unknown to the third-party communication equipment.
[0301] For example, at least one of the parameters carried in the current connection recovery request cannot be determined from the parameters carried in one or more previous historical connection recovery requests. This ensures that parameters leaked after previous connection recovery requests were intercepted cannot be used in the connection establishment process of the current (i.e., this) connection recovery request, thereby improving connection security.
[0302] Thus, the connection restoration method selection indicator determines whether to use the first security method to send the current connection restoration request. On the one hand, the option to use the first security method increases the flexibility in selecting the method for sending the connection restoration request. On the other hand, when the first security method is selected, since at least some parameters of the current connection restoration request differ from those of historical connection restoration requests, the possibility of third-party communication devices communicating with the base station by copying historical connection restoration requests can be reduced, thereby improving communication security.
[0303] In one embodiment, the method includes one of the following:
[0304] Send a third indication message indicating the connection restoration method selection indication;
[0305] Based on the communication protocol, the connection restoration method selection indication is determined.
[0306] Here, the connection restoration method selection indication can be determined by the network side. For example, the connection restoration method selection indication can be determined by the base station, which can indicate the connection restoration method selection indication by sending third indication information to the terminal.
[0307] The connection restoration method selection indicator can also be specified by the communication protocol.
[0308] In one embodiment, the sending of third indication information indicating the connection restoration method selection includes one of the following:
[0309] Send a Radio Resource Control (RRC) message carrying the third indication information;
[0310] Send a broadcast message carrying the third instruction information.
[0311] The base station can carry third indication information through dedicated configuration messages (such as RRC messages like RRCrelease messages) and / or broadcast information to indicate whether the terminal should send a connection restoration request using the first security method during the connection restoration process.
[0312] For example, if the third instruction terminal sends a connection restoration request using the first security method during the connection restoration process, then during the connection restoration process, the terminal calculates the terminal verification identifier (such as resumeMAC-I, etc.) based on whether the terminal uses the first security method to send the connection restoration request during the connection restoration process; otherwise, the terminal calculates the terminal verification identifier using the second security method.
[0313] In one embodiment, when the terminal sends the current connection recovery request using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0314] Here, some parameters may include a terminal verification identifier, etc. The terminal verification identifier can be used to identify the terminal. The base station can determine the terminal that sent the connection restoration request based on the terminal verification identifier in the connection restoration request, and then proceed with the connection restoration process.
[0315] The terminal can determine the terminal verification identifier by means of agreement with the base station or by means of a protocol, and use a different terminal verification identifier in the current connection recovery request than in the historical connection recovery request.
[0316] The base station verifies whether the current connection restoration request was sent by a terminal using the terminal verification identifier in the current connection restoration request. If a third-party communication device uses a copied historical connection restoration request to communicate with the base station, and the terminal verification identifier in the historical connection restoration request is different from what the base station expects, then the verification will fail, and the device will be unable to impersonate the terminal to communicate with the base station.
[0317] Therefore, when the first security method is selected to send the current connection restoration request, because the terminal verification identifier of the current connection restoration request is different from that of the historical connection restoration request, third-party communication devices will fail verification when communicating with the base station by copying the historical connection restoration request. This reduces the likelihood of third-party communication devices communicating with the base station by copying historical connection restoration requests, thus improving communication security.
[0318] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0319] MAC-I can be used to verify the integrity of signaling messages. Different MAC-I can be used for current connection recovery requests and historical connection recovery requests. MAC-I can be determined based on at least one of the following parameters: the physical cell identifier of the UE's primary cell (PCell) before the RRC connection suspension; the UE identifier C-RNTI of the UE's PCell before the RRC connection suspension; the cell identifier of the target cell for connection recovery; the KRRCint key stored in the inactive context of the UE, and the previously configured integrity protection algorithm; the data convergence protocol layer number (PDCP COUNT, Packet Data Convergence Protocol Count); the bearer identifier and the data transmission direction (e.g., uplink or downlink).
[0320] The current connection recovery request can obtain a different MAC-I than historical connection recovery requests by changing one or more parameters, or by changing the algorithm.
[0321] The MAC-I portion can be predetermined by the communication protocol or determined through negotiation between the base station and the terminal. For example, the MAC-I portion can be "resumeMAC-I", which is the 16 LSBs of MAC-I, consisting of the last 16 bits of the MAC-I encoded bits in sequence.
[0322] Therefore, when the first security method is selected to send the current connection restoration request, because all or part of the MAC-I of the current connection restoration request differs from that of the historical connection restoration request, third-party communication devices will fail authentication when communicating with the base station by copying the historical connection restoration request. This reduces the likelihood of third-party communication devices communicating with the base station by copying historical connection restoration requests, thus improving communication security.
[0323] like Figure 6 As shown in the figure, this disclosure provides an information transmission method, the method further comprising:
[0324] Step 502: When the terminal sends a current connection recovery request using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request.
[0325] Step 502 can be performed alone or in combination with step 501.
[0326] If the first security method is not selected to send the current connection recovery request, a second security method, different from the first security method, can be selected to send the current connection recovery request.
[0327] The parameters of the current connection restoration request sent using the second security method are the same as those of the historical connection restoration requests. When either the base station or the terminal cannot use the second security method, the first security method can be used, thereby improving the compatibility of connection restoration.
[0328] Thus, by using the connection restoration mode selection indicator, it is determined whether to send the current connection restoration request using the first security mode or the second security mode. This increases the flexibility in selecting the mode for sending connection restoration requests and meets different communication needs.
[0329] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0330] And / or,
[0331] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0332] And / or,
[0333] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0334] And / or,
[0335] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0336] Here, when using the second security method, the terminal authentication identifier, and / or terminal number, and / or context, and / or terminal security key can be used to determine the parameters that differ between the current connection recovery request and historical connection recovery requests. For example, some parameters can be the terminal authentication identifier; the terminal number, and / or context, and / or terminal security key can be used to determine some parameters through an algorithm, etc.
