Communication method and apparatus
By maintaining a counter value and defining its position in the data unit of the MAC layer, integrity verification of the MAC unit is achieved, solving the problem of low communication security and improving the security performance and processing speed of the MAC layer.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2025-12-17
- Publication Date
- 2026-06-25
AI Technical Summary
In existing technologies, the communication security between terminal devices and access network devices is low. Unauthorized devices can tamper with or forge underlying signaling through man-in-the-middle attacks, affecting the service experience. Furthermore, it is difficult for terminal devices to detect the presence of unauthorized devices.
By maintaining a counter value and defining its location within the data unit of the MAC layer, the receiving end can obtain the counter value, thereby enabling integrity verification of the MAC unit and improving communication security. Specific measures include carrying the counter value within the MAC unit, defining the correspondence in the MAC header or MAC CE, and implementing secure processing at the MAC layer.
It improves the security performance of the MAC layer, reduces transmission overhead, and provides security protection at the PDCP layer to enhance the security and processing speed of MAC layer signaling, thereby improving the security and reliability of communication.
Description
A communication method and apparatus
[0001] Cross-references to related applications
[0002] This application claims priority to Chinese Patent Application No. 202411912871.0, filed on December 20, 2024, entitled "A Communication Method and Apparatus", the entire contents of which are incorporated herein by reference.
Technical Field
[0003] This application relates to the field of communication technology, and in particular to a communication method and apparatus.
Background
[0004] In wireless communication, communication security is a crucial factor. Currently, terminal devices and access network devices can communicate through security-related processes such as PDCP layer encryption and integrity protection.
[0005] However, security-related processes such as PDCP layer encryption and integrity protection only protect upper-layer signaling. Unauthorized devices can launch man-in-the-middle attacks: for example, passing upper-layer encrypted signaling through unchanged while tampering with or forging lower-layer signaling such as a medium access control (MAC) control element (MAC CE), or simply dropping packets, which affects the service experience of terminal devices. Terminal devices have difficulty detecting the presence of unauthorized devices on their own, resulting in low communication security.
Summary of the Invention
[0006] This application provides a communication method and apparatus for improving communication security.
[0007] Firstly, a communication method is provided. The executing entity of this method can be a communication device or a chip, chip system, or circuit used in the communication device. The communication device can be a terminal device or a network device. This method can be implemented through the following steps: determining a first MAC unit and sending the first MAC unit. The first MAC unit includes verification information of a first MAC subunit, and the verification information of the first MAC subunit is determined based on a first count value corresponding to the first MAC subunit.
[0008] In this application, the transmitting end can perform secure processing on data units of the MAC layer. For example, the transmitting end calculates the verification information of the MAC subunit based on parameters such as the count value corresponding to the MAC subunit, and the receiving end verifies the MAC subunit based on parameters such as the count value corresponding to the MAC subunit. This application maintains a count value at the MAC subunit granularity in the MAC unit and defines the position carrying the count value in the MAC unit, enabling the receiving end to obtain the count value and thus realize integrity verification of the MAC subunit, which is beneficial to improving communication security performance. Furthermore, in this application, the count value is maintained at the MAC subunit granularity, which is beneficial to improving the security performance of the MAC layer.
[0009] Secondly, a communication method is provided. The execution subject of this method can be a communication device or a chip, chip system, or circuit used in the communication device. The communication device can be a terminal device or a network device. This method can be implemented through the following steps: receiving a first MAC unit, wherein the first MAC unit includes verification information of a first MAC subunit, the verification information of the first MAC subunit being determined based on a first count value corresponding to the first MAC subunit; and verifying the verification information of the first MAC subunit based on the first count value.
[0010] In this application, the transmitting end can perform secure processing on data units of the MAC layer. For example, the transmitting end calculates the verification information of the MAC subunit based on parameters such as the count value corresponding to the MAC subunit, and the receiving end verifies the MAC subunit based on parameters such as the count value corresponding to the MAC subunit. This application maintains a count value at the MAC subunit granularity in the MAC unit and defines the position carrying the count value in the MAC unit, enabling the receiving end to obtain the count value and thus realize integrity verification of the MAC subunit, which is beneficial to improving communication security performance. Furthermore, in this application, the count value is maintained at the MAC subunit granularity, which is beneficial to improving the security performance of the MAC layer.
[0011] Based on the methods described in the first and second aspects above, the following design can be made:
[0012] In one possible design, the first MAC unit includes a first MAC subunit and a second MAC subunit. The first and second MAC subunits correspond to a first count value and belong to a first category. This approach reduces transmission overhead by having MAC subunits belonging to the same category maintain a single count value.
[0013] In one possible design, the first MAC unit further includes a third MAC subunit, wherein the third MAC subunit corresponds to the second count value and belongs to the second category. This design, by assigning different count values to MAC subunits belonging to different categories, helps to further enhance security.
[0014] In one possible design, the first count value is carried in the MAC header of the first MAC unit.
[0015] In one possible design, the MAC header indicates the correspondence between the first category and the first count value.
[0016] In one possible design, the first count value is carried in the first MAC CE of the first MAC unit.
[0017] In one possible design, the first MAC CE indicates the correspondence between the first category and the first count value.
[0018] In one possible design, the first count value is carried in the MAC sub-header of a MAC subunit belonging to the first category.
[0019] In one possible design, the MAC sub-header indicates the first category.
[0020] The above six designs enable the receiver to obtain the count value corresponding to the MAC subunit.
[0021] In one possible design, the first category is related to at least one of the following: the application scenario of the MAC subunit, or the purpose of the MAC subunit.
[0022] In one possible design, the first category is any one of the following: a MAC subunit for carrier aggregation scenarios, a MAC subunit for random access procedures, or a MAC subunit for energy-saving scenarios.
[0023] In one possible design, the first category is any one or more of the following: the MAC subunit corresponding to a MAC CE, the MAC subunit corresponding to a service data unit, or the MAC subunit corresponding to padding.
[0024] In one possible design, the first MAC unit includes a first MAC subunit and a second MAC subunit; the first MAC subunit corresponds to a first count value, and the second MAC subunit corresponds to a second count value. This design, by establishing a one-to-one correspondence between MAC subunits and count values, helps to further improve the security of MAC layer transmission. Furthermore, by maintaining a separate count value for each MAC subunit, the count value is incremented only when that MAC subunit transmits again; other MAC subunits do not need to increment the count value when transmitting, thereby reducing the influence between MAC subunits and increasing the number of times the count value can be used (or maintained) with the same counting capacity.
[0025] In one possible design, the first count value is carried in the MAC sub-header of the first MAC sub-unit. This design allows the receiving end to obtain the count value corresponding to the MAC sub-unit.
[0026] In one possible design, the first MAC unit includes a first MAC subunit group, and the first MAC subunit group includes first MAC subunits; the first count value corresponds to the MAC subunits included in the first MAC subunit group. This design reduces transmission overhead by having MAC subunits belonging to the same group maintain a single count value.
[0027] In one possible design, the first count value is carried in the MAC sub-header of a MAC sub-unit within the first MAC sub-unit group. This design allows the receiving end to obtain the count value corresponding to the MAC sub-unit.
[0028] In one possible design, the MAC sub-header indicates the MAC sub-units included in the first MAC sub-unit group. This design facilitates the receiver in obtaining the count value corresponding to the MAC sub-unit.
[0029] In one possible design, the MAC sub-header indicates the MAC sub-units included in the first MAC sub-unit group, including: the MAC sub-header indicates the number M of MAC sub-units included in the first MAC sub-unit group or the number M of MAC sub-units corresponding to (or multiplexing) the first count value, the first MAC sub-unit group includes a second MAC sub-unit and (M-1) MAC sub-units located after the second MAC sub-unit, the second MAC sub-unit being a MAC sub-unit carrying the first count value.
[0030] In one possible design, the MAC sub-header indicates the MAC sub-units included in the first MAC sub-unit group, including the MAC sub-header indicating at least one Logical Channel Identifier (LCID), and the first MAC sub-unit group includes at least one MAC sub-unit corresponding to the LCID.
[0031] In one possible design, the MAC sub-header indicates the MAC sub-units included in the first MAC sub-unit group, including: the MAC sub-header indicates the number N of MAC sub-units that multiplex the first count value, the first MAC sub-unit group includes a second MAC sub-unit and N MAC sub-units located after the second MAC sub-unit, the second MAC sub-unit being the MAC sub-unit carrying the first count value.
[0032] The above three designs enable the receiver to obtain the correspondence between the MAC subunit and the count value.
[0033] In one possible design, the MAC sub-header indicates at least one LCID, including: the MAC sub-header indicating the range of LCID values. This design can reduce transmission overhead.
[0034] In one possible design, the count value corresponding to at least one MAC subunit group is carried in the second MAC CE within the first MAC unit. This design allows the receiving end to obtain the count value corresponding to the MAC subunit.
[0035] In one possible design, the second MAC CE indicates the correspondence between at least one group of MAC subunits and the count value. This design allows the receiver to obtain the correspondence between MAC subunits and the count value.
[0036] In one possible design, the second MAC CE indicates the correspondence between at least one MAC subunit group and the count value, including: the second MAC CE indicating at least one LCID corresponding to the first count value, and the first MAC subunit group including at least one MAC subunit corresponding to the LCID. This design facilitates the receiver in obtaining the correspondence between MAC subunits and the count value.
[0037] In one possible design, the second MAC CE indicates at least one LCID corresponding to the first count value, including: the second MAC CE indicating the range of LCID values corresponding to the first count value. This design can reduce transmission overhead.
[0038] In one possible design, all MAC sub-units included in the first MAC unit correspond to the first count value, and the first MAC unit includes the first MAC sub-unit. Since a MAC unit is transmitted at the physical layer as a transport block, and communication security requires that at least one transport block corresponds to one count value, having all MAC sub-units of the first MAC unit correspond to the same count value reduces transmission overhead and implementation complexity while still achieving secure communication.
[0039] In one possible design, the first count value is carried in the MAC header of the first MAC unit; or, the first count value is carried in the third MAC CE of the first MAC unit. This design allows the receiving end to obtain the count value corresponding to the MAC subunit.
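The grouped-count design of [0026] to [0031], as an added illustration that is not part of the patent: the first subunit of a group carries the count value and the number M of subunits that reuse it in its sub-header, every subunit carries verification information computed over its count value, and the receiving end rejects tampered subunits and replayed count values. The sub-header byte layout, the LCID-to-category mapping, the 32-bit HMAC-SHA256 tag and the test key are assumptions made for this example.

```python
import hashlib
import hmac
import struct

DL, UL = 0, 1
TAG_LEN = 4                 # 32-bit verification info, sized like NR's MAC-I (assumption)
CAT_DATA, CAT_CE = 0, 1     # the two categories of [0023] modelled here (assumption)

def category(lcid):
    """Assumed split: LCIDs below 32 carry MAC SDUs, 32 and above carry MAC CEs."""
    return CAT_DATA if lcid < 32 else CAT_CE

def verification_info(key, count, direction, lcid, payload):
    """Verification info of one subunit, bound to its COUNT, DIRECTION and LCID."""
    msg = struct.pack(">IBB", count, direction, lcid) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def build_mac_unit(key, direction, groups):
    """groups: [(count, [(lcid, payload), ...]), ...]. As in [0029], the first
    subunit of a group carries the count and M = group size in its sub-header;
    the (M-1) subunits after it reuse that count and carry no count field.
    Assumed layout: C flag (bit 7) | LCID (6 bits); M (1 byte) and COUNT (4 bytes)
    only when C is set; then a 2-byte length, the payload and the tag."""
    out = bytearray()
    for count, subunits in groups:
        for i, (lcid, payload) in enumerate(subunits):
            if i == 0:
                out += struct.pack(">BBI", 0x80 | lcid, len(subunits), count)
            else:
                out += struct.pack(">B", lcid)
            out += struct.pack(">H", len(payload)) + payload
            out += verification_info(key, count, direction, lcid, payload)
    return bytes(out)

class Receiver:
    """Receiving end: verifies every subunit against the count its group carries
    and keeps the highest accepted count per category for replay checks."""

    def __init__(self, key):
        self.key = key
        self.last_count = {CAT_DATA: -1, CAT_CE: -1}

    def parse_and_verify(self, direction, mac_unit):
        accepted, pos = [], 0
        count, remaining, cat = None, 0, None
        pending = {}  # category -> highest count in this unit; committed only if all verify
        while pos < len(mac_unit):
            hdr, lcid = mac_unit[pos], mac_unit[pos] & 0x3F
            pos += 1
            if hdr & 0x80:
                if remaining:
                    raise ValueError("new count before the previous group of M was consumed")
                remaining, count = struct.unpack_from(">BI", mac_unit, pos)
                pos += 5
                cat = category(lcid)
                if count <= self.last_count[cat]:
                    raise ValueError(f"replayed or stale count {count} for category {cat}")
            elif remaining == 0:
                raise ValueError(f"subunit LCID {lcid} has no count to verify against")
            if category(lcid) != cat:
                raise ValueError("a group must not mix categories")
            (length,) = struct.unpack_from(">H", mac_unit, pos)
            payload = mac_unit[pos + 2:pos + 2 + length]
            tag = mac_unit[pos + 2 + length:pos + 2 + length + TAG_LEN]
            pos += 2 + length + TAG_LEN
            expected = verification_info(self.key, count, direction, lcid, payload)
            if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
                raise ValueError(f"verification failed for LCID {lcid}")
            pending[cat] = max(pending.get(cat, -1), count)
            accepted.append((lcid, payload))
            remaining -= 1
        if remaining:
            raise ValueError("unit ends inside a group")
        self.last_count.update(pending)
        return accepted

def rejected(rx, direction, unit):
    """True if the receiving end refuses the unit."""
    try:
        rx.parse_and_verify(direction, unit)
        return False
    except ValueError:
        return True

def demo():
    """Constructed scenario: two data SDUs share count 7, one MAC CE carries count 3."""
    key = bytes(range(16))  # constructed test key
    rx = Receiver(key)
    unit = build_mac_unit(key, DL, [(7, [(1, b"sdu-a"), (2, b"sdu-b")]),
                                    (3, [(33, b"\x05")])])
    bad = bytearray(unit)
    bad[-TAG_LEN - 1] ^= 0x01        # a man-in-the-middle flips a bit of the MAC CE
    tamper_detected = rejected(rx, DL, bytes(bad))
    accepted = rx.parse_and_verify(DL, unit)   # genuine unit: counts 7 and 3 recorded
    replay_detected = rejected(rx, DL, unit)   # same unit again: counts are stale
    return accepted, tamper_detected, replay_detected
```

A failed unit leaves the receiver's count state untouched, so a forged or replayed unit cannot be used to push the window forward.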
[0040] Thirdly, a communication method is provided. The subject executing this method can be a communication device or a chip, chip system, or circuit used in the communication device. The communication device can be a terminal device or a network device. This method can be implemented through the following steps: generating first verification information at the PDCP layer based on some or all of the information in the MAC CE; sending first information at the MAC layer, the first information carrying the MAC CE and the first verification information.
[0041] This application provides security protection for part or all of the MAC CE content at the PDCP layer to improve the security of MAC layer signaling. Since the PDCP layer performs HAC security processing, it is faster than performing security processing at the MAC layer.
[0042] In one possible design, before generating the first verification information at the PDCP layer based on some or all of the information in the MAC CE, the method further includes generating the MAC CE at the MAC layer.
[0043] Fourthly, a communication method is provided. The execution subject of this method can be a communication device or a chip, chip system, or circuit used in the communication device. The communication device can be a terminal device or a network device. This method can be implemented through the following steps: receiving first information at the MAC layer, the first information carrying a MAC CE and first verification information; generating second verification information at the PDCP layer based on some or all of the information in the MAC CE; and verifying the MAC CE at the PDCP layer based on the first verification information and the second verification information.
[0044] This application provides security protection for part or all of the MAC CE content at the PDCP layer to improve the security of MAC layer signaling. Since the PDCP layer performs HAC security processing, it is faster than performing security processing at the MAC layer.
[0045] Based on the methods described in the third and fourth aspects above, the following design can be made:
[0046] In one possible design, the first information carries first verification information, including: the first information carries a PDCP PDU, where the PDCP PDU includes some or all of the information in the MAC CE and the first verification information. By passing some or all of the information in the MAC CE to the PDCP layer for encapsulation, secure processing can be performed at the PDCP layer. This improves the speed of secure processing while ensuring the security of MAC layer signaling, and is more conducive to product design compatibility.
[0047] In one possible design, the first information carries a PDCP PDU, which includes RRC signaling and first verification information. The RRC signaling includes some or all of the information in the MAC CE. By passing some or all of the information in the MAC CE to the RRC layer for encapsulation, the RRC signaling can be securely processed at the PDCP layer after it is handed down. This improves the security processing speed while ensuring the security of MAC layer signaling, and is more conducive to product design compatibility.
[0048] In one possible design, the RRC signaling includes some or all of the information in the MAC CE, including: the RRC signaling includes a first container, which includes some or all of the information in the MAC CE.
[0049] In one possible design, the PDCP PDU is a control plane PDCP PDU. This design facilitates consistency in communication behavior between the receiver and transmitter, thereby improving communication security.
[0050] In one possible design, the first information carries first indication information, which indicates that the first information requires security protection. This design helps to ensure consistency in communication behavior between the receiving and sending ends, thereby improving communication security performance.
[0051] In one possible design, the first information carries a first count value, the first count value is used to generate first verification information, and the first count value is used for the control plane PDCP PDU.
[0052] In one possible design, the first count value and the second count value are different parameters, with the second count value used for the user plane PDCP PDU; alternatively, the first count value reuses the count value of the user plane PDCP PDU; or, the first count value is set to a preset value. Maintaining the count value of the control plane PDCP PDU helps improve communication security.
[0053] In one possible design, the first information carries a first bearer identifier, which is used to generate the first verification information and is used for the control plane PDCP PDU.
[0054] In one possible design, the first bearer identifier and the second bearer identifier have different parameters, with the second bearer identifier used for the user plane PDCP PDU; alternatively, the first bearer identifier reuses the bearer identifier of the user plane PDCP PDU; or, the first bearer identifier is set to a preset value. Designing the bearer identifier of the control plane PDCP PDU is beneficial for improving communication security.
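The PDCP-layer protection of [0040] to [0054], as an added illustration that is not part of the patent: the MAC layer generates a MAC CE, the PDCP layer wraps a copy of it in a control-plane PDCP PDU with its own count value and a preset bearer identifier and appends a MAC-I, and the receiving MAC layer acts on the clear-text MAC CE only after the PDCP layer has verified the protected copy and it matches. The byte layouts, the indication flag encoding, the preset bearer value and HMAC-SHA256 standing in for the integrity algorithm are assumptions made for this example.

```python
import hashlib
import hmac
import struct

DL, UL = 0, 1
TAG_LEN = 4               # 32-bit MAC-I (assumption)
CP_BEARER = 0x1F          # preset bearer identifier for the control-plane PDCP PDU ([0054]; assumed value)
NEEDS_PROTECTION = 0x01   # first indication information of [0050] (assumed encoding)

def mac_i(key, count, bearer, direction, message):
    """MAC-I over COUNT, BEARER, DIRECTION and the message, as in the Figure 4
    integrity process; HMAC-SHA256 stands in for a 3GPP integrity algorithm."""
    hdr = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, hdr + message, hashlib.sha256).digest()[:TAG_LEN]

class PdcpTx:
    """PDCP entity at the transmitting end with its own control-plane count ([0052])."""

    def __init__(self, key):
        self.key, self.count = key, 0

    def protect(self, mac_ce, direction):
        # control-plane PDCP PDU: COUNT | container (length, MAC CE copy) | MAC-I
        container = struct.pack(">B", len(mac_ce)) + mac_ce
        count, self.count = self.count, self.count + 1
        tag = mac_i(self.key, count, CP_BEARER, direction, container)
        return struct.pack(">I", count) + container + tag

def build_first_information(pdcp_tx, mac_ce, direction):
    """'First information' sent at the MAC layer: indication | MAC CE in the clear | PDCP PDU."""
    head = struct.pack(">BB", NEEDS_PROTECTION, len(mac_ce))
    return head + mac_ce + pdcp_tx.protect(mac_ce, direction)

class PdcpRx:
    def __init__(self, key):
        self.key, self.last_count = key, -1

    def verify(self, pdcp_pdu, direction):
        """Checks replay and MAC-I; returns (count, protected MAC CE copy)."""
        (count,) = struct.unpack_from(">I", pdcp_pdu)
        container, tag = pdcp_pdu[4:-TAG_LEN], pdcp_pdu[-TAG_LEN:]
        if count <= self.last_count:
            raise ValueError("replayed control-plane COUNT")
        if not hmac.compare_digest(tag, mac_i(self.key, count, CP_BEARER, direction, container)):
            raise ValueError("MAC-I mismatch")
        return count, container[1:1 + container[0]]

    def accept(self, count):
        self.last_count = count   # advance the replay window only once the MAC CE is accepted

def receive_first_information(pdcp_rx, first_info, direction):
    """Receiving MAC layer: the clear-text MAC CE is used only if the PDCP layer
    verifies the protected copy and that copy equals what arrived in the clear."""
    flag, n = first_info[0], first_info[1]
    mac_ce = first_info[2:2 + n]
    if flag & NEEDS_PROTECTION:
        count, copy = pdcp_rx.verify(first_info[2 + n:], direction)
        if copy != mac_ce:
            raise ValueError("MAC CE differs from its protected copy")
        pdcp_rx.accept(count)
    return mac_ce

def rejected(pdcp_rx, first_info, direction):
    try:
        receive_first_information(pdcp_rx, first_info, direction)
        return False
    except ValueError:
        return True

def demo():
    key = bytes(range(16, 32))   # constructed test key
    tx, rx = PdcpTx(key), PdcpRx(key)
    ce = bytes([0x3A, 0x01])      # constructed MAC CE content
    info = build_first_information(tx, ce, DL)
    forged = bytearray(info)
    forged[3] ^= 0x80             # the clear-text MAC CE is rewritten; the MAC-I cannot be fixed
    forgery_detected = rejected(rx, bytes(forged), DL)
    accepted = receive_first_information(rx, info, DL)   # genuine: count 0 now recorded
    replay_detected = rejected(rx, info, DL)             # same PDU again: stale count
    return accepted, forgery_detected, replay_detected
```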
[0055] Fifthly, this application also provides a communication device, which is a communication equipment or a chip within a communication equipment. The communication equipment can also be a terminal device or a network device. This communication device has the function of implementing any of the methods provided in the first or third aspect above. This communication device can be implemented in hardware or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
[0056] In one possible design, the communication device includes a processor configured to support the communication device in performing corresponding functions of the communication device described above. The communication device may also include a memory coupled to the processor, which stores necessary program instructions and data for the communication device. Optionally, the communication device further includes interface circuitry for supporting communication between the communication device and a receiving end, such as the transmission and reception of data or signals. Exemplarily, the communication interface may be a transceiver, circuit, bus, module, or other type of communication interface.
[0057] In one possible design, the communication device includes corresponding functional modules, each used to implement the steps in the above method. The functions can be implemented in hardware or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
[0058] In one possible design, the communication device includes a processing unit (or processing module) and a communication unit (or communication module). These units can perform the corresponding functions in the above method examples, as described in the methods provided in the first or third aspects, and will not be repeated here.
[0059] Sixthly, this application also provides a communication device, which is a communication equipment or a chip within a communication equipment. The communication equipment can also be a terminal device or a network device. This communication device has the function of implementing any of the methods provided in the second or fourth aspect above. This communication device can be implemented in hardware or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
[0060] In one possible design, the communication device includes a processor configured to support the communication device in performing corresponding functions of the communication device described above. The communication device may also include a memory coupled to the processor, which stores necessary program instructions and data for the communication device. Optionally, the communication device further includes interface circuitry for supporting communication between the communication device and a transmitting end, such as the transmission and reception of data or signals. Exemplarily, the communication interface may be a transceiver, circuit, bus, module, or other type of communication interface.
[0061] In one possible design, the communication device includes corresponding functional modules, each used to implement the steps in the above method. The functions can be implemented in hardware or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
[0062] In one possible design, the communication device includes a processing unit (or processing module) and a communication unit (or communication module). These units can perform the corresponding functions in the above method examples, as described in the methods provided in the second or fourth aspects, and will not be repeated here.
[0063] In a seventh aspect, a communication device is provided, including a processor and an interface circuit. The interface circuit is configured to receive signals from other communication devices outside the communication device and transmit them to the processor, or to send signals from the processor to other communication devices outside the communication device. The processor is configured to implement the methods of the first or third aspect and any possible design described above through logic circuits or execution code instructions.
[0064] In an eighth aspect, a communication device is provided, including a processor and an interface circuit. The interface circuit is configured to receive signals from other communication devices outside the communication device and transmit them to the processor, or to send signals from the processor to other communication devices outside the communication device. The processor is configured to implement the methods of the second or fourth aspect and any possible design described above through logic circuits or by executing code instructions.
[0065] In a ninth aspect, a computer-readable storage medium is provided that stores a computer program or instructions which, when executed by a processor, implement the method of any one of the first to fourth aspects and any possible design described above.
[0066] In a tenth aspect, a computer program product storing instructions is provided, which, when executed by a processor, implements any of the first to fourth aspects and any possible design methods described above.
[0067] In an eleventh aspect, a chip system is provided, comprising a processor and optionally a memory, for implementing the methods of any of the first to fourth aspects and any possible designs described above. The chip system may be composed of chips, or may include chips and other discrete devices.
[0068] In a twelfth aspect, a communication system is provided, the system comprising the apparatus described in the first aspect and the apparatus described in the second aspect.
[0069] In a thirteenth aspect, a communication system is provided, the system comprising the apparatus described in the third aspect and the apparatus described in the fourth aspect.
[0070] The technical effects achievable by any of the technical solutions in the fifth to thirteenth aspects above can be understood with reference to those of the technical solution in the first aspect, and are not repeated here.
Description of the Drawings
[0071] Figure 1 is a schematic diagram of a user plane protocol stack provided in this application;
[0072] Figure 2 is a schematic diagram of the structure of a MAC PDU provided in this application;
[0073] Figure 3 is a schematic diagram of a terminal accessing a network provided in this application;
[0074] Figure 4 is a schematic diagram of an integrity protection / verification process provided in this application;
[0075] Figure 5 is a schematic diagram of an encryption / decryption process provided in this application;
[0076] Figure 6 is a structural schematic diagram of a fake base station provided in this application;
[0077] Figure 7 is a schematic diagram of a fake base station attack provided in this application;
[0078] Figure 8 is a schematic diagram of the structure of a communication system provided in this application;
[0079] Figure 9 is a schematic diagram of the architecture of an O-RAN system provided in this application;
[0080] Figure 10 is a flowchart illustrating a communication method provided in this application;
[0081] Figure 11 is a schematic diagram of the generation of verification information for a MAC subunit provided in this application;
[0082] Figure 12 is a schematic diagram of a MAC unit provided in this application;
[0083] Figure 13 is a schematic diagram of a MAC unit provided in this application;
[0084] Figure 14 is a schematic diagram of a MAC unit provided in this application;
[0085] Figure 15 is a schematic diagram of a MAC unit provided in this application;
[0086] Figure 16 is a schematic diagram of a MAC unit provided in this application;
[0087] Figure 17 is a schematic diagram of a MAC unit provided in this application;
[0088] Figure 18 is a flowchart illustrating a communication method provided in this application;
[0089] Figure 19 is a schematic diagram of a transmission method provided in this application;
[0090] Figure 20 is a schematic diagram of a transmission method provided in this application;
[0091] Figure 21 is a schematic diagram of a PDCP PDU provided in this application;
[0092] Figure 22 is a schematic diagram of a receiving method provided in this application;
[0093] Figure 23 is a schematic diagram of a receiving method provided in this application;
[0094] Figure 24 is a schematic diagram of the structure of a communication device provided in this application;
[0095] Figure 25 is a schematic diagram of the structure of a communication device provided in this application.
Detailed Description
[0096] In the description of this application, unless otherwise stated, " / " indicates that the objects before and after are in an "or" relationship. For example, A / B can mean A or B. "And / or" in this application is merely a description of the relationship between the related objects, indicating that there can be three relationships. For example, A and / or B can mean: A exists alone, A and B exist simultaneously, and B exists alone. A and B can be singular or plural.
[0097] In the description of this application, unless otherwise stated, "multiple" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.
[0098] Furthermore, to facilitate a clear description of the technical solutions in the embodiments of this application, the terms "first" and "second" are used in the embodiments of this application to distinguish identical or similar items with substantially the same function and effect. Those skilled in the art will understand that the terms "first" and "second" do not limit the quantity or execution order, and the terms "first" and "second" are not necessarily different.
[0099] In the embodiments of this application, the terms "exemplary" or "for example" are used to indicate that something is an example, illustration, or description. Any embodiment or design that is described as "exemplary" or "for example" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design. Specifically, the use of terms such as "exemplary" or "for example" is intended to present the relevant concepts in a specific manner to facilitate understanding.
[0100] It is understood that the term "embodiment" used throughout the specification means that a specific feature, structure, or characteristic related to an embodiment is included in at least one embodiment of this application. Therefore, various embodiments throughout the specification do not necessarily refer to the same embodiment. Furthermore, these specific features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. It is understood that in the various embodiments of this application, the sequence number of each process does not imply the order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0101] It is understood that in this application, "...when" and "if" both refer to the corresponding processing that will be carried out under certain objective circumstances, and are not limited to a specific time, nor do they require a judgment action to be performed during implementation, nor do they imply any other limitations.
[0102] It is understood that some optional features in the embodiments of this application can be implemented independently in certain scenarios without relying on other features, such as the current solution on which they are based, to solve the corresponding technical problems and achieve the corresponding effects. Alternatively, they can be combined with other features as needed in certain scenarios. Correspondingly, the apparatus given in the embodiments of this application can also implement these features or functions, which will not be elaborated here.
[0103] In this application, unless otherwise specified, the same or similar parts between the various embodiments can be referred to each other. In the various implementation methods of this application, unless otherwise specified or there is a logical conflict, the terminology and / or descriptions between different implementation methods are consistent and can be mutually referenced. Technical features in different implementation methods can be combined to form new embodiments based on their inherent logical relationships. The following descriptions of the embodiments of this application do not constitute a limitation on the scope of protection of this application.
[0104] To facilitate understanding of the technical solutions of the embodiments of this application, a brief introduction to the relevant technologies of this application is given below.
[0105] 1. Layered protocol stack architecture:
[0106] In the 5th generation (5G) new radio (NR) communication system, the user plane communication protocol stack architecture is shown in Figure 1. It mainly includes the Service Data Adaptation Protocol (SDAP) layer (not shown in Figure 1), the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control (RLC) layer, the Media Access Control (MAC) layer, and the Physical (PHY) layer.
[0107] In uplink (UL) transmission, data transmission proceeds in the direction of the arrows shown in Figure 1. Referring to Figure 1, at the transmitting end, data passes through the SDAP layer to the PDCP layer, is processed by the PDCP layer, and then sequentially transmitted to the RLC layer, MAC layer, and finally sent from the physical layer. At the receiving end, processing occurs in the opposite direction to that at the transmitting end. In downlink (DL) transmission, data transmission proceeds in the opposite direction of the arrows shown in Figure 1.
[0108] When data in a radio bearer (RB) passes through various protocol layers, it needs to be processed by the corresponding functional entities of each protocol layer. For example, it is processed by the PDCP entity at the PDCP layer, by the RLC entity at the RLC layer, and by the MAC entity at the MAC layer.
[0109] Wireless communication data can be broadly categorized into control signaling and user plane data. Further, user plane data can be divided into user plane data protocol data units (PDUs) and user plane control PDUs. User plane data PDUs carry communication data, while user plane control PDUs carry control information that assists in the transmission of user plane data PDUs.
[0110] For example, user plane data PDUs include data PDUs of various protocol layers, such as SDAP data PDUs, PDCP data PDUs, RLC data PDUs, and MAC subPDUs that include MAC service data units (SDUs). User plane control PDUs include control PDUs of various protocol layers, such as SDAP control PDUs, PDCP control PDUs, RLC control PDUs, and MAC subPDUs that include MAC control elements (CEs).
[0111] Taking the MAC layer as an example, as shown in Figure 2, a complete MAC PDU may be composed of a MAC subPDU including a MAC SDU and a MAC subPDU including a MAC CE. The MAC SDU is the RLC PDU submitted by the RLC layer, and the MAC CE is the information generated by the MAC layer. Optionally, the MAC PDU may also include a MAC header, also known as a MAC packet header.
[0112] Furthermore, referring to Figure 2, the MAC subPDU includes a MAC subheader, also known as a MAC subpacket header. Here, R represents a reserved field, F represents the size of the length field in the subheader, L represents the length of the MAC CE or MAC SDU, and LCID is the logical channel identification (LCID) corresponding to the MAC CE or MAC SDU.
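The subheader layout just described (R, F, LCID and an L field whose width is selected by F) is what a receiver has to walk through before it can locate each MAC SDU or MAC CE. The following parser is an added example, not code from the patent or from any 3GPP implementation; it assumes the common layout of one reserved bit, one F bit and a 6-bit LCID in the first octet, followed by an 8-bit L when F = 0 or a 16-bit L when F = 1, and treats every subPDU as carrying an L field. The sample PDU is constructed inline.

```python
"""Walk a MAC PDU subPDU by subPDU using the R/F/LCID/L subheader layout."""
from dataclasses import dataclass
from typing import List


@dataclass
class MacSubPdu:
    lcid: int       # logical channel identifier, 6 bits
    f: int          # length-field size flag: 0 -> 8-bit L, 1 -> 16-bit L
    length: int     # L: length of the MAC SDU / MAC CE in bytes
    payload: bytes  # the MAC SDU or MAC CE itself


def build_subpdu(lcid: int, payload: bytes) -> bytes:
    """Serialize one subPDU: subheader (R=0, F, LCID, L) followed by its payload."""
    if not 0 <= lcid < 64:
        raise ValueError("LCID must fit in 6 bits")
    n = len(payload)
    if n < 256:
        return bytes([lcid]) + bytes([n]) + payload                    # F=0, 8-bit L
    if n < 65536:
        return bytes([0x40 | lcid]) + n.to_bytes(2, "big") + payload   # F=1, 16-bit L
    raise ValueError("payload too long for a 16-bit L field")


def parse_mac_pdu(pdu: bytes) -> List[MacSubPdu]:
    """Split a MAC PDU into subPDUs; reject reserved-bit misuse and length fields
    that point past the end of the PDU instead of reading out of bounds."""
    subpdus: List[MacSubPdu] = []
    pos = 0
    while pos < len(pdu):
        b0 = pdu[pos]
        r = b0 >> 7
        f = (b0 >> 6) & 1
        lcid = b0 & 0x3F
        if r != 0:
            raise ValueError(f"reserved bit set in subheader at offset {pos}")
        hdr_len = 2 if f == 0 else 3
        if pos + hdr_len > len(pdu):
            raise ValueError(f"truncated subheader at offset {pos}")
        if f == 0:
            length = pdu[pos + 1]
        else:
            length = int.from_bytes(pdu[pos + 1:pos + 3], "big")
        start = pos + hdr_len
        end = start + length
        if end > len(pdu):
            raise ValueError(
                f"subPDU at offset {pos} declares L={length} but only "
                f"{len(pdu) - start} bytes remain")
        subpdus.append(MacSubPdu(lcid, f, length, pdu[start:end]))
        pos = end
    return subpdus


# Constructed sample PDU (not from the page): a short MAC SDU on LCID 4 (F=0)
# and a 300-byte one on LCID 5, which needs the 16-bit L field (F=1).
SAMPLE_PDU = build_subpdu(4, b"\x01\x02\x03") + build_subpdu(5, bytes(300))
```

In a real NR MAC entity the LCID value itself decides whether a subheader carries an L field at all (fixed-size MAC CEs and padding use a shorter subheader); this example does not model that distinction, only the R/F/LCID/L form the paragraph describes. The length checks matter because a forged L value is the obvious way to push a parser past the end of the buffer.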
[0113] 2. Air interface security procedures:
[0114] For example, in an NR system, the initial access process of a terminal device is shown in Figure 3. When the terminal device transitions from the Radio Resource Control (RRC) Idle (RRC_IDLE) state to the RRC Connected (RRC_CONNECTED) state, it needs to complete random access and interact with the Access and Mobility Management Function (AMF) network element through non-access stratum (NAS) messages. For example, in step 6, the AMF network element sends the terminal device's context to the base station, such as the PDU session context, security key, the terminal device's radio capabilities, and the terminal device's security capabilities. After receiving the terminal device's context, the base station can initiate a secure mode, i.e., execute step 7, sending a secure mode command to the terminal device.
[0115] After activating secure mode, the terminal device and base station will perform secure processing on the data. Typically, secure processing includes encryption / decryption and integrity protection / integrity verification; that is, the sending end encrypts and / or protects the integrity of the data packets, and the receiving end decrypts and / or verifies the integrity of the data packets accordingly.
[0116] 1) Integrity protection / integrity verification:
[0117] The integrity protection and verification process may include: the sending end calculates parameter A based on the data packet and key parameters; the receiving end calculates parameter B based on the data packet and key parameters; if parameters A and B are consistent, the integrity verification is successful.
[0118] For example, as shown in Figure 4, in the air interface integrity protection mechanism, the sending end uses regularly changing parameters and the data packet to perform a calculation according to fixed rules to obtain a message authentication code for integrity (MAC-I), and then sends the data packet and the MAC-I together to the receiving end. At the receiving end, the expected message authentication code for integrity (XMAC-I) is calculated from the same parameters with the same rules, and the MAC-I and XMAC-I are compared to determine whether the received data is intact, thereby achieving the purpose of protecting data integrity.
[0119] Referring to Figure 4, the input parameters used for integrity protection and authentication include the key, count, message, direction of transmission, and bearer identifier. Explanations of each parameter are shown in Table 1.
[0120] Table 1
[0121] 2) Encryption / Decryption:
[0122] The encryption and decryption process may include: the sending end converting the data packet into ciphertext through calculation based on parameters such as the key, and the receiving end converting the ciphertext into plaintext through inverse calculation based on parameters such as the key.
[0123] For example, as shown in Figure 5, in the air interface encryption / decryption mechanism, the sending end generates a keystream (KEYSTREAMBLOCK) based on the input parameters, and then XORs the keystream with the input plaintext (PLAINTEXTBLOCK) to obtain the ciphertext (CIPHERTEXTBLOCK). At the receiving end, the same keystream is generated using the same input parameters as the sending end, and then XORed with the ciphertext to obtain the plaintext. Here, NEA denotes the NR encryption algorithm.
[0124] The input parameters include the encryption key (KEY), the counter (COUNT), the wireless bearer identifier (BEARER), the transmission direction (DIRECTION), and the length of the required key stream (LENGTH).
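Paragraphs [0117] to [0119] and [0122] to [0124] describe the two procedures over the same parameter set: the integrity function turns (KEY, COUNT, BEARER, DIRECTION, MESSAGE) into a MAC-I that the receiver recomputes as XMAC-I, and the ciphering function turns (KEY, COUNT, BEARER, DIRECTION, LENGTH) into a keystream that is XORed with the data. The block below is an added example, not code from the patent or from a 3GPP algorithm specification: HMAC-SHA256 stands in for the NIA/NEA algorithms, which this page does not specify, and the parameter widths (32-bit COUNT, 5-bit BEARER, 1-bit DIRECTION) and the 32-bit MAC-I length are assumed. Keys and messages are constructed sample values.

```python
"""MAC-I / XMAC-I integrity check and keystream ciphering over the air-interface
parameter set. HMAC-SHA256 is a stand-in for the unspecified NIA/NEA algorithms."""
import hashlib
import hmac


def _params(count: int, bearer: int, direction: int) -> bytes:
    """Pack the per-packet parameters: 32-bit COUNT, 5-bit BEARER, 1-bit DIRECTION
    (widths assumed, not stated on the page)."""
    if not 0 <= count < 2 ** 32 or not 0 <= bearer < 32 or direction not in (0, 1):
        raise ValueError("parameter out of range")
    return count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2)])


def mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Sending end: 32-bit MAC-I over the parameters and the message."""
    tag = hmac.new(key, _params(count, bearer, direction) + message, hashlib.sha256)
    return tag.digest()[:4]


def verify_integrity(key: bytes, count: int, bearer: int, direction: int,
                     message: bytes, received_mac_i: bytes) -> bool:
    """Receiving end: compute XMAC-I with the same inputs and compare it with the
    received MAC-I in constant time."""
    xmac_i = mac_i(key, count, bearer, direction, message)
    return hmac.compare_digest(xmac_i, received_mac_i)


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """KEYSTREAMBLOCK of `length` bytes; identical inputs on both ends give the same
    stream, and a different COUNT gives an unrelated one."""
    seed = _params(count, bearer, direction)
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR the data with the keystream. The same call decrypts, since XOR is its own
    inverse; LENGTH is taken from the data."""
    ks = keystream(key, count, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed sample values (not from the page)
K_INT = bytes(range(16))
K_ENC = bytes(range(16, 32))
MSG = b"PDCP data PDU payload"


def demo() -> dict:
    """Run the sender and receiver sides and report what the receiver concludes."""
    count, bearer, direction = 7, 1, 0
    tag = mac_i(K_INT, count, bearer, direction, MSG)
    ct = cipher(K_ENC, count, bearer, direction, MSG)
    tampered = bytes([MSG[0] ^ 0x01]) + MSG[1:]
    return {
        "round_trip": cipher(K_ENC, count, bearer, direction, ct) == MSG,
        "ciphertext_differs": ct != MSG,
        "genuine_ok": verify_integrity(K_INT, count, bearer, direction, MSG, tag),
        "tampered_ok": verify_integrity(K_INT, count, bearer, direction, tampered, tag),
        "wrong_count_ok": verify_integrity(K_INT, count + 1, bearer, direction, MSG, tag),
    }
```

The last two entries in `demo()` are the point of the COUNT input: a modified packet fails, and so does a genuine packet checked against the wrong COUNT, which is what lets the receiver reject replays as well as forgeries.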
[0125] 3. Fake base station attacks:
[0126] A fake base station is an illegal base station, typically composed of simple wireless devices and dedicated open-source software. It can simulate a legitimate base station, sending signaling to a target terminal according to relevant protocols to obtain the target terminal's information.
[0127] For example, as shown in Figure 6 or Figure 7(a), a network attacker can place a fake base station within the coverage area of a target base station. This allows the fake base station to force nearby terminal devices to perform cell reselection, location updates, and handovers, thereby deceiving the terminal devices into providing incorrect information to achieve purposes such as spreading viruses or committing online fraud. Furthermore, fake base stations may also intercept communication between the base station and the terminal devices, thereby eavesdropping on users' private data.
[0128] Meanwhile, while launching deceptive attacks on terminal devices, fake base stations also interfere with normal communication between the network and the terminal devices, impacting network performance. For example, as shown in Figure 7(b), when a terminal device connects to a fake base station, it may use incorrect system messages provided by the fake base station, causing the terminal device to be unable to be paged by the network and thus unable to access the network normally. Furthermore, system messages may be intercepted and illegally modified by the fake base station, causing the terminal device to use incorrect paging parameters, which in turn prevents the terminal device from communicating normally with legitimate base stations, ultimately resulting in handover failures, dropped calls, and other issues.
[0129] Furthermore, as shown in Figure 7(c), after attracting terminal devices to camp on the fake base station, the fake base station can also use malicious terminals to relay encrypted data between legitimate terminals and the base station. For example, in the uplink, the fake base station receives communication data from the legitimate terminal and transmits it to the legitimate base station via the malicious terminal; in the downlink, the malicious terminal receives communication data from the legitimate base station and transmits it to the legitimate terminal via the fake base station. In this scenario, legitimate terminals and legitimate base stations are unlikely to detect the existence of the fake base station and the malicious terminal, thus the fake base station or the malicious terminal may launch a man-in-the-middle attack.
[0130] Currently, the aforementioned security measures are performed at the PDCP layer and are limited to user plane PDUs within the PDCP layer. No security measures are applied to other user plane PDUs. However, many other user plane PDUs besides data PDUs may carry important control information. If exploited by fake base stations or unauthorized terminals to forge or monitor these PDUs, it will pose significant security risks. For example, fake base stations can use man-in-the-middle attacks to transmit upper-layer encrypted data while tampering with or forging lower-layer signaling, or launch attacks by dropping packets, thereby impacting the user's service experience.
[0131] Based on this, this application provides a communication method and apparatus for integrity protection of data units in the protocol layers below the PDCP layer. The method and apparatus are based on the same concept, and since the principles by which the method and apparatus solve the problem are similar, their implementations can be referred to interchangeably, and repeated details will not be elaborated further.
[0132] The technical solutions of this application embodiment can be used in various communication systems, including third-generation partnership project (3GPP) communication systems, such as fourth-generation (4G) systems like long-term evolution (LTE), 5G systems like NR, LTE and 5G hybrid networking systems, non-terrestrial networks (NTN), or future communication systems. The communication system can also be a non-3GPP communication system; there is no limitation on this.
[0133] The communication systems described above are merely illustrative examples, and are not limited to those described herein. The communication systems provided in this application do not impose any limitations on the solutions described herein. This will be explained uniformly here and will not be repeated below.
[0134] Please refer to Figure 8, which illustrates a communication system applicable to an embodiment of this application. The communication system includes a wireless access network 100 and a core network 200. Optionally, the communication system may also include the Internet.
[0135] The wireless access network 100 may include at least one network device and at least one terminal device. For example, the wireless access network 100 includes two network devices, 110a and 110b, and terminal devices 120a to 120j. The network architecture shown in Figure 8 is only schematic; the number of terminal devices and / or network devices may be fewer or more. The communication system described in the embodiments of this application is for the purpose of more clearly illustrating the technical solutions of the embodiments of this application and does not constitute a limitation on the communication system to which the embodiments of this application are applicable. For example, the communication system may also include other devices, such as wireless relay devices and wireless backhaul devices, which are not shown in Figure 8. As those skilled in the art will know, with the evolution of network architecture, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems. When applying the technical solutions of the embodiments of this application to other communication systems, the devices, components, modules, etc. in the embodiments can be replaced with corresponding devices, components, modules in other communication systems without limitation.
[0136] In this embodiment, the network device refers to a radio access network (RAN) device. The RAN can be a 3GPP-related cellular system, such as a 5G / new radio (NR) mobile communication system, or a future-oriented evolution system (e.g., a 6G mobile communication system). The RAN can also be an open RAN (O-RAN or ORAN), a cloud radio access network (CRAN), or a virtualized RAN (vRAN), etc. The RAN can also be a communication system that integrates two or more of the above systems. The RAN device can also be referred to as a RAN node, RAN entity, or access node, etc.
[0137] In one possible scenario, a RAN node can be a base station, an evolved NodeB (eNodeB), an access point (AP), a transmission reception point (TRP), a next-generation NodeB (gNB), a next-generation network device in a 6G mobile communication system, or a network device in a future mobile communication system. A RAN node can be a macro network device, a micro network device, an indoor station, a relay node, a donor / host node, or a radio controller. RAN nodes can also be servers, wearable devices, vehicles, or in-vehicle equipment. For example, in V2X technology, a RAN node can be a roadside unit (RSU).
[0138] In another possible scenario, a RAN node can be a module or unit that performs some functions of a network device; or multiple RAN nodes can collaborate to assist terminal devices in achieving wireless access, with different RAN nodes each performing some functions of the network device. For example, a RAN node can be a central unit (CU), a distributed unit (DU), or a radio unit (RU). The function of a CU can be implemented by a single entity or by different entities. For example, the function of a CU can be further divided, that is, the control plane and the user plane can be separated and implemented by different entities, namely the control plane CU entity (i.e., CU-control plane (CP) entity) and the user plane CU entity (i.e., CU-user plane (UP) entity). The CU-CP entity and the CU-UP entity can be coupled with the DU to jointly complete the function of the RAN node. The CU and DU can be set up separately or included in the same network element, such as in the baseband unit (BBU). Any of the units among the CU (or CU-CP, CU-UP), DU, and RU in this application can be implemented by software modules, hardware modules, or a combination of software modules and hardware modules.
[0139] In different systems, CU (or CU-CP and CU-UP), DU, or RU may have different names, but those skilled in the art will understand their meaning. For example, in an ORAN system, CU can also be called O-CU (open CU), DU can also be called O-DU, CU-CP can also be called O-CU-CP, CU-UP can also be called O-CU-UP, and RU can also be called O-RU. For ease of description, this application uses CU, CU-CP, CU-UP, DU, and RU as examples.
[0140] The CU and DU can be configured according to the protocol layer functions of the wireless network they implement: for example, the CU can be configured to implement the functions of the Packet Data Convergence Protocol (PDCP) layer and above (such as the Radio Resource Control (RRC) layer and / or the Service Data Adaptation Protocol (SDAP) layer); the DU can be configured to implement the functions of the protocol layers below the PDCP layer (such as the Radio Link Control (RLC) layer, the Media Access Control (MAC) layer, and / or the Physical (PHY) layer). For specific descriptions of the above protocol layers, please refer to the relevant 3GPP technical specifications or the technical specifications of other applicable communication protocols.
[0141] In one implementation, the network device is divided into CU and DU. The CU is configured to implement the functions of the PDCP layer and above (e.g., RRC layer and / or SDAP layer); the DU is configured to implement the functions of the protocol layers below the PDCP layer (e.g., RLC layer, MAC layer, and / or PHY layer). The CU and DU communicate via the F1 interface. In another implementation, the network device is divided into CU and DU. The CU includes CU-CP and CU-UP. CU-CP implements the control plane functions of the CU, and CU-UP implements the user plane functions of the CU. CU-CP and CU-UP can communicate via the E1 interface. CU-CP and DU communicate via the F1 interface (also called F1-C) supporting the control plane, and CU-UP and DU communicate via the F1 interface (also called F1-U) supporting the user plane. CU-CP is configured to implement the control plane and RRC layer functions of the PDCP layer, and CU-UP is configured to implement the user plane and SDAP layer functions of the PDCP layer. The DU is configured to implement the functions of protocol layers below the PDCP layer (such as the RLC layer, MAC layer, and / or PHY layer).
[0142] The above division of the processing functions of CU and DU according to protocol layers is merely an example; other division methods are also possible, and this application does not limit this. For example, in one design, CU or DU can be further divided into processing functions with protocol layers. In one design, some functions of the RLC layer and the functions of the protocol layer above the RLC layer are located in the CU, while the remaining functions of the RLC layer and the functions of the protocol layer below the RLC layer are located in the DU.
[0143] In another possible design, the DU and RU collaborate to implement the PHY layer functionality, or, more specifically, a portion of the PHY layer functionality of the DU can be moved to the RU. A DU can be connected to one or more RUs. The functions of the DU and RU can be configured in various ways depending on the design. For example, the DU may be configured to implement baseband functions, and the RU may be configured to implement mid-RF functions. Alternatively, the DU may be configured to implement higher-level functions in the PHY layer, and the RU may be configured to implement lower-level functions in the PHY layer, or both lower-level and RF functions. Higher-level functions in the physical layer may include a portion of the physical layer's functionality closer to the MAC layer, and lower-level functions may include another portion of the physical layer's functionality closer to the mid-RF side. This application does not limit the specific functions of the DU and RU. The interface between the DU and RU can be called a fronthaul interface. In one design, the CU may not have a PDCP layer; for example, the CU may only include an RRC layer. The CU-CP may not have PDCP-C. The CU-UP may not have PDCP-U, or may not have a CU-UP. In one design, the DU may not have an RLC layer; for example, the DU may only have a MAC and a higher PHY layer.
[0144] When the RAN is O-RAN, it can also have artificial intelligence (AI) capabilities. For example, O-RAN includes an intelligent controller. The intelligent controller can be a non-real-time RAN intelligent controller (RIC / non-RT RIC / NRT RIC) or a near-real-time RAN intelligent controller (RIC / near-RT RIC / nRT RIC). A non-real-time RIC can be used to implement non-real-time intelligent management of RAN functions, enabling workflows including model training and model updates, and guiding applications / functions in the nRT RIC based on policies. A near-real-time RIC can be used to implement near-real-time intelligent management of the RAN. Through data collection and related operations on the E2 interface, near-real-time control and optimization of O-RAN modules and resources are achieved.
[0145] In the embodiments of this application, the means for implementing the functions of the network device can be the network device itself, or it can be a means that supports the network device in implementing the functions, such as a chip system or a combination of devices or components that can implement the functions of the network device. This means can be installed in the network device. The embodiments of this application do not limit the specific technology or specific device form used in the network device.
[0146] In this application embodiment, any device capable of data communication with network devices can be considered a terminal device. Terminal devices are also called terminals, terminal equipment, user equipment (UE), user devices, mobile stations, or mobile terminals, etc. Terminal devices can be widely used in various scenarios. For example, terminal devices can be: mobile phones, computers, mobile internet devices (MID), wearable devices, virtual reality (VR) devices, augmented reality (AR) devices, stations (STA), robotic arms, cameras, robots, vehicles, drones, helicopters, airplanes, ships, or smart home devices (such as televisions, air conditioners, robot vacuums, speakers, set-top boxes), relays, customer premises equipment (CPE), etc.
[0147] Furthermore, in this embodiment, the terminal device can also be a terminal device in an IoT system, such as a water meter or electricity meter. IoT is an important component of future information technology development. Its main technical characteristic is connecting objects to networks through communication technology, thereby realizing an intelligent network that enables human-machine interconnection and object-to-object interconnection.
[0148] When the terminal device is applied to V2X, it can also be called a V2X device, such as a smart car, digital car, unmanned car, driverless car, pilotless car, autonomous car, pure electric vehicle, hybrid electric vehicle (HEV), range-extended electric vehicle (REEV), plug-in hybrid electric vehicle (PHEV), new energy vehicle, and RSU.
[0149] The various terminal devices described above, if located on a vehicle (e.g., placed / installed inside the vehicle), can all be considered in-vehicle terminal devices. In-vehicle terminal devices can be built into a vehicle's in-vehicle module, in-vehicle component, in-vehicle chip, or in-vehicle unit as one or more components or units. The vehicle can implement the methods of this application through the built-in in-vehicle module, in-vehicle component, in-vehicle chip, or in-vehicle unit. In-vehicle terminal devices can be vehicle equipment, in-vehicle modules, vehicles, in-vehicle units (on-board units, OBUs), remote sensing units (RSUs), in-vehicle infotainment systems (or in-vehicle transmission units) (telematics boxes, T-boxes), chips, or systems on a chip (SOCs), etc. These chips or SOCs can be installed in the vehicle, OBU, RSU, or T-box.
[0150] In the embodiments of this application, the device for implementing the functions of the terminal device can be the terminal device itself, or a device capable of supporting the terminal device in implementing the functions, such as a chip system or a combination of devices or components capable of implementing the functions of the terminal device. This device can be installed in the terminal device. The embodiments of this application do not limit the specific technology or specific device form used in the terminal device.
[0151] Figure 9 illustrates an example of an O-RAN system, with network devices serving as the access network device in the example. It should be understood that the O-RAN system may also include components other than those shown in Figure 9, without specific limitations. As shown in Figure 9, the access network device can communicate with the core network (CN) via a backhaul link and with terminal devices via an air interface. For example, the access network device may include a baseband unit (BBU) and a radio unit (RU). The BBU includes at least one central unit (CU) and at least one distributed unit (DU), which can communicate via at least one midhaul link. The RU can implement lower physical layer (PHY) and radio frequency (RF) functions. In some examples, the RU may be a 3GPP transmission reception point (TRP), a remote radio head (RRH), or other similar entities. In some examples, Low-PHY may include PHY processing functions such as Fast Fourier Transform (FFT), Inverse Fast Fourier Transform (IFFT), digital beamforming, and filtering. The BBU can communicate with the CN via a backhaul link, and the RU can communicate with at least one terminal device via an air interface. The BBU can also communicate with at least one RU via a fronthaul link. The BBU and RU may or may not be co-located.
[0152] The network architecture and business scenarios described in the embodiments of this application are for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions provided in the embodiments of this application. As those skilled in the art will know, with the evolution of network architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
[0153] The technical features involved in the embodiments of this application are described below.
[0154] In this application, the count value can also be described as a sequence number (SN), etc.
[0155] In this application, the verification information may also be referred to as a verification code, MAC-I, authentication code, authentication information, etc., or may be given some other name; no specific limitation is made here.
[0156] Figure 10 shows a flowchart of a communication method provided in an embodiment of this application. In this method, the sending end can perform secure processing on data units of the MAC layer. For example, the sending end calculates the verification information of the MAC subunit based on parameters such as the count value corresponding to the MAC subunit, and the receiving end verifies the MAC subunit based on parameters such as the count value corresponding to the MAC subunit. This application maintains a count value at the MAC subunit granularity in the MAC unit and defines the position carrying the count value in the MAC unit, enabling the receiving end to obtain the count value, thereby achieving integrity verification of the MAC subunit and improving communication security performance. Furthermore, in this application, the count value is maintained at the MAC subunit granularity, which is beneficial to improving the security performance of the MAC layer.
[0157] The method includes:
[0158] S1001, the first communication device determines the first MAC unit.
[0159] For example, the first communication device can be understood as a transmitting end. The first communication device can be a terminal device in the communication system shown in Figure 8, or a component of the terminal device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can implement all or part of the functions of the terminal device; or, the first communication device can be a network device in the communication system shown in Figure 8, or a component of the network device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can implement all or part of the functions of the network device.
[0160] In the following text, the second communication device can be understood as a receiving end. The second communication device can be a terminal device in the communication system shown in Figure 8, or a component of the terminal device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can realize all or part of the functions of the terminal device; or, the second communication device can be a network device in the communication system shown in Figure 8, or a component of the network device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can realize all or part of the functions of the network device.
[0161] In this application, the first MAC unit may include verification information for at least one MAC subunit. This verification information may be generated based on verification information corresponding to each of the at least one MAC subunit; for example, the verification information corresponding to each of the at least one MAC subunit may be XORed. Alternatively, the verification information may include verification information corresponding to each of the at least one MAC subunit, and this verification information is used to perform integrity verification on the at least one MAC subunit, or, as described, the verification information is used to verify the integrity of the at least one MAC subunit.
[0162] The verification information corresponding to a MAC subunit is used to perform integrity verification on that MAC subunit, or in other words, it is used to verify the integrity of that MAC subunit.
[0163] Optionally, taking the first MAC subunit in the at least one MAC subunit as an example, the verification information corresponding to the first MAC subunit can be determined based on the first count value corresponding to the first MAC subunit. For example, the verification information corresponding to the first MAC subunit can be obtained based on the first count value and at least one of the following: the key, the first MAC subunit, the transmission direction of the first MAC unit, and the LCID corresponding to the first MAC subunit, as shown in Figure 11. It should be understood that Figure 11 is only an example and does not specifically limit the input information of the verification information.
[0164] For example, the first MAC unit can be a MAC data unit, such as a MAC PDU. The MAC subunit can be a MAC subPDU, etc.
[0165] As mentioned above, the verification information of the MAC subunit is determined based on the count value corresponding to the MAC subunit. In order for the receiving end to obtain the count value corresponding to the MAC subunit and thus realize the integrity verification of the MAC subunit, this application also provides a scheme for maintaining the count value corresponding to the MAC subunit and a scheme for the MAC unit to indicate the count value corresponding to the MAC subunit. The specific schemes will be described in detail below.
[0166] S1002, the first communication device sends the first MAC unit. Correspondingly, the second communication device receives the first MAC unit.
[0167] S1003, the second communication device verifies the verification information of the first MAC subunit based on the first count value.
[0168] In one possible implementation, the second communication device can generate verification information for the first MAC sub-unit based on a first count value, and verify the first MAC sub-unit based on its own generated verification information and the verification information generated by the first communication device. For example, if the verification information generated by the second communication device is the same as that generated by the first communication device, the first MAC sub-unit is verified successfully. If the verification information generated by the second communication device is different from that generated by the first communication device, the first MAC sub-unit fails verification.
[0169] The method by which the second communication device generates the verification information of the first MAC subunit is the same as the method by which the first communication device generates it, and is not described again here.
[0170] Optionally, as described in S1001, the verification information included in the first MAC unit may be generated based on the verification information corresponding to each of the at least one MAC sub-unit. In this method, after receiving the first MAC unit, the second communication device can determine the verification information corresponding to each of the at least one MAC sub-unit based on the verification information carried by the first MAC unit. Alternatively, the second communication device may also generate the verification information corresponding to each of the at least one MAC sub-unit, generate verification information based on the verification information corresponding to each of the at least one MAC sub-unit, and then verify the verification information with the verification information carried by the MAC unit.
[0171] In this application, the transmitting end can perform secure processing on data units of the MAC layer. For example, the transmitting end calculates the verification information of the MAC subunit based on parameters such as the count value corresponding to the MAC subunit, and the receiving end verifies the MAC subunit based on parameters such as the count value corresponding to the MAC subunit. This application maintains a count value at the MAC subunit granularity in the MAC unit and defines the position carrying the count value in the MAC unit, enabling the receiving end to obtain the count value and thus realize integrity verification of the MAC subunit, which is beneficial to improving communication security performance. Furthermore, in this application, the count value is maintained at the MAC subunit granularity, which is beneficial to improving the security performance of the MAC layer.
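The per-subunit derivation in S1001 and the recompute-and-compare check in S1003, written out as an added worked example in Python (not code from the patent or from Huawei). The patent lists the inputs of the verification information but does not fix the integrity algorithm, so HMAC-SHA256 truncated to a 32-bit tag, the key bytes, the count value and the byte layout are assumptions made for this illustration; LCID 57 is taken from Table 2 of the page:

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for this illustration; the patent lists the inputs of the
# verification information but not the integrity algorithm, so HMAC-SHA256
# truncated to a 32-bit tag is an assumption, as are the key and the layout.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
UPLINK, DOWNLINK = 0, 1
MAC_I_LEN = 4


def verification_info(key, count, direction, lcid, subunit):
    """Verification information of one MAC subunit.

    The tag binds the subunit bytes to the count value, the transmission
    direction and the LCID, so a modified, replayed or re-labelled subunit no
    longer matches what the receiver recomputes.
    """
    hdr = struct.pack(">IBB", count & 0xFFFFFFFF, direction & 0xFF, lcid & 0xFF)
    return hmac.new(key, hdr + subunit, hashlib.sha256).digest()[:MAC_I_LEN]


def protect_subunit(key, count, direction, lcid, subunit):
    """Sender side (S1001): append the verification information to the subunit."""
    return subunit + verification_info(key, count, direction, lcid, subunit)


def verify_subunit(key, count, direction, lcid, protected):
    """Receiver side (S1003): recompute the tag from the same inputs and compare.

    Equal tags mean success; anything else, including a truncated subunit, fails.
    """
    if len(protected) < MAC_I_LEN:
        return False
    body, received = protected[:-MAC_I_LEN], protected[-MAC_I_LEN:]
    expected = verification_info(key, count, direction, lcid, body)
    return hmac.compare_digest(expected, received)


def demo():
    """Protect one constructed MAC CE and show which receiver-side inputs must match."""
    ce = bytes([0x3C, 0x00, 0x01, 0x0F])  # constructed MAC CE bytes
    count, lcid = 7, 57                   # constructed count value; LCID 57 from Table 2
    wire = protect_subunit(KEY, count, UPLINK, lcid, ce)
    tampered = bytes([wire[0] ^ 0x80]) + wire[1:]
    return {
        "genuine": verify_subunit(KEY, count, UPLINK, lcid, wire),
        "tampered": verify_subunit(KEY, count, UPLINK, lcid, tampered),
        "wrong_count": verify_subunit(KEY, count + 1, UPLINK, lcid, wire),
        "wrong_direction": verify_subunit(KEY, count, DOWNLINK, lcid, wire),
        "wrong_lcid": verify_subunit(KEY, count, UPLINK, 58, wire),
    }
```

Because the count value, direction and LCID are inputs to the tag, the receiver rejects not only a modified subunit but also a subunit presented with a stale count value or under a different LCID; the comparison uses `hmac.compare_digest` so that the check does not leak timing information about the expected tag.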
[0172] The following describes four ways of maintaining the count value.
[0173] Method 1: MAC sub-units belonging to the same category maintain a single count value, or, in other words, MAC sub-units belonging to the same category share (or correspond to or reuse) a single count value. In one exemplary description, MAC sub-units belonging to the same category correspond to the same count value, and MAC sub-units belonging to different categories correspond to different count values. Here, "corresponding to the same count value" can be understood as corresponding to the same count value parameter or field, and "corresponding to different count values" can be understood as corresponding to different count value parameters or fields.
[0174] For example, a first MAC unit includes at least one MAC subunit belonging to a first category (including the first MAC subunit), and each of the at least one MAC subunit belonging to the first category corresponds to a first count value. For instance, a first MAC unit includes a first MAC subunit and a second MAC subunit. The first MAC subunit and the second MAC subunit correspond to the first count value, and both the first MAC subunit and the second MAC subunit belong to the first category.
[0175] Optionally, if the first MAC unit further includes at least one MAC sub-unit belonging to the second category, the at least one MAC sub-unit belonging to the second category may correspond to the second count value, and the first count value and the second count value may correspond to different fields. For example, the first MAC unit may also include a third MAC sub-unit, the third MAC sub-unit corresponding to the second count value, and the third MAC sub-unit belonging to the second category.
[0176] In one implementation, Method 1 categorizes MAC subunits according to at least one of the following: the application scenario of the MAC subunit (e.g., a carrier aggregation (CA) scenario, a random access procedure, an energy-saving scenario, etc.), the purpose of the MAC subunit (for CA, for a random access procedure, for energy saving, etc.), or the information included in the MAC subunit. For example, the first or second category mentioned above can be related to at least one of the following: the application scenario of the MAC subunit, the purpose of the MAC subunit, and the information included in the MAC subunit.
[0177] For example, either Category 1 or Category 2 can be any of the following: a MAC subunit for CA scenarios, a MAC subunit for random access procedures, or a MAC subunit for energy-saving scenarios. Alternatively, either Category 1 or Category 2 can be any of the following: a MAC CE for CA scenarios, a MAC CE for random access procedures, or a MAC CE for energy-saving scenarios.
[0178] Taking the MAC CEs shown in Table 2 as an example, the first category is MAC CEs used in CA scenarios. This can also be understood as MAC CEs used in CA scenarios maintaining a count value. For example, MAC CEs used in CA scenarios include the MAC CE corresponding to LCID 57 and the MAC CE corresponding to LCID 58. Therefore, the MAC CE corresponding to LCID 57 and the MAC CE corresponding to LCID 58 maintain a count value, or it can be described as sharing a field or parameter of a count value.
[0179] In another example, the first category is MAC CEs used in energy-saving scenarios. This can also be understood as MAC CEs used in energy-saving scenarios maintaining a count value. For example, MAC CEs used in energy-saving scenarios include the MAC CEs corresponding to LCID 59 and LCID 60. Therefore, the MAC CEs corresponding to LCID 59 and LCID 60 maintain a count value, or they can be described as sharing a field or parameter of a count value.
[0180] Table 2
[0181] In another implementation, Method 1 can also categorize MAC subunits according to the information they contain. For example, the first or second category could be any one of the following: the MAC subunit corresponding to the MAC CE (or described as a MAC subunit including the MAC CE), the MAC subunit corresponding to the SDU (or described as a MAC subunit including the SDU), or the MAC subunit corresponding to the padding field (or described as a MAC subunit including the padding field). Taking MAC CE as the first category, this method can also be understood as maintaining a count value for all MAC CEs in the first MAC unit.
[0182] Based on Method 1, three ways of indicating the count value are introduced here.
[0183] In Method 1-1, the first count value can be carried in the MAC header of the MAC unit. Optionally, the MAC header can also indicate the correspondence between the first category and the first count value. Thus, the second communication device can determine that the MAC sub-unit belonging to the first category generates verification information based on the first count value.
[0184] Optionally, if the first MAC unit also includes MAC sub-units belonging to other categories, the MAC header also includes the count values corresponding to the MAC sub-units of other categories, and the MAC header can also indicate the correspondence between other categories and their corresponding count values. Taking the first category and the second category as examples, the MAC header can include a first count value and a second count value, and the MAC header indicates the correspondence between the first count value and the first category, as well as the correspondence between the second count value and the second category.
[0185] For ease of description, MAC subunits belonging to a certain category will be referred to as MAC subunits corresponding to that category. That is, MAC subunits belonging to the first category will be referred to as MAC subunits corresponding to the first category, MAC subunits belonging to the second category will be referred to as MAC subunits corresponding to the second category, and so on.
[0186] For example, suppose the first MAC unit includes MAC sub-units corresponding to n categories. The MAC header of the first MAC unit may include n fields, where the n fields are used to carry the count values corresponding to the n categories, and the n fields correspond one-to-one with the n categories.
[0187] Taking MAC CE as the first category and SDU as the second category as an example, assume that the first and second MAC sub-units include a MAC CE and the third MAC sub-unit includes an SDU. The MAC header of the first MAC unit can include two fields: field 1 corresponds to the first category and carries the first count value; field 2 corresponds to the second category and carries the second count value, as shown in Figure 12.
[0188] Another example is that, assuming the first MAC unit includes MAC sub-units corresponding to n categories, the MAC header of the first MAC unit may include n count values and the identification information of the n categories, wherein the n count values and the identification information of the n categories correspond one-to-one, for example, they correspond one-to-one in a preset order.
[0189] Of course, the MAC header can also indicate the count value and the correspondence between the count value and the category in other ways, which are not specifically limited here.
[0190] In Method 1-2, the first count value can be carried in the first MAC CE of the MAC unit. Optionally, the first MAC CE can also indicate the correspondence between the first category and the first count value. Thus, the second communication device can determine that the MAC subunit belonging to the first category generates verification information based on the first count value.
[0191] Optionally, if the first MAC unit further includes MAC sub-units belonging to other categories, the first MAC CE also includes the count values corresponding to the MAC sub-units of other categories, and the first MAC CE can also indicate the correspondence between other categories and their corresponding count values. Taking the first category and the second category as examples, the first MAC CE can include a first count value and a second count value, and the first MAC CE indicates the correspondence between the first count value and the first category, as well as the correspondence between the second count value and the second category.
[0192] In Method 1-2, the way the first count value is carried in the first MAC CE is similar to the way the first count value is carried in the MAC header. The way the correspondence between the count value and the category is indicated in the first MAC CE is similar to the way the correspondence between the count value and the category is indicated in the MAC header. For details, please refer to the relevant description of Method 1-1; they are not repeated here.
[0193] In Method 1-3, the first count value can be carried in the MAC sub-header of a MAC sub-unit belonging to the first category. For example, the first count value can be carried in the MAC sub-header of the first MAC sub-unit, the MAC sub-header of the second MAC sub-unit, or the MAC sub-header of another MAC sub-unit belonging to the first category. Optionally, the MAC sub-header of the MAC sub-unit can indicate the first category, for example by including identification information of the first category. Thus, the second communication device can determine that the MAC sub-unit belonging to the first category generates verification information based on the first count value.
[0194] Optionally, if the first MAC unit also includes MAC sub-units belonging to other categories, the count value corresponding to such a category can be carried in the MAC sub-header of a MAC sub-unit belonging to that category. Optionally, the MAC sub-header of that MAC sub-unit can indicate the second category, for example by including identification information of the second category. Thus, the second communication device can determine that the MAC sub-unit belonging to the second category generates verification information based on the second count value.
[0195] Taking MAC CE as the first category and SDU as the second category as an example, assume that the first and second MAC sub-units include a MAC CE and the third MAC sub-unit includes an SDU. The MAC sub-header of the first MAC sub-unit includes the first count value and information about the first category, etc. The MAC sub-header of the third MAC sub-unit includes the second count value and information about the second category, etc., as shown in Figure 13.
[0196] Method 2: One MAC subunit maintains one count value, or, in other words, one MAC subunit corresponds to one count value. In one exemplary description, one MAC subunit corresponds to one count value, and different MAC subunits correspond to different count values. Here, "corresponding to the same count value" can be understood as corresponding to the same count value parameter or field, and "corresponding to different count values" can be understood as corresponding to different count value parameters or fields.
[0197] For example, the first MAC unit includes a first MAC subunit and a second MAC subunit; the first MAC subunit corresponds to a first count value, and the second MAC subunit corresponds to a second count value.
[0198] In one possible implementation, the first MAC unit includes at least one MAC CE, each MAC CE maintaining (or corresponding to) a count value.
[0199] Optionally, based on Method 2, the count value can be indicated by carrying the count value corresponding to a MAC sub-unit in the MAC sub-header of that MAC sub-unit. For example, taking the first MAC sub-unit as an example, the first count value is carried in the MAC sub-header of the first MAC sub-unit.
[0200] For example, suppose the first MAC unit includes n MAC sub-units. The MAC sub-header of each MAC sub-unit can contain a field that carries the count value corresponding to that MAC sub-unit.
[0201] Taking the first MAC subunit and the second MAC subunit mentioned above as examples, the MAC sub-header of the first MAC subunit may include the first count value, and the MAC sub-header of the second MAC subunit may include the second count value, as shown in Figure 14.
[0202] Method 3: MAC subunits belonging to the same group maintain a single count value, or, in other words, MAC subunits belonging to the same group share (or correspond to or reuse) a single count value. In one exemplary embodiment, MAC subunits belonging to the same group correspond to the same count value, and MAC subunits belonging to different groups correspond to different count values. Here, "corresponding to the same count value" can be understood as corresponding to the same count value parameter or field, and "corresponding to different count values" can be understood as corresponding to different count value parameters or fields.
[0203] For example, a first MAC unit includes a first MAC sub-unit group (which includes a first MAC sub-unit), and the first MAC sub-unit group corresponds to a first count value. That is, all MAC sub-units included in the first MAC sub-unit group correspond to the first count value. For instance, a first MAC unit includes a first MAC sub-unit and a second MAC sub-unit. The first MAC sub-unit and the second MAC sub-unit correspond to the first count value, and the first MAC sub-unit and the second MAC sub-unit belong to the first MAC sub-unit group.
[0204] Optionally, if the first MAC unit further includes a second MAC sub-unit group, the second MAC sub-unit group may correspond to a second count value; that is, all MAC sub-units included in the second MAC sub-unit group correspond to the second count value. The first count value and the second count value correspond to different fields. For example, the first MAC unit may also include a third MAC sub-unit, the third MAC sub-unit corresponding to the second count value and belonging to the second MAC sub-unit group.
[0205] Based on Method 3, three ways of indicating the count value are introduced here.
[0206] In method 3-1, the first count value can be carried in the MAC header of the MAC unit. Optionally, the MAC header can also indicate the correspondence between the first MAC sub-unit group and the first count value. Thus, the second communication device can determine that the MAC sub-unit belonging to the first MAC sub-unit group generates verification information based on the first count value.
[0207] Optionally, if the first MAC unit also includes other MAC subunit groups, the MAC header also includes the count values corresponding to the other MAC subunit groups, and the MAC header can also indicate the correspondence between the other MAC subunit groups and their corresponding count values. Taking the first MAC subunit group and the second MAC subunit group as examples, the MAC header can include a first count value and a second count value, and the MAC header indicates the correspondence between the first count value and the first MAC subunit group, as well as the correspondence between the second count value and the second MAC subunit group.
[0208] In one possible implementation, the MAC header can indicate the correspondence between MAC subunit groups and corresponding count values in the following way: the MAC header can indicate at least one LCID corresponding to the count value. For example, taking a first count value as an example, the MAC header can include the first count value and indicate at least one LCID corresponding to the first count value, and the first MAC subunit group includes the MAC subunit corresponding to the at least one LCID.
[0209] In one example, the MAC header can indicate at least one LCID through the LCID value range. For instance, taking a first count value as an example, the MAC header can include the first count value and indicate the LCID value range corresponding to the first count value, etc.
[0210] For example, suppose the first MAC unit includes n MAC sub-unit groups. The MAC header of the first MAC unit may include n fields, where the n fields are used to carry the count values corresponding to the n MAC sub-unit groups, and the n fields correspond one-to-one with the n MAC sub-unit groups.
[0211] Taking the first to third MAC subunits mentioned above as examples, the MAC header of the first MAC unit can include two fields. Field 1 corresponds to the first MAC subunit group and carries the first count value. Field 2 corresponds to the second MAC subunit group and carries the second count value, as shown in Figure 15.
[0212] Of course, the MAC header can also indicate the count value and the correspondence between the count value and the MAC sub-unit group in other ways, which are not specifically limited here.
[0213] In method 3-2, the first count value can be carried in the second MAC CE of the MAC unit. Optionally, the second MAC CE can also indicate the correspondence between the first MAC sub-unit group and the first count value. Thus, the second communication device can determine that the MAC sub-unit belonging to the first MAC sub-unit group generates verification information based on the first count value.
[0214] Optionally, if the first MAC unit also includes other MAC subunit groups, the second MAC CE also includes count values corresponding to the other MAC subunit groups, and the second MAC CE can also indicate the correspondence between the other MAC subunit groups and their corresponding count values. Taking the first MAC subunit group and the second MAC subunit group mentioned above as examples, the second MAC CE can include a first count value and a second count value, and the second MAC CE indicates the correspondence between the first count value and the first MAC subunit group, as well as the correspondence between the second count value and the second MAC subunit group.
[0215] In Method 3-2, the way the first count value is carried in the second MAC CE is similar to the way the first count value is carried in the MAC header. The way the correspondence between the count value and the MAC sub-unit group is indicated in the second MAC CE is similar to the way the correspondence between the count value and the MAC sub-unit group is indicated in the MAC header. For details, please refer to the relevant description of Method 3-1; they are not repeated here.
[0216] In Method 3-3, the first count value can be carried in the MAC sub-header of a MAC sub-unit in the first MAC sub-unit group. Optionally, the MAC sub-header of this MAC sub-unit can indicate the first MAC sub-unit group, for example by the LCIDs of the MAC sub-units included in the first MAC sub-unit group. Thus, the second communication device can determine that the MAC sub-units in the first MAC sub-unit group generate verification information based on the first count value.
[0217] Optionally, if the first MAC unit also includes other MAC sub-unit groups, the count value corresponding to such a MAC sub-unit group can be carried in the MAC sub-header of one of the MAC sub-units in that MAC sub-unit group. Optionally, the MAC sub-header of that MAC sub-unit can indicate the second MAC sub-unit group, for example by the LCIDs of the MAC sub-units included in the second MAC sub-unit group. Thus, the second communication device can determine that the MAC sub-units in the second MAC sub-unit group generate verification information based on the second count value.
[0218] In one possible implementation, the MAC sub-header can indicate the correspondence between MAC sub-unit groups and corresponding count values in the following way: the MAC sub-header can indicate at least one LCID corresponding to the count value. For example, taking a first count value as an example, the MAC sub-header of a MAC sub-unit in a first MAC sub-unit group can include the first count value and indicate at least one LCID corresponding to the first count value. The first MAC sub-unit group includes the MAC sub-unit corresponding to the at least one LCID.
[0219] In one example, the MAC sub-header can indicate at least one LCID through an LCID value range. For instance, taking the first count value as an example, the MAC sub-header of a MAC sub-unit in the first MAC sub-unit group can include the first count value and indicate the LCID value range corresponding to the first count value.
[0220] In another possible implementation, the MAC sub-header can indicate the correspondence between MAC sub-unit groups and their corresponding count values in the following way: the MAC sub-header can indicate the number M of MAC sub-units included in the MAC sub-unit group. Here, the MAC sub-unit group includes the MAC sub-unit containing the MAC sub-header and (M-1) MAC sub-units following it. That is, the MAC sub-unit and the following (M-1) MAC sub-units share (or correspond to or reuse) a count value. For example, taking the first count value as an example, the MAC sub-header of MAC sub-unit a includes the first count value and indicates the number M of MAC sub-units, meaning that MAC sub-unit a and the (M-1) MAC sub-units following it all correspond to the first count value. In this example, the first MAC sub-unit can be MAC sub-unit a or one of the (M-1) MAC sub-units following it.
[0221] In another possible implementation, the MAC sub-header can indicate the correspondence between MAC sub-unit groups and their corresponding count values in the following way: the MAC sub-header can indicate the number N of MAC sub-units. Here, the MAC sub-unit group includes the MAC sub-unit containing the MAC sub-header and the N MAC sub-units following it. That is, the N MAC sub-units following the MAC sub-header can reuse the count value corresponding to the MAC sub-unit. For example, taking the first count value as an example, the MAC sub-header of MAC sub-unit a includes the first count value and indicates the number N of MAC sub-units, indicating that MAC sub-unit a corresponds to the first count value, and the N MAC sub-units following MAC sub-unit a can reuse the count value corresponding to MAC sub-unit a, i.e., the first count value. In this example, the first MAC sub-unit can be MAC sub-unit a or one of the N MAC sub-units following MAC sub-unit a.
[0222] Taking as an example a first MAC unit composed of the aforementioned first to third MAC sub-units concatenated together, as shown in Figure 16, the MAC sub-header of the first MAC sub-unit may include the first count value and indicate that the number of MAC sub-units is 1. Therefore, the first MAC sub-unit corresponds to the first count value, and the next MAC sub-unit (i.e., the second MAC sub-unit) can reuse the count value corresponding to the first MAC sub-unit, i.e., the first count value. The MAC sub-header of the third MAC sub-unit may include the second count value and indicate that the number of MAC sub-units is 0. Therefore, the third MAC sub-unit corresponds to the second count value, and no MAC sub-unit reuses the count value corresponding to the third MAC sub-unit, i.e., the second count value.
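The Figure 16 instance of Method 3-3, with the "number N of following MAC sub-units" indication of [0221], implemented as an added example in Python (not the patent's or Huawei's code). The sub-header layout (LCID, a count-present flag, the count value, N, and a length field), the HMAC-SHA256-based verification information, the key and the payload bytes are constructed assumptions; LCIDs 57 and 58 are taken from Table 2 of the page. The example also covers the degenerate case N = 0 in every sub-header, which is Method 2 (each subunit carries its own count value), and the malformed cases a receiver has to reject:

```python
import hashlib
import hmac
import struct

# Constructed key and direction value for this illustration.
KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
UPLINK = 0
MAC_I_LEN = 4


def verification_info(key, count, direction, lcid, payload):
    """Verification information of one subunit; HMAC-SHA256 truncated to
    32 bits is an assumed stand-in for the (unspecified) integrity algorithm."""
    hdr = struct.pack(">IBB", count & 0xFFFFFFFF, direction & 0xFF, lcid & 0xFF)
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()[:MAC_I_LEN]


def build_mac_unit(key, direction, groups):
    """Sender side. groups is a list of (count, [(lcid, payload), ...]).

    Sub-header layout (constructed): LCID(1) C(1) [COUNT(4) N(1)] LEN(1),
    followed by the payload and its 4-byte verification information. The first
    subunit of a group carries the count value and N = number of following
    subunits that reuse it; the other members carry no count field (C = 0).
    """
    out = bytearray()
    for count, members in groups:
        for i, (lcid, payload) in enumerate(members):
            if i == 0:
                out += struct.pack(">BBIBB", lcid, 1, count, len(members) - 1, len(payload))
            else:
                out += struct.pack(">BBB", lcid, 0, len(payload))
            out += payload + verification_info(key, count, direction, lcid, payload)
    return bytes(out)


def parse_mac_unit(key, direction, data):
    """Receiver side: resolve the count value of each subunit from the
    sub-headers, then verify every subunit against it.

    Returns [(lcid, payload, count, verified), ...]. Raises ValueError when a
    subunit has no applicable count value, when a new count value appears
    before the previous N reusing subunits have been seen, or when N promises
    more subunits than the MAC unit contains.
    """
    pos, current, remaining, result = 0, None, 0, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-header")
        lcid, c_flag = data[pos], data[pos + 1]
        pos += 2
        if c_flag:
            if remaining:
                raise ValueError("new count value before %d reusing subunits were seen" % remaining)
            current, remaining = struct.unpack_from(">IB", data, pos)
            pos += 5
        else:
            if current is None or remaining == 0:
                raise ValueError("subunit at offset %d has no applicable count value" % (pos - 2))
            remaining -= 1
        length = data[pos]
        pos += 1
        payload = data[pos:pos + length]
        tag = data[pos + length:pos + length + MAC_I_LEN]
        pos += length + MAC_I_LEN
        if len(payload) != length or len(tag) != MAC_I_LEN:
            raise ValueError("truncated subunit")
        ok = hmac.compare_digest(tag, verification_info(key, current, direction, lcid, payload))
        result.append((lcid, payload, current, ok))
    if remaining:
        raise ValueError("N field claims %d more reusing subunits than present" % remaining)
    return result


def rejects(data):
    """True when the receiver rejects the MAC unit as malformed."""
    try:
        parse_mac_unit(KEY, UPLINK, data)
    except ValueError:
        return True
    return False


def figure16_example():
    """Figure 16: subunits 1 and 2 (LCIDs 57 and 58) share the first count
    value, so the first sub-header carries it with N = 1; subunit 3 carries the
    second count value with N = 0. Count values and payloads are constructed."""
    groups = [(5, [(57, b"\x01\x02"), (58, b"\x03")]), (9, [(1, b"\x10\x20\x30")])]
    unit = build_mac_unit(KEY, UPLINK, groups)
    return unit, parse_mac_unit(KEY, UPLINK, unit)
```

The N field itself is not covered by a tag in this framing, but that does not let a count value be substituted unnoticed: every subunit's verification information is computed over the count value the receiver resolves for it, so a subunit attributed to the wrong count value simply fails verification, and an N that claims more reusing subunits than the MAC unit carries is rejected as malformed before any subunit is accepted.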
[0223] Method 4: The MAC unit includes MAC sub-units that maintain a count value, or it can be described as the MAC unit including MAC sub-units sharing (or corresponding to or reusing) a count value. Here, "corresponding to the same count value" can be understood as corresponding to the same count value parameter or field, and "corresponding to different count values" can be understood as corresponding to different count value parameters or fields.
[0224] For example, all the MAC sub-units included in the first MAC unit correspond to the first count value. Since the first MAC unit includes the first MAC sub-unit, the first MAC sub-unit corresponds to the first count value.
[0225] Optionally, based on Method 4, the first count value can be carried in the MAC header of the first MAC unit, or it can be carried in the third MAC CE of the first MAC unit. Figure 17 illustrates an example in which the first count value is carried in the MAC header.
[0226] Of the four methods above, Methods 1, 3 and 4 reuse a single count value across multiple MAC subunits, which helps reduce transmission overhead. Method 2, however, establishes a one-to-one correspondence between MAC subunits and count values, which further enhances the security of MAC layer transmission.
[0227] In one exemplary description, since a MAC unit is transmitted in the form of a transport block at the physical layer, Method 4 can also be described as one MAC unit corresponding to one count value, one transport block corresponding to one count value, etc. Method 4 reduces transmission overhead and implementation complexity by having the MAC sub-units included in the first MAC unit correspond to the same count value, while ensuring secure communication.
[0228] Compared to maintaining the count value at the PDCP layer, the four methods described above reduce overhead by maintaining the count value at the MAC layer. For example, at the PDCP layer, each PDCP PDU maintains at least one count value, while a MAC unit may include multiple PDCP PDUs. Therefore, maintaining the count value at the MAC layer is more beneficial for reducing overhead than maintaining it at the PDCP layer.
[0229] Furthermore, since the physical layer transmits a MAC unit in the form of a transport block, and communication security requires that each transport block correspond to at least one count value, all four methods above meet the requirement that one transport block corresponds to at least one count value, thus facilitating secure communication.
[0230] In this application, the transmitting end can perform secure processing on data units of the MAC layer. For example, the transmitting end calculates the verification information of the MAC subunit based on parameters such as the count value corresponding to the MAC subunit, and the receiving end verifies the MAC subunit based on parameters such as the count value corresponding to the MAC subunit. This application maintains a count value at the MAC subunit granularity in the MAC unit and defines the position carrying the count value in the MAC unit, enabling the receiving end to obtain the count value and thus realize integrity verification of the MAC subunit, which is beneficial to improving communication security performance. Furthermore, in this application, the count value is maintained at the MAC subunit granularity, which is beneficial to improving the security performance of the MAC layer.
[0231] Furthermore, this application allows a single count value to be multiplexed across multiple MAC subunits, which helps reduce transmission overhead.
[0232] This application can also correspond one-to-one with the count value through the MAC subunit, which is conducive to further improving the security of MAC layer transmission.
[0233] The method described in Figure 10 enhances MAC layer security by generating verification information at the MAC layer. If the MAC layer does not employ a hardware acceleration controller (HAC) for security, performing security processing at the MAC layer may result in slow processing speeds. An alternative method is provided below: by providing security protection for part or all of the MAC CE at the PDCP layer, the security of MAC layer signaling can be improved while increasing processing speed.
[0234] Figure 18 is a flowchart illustrating a communication method provided in an embodiment of this application.
[0235] S1801, the first communication device generates first verification information in the PDCP layer based on some or all of the information in the MAC CE.
[0236] For example, the first communication device can be understood as a transmitting end. The first communication device can be a terminal device in the communication system shown in Figure 8, or a component of the terminal device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can implement all or part of the functions of the terminal device; or, the first communication device can be a network device in the communication system shown in Figure 8, or a component of the network device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can implement all or part of the functions of the network device.
[0237] In the following text, the second communication device can be understood as a receiving end. The second communication device can be a terminal device in the communication system shown in Figure 8, or a component of the terminal device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can realize all or part of the functions of the terminal device; or, the second communication device can be a network device in the communication system shown in Figure 8, or a component of the network device (e.g., a processor, circuit, chip, or chip system), or a logic module or software that can realize all or part of the functions of the network device.
[0238] Optionally, the first communication device may generate the MAC CE at the MAC layer before generating the first verification information at the PDCP layer based on some or all of the information in the MAC CE.
[0239] The following describes two implementation methods of S1801.
[0240] Implementation Method 1: As shown in Figure 19, after generating a MAC CE at the MAC layer, the first communication device can use the key in the access stratum (AS) security context to perform integrity protection on part or all of the information of the MAC CE in the form of a PDCP PDU at the PDCP layer, and add the first verification information. That is, after generating a MAC CE at the MAC layer, the first communication device can transmit part or all of the information of the MAC CE to the PDCP layer, encapsulate it into a PDCP PDU at the PDCP layer, and add the first verification information to the PDCP PDU.
[0241] The first communication device can transmit the PDCP PDU to the MAC layer for encapsulation to obtain the first information in S1802. Optionally, the first communication device can transparently transmit the PDCP PDU to the MAC layer for encapsulation without requiring RLC layer processing.
[0242] For example, the first information may carry the first verification information in the following manner: the first information carries a PDCP PDU, which includes some or all of the information in the MAC CE and the first verification information.
[0243] Implementation Method 2: As shown in Figure 20, after the first communication device generates a MAC CE at the MAC layer, it can transmit some or all of the MAC CE information to the RRC layer. At the RRC layer, an RRC signaling message including some or all of the MAC CE information is constructed; for example, some or all of the MAC CE information can be encapsulated into a first container of the RRC signaling message. The RRC signaling message is then transmitted to the PDCP layer and encapsulated into a PDCP PDU, and the first verification information is added to the PDCP PDU.
[0244] The first communication device can transmit the PDCP PDU to the MAC layer for encapsulation to obtain the first information in S1802. Optionally, the first communication device can transparently transmit the PDCP PDU to the MAC layer for encapsulation without requiring RLC layer processing.
[0245] For example, the first information may carry the first verification information in the following manner: the first information carries a PDCP PDU. The PDCP PDU includes RRC signaling and the first verification information. The RRC signaling includes some or all of the information in the MAC CE; for example, the RRC signaling includes a first container, which includes some or all of the information in the MAC CE.
[0246] Optionally, in the two embodiments described above, the PDCP PDU can be a control plane PDCP PDU. That is, after the first communication device generates a MAC CE at the MAC layer, it can encapsulate some or all of the information of the MAC CE into a control plane PDCP PDU at the PDCP layer.
[0247] Since no security processing procedure is currently defined for the control plane PDCP PDU, in order for the receiving end (i.e., the second communication device) to perform security processing on the control plane PDCP PDU after receiving it, first indication information can be carried in the first information. The first indication information indicates that the first information needs security protection. For example, the first indication information can indicate that the PDCP PDU carried in the first information is a control plane PDU that needs security processing.
[0248] In one possible implementation, the first count value and / or the first bearer identifier are used as input parameters when generating the first verification information; that is, the first verification information is generated based on the first count value and / or the first bearer identifier. The first verification information can be generated by the method described with reference to Figure 4 in terminology introduction 2 above; the specific process is described there and is not repeated here.
[0249] Optionally, the first information may also carry a first count value for generating the first verification information. For example, the first information may include a PDCP PDU that carries the first count value for generating the first verification information. In the method of encapsulating part or all of the MAC CE information into a control plane PDCP PDU in the PDCP layer, the first count value may be a parameter designed or maintained for the control plane PDCP PDU, that is, the first count value is used for the control plane PDCP PDU.
[0250] For example, the count value of the control plane PDCP PDU and the count value of the user plane PDCP PDU are different parameters; that is, the count values of the control plane PDCP PDU and the user plane PDCP PDU are maintained independently. Alternatively, the control plane PDCP PDU can reuse the count value of the user plane PDCP PDU, that is, the first count value reuses the count value of the user plane PDCP PDU. Or, the count value of the control plane PDCP PDU can be a preset value, such as 1, that is, the first count value is set to a preset value.
[0251] Optionally, the first information may also carry a first bearer identifier for generating the first verification information. For example, the first information may include a PDCP PDU that carries a first bearer identifier for generating the first verification information. In the method of encapsulating part or all of the MAC CE information into a control plane PDCP PDU at the PDCP layer, the first bearer identifier may be a parameter designed or maintained for the control plane PDCP PDU; that is, the first bearer identifier is used for the control plane PDCP PDU.
[0252] For example, the bearer identifier of the control plane PDCP PDU and the bearer identifier of the user plane PDCP PDU are different parameters, meaning that the bearer identifiers of the control plane PDCP PDU and the user plane PDCP PDU are maintained independently. Alternatively, the control plane PDCP PDU can reuse the bearer identifier of the user plane PDCP PDU, that is, the first bearer identifier reuses the bearer identifier of the user plane PDCP PDU. Or, the bearer identifier of the control plane PDCP PDU can be a preset value, such as 1, that is, the first bearer identifier is set to a preset value.
[0253] In another possible implementation, the first count value and / or the first bearer identifier may not be used as input parameters when generating the first verification information. The specific generation method is similar to the method described in Figure 4 of the terminology introduction 2 above. The difference is that the input parameters for generating the verification information in the method described in Figure 4 include the count value and the bearer identifier, while in this implementation, the input parameters for generating the first verification information do not include the first count value and / or the first bearer identifier.
[0254] For example, the aforementioned bearer identifier can also be referred to as a radio bearer identifier.
[0255] As an example, the format of a PDCP PDU can be shown in Figure 21. It should be noted that Figure 21 only illustrates the information included in the PDCP PDU and does not limit the position / order of the information in the PDCP PDU.
[0256] S1802, the first communication device sends the first information at the MAC layer. Correspondingly, the second communication device receives the first information at the MAC layer.
[0257] The first information carries the MAC CE and the first verification information.
[0258] S1803, the second communication device generates second verification information at the PDCP layer based on some or all of the information in the MAC CE.
[0259] The second communication device generates the second verification information in the same way as the first communication device generates the first verification information, and the duplicate parts will not be described again.
[0260] As shown in Figure 22, based on Implementation Method 1 described above, after receiving the first information, the second communication device can transmit part or all of the MAC CE information in the first information to the PDCP layer to generate the second verification information. The specific method is similar to the method by which the first communication device generates the first verification information, and can be referred to the relevant description of S1801 above; it is not repeated here. Furthermore, after receiving the first information, the second communication device can parse the MAC CE in the first information at the MAC layer to obtain the instruction corresponding to the MAC CE.
[0261] As shown in Figure 23, based on Implementation Method 2 described above, after receiving the first information, the second communication device can transmit part or all of the MAC CE information in the first information to the RRC layer. At the RRC layer, an RRC signaling message including part or all of the MAC CE information is constructed; for example, part or all of the MAC CE information can be encapsulated into a first container of the RRC signaling message. The RRC signaling message is then transmitted to the PDCP layer to generate the second verification information. Furthermore, after receiving the first information, the second communication device can parse the MAC CE in the first information at the MAC layer to obtain the instruction corresponding to the MAC CE.
[0262] S1804, the second communication device verifies the MAC CE at the PDCP layer based on the first verification information and the second verification information.
[0263] For example, the second communication device can transmit the first verification information to the PDCP layer, and verify the MAC CE at the PDCP layer based on the first verification information and the second verification information.
[0264] Optionally, if the second verification information is the same as the first verification information, then MAC CE verification passes. If the second verification information is different from the first verification information, then MAC CE verification fails.
[0265] In one implementation, if the verification passes, the instruction corresponding to the MAC CE is executed; if the verification fails, the instruction corresponding to the MAC CE is not executed.
[0266] This application enhances the security of MAC layer signaling by providing security protection for part or all of the MAC CE content at the PDCP layer. Because security processing at the PDCP layer can use hardware acceleration (HAC), it is faster than performing the security processing at the MAC layer. Furthermore, in this application the receiving end can perform MAC CE parsing and MAC CE verification in parallel, which effectively reduces signaling processing latency compared to parsing the MAC CE only after verification.
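The procedure S1801 to S1804 (Implementation Method 1), as an added example that is not code from the patent or from any 3GPP implementation. The integrity function is a stand-in (HMAC-SHA256 truncated to a 32-bit MAC-I) for the NIA-style function the text refers to via Figure 4; the PDCP PDU layout, the encoding of the first indication information, the length-prefixed MAC unit, the sample key and the sample MAC CE are all constructed here. The example also adds two things the text leaves implicit: the receiver checks that the protected bytes are the ones actually carried in the MAC CE, and `tags_for` shows that with a preset count value the verification information repeats on every transmission, so freshness has to come from a maintained count value.

```python
"""
Added example modelling steps S1801-S1804 of Figure 18 (Implementation
Method 1). Not code from the patent. The integrity function is a stand-in
(HMAC-SHA256 truncated to 32 bits) for a 3GPP NIA algorithm; the PDCP PDU
layout, indication flag, MAC unit framing, sample key and sample MAC CE
are constructed for this example.
"""
import hashlib
import hmac
import struct

MACI_LEN = 4             # 32-bit MAC-I, the length produced by the 3GPP NIA algorithms
SEC_FLAG = 0x80          # first indication information: PDU needs security processing (assumed encoding)
UPLINK, DOWNLINK = 0, 1  # DIRECTION input of the integrity function
BEARER = 1               # first bearer identifier, using the "preset value" option from the text

# Constructed sample values; a real AS security context key is never derived like this.
SAMPLE_KEY = hashlib.sha256(b"constructed integrity key").digest()
SAMPLE_MAC_CE = bytes([0x3B, 0x05, 0x10])  # arbitrary MAC CE bytes, no specific meaning


def compute_maci(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for the integrity function of Figure 4. Inputs follow the 3GPP NIA
    interface (KEY, COUNT, BEARER, DIRECTION, MESSAGE); the construction itself is
    an assumption of this example, not a 3GPP algorithm."""
    params = struct.pack(">IBB", count & 0xFFFFFFFF, bearer & 0x1F, direction & 1)
    return hmac.new(key, params + message, hashlib.sha256).digest()[:MACI_LEN]


def build_pdcp_pdu(key: bytes, count: int, bearer: int, direction: int, protected: bytes) -> bytes:
    """S1801: control plane PDCP PDU carrying the protected part of the MAC CE and the
    first verification information. Figure 21 fixes neither order nor encoding;
    the layout flag | COUNT | BEARER | length | bytes | MAC-I is assumed here."""
    header = struct.pack(">BIBH", SEC_FLAG, count & 0xFFFFFFFF, bearer & 0x1F, len(protected))
    return header + protected + compute_maci(key, count, bearer, direction, protected)


def build_first_information(mac_ce: bytes, pdcp_pdu: bytes) -> bytes:
    """S1802: the MAC layer first information carries the MAC CE and, transparently
    (no RLC processing), the PDCP PDU. Length prefixes stand in for MAC sub-headers."""
    return struct.pack(">H", len(mac_ce)) + mac_ce + struct.pack(">H", len(pdcp_pdu)) + pdcp_pdu


def parse_first_information(first_info: bytes):
    """MAC layer parsing at the receiver: split the MAC CE from the PDCP PDU."""
    ce_len, = struct.unpack_from(">H", first_info, 0)
    mac_ce = first_info[2:2 + ce_len]
    pdu_len, = struct.unpack_from(">H", first_info, 2 + ce_len)
    start = 4 + ce_len
    return mac_ce, first_info[start:start + pdu_len]


def verify_pdcp_pdu(key: bytes, direction: int, pdcp_pdu: bytes):
    """S1803/S1804: regenerate the verification information (second) and compare it
    in constant time with the received one (first). Returns (passed, protected)."""
    flag, count, bearer, n = struct.unpack_from(">BIBH", pdcp_pdu, 0)
    if not flag & SEC_FLAG:
        return False, b""  # no indication information: the PDU is not security processed
    protected = pdcp_pdu[8:8 + n]
    received = pdcp_pdu[8 + n:8 + n + MACI_LEN]
    expected = compute_maci(key, count, bearer, direction, protected)
    return hmac.compare_digest(received, expected), protected


def receive(key: bytes, direction: int, first_info: bytes) -> bool:
    """Receiver side. MAC CE parsing and PDCP verification are independent and may
    run in parallel; the instruction is executed (True) only if verification passes
    and the protected bytes are the ones actually carried in the MAC CE. The second
    check is this example's addition (a genuine PDCP PDU could otherwise be paired
    with a different MAC CE); it assumes the protected part is a prefix of the CE."""
    mac_ce, pdcp_pdu = parse_first_information(first_info)
    passed, protected = verify_pdcp_pdu(key, direction, pdcp_pdu)
    return passed and len(protected) > 0 and mac_ce.startswith(protected)


def flip_bit(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def run_cases(count: int = 7) -> dict:
    """A genuine transmission plus three manipulations a man-in-the-middle could attempt."""
    pdu = build_pdcp_pdu(SAMPLE_KEY, count, BEARER, DOWNLINK, SAMPLE_MAC_CE)
    info = build_first_information(SAMPLE_MAC_CE, pdu)
    ce_in_mac = 2                            # first byte of the MAC CE inside the MAC unit
    ce_in_pdcp = 4 + len(SAMPLE_MAC_CE) + 8  # first protected byte inside the PDCP PDU
    return {
        "genuine": receive(SAMPLE_KEY, DOWNLINK, info),
        "mac_ce_swapped": receive(SAMPLE_KEY, DOWNLINK, flip_bit(info, ce_in_mac)),
        "pdcp_tampered": receive(SAMPLE_KEY, DOWNLINK, flip_bit(info, ce_in_pdcp)),
        "wrong_key": receive(b"\x00" * 32, DOWNLINK, info),
    }


def tags_for(counts) -> list:
    """MAC-I of the same MAC CE under each COUNT. With a preset COUNT (the text allows
    e.g. 1) the tag is identical on every transmission, so a replayed first
    information verifies like a fresh one; a maintained, increasing COUNT makes
    the tags differ and lets the receiver reject a repeated value."""
    return [compute_maci(SAMPLE_KEY, c, BEARER, DOWNLINK, SAMPLE_MAC_CE) for c in counts]


if __name__ == "__main__":
    print(run_cases())
    print([t.hex() for t in tags_for([1, 1, 2])])
```

`run_cases` returns `True` only for the genuine case: swapping the MAC CE while leaving the PDCP PDU intact fails the binding check, altering the protected bytes or using a different key fails the MAC-I comparison. `tags_for([1, 1, 2])` returns two equal tags followed by a different one, which is the practical difference between the "preset value" and "independently maintained" count value options described in [0250].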
[0267] Based on the same inventive concept as the method embodiment, this application provides a communication device, the structure of which can be as shown in FIG24, including a communication unit 701 and a processing unit 702.
[0268] In one embodiment, the communication device can specifically be used to implement the method executed by the first communication device in the embodiment of FIG10. The device can be the first communication device itself, or a chip or chipset within the first communication device, or a part of a chip used to execute the relevant method function. Specifically, the processing unit 702 is used to determine a first MAC unit, the first MAC unit including verification information of a first MAC subunit, the verification information of the first MAC subunit being determined based on a first count value corresponding to the first MAC subunit. The communication unit 701 is used to transmit the first MAC unit.
[0269] In one embodiment, the communication device can specifically be used to implement the method executed by the second communication device in the embodiment of FIG10. This device can be the second communication device itself, or a chip or chipset within the second communication device, or a part of a chip used to execute the relevant method function. Specifically, the communication unit 701 is used to receive a first MAC unit, wherein the first MAC unit includes verification information of a first MAC subunit, and the verification information of the first MAC subunit is determined based on a first count value corresponding to the first MAC subunit. The processing unit 702 is used to verify the verification information of the first MAC subunit based on the first count value.
[0270] In one embodiment, the communication device can specifically be used to implement the method executed by the first communication device in the embodiment of FIG18. This device can be the first communication device itself, or a chip or chipset within the first communication device, or a part of a chip used to execute the relevant method function. Specifically, the processing unit 702 is used to generate first verification information at the PDCP layer based on some or all of the information in the MAC CE; the communication unit 701 is used to send first information at the MAC layer, the first information carrying the MAC CE and the first verification information.
[0271] Optionally, the processing unit 702 is further configured to: generate the MAC CE at the MAC layer before generating the first verification information at the PDCP layer based on some or all of the information in the MAC CE.
[0272] In one embodiment, the communication device can specifically be used to implement the method executed by the second communication device in the embodiment of FIG18. This device can be the second communication device itself, or a chip or chipset within the second communication device, or a part of a chip used to execute related method functions. Specifically, the communication unit 701 is used to receive first information at the MAC layer, the first information carrying a MAC CE and first verification information. The processing unit 702 is used to generate second verification information at the PDCP layer based on some or all of the information in the MAC CE; and to verify the MAC CE at the PDCP layer based on the first verification information and the second verification information.
[0273] The module division in this application embodiment is illustrative and represents only one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional modules in the various embodiments of this application can be integrated into a single processor, exist as separate physical entities, or be integrated into a single module. The integrated modules described above can be implemented in hardware or as software functional modules. It is understood that the functions or implementations of the modules in the embodiments of this application can be further described in the relevant descriptions of the method embodiments.
[0274] In one possible embodiment, the communication device can be as shown in FIG25. This device can be a communication equipment or a chip within a communication equipment, wherein the communication equipment can be the terminal device or the network device described in the above embodiments. The device includes a processor 801 and a communication interface 802, and may also include a memory 803. The processing unit 702 can be the processor 801. The communication unit 701 can be the communication interface 802. Optionally, the processor 801 and the memory 803 can also be integrated together.
[0275] The processor 801 can be a CPU, a digital processing unit, or something similar. The communication interface 802 can be a transceiver, an interface circuit such as a transceiver circuit, or a transceiver chip, etc. The device also includes a memory 803 for storing the program executed by the processor 801. The memory 803 can be non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or it can be volatile memory, such as random-access memory (RAM). The memory 803 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited to this.
[0276] The processor 801 is used to execute the program code stored in the memory 803, specifically to perform the actions of the aforementioned processing unit 702, which will not be described in detail here. The communication interface 802 is specifically used to perform the actions of the aforementioned communication unit 701, which will not be described in detail here.
[0277] This application embodiment does not limit the specific connection medium between the communication interface 802, processor 801, and memory 803. In Figure 25, the memory 803, processor 801, and communication interface 802 are connected via a bus 804, which is represented by a thick line. The connection methods between other components are only illustrative and not intended to be limiting. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, only one thick line is used in Figure 25, but this does not indicate that there is only one bus or one type of bus.
[0278] This application also provides a computer-readable storage medium for storing the computer software instructions to be executed by the processor, including the program to be executed by the processor.
[0279] This application also provides a communication system, including a first communication device for implementing the embodiment of FIG10 and a second communication device for implementing the embodiment of FIG10.
[0280] This application also provides a communication system, including a first communication device for implementing the embodiment of FIG18 and a second communication device for implementing the embodiment of FIG18.
[0281] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0282] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in one or more blocks of the flowchart illustrations and / or one or more blocks of the block diagrams.
[0283] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flowcharts and / or one or more block diagrams.
[0284] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions specified in one or more flowcharts and / or one or more block diagrams.
[0285] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. A communication method, characterized in that it comprises: determining a first media access control (MAC) unit, the first MAC unit comprising verification information of a first MAC subunit, the verification information of the first MAC subunit being determined based on a first count value corresponding to the first MAC subunit; and sending the first MAC unit.
2. A communication method, characterized in that it comprises: receiving a first media access control (MAC) unit, wherein the first MAC unit comprises verification information of a first MAC subunit, and the verification information of the first MAC subunit is determined based on a first count value corresponding to the first MAC subunit; and verifying the verification information of the first MAC subunit based on the first count value.
3. The method according to claim 1 or 2, characterized in that the first MAC unit comprises a first MAC subunit and a second MAC subunit, wherein the first MAC subunit and the second MAC subunit correspond to the first count value, and the first MAC subunit and the second MAC subunit belong to a first category.
4. The method according to claim 3, characterized in that the first MAC unit further comprises a third MAC subunit, wherein the third MAC subunit corresponds to a second count value and belongs to a second category.
5. The method according to claim 4, characterized in that the first count value is carried in a MAC header of the first MAC unit; or the first count value is carried in a first MAC control element (CE) of the first MAC unit; or the first count value is carried in a MAC sub-header of a MAC subunit belonging to the first category.
6. The method according to claim 5, characterized in that the MAC header indicates the correspondence between the first category and the first count value.
7. The method according to claim 5, characterized in that the first MAC CE indicates the correspondence between the first category and the first count value.
8. The method according to claim 5, characterized in that the MAC sub-header indicates the first category.
9. The method according to any one of claims 3 to 8, characterized in that the first category is related to at least one of the following: an application scenario of the MAC subunit, or a purpose of the MAC subunit.
10. The method according to any one of claims 3 to 9, characterized in that the first category is any one of the following: a MAC subunit for a carrier aggregation (CA) scenario, a MAC subunit for a random access procedure, or a MAC subunit for an energy-saving scenario.
11. The method according to any one of claims 3 to 10, characterized in that the first category is any one of the following: a MAC subunit corresponding to a MAC CE, a MAC subunit corresponding to a service data unit (SDU), or a MAC subunit corresponding to padding.
12. The method according to claim 1 or 2, characterized in that the first MAC unit comprises a first MAC subunit and a second MAC subunit; the first MAC subunit corresponds to the first count value, and the second MAC subunit corresponds to a second count value.
13. The method according to claim 12, characterized in that the first count value is carried in a MAC sub-header of the first MAC subunit.
14. A communication method, characterized in that it comprises: generating first verification information at a Packet Data Convergence Protocol (PDCP) layer based on some or all of the information in a media access control (MAC) control element (CE); and sending first information at the MAC layer, the first information carrying the MAC CE and the first verification information.
15. The method according to claim 14, characterized in that, before generating the first verification information at the PDCP layer based on some or all of the information in the MAC CE, the method further comprises: generating the MAC CE at the MAC layer.
16. A communication method, characterized in that it comprises: receiving first information at a media access control (MAC) layer, the first information carrying a MAC control element (CE) and first verification information; generating second verification information at a Packet Data Convergence Protocol (PDCP) layer based on some or all of the information in the MAC CE; and verifying the MAC CE at the PDCP layer based on the first verification information and the second verification information.
17. The method according to any one of claims 14 to 16, characterized in that the first information carrying the first verification information comprises: the first information carries a PDCP protocol data unit (PDU), the PDCP PDU comprising some or all of the information in the MAC CE and the first verification information; or the first information carries a PDCP PDU, the PDCP PDU comprising RRC signaling and the first verification information, the RRC signaling comprising some or all of the information in the MAC CE.
18. The method according to claim 17, characterized in that the RRC signaling comprising some or all of the information in the MAC CE comprises: the RRC signaling comprises a first container, the first container comprising some or all of the information in the MAC CE.
19. The method according to claim 17 or 18, characterized in that the PDCP PDU is a control plane PDCP PDU.
20. The method according to any one of claims 14 to 19, characterized in that the first information carries first indication information, the first indication information being used to indicate that the first information needs security protection.
21. The method according to any one of claims 14 to 20, characterized in that the first information carries a first count value, the first count value being used to generate the first verification information and being used for the control plane PDCP PDU.
22. The method according to claim 21, characterized in that the first count value and a second count value are different parameters, the second count value being used for the user plane PDCP PDU; or the first count value reuses the count value of the user plane PDCP PDU; or the first count value is set to a preset value.
23. The method according to any one of claims 14 to 22, characterized in that the first information carries a first bearer identifier, the first bearer identifier being used to generate the first verification information and being used for the control plane PDCP PDU.
24. The method according to claim 23, characterized in that the first bearer identifier and a second bearer identifier are different parameters, the second bearer identifier being used for the user plane PDCP PDU; or the first bearer identifier reuses the bearer identifier of the user plane PDCP PDU; or the first bearer identifier is set to a preset value.
25. A communication device, characterized in that it comprises units or modules for performing the method according to any one of claims 1 and 3 to 13, or units or modules for performing the method according to any one of claims 14, 15 and 17 to 24.
26. A communication device, characterized in that it comprises units or modules for performing the method according to any one of claims 2 to 13, or units or modules for performing the method according to any one of claims 16 to 24.
27. A communication device, characterized in that it comprises a processor and a memory, the memory being used to store program instructions, and the processor, when executing the program instructions, causing the method according to any one of claims 1 and 3 to 13, or the method according to any one of claims 14, 15 and 17 to 24, to be executed.
28. A communication device, characterized in that it comprises a processor and a memory, the memory being used to store program instructions, and the processor, when executing the program instructions, causing the method according to any one of claims 2 to 13, or the method according to any one of claims 16 to 24, to be executed.
29. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-readable instructions which, when executed on a communication device, cause the method according to any one of claims 1 and 3 to 13, or the method according to any one of claims 2 to 13, or the method according to any one of claims 14, 15 and 17 to 24, or the method according to any one of claims 16 to 24, to be executed.
30. A computer program product, characterized in that, when the computer program product is run on a device, it causes the device to perform the method according to any one of claims 1 and 3 to 13, or any one of claims 2 to 13, or any one of claims 14, 15 and 17 to 24, or any one of claims 16 to 24.