Communication methods, devices, and systems

The communication method and device address security challenges in integrated communication scenarios by establishing secure connections using authentication keys and security contexts for heterogeneous technologies, ensuring data security.

JP7871381B2Active Publication Date: 2026-06-08HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
HUAWEI TECH CO LTD
Filing Date
2021-09-30
Publication Date
2026-06-08

AI Technical Summary

Technical Problem

Ensuring security requirements in integrated communication scenarios involving heterogeneous communication technologies remains a critical issue.

Method used

A communication method and device that establish secure connections between nodes supporting different communication technologies, such as short-range and 5G, using authentication keys and security contexts to ensure data transmission security.

Benefits of technology

Provides secure data transmission by establishing communication connections based on authentication keys and security contexts, ensuring the security of service data in integrated communication scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007871381000002
    Figure 0007871381000002
  • Figure 0007871381000003
    Figure 0007871381000003
  • Figure 0007871381000004
    Figure 0007871381000004
Patent Text Reader

Abstract

The present application provides a communication method, an apparatus, and a system, which relate to the field of communication technology. The method includes: acquiring first information by a first node / second node; and establishing a first communication connection to a second node based on the first information, the first communication connection being used to transmit data of a first service, the first communication connection corresponding to a first communication technology, the first node accessing a network corresponding to a second communication technology, and the first service being a service of the first communication technology or a service of the second communication technology. This solution helps to meet security requirements of heterogeneous communication technologies in unified communication scenarios.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] Embodiments of this application relate to the field of telecommunications technology, and more particularly to telecommunications methods, apparatus, and systems. [Background technology]

[0002] With the rapid development of information technology, mobile devices (e.g., mobile phones, tablet computers, or other mobile intelligent devices) have become indispensable and important intelligent tools for individuals. In the age of the mobile internet, these mobile devices are more convenient to use than traditional computers (such as desktop workstations and servers), but they are also more likely to compromise and jeopardize personal information. Therefore, the security of communication technologies is crucial.

[0003] With the rapid development of emerging industries such as intelligent vehicles, intelligent terminals, intelligent homes, and intelligent manufacturing, new requirements and applications for innovation are constantly emerging. In some scenarios, the design of integrated communications based on different communication technologies has been proposed. However, how to ensure the security requirements of heterogeneous communication technologies in integrated communication scenarios remains a critical issue that urgently needs to be resolved. [Overview of the project]

[0004] Embodiments of this application provide communication methods, apparatus, and systems that help meet the security requirements of heterogeneous communication technologies in integrated communication scenarios. [Means for solving the problem]

[0005] According to a first aspect, one embodiment of the present application provides a communication method. The method may be applied to a first node, which may support a first communication technology and a second communication technology. The method may include the steps of: obtaining first information; and establishing a first communication connection to a second node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service may be a service of the first communication technology or a service of the second communication technology.

[0006] According to the method described above, the first node can establish a first communication connection between the first node and the second node based on first information associated with the first service. In this way, data corresponding to the first service can be transmitted by using the communication connection corresponding to the first service during service data transmission between the first node and the second node. To satisfy security requirements in an integrated communication scenario and to ensure the security of the corresponding service data, different communication connections may correspond to different service data transmissions. For example, the first communication technology may be a short-range communication technology, and the second communication technology may be the 5th generation mobile communication technology (5G).

[0007] It should be noted that in this embodiment of the present application, only the first communication technology and an integrated scenario based on the first communication technology are used as illustrative examples. This embodiment of the present application may also apply to other integrated communication scenarios. The first service may also include a service corresponding to another communication technology. This is not limited to the embodiments of the present application.

[0008] Referring to the first aspect, in one possible embodiment, the first information may include a first key used for authentication of communication with a second node, and the step of obtaining the first information may include the step of obtaining the first key based on the type corresponding to the second communication technology and / or the service type of the first service.

[0009] According to the method described above, the first node may trigger a process to establish a connection between the first node and the second node, the first node may obtain a first key based on the current communication scenario and / or service requirements, and based on the obtained first key, establish a corresponding first communication connection between the first node and the second node to transmit data corresponding to the first service. For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, such as 5G technology.

[0010] Referring to the first aspect, in one possible embodiment, the first information may include a first key used for authentication of communication with a second node, the method further includes the step of receiving a first message from the second node, wherein the first message carries key type indication information or service type indication information, and the step of obtaining the first information includes the step of obtaining a first key based on the key type indication information or service type indication information.

[0011] According to the method described above, the second node may trigger a process to establish a connection between the first node and the second node, the first node may obtain a first key associated with the first service based on key type instruction information or service type instruction information from the second node, and based on the obtained first key, establish a corresponding first communication connection between the first node and the second node to transmit data corresponding to the first service.

[0012] Referring to the first aspect, in one possible embodiment, the step of establishing a first communication connection to a second node based on first information includes: sending a second message associated with a first key to the second node, the second message being used for identity authentication of the first node; receiving a third message in response to the second message, the third message being used for identity authentication of the second node; and, if identity authentication of the second node is successful, sending a fourth message to the second node, the fourth message being used to establish a first communication connection to the second node.

[0013] It should be noted that in this embodiment of the present application, the third message may correspond to a single message. For example, the message may be used to authenticate the second node and implicitly indicate that the authentication of the first node was successful. Alternatively, as another example, the message may be used to explicitly indicate that the authentication of the first node was successful and may also be used to authenticate the second node. Alternatively, the third message may correspond to at least two messages, for example, a message indicating that the authentication of the first node was successful and a message used to authenticate the second node. Specific embodiments of the third message are not limited to the embodiments of the present application. Similarly, the fourth message may also correspond to a single message. For example, the message may be used to establish a first communication connection to the second node and implicitly indicate that the authentication of the second node was successful. Alternatively, as another example, the message may be used to establish a first communication connection to the second node and may also be used to explicitly indicate that the authentication of the second node was successful. Alternatively, the fourth message may correspond to at least two messages, for example, a message used to establish a first communication connection to a second node and a message used to indicate that the identification and authentication of the second node was successful. Specific embodiments of the fourth message are not limited to the embodiments of this application.

[0014] According to the method described above, the first node can perform mutual identification authentication (or identification authentication) with the second node based on the first key obtained, and after successful mutual authentication, a secure first communication connection is established between the two parties.

[0015] Referring to the first aspect, in one possible embodiment, the first key is a key used for services of the first communication technology, or a key used for services of the second communication technology.

[0016] Referring to the first aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology.

[0017] According to the method described above, the first node can obtain at least one key, and the first node can ensure the security of the service data of the first service by selecting a key from at least one key based on the first service in order to establish a first communication connection corresponding to the first service.

[0018] Referring to the first aspect, in one possible embodiment, the keys used for the service of the second communication technology include trusted keys and untrusted keys, where trusted keys are keys that are successfully authenticated over the network and untrusted keys are keys that are not authenticated over the network, and trusted keys have a higher priority than untrusted keys.

[0019] According to the method described above, at least one key obtained by the first node may have a corresponding priority and / or usage principle, and as a result, the first node may select a key closely related to the first service from at least one key based on the first service and priority and / or usage principle as the first key.

[0020] In this embodiment of the present application, it should be noted that the key corresponds to the service. When the first service is a service of the first communication technology, the key used for the service of the second communication technology is not used. When the first service is a service of the second communication technology, the key used for the service of the first communication technology is not used. When there is a trusted key, the untrusted key is not used.

[0021] Referring to the first aspect, in one possible embodiment, before the step of establishing the first communication connection, the method further includes the step of receiving, from the network, a key used for the service of the second communication technology.

[0022] According to the foregoing method, in an integrated communication scenario based on the first communication technology and the second communication technology, the network corresponding to the second communication technology is used to distribute the key used for the service of the second communication technology to the first node. The first node receives the key to establish the first communication connection between the first node and the second node based on the key in the integrated communication scenario. In this embodiment of the present application, it should be understood that the key used for the service of the second communication technology can be a default value or a dynamically changing value. This is not limited in the embodiments of the present application. In addition, when the key is a key that has been successfully authenticated via the network, the key is a trusted key. Or, when the key is a key that has not been authenticated via the network, the key is an untrusted key.

[0023] Referring to the first aspect, in one possible embodiment, the first information includes the first security context used for communication with the second node. The step of obtaining the first information includes the step of receiving, from the second node, a fifth message, where the fifth message carries an identifier associated with the first security context, and the step of obtaining the first information includes the step of obtaining the first security context based on the identifier.

[0024] According to the method described above, there may be multiple sets of security contexts at the second node. For example, the second node may select a first security context from the multiple sets of security contexts based on the type corresponding to the second communication technology and / or the service type of the first service, and send a fifth message to the first node to indicate the identifier of the first security context. The first node may obtain a first security context corresponding to the first service, based on the identifier associated with the first security context and indicated by the second node, and establish a secure first communication connection between the two parties based on the obtained first security context. For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, such as 5G technology.

[0025] Referring to the first aspect, in one possible embodiment, the first security context is a security context used for services of a first communication technology, or a security context used for services of a second communication technology.

[0026] Referring to the first aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first security context is the security context used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first security context is the security context used for the service of the second communication technology.

[0027] Referring to the first aspect, in one possible embodiment, the security context used for the service of the second communication technology includes a trusted security context or an untrusted security context, where the trusted security context is a security context that is successfully authenticated over the network, and the untrusted security context is a security context that is not authenticated over the network, and the trusted security context has a higher priority than the untrusted security context.

[0028] According to the method described above, there may be at least one set of security contexts between the first node and the second node, and the at least one set of security contexts may have corresponding priorities and / or usage principles, and as a result, the first node may select a security context closely related to the first service from the at least one set of security contexts as the first security context, based on the first service and priorities and / or usage principles.

[0029] In this embodiment of the present application, it should be noted that, like keys, security contexts also correspond to services. If the first service is a service of the first communication technology, the security context used for the service of the second communication technology is not used; if the first service is a service of the second communication technology, the security context used for the service of the first communication technology is not used; and if a trusted security context exists, an untrusted security context is not used.

[0030] Referring to the first aspect, in one possible embodiment, prior to the step of obtaining first information, the method further includes the step of sending a sixth message to a second node, the sixth message being used to indicate that the first node supports the second communication technology. It should be noted that in this embodiment of the application, the first node supporting the second communication technology may also be understood as the first node supporting the transmission of services of the second communication technology, the first node supporting service transmissions corresponding to the second communication technology, or the first node supporting service transmissions performed based on the second communication technology.

[0031] According to the method described above, the first node may add relevant instructional information to the sixth message to inform the second node of the service types supported by the first node, and as a result, the second node makes decisions based on the services performed between the second node and the first node, establishes a secure first communication connection, and transmits data for the first service between the two.

[0032] According to a second aspect, one embodiment of the present application provides a communication method. The method is applied to a second node. The second node may support a first communication technology, or the second node may support both the first and second communication technologies. The method may include the steps of: obtaining first information; and establishing a first communication connection to a first node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service may be a service of the first communication technology or a service of the second communication technology.

[0033] Referring to a second aspect, in one possible embodiment, the first information includes a first key used for communication authentication with a first node, and the step of obtaining the first information includes the step of obtaining the first key based on the type corresponding to a second communication technology and / or the service type of the first service. For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, e.g., 5G technology. Referring to a second aspect, in one possible embodiment, the method further includes the step of sending a first message to a first node, wherein the first message carries information associated with the first key. For example, the information associated with the first key may include key type indicator information or service type indicator information. In an optional embodiment, the information associated with the first key may alternatively be the first key.

[0034] Referring to a second aspect, in one possible embodiment, the step of establishing a first communication connection to a first node based on first information includes: receiving a second message from the first node, the second message being associated with a first key and used for identity authentication of the first node; sending a third message to the first node, if the identity authentication of the first node is successful, the third message being used for identity authentication of the second node; and receiving a fourth message in response to the third message, the fourth message being used to establish a first communication connection to a second node.

[0035] It should be noted that in this embodiment of the present application, the third message may correspond to a single message. For example, the message may be used to authenticate the second node and implicitly indicate that the authentication of the first node was successful. Alternatively, as another example, the message may be used to explicitly indicate that the authentication of the first node was successful and may also be used to authenticate the second node. Alternatively, the third message may correspond to at least two messages, for example, a message indicating that the authentication of the first node was successful and a message used to authenticate the second node. Specific embodiments of the third message are not limited to the embodiments of the present application. Similarly, the fourth message may also correspond to a single message. For example, the message may be used to establish a first communication connection to the second node and implicitly indicate that the authentication of the second node was successful. Alternatively, as another example, the message may be used to establish a first communication connection to the second node and may also be used to explicitly indicate that the authentication of the second node was successful. Alternatively, the fourth message may correspond to at least two messages, for example, a message used to establish a first communication connection to a second node and a message used to indicate that the identification and authentication of the second node was successful. Specific embodiments of the fourth message are not limited to the embodiments of this application.

[0036] Referring to a second aspect, in one possible embodiment, the first key is a key used for services of a first communication technology, or a key used for services of a second communication technology.

[0037] Referring to a second aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology.

[0038] Referring to the second aspect, in one possible embodiment, the keys used for the service of the second communication technology include trusted keys and untrusted keys, where trusted keys are keys that are successfully authenticated over the network and untrusted keys are keys that are not authenticated over the network, and trusted keys have a higher priority than untrusted keys.

[0039] Referring to a second aspect, in one possible embodiment, prior to the step of establishing a first communication connection, the method further includes the step of receiving a key from a network, which is used to provide services of a second communication technology.