[0337] For example, when using the second security method, the terminal verification identifier, terminal number, context, and terminal security key determined for the current connection recovery request and the historical connection recovery request can be the same. Therefore, the current connection recovery request and the historical connection recovery request used in the second security method are the same. When using the first security method, at least one of the terminal verification identifier, and / or terminal number, and / or context, and / or terminal security key determined for the current connection recovery request and the historical connection recovery request is different. Therefore, the current connection recovery request and the historical connection recovery request used in the second security method are the same, but at least some parameters are different.
[0338] Terminal verification identifiers may include all or part of the MAC-I identifier.
[0339] Terminal numbers can include PDCP COUNT, etc.
[0340] Terminal security keys may include: KRRCint key, KgNB key, etc.
[0341] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0342] Here, the parameter that differs between the current connection restoration request sent using the first security method and the historical connection restoration requests may be the terminal verification identifier. The terminal verification identifier can be used to identify the terminal. The base station can determine the terminal that sent the connection restoration request based on the terminal verification identifier in the connection restoration request, and then proceed with the connection restoration process.
[0343] When a current connection recovery request is sent using the first security method, a historical connection recovery request can be sent using either the first security method or the second security method.
[0344] For example, the terminal verification identifier may include all or part of the MAC-I.
[0345] The terminal verification identifier can be determined by input parameters using a predetermined terminal verification identifier algorithm. The current connection recovery request and the historical connection recovery request can respectively use a first input parameter and a second input parameter, where the first input parameter differs from the second input parameter. Consequently, the terminal verification identifiers obtained for the current connection recovery request and the historical connection recovery request are different.
[0346] The first input parameter and the second input parameter may include, but are not limited to:
[0347] Context;
[0348] The content of the previous connection recovery request, for example, all or part of the MAC-I of the previous connection recovery request, such as the MAC-I excluding resumeMAC-I. Here, for the current connection recovery request, the previous connection recovery request can be a historical connection recovery request; for historical connection recovery requests, the previous connection recovery request can be a connection recovery request prior to the historical connection recovery request.
[0349] The terminal verification identifier for exemplary current connection restoration requests and historical connection restoration requests can be MAC-I. The first and second input parameters can include at least one of the following: the physical cell identifier of the UE's primary cell (PCell) before the RRC connection suspension; the UE identifier C-RNTI of the UE's PCell before the RRC connection suspension; the cell identifier of the target cell for connection restoration; the KRRCint key stored in the inactive context of the UE, and the integrity protection algorithm configured previously; the data convergence protocol layer number (PDCP COUNT, Packet Data Convergence ProtocolCount); the bearer identifier and the data transmission direction (e.g., uplink or downlink), etc. At least one of the first and second input parameters must be different.
[0350] For the second security method, the first input parameter and the second input parameter can be the same, and therefore the obtained terminal verification identifier is the same.
[0351] In one embodiment, the method further includes:
[0352] Send a first indication message, wherein the first indication message indicates the first output parameter and / or the second input parameter.
[0353] Here, the first indication information can be sent by either the anchor base station or a non-anchor base station. The anchor base station can forward the first indication information through the serving base station that has restored the terminal's current connection. Here, the anchor base station can be the serving base station that has restored the current connection.
[0354] The first indication information can be carried in dedicated signaling sent from the base station to the terminal. For example, the first indication information can be carried in an RRC reject signaling sent to the terminal.
[0355] For example, the anchor base station where the connection is restored provides first indication information.
[0356] The anchor base station that restores the connection can send the first indication information to the serving base station that currently restores the connection. The serving base station that currently restores the connection then sends the first indication information to the terminal.
[0357] Alternatively, the serving base station for the current connection restoration determines and sends a first indication message to the terminal, and then sends the first indication message to the anchor base station for connection restoration.
[0358] In one embodiment, the method further includes:
[0359] The terminal performs security verification on the first indication information;
[0360] In response to the failure of security verification of the first indication information, the first indication information is ignored;
[0361] In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
[0362] The terminal can perform security verification on the first indication information sent by the base station, and only use the first input parameter and / or the second input parameter after the security verification is successful.
[0363] For example, the RRCReject message carries first indication information, such as network security authentication information (e.g., rejectMAC-I) when sending the RRCReject message. The terminal uses the first indication information after successful security verification of this authentication information. If security verification fails, the terminal does not use the first indication information. For example, the terminal may enter an idle state or discard the RRCReject message.
[0364] By performing security verification on the first indication information, the security of the transmission of the first indication information can be improved, thereby improving the security of the current connection restoration request and enhancing communication security.
[0365] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0366] The terminal number can be a record number for the session between the terminal and the base station. The terminal number can be maintained by both the base station and the terminal. The terminal number can be used to identify different connection restoration requests. It can also be used to determine some parameters of the current connection restoration request. For example, the terminal number can be used to determine all or part of the terminal authentication identifier, such as MAC-I.
[0367] In one embodiment, the terminal number includes: the COUNT of the Packet Data Convergence Protocol (PDCP).
[0368] Data PDUs in PDCP can be used to transmit MAC-I, and PDCP numbers can be used for integrity protection and encryption operations. Therefore, previous connection recovery requests using different PDCP numbers than historical connection recovery requests can result in different data packets.
[0369] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0370] For example, in the first security mode, during the connection restoration process, the terminal can maintain the PDCP COUNT value. When the terminal triggers connection restoration process 1 and sends a historical connection restoration request via SRB, the SRB COUNT value will be incremented by 1. Subsequently, when the terminal triggers connection restoration process 2 and sends a current connection restoration request via SRB, the SRB COUNT value will be incremented by N based on the previous connection restoration process 1, such as N being 1.
