Communication method, communication device, communication system, storage medium and program product
By generating and distributing new keys during cell handover, the problem of key updates during terminal movement is solved, ensuring the security of the communication system and the protocol layer.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date
- 2025-01-03
- Publication Date
- 2026-07-09
AI Technical Summary
How to effectively update the key between the terminal and the access network equipment to ensure communication security during terminal movement?
By generating and distributing new keys during cell handover, the security of communication between the terminal and the access network equipment is ensured, including the generation, transmission, and updating of keys to accommodate the movement of the terminal.
It enables timely key updates during terminal movement, ensuring secure isolation and protection of communication and the security of the protocol layer, thereby improving the security of the communication system.
Smart Images

Figure CN2025070494_09072026_PF_FP_ABST
Abstract
Description
Communication methods, communication equipment, communication systems, storage media and software products Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a communication method, communication device, communication system, storage medium, and program product. Background Technology
[0002] Access network equipment can include centralized units (CUs) and distributed units (DUs). Multiple DUs can be connected to the same CU, and CUs and DUs can be connected via an interface called F1. For security reasons, communication between the CU and the terminal, as well as communication between the DU and the terminal, requires secure key protection. Summary of the Invention
[0003] How to update the key between the terminal and the access network equipment during terminal movement is an urgent problem to be solved.
[0004] This disclosure provides a communication method, communication device, communication system, storage medium, and program product.
[0005] According to a first aspect of the present disclosure, a communication method is proposed, executed by a first node, the method comprising: sending a first key to a second node of a first cell, the first key being generated by the first node in response to cell handover, the first key being used to ensure the security of communication between the second node of the first cell and a terminal, wherein the second node of the first cell is controlled by the first node, and the first cell is the cell after the cell handover.
[0006] According to a second aspect of the present disclosure, a communication method is proposed, executed by a second node of a first cell, the second node of the first cell being controlled by a first node, the method comprising: receiving a first key sent by the first node, the first key being generated by the first node in response to cell handover, the first key being used for security of communication between the second node of the first cell and a terminal, the first cell being the cell after the cell handover.
[0007] According to a third aspect of the present disclosure, a communication method is proposed, executed by a second node of a second cell, the second node of the second cell being controlled by a first node. The method includes: receiving first information sent by the first node, the first information including at least one of the following: first indication information, an identifier of a first cell, a first count value, and second indication information; wherein the first indication information is used to indicate the processing method of an old first key; the identifier of the first cell is used to generate a first key, the first count value is used to generate a first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and a terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on a second key, and the second key is used for the security of communication between the first node and the terminal; the second cell is the cell before the cell handover, and the first cell is the cell after the cell handover.
[0008] According to a fourth aspect of the present disclosure, a communication method is proposed, executed by a terminal. The method includes: receiving fourth information sent by a second node of a second cell, the fourth information including at least one of the following: an identifier of a first cell, a first count value, and second indication information; wherein the identifier of the first cell is used to generate a first key, the first count value is used to generate the first key, the first key is generated by a first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, the second key is used for the security of communication between the first node of the first cell and the terminal, the first cell is the cell after the cell handover, and the second cell is the cell before the cell handover.
[0009] According to a fifth aspect of the present disclosure, a first node is provided, comprising: a transceiver module configured to send a first key to a second node of a first cell, the first key being generated by the first node in response to cell handover, the first key being used for the security of communication between the second node of the first cell and a terminal, wherein the second node of the first cell is controlled by the first node, and the first cell is the cell after the cell handover.
[0010] According to a sixth aspect of the present disclosure, a second node of a first cell is provided, wherein the second node of the first cell is controlled by a first node, and the second node of the first cell includes: a transceiver module configured to receive a first key sent by the first node, the first key being generated by the first node in response to cell handover, the first key being used for the security of communication between the second node of the first cell and a terminal, wherein the first cell is the cell after the cell handover.
[0011] According to a seventh aspect of the present disclosure, a second node of a second cell is provided, the second node of the second cell being controlled by a first node. The second node of the second cell includes: a transceiver module configured to receive first information sent by the first node, the first information including at least one of the following: first indication information, an identifier of the first cell, a first count value, and second indication information; wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and a terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, and the second key is used for the security of communication between the first node and the terminal; the second cell is the cell before the cell handover, and the first cell is the cell after the cell handover.
[0012] According to an eighth aspect of the present disclosure, a terminal is provided, comprising: a transceiver module configured to receive fourth information sent by a second node of a second cell, the fourth information including at least one of the following: an identifier of a first cell, a first count value, and second indication information; wherein the identifier of the first cell is used to generate a first key, the first count value is used to generate the first key, the first key is generated by a first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, the second key is used for the security of communication between the first node of the first cell and the terminal, the first cell is the cell after the cell handover, and the second cell is the cell before the cell handover.
[0013] According to a ninth aspect of the present disclosure, a communication device is provided, comprising: one or more processors; wherein the communication device is configured to perform a communication method as described in any of the first to fourth aspects.
[0014] According to a tenth aspect of the present disclosure, a communication system is provided, including a first node, a second node, and a terminal; the first node is configured to implement the communication method as described in the first aspect, the second node is configured to implement the communication method as described in the second or third aspect, and the terminal is configured to implement the communication method as described in the fourth aspect.