[0040] Referring to a second aspect, in one possible embodiment, the first information includes a first security context, which is used by a second node to establish a first communication connection to a first node, and the step of obtaining the first information includes the step of obtaining the first security context based on the type corresponding to a second communication technology and / or the service type of the first service. For example, the type corresponding to a second communication technology may be the type of communication standard used in the second communication technology, e.g., 5G technology.

[0041] Referring to a second aspect, in one possible embodiment, the first security context is a security context used for services of a first communication technology, or a security context used for services of a second communication technology.

[0042] Referring to a second aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first security context is a security context used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first security context is a security context used for the service of the second communication technology.

[0043] Referring to the second aspect, in one possible embodiment, the security context used for the service of the second communication technology includes a trusted security context or an untrusted security context, where the trusted security context is a security context that is successfully authenticated over the network, and the untrusted security context is a security context that is not authenticated over the network, and the trusted security context has a higher priority than the untrusted security context. Referring to the second aspect, in one possible embodiment, the method further includes the step of sending a fifth message to a first node, wherein the fifth message carries an identifier associated with the first security context.

[0044] Referring to a second aspect, in one possible embodiment, the method further includes the step of receiving a sixth message from a first node, the sixth message carrying information used to indicate that the first node supports a second communication technology. It should be noted that in this embodiment of the application, the first node supporting a second communication technology may also be understood as the first node supporting the transmission of services of the second communication technology, the first node supporting service transmissions corresponding to the second communication technology, or the first node supporting service transmissions performed on behalf of the second communication technology.

[0045] According to a third aspect, one embodiment of the present application provides a communication device. The communication device includes a communication unit applied to a first node and configured to communicate with a second node, and a processing unit configured to acquire first information and establish a first communication connection to the second node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service is a service of the first communication technology or a service of the second communication technology.

[0046] Referring to a third aspect, in one possible embodiment, the first information includes a first key used for communication authentication with a second node, and the processing unit is configured to retrieve the first key based on the type corresponding to the second communication technology and / or the service type of the first service. For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, e.g., 5G technology. Referring to a third aspect, in one possible embodiment, the first information includes a first key used for communication authentication with a second node, and the communication unit is configured to receive a first message from the second node, the first message carrying key type indication information or service type indication information, and the processing unit is configured to retrieve the first key based on the key type indication information or service type indication information.

[0047] Referring to a third aspect, in one possible embodiment, the communication unit is configured to send a second message associated with a first key to a second node, the second message being used for identity authentication of the first node, receive a third message in response to the second message, the third message being used for identity authentication of the second node, and if the identity authentication of the second node is successful, send a fourth message to the second node, the fourth message being used to establish a first communication connection to the second node.

[0048] Referring to a third aspect, in one possible embodiment, the first key is a key used for services of a first communication technology, or a key used for services of a second communication technology.

[0049] Referring to a third aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology.

[0050] Referring to the third aspect, in one possible embodiment, the keys used for the service of the second communication technology include trusted keys and untrusted keys, where trusted keys are keys that are successfully authenticated over the network and untrusted keys are keys that are not authenticated over the network, and trusted keys have a higher priority than untrusted keys.

[0051] Referring to a third aspect, in one possible embodiment, before the processing unit establishes a first communication connection, the communication unit is further configured to receive a key from the network, which is used to provide services for the second communication technology.

[0052] Referring to a third aspect, in one possible embodiment, the first information includes a first security context used for communication with a second node, the communication unit is configured to receive a fifth message from the second node, the fifth message carrying an identifier associated with the first security context, and the processing unit is configured to retrieve the first security context based on the identifier.

[0053] Referring to a third aspect, in one possible embodiment, the first security context is a security context used for services of a first communication technology, or a security context used for services of a second communication technology.

[0054] Referring to a third aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first security context is a security context used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first security context is a security context used for the service of the second communication technology.

[0055] Referring to a third aspect, in one possible embodiment, the security context used to serve the second communication technology includes a trusted security context or an untrusted security context, where the trusted security context is a security context that is successfully authenticated over the network, and the untrusted security context is a security context that is not authenticated over the network, with the trusted security context having a higher priority than the untrusted security context. Referring to a third aspect, in one possible embodiment, the communication unit is further configured to send a sixth message to a second node before the processing unit obtains the first information, the sixth message carrying information used to indicate that the first node supports the second communication technology.

[0056] According to a fourth aspect, one embodiment of the present application provides a communication device including: a communication unit configured to communicate with a first node; and a processing unit configured to acquire first information and establish a first communication connection to the first node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service may be a service of the first communication technology or a service of the second communication technology.

[0057] Referring to a fourth aspect, in one possible embodiment, the first information includes a first key used for communication authentication with a first node, and the processing unit is configured to retrieve the first key based on the type corresponding to a second communication technology and / or the service type of the first service. For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, e.g., 5G technology. Referring to a fourth aspect, in one possible embodiment, the communication unit is further configured to send a first message to a first node, the first message carrying information associated with the first key. For example, the information associated with the first key may include key type indication information or service type indication information.

[0058] Referring to a fourth aspect, in one possible embodiment, the communication unit is configured to receive a second message from a first node, the second message is associated with a first key, the second message is used for the authentication of the first node, and if the authentication of the first node is successful, it sends a third message to the second node, the third message is used for the authentication of the second node, it receives a fourth message in response to the third message, and the fourth message is used to establish a first communication connection to the second node.

[0059] Referring to the fourth aspect, in one possible embodiment, the first key is a key used for services of the first communication technology, or a key used for services of the second communication technology.

[0060] Referring to the fourth aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology.

[0061] Referring to the fourth aspect, in one possible embodiment, the keys used for the service of the second communication technology include trusted keys and untrusted keys, where trusted keys are keys that are successfully authenticated over the network and untrusted keys are keys that are not authenticated over the network, and trusted keys have a higher priority than untrusted keys.

[0062] Referring to a fourth aspect, in one possible embodiment, before the processing unit establishes a first communication connection, the communication unit is configured to receive a key from the network, which is used to provide services for the second communication technology.

[0063] Referring to the fourth aspect, in one possible embodiment, the first information includes a first security context, which is used by a second node to establish a first communication connection to a first node, and the processing unit is configured to obtain the first security context based on the type corresponding to a second communication technology and / or the service type of the first service. For example, the type corresponding to a second communication technology may be the type of communication standard used in the second communication technology, e.g., 5G technology.

[0064] Referring to the fourth aspect, in one possible embodiment, the first security context is a security context used for services of a first communication technology, or a security context used for services of a second communication technology.

[0065] Referring to the fourth aspect, in one possible embodiment, if the first service is a service of the first communication technology, the first security context is a security context used for the service of the first communication technology, and / or, if the first service is a service of the second communication technology, the first security context is a security context used for the service of the second communication technology.

[0066] Referring to the fourth aspect, in one possible embodiment, the security context used for the service of the second communication technology includes a trusted security context or an untrusted security context, where the trusted security context is a security context that is successfully authenticated over the network, and the untrusted security context is a security context that is not authenticated over the network, and the trusted security context has a higher priority than the untrusted security context.

[0067] Referring to the fourth aspect, in one possible embodiment, the communication unit is further configured to send a fifth message to the first node, the fifth message carrying an identifier associated with the first security context.

[0068] Referring to a fourth aspect, in one possible embodiment, the communication unit is further configured to receive a sixth message from a first node, the sixth message carrying information used to indicate that the first node supports the second communication technology.

[0069] According to a fifth aspect, one embodiment of the present application provides a communication device including a processor and a memory. The memory is configured to store a program, and the processor is configured to execute a program stored in the memory, so that the device implements a method according to the first aspect and one possible embodiment of the first aspect, or a method according to the second aspect and one possible embodiment of the second aspect.

[0070] According to a sixth aspect, one embodiment of the present application provides a communication device including at least one processor and an interface circuit. The interface circuit is configured to provide data or code instructions to at least one processor. The at least one processor is configured to implement a method according to any one of the first aspect and one possible embodiment of the first aspect, or a method according to any one of the second aspect and one possible embodiment of the second aspect, by using logic circuits or by executing code instructions.

[0071] According to the seventh aspect, one embodiment of the present application provides a communication system including a communication device according to the third aspect and one possible embodiment of the third aspect, and a communication device according to the fourth aspect and one possible embodiment of the fourth aspect.

[0072] According to the eighth aspect, one embodiment of the present application provides a computer-readable storage medium that stores program code. When the program code is executed on a computer, the computer is able to perform a method according to any one of the first aspect and one possible embodiment of the first aspect, or when the program code is executed on a computer, the computer is able to perform a method according to any one of the second aspect and one possible embodiment of the second aspect.

[0073] According to the ninth aspect, one embodiment of the present application provides a computer program product. When the computer program product is executed on a computer, the computer is able to perform a method according to the first aspect and one possible embodiment of the first aspect, or a method according to one possible embodiment of the second aspect and one possible embodiment of the second aspect.

[0074] According to a tenth aspect, one embodiment of the present application provides a chip system. The chip system includes a processor configured to call a computer program or computer instruction stored in memory, the processor performing a method according to any one of the first aspect and one possible embodiment of the first aspect, or a method according to any one of the second aspect and one possible embodiment of the second aspect.

[0075] Referring to the tenth aspect, in one possible embodiment, the processor is coupled to memory by using an interface.

[0076] Referring to the tenth aspect, in one possible embodiment, the chip system further includes memory, which stores computer programs or computer instructions.

[0077] According to the eleventh aspect, one embodiment of the present application provides a processor. The processor is configured to call a computer program or computer instruction stored in memory, and as a result, the processor performs a method according to the first aspect and one possible embodiment of the first aspect, or a method according to the second aspect and one possible embodiment of the second aspect.

[0078] According to a twelfth aspect, one embodiment of the present application provides a terminal device. The terminal device may be configured to carry out a method according to the first aspect and one possible embodiment of the first aspect, or a method according to the second aspect and one possible embodiment of the second aspect. For example, the terminal device includes, but is not limited to, intelligent transport equipment (vehicles, ships, unmanned aerial vehicles, trains, trucks, etc.), intelligent manufacturing equipment (robots, industrial equipment, intelligent logistics, or smart factories, etc.), and intelligent terminals (mobile phones, computers, tablet computers, palmtop computers, desktop computers, headsets, audio equipment, wearable devices, in-vehicle equipment, etc.).

[0079] According to a thirteenth aspect, one embodiment of the present application provides a vehicle. The vehicle may be configured to carry out a method according to the first aspect and one possible embodiment of the first aspect, and / or a method according to the second aspect and one possible embodiment of the second aspect.

[0080] According to the fourteenth aspect, one embodiment of the present application provides a vehicle. The vehicle may include a communication device according to any one of the third aspect and one possible embodiment of the third aspect, and / or a communication device according to any one of the fourth aspect and one possible embodiment of the fourth aspect.

[0081] Based on the embodiments provided in the aforementioned aspects, the embodiments of this application may be further combined to provide more embodiments.

[0082] For technical effects that can be achieved in any one possible embodiment of the second through fourteenth embodiments, please refer to the corresponding description of technical effects that can be achieved in any one possible embodiment of the first embodiment. No repetition is provided. [Brief explanation of the drawing]

[0083] [Figure 1] This is a schematic diagram of a system architecture to which one embodiment of this application can be applied. [Figure 2] This is a schematic diagram of a system architecture to which one embodiment of this application can be applied. [Figure 3] This is a schematic flowchart of a communication method according to one embodiment of this application. [Figure 4a] This is a schematic flowchart of a communication method according to one embodiment of this application. [Figure 4b] This is a schematic flowchart of a communication method according to one embodiment of this application. [Figure 4c] This is a schematic flowchart of a communication method according to one embodiment of this application. [Figure 4d] This is a schematic flowchart of a communication method according to one embodiment of this application. [Figure 5] This is a schematic diagram of a communication device according to one embodiment of the present application. [Figure 6] This is a schematic diagram of a communication device according to one embodiment of the present application. [Modes for carrying out the invention]

[0084] Embodiments of this application provide communication methods, apparatus, and systems that help meet the security requirements of heterogeneous communication technologies in integrated communication scenarios. The methods and apparatus are based on the same technical concept. Since the problem-solving principle of the methods is the same as that of the apparatus, embodiments of the apparatus and methods can be mutually referenced. Repeating parts will not be described in detail. For ease of understanding, the following description will be provided with reference to the accompanying drawings and embodiments.

[0085] Figure 1 is a schematic diagram of a system architecture to which one embodiment of this application can be applied.

[0086] As shown in Figure 1, the system architecture may include a first node 110, a second node 120, and a third node 130. The first node 110 and the second node 120 may form a first communication system, which may communicate with each other using a first communication technology. The first node 110 and the third node 130 may form a second communication system, which may communicate with each other using a second communication technology. The first communication technology is different from the second communication technology. In an integrated communication scenario based on the first and second communication technologies, a communication connection may be established between the first and second communication systems to form a heterogeneous communication system, as a result of which corresponding communication services are performed and / or communication service data is transmitted within the heterogeneous communication system. For example, a heterogeneous communication system may also be called an integrated communication system, a tight interworking communication system, or an interworking communication system.

[0087] In this embodiment of the present application, one of the first node 110, the second node 120, or the third node 130 may be an electronic device having data transmission and reception capabilities.

