Communication method, communication device, communication system, and storage medium

By sending the first message in the mobile communication system to determine the security protection requirements of the MAC CE, the configuration latency problem of the RRC layer is solved, and the security protection and efficient configuration of the MAC layer are realized.

WO2026143434A1PCT designated stage Publication Date: 2026-07-09BEIJING XIAOMI MOBILE SOFTWARE CO LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
BEIJING XIAOMI MOBILE SOFTWARE CO LTD
Filing Date
2024-12-31
Publication Date
2026-07-09

AI Technical Summary

Technical Problem

In mobile communication systems, the parameter configuration delay of the RRC layer is relatively long, which affects communication security and efficiency.

Method used

The network device sends the first information to the terminal to identify the Media Access Control Layer (MAC) CE that needs security protection, including the association relationship and security protection parameters, thereby realizing the security protection of the MAC layer.

Benefits of technology

It effectively reduces MAC layer configuration latency and improves MAC layer security and configuration efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN2024144239_09072026_PF_FP_ABST
    Figure CN2024144239_09072026_PF_FP_ABST
Patent Text Reader

Abstract

The present disclosure relates to a communication method, a communication device, a communication system, and a storage medium. The method comprises: sending first information to a terminal, wherein the first information is used for determining a media access control control element (MAC CE) requiring security protection. In the method of the present disclosure, by sending first information, a network device indicates a security protection requirement of an MAC CE to a terminal. Therefore, when parameters are configured on the basis of an MAC layer, a configuration delay can be effectively reduced, and the configuration security of the MAC layer can also be improved on the basis of security protection.
Need to check novelty before this filing date? Find Prior Art

Description

Communication methods, communication equipment, communication systems and storage media Technical Field

[0001] This disclosure relates to the field of communication technology, and in particular to a communication method, communication device, communication system and storage medium. Background Technology

[0002] In mobile communication systems, security can be enhanced through security protection, which includes two types: ciphering protection and integrity protection. Cipher protection is used to prevent third parties other than the two communicating parties from viewing the information, while integrity protection is used to prevent third parties from tampering with the information. Summary of the Invention

[0003] In communication-related parameter configuration, parameters are generally configured through the Radio Resource Control (RRC) layer, which results in a long configuration delay.

[0004] This disclosure provides a communication method, a communication device, a communication system, and a storage medium.

[0005] In a first aspect, embodiments of this disclosure provide a communication method executed by a network device, the method comprising:

[0006] Send first information to the terminal, the first information being used to identify the Media Access Control Element (MAC CE) that requires security protection.

[0007] Secondly, embodiments of this disclosure provide a communication method executed by a terminal, the method comprising:

[0008] Receive first information sent by the network device, the first information being used to determine the Media Access Control Layer Control Unit (MAC CE) requiring security protection; or...

[0009] The method includes: identifying MAC CEs that require security protection.

[0010] Thirdly, embodiments of this disclosure provide a communication device, wherein the communication device is used to perform the method described in the first aspect or the second aspect.

[0011] Fourthly, embodiments of this disclosure provide a communication system, including a network device and a terminal, wherein,

[0012] The network device is configured to implement the method as described in the first aspect;

[0013] The terminal is configured to implement the method described in the second aspect.

[0014] Fifthly, embodiments of this disclosure provide a storage medium storing instructions, wherein...

[0015] When the instructions are executed on the communication device, the communication device causes the communication device to perform the method as described in the first aspect or the second aspect.

[0016] In a sixth aspect, an embodiment of this disclosure provides a program product comprising at least one of a program and instructions, wherein when the program and instructions are executed by a communication device, they implement the method described in the first aspect or the second aspect.

[0017] In this embodiment of the disclosure, the network device sends a first message to the terminal to indicate the security protection requirements of MAC CE, thereby effectively reducing configuration latency and improving the security of MAC layer configuration based on security protection when configuring parameters based on MAC layer. Attached Figure Description

[0018] To more clearly illustrate the technical solutions in the embodiments of this disclosure, the accompanying drawings required for the description of the embodiments are introduced below. The following drawings are only some embodiments of this disclosure and do not impose specific limitations on the protection scope of this disclosure.

[0019] Figure 1A is an exemplary schematic diagram of the architecture of a communication system provided according to an embodiment of the present disclosure;

[0020] Figure 1B is a schematic diagram of a protocol stack provided according to an embodiment of the present disclosure;

[0021] Figure 1C is a schematic diagram of the encryption process provided according to an embodiment of the present disclosure;

[0022] Figure 1D is a schematic diagram of the integrity protection process provided according to an embodiment of the present disclosure;

[0023] Figure 1E is a schematic diagram of a security protection process provided according to an embodiment of the present disclosure;

[0024] Figure 1F is a schematic diagram of the PDCP PDU structure provided according to an embodiment of the present disclosure;

[0025] Figure 2 is an exemplary interactive diagram of a method provided according to an embodiment of the present disclosure;

[0026] Figures 3A to 3C are exemplary interactive schematic diagrams of the method provided according to embodiments of the present disclosure;

[0027] Figure 4A is a schematic diagram of the structure of a network device according to an embodiment of the present disclosure;

[0028] Figure 4B is a schematic diagram of the structure of a terminal according to an embodiment of the present disclosure;

[0029] Figure 5A is a schematic diagram of a communication device according to an embodiment of the present disclosure;

[0030] Figure 5B is a schematic diagram of a communication device according to an embodiment of the present disclosure. Detailed Implementation

[0031] This disclosure provides a communication method, a communication device, a communication system, and a storage medium.

[0032] In a first aspect, embodiments of this disclosure provide a communication method executed by a network device, the method comprising:

[0033] Send first information to the terminal, the first information being used to identify the Media Access Control Layer Control Unit (MAC CE) that requires security protection.

[0034] In the above embodiments, the network device sends first information to the terminal to indicate the security protection requirements of MAC CE, thereby effectively reducing configuration latency and improving the security of MAC layer configuration based on security protection when configuring parameters based on MAC layer.

[0035] In conjunction with the embodiments of the first aspect, in some embodiments, the first information includes one of the following:

[0036] The association relationship includes the correspondence between different indexes and MAC CEs with different security protection requirements;

[0037] The first index in the association;

[0038] Identification information, which indicates at least one MAC CE that requires security protection.

[0039] In conjunction with the embodiments of the first aspect, in some embodiments, the identification information includes at least one of the following:

[0040] The logical channel identifier (LCID) of at least one MAC CE;

[0041] The extended logical channel identifier (eLCID) of the at least one MAC CE.

[0042] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0043] According to the security protection parameters, the first MAC CE is protected, wherein the first MAC CE includes one or more MAC CEs that require security protection;

[0044] Send the first MAC CE, which has been secured, to the terminal;

[0045] And / or, the method further includes: receiving a first MAC CE that has been secured by the terminal.

[0046] In conjunction with the embodiments of the first aspect, in some embodiments, the security protection parameters are determined based on at least one of the following:

[0047] The data includes the bearer (or bearer-related information), key, transmission direction, and counter value. The bearer is the component that carries the data. The transmission direction can be uplink (UL) or downlink (DL).

[0048] In conjunction with the embodiments of the first aspect, in some embodiments, the bearer is determined according to one of the following: the radio bearer RB identifier, the LCID of the first MAC CE, or the truncated LCID of the first MAC CE.

[0049] In conjunction with the embodiments of the first aspect, in some embodiments, the key is multiplexed from the key of the Radio Resource Control (RRC) signaling or the user plane key.

[0050] In conjunction with the embodiments of the first aspect, in some embodiments, the count value is determined based on the Hyper Frame Number (HFN) and / or the Sequence Number (SN);

[0051] The SN increments by 1 after each securely protected first MAC CE is sent.

[0052] In conjunction with the embodiments of the first aspect, in some embodiments, the count value satisfies at least one of the following:

[0053] One of the count values ​​is associated with the identifier of the virtual signaling radio bearer (SRB) corresponding to the first MAC CE;

[0054] One of the count values ​​is associated with the identifier of the virtual data radio bearer (DRB) corresponding to the first MAC CE;

[0055] One of the count values ​​is associated with the LCID of the first MAC CE;

[0056] One of the count values ​​is associated with the LCID of the truncated first MAC CE.

[0057] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0058] Send second information to the terminal, the second information being used for the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE;

[0059] Alternatively, the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE may be specified by protocol definition or network device.

[0060] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0061] Upon the occurrence of a first event, a third message is sent to the terminal, the third message indicating the updated key; and / or,

[0062] When the key is updated, the count value or SN is set to the initial value.

[0063] In conjunction with the embodiments of the first aspect, in some embodiments, the first event includes at least one of the following:

[0064] The count value rotates;

[0065] SN rotates;

[0066] The terminal sent a message requesting a key update.

[0067] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0068] The terminal sends a fourth message, which indicates that MAC CE security protection has failed.

[0069] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0070] Update the security protection key, or release the terminal to the RRC idle or inactive state.

[0071] In conjunction with the embodiments of the first aspect, in some embodiments, the fourth information is sent via RRC signaling or MAC CE.