[0371] For the second security approach, a method similar to related technologies can be used to maintain the PDCP COUNT value. For example: when the terminal triggers connection recovery process 1, it sends a historical connection recovery request via the SRB, at which point the SRB's COUNT value is incremented by 1. Subsequently, when the terminal triggers connection recovery process 2, the terminal restores the SRB's COUNT value from the connection recovery request sent in connection recovery process 1 to its initial value (e.g., "0"), and sends the current connection recovery request.
[0372] Thus, the current connection recovery request sent using the first security method is different from the current connection recovery request sent using the second security method, i.e., related technology. Third-party user equipment cannot deduce the current connection recovery request, thereby improving the security of communication between the base station and the terminal.
[0373] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0374] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0375] For example, if the terminal receives feedback information from the network side (such as an RRCReject message or an RRCRelease message), the terminal maintains the PDCP COUNT count. When the terminal triggers connection recovery process 1, it sends a historical connection recovery request via the SRB, and the SRB's COUNT value is incremented by 1. If the terminal receives an RRCReject message from the network side, when the terminal triggers connection recovery process 2, it sends a connection recovery request via the SRB, and the SRB's COUNT value is incremented by N based on the previous connection recovery process 1. If the terminal does not receive an RRCReject message from the network, after connection recovery process 1 ends, when the terminal triggers connection recovery process 2, the terminal restores the SRB's COUNT value from the connection recovery request sent in connection recovery process 1 to a predetermined initial value.
[0376] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0377] Here, the context corresponding to a historical connection recovery request can be used to calculate the terminal verification identifier in that request. Similarly, the context corresponding to the current connection recovery request can be used to calculate the terminal verification identifier in that request. This terminal verification identifier may include MAC-I. The first security approach calculates different terminal verification identifiers based on different contexts, ensuring that the current connection recovery request differs from historical ones. This reduces the success rate of third-party communication devices using historical connection recovery requests to communicate with the base station, thereby improving the security of communication between the base station and the terminal.
[0378] The context corresponding to the current connection recovery request can be determined based on the context corresponding to the historical connection recovery request, combined with the current cell identifier and different values of the specified parameters in the context.
[0379] The second security approach can employ related timing, using the same context to calculate the context of the current connection recovery request and the context of the historical connection recovery request.
[0380] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0381] Here, the terminal security key may include the KgNB key, etc.
[0382] For example, when a terminal sends a historical connection recovery request, it can calculate the terminal verification identifier for the historical connection recovery request based on the stored context (context 1), such as the context stored when the RRC connection was released. Then, the terminal can deduce the context (context 2) corresponding to the current connection recovery request based on this context 1.
[0383] For example, the KgNB key in context 2 can be derived from the KgNB key in context 1, combined with the identifier of the current serving cell or serving base station, or the KgNB key in context 2 can be derived from the instructions of NH and / or NCC.
[0384] In one embodiment, when the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
[0385] Terminal security keys can include terminal access layer keys, such as KgNB keys. Terminal security keys can be used to encrypt signaling between the base station and the terminal, such as RRC signaling like Current Connection Restoration Requests. Terminal security keys can also be used to determine parameters of Current Connection Restoration Requests, such as terminal authentication identifiers.
[0386] By determining the terminal security key, the terminal can specify the terminal security key used for the current connection recovery request, thereby reducing the possibility of the current connection recovery request being the same as the historical connection recovery request, and thus improving communication security.
[0387] For example, if a terminal has a terminal security key 0 corresponding to NCC=0 and a terminal security key 1 corresponding to NCC=1, then the terminal indicates the key it uses to the network side.
[0388] When the current connection restoration request is sent using the second security method, the terminal security key can be determined based on relevant technologies.
[0389] For example, when a terminal initiates a connection restoration process, the key used to calculate the terminal verification identifier is the terminal security key stored in the context. Subsequently, the terminal can derive a new terminal security key based on this key. This new terminal security key is used in subsequent steps of the connection restoration process, such as receiving feedback information from the network side, including RRCReject, RRCLease, or RRCResume messages. Because third-party communication devices cannot obtain the terminal security key, they cannot parse the feedback information, thus preventing impersonation by third-party devices and improving communication security.
[0390] In one embodiment, the method further includes:
[0391] Receive second indication information indicating the terminal security key.
[0392] The terminal can indicate its terminal security key to the base station. The base station can then send feedback information from the network side, such as an RRCReject message, an RRCLease message, or an RRCesume message, based on the terminal security key indicated by the terminal.
[0393] For example, a terminal can indicate different terminal security keys by specifying the NCC. For instance, it can indicate terminal security key 0 by specifying NCC:0, or terminal security key 1 by specifying NCC:1, etc.
[0394] Here, the second indication information can be carried in the connection restoration request or in Msg1 or MsgA of the random access procedure and sent to the base station.
[0395] In one embodiment, the method includes: in response to the base station being an anchor base station of the terminal, sending indication information to a non-anchor base station of the terminal indicating whether the terminal sends the current connection recovery request using the first security method.
[0396] Based on the received terminal connection restoration request information, the network side executes the connection restoration process according to the first security method. For example, the base station sends feedback information according to the first security method, such as a connection restoration message, a connection rejection message, or a connection release message.
[0397] The base stations may include anchor base stations for connection restoration and non-anchor base stations for connection restoration (such as the currently serving base station for connection restoration). The anchor base stations and non-anchor base stations for connection restoration may pre-agree on the specific implementation method of connection restoration, which may include at least one of the following:
[0398] Specific Implementation 1: The non-anchor base station that has restored the connection uses a first security method to verify the terminal. Then, the non-anchor base station that has restored the connection verifies the terminal using the first security method based on at least one of the following information provided by the anchor base station that has restored the connection:
[0399] Indication information indicating whether the terminal is configured to use the first security mode.