[0088] For example, an electronic device may be a terminal device that includes equipment that provides voice and / or data connectivity to a user. Specifically, a terminal device may include equipment that provides voice to a user, equipment that provides data connectivity to a user, or equipment that provides both voice and data connectivity to a user. For example, a terminal device may include a handheld device with wireless connectivity or a processing device connected to a wireless modem. For example, a terminal device may communicate with a core network via a radio access network (RAN) and exchange voice and / or data with the RAN.

[0089] In the specific implementation process, terminal equipment may include, but is not limited to, vehicles, user equipment (UE), wireless terminal equipment, mobile terminal equipment, device-to-device (D2D) terminal equipment, vehicle-to-everything (V2X) terminal equipment, machine-to-machine / machine-type communications (M2M / MTC) terminal equipment, Internet of Things (IoT) terminal equipment or narrow-band Internet of Things (NB-IoT) terminal equipment, subscriber units, subscriber stations, mobile stations, mobile consoles, remote stations, access points (AP), remote terminal equipment, access terminal equipment, user terminal equipment, user agents, or user devices. In another example, terminal devices may be specifically implemented as dedicated terminal devices within computers, IoT devices, industrial control devices, remote medical devices, smart grid devices, or smart city devices that have mobile terminal devices (or what are called "cellular" phones) or mobile terminal devices, or as personal communication service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, or Personal Digital Assistants (PDAs).In an optional design, the terminal device may be implemented as a limited device, such as a relatively low-power device, a device with limited memory capacity, or a device with limited computing power. In an optional design, the terminal device may include components such as barcodes, radio frequency identification (RFID), sensors, global positioning systems (GPS), and laser scanners.

[0090] In optional designs, terminal devices may be replaced by wearable devices. Wearable devices, sometimes called wearable smart devices or smart wearable devices, are a general term for wearable devices developed by intelligently designing everyday clothing using wearable technology, such as glasses, gloves, watches, clothing, and shoes. Wearable devices are portable devices that are worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are not only a type of hardware device, but can also implement powerful functionality through software support, data exchange, and cloud interaction. Generalized wearable smart devices include devices that have full functionality and a large size and implement full or partial functionality without relying on a smartphone, such as smartwatches or smart glasses, and devices that focus only on certain application functions and need to be used in conjunction with another device such as a smartphone, such as various smart bands for body sign monitoring, smart helmets, and smart jewelry.

[0091] In the optional design, the terminal device may instead be a machine-intelligent device, such as a self-driving device, a transportation safety device, a virtual reality (VR) terminal device, or an augmented reality (AR) terminal device.

[0092] When the various terminal devices described above are located within a vehicle (for example, placed or installed within the vehicle), all of them can be considered in-vehicle terminal devices. In-vehicle terminal devices are sometimes also called on-board units (OBUs).

[0093] In an optional design, the terminal equipment may further include a relay. Alternatively, it is understood that the terminal equipment may include any equipment capable of performing data communication with a base station.

[0094] For example, electronic devices may be replaced by network devices. For example, network devices include access network (AN) devices. Access network devices may include devices such as base stations or access points that communicate with wireless terminal devices via an air interface in the access network by using one or more cells. Base stations may be configured to perform translation between received wireless frames and Internet Protocol (IP) packets and act as routers between terminal devices and the rest of the access network. The rest of the access network may include IP networks. In an optional design, network devices may include base stations of second-generation (2G) communication systems, third-generation (3G) communication systems, or fourth-generation (4G) communication systems, such as evolved NodeBs (NodeB, eNB, or e-NodeB, evolutional NodeB) of long-term evolution (LTE) or long-term evolution-advanced (LTE-A) systems. Alternatively, the network equipment may include next-generation NodeBs (gNBs) of the 5th generation (5G) new radio (NR) system (also known as the NR system), or centralized units (CUs) and distributed units (DUs) in a cloud radio access network (Cloud RAN) system, as well as base stations in various future communication systems, such as base stations in a 6th generation (6G) communication system. This is not limited to the embodiments of this application.In another example, network equipment may include network equipment within V2X, i.e., road side units (RSUs). An RSU may include fixed infrastructure entities that support the V2X application and may exchange messages with other entities that support the V2X application. In yet another example, network equipment may, alternatively, include core network equipment. Core network equipment may include, for example, one or more of the following items in a 5G system: access and mobility management function (AMF), session management function (SMF), and user plane function (UPF), or a mobility management entity (MME) in a 4G system.

[0095] It should be understood that in some technical scenarios, electronic devices having similar data transmission and reception capabilities may not be referred to as nodes. However, for the sake of clarity, in the embodiments of this application, electronic devices having data transmission and reception capabilities are collectively referred to as nodes.

[0096] In this embodiment of the present application, in the heterogeneous communication system shown in Figure 1, the equipment types of the first node 110, the second node 120, and the third node 130 may be the same or different. For example, the first node 110, the second node 120, and the third node 130 may all be terminal equipment or network equipment, or the first node 110 and the second node 120 may be terminal equipment and the third node 130 may be network equipment. For example, the first communication technology is short-range communication technology and the second communication technology is 5G communication technology. As shown in Figure 2, the first node 110 and the second node 120 may be terminal devices with short-range communication capabilities, and the third node 130 may include, but is not limited to, access devices, i.e., a Trusted Non-3GPP Gateway Function (TNGF), and core network devices, i.e., at least one of functional entities such as SMF, AMF, UPF, and Data Network (DN). The first node 110 may support the first and second communication technologies and may be used as the master node (or authenticated node) of the second node 120. The first node 110 communicates with the second node 120 over short distances. Furthermore, the first node 110 communicates with the third node 130 over 5G. It should be noted that the ability of the first node 110 to support the first communication technology may be understood as the ability of the first node to support service transmissions performed based on the first communication technology, or the ability of the first node to support services of the first communication technology, and the ability of the second node 120 to support the second communication technology may be understood as the ability of the second node to support service transmissions performed based on the second communication technology, or the ability of the second node to support services of the second communication technology.

[0097] Nodes or functional entities may be connected to each other via interfaces. Interface sequence numbers or interface names are not limited to the embodiments of this application. Interfaces defined based on 3GPP-related standard protocols of 5G systems may be used, or interfaces of future communication systems may be used. For example, a second node 120 may communicate with a first node 110 via a Yt interface, the first node 110 may communicate with a TNGF via a Ta interface, and the second node 120 may communicate with a TNGF via a NWt interface. The second node 120 and the first node 110 may communicate with an AMF via a next generation (N)1 interface (abbreviated as N1), network equipment (e.g., a TNGF) may communicate with an AMF via an N2 interface (abbreviated as N2), the TNGF may communicate with a local UPF via an N3 interface (abbreviated as N3), and the UPF may communicate with a DN via an N6 interface (abbreviated as N6). The AMF communicates with the SMF via the N11 interface (abbreviated as N11), and the SMF communicates with the UPF via the N4 interface (abbreviated as N4). In this way, the 5G network can perceive important information such as the equipment status, network status, and service status of the second node 110 by using the first node 120, and can remotely access, perceive, and manage field networks and services in industry.

[0098] The above merely demonstrates that a heterogeneous communication system may include a first node 110, a second node 120, and a third node 130, and provides an example illustrating the communication mode between each node and the functional module of the heterogeneous communication system. It should be noted that this does not limit the number of nodes or the interface sequence number or interface name. In certain embodiments, the number of first nodes 110, second nodes 120, and third nodes 130 may not each be limited to one.

[0099] In addition, it should be noted that in this embodiment of the present application, in an optional design, the first node 110 may perform the process of establishing a radio resource control (RRC) connection to the third node 130. After the first node 110 has established an RRC connection with the third node 130, the RRC status of the first node 110 is the RRC connected state. Subsequently, the RRC status of the first node 110 may switch between the following states: RRC idle (RRC_IDLE), RRC connected (RRC_CONNECTED), and RRC inactive (RRC_INACTIVE). In the integrated communication scenario in this embodiment of the present application, the first node 110 may be in any of the aforementioned idle, connected, and inactive states. This is not limited to the embodiment of the present application. In addition, in this embodiment of the present application, the establishment of a communication connection between any two nodes means that signal transmission and exchange may be performed between the two nodes to carry out communication between the two nodes. Communication connections include, but are not limited to, physical or virtual connections. Connections are not distinguished individually below.

[0100] In embodiments of this application, short-range communication technology may include technologies that support wireless short-range communication. Wireless short-range communication refers to two communicating parties transmitting information using radio waves over a relatively short range (e.g., within 100 meters) and includes, but is not limited to, Bluetooth technology, Wireless Fidelity (Wi-Fi) technology, Near Field Communication (NFC) technology, Wi-Fi Aware technology, general-purpose short-range communication technology, and Star Alliance specification short-range communication technology. Short-range communication can be widely applied in various forms such as file transfer, remote control, projection, and perception of surrounding devices (e.g., intelligent vehicles, intelligent terminal devices, intelligent home devices, and intelligent manufacturing equipment). Examples of some short-range communication technologies are described below.

[0101] Bluetooth: Bluetooth is a wireless technology that supports short-range communication between devices and can be used to exchange wireless information between multiple devices such as mobile phones, wireless headsets, notebook computers, and related peripherals. By using Bluetooth technology, communication between mobile communication terminal devices can be effectively simplified, and communication between devices and the internet can also be successfully simplified, resulting in faster and more efficient data transmission and expanding the scope of wireless communication.

[0102] Wireless fidelity (Wi-Fi) technology, also known as Wireless Local Area Network (WLAN) Direct Connectivity or Wi-Fi Direct, is part of the Wi-Fi protocol cluster. It allows devices to easily connect to each other without the need for intermediate wireless access points. Wi-Fi technology has applications ranging from web browsing to file transfer. It enables multiple devices to communicate with each other simultaneously, fully utilizing the speed advantages of Wi-Fi. Devices that meet this standard can easily connect to each other, even if they are from different manufacturers.

[0103] Wi-Fi Aware Technology: In Wi-Fi technology, Wi-Fi Aware technology is responsible for perception and discovery, and can help Wi-Fi devices perceive surrounding services, such as surrounding devices, in order to enable peer-to-peer (P2P) message exchange between two devices in close proximity via Wi-Fi Aware. Because Wi-Fi Aware can be used to perceive surrounding devices, multiple functions can be implemented, such as perceiving nearby people, adding friends and establishing connections to play the same game, discovering surrounding devices to perform photo sharing, location sharing, etc., or securely sending files to a printer without accessing a network (e.g., cellular or wireless network).

[0104] It should be noted that, in addition to the aforementioned short-range communication technologies, other existing short-range communication technologies, or other short-range communication technologies that may emerge in the future as communication technologies evolve, may also be applicable to this solution.

[0105] In addition, it should be noted that the functional entities or network elements in Figure 2 may, alternatively, interact with each other via service-oriented interfaces. For example, the service-oriented interface provided externally by the AMF may be a network access and mobility management function (Namf) interface, and the service-oriented interface provided externally by the SMF may be a network session management function (Nsmf) interface. For further details, see the 5G system architecture defined in the 3rd Generation Partnership Project (3GPP)-23501 standard. Details are not provided herein.

[0106] Each function included in the system architecture may be called a functional entity or network element, or may have another name. For example, an SMF may be called an SMF entity. In an optional design, each function in this embodiment of the application may be implemented by one device, by multiple devices together, or by one or more functional modules within a device. This is not particularly limited to the embodiments of the application. It will be understood that each function in this embodiment of the application may be a function of a network element in a hardware device, or a function of software running on dedicated hardware, a function implemented by a combination of hardware and software, or a virtualization function instantiated on a platform (e.g., a cloud platform).

[0107] It should be noted that the distribution of functions is not limited in the embodiments of this application. In an optional design, the functions included in the aforementioned system architecture may also correspond to any combination of any of the aforementioned functions, or to other functional entities formed after a combination of any of the aforementioned functions with another function, for example, a functional entity having two functions: session management and policy control, a functional entity having three functions: session management, access and mobility management, and policy control, or a functional entity having two functions: network opening and application functions.

[0108] It should be noted that the system architectures shown in Figures 1 and 2 do not constitute a limitation on the system architectures to which the embodiments of this application can be applied. The number of terminal devices in Figure 2 is merely an example. In actual use, network equipment may serve multiple terminal devices. All or some of the network equipment and multiple terminal devices may each use the communication methods provided in the embodiments of this application. Each function or device in the embodiments of this application may also be referred to as a communication device. The function or device may be a general-purpose device or a dedicated device. This is not limited to the embodiments of this application.

[0109] In embodiments of this application, it should be noted that “at least one” means one or more, and “multiple” means two or more. “And / or” describes an association between related objects and indicates that three relationships may exist. For example, A and / or B may mean the following cases: that only A exists, that both A and B exist, and that only B exists, in which case A and B may each be singular or plural. The letter “ / ” generally indicates that the related objects are in an “or” relationship. “At least one of the following” or a similar expression means any combination of those items, including any single (item) or any combination of multiple (items). For example, at least one of a, b, or c means a, b, c, a and b, a and c, b and c, or a, b, and c, in which a, b, and c may each be singular or plural.

[0110] Furthermore, unless otherwise specified, the ordinal numbers such as “first,” “second,” and “third” as referred to in the embodiments of this application are used to distinguish multiple objects, but not to limit the priority or importance of multiple objects. For example, the first node, the second node, and the third node are used simply to distinguish different nodes, rather than indicating different priorities or importance of three nodes.