[0072] In conjunction with the embodiments of the first aspect, in some embodiments, the method further includes:

[0073] The terminal sends a fifth message indicating the reason for re-initiating the RRC connection or the reason for rebuilding the RRC connection is a security protection failure.

[0074] In conjunction with the embodiments of the first aspect, in some embodiments, the fourth information includes at least one of the following:

[0075] The SN corresponding to the MAC CE that failed security protection;

[0076] Time-domain information corresponding to MAC CE that failed to protect security;

[0077] The MAC-I corresponding to the MAC CE that failed security protection is generated by the data sending end after performing integrity protection.

[0078] The MAC-X corresponding to the MAC CE that failed security protection is generated by the data receiving end after performing integrity protection verification.

[0079] The location information of the terminal;

[0080] Therefore, the terminal's service cell list.

[0081] Secondly, embodiments of this disclosure provide a communication method executed by a terminal, the method comprising:

[0082] Receive first information sent by the network device, the first information being used to determine the Media Access Control Layer Control Unit (MAC CE) requiring security protection; or...

[0083] The method includes: identifying MAC CEs that require security protection.

[0084] In conjunction with the embodiments of the second aspect, in some embodiments, the first information includes at least one of the following:

[0085] The association relationship includes the correspondence between different indexes and MAC CEs with different security requirements;

[0086] The first index in the association;

[0087] Identification information, which indicates at least one MAC CE that requires security protection.

[0088] In conjunction with the embodiments of the second aspect, in some embodiments, the identification information includes at least one of the following:

[0089] The logical channel identifier (LCID) of the at least one MAC CE;

[0090] The extended logical channel identifier (eLCID) of the at least one MAC CE.

[0091] In conjunction with the embodiments of the second aspect, in some embodiments, the method further includes:

[0092] Receive a first MAC CE that has been secured and sent by the network device; wherein the first MAC CE includes one or more MAC CEs that require security protection;

[0093] And / or, the method further includes:

[0094] Based on the security protection parameters, the first MAC CE is protected.

[0095] Send a securely protected first MAC CE to the network device.

[0096] In conjunction with the embodiments of the second aspect, in some embodiments, the security protection parameters are determined based on at least one of the following:

[0097] Carrier (or carrier-related information), key, transmission direction, count value.

[0098] In conjunction with the embodiments of the second aspect, in some embodiments, the bearer is determined according to one of the following: the radio bearer RB identifier, the LCID of the first MAC CE, and the truncated LCID of the first MAC CE.

[0099] In conjunction with the embodiments of the second aspect, in some embodiments, the key is multiplexed from the key of the Radio Resource Control (RRC) signaling or the user plane key.

[0100] In conjunction with the embodiments of the second aspect, in some embodiments, the count value is determined based on the superframe number HFN and / or the packet sequence number SN;

[0101] The SN increments by 1 after each securely protected first MAC CE is sent.

[0102] In conjunction with the embodiments of the second aspect, in some embodiments, the count value satisfies at least one of the following:

[0103] One of the count values ​​is associated with the virtual signaling radio bearer (SRB) identifier corresponding to the first MAC CE;

[0104] One of the count values ​​is associated with the Virtual Data Radio Bearer (DRB) identifier corresponding to the first MAC CE;

[0105] One of the count values ​​is associated with the LCID of the first MAC CE;

[0106] A count value is associated with the LCID of the truncated first MAC CE.

[0107] In conjunction with the embodiments of the second aspect, in some embodiments, the method further includes:

[0108] The network device receives second information, which is used for the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE; or, the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE is defined by a protocol or specified by the network device.

[0109] In conjunction with the embodiments of the second aspect, in some embodiments, the method further includes:

[0110] Receive third information sent by the network device upon the occurrence of the first event, the third information indicating the updated key; and / or,

[0111] When the key is updated, the count value or SN is set to the initial value.

[0112] In conjunction with embodiments of the second aspect, in some embodiments, the first event includes at least one of the following:

[0113] The count value rotates;

[0114] SN rotates;

[0115] The terminal sent a message requesting a key update.

[0116] In conjunction with the embodiments of the second aspect, in some embodiments, the method further includes:

[0117] A fourth message is sent to the network device, the fourth message indicating that MAC CE security protection has failed.

[0118] In conjunction with the embodiments of the second aspect, in some embodiments, the fourth information is sent via RRC signaling or MAC CE.

[0119] In conjunction with the embodiments of the second aspect, in some embodiments, the method further includes:

[0120] A fifth message is sent to the network device, indicating the reason for re-initiating the RRC connection or the reason for rebuilding the RRC connection is a security protection failure.

[0121] In conjunction with the embodiments of the second aspect, in some embodiments, the fourth information includes at least one of the following:

[0122] The SN corresponding to the MAC CE that failed security protection;

[0123] Time-domain information corresponding to MAC CE that failed to protect security;

[0124] The MAC-I corresponding to the MAC CE that failed security protection is generated by the data sending end after performing integrity protection.

[0125] The MAC-X corresponding to the MAC CE that failed security protection is generated by the data receiving end after performing integrity protection verification.

[0126] The location information of the terminal;

[0127] Therefore, the terminal's service cell list.

[0128] Thirdly, embodiments of this disclosure provide a communication device, wherein the communication device is used to perform the method described in the first aspect or the second aspect.

[0129] Fourthly, embodiments of this disclosure provide a communication system, including a network device and a terminal, wherein,

[0130] The network device is configured to implement the method as described in the first aspect;

[0131] The terminal is configured to implement the method described in the second aspect.

[0132] Fifthly, embodiments of this disclosure provide a storage medium storing instructions, wherein...

[0133] When the instructions are executed on the communication device, the communication device causes the communication device to perform the method as described in the first aspect or the second aspect.

[0134] In a sixth aspect, an embodiment of this disclosure provides a program product comprising at least one of a program and instructions, wherein when the program and instructions are executed by a communication device, they implement the method described in the first aspect or the second aspect.

[0135] In a seventh aspect, embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the methods described in alternative implementations of the first and second aspects.

[0136] Eighthly, embodiments of this disclosure provide a chip or chip system. The chip or chip system includes processing circuitry configured to perform the methods described according to optional implementations of the first and second aspects above.

[0137] It is understood that the aforementioned communication devices, communication systems, storage media, program products, computer programs, chips, or chip systems are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.

[0138] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments. In all embodiments of this disclosure, unless otherwise specified or logically conflicting, the terminology and / or descriptions between the embodiments are consistent and can be mutually referenced. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.

[0139] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.

[0140] In this embodiment of the disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular expression or a plural expression.

[0141] In the embodiments disclosed herein, "multiple" refers to two or more.

[0142] In some embodiments, the terms "at least one of A or B, at least one of A and B", "one or more", "a plurality of", "multiple" and the like can be used interchangeably.

[0143] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of whether there is a branch B); in some embodiments, B (execute B regardless of whether there is a branch A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, both A and B are executed. The same applies when there are more branches such as A, B, C, etc.

[0144] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execute A regardless of whether a branch B exists); in some embodiments, B (execute B regardless of whether a branch A exists); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, and C.

[0145] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.

[0146] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.

[0147] In some embodiments, terms such as "time / frequency" and "time-frequency domain" refer to the time domain and / or frequency domain.

[0148] In some embodiments, terms such as “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “when…”, “if…”, etc. can be used interchangeably. These descriptions all refer to the device making a corresponding action under certain objective circumstances. They do not necessarily limit the time, nor do they require the device to make a judgment action when implementing it, nor do they mean that there must be other limitations.

[0149] In some embodiments, the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.

[0150] In some embodiments, devices, etc., may be interpreted as physical or virtual, and their names are not limited to those described in the embodiments. Terms such as “device,” “equipment,” “circuit,” “network element,” “network function,” “network device,” “function,” “node,” “unit,” “section,” “system,” “network,” “chip,” “chip system,” “entity,” and “subject” are interchangeable.

[0151] In some embodiments, "network" can be interpreted as devices included in a network (e.g., access network devices, core network devices, etc.).

[0152] In some embodiments, the terms "access network device (AN device)," "radio access network device (RAN device)," "base station (BS)," "radio base station," "fixed station," "node," "access point," "transmission point (TP)," "reception point (RP)," "transmission / reception point (TRP)," "panel," "antenna panel," "antenna array," "cell," "macro cell," "small cell," "femto cell," "pico cell," "sector," "cell group," "serving cell," "carrier," "component carrier," and "bandwidth part (BWP)" can be used interchangeably.

[0153] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", "subscriber station", "mobile unit", "subscriber unit", "wireless unit", "remote unit", "mobile device", "wireless device", "wireless communication device", "remote device", "mobile subscriber station", "access terminal", "mobile terminal", "wireless terminal", "remote terminal", "handset", "user agent", "mobile client", and "client" can be used interchangeably.

[0154] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.

[0155] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.

[0156] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.

[0157] In some embodiments, data, information, etc., may be obtained with the user's consent.

[0158] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.

[0159] Figure 1A is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.

