Data processing method and apparatus, and device
The access network device can decrypt terminal data only with a key provided by the core network device. This addresses the poor security of data plane transmission and gives stronger protection of data transmission and privacy.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- VIVO MOBILE COMM CO LTD
- Filing Date
- 2025-12-17
- Publication Date
- 2026-06-25
AI Technical Summary
In data plane transmission, data between the terminal and the core network equipment is directly parsed by the access network equipment, resulting in poor data transmission security.
The access network device receives a first key from the core network device and uses it to decrypt the encrypted data sent by the terminal. Because the first key must match the second key with which the terminal encrypted, parsing terminal data requires authorization from the core network device: an access network device that is not authorized, or that has not been configured with the key, cannot parse the data.
This improves the security of data plane transmission, prevents unauthorized access network devices from parsing terminal data, and protects the privacy and security of the transmitted data.
Description
Data processing methods, apparatus and equipment
[0001] Cross-references to related applications
[0002] This application claims priority to Chinese Patent Application No. 202411883444.4, filed on December 19, 2024, entitled "Data Processing Method, Apparatus and Device", the entire contents of which are incorporated herein by reference.
Technical Field
[0003] This application belongs to the field of communication technology, and specifically relates to a data processing method, apparatus and device.
Background
[0004] The data plane consists of core network data plane functions, radio access network data plane functions, and terminal data plane functions, providing end-to-end connectivity. In related technologies, when implementing the data plane function, data transmission between the terminal and core network equipment passes through access network equipment. Access network equipment can directly parse the terminal's data, which leads to poor security in data plane transmission.
Summary of the Invention
[0005] This application provides a data processing method, apparatus, and device that can solve the problem of poor security in data plane transmission.
[0006] Firstly, a data processing method is provided, executed by an access network device, the method comprising:
[0007] The access network device receives a first key sent by the core network device, and the first key is used for data plane transmission.
[0008] The access network device uses the first key to decrypt the encrypted data sent by the terminal, and the encrypted data is obtained by encrypting it with the second key, wherein the first key and the second key are matched.
[0009] Secondly, a data processing method is provided, executed by a core network device, the method comprising:
[0010] The core network equipment sends a first key to the access network equipment, and the first key is used for data plane transmission.
[0011] The core network device sends second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.
[0012] Thirdly, a data processing method is provided, executed by a terminal, the method comprising:
[0013] The terminal receives the second information sent by the core network device and obtains the second key based on the second information;
[0014] The terminal uses the second key to encrypt the collected data, thus obtaining encrypted data;
[0015] The terminal sends the encrypted data to the access network device.
[0016] Fourthly, a data processing apparatus is provided, comprising:
[0017] The receiving module is used to receive the first key sent by the core network equipment, and the first key is used for data plane transmission;
[0018] The processing module is used to decrypt the encrypted data sent by the terminal using the first key, wherein the encrypted data is obtained by encrypting it using a second key, and the first key matches the second key.
[0019] Fifthly, a data processing apparatus is provided, comprising:
[0020] The sending module is used to send a first key to the access network device, the first key being used for data plane transmission;
[0021] The sending module is further configured to: send second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.
[0022] Sixthly, a data processing apparatus is provided, comprising:
[0023] The receiving module is used to receive the second information sent by the core network device and obtain the second key based on the second information;
[0024] The processing module is used to encrypt the collected data using the second key to obtain encrypted data;
[0025] The sending module is used to send the encrypted data to the access network device.
[0026] In a seventh aspect, a data processing apparatus is provided, the apparatus being configured to perform the steps of the method described in the first aspect, or to implement the steps of the method described in the second aspect, or to implement the steps of the method described in the third aspect.
[0027] Eighthly, a terminal is provided, the terminal including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the third aspect.
[0028] Ninthly, a terminal is provided, including a processor and a communication interface, wherein,
[0029] A communication interface is used to receive second information sent by core network equipment and obtain a second key based on the second information;
[0030] The processor is used to encrypt the collected data using the second key to obtain encrypted data;
[0031] The communication interface is also used to send the encrypted data to the access network equipment.
[0032] In a tenth aspect, a network-side device is provided, the network-side device including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the first or second aspect.
[0033] Eleventhly, an access network device is provided, including a processor and a communication interface, wherein,
[0034] A communication interface is used to receive a first key sent by a core network device, the first key being used for data plane transmission.
[0035] The processor is configured to decrypt encrypted data sent by the terminal using the first key, wherein the encrypted data is obtained by encrypting the data using a second key, and the first key matches the second key.
[0036] In a twelfth aspect, a core network device is provided, including a processor and a communication interface, wherein,
[0037] A communication interface is used to send a first key to the access network device, the first key being used for data plane transmission;
[0038] The communication interface is also used to: send second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.
[0039] In a thirteenth aspect, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method described in the first aspect, or the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
[0040] In a fourteenth aspect, a wireless communication system is provided, comprising: a terminal, a core network device, and an access network device, wherein the terminal is configured to perform the steps of the method described in the third aspect, the access network device is configured to perform the steps of the method described in the first aspect, and the core network device is configured to perform the steps of the method described in the second aspect.
[0041] In a fifteenth aspect, a chip is provided, the chip including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement the method as described in the first aspect, or the method as described in the second aspect, or the method as described in the third aspect.
[0042] In a sixteenth aspect, a computer program / program product is provided, the computer program / program product being stored in a storage medium, the computer program / program product being executed by at least one processor to implement the method as described in the first aspect, or the method as described in the second aspect, or the method as described in the third aspect.
[0043] In this embodiment, the access network device receives a first key sent by the core network device, the first key being used for data plane transmission. The access network device uses the first key to decrypt encrypted data sent by the terminal; the encrypted data was produced by encrypting with a second key, and the first key matches the second key. Thus, to parse data from the terminal, the access network device must decrypt it with the first key sent by the core network device. Access network devices that are not authorized, or that have not been configured with the first key, cannot parse the terminal's data, thereby improving the security of data plane transmission.
Description of the Drawings
[0044] Figure 1 is a block diagram of a wireless communication system applicable to an embodiment of this application;
[0045] Figure 2a is a schematic diagram of one of the data planes applicable to the embodiments of this application;
[0046] Figure 2b is a second schematic diagram of a data plane that can be applied to an embodiment of this application;
[0047] Figure 3 is a flowchart of one of the data processing methods provided in the embodiments of this application;
[0048] Figure 4 is a second flowchart of a data processing method provided in an embodiment of this application;
[0049] Figure 5 is a third flowchart of a data processing method provided in an embodiment of this application;
[0050] Figure 6 is a fourth flowchart of a data processing method provided in an embodiment of this application;
[0051] Figure 7 is a fifth flowchart of a data processing method provided in an embodiment of this application;
[0052] Figure 8 is a sixth flowchart of a data processing method provided in an embodiment of this application;
[0053] Figure 9 is a schematic diagram of one of the data processing devices provided in an embodiment of this application;
[0054] Figure 10 is a second schematic diagram of the structure of a data processing device provided in an embodiment of this application;
[0055] Figure 11 is a third schematic diagram of the structure of a data processing device provided in an embodiment of this application;
[0056] Figure 12 is a schematic diagram of the structure of a communication device provided in an embodiment of this application;
[0057] Figure 13 is a schematic diagram of the structure of a terminal provided in an embodiment of this application;
[0058] Figure 14 is one of the structural schematic diagrams of a network-side device provided in an embodiment of this application;
[0059] Figure 15 is a second schematic diagram of the structure of a network-side device provided in an embodiment of this application.
Detailed Description
[0060] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.
[0061] The terms "first," "second," etc., used in this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, not limited in number; for example, the first object can be one or more. Furthermore, "or" in this application indicates at least one of the connected objects. For example, the scope of protection for "A or B" covers at least three scenarios: Scenario 1: including A but not B; Scenario 2: including B but not A; Scenario 3: including both A and B. In addition, the terms "A and / or B," "at least one of A and B," and "at least one of A or B" also cover at least the above three scenarios. The character " / " generally indicates that the preceding and following objects are in an "or" relationship.
[0062] The term "instruction" in this application can be either a direct instruction (or explicit instruction) or an indirect instruction (or implicit instruction). A direct instruction can be understood as one in which the sender explicitly informs the receiver of specific information, the operation to be performed, or the requested result, etc., in the instruction sent. An indirect instruction can be understood as one in which the receiver determines the corresponding information based on the instruction sent by the sender, or makes a judgment and determines the operation to be performed or the requested result, etc., based on the judgment result.
[0063] It is worth noting that the technologies described in this application are not limited to Long Term Evolution (LTE) / LTE-Advanced (LTE-A) systems, but can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA), or other systems. The terms "system" and "network" in this application are often used interchangeably, and the described technologies can be used with the systems and radio technologies mentioned above, as well as with other systems and radio technologies. The following description describes New Radio (NR) systems for illustrative purposes, and the term NR is used in most of the following description; however, these technologies can also be applied to systems other than NR systems, such as 6th generation (6G) communication systems.
[0064] Figure 1 shows a block diagram of a wireless communication system applicable to an embodiment of this application. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 can be a mobile phone, tablet computer, laptop computer, notebook computer, personal digital assistant (PDA), handheld computer, netbook, ultra-mobile personal computer (UMPC), mobile internet device (MID), augmented reality (AR) or virtual reality (VR) device, robot, wearable device, aircraft, vehicle user equipment (VUE), shipboard equipment, pedestrian user equipment (PUE), smart home device (a home device with wireless communication capability, such as a refrigerator, television, washing machine, or furniture), game console, personal computer (PC), ATM, or self-service machine, etc. Wearable devices include smartwatches, smart bracelets, smart headphones, smart glasses, smart jewellery (smart bangles, smart chains, smart rings, smart necklaces, smart anklets, etc.), smart wristbands, smart clothing, etc. In-vehicle devices can also be referred to as in-vehicle terminals, in-vehicle controllers, in-vehicle modules, in-vehicle components, in-vehicle chips, or in-vehicle units, etc. It should be noted that the specific type of terminal 11 is not limited in this embodiment. Network-side device 12 may include access network equipment or core network equipment, wherein access network equipment may also be referred to as Radio Access Network (RAN) equipment, radio access network function, or radio access network unit. Access network equipment may include base stations, Wireless Local Area Network (WLAN) access points (APs), or Wireless Fidelity (WiFi) nodes, etc. The term "base station" can refer to a Node B (NB), Evolved Node B (eNB), Next Generation Node B (gNB), New Radio Node B (NR Node B), Access Point, Relay Base Station (RBS), Serving Base Station (SBS), Base Transceiver Station (BTS), Radio Base Station, Radio Transceiver, Basic Service Set (BSS), Extended Service Set (ESS), Home Node B (HNB), Home Evolved Node B, Transmit/Receive Point (TRP), or any other suitable term in the relevant field, as long as the same technical effect is achieved. The term "base station" is not limited to any specific technical terminology. It should be noted that this embodiment only uses a base station in an NR system as an example and does not limit the specific type of base station.
[0065] Core network equipment, also known as core network nodes, core network functions, or core network elements, includes, but is not limited to, at least one of the following: Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized Network Configuration (CNC), Network Repository Function (NRF), Network Exposure Function (NEF), Local NEF (L-NEF), Binding Support Function (BSF), Application Function (AF), Location Management Function (LMF), Gateway Mobile Location Centre (GMLC), and Network Data Analytics Function (NWDAF). It should be noted that this embodiment only uses core network equipment in the NR system as an example and does not limit the specific type of core network equipment. If the name of the core network equipment mentioned in this embodiment changes in subsequent protocol versions (e.g., 6G), it will still be within the scope of protection of this application.
[0066] Optionally, the core network equipment can be implemented by one or more functional modules in a single device, or by multiple devices working together; this application does not specifically limit this. It is understood that the aforementioned functional modules can be network elements in hardware devices, software functional modules running on dedicated hardware, or virtualized functional modules instantiated on a platform (e.g., a cloud platform).
[0067] For ease of understanding, the following explains some aspects of the embodiments of this application:
[0068] 1. Data plane
[0069] The data plane consists of core network data plane functions, radio access network data plane functions, and UE data plane functions, providing end-to-end connectivity. The data plane is responsible for data control, including data collection coordination, data collection configuration, and data transmission configuration. It also handles data acquisition, data transmission, data preprocessing, data privacy and security, data analysis, data storage, and data services. Schematic diagrams of the data plane are shown in Figures 2a and 2b.
[0070] 2. Data plane security technology
[0071] Here are some commonly used data security methods:
[0072] (1) Data encryption
[0073] Storage encryption: Encrypting stored data with an algorithm such as the Advanced Encryption Standard (AES) or the RSA public-key algorithm ensures that even if the data is stolen, it cannot be read by unauthorized parties.
[0074] Encryption in transit: Data is encrypted with a protocol such as Transport Layer Security (TLS), or its deprecated predecessor Secure Sockets Layer (SSL), while in transmission, to prevent it from being eavesdropped on or tampered with on the network.
[0075] End-to-end encryption: Data is encrypted directly between the two communicating parties, ensuring that only the sender and receiver can decrypt the data, and intermediate nodes cannot view the data content.
[0076] (2) Data desensitization
[0077] Data masking: Prevents the leakage of sensitive information by covering or replacing sensitive data (such as only showing the last four digits of a credit card number).
[0078] Pseudonymization and anonymization: Modifying or removing personal identity information so that even if the data is leaked, it cannot be associated with a specific individual.
[0079] (3) Access Control
[0080] Access control: Use role-based access control (RBAC) or attribute-based access control (ABAC) to restrict access to data and ensure that only authorized users can view or modify data.
[0081] Multi-factor authentication: By combining multiple authentication methods such as passwords, mobile verification codes, and fingerprints, access security is improved.
[0082] (4) Data backup and recovery
[0083] Regular backups: Back up data regularly to different locations and devices so that it can be recovered quickly after data loss or a ransomware attack.
[0084] Data recovery plan: Establish a detailed data recovery process to ensure a rapid response mechanism in the event of data loss.
[0085] (5) Data integrity check
[0086] Checksums and hashes: Use hash algorithms such as MD5 and SHA to verify the integrity of data and ensure that it has not been altered during transmission or storage. A bare hash only detects accidental corruption, since an attacker who can change the data can recompute it; integrity against tampering requires a keyed hash (HMAC) or a signature, and MD5 and SHA-1 are no longer collision resistant, so SHA-256 or stronger should be used.
[0087] Digital signature: Verifying the origin and integrity of data through digital signature technology to prevent forgery and tampering.
[0088] (6) Data isolation
[0089] Network isolation: By dividing the network into different regions (such as intranet and extranet) and isolating the network where sensitive data is located, the risk of data leakage is reduced.
[0090] Containerization and virtualization isolation: Using virtual machines or container technology to isolate data from different applications and users, avoiding cross-influence of data.
[0091] (7) Logs and audits
[0092] Log recording: Records operations such as accessing and modifying data, making it easier to track the flow of data and promptly detect and respond to abnormal behavior.
[0093] Regular audits: Through regular security audits, potential risks in the system are identified and remediated to ensure compliance requirements are met.
[0094] (8) Data Loss Prevention (DLP)
[0095] Sensitive data detection and control: DLP systems can monitor and restrict the outward transmission of sensitive data, preventing data from being leaked into insecure environments.
[0096] Real-time alarms: The DLP system will issue an alarm in real time when it detects illegal data operations, so that timely measures can be taken.
[0097] (9) Privacy Computing
[0098] Homomorphic encryption: allows computations to be performed on encrypted data, ensuring that private data is not leaked during use.
[0099] Federated learning enables different institutions to collaboratively train machine learning models without sharing their respective data.
[0100] Differential privacy: Privacy protection of data analysis results is achieved by adding random noise to individuals in the dataset.
[0101] (10) Monitoring of Artificial Intelligence and Machine Learning
[0102] Utilize artificial intelligence (AI) or machine learning (ML) technologies to monitor and analyze data access and usage patterns, identify abnormal behavior, and promptly detect potential security threats.
[0103] These data security methods each have their own advantages and are often used in combination to provide multi-layered security.
[0104] The data processing methods, apparatus, and related equipment provided in this application will be described in detail below with reference to the accompanying drawings and through some embodiments and application scenarios.
[0105] Referring to Figure 3, which is a flowchart of a data processing method provided in an embodiment of this application, the data processing method includes the following steps:
[0106] Step 101: The access network device receives the first key sent by the core network device. The first key is used for data plane transmission.
[0107] Step 102: The access network device uses the first key to decrypt the encrypted data sent by the terminal. The encrypted data is obtained by encrypting it using the second key, and the first key matches the second key.
[0108] The first key and the second key may be the same or different. That the first key matches the second key means that data encrypted with the second key can be decrypted with the first key; the two are identical in a symmetric scheme and differ when, for example, a key pair is used.
[0109] In one implementation, the first key being used for data plane transmission means that it is used for data collection; "the first key is used for data plane transmission" can be read as, and replaced by, "the first key is used for data collection".
[0110] In one implementation, the destination address of the encrypted data sent by the terminal can be an internal node of the network.
[0111] In one implementation, the terminal can be understood as, and replaced by, a data providing node.
[0112] In one implementation, the access network device can be understood as, and replaced by, a data preprocessing node.
[0113] In one implementation, the core network equipment can be understood and replaced by a data control node and / or a data consumption node. The data control node and the data consumption node can be different network elements within the core network equipment, or they can be the same network element within the core network equipment; this embodiment does not limit this. That is, the data control node and the data consumption node can be deployed on the same equipment or different equipment in the core network.
[0114] In addition, the access network device can perform data preprocessing on the decrypted data; or perform data analysis on the decrypted data; or perform data storage on the decrypted data, etc. This embodiment does not limit the subsequent processing of the decrypted data by the access network device.
[0115] It should be noted that the terminal can use a second key to encrypt the collected data, obtain encrypted data, and send the encrypted data to the access network device.
[0116] In addition, core network equipment can send the first key to access network equipment.
[0117] For example, the core network device can determine whether a data preprocessing function (or simply preprocessing function) needs to be activated, and if it determines that a data preprocessing function needs to be activated, it sends a first key to the access network device.
[0118] It should be noted that the first key can be sent from the core network device to the access network device. As an alternative implementation, the first key can also be sent from the terminal to the access network device. That is to say, the access network device can receive the first key sent by the terminal.
[0119] In one implementation, a core network device sends a first key to a data preprocessing node (such as an access network device). The data preprocessing node uses the first key to parse the data and then completes the data preprocessing. This first key can be a reused key between a data providing node (such as a terminal) and a data consuming node (such as a core network device), or it can be a dedicated key between the data providing node and the data preprocessing node derived from the key between the data providing node and the data consuming node.
[0120] In one implementation, when a multi-terminal data collection task is initiated and data preprocessing is required in an access network device (such as a base station), a dedicated first key can be generated based on the task, and the data preprocessing node (such as the access network device) uses that first key to process the data of all terminals in the task uniformly. The first key can be notified to the terminals performing the data collection task by multicast over a common channel, or to each such terminal individually over a dedicated channel.
[0121] In related technologies, data plane and data security technologies are two independent research directions. Currently, there is no detailed discussion on data plane security issues, and data preprocessing security issues are not addressed, nor are there specific implementation use cases. In the 6G data plane, when data is transmitted from the data provider node to the data consumer node, it needs to be preprocessed at intermediate nodes such as base stations to perform functions such as data deduplication, data cleaning, or data merging. In the embodiments of this application, data transmission from the data provider node (such as a terminal) to the data consumer node (such as core network equipment) is encrypted, and the data preprocessing node (such as access network equipment) cannot directly obtain this data. In addition, the embodiments of this application provide that the data preprocessing node can only obtain the data transmitted by the data provider node when configured or allowed to perform preprocessing, thus ensuring high data security.
[0122] In this embodiment, the access network device receives a first key sent by the core network device, the first key being used for data plane transmission. The access network device uses the first key to decrypt encrypted data sent by the terminal; the encrypted data was produced by encrypting with a second key, and the first key matches the second key. Thus, to parse data from the terminal, the access network device must decrypt it with the first key sent by the core network device. Access network devices that are not authorized, or that have not been configured with the first key, cannot parse the terminal's data, thereby improving the security of data plane transmission.
[0123] Optionally, the method further includes:
[0124] The access network device performs data preprocessing on the decrypted data to obtain the first data;
[0125] The access network device sends the first data to the core network device.
[0126] Data preprocessing may include data deduplication, data cleaning, or data merging. This application does not limit the specific implementation of data preprocessing.
[0127] In this embodiment, when the data plane data transmitted between the terminal and the core network device is encrypted, the access network device can decrypt the encrypted data of the terminal using the first key sent by the core network device and perform data preprocessing. This also prevents the access network device from parsing or processing the terminal data without permission or without configuring the first key, thereby improving the security of data plane transmission.
[0128] Optionally, the method further includes:
[0129] The access network device receives the first information sent by the core network device;
[0130] The first information includes at least one of the following:
[0131] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used by the terminal to perform the data acquisition task.
[0132] The first information can be a data preprocessing start message, which can be used to start the data preprocessing function.
[0133] In addition, information indicating the data preprocessing method may include preprocessing instructions, such as averaging, standard deviation calculation, or filtering.
[0134] Additionally, information used to indicate data preprocessing time may include preprocessing time, such as start time and/or end time.
[0135] In addition, the triggering event for data preprocessing can also be described as a preprocessing triggering event, such as triggering data preprocessing when the amount of data exceeds a threshold.
[0136] Additionally, information used to indicate the start or end of data preprocessing may include preprocessing start or end indications.
[0137] In one embodiment, when the data plane transmission is used for multi-terminal data acquisition services, the first information includes information about the terminal performing the data acquisition task. Thus, the access network device can obtain information about the terminal performing the data acquisition task through the first information.
[0138] In this embodiment, the access network device can preprocess the encrypted data of the terminal according to the first information configured by the core network device, and the configuration of the data preprocessing function can be realized through the first information.
[0139] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or,
[0140] The first key is a key generated based on the first data plane key; or,
[0141] The first key is a key generated based on the task information of the data acquisition task.
[0142] The first key can be a first data plane key, which the core network device can generate based on data plane security configuration information and terminal information. The terminal can generate a second data plane key based on data plane security configuration information and terminal information, and the second key can be a second data plane key. The first data plane key and the second data plane key can be the same.
[0143] The first key can be generated based on the first data plane key. The core network device can generate the first data plane key based on data plane security configuration information and terminal information, and derive the first key from the first data plane key. The algorithm used to derive the first key can be pre-configured or pre-defined. The terminal can generate a second data plane key based on data plane security configuration information and terminal information, and derive the second key from the second data plane key. The algorithm used to derive the second key can be pre-configured or pre-defined. The first data plane key and the second data plane key can be the same.
[0144] The first key can be a key generated based on task information of the data acquisition task, and the algorithm for generating the first key based on the task information can be pre-configured or pre-defined. This embodiment does not limit the algorithm for generating the first key.
[0145] In one implementation, the first key is a first data plane key. Taking the access network device as a base station as an example, the data transmitted from the terminal to the core network is preprocessed at the base station. The data preprocessing node (such as the base station) directly uses the first data plane key to parse the data uploaded by the terminal. The base station preprocesses the parsed data and then sends it to the core network.
[0146] In one embodiment, the first key is a key generated based on the first data plane key. Taking the access network device as a base station as an example, the data transmitted from the terminal to the core network is preprocessed at the base station. The core network and the terminal each derive a key for the preprocessing process. When the terminal sends data, it uses the derived key to encrypt it. After receiving the data, the data preprocessing node (such as the base station) decrypts it using the derived key. The base station preprocesses the decrypted data and then sends it to the core network.
[0147] In one implementation, the first key is a key generated based on the task information of the data acquisition task. Taking the access network device as a base station as an example, the data transmitted from the terminal to the core network is preprocessed at the base station; the core network starts a multi-UE data collection task, generates a unified key based on the task, and the data preprocessing node (such as the base station) uses the key to parse the data. The base station preprocesses the parsed data and sends it to the core network.
[0148] Optionally, the task information of the data acquisition task includes at least one of the following:
[0149] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0150] Optionally, the method further includes at least one of the following:
[0151] The access network device receives the second information and stops performing the data preprocessing based on the second information, wherein the second information is used to indicate the cessation of data preprocessing.
[0152] The access network device stops performing the data preprocessing based on information used to indicate the data preprocessing time.
[0153] It should be noted that, if the access network device stops performing the data preprocessing, the core network device can initiate a key update process to update the key for data plane transmission between the core network device and the terminal; or, if it is determined that the access network device has stopped performing data preprocessing, the terminal can stop using the second key. This prevents untrusted access network devices from parsing terminal data, further improving the security of data plane transmission.
[0154] In this embodiment, the data preprocessing function can be turned off through the second information or information used to indicate the data preprocessing time, so that the access network device cannot continue to parse terminal data after the data preprocessing function is stopped, thereby further improving the security of data plane transmission.
[0155] The following examples will provide further explanation:
[0156] Example 1:
[0157] In this example, the original key is reused for data preprocessing encryption and decryption. The data preprocessing node directly uses the key of the data consumer node to parse the data sent by the data provider node, and then completes the data preprocessing, thus solving the problem that the data preprocessing node cannot parse the encrypted data sent by the data provider node. When preprocessing is no longer needed, the key between the data consumer node and the data acquisition node needs to be updated to prevent the data preprocessing node from continuing to view and parse the data.
[0158] As shown in Figure 4, the data processing method includes the following steps:
[0159] (1) The data control node (such as the core network) starts data services and initiates the data plane security process.
[0160] (2) The data control node (e.g., the core network) notifies the data providing node (e.g., the terminal) to start the data service, and carries the data plane security configuration information:
[0161] a. At the core network, generate a core network-side data plane key (i.e., the first data plane key) based on data plane security configuration information and terminal information.
[0162] b. Generate the terminal's data plane key (i.e., the second data plane key) based on the data plane security configuration information and the terminal's information.
[0163] (3) The data control node determines whether the data preprocessing function needs to be started. If so, it notifies the data preprocessing node (such as the base station).
[0164] (4) The data control node sends a data preprocessing start message to the preprocessing node. The data preprocessing start message contains at least one of the following:
[0165] The data plane key (i.e., the first key) on the core network side;
[0166] Preprocessing instructions (e.g., averaging, standard deviation calculation, filtering, etc.);
[0167] Preprocessing time, such as start time and/or end time;
[0168] Preprocessing trigger events, such as when the data volume exceeds a threshold;
[0169] Preprocessing start or end indication.
[0170] (5) After the terminal successfully collects data, it encrypts the data using its data plane key and then sends it.
[0171] (6) After receiving the encrypted data, the base station decrypts the data using the key configured by the core network (i.e., the first key), and preprocesses the data after successful decryption.
[0172] (7) The base station may stop the data preprocessing process in any of the following ways:
[0173] The data control node sends a signaling notification to stop the data preprocessing function;
[0174] Configure the start and stop times for the data preprocessing function, and stop it when the stop time is reached.
[0175] When the preprocessing function stops, the base station also stops preprocessing. Optionally: If the data service continues, to prevent untrusted base stations from continuing to parse data, the data control node can initiate a key update process. The terminal uses the updated key to encrypt the data, ensuring that the data preprocessing node cannot continue to view and parse data after stopping the preprocessing function.
[0176] Example 2:
[0177] In this example, data preprocessing encryption and decryption use a derived key. The data provider node and data consumer node each derive a dedicated key based on the key shared between them. While the data preprocessing function is active, the data provider node and data consumer node use the derived key to encrypt and decrypt data.
[0178] As shown in Figure 5, the data processing method includes the following steps:
[0179] (1) The data control node (such as the core network) starts data services and initiates the data plane security process.
[0180] (2) If the data preprocessing function needs to be started on the RAN node, proceed to step (3); otherwise, the data providing node (such as the terminal) is notified directly to start the data plane service, carrying the data plane security configuration information with the data plane preprocessing function set to disabled.
[0181] (3) If the preprocessing function needs to be started, the data control node (such as the core network) notifies the terminal to start the data plane service and carries the data plane security configuration information, with the data plane preprocessing function set to enabled and, optionally, the start and stop time of the preprocessing function.
[0182] a. Generate a core network-side data plane key (i.e., the first data plane key) based on data plane security configuration information and terminal information, and derive a dedicated data plane key (i.e., the first key) for data preprocessing on the data preprocessing node (e.g., base station) side.
[0183] b. Generate the terminal's data plane key (i.e., the second data plane key) based on the data plane security configuration information and the terminal's information, and derive the terminal-side data plane key dedicated to data preprocessing (i.e., the second key).
[0184] (4) The data control node sends a data preprocessing start message to the preprocessing node. The data preprocessing start message contains at least one of the following:
[0185] The dedicated preprocessing key (i.e., the first key);
[0186] Preprocessing instructions (e.g., averaging, standard deviation calculation, filtering, etc.);
[0187] Preprocessing time, such as start time and/or end time;
[0188] Preprocessing trigger events, such as when the data volume exceeds a threshold;
[0189] Preprocessing start or end indication.
[0190] (5) After the terminal successfully collects data, it encrypts the data using the dedicated data plane preprocessing key (i.e., the second key) and then sends it.
[0191] (6) After receiving the data, the base station decrypts the data using the dedicated key for data plane preprocessing (i.e., the first key), and then preprocesses the data after successful decryption.
[0192] (7) The base station may stop the data preprocessing process in any of the following ways:
[0193] The data control node sends a signaling notification to stop the data preprocessing function;
[0194] Configure the start and stop times for the data preprocessing function, and stop it when the stop time is reached.
[0195] When the preprocessing function stops, the terminal stops using the dedicated key for data plane preprocessing, and the base station stops the data preprocessing function.
[0196] Example 3:
[0197] In this example, data preprocessing encryption and decryption use a task-generated key. When multi-terminal data collection is initiated, the data control node generates a unified key based on the data plane task information. The data preprocessing node uses this key to parse the data sent by the multiple terminals and complete the data preprocessing. The information used to generate the unified data plane key may include: the data task identifier (ID), the task start time, the purpose of data collection, the data control node information, etc. The data control node notifies each terminal of the generated key, either via multicast through a public channel or by individual terminal notification through a dedicated channel.
[0198] As shown in Figure 6, the data processing method includes the following steps:
[0199] (1) The multi-terminal data acquisition service is initiated, and a unified key is generated based on the data acquisition task information. The data acquisition task information may include one or more of the following:
[0200] The task ID (i.e., task identifier); the task start time; the task objective (or the purpose of the task); and information about the terminal used to perform the data acquisition task (or information about multiple terminals).
[0201] (2) The data control node (such as the core network) notifies each terminal of the start of data plane services via multicast, carrying a key (i.e., a second key); or,
[0202] (3) The data control node (such as the core network) notifies each terminal of the start of data plane service through a dedicated channel, and carries a key (i.e., the second key).
[0203] (4) When data preprocessing is required, the data control node (such as the core network) sends a data preprocessing start message to the data preprocessing node (such as the base station). The data preprocessing start message contains at least one of the following:
[0204] A dedicated preprocessing key (i.e., the first key), such as a key generated based on task information;
[0205] The list of terminals whose data is to be preprocessed;
[0206] Preprocessing instructions (e.g., averaging, standard deviation calculation, or filtering);
[0207] Preprocessing time, such as start time and/or end time;
[0208] Preprocessing trigger events, for example, triggering data preprocessing when the amount of data exceeds a threshold;
[0209] Preprocessing start or end indication.
[0210] (5) After the terminal successfully collects data, it encrypts the data using a unified key (i.e., the second key) and then sends it.
[0211] (6) After receiving the data, the base station decrypts the data using the unified key for data plane preprocessing (i.e., the first key), and then preprocesses the data after successful decryption.
[0212] (7) The base station may stop the data preprocessing process in any of the following ways:
[0213] The data control node sends a signaling message to the data preprocessing node to notify the data preprocessing function to stop;
[0214] Configure the start and stop times for the data preprocessing function. When the stop time is reached, the data preprocessing node stops the preprocessing function.
[0215] In this embodiment, even when the data is encrypted, the data preprocessing node can still acquire the data and complete the preprocessing function. At the same time, a data preprocessing node that has not been authorized or configured with the key is prevented from parsing or processing the data. When the data preprocessing function is not configured or enabled, the data preprocessing node cannot obtain the key and therefore cannot parse the corresponding data. After the data preprocessing function is disabled, a key update prevents the data preprocessing node from continuing to acquire data once the function has ended. Ultimately, this allows the data preprocessing node to perform data preprocessing while ensuring data security.
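The three key options of [0139] to [0147] and the stop-and-key-update step of [0153] and [0175], as an added Python simulation that is not part of this application: the core network and the terminal derive matching keys, the base station parses uplink data only while it holds the first key, and a key update after preprocessing stops locks out a base station that kept the old key. The HMAC-SHA256 derivation, the encrypt-then-MAC stream cipher, the labels and the control-node master secret used for the task key are assumptions, since the application does not fix any algorithm.

```python
import hashlib
import hmac
import secrets
import struct

def kdf(key: bytes, label: str, *context: bytes) -> bytes:
    """HMAC-SHA256 derivation over a label and length-prefixed context (assumed KDF)."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for part in context:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def data_plane_key(security_config: bytes, terminal_info: bytes) -> bytes:
    """Data plane key from security configuration information and terminal information.
    The core network computes the first data plane key, the terminal the second; they agree."""
    return kdf(security_config, "data-plane-key", terminal_info)

def preprocessing_key(dp_key: bytes) -> bytes:
    """Example 2: dedicated preprocessing key derived from the data plane key."""
    return kdf(dp_key, "preprocessing-key")

def task_key(master: bytes, task_id: str, start_time: int, objective: str, terminals: list) -> bytes:
    """Example 3: unified key from task information. The control-node master secret is an
    assumption; the application only lists the task fields as inputs."""
    return kdf(master, "task-key", task_id.encode(), struct.pack(">Q", start_time),
               objective.encode(), ",".join(sorted(terminals)).encode())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed encrypt-then-MAC stream cipher; stands in for the cipher the application leaves open."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kdf(key, "enc"), nonce, len(plaintext))))
    tag = hmac.new(kdf(key, "mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, message: bytes) -> bytes:
    """Returns the plaintext, or raises ValueError when the key does not match (tag check fails)."""
    if len(message) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(kdf(key, "mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: first key does not match second key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kdf(key, "enc"), nonce, len(ct))))

class BaseStation:
    """Data preprocessing node: holds the first key and the preprocessing instruction it was sent."""

    def __init__(self):
        self.first_key = None
        self.instruction = None

    def start_preprocessing(self, first_key: bytes, instruction: str):
        """Step (4): data preprocessing start message carrying the first key and an instruction."""
        self.first_key, self.instruction = first_key, instruction

    def handle_uplink(self, encrypted: bytes):
        """Step (6): decrypt with the first key and preprocess. Returns None when the data cannot be parsed."""
        if self.first_key is None:
            return None
        try:
            samples = [float(x) for x in decrypt(self.first_key, encrypted).decode().split(",")]
        except ValueError:
            return None
        if self.instruction == "average":
            return sum(samples) / len(samples)
        return samples

def run_example_2():
    """Example 2 flow, followed by the key update of [0153]/[0175] after preprocessing stops."""
    config = secrets.token_bytes(32)  # data plane security configuration information (constructed)
    terminal_info = b"terminal-A"     # constructed terminal information
    # Step (3): core network and terminal each derive their data plane key and the dedicated key.
    first_key = preprocessing_key(data_plane_key(config, terminal_info))
    second_key = preprocessing_key(data_plane_key(config, terminal_info))
    bs = BaseStation()
    bs.start_preprocessing(first_key, "average")
    uplink = encrypt(second_key, b"1.0,2.0,3.0,4.0")      # step (5): terminal encrypts collected data
    first_data = bs.handle_uplink(uplink)                  # step (6): 2.5 is sent on to the core network
    unauthorized = BaseStation().handle_uplink(uplink)     # a station never sent the first key: None
    # Step (7): preprocessing stops but this station keeps its key, so the core network updates the
    # data plane key; the terminal encrypts with the new key and the old first key no longer matches.
    new_config = secrets.token_bytes(32)
    new_second_key = preprocessing_key(data_plane_key(new_config, terminal_info))
    after_update = bs.handle_uplink(encrypt(new_second_key, b"5.0,6.0"))  # None
    return first_data, unauthorized, after_update

if __name__ == "__main__":
    print(run_example_2())
```

Swapping `preprocessing_key(data_plane_key(...))` for `data_plane_key(...)` alone gives the Example 1 flow, and using `task_key(...)` on both sides gives Example 3.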
[0216] This application also provides a data processing method, including:
[0217] The data preprocessing node receives a first key sent by the data control node, and the first key is used for data plane transmission.
[0218] The data preprocessing node uses the first key to decrypt the encrypted data sent by the data providing node, and the encrypted data is obtained by encrypting it with the second key, wherein the first key and the second key are matched.
[0219] Optionally, the method further includes:
[0220] The data preprocessing node performs data preprocessing on the decrypted data to obtain the first data;
[0221] The data preprocessing node sends the first data to the data consumption node.
[0222] Optionally, the method further includes:
[0223] The data preprocessing node receives the first information sent by the data control node;
[0224] The first information includes at least one of the following:
[0225] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used to indicate the data providing nodes that perform data acquisition tasks.
[0226] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the data consuming node and the data providing node; or,
[0227] The first key is a key generated based on the first data plane key; or,
[0228] The first key is a key generated based on the task information of the data acquisition task.
[0229] Optionally, the task information of the data acquisition task includes at least one of the following:
[0230] Task identifier; task start time; task objective; information about the data providing node used to perform the data acquisition task.
[0231] Optionally, the method further includes at least one of the following:
[0232] The data preprocessing node receives second information and stops performing data preprocessing based on the second information, wherein the second information is used to indicate the cessation of data preprocessing.
[0233] The data preprocessing node stops performing the data preprocessing based on information indicating the data preprocessing time.
[0234] It should be noted that the implementation of the data preprocessing node in this embodiment is similar to the implementation of the access network device in the embodiment shown in Figure 3. For specific implementation details, please refer to the relevant description of the embodiment shown in Figure 3. To avoid repetition, this embodiment will not repeat the description.
[0235] Referring to Figure 7, which is a flowchart of a data processing method provided in an embodiment of this application, the data processing method includes the following steps:
[0236] Step 201: The core network device sends a first key to the access network device. The first key is used for data plane transmission.
[0237] Step 202: The core network device sends second information to the terminal. The second information is used to obtain a second key, and the first key matches the second key.
[0238] In one embodiment, the second information may be data plane security configuration information, and the terminal may generate a second data plane key based on the data plane security configuration information and terminal information. The second key may be the second data plane key.
[0239] In one embodiment, the second information may be data plane security configuration information. The terminal may generate a second data plane key based on the data plane security configuration information and terminal information. The terminal may derive a second key from the second data plane key. The algorithm used to derive the second key may be pre-configured or pre-defined.
[0240] In one implementation, the second information may include a second key. The core network device can send the second key to the terminal via multicast; alternatively, it can send the second key to the terminal via a dedicated channel. The second information can also be used to initiate data plane services on the terminal.
[0241] For example, when the terminal performs a multi-terminal data acquisition service, the second information includes a second key.
[0242] In this embodiment, the core network device sends a first key to the access network device, the first key being used for data plane transmission; the core network device sends second information to the terminal, the second information being used to obtain a second key, and the first key matches the second key. Thus, when the access network device parses the terminal's data, it must decrypt it using the first key sent by the core network device. Access network devices that are not authorized or have not been configured with the first key cannot parse the terminal's data, thereby improving the security of data plane transmission.
[0243] Optionally, the method further includes:
[0244] The core network device receives the first data sent by the access network device;
[0245] The first data is the data obtained by decrypting the encrypted data sent by the terminal using the first key and then preprocessing the decrypted data.
[0246] Optionally, the method further includes:
[0247] The core network device sends first information to the access network device;
[0248] The first information includes at least one of the following:
[0249] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used to indicate the terminal that performs the data acquisition task.
[0250] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or,
[0251] The first key is a key generated based on the first data plane key; or,
[0252] The first key is a key generated based on the task information of the data acquisition task.
[0253] Optionally, the task information of the data acquisition task includes at least one of the following:
[0254] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0255] Optionally, the method further includes:
[0256] The core network device sends a second message to the access network device, the second message being used to instruct the cessation of data preprocessing.
[0257] Optionally, when the first key is the first data plane key, the method further includes:
[0258] If the access network device stops performing data preprocessing, the core network device initiates a key update process, which is used to update the key for data plane transmission between the core network device and the terminal.
[0259] In this implementation, once the data preprocessing function is disabled, the key update process prevents the access network device from continuing to parse terminal data, thereby further improving the security of data plane transmission.
[0260] It should be noted that this embodiment is an implementation of the core network device corresponding to the embodiment shown in Figure 3. For the specific implementation, please refer to the relevant description of the embodiment shown in Figure 3. To avoid repetition, this embodiment will not be described again.
[0261] This application also provides a data processing method, including:
[0262] The data control node sends a first key to the data preprocessing node, and the first key is used for data plane transmission.
[0263] The data control node sends second information to the data providing node, the second information being used to obtain a second key, the first key being matched with the second key.
[0264] Optionally, the method further includes:
[0265] The data control node sends first information to the data preprocessing node;
[0266] The first information includes at least one of the following:
[0267] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used to indicate the data providing nodes that perform data acquisition tasks.
[0268] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the data consuming node and the data providing node; or,
[0269] The first key is a key generated based on the first data plane key; or,
[0270] The first key is a key generated based on the task information of the data acquisition task.
[0271] Optionally, the task information of the data acquisition task includes at least one of the following:
[0272] Task identifier; task start time; task objective; information about the data providing node used to perform the data acquisition task.
[0273] Optionally, the method further includes:
[0274] The data control node sends a second message to the data preprocessing node, the second message being used to instruct the data preprocessing to stop.
[0275] Optionally, when the first key is the first data plane key, the method further includes:
[0276] If the data preprocessing node stops performing data preprocessing, the data control node initiates a key update process, which is used to update the key for data plane transmission between the data consumer node and the data provider node.
[0277] It should be noted that the implementation of the data control node in this embodiment is similar to the implementation of the core network device in the embodiment shown in Figure 7. For specific implementation details, please refer to the relevant description of the embodiment shown in Figure 7. To avoid repetition, this embodiment will not repeat the description.
[0278] Referring to Figure 8, which is a flowchart of a data processing method provided in an embodiment of this application, the data processing method includes the following steps:
[0279] Step 301: The terminal receives the second information sent by the core network device and obtains the second key based on the second information;
[0280] Step 302: The terminal uses the second key to encrypt the collected data to obtain encrypted data;
[0281] Step 303: The terminal sends the encrypted data to the access network device.
[0282] In this embodiment, the terminal receives second information sent by the core network device and obtains a second key based on the second information; the terminal uses the second key to encrypt the collected data to obtain encrypted data; the terminal sends the encrypted data to the access network device. Thus, when the access network device parses the terminal's data, it needs to use a key matching the second key to decrypt the encrypted data. Unauthorized access network devices cannot parse the terminal's data, thereby improving the security of data plane transmission.
[0283] Optionally, the second key is a second data plane key, which is used for encryption of data plane transmission between the core network device and the terminal; or,
[0284] The second key is a key generated based on the second data plane key; or,
[0285] The second key is a key generated based on the task information of the data acquisition task.
[0286] Optionally, the task information of the data acquisition task includes at least one of the following:
[0287] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0288] Optionally, the method further includes:
[0289] If the access network device is determined to have stopped performing data preprocessing, the terminal stops using the second key.
[0290] It should be noted that this embodiment is an implementation of the terminal corresponding to the embodiment shown in Figure 3 or Figure 7. For the specific implementation, please refer to the relevant description of the embodiment shown in Figure 3 or Figure 7. To avoid repetition, this embodiment will not be described again.
[0291] This application also provides a data processing method, including:
[0292] The data providing node receives the second information sent by the data control node and obtains the second key based on the second information;
[0293] The data providing node uses the second key to encrypt the collected data, thus obtaining encrypted data;
[0294] The data providing node sends the encrypted data to the data preprocessing node.
[0295] Optionally, the second key is a second data plane key, which is used for encryption of data plane transmission between the data consuming node and the data providing node; or,
[0296] The second key is a key generated based on the second data plane key; or,
[0297] The second key is a key generated based on the task information of the data acquisition task.
[0298] Optionally, the task information of the data acquisition task includes at least one of the following:
[0299] Task identifier; task start time; task objective; information about the data providing node used to perform the data acquisition task.
[0300] Optionally, the method further includes:
[0301] If it is determined that the data preprocessing node has stopped performing data preprocessing, the data providing node stops using the second key.
[0302] It should be noted that the implementation of the data providing node in this embodiment is similar to the implementation of the terminal in the embodiment shown in Figure 7. For specific implementation details, please refer to the relevant description of the embodiment shown in Figure 7. To avoid repetition, this embodiment will not repeat the description.
[0303] The data processing method provided in this application can be executed by a data processing device. This application uses an example of a data processing device executing the data processing method to illustrate the data processing apparatus provided in this application.
[0304] This application provides a data processing apparatus. As an example, the data processing apparatus may be a communication device or a component within a communication device, such as a chip. The communication device may be a terminal, a network-side device, or a server, etc. Exemplarily, the terminal may include, but is not limited to, the type of terminal 11 listed above, and the network-side device may include, but is not limited to, the type of network-side device 12 listed above. This application does not impose specific limitations.
[0305] The data processing device includes a receiving module, a transmitting module, and a processing module. These modules can be implemented in software or hardware. When implemented in hardware, the processing module can be implemented by a processor. For example, the processor can include general-purpose processors, special-purpose processors, such as a Central Processing Unit (CPU), microprocessor, Digital Signal Processor (DSP), Artificial Intelligence (AI) processor, Graphics Processing Unit (GPU), Application Specific Integrated Circuit (ASIC), Network Processor (NP), Field Programmable Gate Array (FPGA), or other programmable logic devices, gate circuits, transistors, discrete hardware components, etc. The receiving and transmitting modules can be implemented by a communication interface, which can include one or more of the following: transceiver, pins, circuits, bus, radio frequency unit, etc.
[0306] Specifically, referring to Figure 9, when the data processing device is an access network device or a component within an access network device, the data processing device 400 includes:
[0307] The receiving module 401 is used to receive a first key sent by the core network device, the first key being used for data plane transmission;
[0308] The processing module 402 is used to decrypt the encrypted data sent by the terminal using the first key, wherein the encrypted data is obtained by encrypting it using a second key, and the first key matches the second key.
[0309] Optionally, the processing module is further configured to: perform data preprocessing on the decrypted data to obtain first data;
[0310] The device further includes a sending module, which is used to send the first data to the core network equipment.
[0311] Optionally, the receiving module is further configured to: receive first information sent by the core network device;
[0312] The first information includes at least one of the following:
[0313] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used by the terminal to perform the data acquisition task.
[0314] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or,
[0315] The first key is a key generated based on the first data plane key; or,
[0316] The first key is a key generated based on the task information of the data acquisition task.
[0317] Optionally, the task information of the data acquisition task includes at least one of the following:
[0318] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0319] Optionally, the receiving module is further configured to: receive second information, and stop the data preprocessing based on the second information, wherein the second information is used to indicate the cessation of data preprocessing;
[0320] The processing module is also configured to: stop the data preprocessing based on information indicating the data preprocessing time.
[0321] Referring to Figure 10, when the data processing device is a core network device or a component within a core network device, the data processing device 500 includes:
[0322] The sending module 501 is used to send a first key to the access network device, the first key being used for data plane transmission;
[0323] The sending module 501 is further configured to: send second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.
[0324] Optionally, the device further includes:
[0325] The receiving module is used to receive the first data sent by the access network device;
[0326] The first data is the data obtained by decrypting the encrypted data sent by the terminal using the first key and then preprocessing the decrypted data.
[0327] Optionally, the sending module is further configured to: send first information to the access network device;
[0328] The first information includes at least one of the following:
[0329] Information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used by the terminal to perform the data acquisition task.
[0330] Optionally, the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or,
[0331] The first key is a key generated based on the first data plane key; or,
[0332] The first key is a key generated based on the task information of the data acquisition task.
[0333] Optionally, the task information of the data acquisition task includes at least one of the following:
[0334] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0335] Optionally, the sending module is further configured to: send second information to the access network device, the second information being used to indicate that data preprocessing should be stopped.
[0336] Optionally, when the first key is the first data plane key, the apparatus further includes:
[0337] The processing module is used to initiate a key update process when it is determined that the access network device has stopped performing data preprocessing. The key update process is used to update the key for data plane transmission between the core network device and the terminal.
[0338] Referring to Figure 11, when the data processing device is a terminal or a component within a terminal, the data processing device 600 includes:
[0339] The receiving module 601 is used to receive the second information sent by the core network device and obtain the second key based on the second information;
[0340] Processing module 602 is used to encrypt the collected data using the second key to obtain encrypted data;
[0341] The sending module 603 is used to send the encrypted data to the access network device.
[0342] Optionally, the second key is a second data plane key, which is used for encryption of data plane transmission between the core network device and the terminal; or,
[0343] The second key is a key generated based on the second data plane key; or,
[0344] The second key is a key generated based on the task information of the data acquisition task.
[0345] Optionally, the task information of the data acquisition task includes at least one of the following:
[0346] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0347] Optionally, the processing module is further configured to:
[0348] If it is determined that the access network device has stopped performing data preprocessing, the use of the second key shall be stopped.
[0349] The data processing apparatus provided in this application embodiment can implement the various processes implemented in the method embodiments of Figures 3, 7 and 8, and achieve the same technical effect. To avoid repetition, it will not be described again here.
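The three apparatus descriptions above (access network device 400, core network device 500 and terminal 600) fit together as one key-distribution flow. The following Go program is an added illustration written for this page and is not code from the patent or from the applicant; the patent fixes neither the derivation function nor the cipher, so this example assumes an HMAC-SHA256 derivation of the task key from the shared data plane key, the task information and a key version (the "key generated based on the first data plane key" and "based on the task information" variants combined), AES-256-GCM as the data plane cipher with the task identifier as associated data, a constructed "preprocessing" step that keeps readings of at least 10, and constructed sample values (the data plane key, task fields and readings). Function and type names (`TaskInfo`, `DeriveTaskKey`, `Encrypt`, `Decrypt`, `Preprocess`, `Exchange`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TaskInfo is the patent's "task information of the data acquisition task".
type TaskInfo struct {
	ID, Objective, Terminal string
	StartTime               uint64 // constructed: seconds since the epoch
}

// DeriveTaskKey is an assumed instantiation of "a key generated based on the data
// plane key and the task information": one HMAC-SHA256 step over a label, the
// unambiguously encoded task fields and a key version bumped on key update.
func DeriveTaskKey(dataPlaneKey []byte, task TaskInfo, version uint32) []byte {
	mac := hmac.New(sha256.New, dataPlaneKey)
	fmt.Fprintf(mac, "data-plane-task-key|%q|%q|%q|%d|v%d",
		task.ID, task.Objective, task.Terminal, task.StartTime, version)
	return mac.Sum(nil) // 32 bytes, used as an AES-256-GCM key
}

// mustGCM builds the AEAD; DeriveTaskKey always yields a valid 32-byte key.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt is the terminal side: fresh random nonce, task identifier as associated data.
func Encrypt(key []byte, task TaskInfo, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, []byte(task.ID))...)
}

// Decrypt is the access network side. gcm.Open fails unless the key matches the
// terminal's, so a device the core network never keyed cannot parse the data.
func Decrypt(key []byte, task TaskInfo, msg []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], []byte(task.ID))
}

// Preprocess is a constructed stand-in for "data preprocessing": keep readings >= 10.
func Preprocess(decrypted []byte) string {
	var keep []string
	for _, f := range strings.Split(string(decrypted), ",") {
		if v, err := strconv.Atoi(strings.TrimSpace(f)); err == nil && v >= 10 {
			keep = append(keep, strconv.Itoa(v))
		}
	}
	return strings.Join(keep, ",")
}

// Exchange runs the three-party flow over a constructed shared data plane key and
// reports the first data forwarded, and whether an unauthorised device or a stale
// (pre-update) first key could open the terminal's data.
func Exchange() (firstData string, unauthorisedOK, staleKeyOK bool) {
	dpk := sha256.Sum256([]byte("constructed shared data plane key"))
	task := TaskInfo{ID: "task-0001", Objective: "temperature survey", Terminal: "ue-42", StartTime: 1700000000}
	// Core network: first key to the authorised access network device; the task
	// information (second information) goes to the terminal, which derives the matching second key.
	firstKey := DeriveTaskKey(dpk[:], task, 1)
	secondKey := DeriveTaskKey(dpk[:], task, 1)
	enc := Encrypt(secondKey, task, []byte("12,3,40,7,55"))
	if dec, err := Decrypt(firstKey, task, enc); err == nil {
		firstData = Preprocess(dec)
	}
	// An access network device the core network never authorised holds some other key.
	other := sha256.Sum256([]byte("key the core network never issued"))
	_, err := Decrypt(other[:], task, enc)
	unauthorisedOK = err == nil
	// Preprocessing stops: the core network updates the key (new version) and the
	// terminal stops using the old second key, so the stale first key no longer works.
	_, err = Decrypt(firstKey, task, Encrypt(DeriveTaskKey(dpk[:], task, 2), task, []byte("9,8,7")))
	staleKeyOK = err == nil
	return firstData, unauthorisedOK, staleKeyOK
}

func main() {
	fmt.Println(Exchange())
}
```

Binding the task identifier as associated data is a design choice of this example: it makes a ciphertext captured under one task unusable under another even when the underlying data plane key is the same, which is the property the task-derived key variant in [0316] is reaching for.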
[0350] As shown in Figure 12, this application embodiment also provides a communication device 700, including a processor 701 and a memory 702. The memory 702 stores programs or instructions that can run on the processor 701. For example, when the communication device 700 is an access network device, the program or instructions executed by the processor 701 implement the various steps of the above-described data processing method embodiment for access network devices, and achieve the same technical effect. When the communication device 700 is a core network device, the program or instructions executed by the processor 701 implement the various steps of the above-described data processing method embodiment for core network devices, and achieve the same technical effect. To avoid repetition, this will not be repeated here. When the communication device 700 is a terminal, the program or instructions executed by the processor 701 implement the various steps of the above-described data processing method embodiment for terminals, and achieve the same technical effect. To avoid repetition, this will not be repeated here.
[0351] This application also provides a terminal, including a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps in the method embodiment shown in FIG8. This terminal embodiment corresponds to the above-described terminal-side method embodiment, and all implementation processes and methods of the above-described method embodiments can be applied to this terminal embodiment and can achieve the same technical effect. The terminal may be the data processing device shown in FIG11. Specifically, FIG13 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of this application.
[0352] The terminal 800 includes, but is not limited to, at least some of the following components: radio frequency unit 801, network module 802, audio output unit 803, input unit 804, sensor 805, display unit 806, user input unit 807, interface unit 808, memory 809, and processor 810.
[0353] Those skilled in the art will understand that the terminal 800 may also include a power supply (such as a battery) for powering various components. The power supply can be logically connected to the processor 810 through a power management system, thereby enabling functions such as charging, discharging, and power consumption management through the power management system. The terminal structure shown in Figure 13 does not constitute a limitation on the terminal. The terminal may include more or fewer components than shown, or combine certain components, or have different component arrangements, which will not be elaborated here.
[0354] It should be understood that, in this embodiment, the input unit 804 may include a graphics processor 8041 and a microphone 8042. The graphics processor 8041 processes image data of still images or videos obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 806 may include a display panel 8061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, etc. The user input unit 807 includes at least one of a touch panel 8071 and other input devices 8072. The touch panel 8071 is also called a touch screen. The touch panel 8071 may include two parts: a touch detection device and a touch controller. Other input devices 8072 may include, but are not limited to, physical keyboards, function keys (such as volume control buttons, power buttons, etc.), trackballs, mice, and joysticks, which will not be described in detail here.
[0355] In this embodiment, after receiving downlink data from the network-side device, the radio frequency unit 801 can transmit it to the processor 810 for processing; in addition, the radio frequency unit 801 can send uplink data to the network-side device. Typically, the radio frequency unit 801 includes, but is not limited to, antennas, amplifiers, transceivers, couplers, low-noise amplifiers, duplexers, etc.
[0356] The memory 809 can be used to store software programs or instructions, as well as various data. The memory 809 may primarily include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area may store the operating system, application programs or instructions required for at least one function (such as sound playback, image playback, etc.). Furthermore, the memory 809 may include volatile memory or non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus RAM (DRRAM). The memory 809 in the embodiments of this application includes, but is not limited to, these and any other suitable types of memory.
[0357] Processor 810 may include one or more processing units; optionally, processor 810 integrates an application processor and a modem processor, wherein the application processor mainly handles operations involving the operating system, user interface, and applications, and the modem processor mainly handles wireless communication signals, such as a baseband processor. It is understood that the aforementioned modem processor may also not be integrated into processor 810.
[0358] The radio frequency unit 801 is used to: receive second information sent by the core network device and obtain a second key based on the second information;
[0359] Processor 810 is used to: encrypt the collected data using the second key to obtain encrypted data;
[0360] The radio frequency unit 801 is also used to send the encrypted data to the access network equipment.
[0361] Optionally, the second key is a second data plane key, which is used for encryption of data plane transmission between the core network device and the terminal; or,
[0362] The second key is a key generated based on the second data plane key; or,
[0363] The second key is a key generated based on the task information of the data acquisition task.
[0364] Optionally, the task information of the data acquisition task includes at least one of the following:
[0365] Task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.
[0366] Optionally, the processor 810 is further configured to: stop using the second key if it is determined that the access network device has stopped performing data preprocessing.
[0367] It is understood that the implementation of each of the above-mentioned steps in this embodiment can refer to the relevant description of the method embodiment shown in Figure 8 and achieves the same or corresponding technical effects. To avoid repetition, it will not be described again here.
[0368] This application also provides a network-side device, including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps of the method embodiments shown in FIG3 or FIG7. This network-side device embodiment corresponds to the above-described access network device or core network device method embodiments. All implementation processes and methods of the above-described method embodiments can be applied to this network-side device embodiment and can achieve the same technical effect.
[0369] Specifically, this application embodiment also provides a network-side device, which may be the data processing device shown in FIG9 or FIG10. As shown in FIG14, the network-side device 900 includes: an antenna 901, a radio frequency device 902, a baseband device 903, a processor 904, and a memory 905. The antenna 901 is connected to the radio frequency device 902. In the uplink direction, the radio frequency device 902 receives information through the antenna 901 and sends the received information to the baseband device 903 for processing. In the downlink direction, the baseband device 903 processes the information to be transmitted and sends it to the radio frequency device 902, which processes the received information and then transmits it through the antenna 901.
[0370] The method executed by the network-side device in the above embodiments can be implemented in the baseband device 903, which includes a baseband processor.
[0371] The baseband device 903 may include at least one baseband board, on which multiple chips are disposed, as shown in FIG14. One of the chips is, for example, a baseband processor, which is connected to the memory 905 via a bus interface to call the program in the memory 905 and execute the network device operation shown in the above method embodiment.
[0372] The network-side device may also include a network interface 906, such as a Common Public Radio Interface (CPRI).
[0373] Specifically, the network-side device 900 in this application embodiment further includes: instructions or programs stored in memory 905 and executable on processor 904. Processor 904 calls the instructions or programs in memory 905 to execute the methods executed by the modules shown in FIG9 or FIG10 and achieve the same technical effect. To avoid repetition, it will not be described in detail here.
[0374] Specifically, this application also provides a network-side device. As shown in FIG15, the network-side device 1000 includes a processor 1001, a network interface 1002, and a memory 1003. The network-side device may be the data processing device shown in FIG9 or FIG10. The network interface 1002 is, for example, a common public radio interface (CPRI).
[0375] Specifically, the network-side device 1000 in this application embodiment further includes: instructions or programs stored in memory 1003 and executable on processor 1001. Processor 1001 calls the instructions or programs in memory 1003 to execute the methods executed by the modules shown in FIG9 or FIG10 and achieve the same technical effect. To avoid repetition, it will not be described in detail here.
[0376] This application also provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the various processes of the above-described data processing method embodiments and achieve the same technical effects. To avoid repetition, they will not be described again here.
[0377] The processor mentioned above is the processor in the terminal or network-side device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk. In some examples, the readable storage medium may be a non-transient readable storage medium.
[0378] This application embodiment also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The processor is used to run programs or instructions to implement the various processes of the above data processing method embodiments and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0379] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a system-on-a-chip, system chip, chip system, or system-on-a-chip, etc.
[0380] This application also provides a computer program / program product, which is stored in a storage medium and executed by at least one processor to implement the various processes of the above-described data processing method embodiments, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0381] This application also provides a wireless communication system, including: a terminal, a core network device, and an access network device. The terminal can be used to execute the steps of the data processing method applied to the terminal as described above. The core network device can be used to execute the steps of the data processing method applied to the core network device as described above. The access network device can be used to execute the steps of the data processing method applied to the access network device as described above.
[0382] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
[0383] From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of computer software products plus necessary general-purpose hardware platforms, and of course, they can also be implemented by hardware. The computer software product is stored in a storage medium (such as ROM, RAM, magnetic disk, optical disk, etc.) and includes several instructions to cause the terminal or network-side device to execute the methods described in the various embodiments of this application.
[0384] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other implementations under the guidance of this application without departing from the spirit and scope of the claims. All of these implementations are within the protection scope of this application.
Claims
1. A data processing method, comprising:
   the access network device receives a first key sent by the core network device, the first key being used for data plane transmission; and
   the access network device uses the first key to decrypt the encrypted data sent by the terminal, the encrypted data being obtained by encryption with a second key, wherein the first key and the second key match.

2. The method of claim 1, wherein the method further comprises:
   the access network device performs data preprocessing on the decrypted data to obtain first data; and
   the access network device sends the first data to the core network device.

3. The method of claim 1 or 2, wherein the method further comprises:
   the access network device receives first information sent by the core network device;
   the first information including at least one of the following: information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used by the terminal to perform the data acquisition task.

4. The method of any one of claims 1 to 3, wherein:
   the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or
   the first key is a key generated based on the first data plane key; or
   the first key is a key generated based on the task information of the data acquisition task.

5. The method of claim 4, wherein the task information of the data acquisition task includes at least one of the following: task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.

6. The method of any one of claims 1 to 5, wherein the method further comprises at least one of the following:
   the access network device receives second information and stops performing the data preprocessing based on the second information, wherein the second information is used to indicate the cessation of data preprocessing;
   the access network device stops performing the data preprocessing based on information used to indicate the data preprocessing time.

7. A data processing method, comprising:
   the core network device sends a first key to the access network device, the first key being used for data plane transmission; and
   the core network device sends second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.

8. The method of claim 7, wherein the method further comprises:
   the core network device receives first data sent by the access network device;
   the first data being the data obtained by decrypting the encrypted data sent by the terminal using the first key and then preprocessing the decrypted data.

9. The method of claim 7 or 8, wherein the method further comprises:
   the core network device sends first information to the access network device;
   the first information including at least one of the following: information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information used by the terminal to perform the data acquisition task.

10. The method of any one of claims 7 to 9, wherein:
   the first key is a first data plane key, which is used for decrypting data plane transmissions between the core network device and the terminal; or
   the first key is a key generated based on the first data plane key; or
   the first key is a key generated based on the task information of the data acquisition task.

11. The method of claim 10, wherein the task information of the data acquisition task includes at least one of the following: task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.

12. The method of any one of claims 7 to 11, wherein the method further comprises:
   the core network device sends a second message to the access network device, the second message being used to instruct the cessation of data preprocessing.

13. The method of claim 10, wherein, when the first key is the first data plane key, the method further comprises:
   if the access network device stops performing data preprocessing, the core network device initiates a key update process, which is used to update the key for data plane transmission between the core network device and the terminal.

14. A data processing method, comprising:
   the terminal receives second information sent by the core network device and obtains a second key based on the second information;
   the terminal uses the second key to encrypt the collected data, thereby obtaining encrypted data; and
   the terminal sends the encrypted data to the access network device.

15. The method of claim 14, wherein:
   the second key is a second data plane key, which is used for encryption of data plane transmission between the core network device and the terminal; or
   the second key is a key generated based on the second data plane key; or
   the second key is a key generated based on the task information of the data acquisition task.

16. The method of claim 15, wherein the task information of the data acquisition task includes at least one of the following: task identifier; task start time; task objective; information about the terminal used to perform the data acquisition task.

17. The method of any one of claims 14 to 16, wherein the method further comprises:
   if the access network device is determined to have stopped performing data preprocessing, the terminal stops using the second key.

18. A data processing apparatus, comprising:
   a receiving module, used to receive a first key sent by the core network device, the first key being used for data plane transmission; and
   a processing module, used to decrypt the encrypted data sent by the terminal using the first key, wherein the encrypted data is obtained by encryption with a second key, and the first key matches the second key.

19. The apparatus of claim 18, wherein the processing module is further used to: preprocess the decrypted data to obtain first data; and
   the apparatus further comprises a sending module, used to send the first data to the core network device.

20. The apparatus of claim 18 or 19, wherein the receiving module is further configured to: receive first information sent by the core network device;
   the first information including at least one of the following: information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information about the terminal used to perform data acquisition tasks.

21. A data processing apparatus, comprising:
   a sending module, used to send a first key to the access network device, the first key being used for data plane transmission;
   the sending module being further configured to: send second information to the terminal, the second information being used to obtain a second key, wherein the first key matches the second key.

22. The apparatus of claim 21, wherein the apparatus further comprises:
   a receiving module, used to receive first data sent by the access network device;
   the first data being the data obtained by decrypting the encrypted data sent by the terminal using the first key and then preprocessing the decrypted data.

23. The apparatus of claim 21 or 22, wherein the sending module is further configured to: send first information to the access network device;
   the first information including at least one of the following: information used to indicate the data preprocessing method; information used to indicate the data preprocessing time; data preprocessing trigger events; information used to indicate the start or end of data preprocessing; information about the terminal used to perform data acquisition tasks.

24. A data processing apparatus, comprising:
   a receiving module, used to receive second information sent by the core network device and obtain a second key based on the second information;
   a processing module, used to encrypt the collected data using the second key to obtain encrypted data; and
   a sending module, used to send the encrypted data to the access network device.

25. The apparatus of claim 24, wherein:
   the second key is a second data plane key, which is used for encryption of data plane transmission between the core network device and the terminal; or
   the second key is a key generated based on the second data plane key; or
   the second key is a key generated based on the task information of the data acquisition task.

26. A communication device, comprising a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the data processing method as described in any one of claims 1 to 6, or the steps of the data processing method as described in any one of claims 7 to 13, or the steps of the data processing method as described in any one of claims 14 to 17.

27. A readable storage medium, wherein the readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the data processing method as described in any one of claims 1 to 6, or the steps of the data processing method as described in any one of claims 7 to 13, or the steps of the data processing method as described in any one of claims 14 to 17.

28. A computer program / program product, wherein, when the computer program / program product is executed by at least one processor, it implements the steps of the data processing method as described in any one of claims 1 to 6, or the steps of the data processing method as described in any one of claims 7 to 13, or the steps of the data processing method as described in any one of claims 14 to 17.