[0111] In addition, it should be noted that in embodiments of this application, the services of the first communication technology may be understood as services implemented by using the first communication technology (e.g., services implemented by using non-5G technology, and services implemented by using short-range communication technology), or services corresponding to the first communication technology (e.g., non-5G services, and short-range communication services). The services of the second communication technology may include services of the second communication technology in an integrated communication scenario. The services of the second communication technology may be understood as services implemented by using the second communication technology (e.g., services implemented via 5G) or services corresponding to the second communication technology (e.g., 5G services). In embodiments of this application, the correspondence of the first communication connection to the first communication technology may be understood as the connection being implemented based on the first communication technology. For example, if the first communication technology is short-range communication technology, then the first communication connection is a connection being implemented by using short-range communication technology. Furthermore, optionally, the communication connection may be used to transmit services of the first communication technology or to transmit services of the second communication technology. These will not be described in detail below. In embodiments of this application, the network corresponding to the second communication technology may be understood as a network that supports at least the second communication technology, or a network that supports at least service transmission implemented based on the second communication technology, for example, a 5G network or a 5G core network.

[0112] Based on the system architecture shown in Figures 1 and 2, in the integrated communication scenario of this embodiment of the present application, in an optional design, for a first communication system including a first node 110 and a second node 120, in order to ensure the communication security of the first communication system, after selecting a trusted first node 110, the second node 120 may perform mutual identification authentication with the first node 110 by using a preset key when first establishing a link to the first node 110, and after successful identification authentication, a communication connection between the two parties is established based on the security context corresponding to the key. Furthermore, in order to ensure the communication security of a heterogeneous communication system including the first node 110, the second node 120, and a third node 130, the second node 120 may further initiate a new identification authentication and / or new security context negotiation procedure to the third node 130 by using the first node 110, and through negotiation determine a new key and corresponding security context between the three nodes.

[0113] If the first node 110 and the second node 120 have at least two sets of keys and / or corresponding security contexts, the first node 110 and the second node 120 may further select the necessary keys or security contexts from at least two sets of keys and / or corresponding security contexts in order to establish a secure communication connection to the peer node based on the selected keys or security contexts. This ensures the security requirements for performing the corresponding communication service and / or transmitting communication service data between the two parties.

[0114] In this embodiment of the present application, it should be noted that the key is a parameter and may be a parameter input in an algorithm for converting plaintext to ciphertext or an algorithm for converting ciphertext to plaintext. Any two of the first node 110, the second node 120, and the third node 130 may initiate an identity authentication procedure and / or a security context negotiation procedure based on the key. After successful identity authentication between the two parties, they can obtain the security context agreed upon through negotiation, i.e., access control attributes. Based on the security context, the two parties may initiate a connection establishment procedure to establish a secure communication connection between them. If a security context agreed upon through negotiation already exists between any two of the first node 110, the second node 120, and the third node 130, it should be understood that the two parties do not need to perform the identity authentication procedure and / or security context negotiation procedure and can directly use the security context agreed upon through negotiation to initiate a connection establishment procedure to establish a secure communication connection between them.

[0115] In this embodiment of the present application, it should be understood that the first node 110, the second node 120, and the third node 130 may all support one or more key agreement algorithms. Before initiating the identification and authentication procedure and / or the security context negotiation procedure, any two of the first node 110, the second node 120, and the third node 130 may further complete a key agreement between them through information exchange. For example, key agreement algorithms may include, but are not limited to, asymmetric encryption algorithms such as the public-key cryptography (Rivest-Shamir-Adleman, RSA) algorithm or the elliptic curve cryptography (ECC) algorithm, private key exchange algorithms such as the Diffie-Hellman algorithm (DH) algorithm or the elliptic curve Diffie-Hellman key exchange (ECDH) algorithm, and shared-key algorithms such as the pre-shared key (PSK) algorithm. This is not limited to the embodiments of the present application. For the sake of clarity, the specific implementation process of the communication method in the embodiment of this application will be described below using the PSK algorithm as an example. Further details are not described herein.

[0116] Identification authentication, also known as "identity verification" or "identity authentication," refers to completing the identification verification of a node by using specific means. Many embodiments of identification authentication methods include, for example, PSK-based identification authentication methods, biological characteristic-based identification authentication methods, and public-key cryptographic algorithm-based identification authentication methods. Pre-shared key-based identification authentication means that a single key or group of keys may be shared between at least two nodes, for example, between a first node 110 and a second node 120, between a first node 110 and a third node 130, or between a first node 110, a second node 120, and a third node 130. When identification authentication needs to be performed, the first node 110, the second node 120, or the third node 130 may send a PSK (or associated parameters associated with the PSK, specific embodiments of the associated parameters are not limited to the embodiments of this application) to the peer node. After receiving the PSK, the peer node checks whether the PSK matches a locally stored key. If the PSK matches a locally stored key, identity authentication may be determined to be successful; if the PSK does not match a locally stored key, identity authentication may be determined to be failed. The security context agreed upon through negotiation can only be obtained if any two nodes have successfully performed mutual identity authentication, and based on the security context, a secure communication connection is established between the two parties, ensuring the security requirements for performing corresponding communication services and / or transmitting communication service data.

[0117] In a particular implementation process, in one possible embodiment, a first node 110 and a second node 120 may select first information associated with a first service (including, for example, a first key and / or a first security context), exchange information based on the first information, and establish a first communication connection between the first node 110 and the second node 120. The first communication connection may be used to transmit data of the first service to satisfy security requirements in an integrated communication scenario, and for a third node 130 to perceive relevant information of the second node 120 by using the first node 110, thereby remotely accessing, perceiving, and managing the network and services corresponding to the second node 120. In implementation, in different scenarios, the steps of the communication method may be triggered by the first node 110 or the second node 120. This is not limited to the embodiments of this application.

[0118] For ease of understanding, the communication method will be described below with reference to the attached drawings and embodiments. It should be noted that the steps included in the method embodiments described in this application are merely examples of optional steps in the communication method and do not limit the specific implementation process of the communication method. In some optional embodiments, the execution sequence numbers of the steps in any of the method embodiments may be substituted.

[0119] As shown in Figure 3, in one example, the method procedure may be triggered by the first node 110 and may include the following steps.

[0120] S310: The first node 110 obtains the first piece of information.

[0121] S320: The first node 110 establishes a first communication connection to the second node 120 based on first information, the first communication connection is used to transmit data for the first service, the first communication connection corresponds to a first communication technology, and the first node 110 is a node that accesses a network corresponding to a second communication technology.

[0122] It will be understood that the first piece of information is associated with the first service. For example, the first service may be a service of the first communication technology or a service of the second communication technology.

[0123] In this embodiment of the present application, it should be understood that the terms "first node" and "second node" are used to distinguish different nodes. In some examples, the first node may be the second node, and the second node may be the first node. The method procedure shown in Figure 3 may be triggered by the second node 120. Specifically, the second node 120 may acquire first information and, based on the first information, establish a first communication connection to the first node 110. This is not limited to the embodiments of the present application.

[0124] The first information may include relevant information necessary to establish a secure communication connection between the first node 110 and the second node 120. The first information may be pre-stored in the first node 110 or the second node 120, or it may be obtained by the first node 110 or the second node 120 from the network side or another device side. This is not limited to the embodiments of this application.

[0125] In this embodiment of the present application, the first node 110 and the second node 120 may be in a scenario where no security context exists, and the first information may include a first key used for communication authentication between the first node 110 and the second node 120. During the execution of S320, the first node 110 may perform identification authentication and security context negotiation procedures with the second node 120 based on the first key. Furthermore, the first communication connection may be established between the first node 110 and the second node 120 based on the first security context obtained through negotiation. Alternatively, the first node 110 and the second node 120 may be in a scenario where a security context exists, and the first information may include a first security context used for communication between the first node 110 and the second node 120. During the execution of S320, the first communication connection may be established between the first node 110 and the second node 120 based on the first security context.

[0126] In a possible design, if the first information is a key used for communication authentication between the first node 110 and the second node 120, the key may include a preset key corresponding to the first node 110 or the second node 120, or the key may be from a network corresponding to a second communication technology (e.g., a core network corresponding to the third node 130). For example, the key may be a key used for services of the second communication technology.

[0127] In this embodiment of the present application, the specific implementation processes of S310 and S320 may differ depending on the case. For ease of understanding, the following will be explained with reference to a method flowchart.

[0128] Case 1: The first piece of information includes a first key used for communication authentication between the first node 110 and the second node 120.

[0129] In this case, neither the first node 110 nor the second node 120 has a first security context associated with the first service. During the establishment of the first communication connection between the first node 110 and the second node 120, the first key may be obtained first, and then mutual identification authentication and negotiation of the first security context may be performed based on the obtained first key. Once the identification authentication between the two parties is successful and the first security context is obtained, the first node 110 may initiate a message to the second node 110 based on the obtained first security context in order to establish the first communication connection between the first node 120 and the second node 120 based on the first security context.

[0130] Method Example 1: In Method Example 1, the second node 120 may obtain the first key. After obtaining the first key, the second node 120 may report key type indication information or service type indication information to the first node 110. The first node 110 determines the first key based on the key type indication information or service type indication information reported by the second node 120 and performs identification authentication and security context negotiation procedures with the second node 120 to establish a secure first communication connection between the first node 110 and the second node 120. It should be noted that steps S411 to S419 included in Method Example 1 are merely examples of optional steps. In some examples, the execution sequence numbers of the following steps may be substituted. This is not particularly limited in the embodiments of this application. As shown in Figure 4a, the communication method may include, for example, the following steps.

[0131] S411 (Optional): The first node 110 sends a sixth message (for example, a system message). In response, the second node 120 may receive the sixth message.

[0132] For example, a sixth message may carry (or transport) a first instruction information, which may be used to indicate the type of service supported by the first node 110 (including services corresponding to the second communication technology).

[0133] In the optional design, the first instruction information may further indicate one or more key agreement algorithms supported by the first node 110, and as a result, the second node 120 may, based on the first instruction information, select a key agreement algorithm supported by the second node 120 that is also supported by the first node 110, to complete the key agreement between the two parties, and generate relevant authentication parameters used for node identification authentication based on the key agreement algorithm determined through negotiation (e.g., the PSK algorithm described above). It should be understood that the key agreement between the first node 110 and the second node 120 is not limited to being performed by using the sixth message. This is not limited to the embodiments of this application. For ease of understanding and explanation, the PSK algorithm is used as an illustrative example herein.

[0134] Furthermore, the sixth message may also carry identification information of the first node 110 (e.g., a domain identifier (Domain ID)), which may be used to uniquely identify the first node 110.

[0135] For example, the sixth message may be a unicast message. In S411, the first node 110 may send the sixth message to the second node 120. Alternatively, the sixth message may be a broadcast message. In S411, the first node 110 may broadcast the sixth message, and the second node 120 may be within the coverage area of ​​the broadcast signal and receive the sixth message.

[0136] After receiving the sixth message, the second node 120 can learn the service types supported by the first node 110 by parsing the sixth message.

[0137] S412: The second node 120 (for example, the service layer of the second node 120) obtains the first key or the type of the first key based on the type corresponding to the second communication technology and / or the service type of the first service.

[0138] For example, the type corresponding to the second communication technology may be the type of communication standard used in the second communication technology, such as 5G technology.

[0139] During the execution of S412, the second node 120 may, alternatively, obtain the first key or the type of the first key based on relevant instruction information entered by the user, or obtain the first key or the type of the first key based on relevant instruction information from another device. This is not limited to the embodiments of this application.

[0140] In this embodiment of the present application, it should be understood that the second node 120 may obtain the first key or the type of the first key in a different manner. This is not limited to the embodiments of the present application.

[0141] In this embodiment of the present application, in an integrated communication scenario based on a first communication technology and a second communication technology, the first key may be implemented in any one of the following ways:

[0142] Example 1: The first key is the key used for the service of the first communication technology.

[0143] The first key may be a key configured between the first node 110 and the second node 120 (for example, the corresponding preset key described above). The key corresponds to a service of the first communication technology and may be used to establish a first communication connection after identity authentication and security context negotiation are completed between the first node 110 and the second node 120, and to perform a service of the first communication technology or secure transmission of service data based on the established first communication connection. Correspondingly, the security context corresponding to the key is the security context of the service of the first communication technology. In this embodiment of the present application, for ease of distinction, the key used for the service of the first communication technology may also be called a common key, and the security context corresponding to the common key may also be called a common security context.

[0144] The example given is that the shared key is a shared PSK. Methods for constructing a shared PSK may include any one of the following:

[0145] (1) Key configuration method: The common PSK is pre-configured at the first node 110 and the second node 120 by using a pre-configuration method. Detailed embodiments of the pre-configuration method are not described herein.

[0146] (2) Password configuration method: The user enters the same password for both the first node 110 and the second node 120. The password may be converted to a common PSK. For example, the password may be converted to a common PSK by using an algorithm within the node (e.g., a key agreement algorithm). It should be understood that different second nodes 120 may be connected to the same first node 110 by using different passwords. Further details are not described herein.

[0147] (3) Method for performing configuration using authentication credentials from a third-party server: The main purpose of the method for performing configuration using authentication credentials from a third-party server is to determine whether the second node 120 and the first node 110 satisfy a pre-configured coupling relationship. The second node 120 should be able to obtain the identification information of the first node 110, generate verification information using the identification information of the second node 120 and the identification information of the first node 110, and send the verification information to the third-party server to obtain an authentication password. After obtaining the authentication password sent by the third-party server, the first node 110 and the second node obtain a common PSK based on the authentication password.

