Communication method and communication apparatus
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2025-11-29
- Publication Date
- 2026-07-02
Description
Communication methods and communication devices
[0001] This application claims priority to Chinese Patent Application No. 202411944834.8, filed on December 24, 2024, entitled "Communication Method and Communication Device", the entire contents of which are incorporated herein by reference.
Technical Field
[0002] This application relates to the field of communication technology, and in particular to a communication method and communication device.
Background Technology
[0003] With the decrease in computing and storage costs, and the emergence of numerous low-latency services and local area applications, computing and storage, as well as the intelligent algorithms that rely on them, tend to be deployed closer to the network edge, closer to the data source, thus forming a data-centric network architecture. The basic function of mobile communication networks will also begin to shift from being a conduit for information transmission to a platform for data management. The network can perceive the massive amounts of data generated by sensing devices, including its own state, the surrounding environment, and user / device behavior. At the same time, it can use technologies such as artificial intelligence (AI) and digital twins for modeling analysis and automated decision-making to improve network operating efficiency, enhance system performance, or provide data services for intelligent applications.
[0004] In the network architecture described above, the generated data needs to be processed by appropriate nodes or network elements. Therefore, ensuring data security during network transmission is a critical issue that needs to be addressed.
Summary of the Invention
[0005] This application provides a communication method and communication device that can ensure data security.
[0006] In a first aspect, embodiments of this application provide a communication method applied to a first data proxy network element. The first data proxy network element can be any network element with data acquisition capabilities; for example, it can be a terminal device, access network device, core network element, transmission network element, etc. The method includes:
[0007] The first data proxy network element collects first data of the first data service and sends second data to the second data proxy network element. The second data is obtained by encrypting and / or integrity protecting the first data at the application layer using a first key. The second data proxy network element is used to process the data of the first data service.
[0008] In this embodiment, the data of the first data service collected by the first data proxy network element needs to be processed by the second data proxy network element. Before sending the first data to the second data proxy network element, the first data proxy network element encrypts and / or integrity protects the first data at the application layer using the first key, thereby ensuring the security of the data during transmission. For example, when the second data has to be forwarded through an intermediate node, that node only sees the second data, i.e. the first data after application-layer encryption and / or integrity protection with the first key. The intermediate node therefore cannot read the first data and cannot steal or tamper with it undetected, which ensures the security of the first data.
[0009] In conjunction with the first aspect, in one possible implementation, the method further includes: receiving first information from a data control network element, the first information including at least one of the following: identification information of a second data proxy network element, a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number; and generating a first key based on the first information.
[0010] In this embodiment, the identification information of the second data proxy network element may include the data agent identifier (DAID) of the second data proxy network element. The first salt value is a random number generated by the data control network element. The data control network element can obtain relevant information about each data proxy network element (such as capability information and business requirement information) and determines the parameters used to generate the first key (such as the corresponding algorithm, salt value, and number of iterations) so that the first key meets the security requirements of the first data service. This simplifies the process by eliminating the need for back-and-forth negotiation between the first and second data proxy network elements. For example, the first key can be derived from the identification information of the first and second data proxy network elements, which increases the security of the first key.
[0011] In conjunction with the first aspect, in one possible implementation, the first information also includes the identification information of the first data service.
[0012] In this embodiment, the identification information of the first data service includes the data service identifier (DSID) of the first data service, and the first key is also generated based on the identification information of the first data service, which can improve the security of the first key.
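As an added example (not code from the application or from Huawei), the following Python models paragraphs [0007] to [0012]: both data proxy network elements derive the same first key from the two DAIDs, the DSID, the first salt value and the first iteration number, and the collecting side encrypts and integrity protects the first data at the application layer before sending it. The application names no concrete key derivation function, cipher or secret input, so PBKDF2-HMAC-SHA256 seeded from a pre-shared root secret, and an HMAC-SHA256 counter-mode stream cipher with a separate HMAC tag, are assumptions chosen so the example runs with the standard library only; the field names of `FirstInformation` are likewise assumed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: both data proxy network elements hold a pre-provisioned secret that seeds the
# derivation; the application does not say which secret input the first key is derived from.
ROOT_KEY = b"constructed-pre-shared-root-key"

NONCE_LEN = 12
TAG_LEN = 32


@dataclass(frozen=True)
class FirstInformation:
    """Parameters the data control network element distributes (field names are assumed)."""
    peer_daid: str      # identification information (DAID) of the peer data proxy network element
    dsid: str           # identification information (DSID) of the first data service
    enc_alg: str        # first encryption algorithm (name only; the stand-in cipher below is used)
    int_alg: str        # first integrity protection algorithm
    salt: bytes         # first salt value, a random number chosen by the data control network element
    iterations: int     # first iteration number


def derive_first_key(own_daid: str, info: FirstInformation) -> bytes:
    """Derive the first key from both DAIDs, the DSID, the salt and the iteration number.
    Sorting the two DAIDs lets the collecting and the processing proxy derive the same key
    even though each of them receives only the other's identifier."""
    label = "|".join(sorted((own_daid, info.peer_daid)) + [info.dsid]).encode()
    return hashlib.pbkdf2_hmac("sha256", ROOT_KEY, info.salt + label, info.iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for encryption and for integrity protection, both derived from the first key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"int", "sha256").digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (an assumption, not a 3GPP algorithm).
    # A nonce must never be reused under the same key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def protect(key: bytes, nonce: bytes, first_data: bytes) -> bytes:
    """Application-layer protection of the first data: returns nonce || ciphertext || tag."""
    k_enc, k_int = _subkeys(key)
    ciphertext = bytes(p ^ s for p, s in zip(first_data, _keystream(k_enc, nonce, len(first_data))))
    tag = hmac.new(k_int, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unprotect(key: bytes, second_data: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError when the data was modified in
    transit or protected under a different key, so unverified data is never processed."""
    if len(second_data) < NONCE_LEN + TAG_LEN:
        raise ValueError("second data too short")
    nonce = second_data[:NONCE_LEN]
    ciphertext = second_data[NONCE_LEN:-TAG_LEN]
    tag = second_data[-TAG_LEN:]
    k_enc, k_int = _subkeys(key)
    expected = hmac.new(k_int, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity verification failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed first information as delivered to each side: each receives the other's DAID.
    shared = dict(dsid="dsid-42", enc_alg="hmac-ctr", int_alg="hmac-sha256",
                  salt=bytes.fromhex("00112233445566778899aabbccddeeff"), iterations=10_000)
    ue_info = FirstInformation(peer_daid="daid-ran-7", **shared)
    ran_info = FirstInformation(peer_daid="daid-ue-3", **shared)
    k_ue = derive_first_key("daid-ue-3", ue_info)
    k_ran = derive_first_key("daid-ran-7", ran_info)
    assert k_ue == k_ran

    first_data = b'{"cell":"c1","rsrp_dbm":-97}'          # constructed measurement record
    second_data = protect(k_ue, os.urandom(NONCE_LEN), first_data)
    print("intermediate node sees:", second_data.hex())   # ciphertext and tag, no plaintext
    print("second proxy recovers:", unprotect(k_ran, second_data))

    forged = bytearray(second_data)
    forged[NONCE_LEN] ^= 0x01                              # one bit flipped in transit
    try:
        unprotect(k_ran, bytes(forged))
    except ValueError as err:
        print("tampering detected:", err)
```

The point the model makes visible is that the key material never crosses the intermediate node: only the salt, iteration number and identifiers travel from the data control network element, and without the pre-shared root secret those parameters do not yield the first key. Changing the salt, as in a key update, produces an unrelated key, and a receiver holding a different key rejects the data instead of decrypting garbage.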
[0013] In conjunction with the first aspect, in one possible implementation, the method further includes: sending first capability information to a data control network element, the first capability information including encryption algorithms and / or integrity protection algorithms supported by the first data proxy network element.
[0014] In this embodiment of the application, the first data proxy network element can report first capability information to the data control network element so that the data control network element can select a suitable encryption algorithm and / or integrity protection algorithm based on the first capability information.
[0015] In conjunction with the first aspect, in one possible implementation, the method further includes:
[0016] The first data proxy network element receives a first message from the data control network element, the first message being a request to update a key and including a second salt value and / or a second iteration number; generates a second key based on the second salt value and / or the second iteration number; sends a second message to the data control network element, the second message being a response to the first message; receives second information from the data control network element, the second information being used to trigger encryption and / or integrity protection of the data of the first data service using the second key; and sends third data to the second data proxy network element, the third data being obtained after the data of the first data service has been encrypted and / or integrity protected at the application layer using the second key.
[0017] In this embodiment, after receiving a key update request, the first data proxy network element generates a second key based on a second salt value and / or a second iteration number. Upon receiving second information, it activates the second key to encrypt and / or protect the integrity of the first data service data. Activating the updated key based on the instruction of the data control network element ensures the consistency of the keys used by the first and second data proxy network elements.
[0018] In conjunction with the first aspect, in one possible implementation, the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes:
[0019] The terminal device receives a handover message from the first access network device. The handover message triggers the terminal device to switch from the first access network device to a second access network device and includes at least one of the following: the identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number. The terminal device generates a third key based on the handover message. After the terminal device successfully switches from the first access network device to the second access network device, it sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
[0020] In this embodiment, the third key is used to encrypt and / or protect the integrity of the data of the first data service transmitted between the terminal device and the second access network device at the application layer. The handover message, also known as a handover command or RRC reconfiguration message, carries parameters for generating the third key. This triggers the terminal device to switch from the first access network device to the second access network device, while simultaneously enabling the terminal device to generate the third key in advance. This allows the terminal device to directly use the third key to encrypt and / or protect the integrity of the first data service data after switching to the second access network device, thereby improving data transmission efficiency.
[0021] In conjunction with the first aspect, in one possible implementation, the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes:
[0022] After the terminal device successfully switches from the first access network device to the second access network device, it receives a third message from the second access network device. The third message includes at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number; it generates a third key based on the third message; and sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or protecting the integrity of the data of the first data service at the application layer using the third key.
[0023] In this embodiment, after the terminal device switches to the second access network device, the second access network device sends information for generating the third key to the terminal device. The information for generating the third key does not need to go through the first access network device, which can improve the security of the third key.
[0024] In conjunction with the first aspect, in one possible implementation, the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes:
[0025] The terminal device receives a fourth message from the data control network element. The fourth message is used for the handover of the terminal device from the first access network device to a second access network device and includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number. The terminal device generates a third key based on the fourth message. It also receives a handover message from the first access network device, which triggers the terminal device to switch from the first access network device to the second access network device. After the terminal device successfully switches from the first access network device to the second access network device, it sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
[0026] In this embodiment, after determining the parameters used to generate the third key, the data control network element sends the information carrying the parameters to the terminal device, thereby enabling the terminal device to generate the third key in advance before switching to the second access network device. After the terminal device switches to the second access network device, it can directly transmit data based on the third key, thereby improving the efficiency of data transmission.
[0027] In conjunction with the first aspect, in one possible implementation, the first data proxy network element is a terminal device, and the second data proxy network element is a data processing function (DPF).
[0028] In this embodiment, the data of the first data service collected by the terminal device needs to be processed by the DPF. Therefore, after collecting the data of the first data service, the terminal device sends the data of the first data service to the DPF. Data transmission between the terminal device and the DPF needs to be forwarded through the first access network device, which is the access network device where the terminal device is currently residing. The terminal device encrypts and / or protects the integrity of the data of the first data service at the application layer, which can prevent the first access network device from reading the plaintext data of the first data service, thereby ensuring the security of the data of the first data service.
[0029] In conjunction with the first aspect, in one possible implementation, the application layer includes the Data Forwarding Protocol Service (DFP-S) layer.
[0030] In this embodiment of the application, there is an equivalent DFP-S layer between the first data proxy network element and the second data proxy network element. The first data proxy network element can encrypt and / or protect the integrity of the data of the first data service at the DFP-S layer, thereby ensuring the security of the data of the first data service.
[0031] In a second aspect, embodiments of this application provide a communication method applied to the terminal side, such as a terminal or an encoding module within the terminal, or a circuit or chip in the terminal responsible for encoding functions (such as a modem chip, also known as a baseband chip, or a system-on-chip (SoC) chip or system-in-package (SIP) chip containing a modem core, etc.). The method includes:
[0032] The terminal device receives first information from a data control network element, the first information including the identification information of a second data proxy network element, the second data proxy network element being used to process data of the first data service; generates a first key based on the identification information of the terminal device and the first information; collects first data of the first data service; and sends second data to the second data proxy network element, the second data being obtained after the first data has been encrypted and / or integrity protected at the application layer using the first key.
[0033] In this embodiment, the terminal device can act as a data proxy network element to collect data from the first data service. The terminal device's identification information may include its DAID. The terminal device can generate a first key based on its identification information and the identification information of the second data proxy network element. This increases the complexity of the first key, making it more difficult for the data of the first data service to be stolen or tampered with during transmission, thereby improving the security of the first data service data.
[0034] In conjunction with the second aspect, in one possible implementation, the first information further includes at least one of the following: a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number.
[0035] In conjunction with the second aspect, in one possible implementation, the first information also includes the identification information of the first data service.
[0036] In this embodiment, the identification information of the first data service includes the DSID of the first data service, and the first key is also generated based on the identification information of the first data service, which can increase the complexity of the first key and thus improve the security of the data of the first data service.
[0037] In conjunction with the second aspect, in one possible implementation, the method further includes: sending first capability information to the data control network element, the first capability information including encryption algorithms and / or integrity protection algorithms supported by the terminal device.
[0038] In conjunction with the second aspect, in one possible implementation, the method further includes:
[0039] The terminal device receives a first message from the data control network element, the first message being a request to update a key and including a second salt value and / or a second iteration number; generates a second key based on the second salt value and / or the second iteration number; sends a second message to the data control network element, the second message being a response to the first message; receives second information from the data control network element, the second information being used to trigger encryption and / or integrity protection of the data of the first data service using the second key; and sends third data to the second data proxy network element, the third data being obtained after the data of the first data service has been encrypted and / or integrity protected at the application layer using the second key.
[0040] In conjunction with the second aspect, in one possible implementation, the second data proxy network element is the first access network device, and the terminal device resides in a cell under the first access network device. The method further includes:
[0041] The terminal device receives a handover message from the first access network device. The handover message triggers the terminal device to switch from the first access network device to a second access network device and includes at least one of the following: the identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number. The terminal device generates a third key based on the handover message. After the terminal device successfully switches from the first access network device to the second access network device, it sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
[0042] In conjunction with the second aspect, in one possible implementation, the second data proxy network element is the first access network device, and the terminal device resides in a cell under the first access network device. The method further includes:
[0043] After the terminal device successfully switches from the first access network device to the second access network device, it receives a third message from the second access network device. The third message includes at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number; it generates a third key based on the third message; and sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or protecting the integrity of the data of the first data service at the application layer using the third key.
[0044] In conjunction with the second aspect, in one possible implementation, the second data proxy network element is the first access network device, and the terminal device resides in a cell under the first access network device. The method further includes:
[0045] The terminal device receives a fourth message from the data control network element. The fourth message is used for the handover of the terminal device from the first access network device to a second access network device and includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number. The terminal device generates a third key based on the fourth message. It also receives a handover message from the first access network device, which triggers the terminal device to switch from the first access network device to the second access network device. After the terminal device successfully switches from the first access network device to the second access network device, it sends fourth data to the second access network device. The fourth data is obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
[0046] In conjunction with the second aspect, in one possible implementation, the second data proxy network element is a DPF.
[0047] In conjunction with the second aspect, in one possible implementation, the application layer includes the Data Forwarding Protocol Service (DFP-S) layer.
[0048] In a third aspect, embodiments of this application provide a communication method applied to a second data proxy network element. The second data proxy network element can be any network element with data processing capabilities; for example, it can be a terminal device, access network device, core network element, transmission network element, etc. The method includes:
[0049] The second data proxy network element receives second data from a first data proxy network element. The second data is obtained by encrypting and / or integrity protecting the first data of the first data service at the application layer using a first key, and the first data proxy network element is used to collect data of the first data service. The second data proxy network element decrypts and / or verifies the integrity of the second data at the application layer according to the first key to obtain the first data. The second data proxy network element is used to process the data of the first data service.
[0050] In this embodiment of the application, the data of the first data service transmitted between the first data proxy network element and the second data proxy network element is encrypted and / or protected for integrity at the application layer using the first key, which can ensure the security of the data of the first data service.
[0051] In conjunction with the third aspect, in one possible implementation, the method further includes:
[0052] The second data proxy network element receives third information from the data control network element, the third information including at least one of the following: the identification information of the first data proxy network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number; and generates the first key based on the third information.
[0053] In conjunction with the third aspect, in one possible implementation, the third information also includes the identification information of the first data service.
[0054] In conjunction with the third aspect, in one possible implementation, the processing includes one or more of the following: field extraction, format conversion, redundant data removal, noise reduction, averaging, compression, and fusion.
[0055] In conjunction with the third aspect, in one possible implementation, the method further includes:
[0056] The second data proxy network element sends second capability information to the data control network element, the second capability information including encryption algorithms and / or integrity protection algorithms supported by the second data proxy network element.
[0057] In conjunction with the third aspect, in one possible implementation, the method further includes:
[0058] The second data proxy network element receives a fifth message from the data control network element, the fifth message being used to request a key update and including a second salt value and / or a second iteration number; generates a second key based on the second salt value and / or the second iteration number; sends a sixth message to the data control network element, the sixth message being used to respond to the fifth message; and receives fourth information from the data control network element, the fourth information being used to trigger the second data proxy network element to use the second key to decrypt and / or verify the integrity of the data of the first data service.
[0059] In conjunction with the third aspect, in one possible implementation, the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes:
[0060] The first access network device sends a handover request message to the data control network element, the handover request message being used to request that the terminal device be handed over from the first access network device to a second access network device and including the identification information of the second access network device; receives a handover response message from the data control network element, the handover response message including at least one of the following: the identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; and sends a handover message to the terminal device, the handover message being used to trigger the terminal device to hand over from the first access network device to the second access network device and including at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
[0061] In a fourth aspect, embodiments of this application provide a communication method applied to a data control network element, the method comprising:
[0062] The data control network element receives a data service request message, which requests a first data service. Based on the data service request message, it sends first information to a first data proxy network element and third information to a second data proxy network element. The first data proxy network element collects data of the first data service, and the second data proxy network element processes the data of the first data service. The first information and the third information are used to generate a first key, which is used at the application layer to encrypt and / or integrity protect the data of the first data service transmitted between the first and second data proxy network elements.
[0063] In this embodiment of the application, after receiving a data service request message, the data control network element can determine the first data proxy network element and the second data proxy network element based on the data service request message, and determine the parameters used to generate the first key. This enables the first data proxy network element and the second data proxy network element to encrypt and / or protect the integrity of the data of the first data service at the application layer based on the first key, thereby ensuring the security of the data of the first data service.
[0064] In conjunction with the fourth aspect, in one possible implementation, the first information includes at least one of the following: the identification information of the second data proxy network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number; the third information includes at least one of the following: the identification information of the first data proxy network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number.
[0065] In this embodiment of the application, the first data proxy network element and the second data proxy network element use the same algorithm, salt value and number of iterations to generate the first key through the first information and the third information, which can make the first key generated by the first data proxy network element and the second data proxy network element consistent.
[0066] In conjunction with the fourth aspect, in one possible implementation, the first information also includes the identification information of the first data service, and the third information also includes the identification information of the first data service.
[0067] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0068] The data control network element determines the first encryption algorithm based on the encryption algorithms supported by the first data proxy network element, the encryption algorithms supported by the second data proxy network element, and the security level of the first data service; and / or determines the first integrity protection algorithm based on the integrity protection algorithms supported by the first data proxy network element, the integrity protection algorithms supported by the second data proxy network element, and the security level of the first data service.
[0069] In this embodiment, the data control network element determines the first encryption algorithm based on the encryption algorithm supported by the first data proxy network element, the encryption algorithm supported by the second data proxy network element, and the security level of the first data service. This enables both the first and second data proxy network elements to support the first encryption algorithm, and the first encryption algorithm can meet the security requirements of the first data service.
[0070] The data control network element determines the first integrity protection algorithm based on the integrity protection algorithms supported by the first data proxy network element, the integrity protection algorithms supported by the second data proxy network element, and the security level of the first data service. This ensures that both the first and second data proxy network elements support the first integrity protection algorithm, and that the first integrity protection algorithm meets the security requirements of the first data service.
[0071] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0072] The data control network element receives first capability information from the first data proxy network element, the first capability information including encryption algorithms and / or integrity protection algorithms supported by the first data proxy network element.
[0073] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0074] The data control network element receives second capability information from the second data proxy network element, the second capability information including encryption algorithms and / or integrity protection algorithms supported by the second data proxy network element.
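Paragraphs [0068] to [0074] describe the selection step without saying how the three inputs are combined. The Python below is an added example (not code from the application or from Huawei) of one reasonable rule: intersect the two capability reports, keep only algorithms whose strength meets the service's security level, and take the strongest remaining one. The algorithm names and strength ranks are constructed; the application names no concrete algorithms or level scale.

```python
# Constructed strength ranking of candidate algorithms (assumption: the application names no
# concrete algorithms or security levels). Higher rank means stronger.
ENCRYPTION_STRENGTH = {"null": 0, "aes-128-ctr": 2, "aes-128-gcm": 2, "aes-256-gcm": 3}
INTEGRITY_STRENGTH = {"hmac-sha1": 1, "hmac-sha256": 2, "hmac-sha512": 3}


def select_algorithm(first_caps, second_caps, security_level, strength):
    """Pick the strongest algorithm both proxies support that meets the service's security level.
    Raises ValueError when no common algorithm satisfies the level: the data control network
    element should then reject the data service request instead of silently downgrading."""
    common = set(first_caps) & set(second_caps)
    eligible = [a for a in common if strength.get(a, -1) >= security_level]
    if not eligible:
        raise ValueError(f"no common algorithm reaches security level {security_level}")
    # Rank first, then name, so the choice is deterministic for identical inputs.
    return max(eligible, key=lambda a: (strength[a], a))


def select_first_algorithms(first_capability, second_capability, security_level):
    """Return (first encryption algorithm, first integrity protection algorithm).
    The capability dicts mirror the first and second capability information; the
    'enc' / 'int' keys are an assumed encoding."""
    enc = select_algorithm(first_capability["enc"], second_capability["enc"],
                           security_level, ENCRYPTION_STRENGTH)
    integ = select_algorithm(first_capability["int"], second_capability["int"],
                             security_level, INTEGRITY_STRENGTH)
    return enc, integ


if __name__ == "__main__":
    # Constructed capability reports from the two data proxy network elements.
    first = {"enc": ["aes-128-gcm", "aes-128-ctr", "null"], "int": ["hmac-sha256", "hmac-sha1"]}
    second = {"enc": ["aes-256-gcm", "aes-128-gcm", "null"], "int": ["hmac-sha512", "hmac-sha256"]}
    print(select_first_algorithms(first, second, security_level=2))
    try:
        select_first_algorithms(first, second, security_level=3)
    except ValueError as err:
        print("request must be rejected:", err)
```

Two behaviours are worth noting. An unranked algorithm reported by a proxy is never selected, so a misconfigured or unknown capability cannot satisfy a security level by accident, and the "null" entry is only ever chosen when nothing stronger is common to both sides and the service's level permits it.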
[0075] In conjunction with the fourth aspect, in one possible implementation, the data service request message includes the security level of the first data service.
[0076] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0077] Based on the data service request message, the first data proxy network element and the second data proxy network element are determined.
[0078] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0079] Send a first message to the first data agent network element, the first message being used to request a key update, the first message including a second salt value and / or a second iteration number; send a fifth message to the second data agent network element, the fifth message being used to request a key update, the fifth message including a second salt value and / or a second iteration number; receive a second message and a sixth message, wherein the second message is used to respond to the first message, and the sixth message is used to respond to the fifth message; send a second message and a fourth message according to the second message and the sixth message; the second message is used to trigger the first data agent network element to use the updated key to encrypt and / or protect the integrity of the data of the first data service, and the fourth message is used to trigger the second data agent network element to use the updated key to decrypt and / or verify the integrity of the data of the first data service.
[0080] In this embodiment, the data control network element simultaneously requests key updates from the first data agent network element and the second data agent network element. After receiving response messages from the first data agent network element and the second data agent network element, the first data agent network element and the second data agent network element are then triggered to use the updated key to encrypt and / or protect the integrity of the data of the first data service. This can align the timing of the first data agent network element and the second data agent network element using the updated key, and maintain the consistency of the key used by the first data agent network element and the second data agent network element.
[0081] In conjunction with the fourth aspect, in one possible implementation, the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, and the terminal device resides in a cell under the first access network device. The method further includes:
[0082] The data control network element receives a handover request message from the first access network device, which requests a handover from the first access network device to a second access network device. The handover request message includes the identification information of the second access network device. Based on the handover request message, the data control network element sends fifth information to the second access network device. The fifth information is used to determine a third key, which is used at the application layer to encrypt and / or protect the integrity of data of the first data service transmitted between the terminal device and the second access network device. The fifth information includes at least one of the following: the identification information of the terminal device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
[0083] In this embodiment, when a terminal device needs to switch from a first access network device to a second access network device, the data control network element determines the parameters used to generate a third key and carries these parameters through fifth information, so that the second access network device can generate the third key based on the fifth information. The third key is used to encrypt and / or protect the integrity of the data of the first data service transmitted between the terminal device and the second access network device at the application layer, thereby ensuring the security of the first data service data.
[0084] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0085] A handover response message is sent to the first access network device. The handover response message is used to respond to the handover request message and includes at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
[0086] In this embodiment of the application, the data control network element can carry parameters for generating a third key in the response message, and the first access network device can send these parameters to the terminal device, thereby enabling the terminal device to generate the third key in advance.
[0087] In conjunction with the fourth aspect, in one possible implementation, the method further includes:
[0088] A fourth message is sent to the terminal device. The fourth message is used for the terminal device to switch from the first access network device to the second access network device. The fourth message includes at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
[0089] In this embodiment of the application, after the data control network element determines the parameters used to generate the third key, it can send the parameters for generating the third key to the terminal device through a fourth message, so that the terminal device can generate the third key in advance to prepare for the handover from the first access network device to the second access network device.
[0090] In a fifth aspect, embodiments of this application provide a communication method applied to a second access network device. This method can be executed by the second access network device, or by components within the second access network device, such as an encoding module, or a circuit or chip responsible for encoding functions within the second access network device (e.g., a modem chip, also known as a baseband chip, or a SoC chip or SIP chip containing a modem core, etc.). The method includes:
[0091] The second access network device receives fifth information from a data control network element, the fifth information including at least one of the following: terminal device identification information, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration count; generates a third key based on the fifth information; after the terminal device successfully switches from the first access network device to the second access network device, sends a third message to the terminal device, the third message including at least one of the following: second access network device identification information, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration count; receives fourth data from the terminal device, the fourth data being obtained by encrypting and / or protecting the integrity of the first data service data at the application layer using the third key; decrypts and / or verifies the integrity of the fourth data at the application layer using the third key to obtain the first data service data; the second access network device is used to process the first data service data.
[0092] In this embodiment, after the terminal device switches from the first access network device to the second access network device, the second access network device sends the parameters used to generate the third key to the terminal device. These parameters do not pass through the first access network device, which can improve the security of the first key.
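Two of the procedures above share the same building blocks: the key update of paragraphs [0079] and [0080], where the data control network element waits for both proxies to respond before telling either to switch, and the handover of paragraphs [0082] to [0092], where the second access network device derives the third key from the fifth information and the first access network device is left with only the old key. The Python below is an added example that is not the application's own code and models both with the standard library only. A shared root secret held by the terminal and the network, PBKDF2-HMAC-SHA256 as the derivation from the salt value and iteration number, and HMAC-SHA256 as the application-layer integrity protection are all assumptions of this example; the salts, iteration counts and payloads are constructed.

```python
import hashlib
import hmac

# Added example (not the application's own code). The root secret, the use of
# PBKDF2-HMAC-SHA256 for "salt value" + "iteration number", and HMAC-SHA256 as
# the integrity protection are assumptions made for this illustration.
ROOT_SECRET = b"constructed-root-secret-shared-by-terminal-and-network"  # constructed
TAG_LEN = 32


def derive_key(salt: bytes, iterations: int) -> bytes:
    """Key derived from the root secret and a (salt value, iteration number) pair."""
    return hashlib.pbkdf2_hmac("sha256", ROOT_SECRET, salt, iterations, dklen=32)


def protect(key: bytes, data: bytes) -> bytes:
    """Application-layer integrity protection: data || HMAC-SHA256(key, data)."""
    return data + hmac.new(key, data, "sha256").digest()


def verify(key: bytes, blob: bytes):
    """Return the data if the tag verifies under key, else None."""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, "sha256").digest()
    return data if hmac.compare_digest(tag, expected) else None


class DataProxy:
    """A data proxy network element (terminal or access network device) with one active key."""

    def __init__(self, name: str, salt: bytes, iterations: int, online: bool = True):
        self.name = name
        self.key = derive_key(salt, iterations)  # key currently in use
        self.pending = None                      # updated key: derived, not yet active
        self.online = online

    def on_update_request(self, salt: bytes, iterations: int):
        """First/fifth message: derive the updated key, keep using the old one, respond."""
        if not self.online:
            return None  # no response reaches the data control network element
        self.pending = derive_key(salt, iterations)
        return {"from": self.name, "status": "ready"}

    def on_activate(self) -> None:
        """Trigger message: switch to the updated key."""
        if self.pending is None:
            raise RuntimeError("activation without a prepared key")
        self.key, self.pending = self.pending, None


class DataControl:
    """Data control network element coordinating keys between proxies."""

    def key_update(self, first: DataProxy, second: DataProxy,
                   salt: bytes, iterations: int) -> bool:
        """Two-phase update: both proxies must respond before either is told to switch."""
        responses = [p.on_update_request(salt, iterations) for p in (first, second)]
        if any(r is None for r in responses):
            return False  # no trigger is sent, so both sides keep the old key
        first.on_activate()
        second.on_activate()
        return True

    def handover(self, ue: DataProxy, target_an: DataProxy,
                 salt: bytes, iterations: int) -> None:
        """Fifth information to the target access network device; after the switch the
        target's third message carries the same parameters to the terminal. The source
        access network device is not on either path and never learns the third key."""
        fifth_information = {"ue_id": ue.name, "salt": salt, "iterations": iterations}
        target_an.key = derive_key(fifth_information["salt"], fifth_information["iterations"])
        third_message = {"an_id": target_an.name, "salt": salt, "iterations": iterations}
        ue.key = derive_key(third_message["salt"], third_message["iterations"])


def demo() -> dict:
    """Run both procedures on constructed parameters and report what each side can verify."""
    dc = DataControl()
    ue = DataProxy("ue", b"salt-1", 1000)
    an1 = DataProxy("an-1", b"salt-1", 1000)  # first access network device
    out = {}
    # Key update with both proxies reachable: both switch, traffic still verifies.
    out["update_ok"] = dc.key_update(ue, an1, b"salt-2", 2000)
    out["keys_match_after_update"] = ue.key == an1.key
    out["verifies_after_update"] = verify(an1.key, protect(ue.key, b"sample")) == b"sample"
    # Key update with one proxy unreachable: nobody switches, keys stay consistent.
    an1.online = False
    out["update_with_offline_peer"] = dc.key_update(ue, an1, b"salt-3", 3000)
    out["keys_match_after_failed_update"] = ue.key == an1.key
    an1.online = True
    # Handover: target derives the third key; the source keeps only its old key.
    an2 = DataProxy("an-2", b"unrelated", 1)  # second access network device
    dc.handover(ue, an2, b"salt-4", 4000)
    fourth_data = protect(ue.key, b"after-handover")
    out["target_verifies"] = verify(an2.key, fourth_data) == b"after-handover"
    out["source_cannot_verify"] = verify(an1.key, fourth_data) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the two-phase update is visible in the second scenario: because the data control network element only sends the activation trigger after both responses have arrived, a proxy that never received the update request cannot be left on a different key from its peer. In the handover scenario the first access network device still holds a valid-looking key, but it is the first key, and the fourth data protected under the third key does not verify under it.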
[0093] In a sixth aspect, embodiments of this application provide a communication device for executing the methods in any one of the first to fifth aspects or any possible implementations thereof. The communication device includes a module having the capability to execute the methods in any one of the first to fifth aspects or any possible implementations thereof.
[0094] In a seventh aspect, embodiments of this application provide a communication device including a processor configured to execute the methods described in any one of the first to fifth aspects or any possible implementation thereof. The processor executes a program stored in a memory, and when the program is executed, the methods described in any one of the first to fifth aspects or any possible implementation thereof are executed.
[0095] In one possible implementation, the memory is located outside the aforementioned communication device.
[0096] In one possible implementation, the memory is located within the aforementioned communication device.
[0097] In this embodiment, the processor and memory can also be integrated into a single device, that is, the processor and memory can be integrated together. For example, the communication device can be a chip.
[0098] In one possible implementation, the communication device further includes a transceiver for receiving or sending information.
[0099] In an eighth aspect, embodiments of this application provide a chip, the chip including logic circuitry and an interface, the logic circuitry and the interface being coupled; the interface being used for inputting and / or outputting information, and the logic circuitry being used for performing the method described in any one of the first to fifth aspects or any possible implementation thereof.
[0100] In a ninth aspect, embodiments of this application provide a computer-readable storage medium for storing a computer program that, when run on a computer, causes the methods shown in any of the first to fifth aspects or any possible implementation thereof to be executed.
[0101] In a tenth aspect, embodiments of this application provide a computer program product that, when run on a computer, causes the methods shown in any of the first to fifth aspects or any possible implementations described above to be executed.
[0102] In an eleventh aspect, embodiments of this application provide a communication method, including at least two of the following: a first data proxy network element, a second data proxy network element, a data control network element, and a second access network device; wherein, the first data proxy network element is used to perform the method as shown in the first aspect or any possible implementation of the first aspect, the second data proxy network element is used to perform the method as shown in the third aspect or any possible implementation of the third aspect, the data control network element is used to perform the method as shown in the fourth aspect or any possible implementation of the fourth aspect, and the second access network device is used to perform the method as shown in the fifth aspect or any possible implementation of the fifth aspect.
Attached Figure Description
[0103] Figure 1 is a schematic diagram of a communication system;
[0104] Figure 2 is a schematic diagram of a network architecture supporting the data plane provided in an embodiment of this application;
[0105] Figures 3A to 3F are schematic diagrams of the data plane protocol stack provided in the embodiments of this application;
[0106] Figure 4 is a flowchart illustrating a communication method provided in an embodiment of this application;
[0107] Figure 5 is a flowchart illustrating another communication method provided in an embodiment of this application;
[0108] Figure 6A is a flowchart illustrating another communication method provided in an embodiment of this application;
[0109] Figure 6B is a flowchart illustrating another communication method provided in an embodiment of this application;
[0110] Figure 7 is a flowchart illustrating another communication method provided in an embodiment of this application;
[0111] Figure 8 is a flowchart illustrating another communication method provided in an embodiment of this application;
[0112] Figure 9 is a flowchart illustrating another communication method provided in an embodiment of this application;
[0113] Figure 10 is a flowchart illustrating another communication method provided in an embodiment of this application;
[0114] Figure 11 is a schematic diagram of the structure of a communication device provided in an embodiment of this application;
[0115] Figure 12 is a schematic diagram of another communication device provided in an embodiment of this application;
[0116] Figure 13 is a schematic diagram of the structure of a chip provided in an embodiment of this application.
Detailed Implementation
[0117] The terms "first" and "second," etc., used in the specification, claims, and drawings of this application are only used to distinguish different objects and not to limit the order, sequence, priority, or importance of multiple objects. In the embodiments of this application, "multiple" refers to two or more. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units not listed, or may optionally include other steps or units inherent to these processes, methods, products, or devices. Additionally, the character " / ," unless otherwise specified, generally indicates that the preceding and following objects are in an "or" relationship.
[0118] The term "embodiment" as used herein means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0119] It should be understood that in this application, "at least one (item)" means one or more, "more than one" means two or more, "at least two (items)" means two or three or more, and "and / or" is used to describe the relationship between related objects, indicating that there can be three relationships. For example, "A and / or B" can mean: only A exists, only B exists, and A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the related objects before and after are in an "or" relationship. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one (item) of a, b, or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.
[0120] This application will present various aspects, embodiments, or features relating to systems that may include multiple devices, components, modules, etc. It should be understood and appreciated that individual systems may include additional devices, components, modules, etc., and / or may not include all the devices, components, modules, etc. discussed in conjunction with the accompanying drawings. Furthermore, combinations of these approaches are also possible.
[0121] In this application, "send" and "receive" indicate the direction of signal transmission. For example, "send information to XX" can be understood as the destination of the information being XX, which can include direct transmission via the air interface or indirect transmission via the air interface from other units or modules. "Receive information from YY" can be understood as the source of the information being YY, which can include direct reception from YY via the air interface or indirect reception from YY via the air interface from other units or modules. "Send" can also be understood as the "output" of a chip interface, and "receive" can also be understood as the "input" of a chip interface. In other words, sending and receiving can occur between devices, such as between network devices and terminal devices, or within a device, such as between components, modules, chips, software modules, or hardware modules within the device via buses, traces, or interfaces.
[0122] Furthermore, in the embodiments of this application, words such as "exemplarily" and "for example" are used to indicate examples, illustrations, or descriptions. Any embodiment or design scheme described as an "example" in this application should not be construed as being more preferred or advantageous than other embodiments or design schemes. Specifically, the use of the term "example" is intended to present concepts in a concrete manner. In the embodiments of this application, "of," "corresponding (relevant)," and "corresponding" may sometimes be used interchangeably, and it should be noted that their intended meanings are consistent unless their distinction is emphasized.
[0123] The communication systems and service scenarios described in the embodiments of this application are for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions provided in the embodiments of this application. As those skilled in the art will know, with the evolution of network architecture and the emergence of new service scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
[0124] Figure 1 is a schematic diagram of a communication system. As shown in Figure 1, the communication system includes data control (DC) network elements and data agent (DA) network elements. The number of data control network elements and data agent network elements can be one or more.
[0125] Data control network elements are used to perform data service orchestration and control, receive data service requests, manage the lifecycle of data service tasks, translate service requests, select data agents (DAs), and orchestrate the functions of various data agent network elements.
[0126] For example, data control network elements can be deployed in any core network element, transfer network (TN) element, access network equipment, or other network elements (such as operation administration and maintenance (OAM) elements), or data orchestration network elements can be deployed independently. For instance, data orchestration network elements can be deployed hierarchically on the core network or access network equipment side. Data control network elements can be deployed in network service (NS) network elements. As another example, data control network elements can be deployed independently in the network as network functions (NFs) or network elements. In actual deployment, one or more NFs can form a single network element.
[0127] Data proxy network elements are used to perform functions such as data acquisition, data preprocessing, data storage, data analysis, and data forwarding. Different data proxy network elements can have the same or different data service capabilities and can implement the same or different functions. Data proxy network elements can interact with data control network elements to obtain the relevant operations required to fulfill service requirements and execute those operations. Data proxy network elements can establish a logical network topology, forming a dynamic data pipeline (also called data flow, business logic, function chain, operation chain, etc.). This data pipeline consists of the functions corresponding to one or more data proxy network elements according to service requirements. The output of the previous function is the input of the next function, thereby realizing the responsive data service.
[0128] The aforementioned data proxy network element can be deployed in any core network element, transfer network (TN) element, terminal equipment, access network equipment, or other network elements (such as operation administration and maintenance (OAM) elements), or it can be deployed independently. For example, the data proxy network element can be deployed independently in the network as a network function (NF) or a network element.
[0129] For example, a data proxy network element can be evolved from any core network element, transmission network element, terminal equipment, access network equipment, or other network element. The data proxy network element can realize the functions that any core network element, transmission network element, terminal equipment, access network equipment, or other network element can realize. Alternatively, the functions of the data proxy network element provided in this application can be realized by any core network element, transmission network element, terminal equipment, access network equipment, or other network element.
[0130] For example, a data proxy network element can be evolved from a network data analysis function (NWDAF) network element, and can realize the functions of the NWDAF network element, as well as scenario use cases based on the NWDAF network element.
[0131] Optionally, based on the resources and / or capabilities of the network elements, the data proxy network element can be deployed in any core network element, transmission network element, terminal equipment, access network equipment or other network elements, which can realize cross-domain data collection, and thus realize cross-domain data management and collaboration.
[0132] When there are multiple data proxy network elements in a communication system, some of the data proxy network elements can be built into the network device (referring to any core network element, terminal device, access network device, or other network element, etc.), while the other data proxy network elements can be deployed independently; or, all of the multiple data proxy network elements can be built into the network device, or, all of the multiple data proxy network elements can be deployed independently. This application does not limit this.
[0133] It should be noted that the data control network element can be a logical entity or a physical entity, and the data agent network element can be a logical entity or a physical entity; this application does not limit this.
[0134] For example, data proxy network elements can be deployed centrally or in a distributed manner. Distributed deployment methods may include distributed hash table (DHT) methods, etc.
[0135] Data proxy network elements are distributed and deployed flexibly on demand, which can meet diverse and flexible data service needs and reduce the overhead of data collection.
[0136] Optionally, the communication system shown in Figure 1 also includes a data processing function (DPF) for data analysis and processing. A DPF can also be understood as a special type of DA. Exemplarily, the DPF can be deployed in any core network element, transport network element, access network device, or other network element (e.g., OAM elements), or it can be deployed independently. For example, the DPF can be deployed on the core network or access network device side. Another example is that the DPF can be deployed in a network service (NS) network element. Yet another example is that the DPF can be deployed independently in the network as an NF or network element.
[0137] Optionally, the communication system shown in Figure 1 also includes a data storage function (DSF) for distributed data storage. This DSF can be deployed in any core network element, transport network element, access network device, or other network element (e.g., OAM elements), or it can be deployed independently. For example, the DSF can be deployed on the core network or access network device side. Alternatively, the DSF can be deployed independently in the network as an NF or network element.
[0138] The aforementioned core network elements are located on the network side of the communication system and can be used to provide network services to access network equipment, terminal equipment, etc. Core network elements may include, but are not limited to, one or more of the following: access and mobility management function (AMF), session management function (SMF), user plane function (UPF), policy control function (PCF), network exposure function (NEF), application function (AF), NWDAF network element, and / or OAM network element.
[0139] With the reduction in computing and storage costs, and the emergence of numerous low-latency services and local area applications, computing and storage, as well as the intelligent algorithms that rely on them, tend to be deployed closer to the network edge, closer to the data source, thus forming a data-centric network architecture. The basic function of mobile communication networks will also begin to shift from information transmission conduits to data management platforms. Intrinsic sensing and intelligence are two major new capabilities for future networks. Intrinsic sensing generates massive amounts of data through sensing devices, perceiving the network's own state, surrounding environment, and user / device behavior. Intelligence uses technologies such as artificial intelligence (AI) and digital twins for modeling, analysis, and automated decision-making to improve network operational efficiency, enhance system performance, or provide data services for intelligent applications. Therefore, future networks will act as both data producers and providers, offering trusted data services to intelligent applications, and data consumers, leveraging data-driven intelligent applications to improve network performance and operational efficiency.
[0140] Table 1 shows the types of data services that the data architecture can provide, tailored to different application scenarios and needs:
[0141] Table 1
[0142] If future network data is carried through the user plane, the data's origin and termination can only occur at either end of a Protocol Data Unit (PDU) session, i.e., at the User Equipment (UE) or User Plane Function (UPF). This cannot meet the distributed management and control requirements for perceived data, AI data, network behavior, and state data. Therefore, future networks need to introduce an independent data plane to build a unified, reliable, and dynamically flexible data service framework at the architecture level. This framework should meet data regulatory requirements while improving data analysis and processing efficiency, enabling reliable data sharing across domains and vendors, and realizing the value of data through various intelligent applications. Data plane transmission consists of functions such as data acquisition, preprocessing, forwarding, storage, and analysis. The data processed by the data plane is produced and consumed by machines / algorithms. The data plane transmission network needs to implement in-path computing. In the data pipeline, data is transformed and optimized to achieve the state required for data analysis and intelligent applications. In the data pipeline, data packets are forwarded based on data services and data pipeline identifiers. Data forwarding in the data plane belongs to the application layer. Furthermore, the data plane supports arbitrary topologies (such as tree structures required for data distribution and data aggregation).
[0143] For example, Figure 2 illustrates a network architecture supporting the data plane according to an embodiment of this application. The deployment of the data control (DC) network element, data proxy (DA) network element, DPF, and DSF can be as shown in Figure 2. This network architecture may include, but is not limited to, one or more of the following: terminal device, access network device, AMF, SMF, NEF, PCF, charging function (CHF), unified data management (UDM) function, network repository function (NRF), UPF, DC, DPF, data network (DN), and DSF. Multiple DAs can be deployed in this network architecture, and these multiple DAs can be deployed in different devices or network elements. Figure 2 uses four DAs as an example; these four DAs are deployed in the UE, access network device 1, access network device 2, and AMF, respectively.
[0144] The following describes the functions or network elements involved in this network architecture:
[0145] AMF (access and mobility management function) is primarily used for mobility management and access management. Its main functions include mobility management and access authentication / authorization. Additionally, the AMF can be responsible for transmitting user policies between the terminal and the PCF (policy control function).
[0146] SMF (session management function) is primarily used for session management (e.g., creation, deletion), maintaining session context and user plane forwarding pipeline information, allocating and managing Internet Protocol (IP) addresses for terminal devices, selecting endpoints for manageable user plane functions, policy control, and charging function interfaces, and downlink data notification. SMF can also be used for terminal IP address allocation, UPF selection, and charging and QoS policy control.
[0147] UPF: As the interface with the data network, it performs functions such as user plane data forwarding, session / flow-based billing and statistics, and bandwidth limiting. This includes packet routing and forwarding, as well as quality of service (QoS) processing for user plane data.
[0148] PCF: Includes user subscription data management functions, policy control functions, billing policy control functions, QoS control, etc. It is a unified policy framework used to guide network behavior and provide policy rule information to control plane function network elements (such as AMF, SMF, etc.).
[0149] NEF (network exposure function): This can be used to provide frameworks, authentication, and interfaces related to network capability openness, facilitating information exchange between 5G system network functions and other network functions. In 5G communication systems, the NEF is primarily used to open up 3GPP network function services and capabilities to the AF (application function), while also allowing the AF to provide information to 3GPP network functions.
[0150] UDM: Responsible for the management of user identification, subscription data, authentication data, and user service element registration management (such as the AMF and SMF currently providing services to the terminal; when a user switches to a different AMF, the UDM will also send a deregistration message to the old AMF, requesting the old AMF to delete the user's relevant information).
[0151] NRF (network repository function) is responsible for registering and monitoring the status of network function (NF) services, enabling automated management, selection, and scalability of NFs, and allowing each NF to discover services provided by other NFs. It is used for NF registration, management, and status monitoring, achieving automated management of all NFs. Each NF must register with the NRF upon startup to provide services; registration information includes NF type, address, and service list.
[0152] The aforementioned access network equipment can also be called access devices or wireless access network equipment. Access network equipment can manage wireless resources, provide access services for terminal devices, and complete the forwarding of data between terminal devices and the core network. Access network equipment can also be understood as a base station in the network.
[0153] For example, the access network device in this application embodiment can be any kind of communication device with wireless transceiver function for communicating with terminal devices. The access network equipment includes, but is not limited to: evolved Node B (eNB), radio network controller (RNC), base station (Node B, NB), base station controller (BSC), base transceiver station (BTS), home evolved Node B (HeNB, or home Node B, HNB), baseband unit (BBU), access point (AP), wireless relay node, wireless backhaul node, transmission point (TP), or transmission and reception point (TRP) in a wireless fidelity (WIFI) system. It can also be a 5G system, such as a gNB or transmission point (TP) in an NR system, one or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node constituting a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU). It can also be a satellite or a drone.
[0154] In some deployments, a gNB may include a centralized unit (CU) and a distributed unit (DU). The gNB may also include an active antenna unit (AAU). The CU implements some of the gNB's functions, and the DU implements others. For example, the CU handles non-real-time protocols and services, implementing radio resource control (RRC) and packet data convergence protocol (PDCP) layer functions. The DU handles physical layer protocols and real-time services, implementing radio link control (RLC), media access control (MAC), and physical (PHY) layer functions. The AAU implements some physical layer processing functions, radio frequency processing, and active antenna-related functions. RRC layer information is generated by the CU and is ultimately encapsulated by the DU's PHY layer to become PHY layer information, or it may be derived from PHY layer information. Therefore, in this architecture, higher-layer signaling, such as RRC layer signaling, can be considered as being sent by the DU, or by the DU+AAU. It is understood that the access network device can be one or more of the following: a CU node, a DU node, and an AAU node. Furthermore, a CU can be classified as an access network device in the radio access network (RAN) or as an access network device in the core network (CN); this application does not impose any limitation on this classification.
[0155] The aforementioned terminal device is a terminal that accesses the communication system and has wireless transceiver capabilities, or a chip or chip system that can be installed in such a terminal. The terminal device in this application may also be referred to as a terminal, user equipment (UE), access terminal, user unit, user station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user apparatus. The terminal in the embodiments of this application may be a mobile phone, tablet, drone, computer with wireless transceiver capabilities, customer premise equipment (CPE), virtual reality (VR) terminal, augmented reality (AR) terminal, wireless terminal in industrial control, wireless terminal in self-driving, wireless terminal in remote medical care, wireless terminal in smart grids, wireless terminal in transportation safety, wireless terminal in smart cities, wireless terminal in smart homes, cellular phone, cordless phone, session initiation protocol (SIP) phone, wireless local loop (WLL) station, personal digital assistant (PDA), handheld device with wireless communication capabilities, computing device or other processing device connected to a wireless modem, in-vehicle device, wearable device, terminal in a 5G network, or terminal in a future evolved network, etc.
[0156] For example, the terminal device in this application can be a delivery terminal in smart logistics (e.g., a device that monitors the location of goods vehicles or the temperature and humidity of goods), a wireless terminal in smart agriculture (e.g., a wearable device that collects data on poultry and livestock), a wireless terminal in smart buildings (e.g., smart elevators, fire monitoring equipment, and smart meters), a wireless terminal in smart healthcare (e.g., a wearable device that monitors the physiological state of humans or animals), a wireless terminal in smart transportation (e.g., smart buses, smart vehicles, shared bicycles, charging pile monitoring equipment, smart traffic lights, smart monitoring, and smart parking equipment), or a wireless terminal in smart retail (e.g., vending machines, self-checkout machines, and unmanned convenience stores). For example, the terminal device in this application can be a vehicle-mounted module, vehicle-mounted component, vehicle-mounted chip, or on-board unit built into a vehicle as one or more components or units. The vehicle can implement the methods provided in this application through that built-in vehicle-mounted module, component, chip, or on-board unit. The terminal device in this application can be a smart internet of things (SIoT) terminal device or a non-SIoT terminal device with certain computing and storage capabilities. A non-SIoT terminal device can collect data through an IoT gateway; for example, a non-SIoT terminal device can be a terminal with limited computing power, such as a single-function sensor. Optionally, the SIoT terminal device can have a built-in data proxy network element, or the SIoT terminal device can implement the function of a data proxy network element.
[0157] In the network architecture described above, data collected by one data proxy network element can be processed by another data proxy network element. For example, data collected by DA 1 can be processed by DA 2.
[0158] As an example, DA1 is deployed on the terminal device, and DA2 is deployed on the access network device. This means that data collected by the terminal device can be processed on the access network device. The access network device is the one on which the terminal device currently camps. The data plane protocol stack between the terminal device and the access network device can be as shown in Figure 3A. The peer protocol layers between the terminal device and the access network device include: the Data Forward Protocol-Service (DFP-S) layer, Packet Data Convergence Protocol (PDCP) layer, Radio Link Control (RLC) layer, Media Access Control (MAC) layer, and Physical (PHY) layer. The DFP-S layer is used for data acquisition, data processing and analysis, data encryption, and privacy protection.
[0159] As another example, DA1 is deployed on the terminal device, which currently camps on RAN 1, and DA2 is deployed on the DPF or on RAN 2. Data collected on the terminal device is transparently transmitted through RAN 1 to RAN 2 or the DPF. The corresponding data plane protocol stack is shown in Figure 3B. The peer protocol layers between the terminal device and RAN 1 include: the PDCP layer, RLC layer, MAC layer, and PHY layer. The peer protocol layers between the terminal device and the DPF or RAN 2 include: the DFP-S layer, the Transmission Control Protocol (TCP)/User Datagram Protocol (UDP)/Quick UDP Internet Connections (QUIC) layer, the Internet Protocol (IP) layer, L2, and L1.
[0160] As another example, DA1 is deployed on the RAN and DA2 is deployed on the DPF. That is, the data collected by the RAN can be processed by the DPF. The corresponding data plane protocol stack is shown in Figure 3C. The peer protocol layers between the RAN and the DPF include: the DFP-S layer, TCP/UDP/QUIC layer, IP layer, L2, and L1.
[0161] As another example, DA1 can be deployed on a core network element, a transport network element, or another network element or function, or DA1 can be deployed independently. DA2 can be deployed on a different network element than DA1, or DA2 can be deployed independently. The data plane protocol stack between DA1 and DA2 can be as shown in Figure 3D, with peer DFP-S, QUIC, UDP, IP, L2, and L1 layers between DA1 and DA2. Alternatively, the data plane protocol stack between DA1 and DA2 can be as shown in Figure 3E, with peer DFP-S, HTTPS, TCP, IP, L2, and L1 layers between DA1 and DA2. Alternatively, the data plane protocol stack between DA1 and DA2 can be as shown in Figure 3F, with peer DFP-S, HTTP/3, QUIC, UDP, IP, L2, and L1 layers between DA1 and DA2.
[0162] In the communication system shown in Figure 1 or Figure 2, data for data services needs to be transferred to appropriate nodes or network elements for processing within the network. Therefore, ensuring data security during network transmission is a pressing issue that needs to be addressed.
[0163] Therefore, embodiments of this application provide a communication method and a communication device that can ensure data security.
[0164] Please refer to Figure 4, which is a flowchart illustrating a communication method provided in an embodiment of this application. This communication method is applied to a first data proxy network element and a second data proxy network element. As shown in Figure 4, the method includes, but is not limited to, the following steps.
[0165] 401. The first data proxy network element collects the first data of the first data service.
[0166] The first data proxy network element can be deployed in any core network element, transport network element, terminal device, access network device, or other network element (such as an operation, administration and maintenance (OAM) network element). Alternatively, the first data proxy network element can be an independently deployed network function or network element. The first data proxy network element is used to collect the data of the first data service.
[0167] Specifically, after the first data proxy network element collects the first data, it can use the first key at the application layer to encrypt and/or integrity-protect the first data to obtain the second data. The first key can be used to encrypt and/or integrity-protect the data of the first data service.
[0168] In one possible implementation, the first key may be generated based on the identifier of a first data proxy network element and / or the identifier of a second data proxy network element. For example, the first data proxy network element may generate the first key based on at least one of the DAID of the first data proxy network element and the DAID of the second data proxy network element.
[0169] The second data proxy network element is used to process the data of the first data service; in other words, it is the network element that receives the second data. Equivalently, the second data proxy network element is the next-hop DA of the first data proxy network element in the data flow corresponding to the first data service, that is, the data flow of the first data service flows from the first data proxy network element to the second data proxy network element.
[0170] The identifier of the first data proxy network element may include the DAID, address, or name corresponding to the first data proxy network element, and the identifier of the second data proxy network element may include the DAID, address, or name corresponding to the second data proxy network element.
[0171] For example, the first data proxy network element can use the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, the first salt value, and the first iteration number as input to a hash function (such as secure hash algorithm (SHA)-256 or SHA-3). The hash function converts the DAID corresponding to the first data proxy network element and the DAID corresponding to the second data proxy network element into a fixed-length byte sequence. The first data proxy network element then uses the byte sequence output by the hash function as input to a key generation function, which outputs the first key. The key generation function may include the password-based key derivation function 2 (PBKDF2). PBKDF2 converts the output of the hash function into a secure first key using a preset number of iterations (such as the first iteration number) and a pseudo-random value (such as the first salt value, or a value generated by a cryptographically secure pseudo-random number generator).
[0172] In another possible implementation, the first key can be generated based on the identifier of the first data service (such as the DSID of the first data service). For example, the first data proxy network element can generate the first key based on the DAID of the first data proxy network element, the DAID of the second data proxy network element, and the DSID of the first data service.
[0173] Therefore, encrypting the data of the first data service based on the first key can improve the security of the data during transmission.
[0174] For example, the first data proxy network element can use the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, the DSID of the first data service, the first iteration number, and the first salt value as input to a hash function (such as SHA-256 or SHA-3). The hash function converts the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, and the DSID of the first data service into a fixed-length byte sequence. The first data proxy network element then uses the byte sequence output by the hash function as input to a key generation function, and outputs the first key through the key generation function.
[0175] In another possible implementation, the first key can be generated based on the first information. For example, the first data proxy network element generates the first key based on the first information.
[0176] The first information includes at least one of the following: identification information of the second data proxy network element, a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number. Optionally, the first information may also include identification information of the first data service; for example, the first information may also include the DSID of the first data service.
[0177] For example, the first data proxy network element receives the first information from the data control network element and generates the first key based on the first information.
[0178] For example, the identification information of the second data proxy network element includes the DAID of the second data proxy network element. When the first key is generated based on the identification of the second data proxy network element, the first information includes the identification information of the second data proxy network element. When the first key is not generated based on the identification of the second data proxy network element, the first information may not include the identification information of the second data proxy network element.
[0179] As an example, the first information includes a first encryption algorithm, and the first key is used to encrypt the data of the first data service. The first data proxy network element can take at least one of the following: the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, and the DSID of the first data service, along with the first iteration number and the first salt value, as input to a hash function (such as SHA-256 or SHA-3). The hash function outputs a fixed-length byte sequence. The first data proxy network element then takes the byte sequence output by the hash function, the first iteration number, and the first salt value as input to a key generation function, and outputs the first key through the key generation function.
[0180] As another example, the first information includes a first integrity protection algorithm, and the first key is used to integrity-protect the data of the first data service. The first data proxy network element can take at least one of the following: the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, and the DSID of the first data service, along with the first iteration number and the first salt value, as input to a hash function (such as SHA-256 or SHA-3). The hash function outputs a fixed-length byte sequence. The first data proxy network element then takes the byte sequence output by the hash function, the first iteration number, and the first salt value as input to a key generation function, and outputs the first key through the key generation function.
[0181] As another example, the first information includes a first encryption algorithm and a first integrity protection algorithm, and the first key is used to encrypt and protect the integrity of the data of the first data service. In this example, the first key may include two keys (such as key 1 and key 2), key 1 corresponding to the first encryption algorithm, used to encrypt the data of the first data service at the application layer; key 2 corresponding to the first integrity protection algorithm, used to protect the integrity of the data of the first data service at the application layer.
[0182] For example, key 1 and key 2 can correspond to the same salt value, where the first salt value includes a single value. For instance, key 1 can be determined based on the first salt value and a first constant, and key 2 can be determined based on the first salt value and a second constant. The first and second constants can be agreed upon by the first and second data proxy network elements, or they can be pre-configured by the first or second data proxy network element, the data control network element, or the OAM.
[0183] For example, the salt values corresponding to key 1 and key 2 are different. The first salt value mentioned above includes two salt values (such as salt value 1 and salt value 2), and salt value 1 and salt value 2 correspond to key 1 and key 2 respectively.
[0184] For example, key 1 and key 2 may correspond to the same iteration number, where the first iteration number includes a single value. Alternatively, key 1 and key 2 may correspond to different iteration numbers, where the first iteration number includes two values, one for key 1 and one for key 2.
[0185] The first data proxy network element can take at least one of the following as input to a hash function (such as SHA-256 or SHA-3): the DAID corresponding to the first data proxy network element, the DAID corresponding to the second data proxy network element, the DSID of the first data service, the iteration number corresponding to key 1, and the salt value corresponding to key 1. The hash function outputs a fixed-length byte sequence. The first data proxy network element then takes the byte sequence output by the hash function, the iteration number corresponding to key 1, and the salt value corresponding to key 1 as input to a key generation function, and outputs key 1 through the key generation function.
[0186] The first data proxy network element can take at least one of the following as input to a hash function (such as SHA-256 or SHA-3): the DAID of the first data proxy network element, the DAID of the second data proxy network element, the DSID of the first data service, the iteration number corresponding to key 2, and the salt value corresponding to key 2. The hash function outputs a fixed-length byte sequence. The first data proxy network element then takes the byte sequence output by the hash function, the iteration number corresponding to key 2, and the salt value corresponding to key 2 as input to a key generation function, and outputs key 2 through the key generation function.
[0187] For example, the first iteration number may be pre-configured, such as by the OAM, the first data proxy network element, the second data proxy network element, or the data control network element. In this case, the first information may not include the first iteration number.
[0188] For example, the aforementioned first information can be transmitted in an encrypted control plane to ensure its security.
[0189] The application layer may include the DFP-S layer and/or the data service protocol layer.
[0190] For example, the first data proxy network element can use the first key at the DFP-S layer to encrypt and/or integrity-protect the first data.
[0191] For example, the aforementioned first information may be carried in a data service control message or a data service request message. The data service control message instructs the first data proxy network element to collect the data of the first data service, or the data service request message requests the first data service. The data service control message or the data service request message may also include the service type of the first data service and the data type of the first data. The first data proxy network element collects the data of the first data service based on the data service control message or the data service request message.
[0192] In one possible implementation, before generating the first key, the first data proxy network element sends first capability information to the data control network element. This first capability information includes the encryption algorithms and/or integrity protection algorithms supported by the first data proxy network element, so that the data control network element can select appropriate encryption algorithms and/or integrity protection algorithms based on the capabilities of the first data proxy network element. The encryption algorithms supported by the first data proxy network element include the aforementioned first encryption algorithm, and the integrity protection algorithms supported by the first data proxy network element include the aforementioned first integrity protection algorithm.
[0193] 402. The first data proxy network element sends the second data to the second data proxy network element.
[0194] Correspondingly, the second data proxy network element receives the second data.
[0195] The second data is obtained by encrypting and/or integrity-protecting the first data at the application layer using the first key.
[0196] For the application layer, refer to the descriptions above; it is not limited here.
[0197] The second data proxy network element can be used to process data from the first data service. For example, it can be used for data pre-processing and/or data analysis of the data from the first data service. Data pre-processing refers to operations performed on the collected raw data, such as cleaning, imputation, smoothing, merging, normalization, consistency checks, field extraction, format conversion, redundant data removal, compression, filtering, and/or fusion. These operations aim to improve data quality, lay the foundation for later processing (e.g., analysis), and eliminate potential problems in the raw data, such as missing data, data noise, data redundancy, and/or dataset imbalance. Data analysis includes AI training, AI inference, machine learning, and big data analysis.
[0198] Specifically, the second data proxy network element can be deployed in any core network element, transport network element, terminal device, access network device, or other network element (such as an OAM network element), or the second data proxy network element can be an independently deployed network function or network element.
[0199] For example, the second data can be transmitted directly between the first data proxy network element and the second data proxy network element, or the second data can be forwarded through other devices or network elements, and this application does not impose any restrictions.
[0200] As an example, the first data proxy network element is a terminal device or a function deployed on a terminal device, and the second data proxy network element is an access network device or a function deployed on an access network device. The terminal device currently camps on that access network device, and the second data can be transmitted from the first data proxy network element to the second data proxy network element over the air interface.
[0201] As another example, the first data proxy network element is a terminal device or a function deployed on a terminal device, and the second data proxy network element is an access network device or a function deployed on an access network device. However, this access network device is not the access network device on which the terminal device currently camps, and the second data is transmitted transparently through the access network device serving the terminal device. Since the second data is obtained after the first data has undergone application-layer encryption or integrity protection, the serving access network device cannot obtain the first data, thereby improving the security of the first data.
[0202] As another example, the first data proxy network element is a terminal device or a function deployed on the terminal device, and the second data proxy network element is the DPF (Data Transfer Function). The second data is transmitted transparently through the access network device serving the terminal device. Since the second data is obtained after the first data has undergone application-layer encryption or integrity protection, the serving access network device cannot obtain the first data, thereby improving the security of the first data.
[0203] As another example, the first data proxy network element is the RAN or a function deployed on the RAN, and the second data proxy network element is the DPF. In this case, the second data can be transmitted directly between the RAN and the DPF, or the second data can be transmitted transparently by other network elements.
[0204] As another example, both the first data proxy network element and the second data proxy network element are DPFs, or the first data proxy network element and the second data proxy network element are NFs. The second data can be transmitted between the first data proxy network element and the second data proxy network element, or the second data can also be transparently transmitted by other network elements.
[0205] 403. The second data proxy network element decrypts and/or verifies the integrity of the second data at the application layer based on the first key to obtain the first data.
[0206] The first key is generated based on the identification information of the first data proxy network element and/or the identification information of the second data proxy network element. For example, the second data proxy network element generates the first key based on the identification information of the first data proxy network element and/or the identification information of the second data proxy network element.
[0207] In one possible implementation, the first key may be generated based on the identifier of a first data proxy network element and / or the identifier of a second data proxy network element. For example, the second data proxy network element may generate the first key based on at least one of the DAID of the first data proxy network element and the DAID of the second data proxy network element.
[0208] In another possible implementation, the first key can be generated based on the identifier of the first data service (such as the DSID of the first data service). For example, the second data proxy network element can generate the first key based on the DAID of the first data proxy network element, the DAID of the second data proxy network element, and the DSID of the first data service.
[0209] In another possible implementation, the first key can be generated based on third information. For example, the second data proxy network element generates the first key based on the third information.
[0210] The third information includes at least one of the following: the identification information of the first data proxy network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number. Optionally, the third information may also include the identification information of the first data service; for example, the third information may also include the DSID of the first data service.
[0211] For example, the second data proxy network element receives the third information from the data control network element and generates the first key based on the third information.
[0212] For example, the identification information of the first data proxy network element includes the DAID of the first data proxy network element.
[0213] For example, the first key is generated based on the identifier of the first data proxy network element, but not based on the identifier of the second data proxy network element. The third information includes the identifier information of the first data proxy network element, but the first information may not include the identifier information of the second data proxy network element. For another example, the first key is generated based on the identifier of the second data proxy network element, but not based on the identifier of the first data proxy network element. The third information may not include the identifier information of the first data proxy network element, but the first information includes the identifier information of the second data proxy network element. For yet another example, the first key is generated based on both the identifier of the first data proxy network element and the identifier of the second data proxy network element. The third information includes the identifier information of the first data proxy network element, and the first information includes the identifier information of the second data proxy network element.
[0214] For example, when the first key is used to encrypt data for a first data service, the third information includes a first encryption algorithm. Also for example, when the first key is used to protect the integrity of data for a first data service, the third information includes a first integrity protection algorithm. Furthermore, for example, when the first key is used to both encrypt and protect the integrity of data for a first data service, the third information includes both a first encryption algorithm and a first integrity protection algorithm.
[0215] It is understandable that the specific implementation of the second data proxy network element generating the first key can be referred to in step 401, which will not be repeated here.
[0216] For example, the first iteration number can be pre-configured, such as by the OAM, the first data proxy network element, the second data proxy network element, or the data control network element. In this case, the third information may not include the first iteration number.
[0217] For example, the aforementioned third information can be carried in a data service control message or a data service request message. The data service control message instructs the second data proxy network element to process the data of the first data service, or the data service request message requests the second data proxy network element to process the first data service. The data service control message or data service request message may also include at least one of the following: the service type of the first data service, the processing method of the data of the first data service by the second data proxy network element, and the next-hop DA of the data flow of the first data service. The second data proxy network element processes the first data based on the processing method indicated by the data service control message or data service request message to obtain processed data. The second data proxy network element may also send the processed data to the next-hop DA. When sending the processed data, the processed first data may also be encrypted at the application layer.
[0218] For example, the application layer includes the DFP-S layer, and the second data proxy network element can use the first key at the DFP-S layer to decrypt and/or verify the integrity of the second data to obtain the first data.
[0219] In this embodiment, the first data proxy network element encrypts the first data at the application layer, thereby providing security for the data transmission process of the first data service. For example, intermediate nodes used to forward data between the first and second data proxy network elements cannot read the data, thus improving data security.
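The following is an added example, not code from the patent, showing the derivation of step 401 ([0171] to [0186]) and the verification of step 403 ([0205] to [0218]) end to end: both data proxy network elements derive key 1 and key 2 from the same DAIDs, DSID, first salt value and first iteration number, DA1 turns the first data into the second data, and DA2 checks the integrity tag before decrypting. The DAIDs, DSID, salt, iteration count, the two constants of [0182], and the field encoding are constructed assumptions, and the HMAC-based counter-mode keystream is a standard-library stand-in for the negotiated first encryption algorithm, which the patent leaves open.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent): the DAIDs of the first and
# second data proxy network elements, the DSID of the first data service, and
# the first salt value / first iteration number that the data control network
# element would carry in the first information (to DA1) and third information (to DA2).
DAID_1 = b"DA-0001"
DAID_2 = b"DA-0002"
DSID = b"DS-0042"
FIRST_SALT = b"constructed-first-salt"
FIRST_ITERATIONS = 10_000
FIRST_DATA = b'{"sensor":"temp","value":21.5}'

# Hypothetical first and second constants ([0182]) that separate key 1
# (encryption) from key 2 (integrity) when both share one first salt value.
CONST_KEY_1 = b"\x01"
CONST_KEY_2 = b"\x02"

NONCE_LEN = 12
TAG_LEN = 32


def derive_key(daid_1: bytes, daid_2: bytes, dsid: bytes, salt: bytes,
               iterations: int, constant: bytes) -> bytes:
    """Derivation of [0171]/[0174]: SHA-256 over the identifiers, salt and
    iteration number, then PBKDF2 over that digest with the same salt and count.
    Fields are length-prefixed so b"DA-1"+b"2" and b"DA-12"+b"" cannot collide."""
    encoded = b"".join(len(f).to_bytes(2, "big") + f
                       for f in (daid_1, daid_2, dsid, salt))
    digest = hashlib.sha256(encoded + iterations.to_bytes(4, "big")).digest()
    # Assumption: the per-key constant is appended to the salt inside PBKDF2;
    # this is how the example realises "determined based on the first salt
    # value and a first/second constant".
    return hashlib.pbkdf2_hmac("sha256", digest, salt + constant, iterations, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a placeholder for the negotiated
    first encryption algorithm so the example runs on the standard library alone."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def protect(first_data: bytes, key_1: bytes, key_2: bytes) -> bytes:
    """Step 401 at DA1: encrypt with key 1, then tag with key 2 (encrypt-then-MAC).
    The nonce is covered by the tag so it cannot be swapped unnoticed."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key_1, nonce, first_data)
    tag = hmac.new(key_2, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unprotect(second_data: bytes, key_1: bytes, key_2: bytes) -> bytes:
    """Step 403 at DA2: verify the tag with key 2 before decrypting with key 1,
    so a forged or altered second data never reaches the decryptor."""
    if len(second_data) < NONCE_LEN + TAG_LEN:
        raise ValueError("second data too short to carry nonce and tag")
    nonce = second_data[:NONCE_LEN]
    ciphertext = second_data[NONCE_LEN:-TAG_LEN]
    tag = second_data[-TAG_LEN:]
    expected = hmac.new(key_2, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity verification of the second data failed")
    return _keystream_xor(key_1, nonce, ciphertext)


def run_flow() -> dict:
    """DA1 and DA2 derive key 1 and key 2 independently, DA1 protects the first
    data, a forwarding node sees only the second data, DA2 recovers the first
    data, and a single flipped ciphertext bit in transit is rejected."""
    # DA1 works from the first information (DAID of DA2, salt, iterations, ...).
    da1_k1 = derive_key(DAID_1, DAID_2, DSID, FIRST_SALT, FIRST_ITERATIONS, CONST_KEY_1)
    da1_k2 = derive_key(DAID_1, DAID_2, DSID, FIRST_SALT, FIRST_ITERATIONS, CONST_KEY_2)
    # DA2 works from the third information (DAID of DA1, salt, iterations, ...).
    da2_k1 = derive_key(DAID_1, DAID_2, DSID, FIRST_SALT, FIRST_ITERATIONS, CONST_KEY_1)
    da2_k2 = derive_key(DAID_1, DAID_2, DSID, FIRST_SALT, FIRST_ITERATIONS, CONST_KEY_2)

    second_data = protect(FIRST_DATA, da1_k1, da1_k2)
    # What the serving RAN or another forwarder sees: the first data is not in it.
    intermediate_can_read = FIRST_DATA in second_data

    recovered = unprotect(second_data, da2_k1, da2_k2)

    tampered = bytearray(second_data)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        unprotect(bytes(tampered), da2_k1, da2_k2)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "keys_match": (da1_k1, da1_k2) == (da2_k1, da2_k2),
        "keys_distinct": da1_k1 != da1_k2,
        "intermediate_can_read": intermediate_can_read,
        "recovered": recovered,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_flow())
```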
[0220] In one possible implementation of the above embodiments, the second data proxy network element sends second capability information to the data control network element before generating the first key.
[0221] The second capability information may include encryption algorithms and / or integrity protection algorithms supported by the second data agent network element.
[0222] Furthermore, the data control network element can select the encryption algorithm (i.e., the first encryption algorithm) and / or the integrity protection algorithm (i.e., the first integrity protection algorithm) used to generate the first key based on the capabilities of the second data agent network element. For example, the data control network element selects an encryption algorithm supported by both the first and second data agent network elements as the first encryption algorithm. Similarly, the data control network element selects an integrity protection algorithm supported by both the first and second data agent network elements as the first integrity protection algorithm.
[0223] The encryption algorithm supported by the second data agent network element may include the first encryption algorithm mentioned above, and the integrity protection algorithm supported by the second data agent network element may include the first integrity protection algorithm mentioned above.
[0224] In one possible implementation of the above embodiments, after obtaining the first data, the second data proxy network element can process the first data. For example, the second data proxy network element may perform one or more of the following processes on the first data: field extraction, format conversion, redundant data removal, noise reduction, averaging, compression, and fusion. It is understood that processing the first data by the second data proxy network element refers to processing the data itself to cause changes, rather than simply decrypting, encapsulating, or decapsulating. The processing of the first data by the second data proxy network element can be performed at the application layer or at other layers (such as the transport layer or physical layer), and this application does not impose any limitations.
[0225] Figure 5 is a flowchart illustrating another communication method provided in an embodiment of this application. This method can be applied to a first data proxy network element, a second data proxy network element, and a data control network element. As shown in Figure 5, the method includes, but is not limited to, the following steps.
[0226] 501, the service request network element sends a data service request message to the data control network element.
[0227] Correspondingly, the data control network element receives the data service request message.
[0228] This data service request message is used to request the first data service.
[0229] The data service request message may include at least one of the following: the service type of the first data service, the region corresponding to the first data service, the time corresponding to the first data service, and the security level of the first data service.
[0230] The service requesting network element can be any core network element, transmission network element, access network element, or terminal device. For example, the service requesting network element can be an AF (Application Function). Based on its own service needs, the service requesting network element can send a data service request message to the data control network element to obtain the first data service.
[0231] In one possible implementation, the data control network element determines the first data proxy network element and the second data proxy network element based on the data service request message.
[0232] Among them, the first data agent network element is used to collect data for the first data service. The first data agent network element can also be called the data collector, data collection terminal, or data collection network element of the first data service.
[0233] The second data agent network element is used to process the data of the first data service. The second data agent network element can also be called the data processor, data processing terminal, or data processing network element of the first data service.
[0234] The aforementioned data service request messages enable the data control network element to select appropriate data collectors and data processors.
[0235] For example, the data service request message includes at least one of the following: the service type of the first data service, the region corresponding to the first data service, the time corresponding to the first data service, and the security level of the first data service. The data control network element can determine the first data proxy network element and the second data proxy network element based on at least one of the following: the service type of the first data service, the region corresponding to the first data service, and the time corresponding to the first data service.
[0236] For example, the data control network element selects, from the available data agent network elements, data agent network elements that support the service type of the first data service as the data acquisition end (i.e., the first data agent network element) and the data processing end (i.e., the second data agent network element) of the first data service. The service types supported by the first data agent network element and by the second data agent network element include the service type of the first data service.
[0237] For example, the data control network element selects, from the available data agent network elements, data agent network elements located in the area corresponding to the first data service as the data acquisition end (i.e., the first data agent network element) and the data processing end (i.e., the second data agent network element) of the first data service. The first data agent network element and / or the second data agent network element are located in the area corresponding to the first data service.
[0238] For example, the data control network element selects, from the available data proxy network elements, data proxy network elements that can provide service within the time corresponding to the first data service as the data acquisition end (i.e., the first data proxy network element) and the data processing end (i.e., the second data proxy network element) of the first data service. That is, within the time corresponding to the first data service, the first data proxy network element can collect the data of the first data service, and the second data proxy network element can process the data of the first data service.
[0239] 502, the data control network element sends the first information.
[0240] Correspondingly, the first data agent network element receives the first information.
[0241] The first information can be used to generate a first key, which is used at the application layer to encrypt and / or protect the integrity of the data of the first data service transmitted between the first data proxy network element and the second data proxy network element.
[0242] For example, the first information includes at least one of the following: the identification information of the second data agent network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number.
[0243] Optionally, the first information may also include the identification information of the first data service.
[0244] 503, the data control network element sends third information.
[0245] Correspondingly, the second data agent network element receives the third information.
[0246] The third piece of information can be used to generate the first key. The first key is used at the application layer to encrypt and / or protect the integrity of data of the first data service transmitted between the first data proxy network element and the second data proxy network element.
[0247] For example, the third information includes at least one of the following: the identification information of the first data agent network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, and the first iteration number.
[0248] Optionally, the third information may also include the identification information of the first data service.
[0249] It is understood that for further details regarding the first and third information, please refer to the relevant descriptions in the method described in Figure 4, which will not be elaborated here.
[0250] For example, the first salt value can be randomly generated by the data control network element. The first iteration number can be related to the security level of the first data service, and the data control network element can determine the first iteration number based on the security level of the first data service. For example, the higher the security level of the first data service, the greater the first iteration number.
[0251] For example, the data control network element can determine whether to enable encryption and / or integrity protection for the data of the first data service, thereby determining whether to perform encryption and / or integrity protection on the data of the first data service at the application layer. If it is determined that encryption and / or integrity protection is enabled for the data of the first data service, the data control network element determines to perform encryption and / or integrity protection on the data of the first data service at the application layer.
[0252] Specifically, the data control network element can decide, based on the security level of the first data service, whether to enable encryption and / or integrity protection for the data of the first data service. For example, if the security level of the first data service is low, the data control network element may enable only one of encryption and integrity protection for the data of the first data service. Conversely, if the security level of the first data service is high, the data control network element may enable both encryption and integrity protection for the data of the first data service.
[0253] As an example, when encryption is enabled for the data of the first data service, the data control network element can determine the first encryption algorithm based on the encryption algorithms supported by the first data proxy network element, the second data proxy network element, and the security level of the first data service. This first encryption algorithm is used to generate a first key, which is used to encrypt the data of the first data service transmitted between the first and second data proxy network elements at the application layer.
[0254] For example, the first encryption algorithm is an encryption algorithm supported by both the first data proxy network element and the second data proxy network element, and the first encryption algorithm matches the security level of the first data service. The data control network element can select the first encryption algorithm that matches the security level of the first data service from the encryption algorithms supported by both the first data proxy network element and the second data proxy network element.
[0255] For example, the data control network element can classify encryption algorithms into multiple different priorities. For instance, the encryption algorithm priorities include priority 1, priority 2, and priority 3. For example, priority 1 encryption algorithms include Advanced Encryption Standard (AES)_128, priority 2 encryption algorithms include Snow 3G_128, and priority 3 encryption algorithms include ZUC_128. Here, 128 indicates a key length of 128 bits. The data control network element can determine the first encryption algorithm based on the correspondence between the security level of the data service and the priority of the encryption algorithm. For example, the security level of the data service can include security level 1, security level 2, and security level 3, where priority 1 corresponds to security level 1, priority 2 corresponds to security level 2, and priority 3 corresponds to security level 3. When the security level of the first data service is security level 1, the data control network element selects the encryption algorithm with priority 1, that is, the first encryption algorithm is the encryption algorithm with priority 1 (such as AES_128).
[0256] As another example, when integrity protection is enabled for the data of the first data service, the data control network element can determine the first integrity protection algorithm based on the integrity protection algorithms supported by the first data proxy network element, the second data proxy network element, and the security level of the first data service. This first integrity protection algorithm is used to generate a first key, which is used at the application layer to perform integrity protection on the data of the first data service transmitted between the first and second data proxy network elements.
[0257] For example, the first integrity protection algorithm is an integrity protection algorithm supported by both the first data proxy network element and the second data proxy network element, and the first integrity protection algorithm matches the security level of the first data service. The data control network element can select the first integrity protection algorithm that matches the security level of the first data service from the integrity protection algorithms supported by both the first data proxy network element and the second data proxy network element.
[0258] For example, the data control network element can classify integrity protection algorithms into multiple different priorities. For instance, the priorities of integrity protection algorithms include priority A, priority B, and priority C. For example, priority A might include AES_128, priority B might include Snow 3G_128, and priority C might include ZUC_128. The data control network element can determine the first integrity protection algorithm based on the correspondence between the security level of the data service and the priority of the integrity protection algorithm. For example, the security level of the data service might include security level 1, security level 2, and security level 3, where priority A corresponds to security level 1, priority B corresponds to security level 2, and priority C corresponds to security level 3. When the security level of the first data service is security level 1, the data control network element selects the integrity protection algorithm of priority A, that is, the first integrity protection algorithm is the integrity protection algorithm of priority A (such as AES_128).
[0259] As another example, when encryption and integrity protection are enabled for the data of the first data service, the data control network element determines the first encryption algorithm based on the encryption algorithms supported by the first data proxy network element, the second data proxy network element, and the security level of the first data service; and determines the first integrity protection algorithm based on the integrity protection algorithms supported by the first data proxy network element, the second data proxy network element, and the security level of the first data service. The first key is generated by the first encryption algorithm and the first integrity protection algorithm.
[0260] In one possible implementation, the data control network element receives first capability information from a first data agent network element. This first capability information includes encryption algorithms and / or integrity protection algorithms supported by the first data agent network element. Based on this first capability information, the data control network element can determine the encryption algorithms and / or integrity protection algorithms supported by the first data agent network element, thereby selecting appropriate encryption algorithms and / or integrity algorithms.
[0261] In one possible implementation, the data control network element receives second capability information from the second data agent network element. This second capability information includes encryption algorithms and / or integrity protection algorithms supported by the second data agent network element. Based on this second capability information, the data control network element can determine the encryption algorithms and / or integrity protection algorithms supported by the second data agent network element, thereby selecting appropriate encryption algorithms and / or integrity algorithms.
[0262] 504, the first data agent network element sends the second data to the second data agent network element.
[0263] Accordingly, the second data proxy network element receives the second data. This second data is obtained by encrypting and / or protecting the integrity of the first data at the application layer using the first key.
[0264] It is understandable that the specific implementation of step 504 can be referred to the specific implementation of step 402 in Figure 4, which will not be detailed here.
[0265] In this embodiment, the data control network element can select appropriate data acquisition terminals and data processing terminals based on data service request messages, and send information for generating a first key to the data acquisition terminals and data processing terminals, so that the data acquisition terminals and data processing terminals can encrypt and / or protect the integrity of the first data service at the application layer based on the first key, thereby ensuring the security of the data of the first data service during transmission.
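The control-plane part of the method in Figure 5 (steps 502 and 503), as an added example that is not code from the patent: a data control network element selects the first encryption algorithm and the first integrity protection algorithm from the capability information of both data agent network elements and the security level of the first data service, then builds the first information (for the data collector, carrying the processor's identification) and the third information (for the data processor, carrying the collector's identification). The priority tables, the mapping of security level n to priority n, the random first salt value and the rule that a higher security level gives a larger first iteration number are taken from paragraphs [0250], [0255] and [0258]. The dictionary field names, the concrete iteration counts and the fail-closed rule when no algorithm supported by both sides matches the security level are assumptions; the patent does not state a fallback.

```python
"""Added example (not from the patent): building the first and third information.

Assumed: field names, ITERATIONS_BY_LEVEL values, and failing closed when the
two data agents share no algorithm of the required priority.
"""
import os

# Priority 1/2/3 for encryption and A/B/C for integrity protection, as in [0255]/[0258].
ENC_PRIORITY = {"AES_128": 1, "SNOW3G_128": 2, "ZUC_128": 3}
INT_PRIORITY = {"AES_128": 1, "SNOW3G_128": 2, "ZUC_128": 3}

# Assumed iteration counts: the higher the security level, the larger the number.
ITERATIONS_BY_LEVEL = {1: 10_000, 2: 50_000, 3: 200_000}


def select_algorithm(first_caps, second_caps, security_level, priority_table):
    """Pick an algorithm supported by BOTH data agents whose priority matches the
    security level (priority n <-> level n). Fail closed instead of downgrading."""
    common = set(first_caps) & set(second_caps)
    matching = [a for a in common if priority_table.get(a) == security_level]
    if not matching:
        raise ValueError(f"no common algorithm for security level {security_level}")
    return sorted(matching)[0]          # deterministic choice if several match


def build_key_info(first_daid, first_caps, second_daid, second_caps,
                   security_level, encrypt=True, integrity=True):
    """Return (first_information, third_information) for steps 502 and 503.

    first_caps / second_caps are the first / second capability information:
    {"enc": [...supported encryption algorithms], "int": [...integrity algorithms]}.
    """
    if security_level not in ITERATIONS_BY_LEVEL:
        raise ValueError("unknown security level")
    if not (encrypt or integrity):
        raise ValueError("at least one of encryption or integrity protection must be enabled")

    enc_alg = int_alg = None
    if encrypt:
        enc_alg = select_algorithm(first_caps["enc"], second_caps["enc"],
                                   security_level, ENC_PRIORITY)
    if integrity:
        int_alg = select_algorithm(first_caps["int"], second_caps["int"],
                                   security_level, INT_PRIORITY)

    shared = {
        "enc_alg": enc_alg,                                  # first encryption algorithm
        "int_alg": int_alg,                                  # first integrity protection algorithm
        "salt": os.urandom(16).hex(),                        # first salt value, random per service
        "iterations": ITERATIONS_BY_LEVEL[security_level],   # first iteration number
    }
    # Each side receives the identification information of its PEER.
    first_information = dict(shared, peer_daid=second_daid)
    third_information = dict(shared, peer_daid=first_daid)
    return first_information, third_information
```

Because the salt and iteration number are generated once and copied into both messages, the two data agents end up with identical key derivation inputs; the only difference between the first and third information is which DAID is the peer.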
[0266] The methods shown in Figures 4 and 5 can be applied to the data encryption and / or integrity protection process for data services between terminal devices and access network devices, between terminal devices and DPFs, between access network devices, between DPFs, or between NFs. For example, the first data proxy network element mentioned above can be a terminal device, and the second data proxy network element can be a DPF. The process of the data encryption and / or integrity protection method for data services between the terminal device and the DPF can be as shown in Figure 6A, and the method includes, but is not limited to, the following steps.
[0267] 601. The service requesting network element sends a data service request message, and the corresponding data control network element receives the data service request message.
[0268] For details on the specific implementation of step 601, please refer to the relevant description of step 501 in Figure 5, which will not be elaborated here.
[0269] 602. The data control network element sends the first information based on the data service request message.
[0270] Accordingly, the terminal device receives the first information.
[0271] The first information includes the DPF's identification information. For example, the first information includes the DPF's DAID. The terminal device can generate a first key based on the terminal device's DAID and the DPF's DAID.
[0272] Optionally, the first information may also include at least one of the following: a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number.
[0273] 603. The data control network element sends third information based on the data service request message.
[0274] Correspondingly, the DPF receives third information.
[0275] The third information includes the terminal device's identification information, specifically the terminal device's DAID. The DPF generates the first key based on the terminal device's DAID and the DPF's DAID.
[0276] For example, the third information may also include at least one of the following: a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number.
[0277] For a detailed explanation of the first and third pieces of information mentioned above, please refer to the relevant descriptions in Figure 4, which will not be elaborated here.
[0278] 604, the terminal device collects the first data.
[0279] 605, the terminal device sends the second data to the DPF; the second data is forwarded transparently by the first access network device to the DPF.
[0280] In this embodiment of the application, when the terminal device and the DPF transmit the data of the first data service, the data of the first data service is encrypted and / or protected for integrity at the application layer using the first key, so that the first access network device cannot read the data when forwarding the data, thereby improving the security of the data.
[0281] In the data transmission scenario between the terminal device and the first access network device, the first data proxy network element can be the terminal device, and the second data proxy network element can be the first access network device. The terminal device resides in a cell under the first access network device. The flow of the data encryption and / or integrity protection method for data services between the terminal device and the first access network device can be shown in Figure 6B. This method includes, but is not limited to, the following steps.
[0282] 611, the service requesting network element sends a data service request message.
[0283] Correspondingly, the data control network element receives the data service request message.
[0284] 612. The data control network element sends the first information based on the data service request message.
[0285] Accordingly, the terminal device receives the first information.
[0286] The first information may include the identification information of the first access network device.
[0287] Optionally, the first information may also include at least one of the following: a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number.
[0288] 613. The data control network element sends third information based on the data service request message.
[0289] Correspondingly, the first access network device receives the third information.
[0290] The third information includes the identification information of the terminal device; for example, the third information includes the DAID of the terminal device.
[0291] Furthermore, the first access network device can generate a first key based on the DAID of the terminal device and the DAID of the first access network device, as described in step 401.
[0292] For example, the third information may also include at least one of the following: a first encryption algorithm, a first integrity protection algorithm, a first salt value, and a first iteration number.
[0293] For a detailed explanation of the first and third pieces of information mentioned above, please refer to the relevant descriptions in Figure 4, which will not be elaborated here.
[0294] 614, The terminal device collects the first data.
[0295] 615, The terminal device sends the second data to the first access network device.
[0296] Correspondingly, the first access network device receives the second data.
[0297] For details on the implementation of steps 614 and 615, please refer to the relevant descriptions of steps 401 and 402 in Figure 4, which will not be elaborated here.
[0298] In this embodiment of the application, when transmitting data of the first data service between the terminal device and the first access network device, the data of the first data service is encrypted and / or protected for integrity at the application layer using the first key, thereby improving the security of the data.
[0299] Figure 7 is a flowchart illustrating another communication method provided in an embodiment of this application. As shown in Figure 7, the method includes, but is not limited to, the following steps.
[0300] 701, The data control network element sends the first message to the first data agent network element.
[0301] Accordingly, the first data agent network element receives the first message.
[0302] The first message is used to request a key update, and the first message includes the second salt value and / or the second iteration number.
[0303] For example, the first message may also include the DSID of the first data service.
[0304] For example, the first message can be called a key update request message, which is used to request the first data agent network element to update the key, or in other words, the key update request message is used to request the first data agent network element to update the key used by the data of the first data service.
[0305] 702, the data control network element sends the fifth message to the second data agent network element.
[0306] Correspondingly, the second data agent network element receives the fifth message.
[0307] The fifth message can be used to request a key update, and may include a second salt value and / or a second iteration number.
[0308] For example, the fifth message may also include the DSID of the first data service.
[0309] For example, the fifth message can be called a key update request message, which is used to request the second data agent network element to update the key, or in other words, the key update request message is used to request the second data agent network element to update the key used by the data of the first data service.
[0310] As an example, the data control network element can periodically initiate key update requests. For instance, when the usage time of the first key exceeds a preset duration, the data control network element can initiate a key update request, that is, the data control network element sends a first message and a fifth message to ensure the timeliness (or freshness) of the key, reduce the risk of key leakage, and improve key security.
[0311] As another example, when the parameters of the first data service are adjusted, the data control network element initiates a key update request. For instance, if the region, time, or security level of the first data service changes, the data control network element determines a second salt value or a second iteration number based on the changed region, time, or security level, and initiates a key update request to the first data agent network element and the second data agent network element to update the key used by the first data service.
[0312] 703. The first data agent network element generates a second key based on the second salt value and / or the second iteration number.
[0313] For example, the first message includes a second salt value, and the first data proxy network element generates a second key based on the second salt value and a first iteration number. For instance, the first data proxy network element generates the second key based on its own identification information, the identification information of a second data proxy network element, a first encryption algorithm and / or a first integrity protection algorithm, the second salt value, and the first iteration number.
[0314] For example, the first message includes a second iteration number, and the first data proxy element generates a second key based on the first salt value and the second iteration number. For instance, the first data proxy element can generate the second key based on the identification information of the first data proxy element, the identification information of the second data proxy element, the first encryption algorithm and / or the first integrity protection algorithm, the first salt value, and the second iteration number.
[0315] For example, the first message includes a second salt value and a second iteration number, and the first data proxy network element generates a second key based on the second salt value and the second iteration number. For instance, the first data proxy network element can generate the second key based on the identification information of the first data proxy network element, the identification information of the second data proxy network element, a first encryption algorithm and / or a first integrity protection algorithm, the second salt value, and the second iteration number.
[0316] 704. The second data agent network element generates a second key based on the second salt value and / or the second iteration number.
[0317] The specific implementation of the second key generation by the second data proxy network element can refer to the specific implementation of the second key generation by the first data proxy network element, which will not be detailed here.
[0318] 705, the first data agent network element sends a second message to the data control network element.
[0319] Correspondingly, the data control network element receives the second message.
[0320] The second message is used in response to the first message. For example, the second message is used to indicate that the first data agent network element has completed the key update.
[0321] 706, the second data agent network element sends the sixth message to the data control network element.
[0322] Correspondingly, the data control network element receives the sixth message.
[0323] The sixth message is used in response to the fifth message. For example, the sixth message is used to indicate that the second data agent network element has completed the key update.
[0324] 707, The data control network element sends the second information to the first data agent network element.
[0325] Correspondingly, the first data agent network element receives the second information.
[0326] The second information is used to trigger the first data agent network element to use the updated key to encrypt and / or protect the integrity of the data of the first data service. In other words, the second information is used to trigger the first data agent network element to use the second key to encrypt and / or protect the integrity of the data of the first data service.
[0327] 708, the data control network element sends the fourth information to the second data agent network element.
[0328] Correspondingly, the second data agent network element receives the fourth information.
[0329] The fourth information is used to trigger the second data agent network element to use the updated key to decrypt and / or verify the integrity of the data of the first data service. In other words, the fourth information is used to trigger the second data agent network element to use the second key to decrypt and / or verify the integrity of the data of the first data service.
[0330] 709, The first data agent network element sends the third data to the second data agent network element.
[0331] Correspondingly, the second data proxy network element receives the third data.
[0332] The third data is obtained by encrypting and / or protecting the integrity of the data of the first data service at the application layer using the second key. After receiving the third data, the second data proxy network element uses the second key to decrypt and / or verify the integrity of the third data at the application layer.
[0333] In this embodiment of the application, during the key update process, after receiving the second message and the sixth message, the data control network element sends the second information and the fourth information to trigger the first data proxy network element and the second data proxy network element to use the updated key to encrypt, decrypt and / or protect the data of the first data service, thereby ensuring that the keys used by the first data proxy network element and the second data proxy network element are consistent.
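Key generation at the two data agent network elements (step 401, and steps 703 and 704) together with the key update flow of Figure 7, as an added example that is not code from the patent. From the patent: the key is derived from the collector's DAID, the processor's DAID, the negotiated algorithm identifiers, a salt value and an iteration number; a key update supplies a second salt value and / or a second iteration number, the unchanged parameter keeps its first value, and each agent switches to the second key only when the data control network element sends the second or fourth information after collecting both acknowledgements. Assumptions: the patent does not name the derivation function, so PBKDF2-HMAC-SHA256 is used here; HMAC-SHA256 stands in for the negotiated integrity protection algorithm (AES_128, Snow 3G_128 and ZUC_128 are not in the Python standard library); the 16/16 split of the derived key into an encryption and an integrity key, the message layout, the DAIDs and the sample payloads are invented for illustration.

```python
"""Added example (not from the patent): key derivation and the Figure 7 key update.

Assumed: PBKDF2-HMAC-SHA256 as the derivation function, HMAC-SHA256 as the
integrity algorithm, the 16/16 key split, and the protected message layout.
"""
import hashlib
import hmac

KEY_LEN = 32   # assumed: first 16 bytes encryption key, last 16 bytes integrity key
TAG_LEN = 32   # HMAC-SHA256 tag length


def derive_key(collector_daid, processor_daid, enc_alg, int_alg, salt, iterations):
    """Derive a key from both DAIDs, the algorithm identifiers, the salt and the
    iteration number. Both agents must use the same parameter order."""
    context = "|".join([collector_daid, processor_daid, enc_alg or "-", int_alg or "-"])
    return hashlib.pbkdf2_hmac("sha256", context.encode(), salt, iterations, KEY_LEN)


def protect(k_int, dsid, seq, payload):
    """Application-layer integrity protection: tag over DSID, sequence number and payload."""
    body = f"{dsid}|{seq}|".encode() + payload
    return body + hmac.new(k_int, body, hashlib.sha256).digest()


def verify(k_int, message):
    """Return the payload if the tag verifies under k_int, otherwise None."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_int, body, hashlib.sha256).digest()):
        return None
    return body.split(b"|", 2)[2]


class DataAgent:
    """A data agent holding the key in use and, during a key update, the pending key."""

    def __init__(self, **params):
        self.params = dict(params)
        self.current = derive_key(**self.params)   # first key (step 401)
        self.pending = None

    def integrity_key(self):
        return self.current[16:]

    def send(self, dsid, seq, payload):
        return protect(self.integrity_key(), dsid, seq, payload)

    def receive(self, message):
        return verify(self.integrity_key(), message)

    def on_key_update_request(self, salt=None, iterations=None):
        """Steps 703/704: derive the second key from the second salt and / or the
        second iteration number; a parameter not supplied keeps its first value."""
        if salt is not None:
            self.params["salt"] = salt
        if iterations is not None:
            self.params["iterations"] = iterations
        self.pending = derive_key(**self.params)
        return "key update complete"               # second / sixth message

    def on_trigger(self):
        """Steps 707/708: switch to the updated key only on the control element's trigger."""
        self.current, self.pending = self.pending, None


def run_figure7_flow():
    """Replay Figure 7 with constructed parameters; returns named checks."""
    params = dict(collector_daid="DA-UE-01", processor_daid="DA-DPF-07",
                  enc_alg="AES_128", int_alg="AES_128",
                  salt=b"first-salt", iterations=10_000)
    collector, processor = DataAgent(**params), DataAgent(**params)
    r = {"first_keys_match": collector.current == processor.current}

    msg1 = collector.send("DS-1", 1, b"temp=21.5")
    r["data_under_first_key"] = processor.receive(msg1) == b"temp=21.5"

    # Data control element: key update request carrying only a second salt value.
    collector.on_key_update_request(salt=b"second-salt")
    processor.on_key_update_request(salt=b"second-salt")
    r["second_keys_match"] = collector.pending == processor.pending
    r["second_key_differs"] = collector.pending != collector.current

    # If the collector switched before the processor was triggered, the processor
    # (still on the first key) rejects the data. Steps 705 to 708 exist to prevent this.
    collector.on_trigger()
    msg2 = collector.send("DS-1", 2, b"temp=21.7")
    r["early_switch_rejected"] = processor.receive(msg2) is None

    processor.on_trigger()                        # fourth information arrives
    r["data_after_trigger"] = processor.receive(msg2) == b"temp=21.7"
    return r
```

The `early_switch_rejected` check is the reason the data control network element waits for both the second and the sixth message before sending the second and fourth information: a sender that switches keys before its peer has been triggered produces data the peer cannot verify.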
[0334] The method shown in Figure 7 can be combined with the method shown in Figure 4, Figure 5, Figure 6A, or Figure 6B. For example, the first data proxy network element, the second data proxy network element, and the data control network element can transmit the data of the first data service based on the method shown in Figure 4, Figure 5, Figure 6A, or Figure 6B, and perform key updates based on the method shown in Figure 7.
[0335] Figure 8 is a flowchart illustrating another communication method provided in an embodiment of this application. This method is applied to a terminal device, a first access network device, a second access network device, and a data control network element. The terminal device resides in a cell under the first access network device, and the second access network device is the target access network device for cell handover by the terminal device. As shown in Figure 8, the method includes, but is not limited to, the following steps.
[0336] 801, The first access network device sends a handover request message.
[0337] Correspondingly, the data control network element receives the handover request message.
[0338] The handover request message is used to request the terminal device to be switched from the first access network device to the second access network device. The handover request message includes the identification information of the second access network device.
[0339] After receiving the handover request message, the data control network element can determine the relevant parameters for generating a third key. This third key is used to encrypt and / or protect the integrity of the data of the first data service transmitted between the terminal device and the second access network device at the application layer. For example, the data control network element determines at least one of the following: a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third number of iterations.
[0340] For example, the handover request message may also include the DSID of the first data service and the DAID of the terminal device. The first access network device is the access network device on which the terminal device is currently camped. When the terminal device is camped on the first access network device, the terminal device acts as a DA to collect data from the first data service, and the first access network device acts as another DA to process the data from the first data service.
[0341] When a terminal device needs to switch from the first access network device to the second access network device, the data processing network element corresponding to the first data service also needs to switch from the first access network device to the second access network device. Therefore, the first access network device can request the data control network element, through the handover request message, to determine the relevant parameters of the third key (such as the corresponding encryption algorithm, integrity protection algorithm, salt value, number of iterations, etc.).
[0342] 802, the data control network element sends the fifth information to the second access network device.
[0343] Correspondingly, the second access network device receives the fifth information.
[0344] The fifth information is used to determine the third key, and the fifth information includes at least one of the following: the identification information of the terminal device (such as the DAID of the terminal device), the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
[0345] After receiving the fifth information, the second access network device can generate a third key based on the fifth information.
[0346] For example, the fifth information may also include the DSID of the first data service.
[0347] For example, the fifth information may be included in a data service initiation request message or a data service control message. This data service initiation request message or data service control message may further include at least one of the following: the service type of the first data service, the data processing function configuration, and the next-hop DA. The data processing function configuration indicates the processing method by which the second access network device processes the data of the first data service, and the next-hop DA indicates the DA to which the second access network device will transmit the processed data.
[0348] For example, after receiving a data service initiation request message or a data service control message, the second access network device can also reply with a corresponding response message (such as a data service request response message) to the data control network element.
[0349] 803, the data control network element sends a handover response message to the first access network device.
[0350] Accordingly, the first access network device receives the handover response message.
[0351] This handover response message is used to respond to the handover request message.
[0352] For example, the handover response message includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
[0353] 804, the first access network device sends a handover message to the terminal device.
[0354] Accordingly, the terminal device receives the handover message.
[0355] The handover message is used to trigger the terminal device to switch from the first access network device to the second access network device. The handover message can also be a handover command, or it can be an RRC reconfiguration message.
[0356] The handover message includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
[0357] 805, The terminal device generates a third key based on the handover message.
[0358] It is understandable that, for the specific implementation of the terminal device generating the third key, reference may be made to the specific implementation of the first data proxy network element generating the first key in Figure 4, which will not be repeated here.
[0359] 806, The terminal device sends the fourth data to the second access network device.
[0360] Correspondingly, the second access network device receives the fourth data.
[0361] The fourth data is obtained by encrypting and / or protecting the integrity of the data from the first data service at the application layer using a third key.
[0362] After the terminal device switches from the first access network device to the second access network device, it uses the third key to encrypt and / or protect the integrity of the first data service data at the application layer, obtaining the fourth data. Upon receiving the fourth data, the second access network device uses the third key to decrypt and / or verify the integrity of the fourth data.
[0363] In this embodiment, the data control network element can carry the parameters for generating the third key in the handover response message. The first access network device carries these parameters in the handover message, thereby enabling the terminal device to generate the third key in advance. After switching to the second access network device, the terminal device can directly use the third key to encrypt and / or protect the integrity of the data of the first data service, thereby improving the efficiency of data transmission.
[0364] The method shown in Figure 8 can be combined with the methods shown in Figures 4-7. For example, the terminal device can be the first data proxy network element described above, and the first access network device can be the second data proxy network element described above. Data transmission between the terminal device and the first access network device can be performed based on the method shown in Figure 4, Figure 5, or Figure 6B, and the access network device where the terminal device resides can be switched using the method shown in Figure 8. Optionally, the terminal device and the first access network device can also perform key updates using the method shown in Figure 7.
[0365] Figure 9 is a flowchart illustrating another communication method provided in an embodiment of this application. As shown in Figure 9, the method includes, but is not limited to, the following steps.
[0366] 901, The first access network device sends a handover request message.
[0367] Correspondingly, the data control network element receives the handover request message.
[0368] For a detailed explanation of the handover request message, please refer to the relevant description in step 801 of Figure 8, which will not be elaborated here.
[0369] 902, the data control network element sends the fifth information to the second access network device.
[0370] Correspondingly, the second access network device receives the fifth information.
[0371] For a detailed explanation of the fifth information, please refer to the relevant description in step 802 of Figure 8, which will not be elaborated here.
[0372] 903, the data control network element sends a handover response message to the first access network device, and the first access network device receives the handover response message accordingly.
[0373] This handover response message is used to respond to the handover request message.
[0374] 904, the first access network device sends a handover message to the terminal device.
[0375] Accordingly, the terminal device receives the handover message.
[0376] The handover message is used to trigger a terminal device to switch from the first access network device to the second access network device. After receiving the handover message, the terminal device switches from the first access network device to the second access network device.
[0377] 905, the second access network device sends a third message.
[0378] Correspondingly, the terminal device receives a third message.
[0379] The third message includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
[0380] After the terminal device switches from the first access network device to the second access network device, the second access network device sends a third message to the terminal device to inform the terminal device of the parameters for generating the third key.
[0381] 906, The terminal device generates a third key based on the third message.
[0382] The terminal device can generate the third key based on the terminal device's identification information, the second access network device's identification information, the second encryption algorithm and / or the second integrity protection algorithm, the third salt value, and the third iteration number.
[0383] It is understandable that, for the specific implementation of the terminal device generating the third key, reference may be made to the specific implementation of the first data proxy network element generating the first key in Figure 4, which will not be repeated here.
[0384] 907, The terminal device sends the fourth data to the second access network device.
[0385] Correspondingly, the second access network device receives the fourth data.
[0386] The fourth data is obtained by encrypting and / or protecting the integrity of the data from the first data service at the application layer using a third key.
[0387] In this embodiment, after the terminal device switches from the first access network device to the second access network device, the second access network device sends the information for generating the third key to the terminal device. This information does not pass through the first access network device, which can improve the security of the third key.
[0388] The method shown in Figure 9 can be combined with the methods shown in Figures 4-7. For example, the terminal device can be the first data proxy network element described above, and the first access network device can be the second data proxy network element described above. Data transmission between the terminal device and the first access network device can be performed based on the method shown in Figure 4, Figure 5, or Figure 6B, and the access network device where the terminal device resides can be switched using the method shown in Figure 9. Optionally, the terminal device and the first access network device can also perform key updates using the method shown in Figure 7.
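The derivation of the third key from the signalled parameters, as described for Figure 8 and repeated for Figures 9 and 10, modelled in Python as an added example that is not code from the application or from the applicant. The data control network element chooses the parameters, the second access network device receives them in the fifth information, and the terminal receives them in the handover message (Figure 8), the third message (Figure 9) or the fourth message (Figure 10); both sides then derive the same key independently, so no key material crosses the air interface. The application lists the inputs (terminal identification, second access network device identification, second encryption and / or integrity protection algorithm, third salt value, third iteration number) but does not fix a key derivation function or an input encoding; PBKDF2-HMAC-SHA256 with length-prefixed fields, the algorithm identifiers, the sample identities and the salt are all assumptions constructed for this example.

```python
"""Added example: deriving the third (handover) key from the signalled parameters.

KeyParams, derive_key and handover are names chosen for this example. The KDF
(PBKDF2-HMAC-SHA256), the field encoding and all sample values are assumptions;
the application specifies only which parameters the key is generated from.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

TAG_LEN = 32


@dataclass(frozen=True)
class KeyParams:
    """Parameters carried in the fifth information and in the message to the terminal."""
    terminal_id: str   # identification information of the terminal device (its DAID)
    an_id: str         # identification information of the second access network device
    enc_alg: str       # second encryption algorithm (identifier string is assumed)
    int_alg: str       # second integrity protection algorithm (identifier string is assumed)
    salt: bytes        # third salt value
    iterations: int    # third iteration number


def derive_key(p: KeyParams, length: int = 32) -> bytes:
    """Derive the third key with PBKDF2-HMAC-SHA256 (assumed KDF).

    Each string field is length-prefixed before concatenation so that two different
    parameter sets cannot serialise to the same KDF input.
    """
    def field(s: str) -> bytes:
        b = s.encode()
        return len(b).to_bytes(2, "big") + b

    kdf_input = field(p.terminal_id) + field(p.an_id) + field(p.enc_alg) + field(p.int_alg)
    return hashlib.pbkdf2_hmac("sha256", kdf_input, p.salt, p.iterations, dklen=length)


def integrity_protect(key: bytes, data: bytes) -> bytes:
    """Application-layer integrity protection: data || HMAC-SHA256 tag (assumed algorithm)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def integrity_verify(key: bytes, msg: bytes) -> bool:
    if len(msg) < TAG_LEN:
        return False
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def handover(first_key: bytes, payload: bytes) -> dict:
    """Run one handover; return which properties held (asserted in the test)."""
    # Steps 801-802: the data control NE determines the parameters and sends the
    # fifth information to the second access network device (constructed values).
    params = KeyParams(
        terminal_id="daid-terminal-01", an_id="an-target-07",
        enc_alg="AES-128-GCM", int_alg="HMAC-SHA256",
        salt=os.urandom(16), iterations=10_000,
    )
    key_target_an = derive_key(params)   # second access network device, from the fifth information
    key_terminal = derive_key(params)    # terminal, from the handover / third / fourth message

    # Steps 806 / 907 / 1007: the terminal protects the fourth data with the third key.
    fourth_data = integrity_protect(key_terminal, payload)

    # Data still protected with the pre-handover (first) key must not verify at the target.
    stale = integrity_protect(first_key, payload)

    # A terminal holding a different salt derives a different key (detects mis-delivery).
    bad_params = replace(params, salt=bytes(16))

    return {
        "keys_match": key_target_an == key_terminal,
        "fourth_data_verifies": integrity_verify(key_target_an, fourth_data),
        "stale_key_rejected": not integrity_verify(key_target_an, stale),
        "salt_mismatch_changes_key": derive_key(bad_params) != key_target_an,
    }


if __name__ == "__main__":
    print(handover(b"\x01" * 32, b"sensor-reading:21.5C"))
```

Because the salt and iteration number are part of the derivation, every handover yields a fresh third key even for the same terminal and target access network device, and a stale message protected with the first key is rejected by the second access network device rather than silently accepted.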
[0389] Figure 10 is a flowchart illustrating another communication method provided in an embodiment of this application. As shown in Figure 10, the method includes, but is not limited to, the following steps.
[0390] 1001, The first access network device sends a handover request message.
[0391] Correspondingly, the data control network element receives the handover request message.
[0392] For details on the specific implementation of step 1001, please refer to the specific implementation of step 801 in Figure 8, which will not be elaborated here.
[0393] 1002, the data control network element sends the fifth information to the second access network device.
[0394] Correspondingly, the second access network device receives the fifth information.
[0395] For details on the specific implementation of step 1002, please refer to the specific implementation of step 802 in Figure 8, which will not be elaborated here.
[0396] 1003, the data control network element sends the fourth message to the terminal device.
[0397] Correspondingly, the terminal device receives the fourth message.
[0398] The fourth message is used for handover of the terminal device from the first access network device to the second access network device, or in other words, the fourth message is used for handover preparation of the terminal device from the first access network device to the second access network device. The fourth message includes at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
[0399] 1004, The terminal device generates the third key based on the fourth message.
[0400] After the terminal device generates the third key, it saves the third key so that after switching to the second access network device, the third key can be used to encrypt and / or protect the data of the first data service at the application layer.
[0401] It is understandable that, for the specific implementation of the terminal device generating the third key, reference may be made to the specific implementation of the first data proxy network element generating the first key in Figure 4, which will not be repeated here.
[0402] 1005, the data control network element sends a handover response message to the first access network device.
[0403] Accordingly, the first access network device receives the handover response message.
[0404] 1006, the first access network device sends a handover message to the terminal device, and the terminal device receives the handover message accordingly.
[0405] The handover message is used to trigger a terminal device to hand over from a first access network device to a second access network device. After receiving the handover message, the terminal device performs a cell handover, switching from a cell under the first access network device to a cell under the second access network device.
[0406] 1007, The terminal device sends the fourth data to the second access network device.
[0407] Correspondingly, the second access network device receives the fourth data.
[0408] The fourth data is obtained by encrypting and / or protecting the integrity of the data from the first data service at the application layer using a third key.
[0409] In this embodiment, after determining the parameters used to generate the third key, the data control network element sends the information carrying the parameters to the terminal device and the second access network device respectively. This enables the terminal device and the second access network device to generate the third key in advance before the terminal device completes the handover. After the terminal device switches to the second access network device, data transmission can be performed more quickly based on the third key, thus improving the efficiency of data transmission.
[0410] The method shown in Figure 10 can be combined with the methods shown in Figures 4-7. For example, the terminal device can be the first data proxy network element described above, and the first access network device can be the second data proxy network element described above. Data transmission between the terminal device and the first access network device can be performed based on the method shown in Figure 4, Figure 5, or Figure 6B, and the access network device where the terminal device resides can be switched using the method shown in Figure 10. Optionally, the terminal device and the first access network device can also perform key updates using the method shown in Figure 7.
[0411] The following describes the communication device provided in the embodiments of this application.
[0412] This application divides the communication device into functional modules according to the above method embodiments. For example, each function can be divided into its own functional modules, or two or more functions can be integrated into one processing module. The integrated modules can be implemented in hardware or as software functional modules. It should be noted that the module division in this application is illustrative and only represents one logical functional division; other division methods may be used in actual implementation. The communication device of the embodiments of this application will be described in detail below with reference to Figures 11 to 13.
[0413] Figure 11 is a schematic diagram of a communication device provided in an embodiment of this application. As shown in Figure 11, the communication device includes a processing module 1101 and a transceiver module 1102. The transceiver module 1102 can implement corresponding communication functions, and the processing module 1101 is used to implement corresponding processing functions. The transceiver module 1102 can also be referred to as an interface, a communication interface, or a communication module, etc.
[0414] In some embodiments of this application, the communication device can be used to perform the actions performed by the first data proxy network element in the above method embodiments. In this case, the communication device can be the first data proxy network element itself or a chip or functional module that can be configured in the first data proxy network element. The transceiver module 1102 is used to perform the transceiver-related operations of the first data proxy network element in the above method embodiments, and the processing module 1101 is used to perform the processing-related operations of the first data proxy network element in the above method embodiments.
[0415] The processing module 1101 is used to collect the first data; the transceiver module 1102 is used to send or output the second data.
[0416] Optionally, the transceiver module 1102 is also used to receive or input first information; the processing module 1101 is also used to generate a first key.
[0417] Optionally, the transceiver module 1102 is also used to send or output first capability information.
[0418] Optionally, the transceiver module 1102 is also used to receive or input a first message; the processing module 1101 is also used to generate a second key; the transceiver module 1102 is also used to send or output a second message, receive or input second information, and send or output third data.
[0419] Optionally, the transceiver module 1102 is also used to receive or input a handover message; the processing module 1101 is also used to generate a third key; and the transceiver module 1102 is also used to send or output fourth data.
[0420] Optionally, the transceiver module 1102 is also used to receive or input a third message; the processing module 1101 is also used to generate a third key; and the transceiver module 1102 is also used to send or output fourth data.
[0421] Optionally, the transceiver module 1102 is also used to receive or input a fourth message; the processing module 1101 is also used to generate a third key; and the transceiver module 1102 is also used to receive or input a handover message and send or output fourth data.
[0422] For detailed explanations of the first data, second data, third data, fourth data, first information, second information, first capability information, first message, second message, third message, fourth message, handover message, first key, second key, and third key, please refer to the above text, which will not be elaborated here.
[0423] Reusing Figure 11, in some other embodiments of this application, the communication device can be used to perform the actions performed by the second data proxy network element in the above method embodiments. In this case, the communication device can be the second data proxy network element itself or a chip or functional module configurable in the second data proxy network element. The transceiver module 1102 is used to perform the transceiver-related operations of the second data proxy network element in the above method embodiments, and the processing module 1101 is used to perform the processing-related operations of the second data proxy network element in the above method embodiments.
[0424] The transceiver module 1102 is used to receive or input second data; the processing module 1101 is used to decrypt and / or perform integrity protection verification on the second data at the application layer according to the first key.
[0425] Optionally, the transceiver module 1102 is also used to receive or input third information; the processing module 1101 is also used to generate a first key.
[0426] Optionally, the transceiver module 1102 is also used to send or output second capability information.
[0427] Optionally, the transceiver module 1102 is also used to receive or input a fifth message; the processing module 1101 is also used to generate a second key; and the transceiver module 1102 is also used to send or output a sixth message and receive or input fourth information.
[0428] Optionally, the transceiver module 1102 is also used to send or output a handover request message and to receive or input a handover message.
[0429] For detailed explanations of the first data, second data, third information, fourth information, first key, second key, second capability information, handover request message, handover message, fifth message, and sixth message, please refer to the above text, which will not be elaborated here.
[0430] Reusing Figure 11, in some other embodiments of this application, the communication device can be used to perform the actions performed by the data control network element in the above method embodiments. In this case, the communication device can be the data control network element itself or a chip or functional module configurable in the data control network element. The transceiver module 1102 is used to perform the transceiver-related operations of the data control network element in the above method embodiments, and the processing module 1101 is used to perform the processing-related operations of the data control network element in the above method embodiments.
[0431] The transceiver module 1102 is used to receive or input data service request messages; the processing module 1101 is used to determine the first data proxy network element and the second data proxy network element; the transceiver module 1102 is also used to send or output first information and third information.
[0432] Optionally, the processing module 1101 is also used to determine a first encryption algorithm and / or a first integrity protection algorithm.
[0433] Optionally, the transceiver module 1102 is also used to receive or input first capability information.
[0434] Optionally, the transceiver module 1102 is also used to receive or input second capability information.
[0435] Optionally, the transceiver module 1102 is also used to send or output the first message and the fifth message, receive or input the second message and the sixth message, and send or output the second information and the fourth information.
[0436] Optionally, the transceiver module 1102 is also used to receive or input a handover request message, and to send or output fifth information.
[0437] Optionally, the transceiver module 1102 is also used to send or output a handover response message.
[0438] Optionally, the transceiver module 1102 is also used to send or output a fourth message.
[0439] For detailed explanations of the first information, second information, third information, fourth information, fifth information, first capability information, second capability information, first message, second message, fifth message, sixth message, fourth message, data service request message, handover request message, handover response message, etc., please refer to the above text, and will not be elaborated here.
[0440] Reusing Figure 11, in some other embodiments of this application, the communication device can be used to perform the actions performed by the second access network device in the above method embodiments. In this case, the communication device can be the second access network device itself or a chip or functional module configurable in the second access network device. The transceiver module 1102 is used to perform the transceiver-related operations of the second access network device in the above method embodiments, and the processing module 1101 is used to perform the processing-related operations of the second access network device in the above method embodiments.
[0441] The transceiver module 1102 is used to receive or input fifth information; the processing module 1101 is used to generate a third key; the transceiver module 1102 is also used to send or output a third message and receive or input fourth data; the processing module 1101 is also used to decrypt and / or perform integrity protection verification on the fourth data at the application layer based on the third key.
[0442] For detailed explanations of the fifth information, the third key, the third message, the fourth data, etc., please refer to the above text, which will not be elaborated here.
[0443] Optionally, in the above embodiments, the communication device may further include a storage module, which can be used to store instructions and / or data. The processing module 1101 can read the instructions and / or data in the storage module to enable the communication device to implement the aforementioned method embodiments. For example, the storage module may store subcarrier planning, etc., as shown above.
[0444] For details regarding the specific explanations of each term, noun, or step in the above embodiments, please refer to the descriptions in the above method embodiments; they will not be detailed here.
[0445] The specific descriptions of the transceiver module and processing module shown in the above embodiments are merely examples. For the specific functions or execution steps of the transceiver module and processing module, please refer to the above method embodiments, which will not be described in detail here.
[0446] The communication device according to the embodiments of this application has been described above. The following describes possible product forms of the communication device. Any product possessing the functions of the communication device described in FIG. 11 above falls within the protection scope of the embodiments of this application. The following description is merely illustrative and does not limit the product form of the communication device according to the embodiments of this application to these forms.
[0447] In one possible implementation, in the communication device shown in FIG. 11, the processing module 1101 may be one or more processors, and the transceiver module 1102 may be a transceiver, or the transceiver module 1102 may also be a transmitting module and a receiving module. The transmitting module may be a transmitter, and the receiving module may be a receiver. The transmitting module and the receiving module may be integrated into one device, such as a transceiver. In the embodiments of this application, the processor and the transceiver may be coupled, and the connection method of the processor and the transceiver is not limited in the embodiments of this application. In the process of executing the above method, the process of sending information in the above method may be the process of the processor outputting the above information. When outputting the above information, the processor outputs the above information to the transceiver so that the transceiver can transmit it. After the above information is output by the processor, it may need to undergo other processing before reaching the transceiver. Similarly, the process of receiving information in the above method may be the process of the processor receiving the above information as input. When the processor receives the input information, the transceiver receives the above information and inputs it into the processor. Furthermore, after the transceiver receives the aforementioned information, the information may need to undergo further processing before being input into the processor.
[0448] As shown in Figure 12, the communication device 120 includes one or more processors 1220 and transceivers 1210.
[0449] In some embodiments of this application, the communication device can be used to execute the steps, methods, or functions performed by the first data proxy network element described above. For example, the processor 1220 can be used to execute the functions or steps implemented by the processing module 1101 shown in FIG. 11, and the transceiver 1210 can be used to execute the functions or steps implemented by the transceiver module 1102 shown in FIG. 11. Detailed descriptions of the processor 1220 and the transceiver 1210 can be found in FIG. 11 or the method embodiments shown above, and will not be elaborated further here.
[0450] In other embodiments of this application, the communication device is used to execute the steps, methods, or functions performed by the second data proxy network element described above. For example, the processor 1220 can be used to execute the functions or steps implemented by the processing module 1101 shown in FIG. 11, and the transceiver 1210 can be used to execute the functions or steps implemented by the transceiver module 1102 shown in FIG. 11. Detailed descriptions of the processor 1220 and the transceiver 1210 can be found in FIG. 11 or the method embodiments shown above, and will not be elaborated further here.
[0451] In some other embodiments of this application, the communication device is used to execute the steps, methods, or functions performed by the data control network element described above. For example, the processor 1220 can be used to execute the functions or steps implemented by the processing module 1101 shown in FIG. 11, and the transceiver 1210 can be used to execute the functions or steps implemented by the transceiver module 1102 shown in FIG. 11. Detailed descriptions of the processor 1220 and the transceiver 1210 can be found in FIG. 11 or the method embodiments shown above, and will not be elaborated further here.
[0452] In some other embodiments of this application, the communication device is used to execute the steps, methods, or functions performed by the second access network device described above. For example, the processor 1220 can be used to execute the functions or steps implemented by the processing module 1101 shown in FIG. 11, and the transceiver 1210 can be used to execute the functions or steps implemented by the transceiver module 1102 shown in FIG. 11. Detailed descriptions of the processor 1220 and the transceiver 1210 can be found in FIG. 11 or the method embodiments shown above, and will not be elaborated further here.
[0453] In various implementations of the communication device shown in Figure 12, the transceiver may include a receiver for performing a receiving function (or operation) and a transmitter for performing a transmitting function (or operation). The transceiver is also used to communicate with other devices / appliances via a transmission medium.
[0454] Optionally, the communication device 120 may further include one or more memories 1230 for storing program instructions and / or data. The memory 1230 is coupled to the processor 1220. The coupling in this embodiment is an indirect coupling or communication connection between communication devices, units, or modules, and can be electrical, mechanical, or other forms, used for information exchange between the communication devices, units, or modules. The processor 1220 may operate in conjunction with the memory 1230. The processor 1220 may execute program instructions stored in the memory 1230. Optionally, at least one of the above-mentioned memories may be included in the processor.
[0455] This embodiment does not limit the specific connection medium between the transceiver 1210, processor 1220, and memory 1230. In Figure 12, the memory 1230, processor 1220, and transceiver 1210 are connected via a bus 1240, indicated by a thick line. The connection methods between other components are merely illustrative and not intended to be limiting. The bus can be categorized as an address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used in Figure 12, but this does not imply that there is only one bus or one type of bus.
[0456] In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., and can implement or execute the various methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application can be directly manifested as being executed by a hardware processor, or being executed by a combination of hardware and software modules within the processor.
[0457] In this application embodiment, the memory may include, but is not limited to, non-volatile memory such as hard disk drive (HDD) or solid-state drive (SSD), random access memory (RAM), erasable programmable read-only memory (EPROM), read-only memory (ROM), or compact disc read-only memory (CD-ROM), etc. Memory is any storage medium capable of carrying or storing program code having instruction or data structure forms, and capable of being read and / or written by a computer (such as the communication device shown in this application), but is not limited to this. The memory in this application embodiment may also be a circuit or any other device capable of implementing storage functions, used to store program instructions and / or data.
[0458] The processor 1220 is mainly used to process communication protocols and communication data, control the entire communication device, execute software programs, and process the data of the software programs. The memory 1230 is mainly used to store software programs and data. The transceiver 1210 may include control circuitry and an antenna. The control circuitry is mainly used for converting baseband signals to radio frequency signals and processing radio frequency signals. The antenna is mainly used for transmitting and receiving radio frequency signals in the form of electromagnetic waves. Input / output devices, such as touchscreens, displays, and keyboards, are mainly used to receive user input data and output data to the user.
[0459] When the communication device is powered on, the processor 1220 can read the software program in the memory 1230, interpret and execute the instructions of the software program, and process the data of the software program. When data needs to be transmitted wirelessly, the processor 1220 performs baseband processing on the data to be transmitted and outputs the baseband signal to the radio frequency (RF) circuit. The RF circuit processes the baseband signal and transmits the RF signal outward in the form of electromagnetic waves through the antenna. When data is sent to the communication device, the RF circuit receives the RF signal through the antenna, converts the RF signal into a baseband signal, and outputs the baseband signal to the processor 1220. The processor 1220 converts the baseband signal into data and processes the data.
[0460] In another implementation, the radio frequency circuitry and antenna can be set up independently of the processor performing baseband processing. For example, in a distributed scenario, the radio frequency circuitry and antenna can be arranged remotely, independent of the communication device.
[0461] The communication device shown in this application embodiment may also have more components than those in Figure 12, and this application embodiment does not limit this. The methods executed by the processor and transceiver shown above are only examples, and the specific steps executed by the processor and transceiver can be referred to the methods described above.
[0462] In another possible implementation, in the communication device shown in FIG. 11, the processing module 1101 can be one or more logic circuits, and the transceiver module 1102 can be an input / output interface, a communication interface, an interface circuit, an interface, etc. Alternatively, the transceiver module 1102 can also be a transmitting module and a receiving module. The transmitting module can be an output interface, and the receiving module can be an input interface. The transmitting module and the receiving module may be integrated into one module, such as an input / output interface. As shown in FIG. 13, the communication device shown in FIG. 13 includes a logic circuit 1301 and an interface 1302. That is, the above-mentioned processing module 1101 can be implemented using the logic circuit 1301, and the transceiver module 1102 can be implemented using the interface 1302. Among them, the logic circuit 1301 can be a chip, a processing circuit, an integrated circuit, a system on chip (SoC) chip, etc., and the interface 1302 can be a communication interface, an input / output interface, pins, etc. For example, FIG. 13 illustrates the above-mentioned communication device as a chip, which includes a logic circuit 1301 and an interface 1302.
[0463] In this embodiment, the logic circuit and the interface can also be coupled to each other. The specific connection method of the logic circuit and the interface is not limited in this embodiment. For example, the logic circuit 1301 can be used to execute the functions or steps implemented by the processing module 1101 shown in FIG. 11, and the interface 1302 can be used to execute the functions or steps implemented by the transceiver module 1102 shown in FIG. 11. For a detailed description of the logic circuit 1301 and the interface 1302, please refer to FIG. 11 or the method embodiment shown above, which will not be detailed here.
[0464] The communication device shown in the embodiments of this application can implement the method provided in the embodiments of this application in hardware form, or it can implement the method provided in the embodiments of this application in software form, etc., and the embodiments of this application do not limit it in this way.
[0465] Furthermore, this application also provides a communication system, which includes at least two of the following: a first data proxy network element, a second data proxy network element, a data control network element, and a second access network device. The first data proxy network element, the second data proxy network element, the data control network element, and the second access network device can be used to execute the methods in any of the foregoing embodiments.
[0466] This application also provides a computer program for implementing the operations and / or processes performed by the first data proxy network element, the second data proxy network element, the data control network element, or the second access network device in the method provided in this application.
[0467] This application also provides a computer-readable storage medium storing computer code that, when executed on a computer, causes the computer to perform the operations and / or processes performed by the first data proxy network element, the second data proxy network element, the data control network element, or the second access network device in the method provided in this application.
[0468] This application also provides a computer program product, which includes computer code or a computer program that, when run on a computer, causes the operations and / or processes performed by the first data proxy network element, the second data proxy network element, the data control network element, or the second access network device in the method provided in this application to be executed.
[0469] In the embodiments provided in this application, it should be understood that the disclosed systems, communication devices, and methods can be implemented in other ways. For example, the communication device embodiments described above are merely illustrative. For instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, communication devices, or modules, or it may be an electrical, mechanical, or other form of connection.
[0470] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the technical effects of the solutions provided in the embodiments of this application.
[0471] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The integrated modules described above can be implemented in hardware or as software functional modules.
[0472] If the integrated module is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a readable storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned readable storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0473] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A communication method, characterized in that it is applied to a first data proxy network element and includes: collecting first data of a first data service; and sending second data to a second data proxy network element, the second data being obtained by encrypting and / or integrity protecting the first data at the application layer using a first key, and the second data proxy network element being used to process the data of the first data service.
2. The method according to claim 1, characterized in that the method further includes: receiving first information from a data control network element, the first information including at least one of the following: identification information of the second data proxy network element, a first encryption algorithm, a first integrity protection algorithm, a first salt value, a first iteration number, and identification information of the first data service; and generating the first key based on the first information.
3. The method according to claim 1 or 2, characterized in that the method further includes: sending first capability information to the data control network element, the first capability information including encryption algorithms and / or integrity protection algorithms supported by the first data proxy network element.
4. The method according to any one of claims 1-3, characterized in that the method further includes: receiving a first message from a data control network element, the first message being used to request a key update and including a second salt value and / or a second iteration number; generating a second key based on the second salt value and / or the second iteration number; sending a second message to the data control network element in response to the first message; receiving second information from the data control network element, the second information being used to trigger encryption and / or integrity protection of the data of the first data service using the second key; and sending third data to the second data proxy network element, the third data being obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the second key.
5. The method according to any one of claims 1-4, characterized in that the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes: the terminal device receiving a handover message from the first access network device, the handover message being used to trigger the terminal device to hand over from the first access network device to a second access network device and including at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; generating a third key based on the handover message; and, after the terminal device has successfully handed over from the first access network device to the second access network device, sending fourth data to the second access network device, the fourth data being obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
6. The method according to any one of claims 1-4, characterized in that the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes: after the terminal device has successfully handed over from the first access network device to a second access network device, receiving a third message from the second access network device, the third message including at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; generating a third key based on the third message; and sending fourth data to the second access network device, the fourth data being obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
7. The method according to any one of claims 1-4, characterized in that the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes: the terminal device receiving a fourth message from a data control network element, the fourth message being used for the terminal device to hand over from the first access network device to a second access network device and including at least one of the following: identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; generating a third key based on the fourth message; receiving a handover message from the first access network device, the handover message being used to trigger the terminal device to hand over from the first access network device to the second access network device; and, after the terminal device has successfully handed over from the first access network device to the second access network device, sending fourth data to the second access network device, the fourth data being obtained by encrypting and / or integrity protecting the data of the first data service at the application layer using the third key.
8. The method according to any one of claims 1-4, characterized in that the first data proxy network element is a terminal device, and the second data proxy network element is a data processing function (DPF).
9. The method according to any one of claims 1-8, characterized in that the application layer includes a Data Forwarding Protocol Service (DFP-S) layer.
10. A communication method, characterized in that it is applied to a second data proxy network element and includes: receiving second data from a first data proxy network element, the second data being obtained by encrypting and / or integrity protecting the data of a first data service at the application layer, and the first data proxy network element being used to collect the data of the first data service; and decrypting and / or integrity verifying the second data at the application layer using a first key to obtain the first data, the second data proxy network element being used to process the data of the first data service.
11. The method according to claim 10, characterized in that the method further includes: receiving third information from a data control network element, the third information including at least one of the following: identification information of the first data proxy network element, a first encryption algorithm, a first integrity protection algorithm, a first salt value, a first iteration number, and identification information of the first data service; and generating the first key based on the third information.
12. The method according to claim 10 or 11, characterized in that the processing includes one or more of the following: field extraction, format conversion, redundant data removal, noise reduction, averaging, compression, and fusion.
13. The method according to any one of claims 10-12, characterized in that the method further includes: sending second capability information to the data control network element, the second capability information including encryption algorithms and / or integrity protection algorithms supported by the second data proxy network element.
14. The method according to any one of claims 10-13, characterized in that the method further includes: receiving a fifth message from the data control network element, the fifth message being used to request a key update and including a second salt value and / or a second iteration number; generating a second key based on the second salt value and / or the second iteration number; sending a sixth message to the data control network element in response to the fifth message; and receiving fourth information from the data control network element, the fourth information being used to trigger the second data proxy network element to decrypt and / or integrity verify the data of the first data service using the second key.
15. The method according to any one of claims 10-14, characterized in that the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes: sending a handover request message to the data control network element, the handover request message being used to request that the terminal device be handed over from the first access network device to a second access network device and including identification information of the second access network device; receiving a handover response message from the data control network element, the handover response message including at least one of the following: the identification information of the second access network device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; and sending a handover message to the terminal device, the handover message being used to trigger the terminal device to hand over from the first access network device to the second access network device and including at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
16. A communication method, characterized in that it is applied to a data control network element and includes: receiving a data service request message, the data service request message being used to request a first data service; and, according to the data service request message, sending first information to a first data proxy network element and sending third information to a second data proxy network element; wherein the first data proxy network element is used to collect data of the first data service, the second data proxy network element is used to process the data of the first data service, the first information and the third information are used to generate a first key, and the first key is used to encrypt and / or integrity protect, at the application layer, the data of the first data service transmitted between the first data proxy network element and the second data proxy network element.
17. The method according to claim 16, characterized in that the first information includes at least one of the following: identification information of the second data proxy network element, a first encryption algorithm, a first integrity protection algorithm, a first salt value, a first iteration number, and identification information of the first data service; and the third information includes at least one of the following: identification information of the first data proxy network element, the first encryption algorithm, the first integrity protection algorithm, the first salt value, the first iteration number, and the identification information of the first data service.
18. The method according to claim 17, characterized in that the method further includes: determining the first encryption algorithm based on the encryption algorithms supported by the first data proxy network element, the encryption algorithms supported by the second data proxy network element, and a security level of the first data service; and / or determining the first integrity protection algorithm based on the integrity protection algorithms supported by the first data proxy network element, the integrity protection algorithms supported by the second data proxy network element, and the security level of the first data service.
19. The method according to claim 18, characterized in that the method further includes: receiving first capability information from the first data proxy network element, the first capability information including encryption algorithms and / or integrity protection algorithms supported by the first data proxy network element.
20. The method according to claim 18 or 19, characterized in that the method further includes: receiving second capability information from the second data proxy network element, the second capability information including encryption algorithms and / or integrity protection algorithms supported by the second data proxy network element.
21. The method according to any one of claims 18-20, characterized in that the data service request message includes the security level of the first data service.
22. The method according to any one of claims 16-21, characterized in that the method further includes: determining the first data proxy network element and the second data proxy network element based on the data service request message.
23. The method according to any one of claims 16-22, characterized in that the method further includes: sending a first message to the first data proxy network element, the first message being used to request a key update and including a second salt value and / or a second iteration number; sending a fifth message to the second data proxy network element, the fifth message being used to request a key update and including the second salt value and / or the second iteration number; receiving a second message and a sixth message, wherein the second message is a response to the first message and the sixth message is a response to the fifth message; and, according to the second message and the sixth message, sending second information and fourth information, the second information being used to trigger the first data proxy network element to encrypt and / or integrity protect the data of the first data service using the updated key, and the fourth information being used to trigger the second data proxy network element to decrypt and / or integrity verify the data of the first data service using the updated key.
24. The method according to any one of claims 16-23, characterized in that the first data proxy network element is a terminal device, the second data proxy network element is a first access network device, the terminal device is camped in a cell under the first access network device, and the method further includes: receiving a handover request message from the first access network device, the handover request message being used to request that the terminal device be handed over from the first access network device to a second access network device and including identification information of the second access network device; and sending fifth information to the second access network device according to the handover request message, the fifth information being used to determine a third key, the third key being used to encrypt and / or integrity protect, at the application layer, the data of the first data service transmitted between the terminal device and the second access network device, and the fifth information including at least one of the following: identification information of the terminal device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number.
25. The method according to claim 24, characterized in that the method further includes: sending a handover response message to the first access network device in response to the handover request message, the handover response message including at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
26. The method according to claim 24, characterized in that the method further includes: sending a fourth message to the terminal device, the fourth message being used for the terminal device to hand over from the first access network device to the second access network device and including at least one of the following: the identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number.
27. A communication method, characterized in that it is applied to a second access network device and includes: receiving fifth information from a data control network element, the fifth information including at least one of the following: identification information of a terminal device, a second encryption algorithm, a second integrity protection algorithm, a third salt value, and a third iteration number; generating a third key based on the fifth information; after the terminal device has successfully handed over from a first access network device to the second access network device, sending a third message to the terminal device, the third message including at least one of the following: identification information of the second access network device, the second encryption algorithm, the second integrity protection algorithm, the third salt value, and the third iteration number; receiving fourth data from the terminal device, the fourth data being obtained by encrypting and / or integrity protecting the data of a first data service at the application layer using the third key; and decrypting and / or integrity verifying the fourth data at the application layer using the third key to obtain the data of the first data service, the second access network device being used to process the data of the first data service.
28. A communication device, characterized in that the device includes at least one processor, the processor being configured to enable the communication device to implement the method according to any one of claims 1-27.
29. A computer-readable storage medium, characterized in that the computer-readable storage medium is used to store a computer program which, when executed by a computer, performs the method according to any one of claims 1-27.
30. A communication system, characterized in that it includes at least two of the following: a first data proxy network element, a second data proxy network element, a data control network element, and a second access network device, wherein the first data proxy network element is used to perform the method according to any one of claims 1-9 and the second data proxy network element is used to perform the method according to any one of claims 10-15; or the data control network element is used to perform the method according to any one of claims 16-26 and the second access network device is used to perform the method according to claim 27.
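As an added worked example (not code from the patent or from Huawei), the following Python shows the key agreement and application-layer protection flow of claims 1, 2, 4, 10, 11, 14, 16 and 23: both data proxies derive the same first key from the salt, iteration number, algorithm identifiers and service identity distributed by the data control network element, the first proxy encrypts and integrity protects service data, the second proxy verifies and decrypts, and a key update with a second salt and iteration number invalidates units protected under the old key. It assumes a pre-provisioned root secret shared by both proxies (the claims do not state here what the salt and iteration number are applied to), a PBKDF2-style derivation, and HMAC-SHA256 as a stand-in for the negotiated encryption and integrity algorithms; all parameter values are constructed.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a root secret both data proxies hold before the
# data service starts (assumption: the claims apply a salt and iteration
# number to some secret, and a PBKDF2-style derivation is the natural reading).
ROOT_SECRET = b"constructed-root-secret-provisioned-out-of-band"

# Constructed "first information" as the data control network element sends it
# to the first data proxy (claim 2). The second data proxy receives the same
# algorithm, salt, iteration and service fields, with the first proxy's
# identity in place of peer_id (claim 11).
FIRST_INFO = {
    "peer_id": "dpf-01",           # identification information of the peer
    "enc_alg": "hmac-ctr-sha256",  # stand-in for the first encryption algorithm
    "int_alg": "hmac-sha256",      # stand-in for the first integrity algorithm
    "salt": b"constructed-first-salt",
    "iterations": 10_000,          # first iteration number
    "service_id": "sensing-svc-7",
}
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_key(root_secret: bytes, info: dict) -> bytes:
    """Derive the shared application-layer key from the distributed parameters.

    Only fields identical on both sides (service id, algorithm identifiers,
    salt, iteration number) enter the derivation; peer_id differs per side and
    is used for addressing only. Binding the algorithm identifiers in means a
    proxy configured with a different algorithm derives a different key and
    fails verification instead of silently interoperating.
    """
    context = b"|".join([info["service_id"].encode(), info["enc_alg"].encode(),
                         info["int_alg"].encode(), info["salt"]])
    # 64 bytes: first half for confidentiality, second half for integrity.
    return hashlib.pbkdf2_hmac("sha256", root_secret, context,
                               info["iterations"], dklen=64)


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (the standard
    library has no AES; a deployment would use the negotiated algorithm).
    The header (service id + sequence number) serves as the nonce."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, header + struct.pack(">I", block), "sha256").digest()
        block += 1
    return bytes(out[:length])


def protect(key: bytes, service_id: str, seq: int, plaintext: bytes) -> bytes:
    """First data proxy side: encrypt-then-MAC one unit of service data.

    The result is the "second data" of claim 1: header || ciphertext || tag.
    """
    enc_key, int_key = key[:32], key[32:]
    sid = service_id.encode()
    header = struct.pack(">BI", len(sid), seq) + sid
    ks = _keystream(enc_key, header, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(int_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def unprotect(key: bytes, pdu: bytes):
    """Second data proxy side: verify the tag first, then decrypt (claim 10).

    Returns the recovered service data, or None when verification fails
    (wrong key, stale key after an update, truncated or modified unit).
    """
    enc_key, int_key = key[:32], key[32:]
    if len(pdu) < 5 + TAG_LEN:
        return None
    sid_len, _seq = struct.unpack(">BI", pdu[:5])
    hdr_len = 5 + sid_len
    if len(pdu) < hdr_len + TAG_LEN:
        return None
    header, ciphertext, tag = pdu[:hdr_len], pdu[hdr_len:-TAG_LEN], pdu[-TAG_LEN:]
    expected = hmac.new(int_key, header + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, header, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def key_update(info: dict, new_salt: bytes, new_iterations: int) -> dict:
    """Parameters after the key update of claims 4/14/23: the data control
    network element supplies a second salt and / or iteration number and both
    proxies re-derive from the same root secret."""
    return {**info, "salt": new_salt, "iterations": new_iterations}


if __name__ == "__main__":
    k1 = derive_key(ROOT_SECRET, FIRST_INFO)
    pdu = protect(k1, FIRST_INFO["service_id"], 1, b"temp=21.5C")
    print("recovered:", unprotect(k1, pdu))
    k2 = derive_key(ROOT_SECRET, key_update(FIRST_INFO, b"second-salt", 20_000))
    print("old key on new data:", unprotect(k1, protect(k2, "sensing-svc-7", 2, b"x")))
```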