[0400] Instructions on whether the terminal supports using the first security mode.
[0401] The context corresponding to the terminal's current connection restoration request.
[0402] Specific Implementation 2: The anchor base station that restores the connection uses a first security method to verify the terminal. Then, the anchor base station that restores the connection uses a "specific security method" to verify the terminal based on at least one of the following information provided by the non-anchor base station that restored the connection:
[0403] 1. Terminal verification identification information. This "terminal verification identification information" includes at least one of the following:
[0404] Connection restoration requests, such as RRRCResumeRequest;
[0405] Terminal verification identifier, such as resumeMAC-I;
[0406] Terminal identifiers, such as the inactive wireless network temporary identifier I-RNTI.
[0407] 2. Auxiliary parameters used to verify "terminal verification information":
[0408] The target cell identifier for connection restoration, such as the Cell Global Identifier (CGI);
[0409] The physical identifier of the target cell for connection restoration, such as the Physical Cell Identifier (PCI).
[0410] The target cell frequency for connection restoration, such as the Absolute Radio Frequency Channel Number (ARFCN).
[0411] The target cell bandwidth identifier for connection restoration, such as BWP-1;
[0412] The terminal uses a "specific security method", such as "terminal verification identifier calculation method 2";
[0413] The key used by the terminal, such as NCC=1;
[0414] Bearer identifier, such as SRB1.
[0415] PDCP number, such as COUNT;
[0416] Data transmission direction, such as uplink RRC signaling.
[0417] The following provides a specific example in conjunction with any of the above embodiments:
[0418] like Figure 7 As shown, the specific steps for restoring the terminal connection include:
[0419] Step 701: The terminal determines whether to use a "specific security method" to restore the connection based on the instructions or protocol agreed upon by the network side.
[0420] "Specific security method" can be a "new security method" (i.e., the first security method). Both the terminal and the network side may support the "new security method" and the "old security method" (i.e., the second security method). Here, the connection recovery request 1 and connection recovery request 2 used in the first security method are different, while the connection recovery request 1 and connection recovery request 2 used in the second security method are the same. Connection recovery request 2 can be a connection recovery request sent after connection recovery request 1 is rejected by the network.
[0421] The network instructs the terminal to use the "new security method" to send the connection restoration request during the connection restoration process via an RRRCRelease message (or broadcast information). If so, the terminal uses the "new security method" to calculate the terminal authentication identifier (such as resumeMAC-I) during the connection restoration process; otherwise, the terminal uses the "old security method" to calculate the terminal authentication identifier.
[0422] The network-side indication information includes at least one of the following:
[0423] Dedicated configuration message;
[0424] Broadcast message.
[0425] For example, after receiving an instruction to use a "specific security method" in both the RRRCRelease message and the broadcast message from the cell initiating the connection restoration, the terminal performs the connection restoration process using the "specific security method" in the cell initiating the connection restoration. This "specific security method" includes at least one of the following:
[0426] 1. A specific method for calculating terminal verification identifiers. This "specific method for calculating terminal verification identifiers" includes at least one of the following:
[0427] a) Terminal verification identifier calculation method 1: The "terminal verification identifier calculation method" for the connection recovery process described in the background technology.
[0428] b) Terminal Authentication Identifier Calculation Method 2: Change at least one of the input parameters for calculating the "Terminal Authentication Identifier" (e.g., the "MAC-I Calculation Input Parameters" described in the background section). (For example, at least one of the input parameters for calculating the "Terminal Authentication Identifier" sent in the previous RRCresumeRequest message differs from the value of the input parameters for calculating the "Terminal Authentication Identifier" sent in the current RRCresumeRequest message.)
[0429] Specifically, for "Terminal Authentication Identifier Calculation Method 2," the terminal calculates the "Terminal Authentication Identifier" using the "Input Parameters for 'Terminal Authentication Identifier Calculation'" indicated by the network when initiating connection restoration. (For example, the network indicates the "Input Parameters for 'Terminal Authentication Identifier Calculation'" in the RRCReject message.)
[0430] The input parameters for calculating the "Terminal Authentication Identifier" as indicated by the network include at least one of the following:
[0431] "Context," such as the "context" determined in a specific terminal context maintenance method a).
[0432] The content of the previous connection recovery request (e.g., a portion (e.g., the connection recovery request excluding resumeMAC-I), or the entire connection recovery request).
[0433] Furthermore, the terminal only uses the input parameters calculated from the "Terminal Authentication Identifier" indicated by the network after successfully verifying the security of the network-indicated information. (For example, if the network carries network authentication information: rejectMAC-I when sending an RRCReject message, then the terminal uses the input parameters calculated from the "Terminal Authentication Identifier" indicated by the network after successfully verifying the security of that network authentication information. If the security verification fails, the terminal does not use the input parameters calculated from the "Terminal Authentication Identifier" indicated by the network. The terminal can enter the IDLE state or discard the RRCReject message.
[0434] The network indicates the input parameters for calculating the "terminal verification identifier" using any of the following methods:
[0435] The network indicates that the "Terminal Verification Identifier" calculation method 1 is provided by the "Anchor Base Station of Connection Recovery". The "Terminal Verification Identifier" calculation input parameters are provided by the "Anchor Base Station of Connection Recovery".
[0436] Furthermore, the "anchor base station for connection restoration" sends the input parameters calculated by the "terminal verification identifier" to the "current serving base station for connection restoration". Then, the "current serving base station for connection restoration" sends the input parameters calculated by the "terminal verification identifier" to the terminal.