[0148] According to any of the configuration methods described above, the same common PSK can be configured between the second node 120 and the first node 110. In this embodiment of the present application, it should be understood that the second node 120 and the first node 110 may, alternatively, complete the process of configuring the PSK used for the service of the first communication technology between the two nodes by using another method. Details are not described herein.

[0149] Example 2: The first key is the key used for the service of the second communication technology.

[0150] To facilitate distinction, the key used in the second communication technology may be called a fused key. In certain embodiments, the fused key may include trusted or untrusted keys. A trusted key is a key that has been successfully authenticated over the network (e.g., the aforementioned new key determined between the first node 120, the second node 110 and the third node 130 through a new identity authentication and / or security context negotiation procedure initiated by the second node 120 to the third node 130 in an integrated communication scenario by using the first node 110). An untrusted key is a key that has not been authenticated over the network (e.g., the aforementioned preset key used when the second node first establishes a link to the first node, and the preset key may be used for mutual identity authentication between the first node and the second node). The network as used herein may be understood as the network corresponding to the third node. For example, the network may be a 5G core network. In this embodiment of the present application, it should be understood that a key not authenticated over the network may be understood as a key that is not verified over the network or does not need to be verified over the network (e.g., a default key), or a key that has been verified over the network but has not been successfully verified. Accordingly, the first key may be a trusted key or an untrusted key. The first key corresponds to a service of the second communication technology and may be used in an integrated communication scenario to ensure that the service of the second communication technology is securely performed between the first node 110, the second node 120, and the third node 130, or that service data performed by using the second communication technology is securely transmitted. The first key may be, for example, a key obtained through negotiation between the third node 130 and at least one of the first node 110 and the second node 120 (e.g., the key is, correspondingly, the new key described above, or correspondingly, a trusted key). For example, the first key may be a key obtained through negotiation between the third node 130 and the first node 110.As another example, the first key may be a key obtained through negotiation between the third node 130 and the second node 120. As yet another example, the first key may be a key obtained through negotiation between the first node 110, the second node 120, and the third node 130. As yet another example, the first key may be an untrusted key.

[0151] For example, the fusion key is a fusion PSK. The fusion PSK may be delivered to the first node 110 and / or the second node 120 by a core network corresponding to a third node 130, or the PSK may be a default key parameter configured at the first node 110 or the second node 120. The configuration embodiment may be one of the three methods of Embodiment 1 or another embodiment. This is not limited to the embodiments of this application. The first node or the second node may receive a fusion key from a network corresponding to a second communication technology. For example, before a first communication connection is established between the first node and the second node, the first node or the second node may receive a fusion key from the network and store the fusion key locally, so that in the subsequent process of establishing the first communication connection, the first node or the second node may determine a first key to be used in the process of establishing the first communication connection based on the type corresponding to the second communication technology and / or the service type of the first service. Before establishing the first communication connection, the first node receives a fusion key from a network corresponding to the second communication technology, and as a result, in the process of establishing the first communication connection, the first node further obtains the first key based on the received first information.

[0152] A fused PSK is an untrusted fused PSK if it is not authenticated via the core network corresponding to the third node 130 (e.g., the 5G core network), or not obtained via the key agreement process, or if it is obtained after the key agreement process but not agreed upon. A fused PSK is a trusted fused PSK if it is authenticated via the core network corresponding to the third node 130 and / or obtained after the key agreement process and agreed upon. Correspondingly, the security context corresponding to a trusted fused PSK is a trusted security context used for services of the second communication technology in an integrated communication scenario, and the security context corresponding to an untrusted fused PSK is an untrusted security context used for services of the second communication technology in an integrated communication scenario. In this embodiment of the present application, the network corresponding to the second communication technology may be understood as a network that supports at least the second communication technology, or a network that supports at least service transmissions carried out based on the second communication technology.

[0153] During the implementation of S412, the second node 120 selects a key as the first key from at least two keys described in Example 1 or Example 2, based on the type corresponding to the second communication technology and / or the service type of the first service, etc.

[0154] In this embodiment of the present application, it should be noted that if multiple keys exist, the multiple keys may have a priority order and usage principles. The first key is associated with the first service, and the first key must be selected from the multiple keys according to at least the following principles: If the first service is a service of the first communication technology, the first key is the key used for the service of the first communication technology, and / or, if the first service is a service corresponding to the second communication technology, the first key is the key used for the service of the second communication technology.

[0155] Using a common PSK, a trusted fused PSK, and an untrusted fused PSK as examples, the principles for using multiple keys may specifically be as follows: (1) In an integrated communication scenario, if a trusted fused PSK exists for the service of the second communication technology, the untrusted fused PSK is not used, and the trusted fused PSK is used; in other words, the trusted fused PSK has a higher priority than the untrusted fused PSK. (2) In an integrated communication scenario, if a trusted fused PSK does not exist for the service of the second communication technology, the untrusted fused PSK is used instead of the common PSK. (3) In the service of the first communication technology, even if a trusted fused PSK exists, the common PSK must be used to ensure the security of the private service between the first node 110 and the second node 120.

[0156] Based on the aforementioned key usage principles, the second node 120 may obtain a corresponding first key or a corresponding type of first key based on the service type of the first service. For example, if the first service is a service of the second communication technology in an integrated communication scenario, the trusted fused PSK will be used if one exists (and if a connection cannot be established based on the trusted fused PSK, the untrusted fused PSK will be used), and if a trusted fused PSK does not exist, the untrusted fused PSK will be used. Typically, the untrusted fused PSK may be a default value. For example, if the first node 110 and the second node 120 are devices supporting the second communication technology, the untrusted fused PSK may be configured on both the first node 110 and the second node 120. As another example, if the first service is a service of the first communication technology, the first node 110 and the second node 120 may establish a first communication connection with each other by using a common PSK.

[0157] S413a: The second node 120 (for example, the service layer of the second node 120) sends the first message to the first node 110. In response, the first node 110 may receive the first message from the second node 120.

[0158] In this embodiment of the present application, the first message may also be called a key instruction message, and the first message may carry information associated with the first key, such as key type instruction information, service type instruction information, or other information.

[0159] In this embodiment of the present application, key type indication information may be used to indicate that the key type is one of the following: an untrusted fused key (e.g., the aforementioned untrusted fused PSK), a trusted fused key (e.g., the aforementioned trusted fused PSK), or a common key (e.g., the aforementioned common PSK). Service type indication information may be used to indicate that the service type is one of the following: a service of a first communication technology or a service of a second communication technology in an integrated communication scenario.

[0160] In some designs, the first message may further carry identification information for the second node 120 (e.g., a media access layer identifier). For example, the first message may be represented as the following tuple: (ID, key type information, or service type information)

[0161] S414: The first node 110 obtains the first key based on key type instruction information or service type instruction information.

[0162] In this embodiment of the present application, the first node 110 may store multiple keys. During the execution of S414, the first node 110 may obtain a first key from multiple local keys based on key type indication information or service type indication information. Alternatively, during the execution of S414, the first node 110 may obtain a first key from another device based on key type indication information or service type indication information. This is not limited to the embodiments of the present application. For example, the first key may be any one of the common PSK, untrusted fused PSK, or trusted fused PSK described above. For the configuration process of the common PSK, untrusted fused PSK, or trusted fused PSK, see the relevant description in S412. Further details are not described again.

[0163] Therefore, the first node 110 and the second node 120 may agree on a first key selected through negotiation. Furthermore, the first node 110 and the second node 120 may perform identity authentication and security context negotiation procedures based on the acquired first key.

[0164] For example, as shown in Figure 4a, the identification authentication and security context negotiation procedure may include the following steps:

[0165] S415a (Optional): The second node 120 sends an association request message to the first node 110. In response, the first node 110 receives the association request message.

[0166] For example, an association request message may carry the identification information of the second node 120 (e.g., a domain identifier), and relevant authentication parameters used for identifying and authenticating the second node 120, including but not limited to a key agreement algorithm selected by the second node 120 (e.g., KE alg), key agreement parameters (e.g., represented by KEt), the security capability of the second node 120 (sec capability), and random numbers (e.g., represented by NONCEt). The security capability may include one or more of the key derivation function (KDF), encryption algorithms, integrity protection algorithms, and authenticated encryption algorithms supported by the second node 120. Further details are not described herein.

[0167] The first node 110 may process the association request message based on the relevant information carried in the association request message.

[0168] For example, if a whitelist is configured on the first node 110 for a second node 120 that connects using a key configuration scheme, the first node 110 may determine whether the fixed identification information of the second node 120 is in the whitelist based on the identification information of the second node 120. If the fixed identification information of the second node 120 is not in the whitelist, the association request message is discarded.

[0169] As another example, the first node 110 may determine whether the key agreement algorithm selected by the second node 120 is present in the information carried in the sixth message described above (e.g., the first instruction information). If the key agreement algorithm is not present in the information, the first node 110 discards the association request message. If the key agreement algorithm is present in the information, the first node 110 may select the highest-priority algorithm, including the highest-priority key derivation function, signaling plane authentication cryptographic algorithm, and signaling plane integrity protection algorithm, as well as the highest-priority user plane authentication cryptographic algorithm and user plane integrity protection algorithm, or the highest-priority user plane authentication cryptographic algorithm, based on the security capabilities of the second node 120, the pre-configured optimal algorithm selection policy at the first node 110, and the service type. The policy for optimal algorithm selection may be implemented by using a list of algorithms sorted on a priority basis, for example, a key derivation function priority list, a signaling plane authentication cryptographic algorithm priority list, a signaling plane integrity protection algorithm priority list, a user plane authentication cryptographic algorithm priority list, and a user plane integrity protection algorithm priority list pre-configured at the first node 110. The algorithms selected for the signaling plane and the user plane may be different. In the optional design, if the selected integrity algorithm or authentication cryptographic algorithm supports multiple Message Integrity Code (MIC) lengths, the first node 110 may further select MIC lengths for signaling plane integrity protection based on the MIC lengths supported by the selected signaling plane integrity protection algorithm. For example, this process may be implemented by using the corresponding behavior of the Star Alliance specification, or by other means. This is not particularly limited to the embodiments of this application.

[0170] In the optional design, the first node 110 may further generate relevant authentication parameters used for the identification and authentication of the first node 110, based on the relevant information carried in the first message and / or the relevant algorithm selected by the first node 110.

[0171] For example, the first node 110 may generate a private key and a corresponding public key according to a selected key agreement algorithm (for example, see the relevant description in S411 for a specific key agreement algorithm). The public key may be used as the key agreement parameter of the first node 110 (e.g., represented by KEg). Alternatively, the first node 110 may generate a random number (e.g., represented by NONCEg). Alternatively, the first node 110 may generate a shared key (e.g., K) through computation based on the KEt and key agreement algorithm carried in the first message. KE Alternatively, the first node 110 may obtain K by using the selected key derivation function. KE The shared key (e.g., represented as Kgt) may be obtained by computation based on NONCEt and NONCEg. The computation method is as follows: Kgt=KDF(K KE (NONCEt, NONCEg)

[0172] Alternatively, the first node 110 may generate a Kgt identifier (e.g., represented by a Kgt ID). Alternatively, the first node 110 may calculate authentication parameters (e.g., represented by AUTHg). The calculation method is as follows: AUTHg=AUF(PSK, K KE (NONCEg, association request message) 上位32ビット Here, AUF()| 上位32ビット This indicates that after calculating the parameters contained within the parentheses using the key derivation function AUF, the upper 32 bits of information are set to AUTHg. The aforementioned AUF and KDF use the same authentication cryptographic algorithm.

[0173] The first node 110 may generate a security context request message (an example of a second message) based on the acquired first key and one or more of the associated authentication parameters described above.

[0174] For example, a security context request message may include, but is not limited to, relevant authentication parameters used for identifying and authenticating the first node 110, including the key agreement parameter KEg of the first node 110, a random number NONCEg, an identifier Kgt ID associated with the first security context corresponding to the first key, a selected algorithm, MIC length, and authentication parameter AUTHg. The selected algorithm may include one or more of the following: a key derivation algorithm, a signaling plane encryption algorithm, a signaling plane integrity protection algorithm, a user plane encryption algorithm, a user plane integrity protection algorithm, and a user plane authentication encryption algorithm.

[0175] In the optional design, the first node 110 may further perform integrity protection on the security context request message by using a selected signaling plane integrity protection algorithm and a selected signaling plane integrity protection key Ks.int, i.e., by calculating the MIC and adding the MIC to the security context request message.

[0176] For example, a security context request message may be represented as the following tuple: (KEg,NONCEg,Kgt ID,algorithm,MIC length,AUTHg) MIC Here () MIC This indicates that the security context request message is a message for which integrity protection processing has been performed.

[0177] S416: The first node 110 sends a security context request message (an example of the second message) associated with the first key to the second node. In response, the second node 120 receives the security context request message from the first node 110.

[0178] In this embodiment of the present application, the second message may be used for the identification and authentication of the first node 110. In this embodiment of the present application, the fact that the second message may be used for the identification and authentication of the first node 110 may be understood as the information contained in or carried by the second message may be used for the identification and authentication of the first node 110.

[0179] In this embodiment of the present application, the second message is associated with the first key. In an optional design, the information carried in the second message includes information generated based on the first key.

[0180] In an optional design, the second node 120 may obtain the shared key Kgt, signaling plane security key, user plane security key, etc., by computation in the same way as used by the first node 110, based on the key derivation function selected by the first node 110.