[0160] As shown in Figure 1A, the communication system 100 includes a terminal 101 and a network device 102.

[0161] In some embodiments, terminal 101 includes, for example, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) terminal device, augmented reality (AR) terminal device, wireless terminal device in industrial control, wireless terminal device in self-driving, wireless terminal device in remote medical surgery, wireless terminal device in smart grid, wireless terminal device in transportation safety, wireless terminal device in smart city, and wireless terminal device in smart home, but is not limited thereto.

[0162] In some embodiments, network device 102 may include at least one of access network device and core network device.

[0163] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include at least one of the following in a 5G communication system: evolved Node B (eNB), next-generation eNB (ng-eNB), next-generation Node B (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), radio backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in a 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in a Wi-Fi system, but is not limited thereto.

[0164] In some embodiments, the technical solutions of this disclosure can be applied to the Open RAN architecture. In this case, the interfaces between or within access network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN. The processes and information interactions between these internal interfaces can be implemented by software or programs.

[0165] In some embodiments, the access network device may be composed of a central unit (CU) and a distributed unit (DU). The CU may also be called a control unit. The CU-DU structure can separate the protocol layer of the access network device. Some of the protocol layer functions are centrally controlled by the CU, while the remaining part or all of the protocol layer functions are distributed in the DU and centrally controlled by the CU. However, this is not the only possibility.

[0166] In some embodiments, a core network device may be a single device comprising one or more network elements, or it may be multiple devices or a group of devices, each comprising all or part of one or more network elements. Network elements may be virtual or physical. The core network may include, for example, at least one of the following: Evolved Packet Core (EPC), 5G Core Network (5GCN), and Next Generation Core (NGC).

[0167] In some embodiments, core network equipment includes network elements with specific functions, such as Access Management Function (AMF) and Service Management Function (SMF).

[0168] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions proposed in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions proposed in this disclosure are also applicable to similar technical problems.

[0169] The following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1A, or to some of the main bodies, but are not limited thereto. The main bodies shown in FIG1A are illustrative. The communication system may include all or some of the main bodies in FIG1A, or it may include other main bodies outside of FIG1A. The number and form of each main body are arbitrary. Each main body may be physical or virtual. The connection relationship between the main bodies is illustrative. The main bodies may not be connected or may be connected. The connection can be in any way, it can be a direct connection or an indirect connection, it can be a wired connection or a wireless connection.

[0170] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, 4th generation mobile communication system (4G), 5th generation mobile communication system (5G), 5G new radio (NR), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New radio access (NX), Future generation radio access (FX), Global System for Mobile communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, Ultra-Wideband (UWB), Bluetooth (a registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X) systems, systems utilizing other communication methods, and next-generation systems built upon them, etc. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).

[0171] In some implementations, communication systems such as 5G communication systems employ a two-way authentication and a two-layer security mechanism. Two-way authentication involves the network verifying the legitimacy of the terminal, while the terminal also verifies the legitimacy of the network. The two-layer security mechanism arises because access network devices exist in a partially trusted zone, with security comprising two layers: Access Stratum (AS) security and Non-Access Stratum (NAS) security.

[0172] AS security refers to the security between the terminal and the access network equipment, mainly performing encryption and integrity protection of AS signaling, and encryption and integrity protection of the User Plane (UP). Referring to the protocol stack shown in Figure 1B, the entities performing AS security are the Packet Data Convergence Protocol (PDCP) layer of the terminal and the PDCP layer of the access network equipment. NAS security refers to the security between the terminal and the AMF, mainly performing encryption and integrity protection of NAS signaling. The entities performing NAS security are the NAS layer of the UE and the NAS layer of the AMF.

[0173] In some implementations, Figure 1C illustrates the encryption / decryption process and input parameters for encryption protection, and Figure 1D illustrates the encryption / decryption process and input parameters for integrity protection.

[0174] As shown in Figure 1C, the input parameters required for encryption protection include: key, count, bearer, transmission direction, and length. The sender obtains the encryption keystream (KeyStreamBlock) based on the input parameters and an encryption / decryption algorithm (such as NEA), uses the keystream to encrypt the plaintext block to obtain the ciphertext block, and sends it to the receiver. The receiver obtains the keystream in the same way and decrypts the ciphertext using it. The bearer value can be: Radio Bearer Identity (RB identity) - 1, and the key value can include K. RRCenc and K UPenc The transmission direction values ​​include: 1 for uplink and 1 for downlink. The count value can be: Hyper Frame Number (HFN) + PDCP packet sequence number (SN).

[0175] As shown in Figure 1D, the input parameters required for integrity protection include: key, counter value, message, transmission direction, and bearer. The data sender can obtain the integrity-protected information (MAC-I / NAS-MAC) based on the input parameters and an integrity algorithm (such as NIA) and send it to the data receiver. The receiver obtains the expected value (XMAC-I / XNAS-MAC) based on the same operation, compares the expected value with the integrity-protected information, and determines the integrity. The key value can include K. RRCint and K UPint For the values ​​of the remaining parameters, please refer to the description of encryption protection.

[0176] In some implementations, as shown in Figure 1E, in communication systems such as 5G communication systems, AS layer security is performed within PDCP. At the data sending end, security may involve performing integrity protection first, followed by encryption. At the data receiving end, the processing order is reversed. The PDCP header is not encrypted. As shown in Figure 1F, the PDCP data packet, such as a PDCP PDU, carries a 32-bit MAC-I portion generated after integrity protection. During integrity protection verification, the receiving end generates a MAC-X, compares it with the MAC-I, and determines whether it has been tampered with, thus verifying integrity.

[0177] In some implementations, in communication systems such as 5G communication systems, a significant security requirement is to support user plane integrity protection, such as Data Radio Bearer Integrity Protection (DRB IP). Tables 1-1 to 1-3 below illustrate the security requirements of 5G communication systems, where integrity protection is abbreviated as DRB.

[0178] Table 1-1

[0179] Table 1-2

[0180] Table 1-3

[0181] Note 1: The UE implements NIA0 to protect the integrity of NAS and Radio Resource Control (RRC) signaling. NIA0 is only permitted for unauthenticated emergency sessions.

[0182] Note 2: NIA0 cannot be used for integrity protection of user data between UE and gNB.

[0183] In some implementations, the user-plane security policy includes configuration information. For example, the configuration information may be used to configure the DRB IP and encryption requirements of a PDU session as {required, preferred, not needed}, where required indicates that the DRB IP and encryption requirements are necessary, preferred indicates that the DRB IP and encryption requirements are preferred, and not needed indicates that the DRB IP and encryption requirements are not necessary.

[0184] In some implementations, when a PDU session is established, the SMF sends a user plane security policy to the gNB on a per PDU session basis. All DRBs within that PDU session apply the same security policy. The user plane security policy can indicate whether user plane encryption and integrity protection are activated. The gNB can configure the encryption and integrity protection of the DRBs according to the user plane security policy; this configuration cannot be rewritten. If the gNB cannot satisfy the security policy, it should reject the establishment of the PDU session.

[0185] In some implementations, during the Xn interface (interface between access network devices) handover, the original base station sends security policy information to the target base station. If the target base station cannot satisfy the security policies of all PDU sessions, it notifies the AMF of the rejected PDU sessions via path-switch. Simultaneously, the target base station sends the security policy configuration from the original base station to the AMF via path-switch. If the AMF finds that the security policy information sent by the target base station does not match the stored security policy information, it can send the latest security policy information through the path-switch acknowledge procedure. If the target base station receives updated security policy information that does not match the currently configured DRB security policy information, it can initiate an RRC connection reconfiguration procedure to reconfigure the DRB.

[0186] In some implementations, during the handover process of the N2 interface (the interface between the access network equipment and the AMF), the AMF configures security policy information in the handover request. If the base station cannot receive all the security policy configurations for the PDU session, the base station should refuse to establish the PDU session.

[0187] In some implementations, only the Packet Data Convergence Protocol (PDCP) layer can perform the security protection process on the data. For RRC signaling, RRC signaling can perform encryption and integrity protection operations through PDCP as a PDCP Service Data Unit (SDU).

[0188] Among the security requirements, some configurations, such as RRC configurations, need to be protected. For example, DRB and SRB2 configurations need to be configured after AS security activation, RRM measurement results need to be sent under AS security protection, and AS security parameters, such as the next hop chaining counter (NCC), need to be protected.

[0189] In this implementation, the configuration at the RRC level requires a relatively long latency. Furthermore, if configuration parameters from other layers, such as the RRC layer, are used to configure the MAC layer, the lack of security protection at the MAC layer could lead to insecure configurations.

[0190] Figure 2 is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 2, this embodiment of the present disclosure relates to a communication method, which includes:

[0191] In step S2101, network device 102 sends first information to terminal 101.

[0192] In some embodiments, the first information is used to determine the MAC CE that requires security protection.

[0193] Optionally, the first information may indicate the security protection requirements of different MAC CEs, such as whether different MAC CEs need security protection, and what kind of security protection (encryption protection and / or integrity protection) is required.