[0015] According to an eleventh aspect of the present disclosure, a storage medium is provided that stores instructions, which, when executed on a communication device, cause the communication device to perform a communication method as described in any of the first to fourth aspects.
[0016] According to a twelfth aspect of the present disclosure, a computer program product is provided, including a computer program that, when executed by a processor, implements the communication method of any one of the first to fourth aspects.
[0017] According to a thirteenth aspect of the present disclosure, a computer program is provided that includes code, which, when executed by a processor, implements the communication method of any one of the first to fourth aspects.
[0018] According to a fourteenth aspect of the present disclosure, a chip or chip system is provided, the chip or chip system including processing circuitry configured to perform a communication method as described in any of the first to fourth aspects.
[0019] In this embodiment, the first node sends a first key generated in response to cell handover to a second node in the first cell. This first key is used for the security of communication between the second node in the first cell and the terminal. The second node in the first cell is controlled by the first node, and the first cell is the cell after the handover. Thus, on the one hand, the first node can continuously derive a new first key in response to cell handover; that is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the first node can distribute the derived first key to the second node after the handover, ensuring the security of one or more protocol layers in the communication between the second node after the handover and the terminal. Attached Figure Description
[0020] To more clearly illustrate the technical solutions in the embodiments of this disclosure, the accompanying drawings required for the description of the embodiments are introduced below. The following drawings are only some embodiments of this disclosure and do not impose specific limitations on the protection scope of this disclosure.
[0021] Figure 1A is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
[0022] Figure 1B is an exemplary schematic diagram of the NG-RAN architecture.
[0023] Figure 1C is an exemplary schematic diagram of a scenario employing a CU-DU separation architecture.
[0024] Figure 1D is an exemplary schematic diagram of the CU-DU split architecture.
[0025] Figure 1E is an exemplary schematic diagram of key hierarchy generation in a 5G system.
[0026] Figure 1F is an exemplary schematic diagram of the MAC security key derivation hierarchy.
[0027] Figure 1G is an exemplary schematic diagram of a MAC security key derivation hierarchy based on the QKD mechanism.
[0028] Figures 2A to 2C are interactive schematic diagrams illustrating a communication method according to embodiments of the present disclosure.
[0029] Figure 2D is an exemplary schematic diagram generated according to the key hierarchy structure provided in the embodiments of this disclosure.
[0030] Figure 3 is another interactive schematic diagram of a communication method according to an embodiment of the present disclosure.
[0031] Figure 4 is a schematic diagram of the structure of a communication device provided according to an embodiment of the present disclosure.
[0032] Figure 5 is a schematic diagram of a communication device provided according to an embodiment of the present disclosure.
[0033] Figure 6 is a schematic diagram of a chip structure provided according to an embodiment of the present disclosure. Detailed Implementation
[0034] This disclosure provides a communication method, communication device, communication system, storage medium, and program product.
[0035] In a first aspect, embodiments of this disclosure provide a communication method executed by a first node. The method includes: sending a first key to a second node of a first cell. The first key is generated by the first node in response to cell handover. The first key is used to ensure the security of communication between the second node of the first cell and a terminal. The second node of the first cell is controlled by the first node, and the first cell is the cell after cell handover.
[0036] In this embodiment, on the one hand, the first node can continuously derive a new first key in response to cell handover; that is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the first node can distribute the derived first key to the second node after the cell handover, ensuring the security of one or more protocol layers of communication between the second node and the terminal after the cell handover during terminal movement.
[0037] In conjunction with some embodiments of the first aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between different first nodes.
[0038] In conjunction with some embodiments of the first aspect, in some embodiments, the first key is carried in the first message, and the first message also includes first indication information, which is used to indicate the processing method of the old first key, and the second node of the first cell is also the second node of the second cell before the cell handover.
[0039] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes one of the following: in response to cell handover, generating a first key based on a second key and an identifier of a first cell; in response to cell handover, generating a first key based on a second key and a first count value; in response to cell handover, generating a first key based on a second key, an identifier of a first cell, and a first count value; wherein the second key is used for the security of communication between the first node and the terminal, and the first count value is different from the first count value before cell handover; in some embodiments, the first count value is an increment of the first count value before cell handover.
[0040] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes: sending first information, the first information including at least one of the following: first indication information, an identifier of a first cell, a first count value, and second indication information; wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key; and the second indication information is used to instruct the terminal to generate the first key.
[0041] In conjunction with some embodiments of the first aspect, in some embodiments, the first information is sent by the first node to the second node of the second cell, where the second cell is the cell before the cell handover.
[0042] In conjunction with some embodiments of the first aspect, in some embodiments, the first information is sent by the first node of the first cell to the first node of the second cell, the second cell being the cell before the cell handover, and the first information includes: a first count value and second indication information.
[0043] In conjunction with some embodiments of the first aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0044] Secondly, this disclosure provides a communication method executed by a second node of a first cell, the second node of the first cell being controlled by the first node. The method includes: receiving a first key sent by the first node, the first key being generated by the first node in response to cell handover, the first key being used for the security of communication between the second node of the first cell and a terminal, the first cell being the cell after cell handover.
[0045] In conjunction with some embodiments of the second aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between the first nodes.