[0181] In the optional design, the second node 120 may check the integrity of the second message, i.e., it may check whether the MIC is correct. If the integrity check fails, the second node 120 may discard the message and resend the association request message.

[0182] In an optional design, after successfully verifying the identity authentication of the first node 110, the second node 120 may further verify whether AUTHg is correct based on the first key agreed upon through negotiation. If the AUTHg verification fails, the second node 120 may discard the second message and retransmit the association request message. In this embodiment of the present application, it should be understood that checking the integrity of a message may include checking the integrity of the information contained in or carried by the message.

[0183] Furthermore, the second node 120 may further generate relevant authentication parameters used for the identity authentication of the second node 120 based on the relevant information carried in the security context request message and / or the relevant algorithms of the second node 120.

[0184] For example, the second node 120 may calculate the authentication parameter AUTHt, and its calculation method satisfies the following formula. AUTHt = AUF(PSK, K KE , security context request message, NONCEt, key agreement algorithm capabilities of the first node 110, first instruction information)| 上位32ビット , where AUF()| 上位32ビット indicates that after calculating the parameters contained in the parentheses by using the key derivation function AUF, the upper 32-bit information is taken as AUTHt. The aforementioned AUF and KDF use the same authentication encryption algorithm.

[0185] In an optional design, after successfully executing the identity authentication of the first node 110, the second node 120 may generate a security context response message (an example of the third message) based on the generated relevant authentication parameters.

[0186] S417: The second node 120 sends a security context response message (an example of a third message) to the first node 110. In response, the first node 110 receives a security context response message from the second node 120.

[0187] In this embodiment of the present application, the third message may be used for the identification and authentication of the second node, and the third message may be sent when the identification and authentication of the first node 110 is successful.

[0188] In this embodiment of the present application, the third message may be used to indicate that the authentication of the first node 110 was successful, or to authenticate the second node 120, and it should be understood that the third message contains or carries information used to indicate that the authentication of the first node was successful and information used to authenticate the second node. In addition, in an optional design, in this embodiment of the present application, the information used to indicate that the authentication of the first node 110 was successful and information used to authenticate the second node 120 may be transmitted by using the same message or by using different messages. Accordingly, the third message may correspond to one message or to multiple messages. This is not limited to the embodiments of the present application. For example, the third message may include AUTHt.

[0189] For example, the second node 120 may perform integrity protection on the security context response message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int.

[0190] In this embodiment of the present application, the ability of the second node 120 to perform integrity protection on a security context response message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int may be understood as the ability of the second node 120 to perform integrity protection on information contained in or carried in the security context response message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int. The MIC generated by the integrity protection may be carried in the security context response message. Once signaling plane cryptographic protection is initiated, the second node 120 may perform cryptographic protection on the security context response message by using the signaling plane cryptographic algorithm and the signaling plane cryptographic key Ks.enc.

[0191] For example, a security context response message may be expressed as follows: (AUTHt) MIC Here AUTHt is an example of relevant authentication parameters carried in the security context response message, () MIC This indicates that the security context response message is a message that has undergone integrity protection processing.

[0192] In addition, if the second node 120 encrypts the security context response message (or encrypts the information contained in or carried in the security context response message), the first node 110 can decrypt the security context response message (or decrypt the information contained in or carried in the security context response message) after receiving the security context response message.

[0193] The first node 110 may check the integrity of the security context response message (or the integrity of any message contained in or carried in the security context response message) and verify whether the AUTHt carried in the security context response message is correct. If the integrity or AUTHt verification fails, in other words, if the identity authentication of the second node 120 fails, the first node 110 may send an association establishment failure message to the second node 120. If the integrity and authentication verification is successful, the first node 110 may generate a temporary ID (e.g., a physical layer identifier) ​​for the second node 120 that will be used to identify the identity information of the second node 120.

[0194] The first node 110 may perform identification authentication to the second node 120 based on relevant information carried in the security context response message. For example, this process may be carried out by using the corresponding behavior of the Star Alliance specification, or by other means. This is not particularly limited to the embodiments of this application.

[0195] S418: If the first node 110 successfully authenticates the second node 120, it may send an association establishment message (an example of the fourth message) to the second node. In response, the second node 120 receives the association establishment message from the first node 110.

[0196] In this embodiment of the present application, the fourth message may be used to establish a first communication connection to the second node, and the fourth message may be sent if the identification authentication of the second node 120 is successful.

[0197] In this embodiment of the present application, the fourth message may be used to indicate that the authentication of the second node has been successful, or to request the establishment of a first communication connection to the second node, and it should be understood that the fourth message includes or carries information used to indicate that the authentication of the second node has been successful, and information used to request the establishment of a first communication connection to the second node. In addition, in an optional design, in this embodiment of the present application, the information used to indicate that the authentication of the second node has been successful, and information used to request the establishment of a first communication connection to the second node, may be transmitted by using the same message, or by using different messages. Accordingly, the fourth message may correspond to one message, or to multiple messages. This is not limited to the embodiments of the present application.

[0198] For example, the fourth message may include one or more of the following parameters generated by the first node 110 for the second node 120: a temporary ID (T-ID) (e.g., a physical layer identifier), a shared key Kgt expiration, [GKc / GK], [GK ID], [Galgorithm], and [GK expiration].

[0199] [GKc / GK] indicates that the group key (e.g., represented by GK) of the group to which the second node 120 belongs is carried in the fourth message if it is notified that cryptographic protection of the signaling plane is enabled in unicast mode, and is carried in the fourth message if it is notified that cryptographic protection of the signaling plane is disabled in unicast mode. GKc is obtained by performing an exclusive OR operation between GK and the secret key (e.g., represented by Kg) of the protected group key GK. Kg=KDF(Kgt,COUNTERg,”group key”), and

number

[0200] In the optional design, the first node 110 may perform integrity protection on the association establishment message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int.

[0201] In this embodiment of the present application, the ability of the first node 110 to perform integrity protection on an association establishment message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int may be understood as the ability of the first node 110 to perform integrity protection on information contained in or carried in an association establishment message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int. The MIC generated by the integrity protection may be carried in the association establishment message. Once signaling plane cryptographic protection is initiated, the first node 110 may perform cryptographic protection on an association establishment message by using a signaling plane cryptographic algorithm and a signaling plane cryptographic key Ks.enc.

[0202] In this embodiment of the present application, the ability of the first node 110 to provide cryptographic protection to an association establishment message by using a signaling plane encryption algorithm and a signaling plane encryption key Ks.enc may be understood as the ability of the first node 110 to provide cryptographic protection to information contained in or carried in an association establishment message by using a signaling plane encryption algorithm and a signaling plane encryption key Ks.enc.

[0203] For example, an association establishment message may be represented as the following tuple: (Temporary ID, Kgt expiration, [GKc / GK], [GK ID], [Galgorithm], [GK expiration]) MIC Here () MIC This indicates that the association establishment message is a message that has undergone integrity protection processing.

[0204] In the optional design, if an association establishment failure message is received, the second node 120 may restart the association request message.

[0205] In the optional design, when the second node 120 receives an association establishment message, if the association establishment message is encrypted (or if the information contained in or carried by the association establishment message is encrypted), the second node 120 may decrypt the association establishment message (or decrypt the information contained in or carried by the association establishment message). The second node 120 may further check the integrity of the association establishment message (or check the integrity of the information contained in or carried by the association establishment message).

[0206] If integrity verification fails, the second node 120 discards the message.

[0207] If the integrity verification is successful, the following S419 is performed. The second node 120 may send an association completion message to the first node 110. In response, the first node 110 may receive an association completion message from the second node 120. The association completion message may be used to indicate that the establishment of the first communication connection is complete.

[0208] In the optional design, the second node 120 may perform integrity protection of the association completion message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int.

[0209] In this embodiment of the present application, the ability of the second node 120 to perform integrity protection on an association completion message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int may be understood as the ability of the second node 120 to perform integrity protection on information contained in or carried in an association completion message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int. Once signaling plane cryptographic protection is initiated, the second node 120 may perform cryptographic protection on an association completion message by using a signaling plane cryptographic algorithm and a signaling plane cryptographic key Ks.enc. In this embodiment of the present application, the ability of the second node 120 to provide cryptographic protection to the association completion message by using the signaling plane encryption algorithm and the signaling plane encryption key Ks.enc may be understood as the ability of the second node 120 to provide cryptographic protection to information contained in or carried in the association completion message by using the signaling plane encryption algorithm and the signaling plane encryption key Ks.enc.

[0210] For example, an association completion message may be expressed as follows: (Association complete message) MIC Here () MIC This indicates that the association completion message is a message that has undergone integrity protection processing.

[0211] The first node 110 may process the received association completion message.

[0212] For example, if the association completion message is encrypted (or if the information contained in or carried by the association completion message is encrypted), the first node 110 may decrypt the association completion message (or decrypt the information contained in or carried by the association completion message). Alternatively, the first node 110 may check the integrity of the association completion message (or check the integrity of the information contained in or carried by the association completion message). If the integrity check fails, the message is discarded. If the integrity check is successful, the subsequent steps are performed. Further details are not described herein.

[0213] After the negotiation and association of the security context is complete, the first node 110 and the second node 120 may store the first security context obtained through the negotiation.

[0214] For example, the first security context may include, but is not limited to, an identification ID, a temporary ID, a KGT, a KGT expiration date, a KGT ID, a key agreement algorithm, a signaling plane cryptographic algorithm and a signaling plane integrity protection algorithm, a signaling plane cryptographic key and a signaling plane integrity protection key, a user plane cryptographic algorithm and a user plane integrity protection algorithm or a user plane authentication cryptographic algorithm, a user plane cryptographic key and a user plane integrity protection key or a user plane authentication cryptographic key, a GK, a GK ID, a group algorithm, and a GK expiration date.

[0215] In an optional design, in this embodiment of the present application, the first node 110 and the second node 120 may further support a mechanism for deleting expired security contexts, and the clock may be configured such that the node that needs to store security contexts supports such a mechanism. Details are not described herein. Alternatively, the first node 110 may further store the correspondence between the identification information of the second node 120 and the first key, and the second node 120 may further store the correspondence between the identification information of the first node 110 and the first key.

[0216] After the establishment of the first communication connection is complete, during the execution of services between the first node 110 and the second node 120, the service range corresponding to the first communication connection may be determined based on the key type or service type, and services corresponding to the service range are transmitted.

[0217] For example, a communication connection (including security context) established based on a trusted fused PSK can only be used for services of the second communication technology in an integrated communication scenario. A communication connection (including security context) established based on a common PSK can be used for services of the first communication technology (which may be services other than those of the second communication technology in an integrated communication scenario).

[0218] Method Example 2: In Method Example 2, the second node 120 may acquire the first key. After acquiring the first key, the second node 120 may synchronously acquire the relevant parameters used for the identification and authentication of the second node 120 and add the key type indication information or service type indication information and the relevant parameters used for the identification and authentication of the second node 120 to a single message (e.g., an association request message). As a result, the first node 110 may determine the first key based on the key type indication information or service type indication information reported by the second node 120 and perform identification and authentication and security context negotiation procedures with the second node 120 based on the relevant parameters reported by the second node 120 to establish a secure first communication connection between the first node 110 and the second node 120. Note that steps S411 to S419 included in Method Example 2 are merely examples of optional steps. In some examples, the execution sequence numbers of the following steps may be substituted. This is not particularly limited to the embodiments of this application.

[0219] As shown in Figure 4b, in Example Method 2, the communication method may include the following steps.

[0220] S411 (Optional): The first node 110 sends a sixth message (e.g., a system message). In response, the second node 120 may receive the sixth message. For a detailed embodiment, see Figure 4a and the relevant description of S411 above. Further details are not described herein.

[0221] S412: The second node 120 (for example, the service layer of the second node 120) obtains the first key or the type of the first key based on the type corresponding to the second communication technology and / or the service type of the first service. For detailed embodiments, see Figure 4a and the relevant description of S412 above. Further details are not described herein.

[0222] S413b (Optional): The second node 120 sends an association request message to the first node 110. In response, the first node 110 may receive an association request message from the second node 120.

[0223] Compared to Method Example 1 described in Figure 4a, in Method Example 2, the association request message sent by the second node 120 carries key type indication information or service type indication information. Specifically, the association request message in Method Example 2 corresponds to the combination of the first message and the association request message in Method Example 1. The association request message may carry the ID of the first node 110, key type indication information or service type indication information, the KE alg, KEt selected by the second node 120, the security capability of the second node 120, and relevant authentication parameters used for the identification and authentication of the second node 120, including but not limited to NONCEt. The security capability may include one or more of the KDF, encryption algorithms, integrity protection algorithms, and authentication encryption algorithms supported by the second node 120. For detailed embodiments, refer to the relevant descriptions of S413a and S415a above with reference to Figure 4a. Further details will not be provided in this specification.

[0224] S414: The first node 110 acquires the first key based on key type instruction information or service type instruction information. For a detailed embodiment, refer to Figure 4a and S414 described above. Further details are not described herein.

[0225] S416: The first node 110 sends a security context request message associated with the first key (an example of the second message) to the second node. In response, the second node 120 receives the security context request message from the first node 110. For a detailed embodiment, refer to Figure 4a and the relevant description of S416 described above. Further details are not described herein.

[0226] S417: The second node 120 sends a security context response message (an example of a third message) to the first node 110. In response, the first node 110 receives a security context response message from the second node 120. For a detailed embodiment, refer to Figure 4a and the relevant description of S417 described above. Further details are not described herein.