[0194] Optionally, for different MAC CEs at the MAC layer, the first information can indicate whether a specific MAC CE needs security protection, or it can indicate whether each MAC CE needs security protection.

[0195] In some embodiments, the first information indicating the MAC CE requiring security protection may be applicable to both UL MAC CE and DL MAC CE.

[0196] Alternatively, separate indications can be made for UL MAC CE and DL MAC CE. For example, the first information may indicate whether one or more MAC CEs in the DL MAC CE require safety protection, or it may indicate whether one or more MAC CEs in the UL MAC CE require safety protection.

[0197] In some embodiments, when MAC CE requires security protection, it can refer to the security protection of the AS layer.

[0198] In some embodiments, the security protection includes at least one of the following:

[0199] Encryption protection;

[0200] Integrity protection.

[0201] Optionally, when the first information indicates that the MAC CE needs security protection, it may refer to the need for both encryption protection and integrity protection.

[0202] Optionally, the first information indicates whether the MAC CE requires encryption protection or integrity protection.

[0203] In one embodiment, the first information includes: association relationships and / or first indexes in the association relationships, wherein the association relationships include the correspondence between different indexes and MAC CEs with different security protection requirements.

[0204] In this embodiment, the first information may include association relationships. The terminal determines the security protection requirements of the MAC CE based on the association relationships.

[0205] Alternatively, in this embodiment, the first information includes a first index, and the association relationship can be predefined based on the protocol before sending the first information.

[0206] The relationships can be lists of different indexes and different MAC CE security requirements. For example, as shown in Table 2-1:

[0207] Table 2-1

[0208] Referring to the example in Table 2-1, the relationships or list can include multiple rows, each indicating different security requirements for each MAC CE. The security requirements for MAC CE can be defined independently by DL and UL, or jointly or uniformly. For example, the granularity of DL and UL can indicate whether to activate MAC CE security protection. Encryption protection and integrity protection within security protection can be defined independently or jointly.

[0209] In this embodiment, the network device 102 may carry one or more indexes, i.e., row numbers of a table, in the first information to indicate the security requirements of the MAC CE corresponding to the one or more indexes.

[0210] For example, if the first information indicates that the first index is index 0, then after receiving the first information, terminal 101 can encrypt and protect UL MAC CE1. For example, if the first information indicates that the first index is index 1, then after receiving the first information, terminal 101 can know that the received DL MAC CE2 has integrity protection, and terminal 101 can process the DL MAC CE2 according to the integrity verification method. For yet another example, if the first information indicates that the first index is index 3, then after receiving the first information, terminal 101 can know that UL MAC CE4 does not require security protection, such as encryption and integrity protection; and can also know that the received DL MAC CE4 is not securely protected and does not require decryption or integrity verification.

[0211] In this embodiment, network device 102 can use signaling to enable terminal 101 to know or use the association relationship.

[0212] In this embodiment, the first information can be sent via RRC dedicated signaling, which improves security.

[0213] In another embodiment, the first information includes: identification information, which is used to indicate at least one MAC CE that requires security protection.

[0214] In this embodiment, the first information may carry the identification information of the MAC CE that needs to be protected, so that the terminal 101 can determine the MAC CE that needs to be protected.

[0215] In this embodiment, the identification information includes at least one of the following:

[0216] At least one logical channel identifier (LCID) for a MAC CE;

[0217] At least one extended logical channel identifier (eLCID) for a MAC CE.

[0218] Optionally, the first information may carry an LCID or eLCID of the MAC CE, indicating that the MAC CE requires security protection.

[0219] Optionally, the first information may carry a list of LCIDs or an eLCID list, with each LCID or eLCID corresponding to a MAC CE, thereby indicating that multiple MAC CEs need to be protected.

[0220] In this embodiment, the first information can be sent via RRC dedicated signaling. For example, network device 102 can use RRC dedicated signaling to indicate the LCID list or eLCID list corresponding to the MAC CE that needs security protection.

[0221] In this embodiment, encryption protection and integrity protection in security protection can be defined independently or jointly. For example, it can indicate the LCID list or eLCID list corresponding to the MAC CE that needs encryption protection, the LCID list or eLCID list corresponding to the MAC CE that needs integrity protection, or the LCID list or eLCID list corresponding to the MAC CE that needs both encryption and integrity protection.

[0222] In this embodiment, the security requirements of MAC CE can be defined independently by DL and UL (DL MAC CE and UL MAC CE), or defined jointly or uniformly.

[0223] In some embodiments, terminal 101 receives first information.

[0224] Alternatively, step S2101 can be omitted, and terminal 101 can determine the security requirements of different MAC CEs independently based on the association relationships defined in the protocol. For example, based on the association relationships defined in the protocol, terminal 101 can determine the security requirements of the MAC CEs for different services within the association relationships. In this case, the network device does not need to send the first information.

[0225] Step S2102: Perform security protection on the first MAC CE according to the security protection parameters.

[0226] In some embodiments, the first MAC CE includes one or more MAC CEs that require security protection.

[0227] Optionally, the first MAC CE can be determined based on the first information, or it can be determined by the terminal or network device itself.

[0228] In some embodiments, for downlink transmission, the sending end is network device 102 and the receiving end is terminal 101. This step may refer to network device 102 performing security protection on the first MAC CE. For example, this step S2102 includes: network device 102 performing security protection on the first MAC CE according to security protection parameters. The schematic diagram in Figure 2 uses this embodiment as an example.

[0229] In some embodiments, for uplink transmission, the sending end is terminal 101 and the receiving end is network device 102. This step may refer to terminal 101 performing security protection on the first MAC CE. For example, this step S2102 includes: terminal 101 performing security protection on the first MAC CE according to security protection parameters.

[0230] In some embodiments, the security protection parameters include at least one of the following, or the security protection parameters are determined based on at least one of the following:

[0231] Bearer (or bearer-related information), key, transmission direction (UL or DL), count value.

[0232] Optionally, as shown in Figures 1C to 1D, the security protection parameters are the input parameters of the encryption algorithm or integrity algorithm.

[0233] In this embodiment, it is necessary to determine the values ​​of each parameter in order to select appropriate input parameters.

[0234] In this embodiment, the bearer is determined based on the radio bearer RB identity, or in other words, the value of the bearer is determined based on the RB identity. For example, bearer = RB identity - 1.

[0235] Alternatively, the bearer can be determined based on the LCID of the first MAC CE, or in other words, the bearer value can be determined based on the LCID. For example, the bearer might be this LCID.

[0236] Alternatively, the bearer can be determined based on the truncated LCID of the first MAC CE, or in other words, the bearer value can be determined based on the truncated LCID of the first MAC CE. Here, the first MAC CE refers to the MAC CE that requires security protection, and the bearer can be the LCID corresponding to the first MAC CE. Or, if the LCID corresponding to the first MAC CE is 6 bits, and the bearer requires, for example, 5 bits, the bearer can be either the truncated high-order 5 bits or the truncated low-order 5 bits of the LCID corresponding to the first MAC CE.

[0237] In this embodiment, the key can be a reused key for Radio Resource Control (RRC) signaling, such as K. RRCint and K RRCenc Alternatively, the key can be reused from the user-plane key, such as K. UPenc and K UPint .

[0238] In this embodiment, the count value is determined based on the superframe number HFN and / or the data packet sequence number SN, or in other words, the count value is determined based on HFN and / or SN. SN increments by 1 after each securely protected first MAC CE is transmitted.

[0239] For example, the counter value could be a serial number (SN) maintained by the MAC entity at the sending end. Each time a securely protected MAC CE is sent, the SN number increments by 1. During SN wrap-around, the high-frequency homing number (HFN) can increment by 1, and the counter value = HFN + SN. The sending and receiving ends can maintain HFN separately, or HFN can be fixed as either all 0s or all 1s.

[0240] In this embodiment, the value is 0 when the transmission direction is UL and 1 when the transmission direction is DL.

[0241] In some embodiments, one or more of the above-mentioned bearer, transmission direction and count value can be set to a fixed value set by the system, such as all 0s or all 1s, or a known 0-1 sequence.

[0242] In some embodiments, after determining the values ​​of the bearer, key, transmission direction, and counter value, referring to FIG1C or FIG1D, one or more of these values ​​can be input into the encryption protection algorithm or integrity protection algorithm for security protection.

[0243] Optionally, the above parameter values ​​are examples. In other embodiments, the values ​​of one or more security protection parameters may be determined based on some encoding or other processing of the LCID.

[0244] In some embodiments, the count value satisfies one of the following:

[0245] A count value is associated with the virtual signaling radio bearer (SRB) identifier corresponding to the first MAC CE;

[0246] A counter value is associated with the Virtual Data Radio Bearer (DRB) identifier corresponding to the first MAC CE;

[0247] A count value is associated with the LCID of the first MAC CE;

[0248] A count value is associated with the LCID of the truncated first MAC CE.

[0249] In this embodiment, based on the above correlation, the count value corresponding to the first MAC CE can be determined. Thus, during the process of protecting the first MAC CE, the count value in the encryption protection and / or integrity protection process can be determined, which is one of the input parameters of the encryption algorithm or integrity algorithm.