[0437] The network indicates that the "Terminal Verification Identifier" calculation method 2 is: "The current serving base station where the connection has been restored" provides the input parameters for the calculation of the "Terminal Verification Identifier".
[0438] Furthermore, the "current serving base station for connection restoration" sends the input parameters calculated by the "terminal verification identifier" to the "anchor base station for connection restoration".
[0439] 2. Specific terminal number maintenance methods (e.g., the maintenance method for the PDCP COUNT value (where the COUNT value is an input parameter for the encryption and authentication process)).
[0440] a) Terminal ID Maintenance Method 1: During the connection recovery process, the terminal resets the PDCP COUNT value. (For example, when the terminal triggers connection recovery process 1, it sends a connection recovery request via SRB, at which point the SRB COUNT value is incremented by 1. Subsequently, when the terminal triggers connection recovery process 2, it restores the SRB COUNT value from the connection recovery request sent in connection recovery process 1 to its initial value (e.g., "0") and sends the connection recovery request again.)
[0441] b) Terminal Number Maintenance Method 2: During the connection restoration process, the terminal maintains the PDCP COUNT value. (For example, when the terminal triggers connection restoration process 1 and sends a connection restoration request via SRB, the SRB COUNT value will be incremented by 1. Subsequently, when the terminal triggers connection restoration process 2 and sends a connection restoration request via SRB, the SRB COUNT value will continue to be incremented by 1 based on the previous connection restoration process 1.)
[0442] c) Terminal Number Maintenance Method 3: During the connection recovery process, if the terminal receives feedback information from the network side (e.g., an RRCReject message or an RRCRelease message), the terminal maintains the PDCP COUNT value. (For example, when the terminal triggers connection recovery process 1 and sends a connection recovery request via SRB, the SRB COUNT value is incremented by 1. If the terminal receives an RRCReject message from the network, subsequently, when the terminal triggers connection recovery process 2 and sends a connection recovery request via SRB, the SRB COUNT value will continue to be incremented by 1 based on the previous connection recovery process 1. If the terminal does not receive an RRCReject message from the network, after connection recovery process 1 ends, subsequently, when the terminal triggers connection recovery process 2, the terminal restores the SRB COUNT value of the connection recovery request sent in connection recovery process 1 to its initial value.)
[0443] 3. Specific terminal context maintenance method. The "terminal context maintenance method" is as follows: upon receiving an indication message (such as an RRCReject message or an RRCRelease message) sent by the network side, the "first context" is discarded, and the "second context" is retained.
[0444] a) Terminal Context Maintenance Method 1: For this connection recovery process, the "first context" is the "historical context," and the "second context" is the "new context derived from the historical context." (For example, when the terminal sends a connection recovery request, it calculates the "terminal verification identifier" based on the previously stored historical "context-1" (e.g., the context stored when the RRC connection was released). Then, the terminal derives a new "context-2" based on this historical "context-1" (e.g., a new KgNB key derived from the currently (stored) KgNB key; or a new KgNB key derived from "NH (NextHop)" and "NCC" instructions).)
[0445] b) Terminal context maintenance method 2: For this connection recovery process, the "first context" is the "new context derived from the historical context", and the "second context" is the "historical context".
[0446] 4. Specific terminal security key usage methods.
[0447] a) Terminal security key usage method 1: The terminal indicates the key it uses (e.g., if the terminal has a key corresponding to NCC=0 and a key corresponding to NCC=1, then the terminal indicates the key it uses to the network side (e.g., indicating the value of NCC through a connection recovery request (or, Msg1 or MsgA in the random access procedure)).
[0448] b) Terminal Security Key Usage Method 2: The terminal uses the "old security key" when calculating the "terminal verification identifier," and then uses a "new security key derived from the old security key" after calculating the "terminal verification identifier." (For example, when the terminal initiates a connection recovery process, the key used when calculating the "terminal verification identifier" is the key in the terminal's current storage context. Afterwards, the terminal uses the "new security key derived from the old security key," which is used in subsequent steps of this connection recovery process (e.g., receiving feedback information from the network side (e.g., RRCReject message, or RRCLease message, or RRCResume message, etc.)).
[0449] The "context" includes at least one of the following: a key (e.g., an encryption key, or an integrity verification key); a security algorithm (e.g., an encryption algorithm, or an integrity verification algorithm); the PDCP COUNT value; the physical cell identifier of the UE's PCell before the RRC connection was suspended; the UE identifier of the UE's PCell before the RRC connection was suspended; the bearer identifier; and the data transmission direction.
[0450] Step 702: Based on the received terminal connection restoration request, the network side executes the connection restoration process according to the "specific security method". (For example, the network side sends feedback information (such as a "connection restoration message", "connection rejection message", or "connection release message") according to the "specific security method".)
[0451] Furthermore, the "network side performing the connection restoration process according to a 'specific security method'" includes the "current serving base station for connection restoration" and the "anchor base station for connection restoration" negotiating the "specific security method" used in the connection restoration process. This negotiation method includes at least one of the following:
[0452] Negotiation Method 1: The "current serving base station that has restored the connection" verifies the terminal using a "specific security method." Then, the "current serving base station that has restored the connection" verifies the terminal using a "specific security method" based on at least one of the following information provided by the "anchor base station that has restored the connection":
[0453] Indication information indicating whether the terminal is configured to use a "specific security method".
[0454] Indication information regarding whether the terminal supports the use of "specific security methods".
[0455] The terminal's "context" (wherein the "context" is the same as in step 1).