[0046] In conjunction with some embodiments of the second aspect, in some embodiments, the first key is carried in the first message, and the first message also includes first indication information, which is used to indicate the old first key processing method, and the second node of the first cell is also the second node of the second cell before the cell handover.
[0047] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes: obtaining second information based on the first key, the second information including at least one of the following: a secure connection association key CAK and a secure connection association key name CKN.
[0048] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes: processing an old first key based on first indication information; and sending third information to a first node, the third information being used to confirm the processing of the old first key.
[0049] In conjunction with some embodiments of the second aspect, in some embodiments, the second node of the first cell is also the second node of the second cell before cell handover, and the method further includes: receiving first information sent by the first node and sending fourth information to the terminal; wherein, the first information includes at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information; the fourth information includes at least one of the following: identifier of the first cell, first count value, and second indication information; the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key; and the second indication information is used to instruct the terminal to generate the first key.
[0050] In conjunction with some embodiments of the second aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0051] Thirdly, embodiments of this disclosure provide a communication method executed by a second node of a second cell, the second node of the second cell being controlled by a first node. The method includes: receiving first information sent by the first node, the first information including at least one of the following: first indication information, an identifier of the first cell, a first count value, and second indication information; wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, and the second key is used for the security of communication between the first node and the terminal; the second cell is the cell before cell handover, and the first cell is the cell after cell handover.
[0052] In conjunction with some embodiments of the third aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different first nodes.
[0053] In conjunction with some embodiments of the third aspect, in some embodiments, the second node of the second cell is controlled by the same first node as the second node of the first cell, or by different first nodes.
[0054] In some embodiments, in conjunction with the third aspect, the method further includes: processing an old first key based on first indication information; and sending third information to a first node, the third information being used to confirm the processing of the old first key.
[0055] In conjunction with some embodiments of the third aspect, in some embodiments, the method further includes: sending fourth information to the terminal, the fourth information including at least one of the following: an identifier of the first cell, a first count value, and second indication information.
[0056] In conjunction with some embodiments of the third aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0057] Fourthly, embodiments of this disclosure provide a communication method executed by a terminal. The method includes: receiving fourth information sent by a second node of a second cell, the fourth information including at least one of the following: an identifier of a first cell, a first count value, and second indication information; wherein the identifier of the first cell is used to generate a first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, the second key is used for the security of communication between the first node of the first cell and the terminal, the first cell is the cell after cell handover, and the second cell is the cell before cell handover.
[0058] In conjunction with some embodiments of the fourth aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between different first nodes.
[0059] In conjunction with some embodiments of the fourth aspect, in some embodiments, the method further includes one of the following: generating a first key based on a second key and an identifier of a first cell; generating a first key based on a second key and a first count value; generating a first key based on a second key, an identifier of a first cell, and a first count value.
[0060] In conjunction with some embodiments of the fourth aspect, in some embodiments, the method further includes: obtaining second information based on the first key, the second information including at least one of the following: a secure connection association key CAK and a secure connection association key name CKN.
[0061] In conjunction with some embodiments of the fourth aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0062] Fifthly, this disclosure provides a first node, including: a transceiver module configured to send a first key to a second node of a first cell, the first key being generated by the first node in response to cell handover, the first key being used to ensure the security of communication between the second node of the first cell and a terminal, wherein the second node of the first cell is controlled by the first node, and the first cell is the cell after cell handover.
[0063] In conjunction with some embodiments of the fifth aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between different first nodes.
[0064] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first key is carried in the first message, and the first message also includes first indication information, which is used to indicate the processing method of the old first key, and the second node of the first cell is also the second node of the second cell before the cell handover.
[0065] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first node further includes: a processing module configured to: generate a first key based on a second key and an identifier of a first cell in response to cell handover; generate a first key based on a second key and a first count value in response to cell handover; generate a first key based on a second key, an identifier of a first cell, and a first count value in response to cell handover; wherein the second key is used for the security of communication between the first node and the terminal, and the first count value is different from the first count value before cell handover; in some embodiments, the first count value is an increment of the first count value before cell handover.
[0066] In conjunction with some embodiments of the fifth aspect, in some embodiments, the transceiver module is further configured to send first information, the first information including at least one of the following: first indication information, identifier of a first cell, first count value, and second indication information; wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key; and the second indication information is used to instruct the terminal to generate the first key.
[0067] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first information is sent by the first node to the second node of the second cell, and the second cell is the cell before the cell handover.
[0068] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first information is sent by the first node of the first cell to the first node of the second cell, the second cell being the cell before the cell handover, and the first information includes: a first count value and second indication information.
[0069] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0070] In a sixth aspect, embodiments of this disclosure provide a second node of a first cell, the second node of the first cell being controlled by the first node, the second node of the first cell including: a transceiver module configured to receive a first key sent by the first node, the first key being generated by the first node in response to cell handover, the first key being used for the security of communication between the second node of the first cell and the terminal, the first cell being the cell after cell handover.
[0071] In conjunction with some embodiments of the sixth aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between the first nodes.
[0072] In conjunction with some embodiments of the sixth aspect, in some embodiments, the first key is carried in the first message, and the first message also includes first indication information, which is used to indicate the old first key processing method, and the second node of the first cell is also the second node of the second cell before the cell handover.