[0250] In this embodiment, the MAC CE generated by the MAC entity can be virtualized into an SRB, and a count value can be associated with the virtual SRB identifier.

[0251] Optionally, the virtual SRB identifier corresponding to the first MAC CE can be defined by the protocol or specified by the system, or configured by the network device.

[0252] For example, network device 102 sends second information to terminal 101, the second information indicating the virtual SRB identifier corresponding to the first MAC CE. Network device 102 configures the virtual SRB identifier through the second information. The value range of the relevant SRB identifier is (1..3), and in this embodiment, the value of the virtual SRB identifier can be extended to (4, 5).

[0253] In this embodiment, the MAC CE generated by the MAC entity can be virtualized into a DRB, and a count value can be associated with the virtual SRB identifier.

[0254] Optionally, the virtual DRB identifier corresponding to the first MAC CE can be defined by the protocol or specified or configured by the communication system such as network equipment.

[0255] For example, network device 102 sends second information to terminal 101, which indicates the virtual DRB identifier corresponding to the first MAC CE. Network device 102 configures the virtual DRB identifier through the second information. The value range of the DRB identifier is (1..32), where the protocol defaults to the maximum value of 32, which is reserved for use by the MAC layer.

[0256] In this embodiment, for a MAC CE requiring security protection, such as the first MAC CE, each associated LCID or partial LCID can be associated with a count value. Alternatively, in this embodiment, the DL or UL directions of the MAC entity can share a single count value.

[0257] In some embodiments, the format of the securely protected first MAC CE may include: first MAC CE content (e.g., encrypted content), packet header, and MAC-I.

[0258] The packet header may include the serial number (SN); the MAC-I may be a 32-bit MAC-I or a truncated 16-bit MAC-I.

[0259] In some embodiments, one or more of the above security protection parameters can be indicated by association.

[0260] Step S2103: Send the first MAC CE, which is protected by security.

[0261] In some embodiments, for downlink transmission, the sending end is network device 102 and the receiving end is terminal 101. This step may involve network device 102 sending a securely protected first MAC CE to terminal 101. The schematic diagram in Figure 2 uses this embodiment as an example.

[0262] In some embodiments, for uplink transmission, the sending end is terminal 101 and the receiving end is network device 102. This step may refer to terminal 101 sending a first MAC CE with security protection to network device 102.

[0263] In some embodiments, the receiver receives a first MAC CE that has been securely protected.

[0264] For example, based on the first information, the terminal learns the security protection requirements of the first MAC CE. Upon receiving the first MAC CE with security protection, it can process it in conjunction with the first information, such as decrypting the first MAC CE with encryption protection, and / or verifying the integrity of the first MAC CE with integrity protection.

[0265] In step S2104, network device 102 sends third information to terminal 101.

[0266] In some embodiments, when a first event occurs, network device 102 sends third information to terminal 101.

[0267] In some embodiments, the third information is used to indicate the updated key.

[0268] In some embodiments, the first event includes at least one of the following:

[0269] The count value rotates;

[0270] SN rotates;

[0271] Received information from the terminal requesting a key update.

[0272] Here, rotation refers to the count value or SN returning to its initial value, such as 0.

[0273] In this embodiment, if the count value rotates, the network device 102 determines that the key needs to be updated and can send third information to the terminal.

[0274] In this embodiment, network device 102 can be configured with a serial number (SN) length, or the communication system can have a fixed SN length. If the SN rotates, terminal 101 can request a key change from network device 102, such as by sending a request message, a key update request, or other information requesting a key change. Upon receiving the request, network device 102 can send third-party information to the terminal.

[0275] In this embodiment, network device 102 can determine whether a first event has occurred, such as whether an SN rotation has occurred, based on the SN number carried in the received MAC CE, and then determine whether to update the key, thereby determining whether to send third information.

[0276] In some embodiments, if the key is updated, network device 102 or terminal 101 can set the counter value or SN to the initial value.

[0277] For example, if the key associated with the MAC CE security protection is updated, the counter value is initialized to 0 or the SN is initialized to 0.

[0278] In step S2105, terminal 101 sends fourth information to network device 102.

[0279] In some embodiments, the fourth information is used to indicate that MAC CE security protection has failed.

[0280] In some embodiments, the MAC layer of the receiving end monitors whether a security protection failure has occurred in the MAC CE. The embodiment corresponding to step S2105 is described using a network device 102 as the sending end and a terminal 101 as the receiving end. When the receiving end is network device 102, the description method of this embodiment can be referred to.

[0281] In the first embodiment, the fourth information is sent via RRC signaling.

[0282] In this embodiment, if the MAC layer of terminal 101 detects a failure in MAC CE security protection, it can notify a higher layer, such as the RRC layer. Terminal 101 then sends fourth information to network device 102 via RRC signaling from the RRC layer to report the failure.

[0283] In the second embodiment, the fourth information is sent via MAC CE.

[0284] In this embodiment, if the MAC layer of terminal 101 detects that the MAC CE security protection has failed, it can send the fourth information to network device 102 through the MAC CE of the MAC layer to report the failure.

[0285] In the third embodiment, the fourth information can be reported through RRC connection reconstruction reason, or the terminal 101 can directly execute step S2107 to send the fifth information, while omitting the fourth information in step S2105.

[0286] In this embodiment, if the MAC layer of terminal 101 detects a failure in MAC CE security protection, it can notify a higher layer, such as the RRC layer. The RRC layer will then trigger terminal 101 to perform an RRC connection reconstruction process. During the RRC connection reconstruction process, the failure of MAC layer integrity protection verification is indicated in the RRC connection reconstruction reason.

[0287] Alternatively, in conjunction with step S2107, terminal 101 indicates through the fifth information that the reason for the RRC connection reconstruction is a security protection failure, implicitly sending the fourth information.

[0288] In some embodiments, when terminal 101 detects a MAC CE security protection failure, it may record one or more of the following:

[0289] The SN corresponding to the MAC CE that failed security protection;

[0290] Time-domain information corresponding to the MAC CE that failed to protect security; for example, the system frame number (SFN) of the data transmission, the slot number, and the terminal's local absolute time;

[0291] The MAC-I corresponding to the MAC CE that failed to protect security is generated by the data sender after integrity protection is performed.

[0292] The MAC-X corresponding to the MAC CE that failed security protection is generated by the data receiving end after performing integrity protection verification.

[0293] Terminal location information;

[0294] The terminal can also report a list of serving cells (if carrier aggregation (CA) is configured), and further, a list of active serving cells.

[0295] In this embodiment, terminal 101 may also record the DRB ID and / or PDCP SN corresponding to the security protection failure.

[0296] In this embodiment, terminal 101 may carry one or more of the above information in the fourth information.

[0297] In some embodiments, network device 102 receives fourth information.

[0298] Step S2106, network device 102 releases terminal 101 to RRC idle state or inactive state.

[0299] In some embodiments, when the network device 102 receives the fourth information and determines that the security protection has failed, it can release the terminal 101 to the RRC idle state or inactive state.

[0300] In this embodiment, the network device 102 releases the terminal 101 to the RRC idle state or inactive state, which can be applied to the first and second embodiments in step S2105.

[0301] In some embodiments, when the network device 102 receives the fourth information and determines that the security protection has failed, it can also update the security protection key, as described in step S2104.

[0302] In step S2107, terminal 101 sends the fifth information to network device 102.

[0303] In some embodiments, the fifth information is used to indicate the reason for re-initiating the RRC connection or the reason for rebuilding the RRC connection is a security protection failure.

[0304] In some embodiments, for the first and second embodiments in step S2105, after the terminal 101 is released to the RRC idle state, it can re-initiate an RRC connection or re-enter an RRC connection. The MSG3 or MSG5 in the RRC connection carries fifth information indicating that the reason for re-establishment is a security vulnerability attack.

[0305] In some embodiments, for the third embodiment in step S2105, during the RRC connection reconstruction process, terminal 101 carries fifth information via MSG3 or MSG5, indicating that the reason for the RRC connection reconstruction is a failure of MAC layer integrity protection verification or a security vulnerability attack. In this case, step S2107 can replace step S2105.

[0306] In some embodiments, the names of information, etc., are not limited to the names described in the embodiments. Terms such as "information", "message", "signal", "signaling", "report", "configuration", "indication", "instruction", "command", "channel", "parameter", "domain", "field", "symbol", "symbol", "codebook", "codeword", "codepoint", "bit", "data", "program", and "chip" can be used interchangeably.

[0307] In some embodiments, the terms "uplink", "uplink", and "physical uplink" can be used interchangeably, as can the terms "downlink", "downlink", and "physical downlink", as well as the terms "sidelink", "sidelink", "sidelink communication", "sidelink communication", "direct connection", "direct link", "direct communication", and "direct link communication".

[0308] In some embodiments, the terms “downlink control information (DCI),” “downlink (DL) assignment,” “DL DCI,” “uplink (UL) grant,” and “UL DCI” can be used interchangeably.