[0456] Negotiation Method 2: The "anchor base station where the connection has been restored" uses a "specific security method" to verify the terminal. The "anchor base station where the connection has been restored" uses a "specific security method" to verify the terminal based on at least one of the following information provided by the "current serving base station where the connection has been restored":
[0457] 1. Terminal verification identification information. This "terminal verification identification information" includes at least one of the following:
[0458] Connection restoration requests, such as RRRCResumeRequest;
[0459] Terminal verification identifier, such as resumeMAC-I;
[0460] Terminal identifiers, such as the inactive wireless network temporary identifier I-RNTI.
[0461] 2. Auxiliary parameters used to verify "terminal verification information":
[0462] The target cell identifier for connection restoration, such as the Cell Global Identifier (CGI);
[0463] The physical identifier of the target cell for connection restoration, such as the Physical Cell Identifier (PCI).
[0464] The target cell frequency for connection restoration, such as the Absolute Radio Frequency Channel Number (ARFCN).
[0465] The target cell bandwidth identifier for connection restoration, such as BWP-1;
[0466] The terminal uses a "specific security method", such as "terminal verification identifier calculation method 2";
[0467] The key used by the terminal, such as NCC=1;
[0468] Bearer identifier, such as SRB1.
[0469] PDCP number, such as COUNT;
[0470] Data transmission direction, such as uplink RRC signaling.
[0471] This invention also provides a connection restoration device, applied in a cellular mobile wireless communication terminal, such as... Figure 8 As shown, the device 100 includes:
[0472] The first determining module 110 is configured to determine, based on the connection recovery method selection indication, whether to use the first security method to send the current connection recovery request;
[0473] When the current connection recovery request is sent using the first security method, at least some of the parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0474] In one embodiment, when the current connection recovery request is sent using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request.
[0475] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0476] And / or,
[0477] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0478] And / or,
[0479] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0480] And / or,
[0481] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0482] In one embodiment, when the current connection recovery request is sent using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0483] In one embodiment, the device 100 further includes:
[0484] The first receiving module 120 is configured to receive first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0485] In one embodiment, the device 100 further includes:
[0486] Verification module 130 is configured to perform security verification on the first indication information;
[0487] In response to the failure of security verification of the first indication information, the first indication information is ignored;
[0488] In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
[0489] In one embodiment, when the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0490] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0491] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0492] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0493] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0494] In one embodiment, when the current connection recovery request is sent using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0495] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0496] In one embodiment, when the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
[0497] In one embodiment, the device 100 further includes:
[0498] The first sending module 140 is configured to send second indication information indicating the terminal security key.
[0499] In one embodiment, when the current connection recovery request is sent using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0500] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0501] In one embodiment, the device 100 includes one of the following:
[0502] The second receiving module 150 is configured to receive third indication information indicating the connection restoration method selection indication;
[0503] The second determining module 160 is configured to determine the connection recovery method selection indication based on the communication protocol.
[0504] In one embodiment, the second receiving module 150 is specifically configured as one of the following:
[0505] Receive a Radio Resource Control (RRC) message carrying the third indication information;
[0506] Receive a broadcast message carrying the third instruction information.
[0507] This invention also provides a connection restoration device, applied in a cellular mobile wireless communication base station, such as... Figure 9 As shown, the device 200 includes:
[0508] The third determining module 210 is configured to determine, based on the connection recovery method selection indication, whether the terminal uses the first security method to send the current connection recovery request.
[0509] When the terminal sends a current connection recovery request using the first security method, at least some parameters of the current connection recovery request are different from the parameters of the historical connection recovery request.
[0510] In one embodiment, when the terminal sends a current connection recovery request using a second security method, the parameters of the current connection recovery request are the same as those of a historical connection recovery request.
[0511] In one embodiment, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method;
[0512] And / or,
[0513] The method for determining the terminal number in the first security method is different from the method for determining the terminal number in the second security method;
[0514] And / or,
[0515] The method for determining the context of the first security method is different from the method for determining the context of the second security method;
[0516] And / or,
[0517] The method for determining the terminal security key in the first security method is different from the method for determining the terminal security key in the second security method.
[0518] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
[0519] In one embodiment, the device 200 further includes:
[0520] The second sending module 220 is configured to send first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
[0521] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request.
[0522] In one embodiment, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N, where N is a positive integer.
[0523] In one embodiment, in response to receiving feedback information regarding the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N;
[0524] In response to the lack of feedback information received regarding the historical connection restoration request, the terminal number corresponding to the current connection restoration request is set to a predetermined initial value.
[0525] In one embodiment, the terminal number includes the COUNT of the Packet Data Convergence Protocol (PDCP).
[0526] In one embodiment, when the terminal sends the current connection recovery request using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
[0527] In one embodiment, the terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
[0528] In one embodiment, when the terminal sends the current connection restoration request using the first security method, the terminal security key is determined by the terminal.
[0529] In one embodiment, the device 200 further includes:
[0530] The third receiving module 230 is configured to receive second indication information indicating the terminal security key.
[0531] In one embodiment, when the terminal sends the current connection recovery request using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
[0532] In one embodiment, the terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
[0533] In one embodiment, the device 200 includes one of the following:
[0534] The third sending module 240 is configured to send third indication information indicating the connection recovery method selection indication;
[0535] The fourth determining module 250 is configured to determine the connection recovery method selection indication based on the communication protocol.
[0536] In one embodiment, the third sending module 240 is specifically configured as one of the following:
[0537] Send a Radio Resource Control (RRC) message carrying the third indication information;
[0538] Send a broadcast message carrying the third instruction information.
[0539] In one embodiment, the device 200 includes:
[0540] The fourth sending module 260 is configured to, in response to the base station being the anchor base station of the terminal, send indication information to the non-anchor base station of the terminal indicating whether the terminal should send the current connection restoration request using the first security method.