[0073] In conjunction with some embodiments of the sixth aspect, in some embodiments, the second node of the first cell further includes: a processing module configured to obtain second information based on a first key, the second information including at least one of the following: a secure connection association key CAK and a secure connection association key name CKN.
[0074] In conjunction with some embodiments of the sixth aspect, in some embodiments, the processing module is further configured to: process the old first key based on the first indication information; the transceiver module is further configured to: send third information to the first node, the third information being used to confirm the processing of the old first key.
[0075] In conjunction with some embodiments of the sixth aspect, in some embodiments, the second node of the first cell is also the second node of the second cell before cell handover, and the transceiver module is further configured to receive first information sent by the first node and send fourth information to the terminal; wherein, the first information includes at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information; the fourth information includes at least one of the following: identifier of the first cell, first count value, and second indication information; the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key; and the second indication information is used to instruct the terminal to generate the first key.
[0076] In conjunction with some embodiments of the sixth aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0077] In a seventh aspect, embodiments of this disclosure provide a second node in a second cell, controlled by a first node. The second node includes a receiving module configured to receive first information sent by the first node. The first information includes at least one of the following: first indication information, an identifier of the first cell, a first count value, and second indication information. The first indication information indicates the processing method of the old first key. The identifier of the first cell is used to generate the first key, and the first count value is used to generate the first key. The first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and a terminal. The second indication information instructs the terminal to generate the first key. The first key is derived based on the second key, and the second key is used for the security of communication between the first node and the terminal. The second cell is the cell before cell handover, and the first cell is the cell after cell handover.
[0078] In conjunction with some embodiments of the seventh aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different first nodes.
[0079] In conjunction with some embodiments of the seventh aspect, in some embodiments, the second node of the second cell and the second node of the first cell are controlled by the same first node, or by different first nodes.
[0080] In conjunction with some embodiments of the seventh aspect, in some embodiments, the processing module is further configured to: process the old first key based on the first indication information; the transceiver module is further configured to: send third information to the first node, the third information being used to confirm the processing of the old first key.
[0081] In conjunction with some embodiments of the seventh aspect, in some embodiments, the transceiver module is further configured to: send fourth information to the terminal, the fourth information including at least one of the following: an identifier of the first cell, a first count value, and second indication information.
[0082] In conjunction with some embodiments of the seventh aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0083] Eighthly, this disclosure provides a terminal, including: a transceiver module configured to receive fourth information sent by a second node of a second cell, the fourth information including at least one of the following: an identifier of a first cell, a first count value, and second indication information; wherein the identifier of the first cell is used to generate a first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived based on the second key, the second key is used for the security of communication between the first node of the first cell and the terminal, the first cell is the cell after cell handover, and the second cell is the cell before cell handover.
[0084] In conjunction with some embodiments of the eighth aspect, in some embodiments, cell handover includes one of the following: cell handover between different second nodes controlled by the first node; cell handover between different cells covered by the second node; cell handover between different first nodes.
[0085] In conjunction with some embodiments of the eighth aspect, in some embodiments, the terminal further includes: a processing module configured to: generate a first key based on a second key and an identifier of a first cell; generate a first key based on a second key and a first count value; generate a first key based on a second key, an identifier of a first cell, and a first count value.
[0086] In conjunction with some embodiments of the eighth aspect, in some embodiments, the processing module is further configured to: obtain second information based on the first key, the second information including at least one of the following: secure connection association key CAK, secure connection association key name CKN.
[0087] In conjunction with some embodiments of the eighth aspect, in some embodiments, the first node is a centralized unit (CU) in the access network device, and the second node is a distributed unit (DU) in the access network device.
[0088] Ninthly, embodiments of this disclosure provide a communication device, including: one or more processors; wherein the communication device is configured to perform the method as described in any of the first to fourth aspects and their embodiments.
[0089] In a tenth aspect, embodiments of this disclosure provide a communication system, including: a first node, a second node, and a terminal, wherein the first node is configured to implement the method as described in any of the first aspects and embodiments thereof; the second node is configured to implement the method as described in any of the second to third aspects and embodiments thereof; and the terminal is configured to implement the method as described in any of the fourth aspects and embodiments thereof.
[0090] Eleventhly, embodiments of this disclosure provide a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform the method described in any of the first to fourth aspects and their embodiments.
[0091] In a twelfth aspect, embodiments of this disclosure provide a program product that, when executed by a communication device, causes the communication device to perform the method described in any of the first to fourth aspects and their embodiments.
[0092] In a thirteenth aspect, embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the methods described in any of the first to fourth aspects and their embodiments.
[0093] In a fourteenth aspect, embodiments of this disclosure provide a chip or chip system. The chip or chip system includes processing circuitry configured to perform the methods described in any of the first to fourth aspects and their embodiments described above.
[0094] It is understood that the aforementioned communication devices, communication systems, storage media, program products, computer programs, chips, or chip systems are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.
[0095] This disclosure provides a communication method, a communication device, a communication system, a storage medium, and a program product. In some embodiments, the terms "communication method," "key transmission method," "key update method," and "key generation method" can be used interchangeably, as can the terms "communication system," "key transmission system," "key update system," and "key generation system."
[0096] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments.
[0097] In each of the disclosed embodiments, unless otherwise specified or in case of logical conflict, the terminology and / or descriptions of the embodiments are consistent and can be referenced by each other. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.