[0227] S418: If the first node 110 successfully authenticates the second node 120, it may send an association establishment message (an example of the fourth message) to the second node. In response, the second node 120 receives the association establishment message from the first node 110. For detailed embodiments, please refer to Figure 4a and the relevant description of S418 above. Further details are not described herein.

[0228] S419: The second node 120 may send an association completion message to the first node 110. In response, the first node 110 may receive an association completion message from the second node 120. For detailed embodiments, please refer to Figure 4a and the relevant description of S419 above. Further details are not described herein.

[0229] Method Example 3: In Method Example 3, the first node 110 may obtain a first key, and based on the first key, the first node 110 may perform identification authentication and security context negotiation procedures with the second node 120 to establish a secure first communication connection between the first node 110 and the second node 120. Note that steps S421 to S427 included in Method Example 3 are merely examples of optional steps. In some examples, the execution sequence numbers of the following steps may be substituted. This is not particularly limited in the embodiments of this application.

[0230] As shown in Figure 4c, the communication method may include, for example, the following steps:

[0231] S421 (Optional): The first node 110 sends a sixth message (e.g., a system message). In response, the second node 120 may receive the sixth message. For a detailed embodiment, see Figure 4a and refer to S411 described above. Further details are not described herein.

[0232] S422 (Optional): The second node 120 sends an association request message to the first node 110. In response, the first node 110 may receive an association request message from the second node 120.

[0233] In this embodiment of the present application, the association request message may carry an identification ID of the second node 120 (e.g., a media access layer identifier) ​​and relevant parameters used to indicate the capabilities of the second node 120, the relevant parameters including, but not limited to, a key agreement algorithm selected by the second node 120 (e.g., KE alg), key agreement parameters (e.g., represented by KEt), the security capability of the second node 120 (sec capability), and a random number NONCEt. The security capability may include one or more of the following supported by the second node 120: a key derivation function KDF, an encryption algorithm, an integrity protection algorithm, an authenticated encryption algorithm, etc. Further details are again not described herein.

[0234] For example, an association request message may be represented as the following tuple: (ID,KE alg,KEt,sec capabilities,NONCEt)

[0235] S423: The first node 110 obtains the first key based on the type corresponding to the second communication technology and / or the service type of the first service.

[0236] It should be understood that during the execution of S423, the first node 110 may, alternatively, acquire the first key based on relevant instruction information entered by the user, or based on relevant instruction information from another device. This is not limited to the embodiments of this application. For a detailed embodiment of S423, see S412 described above with reference to Figure 4a. Further details are again not described herein.

[0237] S424: The first node 110 sends a security context request message (an example of the second message) to the second node based on the first key. In response, the second node 120 receives the security context request message from the first node 110. The security context request message is associated with the first key. For further details of the embodiment, see the relevant description of S416 in Figure 4a. Further details are not described herein again.

[0238] S425: The second node 120 sends a security context response message (an example of a third message) to the first node 110. In response, the first node 110 receives a security context response message from the second node 120. For details of the embodiment, see the relevant description of S417 in Figure 4a. Further details are not described herein.

[0239] S426: When the first node 110 successfully authenticates the second node 120, it sends an association establishment message (an example of the fourth message) to the second node. In response, the second node 120 receives the association establishment message from the first node 110. For details of the embodiment, please refer to the relevant description of S418 in Figure 4a. Further details are not described herein.

[0240] S427: The second node 120 may send an association completion message to the first node 110. In response, the first node 110 may receive an association completion message from the second node. For further details of the embodiment, see the relevant description of S419 in Figure 4a. Further details are not described herein again.

[0241] Therefore, in the communication methods shown in Figures 4a, 4b, and 4c, in a scenario where multiple keys exist, the first node 110 and the second node 120 can select a first key associated with the first service, complete the bilateral identification authentication and security context negotiation procedures based on the first key, and establish a secure first communication connection between the two parties. In this way, while a service is running between the first node 110 and the second node 120, data corresponding to the service can be transmitted based on a secure communication connection established by using different keys to satisfy the security requirements in the integrated communication scenario and ensure the security of the corresponding service data.

[0242] In contrast to the communication methods shown in Figures 4a and 4b, the communication method shown in Figure 4c allows the first node 110 to proactively select a key for the second node 120 as the first key based on the relevant capabilities of the second node 120, such as the service type, service characteristics, and communication capabilities reported during registration. Therefore, the second node 120 and the first node 110 do not need to exchange a first message (i.e., a key instruction message) with each other. This can reduce signaling overhead.

[0243] Case 2: The first information includes a first security context used for communication between the first node 110 and the second node 120.

[0244] In this case, each of the first node 110 and the second node 120 has at least two sets of security contexts, for example, a common security context, a trusted security context, and an untrusted security context. The first node 110 and the second node 120 can determine the required first security context from at least two sets of security contexts through negotiation and establish a secure first communication connection based on the first security context. It should be noted that steps S431 to S435 included in Case 2 are merely examples of optional steps. In some examples, the execution sequence numbers of the following steps may be substituted. This is not particularly limited in the embodiments of this application.

[0245] As shown in Figure 4d, the communication method may include, for example, the following steps:

[0246] S431 (Optional): The first node 110 sends a sixth message (e.g., a system message). In response, the second node 120 may receive the sixth message. For a detailed embodiment, see Figure 4a and refer to S411 described above. Further details are not described herein.

[0247] S432: The second node 120 obtains the first security context or the type of the first security context based on the type corresponding to the second communication technology and / or the service type of the first service.

[0248] During the execution of S432, the second node 120 may, alternatively, obtain the first security context or the type of the first security context based on relevant instruction information entered by the user, or obtain the first security context or the type of the first security context based on relevant instruction information from another device. This is not limited to the embodiments of this application. In this embodiment of this application, the second node 120 may, alternatively, obtain the first security context or the type of the first security context in another manner. This is not limited to the embodiments of this application.

[0249] In this embodiment of the present application, in an integrated communication scenario, the first security context may be implemented in any one of the following ways:

[0250] Example 3: The first security context is the security context used for the service of the second communication technology.

[0251] The security context used for the service of the second communication technology includes trusted security contexts or untrusted security contexts, where a trusted security context is a security context that is successfully authenticated through the network, and an untrusted security context is a security context that is not authenticated through the network. The network as used herein may be understood as a network corresponding to a third node. For example, the network may be a 5G core network. In this embodiment of the present application, it should be understood that a security context that is not authenticated through the network may be understood as a key that is not verified through the network or does not need to be verified through the network (e.g., a security context corresponding to a default key), or a key that has been verified through the network but is not successfully verified (e.g., a security context corresponding to the aforementioned key that is not authenticated through the network).

[0252] The aforementioned security context corresponding to the PSK is used as an example. If the security context is not authenticated via the core network corresponding to the third node 130 (e.g., the 5G core network), or is not obtained via the key agreement process, or if the security context is obtained after agreement but is not agreed upon, then the security context is an untrusted security context and corresponds to the aforementioned untrusted fused PSK. If the security context is authenticated via the core network corresponding to the third node 130, obtained after the key agreement process, and agreed upon, then the security context is a trusted security context and corresponds to the aforementioned trusted fused PSK.

[0253] Example 4: The first security context is the security context used for the service of the first communication technology.

[0254] Similar to the prioritization and usage principles for multiple keys described above, in this embodiment of the present application, at least two sets of security contexts may also have security context prioritization and usage principles. A first security context is associated with a first service, and the first security context must be selected from at least two sets of security contexts according to at least the following principle: If the first service is a service of a first communication technology, the first security context is the security context used for the service of the first communication technology, and / or, if the first service is a service of a second communication technology, the first security context is the security context used for the service of the second communication technology.

[0255] For example, (1) with respect to the service of the second communication technology in the integrated communication scenario, if a trusted security context exists to be used for the service of the second communication technology in the integrated communication scenario, then an untrusted security context used for the service of the second communication technology in the integrated communication scenario will not be used, and the trusted security context will be used; in other words, the trusted security context will have a higher priority than the untrusted security context; (2) with respect to the service of the second communication technology in the integrated communication scenario, the security context used for the service of the second communication technology in the integrated communication scenario will be used, and the security context used for the service of the first communication technology will not be used; in other words, the untrusted security context used for the service of the second communication technology in the integrated communication scenario will have a higher priority than the security context used for the service of the first communication technology; and (3) with respect to the service of the first communication technology, even if a security context exists to be used for the service of the second communication technology in the integrated communication scenario, the security context used for the service of the first communication technology must be used to ensure the security of the private service between the first node 110 and the second node 120.

[0256] During the execution of S432, the second node 120 may acquire a first security context, such as a security context used for the service of the first communication technology, an untrusted security context in an integrated communication scenario, or a trusted security context in an integrated communication scenario, based on the type corresponding to the second communication technology and / or the service type of the first service, and based on the usage principles described above. For example, the type corresponding to the second communication technology may be the type of communication standard used for the second communication technology, such as 5G technology.

[0257] S433: The second node 120 sends an association request message (an example of the fifth message) to the first node 110. In response, the first node 110 receives the association request message.

[0258] For example, the association request message may include a temporary ID of the second node 120 (e.g., a physical layer identifier) ​​and / or an identifier associated with the first security context. For example, the identifier may be represented as a Kgt ID.

[0259] In the optional design, the second node 120 may further provide integrity protection to the association request message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int. The MIC obtained through computation may be carried in the association request message.

[0260] For example, an association request message may be represented as the following tuple: (temporary ID, Kgt ID) MIC Here () MIC This indicates that the association request message is a message that has undergone integrity protection processing.

[0261] S434: The first node 110 obtains the first security context based on the temporary ID and / or KGT ID.

[0262] In the optional design, the first node 110 may check the integrity of the association request message based on the first security context.

[0263] If the first node 110 does not have a temporary ID for the second node 120, or does not have a corresponding first security context, or if the first node 110 fails the MIC check, the first node 110 may send a failure message to the second node 120 carrying a cause value (not shown). After receiving the failure message, the second node 120 may initiate an identification authentication procedure and a security context negotiation procedure if a security context does not exist. For example, see the method steps in Figure 4a or Figure 4b for details. Further details are not described herein.

[0264] If the first node 110 successfully checks the integrity of the association request message, the first node 110 may generate a new temporary ID (T-ID) for the second node 120.

[0265] S435: The first node 110 sends an association establishment message (i.e., the seventh message) to the second node 120. In response, the second node 120 may receive the seventh message from the first node.

[0266] In the optional design, the association establishment message may include a new temporary ID (T-ID) generated by the first node 110 for the second node 120.

[0267] In the optional design, the first node 110 may further protect the integrity of the association establishment message by using a signaling plane integrity protection algorithm and a signaling plane integrity protection key Ks.int. Once signaling plane cryptographic protection is initiated, the first node 110 may perform cryptographic protection of the association establishment message by using a signaling plane cryptographic algorithm and a signaling plane cryptographic key Ks.enc.

[0268] For example, an association establishment message may be represented as the following tuple: (New temporary ID) MIC Here () MIC This indicates that the association establishment message is a message that has undergone integrity protection processing.

[0269] If the first node 110 encrypts the association establishment message, the second node 120 may decrypt the association establishment message. The second node 120 may further check the integrity of the association establishment message. If the integrity check fails, the message is discarded. If the integrity check is successful, the following S436 is performed. The second node 120 may send an association completion message (i.e., the eighth message) to the first node 110.

[0270] The second node 120 may provide integrity protection to the association completion message by using the signaling plane integrity protection algorithm and the signaling plane integrity protection key Ks.int. When signaling plane cryptographic protection is initiated, the second node 120 may provide cryptographic protection to the association completion message by using the signaling plane cryptographic algorithm and the signaling plane cryptographic key Ks.enc.

[0271] For example, an association completion message may be expressed as follows: (Association complete message) MIC Here () MIC This indicates that the association completion message is a message that has undergone integrity protection processing.

[0272] Therefore, in the communication method shown in FIG. 4d, in a scenario where there are multiple sets of security contexts, the first node 110 and the second node 120 may select a first security context associated with the first service and establish a first communication connection between the two based on the first security context. In this way, during the execution of the service between the first node 110 and the second node 120, the data corresponding to the service can be transmitted based on the first communication connection established by using different security contexts in order to meet the security requirements in the integrated communication scenario and ensure the security of the corresponding service data.

[0273] In this embodiment of the present application, when the second node 120 cannot establish an association with the first node 110 multiple times by using the stored security context, the second node 120 deletes the stored security context and may attempt to initiate an association procedure without a security context between the second node 120 and the first node 110 by using the method shown in FIG. 4a or FIG. 4b. Details will not be described again in this specification.

[0274] One embodiment of the present application further provides a communication device configured to execute the method executed by the first node in the embodiment of the foregoing method. For related features, reference may be made to the embodiment of the foregoing method. Details will not be described again in this specification.

[0275] As shown in Figure 5, the apparatus 500 may include a communication unit 501 configured to communicate with a second node, and a processing unit 502 configured to acquire first information and establish a first communication connection to the second node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service may be a service of the first communication technology or a service of the second communication technology. For specific embodiments, please refer to the relevant descriptions of embodiments shown in Figures 1 to 4d. Further details are not described herein.

[0276] In an optional design, the communication device 500 shown in Figure 5 may be further configured to perform the method performed by the second node in the method embodiment described above. For example, a communication unit 501 is configured to communicate with the first node, and a processing unit 502 is configured to acquire first information and establish a first communication connection to the first node based on the first information, the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, and the first node is a node that accesses a network corresponding to a second communication technology. For example, the first service may be a service of the first communication technology or a service of the second communication technology. For relevant features, please refer to the embodiment of the method described above. Further details are again not described herein.