[0541] In an exemplary embodiment, the first determining module 110, the first receiving module 120, the verification module 130, the first sending module 140, the second receiving module 150, the second determining module 160, the third determining module 210, the second sending module 220, the third receiving module 230, the third sending module 240, the fourth determining module 250, and the fourth sending module 260 may be implemented by one or more central processing units (CPUs), graphics processing units (GPUs), baseband processors (BPs), application-specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic components to perform the aforementioned method.
[0542] Figure 10 This is a block diagram illustrating a connection restoration device 3000 according to an exemplary embodiment. For example, device 3000 may be a mobile phone, computer, digital broadcasting terminal, messaging device, game console, tablet device, medical device, fitness equipment, personal digital assistant, etc.
[0543] Reference Figure 10 The device 3000 may include one or more of the following components: processing component 3002, memory 3004, power supply component 3006, multimedia component 3008, audio component 3010, input / output (I / O) interface 3012, sensor component 3014, and communication component 3016.
[0544] Processing component 3002 typically controls the overall operation of device 3000, such as operations associated with display, telephone calls, data communication, camera operation, and recording. Processing component 3002 may include one or more processors 3020 to execute instructions to complete all or part of the steps of the methods described above. Furthermore, processing component 3002 may include one or more modules to facilitate interaction between processing component 3002 and other components. For example, processing component 3002 may include a multimedia module to facilitate interaction between multimedia component 3008 and processing component 3002.
[0545] Memory 3004 is configured to store various types of data to support the operation of device 3000. Examples of this data include instructions for any application or method operating on device 3000, contact data, phonebook data, messages, pictures, videos, etc. Memory 3004 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.
[0546] Power supply component 3006 provides power to various components of device 3000. Power supply component 3006 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power to device 3000.
[0547] Multimedia component 3008 includes a screen that provides an output interface between device 3000 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touchscreen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundaries of touch or swipe actions but also the duration and pressure associated with the touch or swipe operation. In some embodiments, multimedia component 3008 includes a front-facing camera and / or a rear-facing camera. When device 3000 is in an operating mode, such as a shooting mode or a video mode, the front-facing camera and / or rear-facing camera may receive external multimedia data. Each front-facing camera and rear-facing camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
[0548] Audio component 3010 is configured to output and / or input audio signals. For example, audio component 3010 includes a microphone (MIC) configured to receive external audio signals when device 3000 is in an operating mode, such as call mode, recording mode, and voice recognition mode. The received audio signals may be further stored in memory 3004 or transmitted via communication component 3016. In some embodiments, audio component 3010 also includes a speaker for outputting audio signals.
[0549] I / O interface 3012 provides an interface between processing component 3002 and peripheral interface modules, such as keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to, home buttons, volume buttons, start buttons, and lock buttons.
[0550] Sensor assembly 3014 includes one or more sensors for providing state assessments of various aspects of device 3000. For example, sensor assembly 3014 may detect the on / off state of device 3000, the relative positioning of components such as the display and keypad of device 3000, changes in the position of device 3000 or a component of device 3000, the presence or absence of user contact with device 3000, the orientation or acceleration / deceleration of device 3000, and temperature changes of device 3000. Sensor assembly 3014 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. Sensor assembly 3014 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, sensor assembly 3014 may also include an accelerometer, a gyroscope, a magnetometer, a pressure sensor, or a temperature sensor.
[0551] Communication component 3016 is configured to facilitate wired or wireless communication between device 3000 and other devices. Device 3000 can access wireless networks based on communication standards, such as Wi-Fi, 2G, or 3G, or combinations thereof. In one exemplary embodiment, communication component 3016 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 3016 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
[0552] In an exemplary embodiment, the apparatus 3000 may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components to perform the methods described above.
[0553] In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, such as a memory 3004 including instructions, which can be executed by a processor 3020 of the device 3000 to perform the above-described method. For example, the non-transitory computer-readable storage medium may be a ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, and optical data storage device, etc.
[0554] Other embodiments of the invention will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the embodiments of the invention that follow the general principles of the embodiments of the invention and include common knowledge or customary techniques in the art not disclosed in this disclosure. The specification and embodiments are to be considered exemplary only, and the true scope and spirit of the embodiments of the invention are indicated by the following claims.
[0555] It should be understood that the embodiments of the present invention are not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from their scope. The scope of the embodiments of the present invention is limited only by the appended claims.
Claims
1. A connection restoration method, wherein, Applied to a terminal, the method includes: Based on the connection recovery method selection indication, determine whether to send the current connection recovery request using the first security method; When the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request; wherein, in response to receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N; in response to not receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is a predetermined initial value; wherein, the terminal number includes: the COUNT number of the Packet Data Convergence Protocol (PDCP); When the second security method is used to send the current connection recovery request, the parameters of the current connection recovery request are the same as those of the historical connection recovery request; Specifically, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method; the method for determining the terminal number of the first security method is different from the method for determining the terminal number of the second security method; the method for determining the context of the first security method is different from the method for determining the context of the second security method; and the method for determining the terminal security key of the first security method is different from the method for determining the terminal security key of the second security method.
2. The method according to claim 1, wherein, When the current connection recovery request is sent using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
3. The method according to claim 2, wherein, The method further includes: Receive first indication information, wherein the first indication information indicates the first output parameter and / or the second input parameter.
4. The method according to claim 3, wherein, The method further includes: Perform security verification on the first indication information; In response to the failure of security verification of the first indication information, the first indication information is ignored; In response to the successful security verification of the first indication information, the first output parameter and / or the second input parameter indicated by the first indication information are used.
5. The method according to claim 1, wherein, When the current connection recovery request is sent using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
6. The method according to claim 5, wherein, The terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
7. The method according to claim 1, wherein, When the current connection restoration request is sent using the first security method, the terminal security key is determined by the terminal.
8. The method according to claim 7, wherein, The method further includes: Send a second indication message indicating the terminal security key.