[0098] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.
[0099] In this embodiment of the disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular expression or a plural expression.
[0100] In the embodiments disclosed herein, "multiple" refers to two or more.
[0101] In some embodiments, the terms “at least one of”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.
[0102] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of B); in some embodiments, B (execute B regardless of A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, A and B (both A and B are executed). The same applies when there are more branches such as A, B, C, etc.
[0103] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execution of A regardless of B); in some embodiments, B (execution of B regardless of A); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, C, etc.
[0104] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.
[0105] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
[0106] In some embodiments, the terms “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “if…”, “if…”, etc., can be used interchangeably.
[0107] In some embodiments, the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.
[0108] In some embodiments, devices, etc., can be interpreted as physical or virtual, and their names are not limited to the names recorded in the embodiments. Terms such as “device”, “equipment”, “circuit”, “network element”, “node”, “function”, “unit”, “section”, “system”, “network”, “chip”, “chip system”, “entity”, and “subject” can be used interchangeably.
[0109] In some embodiments, "network" can be interpreted as devices included in a network (e.g., access network devices, core network devices, etc.).
[0110] In some embodiments, the terms "network devices", "access network device (AN device)", "radio access network device (RAN device)", "base station (BS)", "radio base station", "fixed station", "node", "access network node", "access point", "transmission point (TP)", "reception point (RP)", "transmission / reception point (TRP)", "panel", "antenna panel", "antenna array", "cell", "macro cell", "small cell", "femtocell", "pico cell", "sector", "cell group", "serving cell", "carrier", "component carrier", and "bandwidth part (BWP)" can be used interchangeably.
[0111] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", "subscriber station", "mobile unit", "subscriber unit", "wireless unit", "remote unit", "mobile device", "wireless device", "wireless communication device", "remote device", "mobile subscriber station", "access terminal", "mobile terminal", "wireless terminal", "remote terminal", "handset", "user agent", "mobile client", and "client" can be used interchangeably.
[0112] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.
[0113] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.
[0114] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.
[0115] In some embodiments, data, information, etc., may be obtained with the user's consent.
[0116] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.
[0117] Figure 1A is a schematic diagram of an architecture of a communication system according to an embodiment of the present disclosure. As shown in Figure 1A, the communication system 100 includes: a terminal 101, a first node 102, and a second node 103.
[0118] In some embodiments, terminal 101 includes, but is not limited to, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) terminal device, augmented reality (AR) terminal device, wireless terminal device in industrial control, wireless terminal device in self-driving, wireless terminal device in remote medical surgery, wireless terminal device in smart grid, wireless terminal device in transportation safety, wireless terminal device in smart city, and wireless terminal device in smart home.
[0119] In some embodiments, the first node is used to establish a wireless connection with the terminal.
[0120] In some embodiments, the first node is responsible for data transmission between the terminal and the core network.
[0121] In some embodiments, the first node is used to control a plurality of second nodes.
[0122] In some embodiments, the first node is connected to the second node via the F1 interface.
[0123] In some embodiments, the second node is used to establish a wireless connection with the terminal.
[0124] In some embodiments, the second node is responsible for data transmission between the terminal and the core network.
[0125] In some embodiments, the first node supports the upper protocol layer, and the second node supports the lower protocol layer. The terms "upper layer" and "lower layer" are relative.
[0126] In some embodiments, the first node supports the radio resource control (RRC) layer. The second node supports at least one of the following protocol layers: Service Data Adaptation Protocol (SDAP) layer, Packet Data Convergence Protocol (PDCP) layer, Radio Link Control (RLC) layer, Media Access Control (MAC) layer, and Physical Layer (PHY).
[0127] In some embodiments, the first node supports at least one of the following protocol layers: RRC layer, SDAP layer. The second node supports at least one of the following protocol layers: PDCP layer, RLC layer, MAC layer, PHY.
[0128] In some embodiments, the first node supports at least one of the following protocol layers: RRC layer, SDAP layer, and PDCP layer. The second node supports at least one of the following protocol layers: RLC layer, MAC layer, and PHY layer.
[0129] In some embodiments, the first node supports at least one of the following protocol layers: RRC layer, SDAP layer, PDCP layer, and RLC layer. The second node supports at least one of the following protocol layers: MAC layer and PHY layer.
[0130] In some embodiments, the first node supports at least one of the following protocol layers: RRC layer, SDAP layer, PDCP layer, RLC layer, and MAC layer. The second node supports PHY.
[0131] In some embodiments, the first node is a CU in the access network device. The second node is a DU in the access network device.
[0132] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include at least one of the following: evolved NodeB (eNB), next-generation eNB (ng-eNB), next-generation NodeB (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), wireless backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in Wi-Fi system, but is not limited thereto.
[0133] In some embodiments, the technical solutions of this disclosure can be applied to the Open RAN architecture. In this case, the interfaces between or within network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN. The processes and information interactions between these internal interfaces can be implemented by software or programs.
[0134] In some embodiments, the core network equipment may be a single device including a first network element, or it may be multiple devices or a group of devices, each including a first network element. Network elements may be virtual or physical. The core network may include, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), or a Next Generation Core (NGC).
[0135] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions provided in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions provided in this disclosure are also applicable to similar technical problems.