[0309] In some embodiments, terms such as "physical downlink shared channel (PDSCH)" and "DL data" can be used interchangeably, as can terms such as "physical uplink shared channel (PUSCH)" and "UL data".

[0310] In some embodiments, the terms “radio”, “wireless”, “radio access network (RAN)”, “access network (AN)”, and “RAN-based” can be used interchangeably.

[0311] In some embodiments, terms such as “moment,” “point in time,” “time,” and “time location” can be used interchangeably, as can terms such as “duration,” “segment,” “time window,” “window,” and “time.”

[0312] In some embodiments, the terms “frame”, “radio frame”, “subframe”, “slot”, “sub-slot”, “mini-slot”, “symbol”, “symbol”, and “transmission time interval (TTI)” can be used interchangeably.

[0313] In some embodiments, "acquire," "get," "obtain," "receive," "transmit," "bidirectional transmission," and "send and / or receive" can be used interchangeably and can be interpreted as receiving from other entities, acquiring from protocols, acquiring from higher layers, obtaining through self-processing, or autonomous implementation. Protocols include, for example, at least one of the 3GPP protocol, Wi-Fi protocol, and audio and / or video protocols.

[0314] In some embodiments, terms such as “send,” “transmit,” “report,” “distribute,” “transfer,” “bidirectional transmission,” “send and / or receive” can be used interchangeably.

[0315] In some embodiments, terms such as "certain," "preset," "default," "set," "indicated," "a certain," "any," and "first" can be used interchangeably. "Certain A," "preset A," "default A," "set A," "indicated A," "a certain A," "any A," and "first A" can be interpreted as A pre-defined in a protocol or the like, or as A obtained through setting, configuration, or instruction, or as specific A, a certain A, any A, or first A, but are not limited thereto.

[0316] In some embodiments, the determination or judgment can be made by a value represented by 1 bit (0 or 1), or by a true or false value (boolean), or by a comparison of numerical values ​​(e.g., a comparison with a predetermined value), but is not limited thereto.

[0317] In some embodiments, if an arrow in the interaction diagram representing the sending of information, signaling, etc. from one subject to another passes through other subjects, it can be interpreted as the information being forwarded from one subject to another via other subjects, or it can be interpreted as the information being sent from one subject to another without passing through other subjects.

[0318] The communication method involved in the embodiments of this disclosure may include at least one of steps S2101 to S2107, wherein each step may be implemented as an independent embodiment, or two or more steps may be combined as an independent embodiment. For example, step S2101 may be implemented as an independent embodiment, and steps S2101 to S2102 may be implemented as independent embodiments, but are not limited thereto.

[0319] In some embodiments, at least one of steps S2102, S2103, and S2104 is optional; in different embodiments, one of these steps may be selected for execution, or one or more of these steps may be omitted or substituted in different embodiments. For example, the method includes step S2101, or S2101 and S2105.

[0320] In some embodiments, steps S2105 and S2107 may be performed selectively. For example, the method may include steps S2101, S2102, S2103, and S2105, or the method may include steps S2101, S2102, S2103, and S2107. For example, the method may include steps S2105 and S2106.

[0321] In some embodiments, step S2106 is optional.

[0322] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0323] Figure 3A is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3A, this embodiment of the present disclosure relates to a communication method, which includes:

[0324] In step S3101, network device 102 sends first information to terminal 101.

[0325] In some embodiments, the implementation of step S3101 can be referred to the implementation of step S2101 in FIG2, and will not be repeated here.

[0326] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0327] Figure 3B is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3B, this embodiment of the present disclosure relates to a communication method, which includes:

[0328] In step S3201, network device 102 sends first information to terminal 101.

[0329] In some embodiments, the implementation of step S3201 can be referred to the implementation of step S2101 in FIG2, and will not be repeated here.

[0330] In step S3202, terminal 101 performs security protection on the first MAC CE according to the security protection parameters.

[0331] In some embodiments, the implementation of step S3202 can be referred to the implementation of step S2102 in FIG2, and will not be repeated here.

[0332] In step S3203, terminal 101 sends a first MAC CE with security protection to network device 102.

[0333] In some embodiments, the implementation of step S3203 can be referred to the implementation of step S2103 in FIG2, and will not be repeated here.

[0334] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0335] Figure 3C is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3C, this embodiment of the present disclosure relates to a communication method, which includes:

[0336] In step S3301, network device 102 sends first information to terminal 101.

[0337] In some embodiments, the implementation of step S3201 can be referred to the implementation of step S2101 in FIG2, and will not be repeated here.

[0338] In step S3302, network device 102 performs security protection on the first MAC CE according to the security protection parameters.

[0339] In some embodiments, the implementation of step S3302 can be referred to the implementation of step S2102 in FIG2, and will not be repeated here.

[0340] In step S3303, network device 102 sends a first MAC CE with security protection to terminal 101.

[0341] In some embodiments, the implementation of step S3303 can be referred to the implementation of step S2103 in FIG2, and will not be repeated here.

[0342] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0343] The method in this disclosure embodiment can perform AS layer security protection on the MAC CE. When configuration parameters at the RRC layer are pushed down to the MAC layer, such as being sent to the UE via Layer 2 (L2) commands to the MAC CE, for example, through NCC in L1 / L2 Triggered Mobility (LTM) triggered at the lower layer, the MAC CE configuration parameters can be made secure and reliable. Some embodiments are listed below:

[0344] Example 1: MAC CE Security Protection Decision

[0345] Example 1-1: AS layer security for each MAC CE in DL MAC CE and UL MAC CE, including encryption and integrity protection requirements. For example, the protocol defines a table that records whether each MAC CE requires encryption, integrity protection, etc. Furthermore, the UE can be notified whether to enable the use of this table based on network-side configuration.

[0346] Furthermore, this table can contain multiple rows, each indicating different security requirements for each MAC CE. The network side uses RRC dedicated signaling to indicate the selected security index, i.e., the row number in the table above, to indicate the UE's security requirements for MAC CE. DL and UL can be defined separately. Encryption requirements and integrity protection requirements can be defined independently or jointly.

[0347] Optionally, the network side can also indicate whether to activate MAC CE security based on the granularity of DL and UL. Encryption and integrity protection can be indicated independently or jointly.

[0348] Examples 1-2: The network side uses RRC dedicated signaling to indicate the list of LCIDs (or eLCIDs) corresponding to the MAC CEs that need encryption, and / or the list of LCIDs (or eLCIDs) corresponding to the MAC CEs that need integrity protection, and / or the list of LCIDs (or eLCIDs) corresponding to the MAC CEs that need security protection. DL MAC CEs and UL MAC CEs can be configured independently.

[0349] This embodiment illustrates a method for selecting security protections for the MAC CE.

[0350] Example 2: MAC CE Security Key and Input Parameter Selection

[0351] Example 2-1: The security key used by MAC CE can be a reused K key. RRCint and K RRCenc ;

[0352] The input parameter setting conventions are as follows:

[0353] BEARER: RB identity–1, or the LCID of the MAC CE that performs security protection, or the truncated high 5-bit LCID, or the truncated low 5-bit LCID.

[0354] Key: K RRCint and K RRCenc

[0355] DIRECTION: Uplink: 0; Downlink: 1

[0356] COUNT: A number maintained by the originating MAC entity; the SN number increments by 1 after each secure MAC CE is sent.

[0357] In some embodiments, the MAC CE generated by the MAC entity is virtualized as an SRB, and the network side configures the ID of the virtual SRB. The value range of the SRB ID is (1..3), which can be extended to 4 and 5.

[0358] In some embodiments, if a MAC CE associated with a security-protected LCID or a subset of LCIDs is used, then each LCID is associated with a COUNT, or the DL or UL directions of the MAC entity share a COUNT.

[0359] Optionally, the BEARER, and / or DIRECTION, and / or COUNT settings mentioned above are fixed values ​​set by the system, such as all 0s or all 1s, or a known 0-1 sequence.

[0360] Example 2-2: The security key used by MAC CE can be a reused K key. UPenc and K UPint ;

[0361] The input parameter setting conventions are as follows:

[0362] BEARER: RB identity – 1 or the LCID of the MAC CE that performs security protection or the truncated high 5 bits of the LCID or the truncated low 5 bits of the LCID.

[0363] Key: K UPenc and K UPint

[0364] DIRECTION: Uplink: 0; Downlink: 1

[0365] COUNT: A number SN maintained by the sending MAC entity; after each secure MAC CE is sent, the SN number is incremented by 1. COUNT equals HFN + SN. The sending and receiving ends can maintain HFN, or HFN can be fixed as all 0s or all 1s.

[0366] In some embodiments, the MAC CE generated by the MAC entity is virtualized as a DRB, and the network side configures the ID of the virtual DRB. The DRB ID ranges from 1 to 32, or the default maximum value of 32 is reserved for the MAC layer.

[0367] In some embodiments, if a MAC CE associated with a security-protected LCID or a subset of LCIDs is used, then each LCID is associated with a COUNT, or the DL or UL directions of the MAC entity share a COUNT.