9. The method according to any one of claims 1 to 8, wherein, When the current connection recovery request is sent using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
10. The method according to claim 9, wherein, The terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
11. The method according to any one of claims 1 to 8, wherein, The method includes one of the following: Receive third indication information indicating the connection restoration method selection indication; Based on the communication protocol, the connection restoration method selection indication is determined.
12. The method according to claim 11, wherein, The third indication information received, indicating the recovery mode selection, includes one of the following: Receive a Radio Resource Control (RRC) message carrying the third indication information; Receive a broadcast message carrying the third instruction information.
13. A connection restoration method, wherein, Applied to a base station, the method includes: Based on the connection recovery method selection indication, determine whether the terminal should send the current connection recovery request using the first security method; When the terminal sends a current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request; wherein, in response to receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N; in response to not receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is a predetermined initial value; wherein, the terminal number includes: the COUNT number of the Packet Data Convergence Protocol (PDCP); When the terminal sends a current connection recovery request using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request; Specifically, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method; the method for determining the terminal number of the first security method is different from the method for determining the terminal number of the second security method; the method for determining the context of the first security method is different from the method for determining the context of the second security method; and the method for determining the terminal security key of the first security method is different from the method for determining the terminal security key of the second security method.
14. The method according to claim 13, wherein, When the terminal sends the current connection recovery request using the first security method, the first input parameter used to determine the terminal verification identifier of the current connection recovery request is different from the second input parameter used to determine the terminal verification identifier of the historical connection recovery request.
15. The method according to claim 14, wherein, The method further includes: Send a first indication message, wherein the first indication message indicates the first output parameter and / or the second input parameter.
16. The method according to claim 13, wherein, When the terminal sends the current connection recovery request using the first security method, the context corresponding to the current connection recovery request is determined based on the context corresponding to the historical connection recovery request, wherein the context corresponding to the historical connection recovery request is different from the context corresponding to the current connection recovery request.
17. The method according to claim 16, wherein, The terminal security key in the context corresponding to the current connection recovery request is determined based on the terminal security key in the context corresponding to the historical connection recovery request, and / or the next hop NH, and / or the next hop chain counter NCC.
18. The method according to claim 13, wherein, When the terminal sends the current connection restoration request using the first security method, the terminal security key is determined by the terminal.
19. The method according to claim 18, wherein, The method further includes: Receive second indication information indicating the terminal security key.
20. The method according to any one of claims 13 to 19, wherein, When the terminal sends the current connection recovery request using the first security method, at least the terminal verification identifier of the current connection recovery request is different from the terminal verification identifier of the historical connection recovery request.
21. The method according to claim 20, wherein, The terminal verification identifier includes all or part of the Integrity Message Verification Code (MAC-I).
22. The method according to any one of claims 13 to 19, wherein, The method includes one of the following: Send a third indication message indicating the connection restoration method selection indication; Based on the communication protocol, the connection restoration method selection indication is determined.
23. The method according to claim 22, wherein, The third indication information sent to indicate the recovery mode selection includes one of the following: Send a Radio Resource Control (RRC) message carrying the third indication information; Send a broadcast message carrying the third instruction information.
24. The method according to any one of claims 13 to 19, wherein, The method includes: in response to the base station being an anchor base station of the terminal, sending indication information to a non-anchor base station of the terminal indicating whether the terminal should send the current connection recovery request using the first security method.
25. A connection restoration device, wherein, Applied to a terminal, the device includes: The first determining module is configured to determine whether to send the current connection recovery request using the first security method based on the connection recovery method selection indication; When the current connection recovery request is sent using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request; wherein, in response to receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N; in response to not receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is a predetermined initial value; wherein, the terminal number includes: the COUNT number of the Packet Data Convergence Protocol (PDCP); When the second security method is used to send the current connection recovery request, the parameters of the current connection recovery request are the same as those of the historical connection recovery request; Specifically, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method; the method for determining the terminal number of the first security method is different from the method for determining the terminal number of the second security method; the method for determining the context of the first security method is different from the method for determining the context of the second security method; and the method for determining the terminal security key of the first security method is different from the method for determining the terminal security key of the second security method.
26. A connection restoration device, wherein, Applied to a base station, the device includes: The third determining module is configured to determine, based on the connection recovery method selection indication, whether the terminal uses the first security method to send the current connection recovery request. When the terminal sends a current connection recovery request using the first security method, the terminal number corresponding to the current connection recovery request is different from the terminal number corresponding to the historical connection recovery request; wherein, in response to receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is the sum of the terminal number corresponding to the historical connection recovery request and N; in response to not receiving feedback information for the historical connection recovery request, the terminal number corresponding to the current connection recovery request is a predetermined initial value; wherein, the terminal number includes: the COUNT number of the Packet Data Convergence Protocol (PDCP); When the terminal sends a current connection recovery request using the second security method, the parameters of the current connection recovery request are the same as those of the historical connection recovery request; Specifically, the method for determining the terminal verification identifier of the first security method is different from the method for determining the terminal verification identifier of the second security method; the method for determining the terminal number of the first security method is different from the method for determining the terminal number of the second security method; the method for determining the context of the first security method is different from the method for determining the context of the second security method; and the method for determining the terminal security key of the first security method is different from the method for determining the terminal security key of the second security method.
27. A communication device apparatus, comprising a processor, a memory, and an executable program stored in the memory and executable by the processor, wherein, When the processor runs the executable program, it performs the steps of the connection restoration method as described in any one of claims 1 to 12 or 13 to 24.
28. A storage medium having an executable program stored thereon, wherein, When the executable program is executed by a processor, it implements the steps of the connection restoration method as described in any one of claims 1 to 12 or 13 to 24.