[0136] The following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1A, or to some of the main bodies, but are not limited thereto. The main bodies shown in FIG1A are illustrative. The communication system may include all or some of the main bodies in FIG1A, or it may include other main bodies outside of FIG1A. The number and form of each main body are arbitrary. The connection relationship between the main bodies is illustrative. The main bodies may not be connected or may be connected. The connection can be in any way, it can be a direct connection or an indirect connection, it can be a wired connection or a wireless connection.
[0137] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, 4th generation mobile communication system (4G), 5th generation mobile communication system (5G), 5G new radio (NR), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New radio access (NX), Future generation radio access (FX), Global System for Mobile communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, Ultra-Wideband (UWB), Bluetooth (a registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X) systems, systems utilizing other communication methods, and next-generation systems built upon them, etc. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).
[0138] With the rapid development of communication technologies, in order to overcome the explosive increase in traffic usage, communication systems such as 5G are using higher frequency bands than previous communication systems (e.g., LTE). Due to the inverse relationship between frequency and cell coverage, coverage becomes a challenge. Typically, for mobile users, smaller coverage cells lead to more frequent handovers, which can negatively impact experience quality without proper management. If the number of cells managed by each individual base station (e.g., gNB) can be increased, more handovers can be handled through intra-gNB mobility. Intra-gNB mobility has a significantly smaller impact compared to inter-gNB mobility because the anchor points of the equipment are the same. By separating this function from the DU and centralizing it in the CU, the number of cells managed by each CU can be increased, thus maximizing the ratio between intra-gNB and inter-gNB handovers.
[0139] Meanwhile, higher frequency bands also allow for the use of carriers with greater bandwidth, and gNBs therefore require significantly more traffic processing capacity than eNBs in LTE. When dual connectivity is widely used in 5G networks, devices can connect to two different gNBs, but only one of the two gNBs (the anchor DU) is responsible for processing the separated data streams (via the packet data convergence protocol, PDCP). Therefore, the PDCP load is concentrated on the PDCP anchor DU, leading to load imbalance and inefficient resource utilization between the PDCP anchor DU (overused) and non-anchor DUs (underused). To improve this load imbalance, PDCP aggregation needs to be off-loaded to CUs in a more centralized location, where pooling or resource sharing can efficiently handle the tasks.
[0140] In some embodiments, in the deployment of communication systems such as 5G, gNBs with an internal structure divided into CU and DU parts can provide better service. The CU and DU can be connected via a new interface called F1.
[0141] Figure 1B is an exemplary schematic diagram of the NG-RAN architecture. As shown in Figure 1B, in a 5G network, the 5G core network (5GC) can connect to the NG-RAN via the NG interface. The NG-RAN can include a series of gNBs. These gNBs are connected to the 5GC via the NG interface. In the NG-RAN, gNBs can be connected to each other via the Xn interface. In some embodiments, a gNB can include a gNB-CU (i.e., CU) and one or more gNB-DUs (i.e., DU). The gNB-CU and gNB-DU can be connected to each other via the F1 interface. In some embodiments, a gNB-DU can only be connected to one gNB-CU.
[0142] Figure 1C is an exemplary schematic diagram of a scenario employing a CU-DU separation architecture. As shown in Figure 1C, the access and mobility management function (AMF) and user plane function (UPF) network elements can reside in the core network, and the gNB can reside in the access network. The AMF and gNB communicate via the NG interface (e.g., NG-C) for control plane communication. The UPF and gNB communicate via the NG interface (e.g., NG-U) for user plane communication. The gNB can be divided into gNB-CU and gNB-DU. The gNB-CU can connect to multiple gNB-DUs via the F1 interface.
[0143] In some embodiments, the functionality of the gNB is separated into gNB-CU and gNB-DU. Some functions of the gNB can be implemented by gNB-CU, and some functions of the gNB can be implemented by gNB-DU. It is understood that there may or may not be overlap between the functions of gNB-CU and gNB-DU.
[0144] In some embodiments, the protocol stack defined in the RAN may include multiple layers. In some embodiments, the protocol stack may include, from top to bottom, the following layers: RRC layer, PDCP layer, RLC layer, MAC layer, PHY layer, and radio frequency (RF) layer.
[0145] In some embodiments, the functional split between the CU and DU can take several forms. In one example, the RRC can be located in the CU, while the PDCP, RLC, MAC, physical layer, and RF can be located in the DU. This approach is similar to the 1A architecture in dual-connectivity and can therefore be called 1A-type split. In another example, the RRC and PDCP can be located in the CU, while the RLC, MAC, physical layer, and RF can be located in the DU. This approach is similar to the 3C architecture in dual-connectivity and can therefore be called 3C-type split. In another example, the low RLC (i.e., part of the RLC functionality), MAC, physical layer, and RF can be located in the DU, while the PDCP and high RLC (i.e., the remaining RLC functionality) can be located in the CU. This approach can be called RLC-MAC split. In another example, the MAC, physical layer, and RF can be located in the DU, while the PDCP and RLC can be located in the CU. This approach can be called MAC-MAC split. In yet another example, the RF, physical layer, and a portion of the MAC layer (e.g., HARQ) can be located in the DU, while the remaining portions of the PDCP, RLC, and MAC layer can be located in the CU. This approach can be called MAC-internal split. In one example, the physical layer and RF can be located in the DU, while PDCP, RLC, and MAC can be located in the CU. This approach can be called MAC-PHY separation. In another example, a portion of the physical layer functionality and RF can be located in the DU, while PDCP, RLC, MAC, and other parts of the physical layer functionality can be located in the CU. This approach can be called intra-PHY separation. In yet another example, the RF functionality is located in the DU, while PDCP, RLC, MAC, and the physical layer can be located in the CU. This approach can be called PHY-RF separation.
