Communication network device and method for secure communication of awareness information
By designing a communication network device that integrates wireless power supply, passive and active cellular base stations, and combining 3GPP and non-3GPP standard cryptographic algorithms, the security and coverage issues of sensing information communication are solved, achieving low-power and widely applicable secure communication.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
- Filing Date: 2026-04-15
- Publication Date: 2026-06-19
Abstract figure: CN122028041B_ABST
Description
Technical Field
[0001] This invention relates to the field of 5G-A / 6G cellular mobile communication, and in particular to a communication network device and a method for secure communication of sensing information.
Background Technology
[0002] Currently, the industry's methods for communicating sensing information fall mainly into three categories, wired, active wireless and passive wireless, as shown in Figure 1.
[0003] The advantage of wired scenarios is that the physical isolation of the wired channel gives high security and there is no power-supply problem. The disadvantages are equally obvious: the wired connection severely limits the application scenarios, and cost rises sharply with scale.
[0004] The advantage of active wireless scenarios is that wireless communication is free of wiring constraints and offers communication distances and coverage on the order of kilometres, which makes it the most widely used approach. The disadvantages are that the openness of the wireless channel brings significant security risks, and that such devices are very sensitive to power consumption.
[0005] The advantages of passive wireless scenarios are that the wireless link is free of wiring constraints, communication distance and coverage reach hundreds of metres, and the devices can harvest small amounts of energy from electromagnetic signals, freeing them from power-supply constraints; the breadth of applicable scenarios lies between the wired and active wireless cases. The disadvantages are that the openness of the wireless channel brings significant security risks, and that the energy harvested from electromagnetic signals is insufficient to support high-frequency communication.
[0006] It can be seen that each of the current mainstream methods for communicating sensing information has its own advantages and disadvantages, and that a multifunctional secure communication method for sensing information that combines the advantages of the various methods while avoiding their respective disadvantages is lacking.
Summary of the Invention
[0007] This application provides a communication network device and a secure communication method for sensing information to solve the problems in the background art.
[0008] Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part from practice of this application.
[0009] According to a first aspect of the embodiments of this application, a communication network device is provided, including an integrated base station and an integrated core network interconnected with it;
[0010] The integrated base station includes a wirelessly powered base station unit, a passive cellular base station unit, and an active cellular base station unit. The wirelessly powered base station unit provides wireless charging for passive cellular sensing devices and indirectly charges active sensing devices via the passive cellular sensing devices. The passive cellular base station unit provides communication functionality for passive cellular sensing devices and provides activation / wake-up commands to active cellular sensing devices via the passive cellular sensing devices. The active cellular base station unit provides secure communication functionality for active cellular sensing devices.
[0011] The integrated core network includes user plane network elements, user plane security enhancement function units, control plane network elements, control plane security enhancement function units, network management units, and security management units. Specifically, the user plane network elements provide standard 3GPP functions; the user plane security enhancement function units provide security protection for end-to-end transmission of service data; the control plane network elements provide standard 3GPP functions; the control plane security enhancement function units provide enhanced master authentication and authorization based on non-3GPP standard cryptographic algorithms, dedicated secondary authentication, and NAS signaling encryption protection based on non-3GPP standard cryptographic algorithms; the network management unit provides network management functions and coordination control functions between active and passive cellular communication; and the security management unit provides initial installation of security resources and configuration of security policies.
[0012] According to one embodiment of this application, the active cellular base station unit supports the air interface user plane data protection algorithms of the 3GPP standard security mechanism, including the null algorithm (no protection); it additionally supports a negotiation mechanism covering both non-3GPP standard cryptographic algorithms and the standard air interface user plane protection algorithms, and extends the algorithm identifier space to indicate non-3GPP standard algorithms.
[0013] According to a second aspect of the embodiments of this application, a method for secure communication of sensing information is provided, implemented based on the communication network device described in the first aspect, specifically including:
[0014] Initial security resource installation: The security management unit pre-configures all necessary security resources, security parameters, and security policies, and the security management unit completes the initial security resource installation for the user plane security enhancement function unit, the control plane security enhancement function unit, and the active cellular base station unit.
[0015] Secure network access and attachment: The network access and attachment process is triggered according to the type of cellular sensing device. In the network access and attachment process, an authentication vector is generated according to the policy to complete the main authentication and authorization.
[0016] Secure transmission of business data: The cellular sensing device acquires sensing information and initiates transmission with the integrated base station; the integrated base station selects the corresponding cellular base station unit according to the type of cellular sensing device to complete the encryption and decryption of uplink and downlink data.
[0017] According to one embodiment of this application, the initial installation of security resources by the security management unit for the user plane security enhancement function unit, the control plane security enhancement function unit, and the active cellular base station unit specifically includes:
[0018] The security management unit adds the necessary security resources, security parameters, and security policies to the control plane security enhancement functions.
[0019] The security management unit adds the necessary security resources, security parameters, and security policies to the user plane security enhancement functions.
[0020] The security management unit adds the necessary security resources, security parameters, and security policies to the active cellular base station unit.
[0021] According to one embodiment of this application, the secure network access attachment includes performing a network access attachment process for an active cellular sensing device using a standard strategy, specifically including:
[0022] The authentication vector is directly generated by the control plane network element based on the AES algorithm of the 3GPP standard.
[0023] After the active cellular sensing device completes the identity authentication of the network it is accessing according to the AES algorithm of the 3GPP standard, it returns an authentication response;
[0024] The authentication response is verified by the control plane network elements;
[0025] After verification, the network access and attachment are completed.
[0026] According to one embodiment of this application, the secure network access attachment includes performing a network access attachment process for an active cellular sensing device using an enhanced strategy, specifically including:
[0027] The authentication vector is generated by the control plane security enhancement function unit based on a non-3GPP standard cryptographic algorithm, and the algorithm identifier is encrypted and embedded in the authentication vector.
[0028] After the active cellular sensing device completes the identity authentication of the accessed network according to the algorithm indicated by the algorithm identifier, it returns an authentication response;
[0029] The authentication response is verified by the control plane security enhancement function unit;
[0030] After verification, the network access and attachment are completed.
[0031] According to one embodiment of this application, the secure network access attachment includes performing a network access attachment process for a passive cellular sensing device using a standard strategy, specifically including:
[0032] The authentication vector is directly generated by the control plane network element based on the AES algorithm of the 3GPP standard and transmitted to the passive cellular sensing device.
[0033] Passive cellular sensing devices return authentication responses according to the AES algorithm of the 3GPP standard;
[0034] The authentication response is verified by the control plane network elements;
[0035] After verification, the network access and attachment are completed.
[0036] According to one embodiment of this application, the secure network access attachment includes performing a network access attachment process for a passive cellular sensing device using an enhanced strategy, specifically including:
[0037] The authentication vector is generated by the control plane security enhancement function unit based on a non-3GPP standard cryptographic algorithm, and the algorithm identifier is encrypted and embedded in the authentication vector.
[0038] The passive cellular sensing device returns an authentication response according to the algorithm indicated by the algorithm identifier;
[0039] The authentication response is verified by the control plane security enhancement function unit;
[0040] After verification, the network access and attachment are completed.
[0041] According to one embodiment of this application, the data transmission process of the active cellular sensing device in the secure transmission of service data includes:
[0042] A passive cellular sensing device wakes up an active cellular sensing device, which then begins to acquire sensing information or receive instruction information.
[0043] The 3GPP-based SMC (security mode command) negotiation procedure is extended so that the algorithm identifier determines whether the null algorithm, a 3GPP standard algorithm, or a non-3GPP standard cryptographic algorithm is negotiated. If the negotiated result is the null algorithm, no security protection is applied afterwards; if it is a 3GPP standard algorithm, the AES algorithm specified by the 3GPP standard is used for subsequent protection; if it is a non-3GPP standard cryptographic algorithm, that algorithm is used for subsequent protection.
[0044] During uplink transmission, active cellular sensing devices initiate sensing information transmission; during downlink transmission, integrated base station devices initiate command information transmission.
[0045] The integrated base station uses a negotiated algorithm to perform channel encryption processing on downlink air interface data and channel decryption processing on uplink air interface data;
[0046] The user plane security enhancement function unit of the integrated core network uses non-3GPP standard cryptographic algorithms to perform source encryption processing on downlink application data;
[0047] The user plane security enhancement function unit of the integrated core network uses non-3GPP standard cryptographic algorithms to decrypt uplink application data, applies zero-trust and access-control mechanisms to determine the type, flow and permissions of the service data, blocks illegitimate service data, and aggregates and forwards legitimate service data.
[0048] According to one embodiment of this application, the data transmission process of the passive cellular sensing device in the secure transmission of service data includes:
[0049] Trigger passive cellular sensing devices to acquire sensing information;
[0050] The algorithm strategy for subsequent NAS signaling protection is determined from the master authentication algorithm strategy, i.e. the null algorithm, a 3GPP standard algorithm, or a non-3GPP standard cryptographic algorithm.
[0051] Passive cellular sensing devices initiate the transmission of sensing information;
[0052] The integrated base station uses the selected algorithm to encrypt the downlink NAS signaling and decrypt the uplink NAS signaling;
[0053] The user plane security enhancement function unit of the integrated core network uses non-3GPP standard cryptographic algorithms to perform source encryption processing on downlink application data;
[0054] The user plane security enhancement function unit of the integrated core network uses non-3GPP standard cryptographic algorithms to perform source decryption processing on uplink application data.
[0055] Compared with existing technologies, the beneficial effects of adopting the above technical solution are as follows: while remaining compatible with standards and the industrial chain, the present invention combines the advantages of low power consumption, medium- and long-range coverage, and secure communication. It is suitable for active cellular communication, passive cellular communication and other scenarios, can be widely used in various application scenarios, and meets the high security requirements of key industries.
Description of the Drawings
[0056] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.
[0057] Figure 1 is a schematic diagram of existing methods for communicating sensing information.
[0058] Figure 2 is a schematic diagram of the composition of the communication network device according to an embodiment of this application.
[0059] Figure 3 is a schematic diagram of a wide-area coverage scenario according to an embodiment of this application.
[0060] Figure 4 is a schematic diagram of a local coverage scenario according to an embodiment of this application.
[0061] Figure 5 is a schematic diagram of a mobile application scenario according to an embodiment of this application.
Detailed Description of Embodiments
[0062] The embodiments of this application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar modules or modules having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain this application, and should not be construed as limiting this application. Rather, the embodiments of this application include all variations, modifications, and equivalents falling within the spirit and scope of the appended claims.
[0063] To address the shortcomings of existing technologies, embodiments of this application provide a communication network device and a secure communication method for sensing information. While maintaining compatibility with standards and the industry chain, it also takes into account the advantages of low power consumption, medium-to-long-range coverage, and secure communication. It is applicable to active cellular communication, passive cellular communication, and other scenarios, and can be widely used in various application scenarios, while meeting the high security requirements of key industries.
[0064] The communication network device proposed in this application can be applied to wide-area coverage scenarios, local-area coverage scenarios and mobile application scenarios, providing secure communication capabilities for the comprehensive networking of personnel, equipment, materials, facilities and environment. Referring to Figure 2, the communication network device consists mainly of two parts: an integrated base station and an integrated core network. In practice these two parts can be deployed centrally, remotely, or independently in conjunction with third-party base stations and core networks.
[0065] Specifically, the integrated base station mainly includes a wirelessly powered base station unit, a passive cellular base station unit, and an active cellular base station unit. The wirelessly powered base station unit provides wireless charging for passive cellular sensing devices and indirectly charges traditional active IoT sensing devices through these passive cellular sensing devices. The passive cellular base station unit provides communication functions for passive cellular sensing devices such as AIoT and RFID, and provides activation / wake-up commands to active cellular sensing devices through these passive cellular sensing devices. The active cellular base station unit mainly provides secure communication functions for active cellular sensing devices such as NB-IoT and RedCap. In this embodiment, in addition to supporting the 3GPP standard communication mechanisms, the active cellular base station unit also supports activating active cellular communication through passive cellular signals, thereby indirectly acting as a low-power paging signal. Furthermore, besides supporting the air interface user plane data protection algorithms or null algorithms supported by the 3GPP standard security mechanisms, it also supports negotiation mechanisms based on non-3GPP standard cryptographic algorithms and standard-based air interface user plane protection algorithms, extending the non-3GPP algorithm identifier to indicate non-3GPP standard algorithms.
[0066] In this embodiment, the non-3GPP standard cryptographic algorithms mainly include domestically developed commercial cryptographic algorithms and dedicated cryptographic algorithms, hereinafter referred to as domestic / dedicated cryptographic algorithms. Dedicated cryptographic algorithms refer to special cryptographic algorithms specific to a particular industry. It should be noted that these cryptographic algorithms are existing cryptographic algorithms known to those skilled in the art, and the algorithms themselves are not the focus of this application; therefore, they will not be described in detail here.
[0067] Furthermore, the integrated core network is primarily used to provide unified security enhancement core network control functions for both active and passive cellular IoT. This integrated core network includes user plane network elements, user plane security enhancement function units, control plane network elements, control plane security enhancement function units, network management units, and security management units. Specifically, user plane network elements provide standard 3GPP functions. User plane security enhancement function units provide security protection functions for end-to-end transmission of service data, including source encryption, access control, and zero-trust functions. Control plane network elements provide standard 3GPP functions. Control plane security enhancement function units provide additional security enhancement functions conforming to 3GPP standard procedures and protocols, including enhanced master authentication based on domestic / dedicated cryptographic algorithms, dedicated secondary authentication, and NAS signaling encryption protection functions based on domestic / dedicated cryptographic algorithms. The network management unit provides network management functions and coordination control functions between active and passive cellular communication. The security management unit provides initial installation of security resources and configuration of security policies.
[0068] Based on the aforementioned communication network device, this embodiment also proposes a method for secure communication of sensing information, specifically including:
[0069] S100, Initial Security Resource Installation: Pre-configure all necessary security resources, security parameters, and security policies for the security management unit, and complete the initial security resource installation for the user plane security enhancement function unit, the control plane security enhancement function unit, and the active cellular base station unit.
[0070] In this embodiment, all security resources, security parameters and security policies for the security enhancement functions beyond those specified in the 3GPP standard are pre-configured in the security management unit of the integrated core network. Note that only the resources, parameters and policies relating to the additional security enhancement algorithms are pre-configured here; the base station and core network already provide the standard 3GPP functions.
[0071] Then, the security management unit adds the necessary security resources, security parameters, and security policies to the control plane security enhancement function. The security management unit also adds the necessary security resources, security parameters, and security policies to the user plane security enhancement function unit. Finally, the security management unit adds the necessary security resources, security parameters, and security policies to the active cellular base station unit.
[0072] At this point, the initial installation of security resources is complete.
[0073] S200, Secure Network Access and Attachment: Trigger the network access and attachment process according to the type of cellular sensing device. In the network access and attachment process, generate an authentication vector according to the policy to complete the main authentication and authorization.
[0074] In this embodiment, secure network access attachment is divided into two parts: active cellular sensing device and passive cellular sensing device network access attachment.
[0075] For active cellular sensing devices, the network access and attachment process depends on the strategy employed.
[0076] If the standard strategy is adopted, the network access attachment process follows the standard 3GPP procedure: First, the control plane network element directly generates the authentication vector based on the 3GPP standard AES algorithm; then, after the active cellular sensing device completes the identity authentication of the network to be accessed according to the 3GPP standard AES algorithm, it returns an authentication response; next, the control plane network element verifies the authentication response; finally, after the verification is completed, the network access attachment is completed.
[0077] If the enhanced strategy is adopted, the network access attachment process is an enhanced procedure compatible with the 3GPP standard procedure: first, the control plane security enhancement function unit generates an authentication vector based on a domestic / dedicated cryptographic algorithm and embeds the algorithm identifier in the authentication vector in encrypted form; then the active cellular sensing device authenticates the network to be accessed using the algorithm indicated by the identifier and returns an authentication response; next, the control plane security enhancement function unit verifies the authentication response; finally, once verification succeeds, network access attachment is complete. In one embodiment the algorithm identifier indicates which algorithm is in use: for example, 0 denotes the null algorithm, 1 to 3 denote the standard (foreign) 3GPP algorithms (in 5G these identifier slots hold SNOW 3G, AES and ZUC, as NEA1/NIA1 to NEA3/NIA3), and 4 and above denote extended algorithms such as domestic cryptographic algorithms and dedicated cryptographic algorithms.
[0078] For passive cellular sensing devices, the network access and attachment process is also related to the strategy adopted.
[0079] If the standard strategy is adopted, the network access attachment process follows the standard 3GPP procedure: First, the control plane network element directly generates the authentication vector based on the 3GPP standard AES algorithm and transmits it to the passive cellular sensing device; then, the passive cellular sensing device returns the authentication response according to the 3GPP standard AES algorithm; next, the control plane network element verifies the authentication response; finally, after the verification is completed, the network access attachment is completed.
[0080] If an enhanced strategy is adopted, the network access attachment process is an enhanced process compatible with the 3GPP standard procedure: First, the control plane security enhancement function unit generates an authentication vector based on a domestic / dedicated cryptographic algorithm and encrypts and embeds an algorithm identifier in the authentication vector; then, the passive cellular sensing device returns an authentication response according to the algorithm indicated by the algorithm identifier; next, the control plane security enhancement function unit completes the verification of the authentication response; finally, after the verification is completed, the network access attachment is completed.
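The attach procedures in [0075] to [0080] (and their summary in [0021] to [0040]) differ only in which unit generates the authentication vector and which algorithm the embedded identifier names. The following Python model is added here as an illustration and is not code from the patent or its assignee. It plays both strategies through one network-side class and one device-side class. Everything concrete is an assumption: the identifier values 2 (3GPP standard) and 4 (extended), HMAC-SHA256 standing in for MILENAGE and for the domestic / dedicated algorithm, the "boot-ak" / "boot-mac" labels used to mask the identifier and to authenticate the vector, the eight-byte RES length, and the sample key. The point it makes beyond the text is the check a practitioner would want: the masked identifier must be covered by the authentication MAC (as the MAC in AUTN covers SQN, RAND and AMF in 3GPP AKA), otherwise an on-path attacker can flip it to the null or a weaker class before the device chooses the algorithm for its response.

```python
import hmac
import hashlib
import secrets

# Identifier classes from the page: 0 null, 1-3 3GPP standard, 4 and up extended
# (domestic / dedicated). The concrete values 2 and 4 are assumptions.
ALG_NULL, ALG_3GPP_STD, ALG_EXTENDED = 0, 2, 4


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in keyed function (HMAC-SHA256 over length-prefixed inputs).
    A real deployment dispatches to MILENAGE or the domestic algorithm; the
    label keeps outputs for different purposes independent of each other."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def res_for(alg_id: int, k: bytes, rand: bytes) -> bytes:
    """Authentication response 'according to the algorithm indicated by the
    identifier', modelled by domain separation on alg_id."""
    if alg_id == ALG_NULL:
        raise PermissionError("null algorithm is not valid for authentication")
    return prf(k, b"res" + bytes([alg_id]), rand)[:8]


class ControlPlaneSEF:
    """Network side. policy_alg_id in 1-3 models the standard strategy
    (control plane NE); 4 and above models the enhanced strategy (SEF unit)."""

    def __init__(self, subscriber_keys: dict, policy_alg_id: int):
        self.keys = subscriber_keys            # device id -> long-term key K
        self.policy_alg_id = policy_alg_id     # installed by the security management unit
        self.pending = {}                      # device id -> expected response

    def generate_av(self, dev_id: str) -> dict:
        k = self.keys[dev_id]
        rand = secrets.token_bytes(16)
        # Identifier travels masked (anonymity-key style), so the algorithm
        # class in use is not readable on the air interface.
        ak = prf(k, b"boot-ak", rand)[0]
        enc_alg = self.policy_alg_id ^ ak
        # The MAC covers RAND and the masked identifier: changing the
        # identifier on the wire is detected before the device acts on it.
        mac = prf(k, b"boot-mac", rand, bytes([enc_alg]))[:8]
        self.pending[dev_id] = res_for(self.policy_alg_id, k, rand)
        return {"rand": rand, "enc_alg": enc_alg, "mac": mac}

    def verify_response(self, dev_id: str, res: bytes) -> bool:
        xres = self.pending.pop(dev_id, None)
        return xres is not None and hmac.compare_digest(xres, res)


class SensingDevice:
    """Device side (active or passive; the flow is the same in the text)."""

    def __init__(self, dev_id: str, k: bytes, supported: set):
        self.dev_id, self.k, self.supported = dev_id, k, supported

    def authenticate(self, av: dict) -> bytes:
        rand, enc_alg = av["rand"], av["enc_alg"]
        mac = prf(self.k, b"boot-mac", rand, bytes([enc_alg]))[:8]
        if not hmac.compare_digest(mac, av["mac"]):
            raise PermissionError("network authentication failed: MAC mismatch")
        alg_id = enc_alg ^ prf(self.k, b"boot-ak", rand)[0]
        if alg_id not in self.supported:
            raise PermissionError(f"algorithm identifier {alg_id} not allowed by device policy")
        return res_for(alg_id, self.k, rand)


def run_attach(policy_alg_id: int, device_supported: set, tamper: bool = False) -> str:
    """One attach: returns 'attached', 'rejected by device: ...' or 'rejected by network'."""
    k = bytes(range(16))                                   # constructed test key
    net = ControlPlaneSEF({"dev-1": k}, policy_alg_id)
    dev = SensingDevice("dev-1", k, device_supported)
    av = net.generate_av("dev-1")
    if tamper:
        av["enc_alg"] ^= 0x04   # on-path attacker tries to change the algorithm class
    try:
        res = dev.authenticate(av)
    except PermissionError as exc:
        return f"rejected by device: {exc}"
    return "attached" if net.verify_response("dev-1", res) else "rejected by network"
```

`run_attach(ALG_3GPP_STD, {ALG_3GPP_STD})` is the standard strategy and `run_attach(ALG_EXTENDED, {ALG_3GPP_STD, ALG_EXTENDED})` the enhanced one; both return "attached". A device whose installed policy does not list the identifier the network chose refuses before computing a response, and with `tamper=True` the device stops at the MAC check rather than silently decoding a different identifier.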
[0081] S300, Secure Transmission of Service Data: The cellular sensing device acquires sensing information and initiates transmission with the integrated base station; the integrated base station selects the corresponding cellular base station unit according to the type of cellular sensing device to complete the encryption and decryption of uplink and downlink data.
[0082] Similarly, in this embodiment the procedure for secure transmission of service data also depends on the type of cellular sensing device.
[0083] Specifically, for active cellular sensing devices, the secure transmission process of their service data includes:
[0084] S311. The passive cellular sensing device wakes up the active cellular sensing device, and the active cellular sensing device begins to acquire sensing information or receive instruction information.
[0085] S312. The 3GPP-based SMC negotiation procedure is extended so that the algorithm identifier determines whether the null algorithm, a 3GPP standard algorithm, or a domestic / dedicated cryptographic algorithm is negotiated. If the negotiated result is the null algorithm, no security protection is applied afterwards; if it is a 3GPP standard algorithm, the AES algorithm specified by the 3GPP standard is used for subsequent protection; if it is a domestic / dedicated cryptographic algorithm, that algorithm is used for subsequent protection.
[0086] S313. When transmitting uplink services, the active cellular sensing device initiates sensing information transmission; when transmitting downlink services, the integrated base station device initiates command information transmission.
[0087] S314. The integrated base station uses a negotiated algorithm to perform channel encryption processing on downlink air interface data and channel decryption processing on uplink air interface data.
[0088] S315. The user plane security enhancement function unit of the integrated core network uses domestic / dedicated cryptographic algorithms to perform source encryption processing on downlink application data;
[0089] S316. The user plane security enhancement function unit of the integrated core network uses domestic / dedicated cryptographic algorithms to decrypt uplink application data, applies zero-trust and access-control mechanisms to determine the type, flow and permissions of the service data, blocks illegitimate service data, and aggregates and forwards legitimate service data.
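Steps S312 to S316 describe two layers of protection: a channel layer on the air interface, whose algorithm is chosen by the extended SMC negotiation and may be the null algorithm, and a source layer between the device and the user plane security enhancement function unit, which the base station never removes. The Python model below is added here and is not code from the patent or its assignee; it runs one uplink record through both layers and then through the access-control check at the core. Assumptions: the identifier values 2 and 4, an HMAC-SHA256 counter-mode keystream standing in for both the 3GPP and the domestic / dedicated algorithm, constructed keys, a constructed policy table, and the `ue_caps_echo` field, which models the 3GPP practice of replaying the UE's security capabilities inside the integrity-protected Security Mode Command so the UE can detect a capability list stripped by a man in the middle. The text does not say how a null negotiation result is policed; the example makes that an explicit policy flag, and it shows that even when the null channel algorithm is selected the base station still cannot read the source-encrypted payload.

```python
import hmac
import hashlib

# Identifier classes from the page: 0 null, 1-3 3GPP standard, 4 and up extended.
# The concrete values 2 and 4 are assumptions for this example.
ALG_NULL, ALG_3GPP_STD, ALG_EXTENDED = 0, 2, 4


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); the same call
    encrypts and decrypts. The real channel / source algorithms are not on the page."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def negotiate(ue_caps: set, gnb_preference: list, allow_null: bool) -> int:
    """Extended SMC selection: first algorithm in the base station's preference
    order that the UE reported; policy may forbid the null algorithm outright."""
    for alg in gnb_preference:
        if alg in ue_caps and (allow_null or alg != ALG_NULL):
            return alg
    raise ValueError("no common algorithm permitted by policy")


def smc_command(k_nas: bytes, selected: int, ue_caps_seen: set) -> dict:
    """Network -> UE: selected identifier plus an echo of the capabilities the
    network received, both under an integrity MAC keyed with the NAS key."""
    echo = sorted(ue_caps_seen)
    mac = hmac.new(k_nas, bytes([selected]) + bytes(echo), hashlib.sha256).digest()[:8]
    return {"selected": selected, "ue_caps_echo": echo, "mac": mac}


def ue_accept_smc(k_nas: bytes, ue_caps: set, cmd: dict) -> int:
    body = bytes([cmd["selected"]]) + bytes(cmd["ue_caps_echo"])
    if not hmac.compare_digest(hmac.new(k_nas, body, hashlib.sha256).digest()[:8], cmd["mac"]):
        raise PermissionError("SMC integrity check failed")
    if cmd["ue_caps_echo"] != sorted(ue_caps):
        raise PermissionError("bidding-down detected: echoed capabilities differ from those sent")
    return cmd["selected"]


def device_uplink(alg: int, k_ch: bytes, k_src: bytes, record: bytes) -> bytes:
    inner = keystream_xor(k_src, b"src", record)                 # source layer (S316 peer)
    return inner if alg == ALG_NULL else keystream_xor(k_ch, b"ch" + bytes([alg]), inner)


def base_station_uplink(alg: int, k_ch: bytes, air_pdu: bytes) -> bytes:
    """S314: strips the channel layer only; the base station holds no k_src."""
    return air_pdu if alg == ALG_NULL else keystream_xor(k_ch, b"ch" + bytes([alg]), air_pdu)


POLICY = {"dev-1": {"temperature", "vibration"}}   # constructed: permitted data types per device


def upsef_uplink(k_src: bytes, dev_id: str, payload: bytes) -> tuple:
    """S316: source decryption, then type / permission check before forwarding."""
    record = keystream_xor(k_src, b"src", payload).decode("ascii", "replace")
    kind, _, _ = record.partition("=")
    return ("forwarded" if kind in POLICY.get(dev_id, set()) else "blocked"), record


def run_uplink(ue_caps: set, record: bytes = b"temperature=21.5",
               allow_null: bool = False, mitm_strip_caps: bool = False) -> dict:
    k_nas, k_ch, k_src = b"nas-key-" * 4, b"ch-key--" * 4, b"src-key-" * 4   # constructed keys
    caps_seen = {ALG_NULL} if mitm_strip_caps else ue_caps    # attacker forwards only 'null'
    try:
        selected = negotiate(caps_seen, [ALG_EXTENDED, ALG_3GPP_STD, ALG_NULL], allow_null)
        alg = ue_accept_smc(k_nas, ue_caps, smc_command(k_nas, selected, caps_seen))
    except (ValueError, PermissionError) as exc:
        return {"verdict": "smc-rejected", "reason": str(exc)}
    air = device_uplink(alg, k_ch, k_src, record)
    at_bs = base_station_uplink(alg, k_ch, air)
    verdict, plain = upsef_uplink(k_src, "dev-1", at_bs)
    return {"alg": alg, "bs_sees_plaintext": at_bs == record, "verdict": verdict, "record": plain}
```

`run_uplink({0, 2, 4})` negotiates identifier 4 and forwards the record; `run_uplink({0}, allow_null=True)` negotiates the null algorithm, and the base station still sees only source ciphertext. A record whose type is not in the device's policy is decrypted and then blocked, and a stripped capability list is rejected at the UE before any data is sent.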
[0090] For passive cellular sensing devices, secure transmission of service data includes:
[0091] S321. Trigger the passive cellular sensing device to acquire sensing information;
[0092] S322. Determine the algorithm strategy for subsequent NAS signaling protection from the master authentication and authorization algorithm strategy, i.e. the null algorithm, a 3GPP standard algorithm, or a domestic / dedicated cryptographic algorithm.
[0093] S323, Passive cellular sensing device initiates sensing information transmission;
[0094] S324. The integrated base station uses the selected algorithm to encrypt the downlink NAS signaling (carrying downlink instruction information) and decrypt the uplink NAS signaling (carrying uplink sensing information).
[0095] S325. The user plane security enhancement function unit of the integrated core network uses domestic / dedicated cryptographic algorithms to perform source encryption processing on downlink application data;
[0096] S326. The user plane security enhancement function unit of the integrated core network uses domestic / dedicated cryptographic algorithms to perform source decryption processing on uplink application data.
[0097] To illustrate the communication network device and the secure communication method for sensing information provided in this application more clearly, they are described further below with reference to Figures 3 to 5.
[0098] Figure 3 illustrates a wide-area coverage scenario, used mainly for applications such as smart logistics and material dispatching. The relevant functional entities are: sensing host devices (active / passive cellular sensing devices), terminal communication modules, integrated base stations (the integrated core network is not used in this scenario), the operator's public core network, and industry applications. The secure communication method is as follows:
[0099] Step A1: The integrated base station completes the initial resource installation, including passive cellular base station units and active cellular base station units;
[0100] Step A2: The operator's public core network provides access authentication and attachment control for the active or passive cellular sensing devices and terminal communication modules in accordance with 3GPP standards, and network access authentication and attachment are completed with standard algorithms;
[0101] Step A3: Industry applications trigger the terminal communication module, via the integrated base station, to collect the sensing information of the host device;
[0102] Step A4-1: In the active case, the terminal communication module applies air interface channel encryption using the algorithm negotiated with the integrated base station, which may be the null algorithm, a 3GPP standard algorithm, or a domestic / dedicated cryptographic algorithm.
[0103] Step A4-2: In the passive case, the terminal communication module protects NAS signaling with the 3GPP standard mechanism, i.e. the null algorithm or a 3GPP standard algorithm.
[0104] Please refer to Figure 4, which illustrates a local coverage scenario, primarily used for smart warehousing and inventory management. The relevant functional entities are: sensing host devices (active / passive cellular sensing devices), terminal communication modules, industry-built integrated base stations, integrated core networks, and industry applications. The specific secure communication method is as follows:
[0105] Step B1: Complete the initial resource installation for the integrated base station and integrated core network;
[0106] Step B2: Set security policies for the terminal communication module and the integrated core network, indicating the use of domestic / dedicated cryptographic algorithms, and complete network access authentication and attachment;
[0107] Step B3: Industry applications trigger the terminal communication module through the integrated base station to collect the sensing information of the host device and issue instruction information;
[0108] Step B4: Set security policies for the terminal communication module, integrated base station, and integrated core network, instructing the use of domestic / dedicated cryptographic algorithms for channel and source encryption protection, and upload the sensing information to industry applications after source and channel encryption based on domestic / dedicated cryptographic algorithms.
[0109] Please refer to Figure 5, which illustrates a mobile application scenario, primarily used for personnel search and rescue, personnel management, and other mobile applications. The relevant functional entities are: a sensing host device, a terminal communication module, an integrated central station (comprising an integrated base station and an integrated core network), and industry applications. The specific secure communication method is as follows:
[0110] Step C1: The integrated central station completes the initial resource installation;
[0111] Step C2: Set security policies for the terminal communication module and the integrated core network, indicating the use of domestic / dedicated cryptographic algorithms, and complete network access authentication and attachment;
[0112] Step C3: The industry application triggers the terminal communication module, through the integrated central station, to collect the sensing information of the host device and issue instruction information;
[0113] Step C4: Set security policies for the terminal communication module and the integrated central station, instructing the use of domestic / dedicated cryptographic algorithms for channel and source encryption protection, and upload the sensing information to industry applications after source and channel encryption based on domestic / dedicated cryptographic algorithms.
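Steps A2, B2 and C2 above differ in who authenticates the device and under which strategy: the standard strategy lets the control plane network element generate the authentication vector with the 3GPP algorithm directly, while the enhanced strategy (set out in claims 3 and 6) has the control plane security enhancement function unit generate the vector with a non-3GPP algorithm and encrypt an algorithm identifier into it, so the device learns which algorithm to authenticate the network with before it replies. The Go program below is an added model of that exchange and is not code from the patent or its assignee. The identifier values, the HMAC-SHA256 and HMAC-SHA512/256 stand-ins for the 3GPP and domestic / dedicated algorithms, the XOR masking of the identifier, the replay check on the sequence number and the demo key are all this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"hash"
)

// AlgID is the algorithm identifier carried, masked, inside the authentication
// vector. The values and the stand-in primitives below are this example's own.
type AlgID byte

const (
	AlgNull      AlgID = 0 // null algorithm: never acceptable for authentication
	Alg3GPP      AlgID = 1 // stand-in for the 3GPP standard (AES-based) functions
	AlgDedicated AlgID = 2 // stand-in for the domestic / dedicated algorithm
)

// AV is the authentication vector delivered to the sensing device.
type AV struct {
	RAND   [16]byte
	SQN    uint64  // freshness counter, checked by the device against replay
	EncAlg byte    // algorithm identifier XOR-masked with a key derived from K and RAND
	MAC    [8]byte // network authentication code under the indicated algorithm
}

// prf keys a MAC with the long-term key k; the identifier selects the primitive
// and nil is returned for an identifier that may not be used for authentication.
func prf(alg AlgID, k []byte, parts ...[]byte) []byte {
	var h func() hash.Hash
	switch alg {
	case Alg3GPP:
		h = sha256.New
	case AlgDedicated:
		h = sha512.New512_256
	default:
		return nil
	}
	m := hmac.New(h, k)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// mask hides the identifier with a fixed baseline primitive, so the device can
// unmask it before it knows which algorithm the network selected.
func mask(k, rnd []byte) byte { return prf(Alg3GPP, k, []byte("alg-mask"), rnd)[0] }

func u64(v uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, v); return b }

// GenerateAV is the control plane security enhancement function unit side:
// policy is the algorithm strategy installed by the security management unit,
// sqn the next fresh sequence number. It returns the vector and XRES.
func GenerateAV(k []byte, policy AlgID, sqn uint64) (AV, []byte, error) {
	av := AV{SQN: sqn}
	if _, err := rand.Read(av.RAND[:]); err != nil {
		return av, nil, err
	}
	av.EncAlg = byte(policy) ^ mask(k, av.RAND[:])
	mac := prf(policy, k, []byte("mac"), av.RAND[:], u64(sqn), []byte{byte(policy)})
	if mac == nil {
		return av, nil, fmt.Errorf("policy algorithm %d not usable for authentication", policy)
	}
	copy(av.MAC[:], mac)
	return av, prf(policy, k, []byte("res"), av.RAND[:]), nil
}

// Respond is the sensing device side: it unmasks the identifier, authenticates
// the network under that algorithm and returns RES plus the algorithm to use
// for subsequent NAS protection. lastSQN is the highest SQN already accepted.
func Respond(k []byte, lastSQN uint64, av AV) ([]byte, AlgID, error) {
	alg := AlgID(av.EncAlg ^ mask(k, av.RAND[:]))
	if av.SQN <= lastSQN {
		return nil, AlgNull, fmt.Errorf("replayed SQN %d", av.SQN)
	}
	mac := prf(alg, k, []byte("mac"), av.RAND[:], u64(av.SQN), []byte{byte(alg)})
	if mac == nil || !hmac.Equal(mac[:8], av.MAC[:]) {
		return nil, AlgNull, fmt.Errorf("network authentication failed")
	}
	return prf(alg, k, []byte("res"), av.RAND[:]), alg, nil
}

// RunAttach executes one enhanced primary authentication under the given policy
// and returns the algorithm the device will use and whether it attached.
func RunAttach(policy AlgID) (AlgID, bool, error) {
	k := []byte("demo-long-term-key-0123456789ab") // constructed, not a real K
	av, xres, err := GenerateAV(k, policy, 1)
	if err != nil {
		return AlgNull, false, err
	}
	res, alg, err := Respond(k, 0, av)
	if err != nil {
		return AlgNull, false, err
	}
	return alg, hmac.Equal(xres, res), nil
}
```

The point the model makes is that the identifier is authenticated as well as hidden: it is mixed into the MAC input, so a stripped or substituted identifier fails network authentication on the device, and a policy naming the null algorithm is refused before any vector is issued.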
[0114] This application proposes a communication network device and a method for secure communication of sensing information. While remaining compatible with existing standards and the industry chain, it combines the advantages of low power consumption, medium and long distance coverage, and secure communication. It is applicable to active cellular communication, passive cellular communication and other scenarios, and can be widely used in various application scenarios while meeting the high security requirements of key industries.
[0115] For those skilled in the art, the specific meanings of the above terms in this invention can be understood according to the specific circumstances; the accompanying drawings in the embodiments are used to clearly and completely describe the technical solutions in the embodiments of this invention. Obviously, the described embodiments are some embodiments of this invention, but not all embodiments. Generally, the components of the embodiments of this invention described and shown in the accompanying drawings can be arranged and designed in various different configurations.
[0116] Although embodiments of this application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting this application. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of this application.
Claims
1. A communication network device, characterized in that it comprises an integrated base station and an integrated core network interconnected with it; the integrated base station includes a wirelessly powered base station unit, a passive cellular base station unit, and an active cellular base station unit, wherein the wirelessly powered base station unit provides wireless charging for passive cellular sensing devices and indirectly charges active sensing devices via the passive cellular sensing devices, the passive cellular base station unit provides communication functionality for passive cellular sensing devices and delivers activation / wake-up commands to active cellular sensing devices via the passive cellular sensing devices, and the active cellular base station unit provides secure communication functionality for active cellular sensing devices; the integrated core network includes user plane network elements, user plane security enhancement function units, control plane network elements, control plane security enhancement function units, a network management unit, and a security management unit, wherein the user plane network elements provide standard 3GPP functions; the user plane security enhancement function units provide security protection for end-to-end transmission of service data; the control plane network elements provide standard 3GPP functions; the control plane security enhancement function units provide enhanced primary authentication and authorization based on non-3GPP standard cryptographic algorithms, dedicated secondary authentication, and NAS signaling encryption protection based on non-3GPP standard cryptographic algorithms; the network management unit provides network management functions and coordination control between active and passive cellular communication; and the security management unit provides initial installation of security resources and configuration of security policies.
2. The communication network device according to claim 1, characterized in that the active cellular base station unit supports the air interface user plane data protection algorithms and the null algorithm of the 3GPP standard security mechanism, supports a negotiation mechanism covering both non-3GPP standard cryptographic algorithms and 3GPP standard air interface user plane protection algorithms, and extends the algorithm identifier space so that non-3GPP standard algorithms can be indicated.
3. A method for secure communication of sensing information based on the communication network device according to any one of claims 1 to 2, characterized in that it includes: Initial security resource installation: the security management unit pre-configures all necessary security resources, security parameters, and security policies, and completes the initial security resource installation for the user plane security enhancement function unit, the control plane security enhancement function unit, and the active cellular base station unit. Secure network access and attachment: the network access and attachment process is triggered according to the type of cellular sensing device; during this process an authentication vector is generated according to the policy to complete the primary authentication and authorization. The secure network access and attachment process includes executing the network access and attachment process of active cellular sensing devices using the standard strategy, specifically: the control plane network element directly generates an authentication vector based on the 3GPP standard AES algorithm; after the active cellular sensing device authenticates the network it is accessing according to the 3GPP standard AES algorithm, it returns an authentication response; the control plane network element verifies the authentication response; after verification, the network access and attachment are completed. The secure network access and attachment process further includes executing the network access and attachment process of active cellular sensing devices using the enhanced strategy, specifically: the control plane security enhancement function unit generates an authentication vector based on a non-3GPP standard cryptographic algorithm and encrypts and embeds an algorithm identifier in the authentication vector; after the active cellular sensing device authenticates the network it is accessing according to the algorithm indicated by the algorithm identifier, it returns an authentication response; the control plane security enhancement function unit verifies the authentication response; after verification, the network access and attachment are completed. Secure transmission of service data: the cellular sensing device acquires sensing information and initiates transmission with the integrated base station; the integrated base station selects the corresponding cellular base station unit according to the type of cellular sensing device to complete the encryption and decryption of uplink and downlink data.
4. The secure communication method for sensing information according to claim 3, characterized in that the initial installation of security resources by the security management unit for the user plane security enhancement function unit, the control plane security enhancement function unit, and the active cellular base station unit specifically includes: the security management unit adds the necessary security resources, security parameters, and security policies to the control plane security enhancement function unit; the security management unit adds the necessary security resources, security parameters, and security policies to the user plane security enhancement function unit; and the security management unit adds the necessary security resources, security parameters, and security policies to the active cellular base station unit.
5. The secure communication method for sensing information according to claim 3, characterized in that the secure network access and attachment process includes executing the network access and attachment process for passive cellular sensing devices using the standard strategy, specifically: the control plane network element directly generates the authentication vector based on the 3GPP standard AES algorithm and transmits it to the passive cellular sensing device; the passive cellular sensing device returns an authentication response according to the 3GPP standard AES algorithm; the control plane network element verifies the authentication response; after verification, the network access and attachment are completed.
6. The secure communication method for sensing information according to claim 3, characterized in that the secure network access and attachment process includes executing the network access and attachment process for passive cellular sensing devices using the enhanced strategy, specifically: the control plane security enhancement function unit generates the authentication vector based on a non-3GPP standard cryptographic algorithm and encrypts and embeds the algorithm identifier in the authentication vector; the passive cellular sensing device returns an authentication response according to the algorithm indicated by the algorithm identifier; the control plane security enhancement function unit verifies the authentication response; after verification, the network access and attachment are completed.
7. The secure communication method for sensing information according to claim 3, characterized in that, in the secure transmission of service data, the data transmission process of the active cellular sensing device includes: a passive cellular sensing device wakes up an active cellular sensing device, which then begins to acquire sensing information or receive instruction information; the 3GPP-based SMC negotiation process is extended, and the algorithm identifier determines whether the null algorithm, a 3GPP standard algorithm, or a non-3GPP standard cryptographic algorithm is negotiated: if the negotiation result is the null algorithm, no security protection is provided subsequently; if the negotiation result is a 3GPP standard algorithm, the AES algorithm specified by the 3GPP standard is used for subsequent protection; if the negotiation result is a non-3GPP standard cryptographic algorithm, that non-3GPP standard cryptographic algorithm is used for subsequent protection; during uplink transmission the active cellular sensing device initiates the sensing information transmission, and during downlink transmission the integrated base station initiates the instruction information transmission; the integrated base station uses the negotiated algorithm to perform channel encryption on downlink air interface data and channel decryption on uplink air interface data; the user plane security enhancement function unit of the integrated core network uses a non-3GPP standard cryptographic algorithm to perform source encryption on downlink application data; and the user plane security enhancement function unit of the integrated core network uses a non-3GPP standard cryptographic algorithm to perform source decryption on uplink application data, and applies zero trust and access control mechanisms to determine the type, flow and permissions of the service data, block illegitimate service data, and aggregate and pass on legitimate service data.
8. The secure communication method for sensing information according to claim 3, characterized in that, in the secure transmission of service data, the data transmission process of the passive cellular sensing device includes: triggering the passive cellular sensing device to acquire sensing information; determining the algorithm strategy for subsequent NAS signaling protection based on the primary authentication algorithm strategy, namely the null algorithm, a 3GPP standard algorithm, or a non-3GPP standard cryptographic algorithm; the passive cellular sensing device initiates the transmission of sensing information; the integrated base station uses the selected algorithm to encrypt downlink NAS signaling and decrypt uplink NAS signaling; the user plane security enhancement function unit of the integrated core network uses a non-3GPP standard cryptographic algorithm to perform source encryption on downlink application data; and the user plane security enhancement function unit of the integrated core network uses a non-3GPP standard cryptographic algorithm to perform source decryption on uplink application data.
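Two mechanisms in claims 2 and 7 are worth seeing in code: the extended SMC negotiation, where the identifier space covers the null algorithm, 3GPP standard algorithms and non-3GPP algorithms and the installed security policy decides which of them may be selected, and the zero trust and access control check that the user plane security enhancement function unit applies to source-decrypted uplink data before aggregating it. The Go program below is an added illustration of both, written for this page and not part of the patent or its assignee's implementation; the identifier values (not the 3GPP encoding), the record fields, the grant structure and the sample records are constructed for the example.

```go
package main

import "fmt"

// AlgID is an extended air-interface algorithm identifier covering the 3GPP
// standard values and an extra range for non-3GPP (domestic / dedicated)
// algorithms. The values are this example's own, not the 3GPP encoding.
type AlgID uint8

const (
	AlgNull      AlgID = 0x0 // null algorithm: no protection
	Alg3GPPAES   AlgID = 0x2 // stand-in for the AES-based 3GPP standard algorithm
	AlgDedicated AlgID = 0x8 // extended identifier for the non-3GPP algorithm
)

// Policy is what the security management unit installs on the active cellular
// base station unit: preference order and whether the null algorithm may be used.
type Policy struct {
	Preferred []AlgID // highest priority first
	AllowNull bool
}

// Negotiate models the extended SMC step: the device reports the identifiers
// it supports and the base station selects the first policy entry the device
// also supports. The null algorithm is selected only when the policy allows it;
// with no common permitted algorithm the negotiation is rejected.
func Negotiate(p Policy, deviceSupports []AlgID) (AlgID, error) {
	supported := map[AlgID]bool{}
	for _, a := range deviceSupports {
		supported[a] = true
	}
	for _, a := range p.Preferred {
		if a == AlgNull && !p.AllowNull {
			continue
		}
		if supported[a] {
			return a, nil
		}
	}
	return AlgNull, fmt.Errorf("no common permitted algorithm: policy %v, device %v", p.Preferred, deviceSupports)
}

// Record is one uplink service-data unit as seen by the user plane security
// enhancement function unit after source decryption.
type Record struct {
	Device string
	Type   string
	Bytes  int
}

// Grant is the per-device zero-trust rule: permitted data types and a byte budget.
type Grant struct {
	Types    map[string]bool
	MaxBytes int
}

// Enforce applies the grants to decrypted uplink records: records from unknown
// devices, of unpermitted types, or beyond the device's budget are blocked with
// a reason; the rest are aggregated per data type for hand-over to the industry
// application.
func Enforce(grants map[string]Grant, records []Record) (map[string]int, []string) {
	used, agg := map[string]int{}, map[string]int{}
	var blocked []string
	for i, r := range records {
		g, known := grants[r.Device]
		switch {
		case !known:
			blocked = append(blocked, fmt.Sprintf("#%d %s: unknown device", i, r.Device))
		case !g.Types[r.Type]:
			blocked = append(blocked, fmt.Sprintf("#%d %s: type %q not granted", i, r.Device, r.Type))
		case used[r.Device]+r.Bytes > g.MaxBytes:
			blocked = append(blocked, fmt.Sprintf("#%d %s: byte budget exceeded", i, r.Device))
		default:
			used[r.Device] += r.Bytes
			agg[r.Type] += r.Bytes
		}
	}
	return agg, blocked
}

// SampleRecords is a constructed batch of decrypted uplink records.
func SampleRecords() []Record {
	return []Record{
		{"tag-A17", "temperature", 24},
		{"tag-A17", "firmware", 1024},  // type never granted to a sensing tag
		{"tag-Z99", "temperature", 24}, // device without any grant
		{"tag-A17", "temperature", 48}, // pushes tag-A17 over its 64-byte budget
	}
}

func main() {
	policy := Policy{Preferred: []AlgID{AlgDedicated, Alg3GPPAES, AlgNull}}
	alg, err := Negotiate(policy, []AlgID{AlgNull, Alg3GPPAES})
	fmt.Printf("negotiated=%#x err=%v\n", alg, err)
	grants := map[string]Grant{"tag-A17": {Types: map[string]bool{"temperature": true}, MaxBytes: 64}}
	agg, blocked := Enforce(grants, SampleRecords())
	fmt.Println(agg, blocked)
}
```

The negotiation deliberately treats the null algorithm as a policy decision rather than a device capability: a device that advertises only the null algorithm is refused unless the security management unit has explicitly allowed unprotected operation, which is the check a downgrade attempt on the SMC exchange would have to pass.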