[0277] It should be noted that in the embodiments of this application, modularization is merely an example and represents only a logical functional division. Other division methods may be used in actual implementation. Functional units in the embodiments of this application may be integrated into a single processing unit, or each unit may exist physically independently, or two or more units may be integrated into a single unit. The integrated unit may be implemented in hardware form or in the form of a software functional unit.

[0278] If the integrated unit is implemented in the form of a software function unit and sold or used as an independent product, the integrated unit may be stored on a computer-readable storage medium. Based on such understanding, the technical solution of this application may be implemented in the form of a software product, either essentially, in part, or in whole or in part, in the form of a software product. A computer software product is stored on a storage medium and includes several instructions for instructing a computer device (which may be a personal computer, server, or network device, etc.) or processor to perform all or part of the steps of the method in the embodiments of this application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.

[0279] In one possible embodiment, one embodiment of the present application provides a computer-readable storage medium. The computer-readable storage medium stores program code. When a computer program is executed on a computer, the computer is able to perform the method in the embodiment of the method described above.

[0280] In one possible embodiment, one embodiment of the present application provides a computer program product. When the computer program product is executed on a computer, the computer becomes capable of performing the method in the embodiment of the method described above.

[0281] In a simple embodiment, a person skilled in the art will understand that all communication devices in the embodiments described above may be in the form shown in Figure 6.

[0282] The device 600 shown in Figure 6 includes at least one processor 610 and a communication interface 630. In an optional design, the device may further include memory 620.

[0283] The specific connecting medium between the processor 610 and the memory 620 is not limited to the embodiments of this application.

[0284] In the device shown in Figure 6, when communicating with another device, the processor 610 can transmit data via the communication interface 630.

[0285] If the communication device is in the configuration shown in Figure 6, the processor 610 in Figure 6 may call computer executable instructions stored in the memory 620, and as a result, the device 600 may perform the method executed by the communication device in any of the method embodiments described above.

[0286] One embodiment of this application relates to a chip system. The chip system includes a processor configured to call a computer program or computer instruction stored in memory, thereby performing the method in any one of the embodiments described above.

[0287] In one possible embodiment, the processor may be coupled to memory by using an interface.

[0288] In one possible embodiment, the chip system may further directly include memory, which stores computer programs or computer instructions.

[0289] The memory may be volatile memory or non-volatile memory, or it may include both volatile and non-volatile memory. Non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EPROM, EEPROM), or flash memory. Volatile memory may be random access memory (RAM) and used as an external cache. As an example rather than a limited explanation, many forms of RAM exist, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), and synchlink dynamic random access memory. DRAM (SLDRAM) and direct rambus random access memory (direct rambus RAM, DR RAM) may be used.

[0290] One embodiment of this application further relates to a processor. The processor is configured to call a computer program or computer instruction stored in memory, and as a result, the processor performs the method in any one of the embodiments described above.

[0291] For example, in this embodiment of the present application, the processor is an integrated circuit chip having signal processing capabilities. For example, the processor may be a field programmable gate array (FPGA), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component, or a system on a chip (SoC), a central processor unit (CPU), a network processor (NP), a microcontroller unit (MCU), or a programmable logic device (PLD), or another integrated chip, and the processor may implement or execute the methods, steps, and logic block diagrams disclosed in embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, etc. The steps of the methods disclosed with reference to embodiments of the present application may be performed and completed directly by using a hardware decoding processor, or by using a combination of hardware and software modules in the decoding processor. The software module may reside in a mature storage medium in the art, such as random-access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. The storage medium is located in memory, and the processor reads the information in memory and, in cooperation with the processor hardware, completes the steps of the method described above.

[0292] It should be understood that embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the present application can use forms of embodiments having only hardware embodiments, only software embodiments, or embodiments having a combination of software and hardware. Furthermore, the present application can use the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, etc.) containing computer-usable program code.

[0293] These computer program instructions may alternatively be stored in a computer-readable memory that can indicate that a computer or another programmable data processing device operates in a specific manner, such that the instructions stored in the computer-readable memory generate an artifact that includes an instruction device. The instruction device implements the specific functions of one or more steps of a flowchart and / or one or more blocks of a block diagram.

[0294] These computer program instructions may alternatively be loaded onto a computer or another programmable data processing device, resulting in a series of operations and steps being executed on the computer or another programmable device, and as a result, a computer-implemented process is generated. Therefore, the instructions executed on a computer or another programmable device provide steps for implementing the specific functions in one or more steps of a flowchart and / or one or more blocks of a block diagram.

[0295] Obviously, those skilled in the art can make various modifications and deformations to the embodiments of the present application without departing from the scope of the embodiments of the present application. Therefore, if these modifications and deformations in the embodiments of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is intended to include these modifications and deformations as well.

Explanation of Reference Numerals

[0296] 110 First node 120 Second node 130 Third Node 500 devices 501 Communication Unit 502 Processing Unit 600 equipment 610 Processor 620 memory 630 Communication Interface

Claims

1. A communication method, wherein the method is applied to a first node, The first step is to obtain the information, A step of establishing a first communication connection to a second node based on the first information, wherein the first communication connection is used to transmit data for a first service, and the first communication connection corresponds to a first communication technology. Step A, wherein the first node is a node that accesses a network corresponding to the second communication technology, and the first service is a service of the first communication technology or a service of the second communication technology. Includes, The first information includes a first key used for communication authentication with the second node, and the step of obtaining the first information is A step of obtaining the first key based on the type of communication standard used in the second communication technology and / or the service type of the first service, wherein the service type indicates that the first service is either a service of the first communication technology or a service of the second communication technology in an integrated communication scenario. A communication method that includes this.

2. The first information includes a first key used for communication authentication with the second node, and the method is A step of receiving a first message from the second node, wherein the first message carries key type information or service type information. It further includes, The step of obtaining the first information is, Steps to acquire the first key based on the key type information or the service type information. The method according to claim 1, including the method described in claim 1.

3. The step of establishing a first communication connection to a second node based on the first information is, A step of sending a second message associated with the first key to the second node, wherein the second message is used for identity authentication of the first node. A step of receiving a third message in response to the second message, wherein the third message is used for the identification and authentication of the second node, Steps include: sending a fourth message to the second node if the identification authentication of the second node is successful, wherein the fourth message is used to establish the first communication connection to the second node; The method according to claim 1 or 2, including the method described in claim 1 or 2.

4. If the first service is a service of the first communication technology, then the first key is a key used for the service of the first communication technology, or If the first service is a service of the second communication technology, then the first key is the key used for the service of the second communication technology. The method according to any one of claims 1 to 3.

5. The method according to claim 4, wherein the key used for the service of the second communication technology includes a trusted key and an untrusted key, the trusted key is a key that is successfully authenticated over the network, the untrusted key is a key that is not authenticated over the network, and the priority of the trusted key is higher than the priority of the untrusted key.

6. Prior to the step of establishing the first communication connection, the method A step of receiving a key from the aforementioned network that is used for the service of the second communication technology, The method according to any one of claims 1 to 5, further comprising:

7. The first information includes a first security context used for communication with the second node, and the step of obtaining the first information is: A step of receiving a fifth message from the second node, wherein the fifth message carries an identifier associated with the first security context. Includes, The step of obtaining the first information is, Steps to obtain the first security context based on the identifier The method according to claim 1, including the method described in claim 1.

8. If the first service is a service of the first communication technology, then the first security context is the security context used for the service of the first communication technology, or If the first service is a service of the second communication technology, the first security context is the security context used for the service of the second communication technology. The method according to claim 7.

9. The method according to claim 8, wherein the security context used for the service of the second communication technology includes a trusted security context or an untrusted security context, the trusted security context is a security context that is successfully authenticated through the network, the untrusted security context is a security context that is not authenticated through the network, and the priority of the trusted security context is higher than the priority of the untrusted security context.

10. Prior to the step of obtaining the first information, the method A step of sending a sixth message to the second node, wherein the sixth message carries information used to indicate that the first node supports the second communication technology. The method according to any one of claims 1 to 9, further comprising:

11. A communication method, wherein the method is applied to a second node, The first step is to obtain the information, A step of establishing a first communication connection to a first node based on the first information, wherein the first communication connection is used to transmit data for a first service, and the first communication connection corresponds to a first communication technology. Step A, wherein the first node is a node that accesses a network corresponding to the second communication technology, and the first service is a service of the first communication technology or a service of the second communication technology. Includes, The first information includes a first key used for communication authentication with the first node, and the step of obtaining the first information is: A step of obtaining the first key based on the type of communication standard used in the second communication technology and / or the service type of the first service, wherein the service type indicates that the first service is either a service of the first communication technology or a service of the second communication technology in an integrated communication scenario. A communication method that includes this.

12. The method described above is A step of sending a first message to the first node, wherein the first message carries information associated with the first key. The method according to claim 11, further comprising:

13. The step of establishing a first communication connection to the first node based on the first information is, A step of receiving a second message from the first node, wherein the second message is associated with the first key and the second message is used for identity authentication of the first node. Steps include: sending a third message to the first node if the authentication of the first node is successful, wherein the third message is used for the authentication of the second node; A step of receiving a fourth message in response to the third message, wherein the fourth message is used to establish the first communication connection to the second node, The method according to claim 11 or 12, including the method described in claim 11 or 12.

14. If the first service is a service of the first communication technology, then the first key is a key used for the service of the first communication technology, or If the first service is a service of the second communication technology, then the first key is the key used for the service of the second communication technology. The method according to any one of claims 11 to 13.

15. The method according to claim 14, wherein the key used for the service of the second communication technology includes a trusted key and an untrusted key, the trusted key is a key that is successfully authenticated through the network, the untrusted key is a key that is not authenticated through the network, and the priority of the trusted key is higher than the priority of the untrusted key.

16. Prior to the step of establishing the first communication connection, the method The step of receiving a key from the aforementioned network that is used for the service of the second communication technology. The method according to any one of claims 11 to 15, further comprising:

17. The first information includes a first security context, the first security context is used by the second node to establish the first communication connection to the first node, and the step of obtaining the first information is, Steps to obtain the first security context based on the type of communication standard used in the second communication technology and / or the service type of the first service, wherein the service type indicates that the first service is either a service of the first communication technology or a service of the second communication technology in an integrated communication scenario. The method according to claim 11, including the method described in claim 11.

18. If the first service is a service of the first communication technology, then the first security context is the security context used for the service of the first communication technology, or If the first service is a service of the second communication technology, the first security context is the security context used for the service of the second communication technology. The method according to claim 17.

19. The method according to claim 18, wherein the security context used for the service of the second communication technology includes a trusted security context or an untrusted security context, the trusted security context is a security context that is successfully authenticated through the network, the untrusted security context is a security context that is not authenticated through the network, and the priority of the trusted security context is higher than the priority of the untrusted security context.

20. The method described above is A step of sending a fifth message to the first node, wherein the fifth message carries an identifier associated with the first security context. The method according to any one of claims 17 to 19, further comprising:

21. The method described above is A step of receiving a sixth message from the first node, wherein the sixth message carries information used to indicate that the first node supports the second communication technology. The method according to any one of claims 11 to 20, further comprising:

22. A communication device applied to the first node, A communication unit configured to communicate with a second node, A processing unit configured to acquire first information and establish a first communication connection to a second node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, the first node is a node that accesses a network corresponding to a second communication technology, and the first service is a service of the first communication technology or a service of the second communication technology. Equipped with, A communication device wherein the first information includes a first key used for communication authentication with the second node, the processing unit is configured to obtain the first key based on the type of communication standard used in the second communication technology and / or the service type of the first service, the service type indicating that the first service is either a service of the first communication technology or a service of the second communication technology in an integrated communication scenario.

23. If the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, or if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology. The apparatus according to claim 22.

24. A communication unit configured to communicate with a first node, A processing unit configured to acquire first information and establish a first communication connection to a first node based on the first information, wherein the first communication connection is used to transmit data for a first service, the first communication connection corresponds to a first communication technology, the first node is a node that accesses a network corresponding to a second communication technology, and the first service is a service of the first communication technology or a service of the second communication technology. Equipped with, A communication device wherein the first information includes a first key used for communication authentication with the first node, the processing unit is configured to obtain the first key based on the type of communication standard used in the second communication technology and / or the service type of the first service, the service type indicating that the first service is either a service of the first communication technology or a service of the second communication technology in an integrated communication scenario.

25. The apparatus according to claim 24, wherein if the first service is a service of the first communication technology, the first key is a key used for the service of the first communication technology, or if the first service is a service of the second communication technology, the first key is a key used for the service of the second communication technology.

26. A communication device comprising at least one processor and an interface circuit, wherein the interface circuit is configured to provide data or code instructions to the at least one processor, and the at least one processor is configured to carry out the method according to any one of claims 1 to 10 or 11 to 21 by using a logic circuit or by executing the code instructions.

27. A communication system comprising a communication device configured to carry out the method described in any one of claims 1 to 10, and a communication device configured to carry out the method described in any one of claims 11 to 21.

28. A computer-readable storage medium that stores program code, and when the program code is executed on a computer, the computer becomes capable of performing the method described in any one of claims 1 to 10, or when the program code is executed on a computer, the computer becomes capable of performing the method described in any one of claims 11 to 21.