[0146] Figure 1D is an exemplary schematic diagram of a CU-DU separation architecture. As shown in Figure 1D, the gNB-CU and gNB-DU can be separated in a 3C-type manner. In this case, RRC and PDCP can be located in the gNB-CU, while RLC, MAC, physical layer, and RF can be located in the gNB-DU.
[0147] In some embodiments, within the RAN security architecture, access stratum (AS) security terminates at and is handled by the PDCP layer of the gNB. In most decoupled configurations, since only the CU portion of the gNB supports the PDCP layer, AS security can only terminate at the CU portion, making the DU portion transparent to security protection. That is, protocol layers supported by the DU portion, such as RLC, MAC, and physical layer, are irrelevant to security-related processing.
[0148] In some embodiments, for layer 1 / layer 2 triggered mobility (LTM), media access control element (MAC CE) messages can be used to carry security-related parameters. MAC CE messages carry radio-related information but are not protected. The protection of MAC CE messages, especially when carrying security-related information, is an important and unavoidable issue.
[0149] In some embodiments, one function of the DU portion of the gNB is to support lower layers in the protocol stack. It is understood that lower and higher layers (or lower and upper layers) can be relative. In some embodiments, one or more layers implemented in the DU portion of the protocol stack can be referred to as lower layers, and one or more layers implemented in the CU portion can be referred to as higher layers. For example, in a Class 1A separation approach, higher layers may include RRC, and lower layers may include PDCP, RLC, MAC, physical layer, and RF. For example, in a Class 3C separation approach, higher layers may include RRC and PDCP, and lower layers may include RLC, MAC, physical layer, and RF. For example, in an RLC-MAC separation approach, higher layers may include RRC, PDCP, and RLC, and lower layers may include MAC, physical layer, and RF.
[0150] In some embodiments, when a gNB supports higher-level security in the CU and lower-level security in the DU, the correlation between higher-level and lower-level security within a single gNB needs to be considered. For example, when a gNB supports PDCP layer security in the CU and MAC layer security in the DU, the correlation between PDCP layer security and MAC layer security within a single gNB needs to be considered.
[0151] In some embodiments, how to achieve low-level security in a DU is a problem that urgently needs to be solved.
[0152] In some embodiments, how the CU in the access network device distributes the derived key to the DU in the access network device, and how to distribute the key-derived input data to the UE, are problems that urgently need to be solved.
[0153] In some embodiments, considering the mobility of the terminal, how to update the key between the terminal and the access network device during the terminal's movement is also an urgent problem to be solved.
[0154] Here, important concepts and terms involved in the embodiments of this disclosure are explained.
[0155] 1. Key hierarchy
[0156] The key hierarchy in a 5G system consists of multiple keys. These keys can be used for authentication, encryption, and integrity protection.
[0157] Figure 1E is an exemplary schematic diagram of key hierarchy generation in a 5G system. As shown in Figure 1E, the key hierarchy may include multiple keys, such as K AUSF K SEAF K AMF K N3IWF K NASint K NASenc K gNB K RRCint K RRCenc K UPint and K UPenc These keys are involved in authentication, non-access stratum (NAS) signaling protection, access stratum (AS) signaling protection, and user plane traffic protection. The arrows in the diagram indicate the direction of key generation. For example, based on K... AUSF K can be deduced SEAF For example, based on K SEAF K can be deduced AMF For example, based on K AMF K can be deduced N3IWF K NASint K NASenc K gNB For example, based on K gNB K can be deduced RRCint K RRCenc K Upint K UPenc .
[0158] In some embodiments, K serves as a key for NG-RAN. gNB It is composed of mobile entity (ME) and AMF from K AMF The derived key. In some embodiments, K gNB It can be further derived from ME and source gNB.
[0159] In some embodiments, K serves as a key for user plane traffic. UPenc It is from K by ME and gNB gNB The derived key. In one example, K UPenc It can be used solely for the protection of user plane traffic that uses specific encryption algorithms.
[0160] In some embodiments, K serves as a key for user plane traffic. UPintIt is from K by ME and gNB gNB The derived key. In one example, K Upint It can be used solely for the protection of user plane traffic between ME and gNB using a specific integrity algorithm.
[0161] In some embodiments, K serves as the key for RRC signaling. RRCint It is from K by ME and gNB gNB The derived key. In one example, K RRCint It can be used solely for the protection of RRC signaling that employs a specific integrity algorithm.
[0162] In some embodiments, K serves as the key for RRC signaling. RRCenc It is from K by ME and gNB gNB The derived key. In one example, K RRCenc It can be used solely for the protection of RRC signaling that uses a specific encryption algorithm.