[0368] Optionally, the BEARER, and / or DIRECTION, and / or COUNT settings mentioned above are fixed values ​​set by the system, such as all 0s or all 1s, or a known 0-1 sequence.

[0369] The secure MAC CE format includes MAC CE content, such as encrypted content, packet header, and MAC-I.

[0370] The package header includes the serial number (SN).

[0371] MAC-I can be a 32-bit MAC-I or a truncated 16-bit MAC-I.

[0372] This embodiment illustrates how the MAC CE performs secure key selection and secure execution input parameter determination.

[0373] Example 3: Key Update and COUNT Wrap Round

[0374] If the MAC CE security protection associated key is updated, then COUNT is initialized to 0 or SN is initialized to 0.

[0375] The network side can configure an appropriate SN length, or the system can fix the SN length. If the SN or COUNT is wrapped around, the UE requests the base station to change the key, or the network determines whether to update the key based on the SN number carried in the received MAC CE.

[0376] This embodiment illustrates the key update and SN flipping processing method.

[0377] Example 4: Handling MAC CE Integrity Protection Verification Failure

[0378] If the MAC layer receiver detects a failure in the integrity protection verification of a certain MAC CE, then:

[0379] Example 4-1: Notify the upper layer, i.e., the RRC layer, of the failure of MAC CE integrity protection verification during MAC monitoring. The UE records the following information and reports it to the network side via RRC signaling. The network can update the key or release the UE to RRC_idle or RRC_INACTIVE.

[0380] The DRB ID, PDCP SN, SFN, slot number, UE local absolute time, MAC-X and MAC-I, UE location information, UE's current serving cell list (if CA is configured), and further, the active serving cell list.

[0381] Optionally, if the UE re-enters the RRC connection after entering idle mode, MSG3 or MSG5 will indicate that the reason for re-establishing the connection is a security vulnerability attack.

[0382] Example 4-2: The UE records the following information and reports it to the network side via MAC CE signaling. The network can update the key or release the UE to RRC_idle or RRC_INACTIVE.

[0383] The DRB ID, PDCP SN, SFN, slot number, UE local absolute time, MAC-X and MAC-I, UE location information, UE's current serving cell list (if CA is configured), and further, the active serving cell list.

[0384] Optionally, if the UE re-enters the RRC connection after entering idle mode, MSG3 or MSG5 will indicate that the reason for re-establishing the connection is a security vulnerability attack.

[0385] Example 4-3: The upper layer, i.e., the RRC layer, is notified that the MAC CE integrity protection verification failed during MAC monitoring, and the RRC layer triggers the RRC connection reconstruction process. The reason for RRC connection reconstruction indicates that the MAC layer integrity protection verification failed. The reason for RRC connection reconstruction is carried in the RRC connection reconstruction request (MSG3) or RRC connection reconstruction completed (MSG5).

[0386] In this embodiment, after the integrity protection verification fails, the information is reported to the network side to handle the security risks or to notify the upper layer to perform RRC connection reconstruction.

[0387] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0388] This disclosure also proposes an apparatus (also referred to as a communication device, etc.) for implementing any of the above methods. For example, an apparatus is proposed that includes units or modules for implementing the steps performed by the terminal in any of the above methods. Furthermore, another apparatus is proposed that includes units or modules for implementing the steps performed by a network device (e.g., an access network device, a core network functional node, a core network device, etc.) in any of the above methods.

[0389] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.

[0390] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a microprocessor), or a digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a Neural Network Processing Unit (NPU), a Tensor Processing Unit (TPU), or a Deep Learning Processing Unit (DPU).

[0391] Figure 4A is a schematic diagram of a network device according to an embodiment of this disclosure. The network device 4100 is used to perform any of the above methods. In some embodiments, as shown in Figure 4A, the network device 4100 may include at least one of a transceiver module 4101, a processing module 4102, etc. In some embodiments, the transceiver module 4101 is used to send first information to a terminal, the first information being used to determine a Media Access Control Layer Control Unit (MAC CE) requiring security protection.

[0392] Optionally, the transceiver module 4101 is used to perform at least one of the communication steps such as sending and / or receiving performed by the network device 102 in any of the above methods, which will not be described in detail here. Optionally, the processing module 4102 is used to perform at least one of the other steps performed by the network device 102 in any of the above methods, which will not be described in detail here.

[0393] Figure 4B is a schematic diagram of the terminal structure proposed in an embodiment of this disclosure. Terminal 4200 is used to execute any of the above methods. In some embodiments, as shown in Figure 4B, terminal 4200 may include at least one of a transceiver module 4201, a processing module 4202, etc. In some embodiments, the transceiver module 4201 is used to receive first information sent by a network device, the first information being used to determine a Media Access Control Layer Control Unit (MAC CE) requiring security protection. Alternatively, the processing module 4202 is used to determine a MAC CE requiring security protection.

[0394] Optionally, the transceiver module 4201 is used to perform at least one of the communication steps such as sending and / or receiving performed by the terminal in any of the above methods, which will not be described in detail here. Optionally, the processing module 4202 is used to perform at least one of the other steps performed by the terminal in any of the above methods, which will not be described in detail here.

[0395] In some embodiments, the transceiver module may include a transmitting module and / or a receiving module, which may be separate or integrated. Optionally, the transceiver module may be interchangeable with a transceiver.

[0396] In some embodiments, the processing module may be a single module or may include multiple sub-modules. Optionally, the multiple sub-modules may each perform all or part of the steps required by the processing module.

[0397] In some embodiments, the processing module can be replaced by the processor, and the transceiver module can be replaced by the transceiver.

[0398] Figure 5A is a schematic diagram of the structure of the communication device 5100 proposed in an embodiment of this disclosure. The communication device 5100 can be a network device (e.g., access network device, core network device, etc.), a terminal (e.g., user equipment, etc.), a chip, chip system, or processor that supports the network device in implementing any of the above methods, or a chip, chip system, or processor that supports the terminal in implementing any of the above methods. The communication device 5100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.

[0399] As shown in Figure 5A, the communication device 5100 is used to execute any of the above methods. In some embodiments, the communication device 5100 includes one or more processors 5101. The processor 5101 may be a general-purpose processor or a special-purpose processor, such as a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control communication devices (e.g., base stations, baseband chips, terminal devices, terminal device chips, DUs or CUs, etc.), execute programs, and process program data. Optionally, the communication device 5100 is used to execute any of the above methods. Optionally, one or more processors 5101 are used to invoke instructions to cause the communication device 5100 to execute any of the above methods.

[0400] In some embodiments, the communication device 5100 further includes one or more transceivers 5102. When the communication device 5100 includes one or more transceivers 5102, the transceiver 5102 performs at least one of the communication steps such as sending and / or receiving in the above-described method, and the processor 5101 performs at least one of the other steps. In optional embodiments, the transceiver may include a receiver and / or a transmitter, which may be separate or integrated. Optionally, the terms transceiver, transceiver unit, transceiver, transceiver circuit, interface circuit, interface, etc., can be used interchangeably; the terms transmitter, transmitting unit, transmitter, transmitting circuit, etc., can be used interchangeably; the terms receiver, receiving unit, receiver, receiving circuit, etc., can be used interchangeably.

[0401] In some embodiments, the communication device 5100 further includes one or more memories 5103 for storing data and / or instructions. Optionally, one or more processors 5101 are used to invoke instructions stored in the memory 5103 to cause the communication device 5100 to perform any of the above methods. Optionally, all or part of the memory 5103 may also be located outside the communication device 5100. In an optional embodiment, the communication device 5100 may include one or more interface circuits 5104. Optionally, the interface circuit 5104 is connected to the memory 5103 and can be used to receive data and / or instructions from the memory 5103 or other devices, and can be used to send data and / or instructions to the memory 5103 or other devices. For example, the interface circuit 5104 can read data and / or instructions stored in the memory 5103 and can be used to send data and / or instructions to the memory 5103 or other devices. For example, the interface circuit 5104 can read data and / or instructions stored in the memory 5103 and send the data and / or instructions to the processor 5101.

[0402] The communication device 5100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 5100 described in this disclosure is not limited thereto, and the structure of the communication device 5100 may not be limited by FIG. 5A. The communication device may be a standalone device or a part of a larger device. For example, the communication device may be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data, programs and / or instructions; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.

[0403] Figure 5B is a schematic diagram of the structure of chip 5200 according to an embodiment of this disclosure. For cases where the communication device 5100 can be a chip or a chip system, please refer to the schematic diagram of chip 5200 shown in Figure 5B, but it is not limited thereto.

[0404] Chip 5200 includes one or more processors 5201. Chip 5200 is used to perform any of the methods described above.

[0405] In some embodiments, chip 5200 further includes one or more interface circuits 5202. Optionally, terms such as interface circuit, interface, and transceiver pin can be used interchangeably. In some embodiments, chip 5200 further includes one or more memories 5203 for storing data and / or instructions. Optionally, all or part of the memories 5203 may be located outside of chip 5200. Optionally, the interface circuit 5202 is connected to the memories 5203, and the interface circuit 5202 can be used to receive data and / or instructions from the memories 5203 or other devices, and the interface circuit 5202 can be used to send data and / or instructions to the memories 5203 or other devices. For example, the interface circuit 5202 can read data and / or instructions stored in the memories 5203 and send the data and / or instructions to the processor 5201.

[0406] In some embodiments, the interface circuit 5202 performs at least one of the communication steps, such as sending and / or receiving, in the above-described method. For example, the interface circuit 5202 performing the communication steps, such as sending and / or receiving, in the above-described method means that the interface circuit 5202 performs data and / or instruction interaction between the processor 5201, the chip 5200, the memory 5203, or the transceiver device. In some embodiments, the processor 5201 performs at least one of the other steps.

[0407] The modules and / or devices described in the various embodiments, such as virtual devices, physical devices, and chips, can be combined or separated arbitrarily as needed. Optionally, some or all steps can also be performed collaboratively by multiple modules and / or devices, which is not limited here.

[0408] This disclosure also proposes a storage medium storing instructions that, when executed on the communication device 5100, cause the communication device 5100 to perform any of the above methods. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.

[0409] This disclosure also proposes a program product, including a program and / or instructions, which, when executed by the communication device 5100, cause the communication device 5100 to perform any of the above methods. Optionally, the program product is a computer program product. Optionally, the program product is stored on the storage medium.

[0410] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods. Industrial applicability

[0411] By sending the first message, the network device indicates the security protection requirements of MAC CE to the terminal. This can effectively reduce configuration latency and improve the security of MAC layer configuration based on security protection when configuring parameters based on MAC layer.

Claims

1. A communication method performed by a network device, the method comprising: Send first information to the terminal, the first information being used to identify the Media Access Control Layer Control Unit (MAC CE) that requires security protection.

2. The method as described in claim 1, wherein, The first information includes at least one of the following: The association relationship includes the correspondence between different indexes and MAC CEs with different security protection requirements; The first index in the association; Identification information, which indicates at least one MAC CE that requires security protection.

3. The method as described in claim 2, wherein, The identification information includes at least one of the following: The logical channel identifier (LCID) of the at least one MAC CE; The extended logical channel identifier (eLCID) of the at least one MAC CE.

4. The method as described in any one of claims 1 to 3, wherein, The method further includes: According to the security protection parameters, the first MAC CE is protected, wherein the first MAC CE includes one or more MAC CEs that require security protection; the first MAC CE that has been protected is sent to the terminal; And / or, the method further includes: Receive the first MAC CE that has been securely protected from the terminal.

5. The method of claim 4, wherein, The security protection parameters are determined based on at least one of the following: Bearer, key, transmission direction, count value.

6. The method of claim 5, wherein, The bearer is determined based on one of the following: the radio bearer RB identifier, the LCID of the first MAC CE, or the truncated LCID of the first MAC CE.

7. The method of claim 5, wherein, The key reuses the key for Radio Resource Control (RRC) signaling or the user plane key.

8. The method of claim 5, wherein, The count value is determined based on the superframe number HFN and / or the data packet sequence number SN; The SN increments by 1 after each securely protected first MAC CE is sent.

9. The method of claim 5 or 8, wherein, The count value satisfies at least one of the following: One of the count values ​​is associated with the virtual signaling radio bearer (SRB) identifier corresponding to the first MAC CE; One of the count values ​​is associated with the Virtual Data Radio Bearer (DRB) identifier corresponding to the first MAC CE; One of the count values ​​is associated with the LCID of the first MAC CE; One of the count values ​​is associated with the LCID of the truncated first MAC CE.

10. The method of claim 9, wherein, The method further includes: sending second information to the terminal, the second information indicating the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE; Alternatively, the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE may be defined by the protocol or specified by the network device.

11. The method as claimed in any one of claims 5 to 10, wherein, The method further includes: Upon the occurrence of a first event, a third message is sent to the terminal, the third message indicating the updated key; and / or, When the key is updated, the count value or SN is set to the initial value.

12. The method of claim 11, wherein, The first event includes at least one of the following: The count value rotates; SN rotates; The terminal sent a message requesting a key update.

13. The method as claimed in any one of claims 1 to 12, wherein, The method further includes: The terminal sends a fourth message, which indicates that MAC CE security protection has failed.

14. The method of claim 13, wherein, The method further includes: Update the security protection key, or release the terminal to the RRC idle or inactive state.

15. The method as claimed in any one of claims 13 to 14, wherein, The method further includes: The terminal sends a fifth message indicating the reason for re-initiating the RRC connection or the reason for rebuilding the RRC connection is a security protection failure.

16. The method as claimed in any one of claims 13 to 14, wherein, The fourth piece of information includes at least one of the following: The SN corresponding to the MAC CE that failed security protection; Time-domain information corresponding to MAC CE that failed to protect security; The MAC-I corresponding to the MAC CE that failed security protection is generated by the data sending end after performing integrity protection. The MAC-X corresponding to the MAC CE that failed security protection is generated by the data receiving end after performing integrity protection verification. The location information of the terminal; Therefore, the terminal's service cell list.

17. A communication method executed by a terminal, the method comprising: Receive first information sent by a network device, the first information being used to determine the Media Access Control Layer Control Unit (MAC CE) that requires security protection; or, The method includes: identifying MAC CEs that require security protection.

18. The method of claim 17, wherein, The first information includes at least one of the following: The association relationship includes the correspondence between different indexes and MAC CEs with different security protection requirements; The first index in the association; Identification information, which indicates at least one MAC CE that requires security protection.

19. The method of claim 18, wherein, The identification information includes at least one of the following: The logical channel identifier (LCID) of the at least one MAC CE; The extended logical channel identifier (eLCID) of the at least one MAC CE.

20. The method of any one of claims 17 to 19, wherein, The method further includes: Receive a first MAC CE that has been secured and sent by the network device; wherein the first MAC CE includes one or more MAC CEs that require security protection; And / or, the method further includes: Based on the security protection parameters, the first MAC CE is protected. Send a securely protected first MAC CE to the network device.

21. The method of claim 20, wherein, The security protection parameters are determined based on at least one of the following: Bearer, key, transmission direction, count value.

22. The method of claim 21, wherein, The bearer is determined based on one of the following: the radio bearer RB identifier, the LCID of the first MAC CE, or the truncated LCID of the first MAC CE.

23. The method of claim 21, wherein, The key reuses the key for Radio Resource Control (RRC) signaling or the user plane key.

24. The method of claim 21, wherein, The count value is determined based on the superframe number HFN and / or the data packet sequence number SN; The SN increments by 1 after each securely protected first MAC CE is sent.

25. The method of claim 21 or 24, wherein, The count value satisfies at least one of the following: One of the count values ​​is associated with the virtual signaling radio bearer (SRB) identifier corresponding to the first MAC CE; One of the count values ​​is associated with the Virtual Data Radio Bearer (DRB) identifier corresponding to the first MAC CE; One of the count values ​​is associated with the LCID of the first MAC CE; One of the count values ​​is associated with the LCID of the truncated first MAC CE.

26. The method of claim 25, wherein, The method further includes: The network device receives a second message indicating the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE; or, the virtual SRB identifier and / or virtual DRB identifier corresponding to the first MAC CE is defined by a protocol or specified by the network device.

27. The method according to any one of claims 21 to 26, wherein, The method further includes: Receive third information sent by the network device upon the occurrence of the first event, the third information indicating the updated key; and / or, When the key is updated, the count value or SN is set to the initial value.

28. The method of claim 27, wherein, The first event includes at least one of the following: The count value rotates; SN rotates; The terminal sent a message requesting a key update.

29. The method of any one of claims 17 to 28, wherein, The method further includes: A fourth message is sent to the network device, the fourth message indicating that MAC CE security protection has failed.

30. The method of claim 29, wherein, The method further includes: A fifth message is sent to the network device, indicating the reason for re-initiating the RRC connection or the reason for rebuilding the RRC connection is a security protection failure.

31. The method of claim 29, wherein, The fourth piece of information includes at least one of the following: The SN corresponding to the MAC CE that failed security protection; Time-domain information corresponding to MAC CE that failed to protect security; The MAC-I corresponding to the MAC CE that failed security protection is generated by the data sending end after performing integrity protection. The MAC-X corresponding to the MAC CE that failed security protection is generated by the data receiving end after performing integrity protection verification. The location information of the terminal; Therefore, the terminal's service cell list.

32. A communication device, wherein, The communication device is used to perform the method according to any one of claims 1 to 16 or any one of claims 17 to 31.

33. A communication system comprising network equipment and a terminal, wherein, The network device is configured to implement the method as described in any one of claims 1 to 16; The terminal is configured to implement the method as described in any one of claims 17 to 31.

34. A storage medium storing instructions, wherein, When the instructions are executed on the communication device, the communication device performs the method as described in any one of claims 1 to 16 or any one of claims 17 to 31.

35. A program product comprising at least one of a program and instructions, wherein, When at least one of the programs or instructions is executed by a communication device, it implements the method as described in any one of claims 1 to 16 or any one of claims 17 to 31.