[0163] K gNB K RRCint K RRCenc K UPint and K UPenc These are parameters for AS security processed at the PDCP layer. K RRCint and K RRCenc It is the key used to protect RRC messages on the control plane. K UPint and K UPenc It is a key used to protect SDAP messages and / or Session Description Protocol (SDP) messages on the user plane. RRC messages and SDAP / SDP messages are both messages above the PDCP layer, so the security of these messages can be handled at the PDCP layer.
[0164] 2. MAC Security (MACsec)
[0165] MAC security is a secure communication method used to ensure the security protection between devices on an Ethernet link. MAC security can be based on IEEE 802.1AE and IEEE 802.1X standards. MAC security provides functions such as data encryption, integrity checks, and replay protection.
[0166] MAC security operates at the client's data link layer, which is the Ethernet MAC layer, and is used for end-to-end links between the interfaces of two devices, such as the gNB-DU and UE. The gNB-DU and UE can use the MAC security key to encrypt and decrypt data packets. The MACsec key agreement (MKA) protocol provides key negotiation, as well as the establishment and management of secure channels. A long-lived connectivity association key (CAK) along with its corresponding connectivity association key name (CKN) is configured on the device.
[0167] Figure 1F is an exemplary schematic diagram of the MAC security key derivation hierarchy. As shown in Figure 1F, based on CAK and CKN, a secure association key (SAK), a key encryption key (KEK), and an integrity check key (ICK) can be obtained. In some embodiments, CAK can be used to generate a short-lived SAK to protect data transferred between devices. Data encryption is performed based on the SAK. The SAK can be updated regularly based on the number of data packets sent to make communication more secure. MAC security not only encrypts data but also provides integrity through an integrity check value (ICV). ICV is a cryptographic digest function that depends on the data and the SAK.
[0168] 3. Quantum key distribution (QKD)
[0169] Quantum key distribution (QKD) is a secure communication protocol based on the principles of quantum mechanics. QKD allows two users to create and share a secure key over an insecure communication channel. This key can then be used to encrypt and decrypt information to ensure the confidentiality of the communication.
[0170] Figure 1G is an exemplary schematic diagram of a MAC security key derivation hierarchy based on the QKD mechanism. As shown in Figure 1G, user 1 and user 2 can distribute keys through the QKD mechanism. In some embodiments, the QKD between user 1 and user 2 can be implemented using continuous variable (CV) QKD protocol, discrete variable (DV) QKD protocol, satellite QKD, etc. The key distributed to user 1 and user 2 through QKD can serve as the MSK in MAC security. Based on the MSK, other keys, such as CAK and CKN in MAC security, can be obtained through key derivation functions (KDF), and further, ICK, SAK, KEK, etc. can be obtained.
[0171] In some embodiments, the KDF used for key derivation in Figure 1G may conform to the NIST 800-108 standard, formally known as "Recommendation for Key Derivation Using Pseudorandom Functions," which provides technical specifications for deriving additional key material from a secret key using pseudorandom functions. These KDFs can be used to derive additional keys from an established cryptographic key.
[0172] It is understood that the KDF used in the MAC security key derivation hierarchy can also be other KDFs, and this disclosure does not specifically limit this.
[0173] This disclosure provides a communication method, communication device, communication system, storage medium, and program product. A first node sends a first key generated in response to cell handover to a second node in a first cell. The first key is used for the security of communication between the second node in the first cell and the terminal. The second node in the first cell is controlled by the first node, and the first cell is the cell after the cell handover. Thus, on the one hand, the first node can continuously derive a new first key in response to cell handover; that is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the first node can distribute the derived first key to the second node after the cell handover, ensuring the security of one or more protocol layers in the communication between the second node and the terminal.
[0174] In some embodiments, cell handover includes at least one of the following:
[0175] Case 1: Cell handover between different second nodes controlled by the first node.
[0176] Scenario 2: Cell handover between different cells covered by the second node.
[0177] Scenario 3: Cell handover between different first nodes.
[0178] In some embodiments, a first node controls multiple second nodes, where the first node is a CU in the access network device and the second node is a DU in the access network device.
[0179] In some embodiments, Case 1 can be understood as cell handover between different DUs controlled by the same CU, or as the first cell after the handover and the second cell before the handover belonging to different DUs under the same CU. In this case, the DUs of the first cell and the second cell are different, and the DUs of the first cell and the second cell are controlled by the same CU.
[0180] In some embodiments, for case 2, it can be understood as cell handover between different cells covered by the same DU, meaning that the first cell after the handover and the second cell before the handover belong to the same DU. In this case, the DU of the first cell and the DU of the second cell are the same.
[0181] In some embodiments, case 3 can be understood as cell handover between different CUs, or as the first cell after the handover and the second cell before the handover belonging to different DUs under different CUs. In this case, the DU of the first cell and the DU of the second cell are different, and the DU of the first cell and the DU of the second cell are controlled by different CUs.
[0182] The following example, using CU as the first node and DU as the second node, illustrates the key update and distribution process during cell handover.
[0183] Figure 2A is an interactive schematic diagram of a communication method provided according to an embodiment of the present disclosure. As shown in Figure 2A, the present disclosure relates to a communication method. Executed by a communication system 100, the communication method includes steps S2101 to S2111.
[0184] In this embodiment of the disclosure, the cell handover process is Case 1, namely, cell handover between different DUs controlled by the same CU. In this case, the communication system includes a terminal, a CU, a DU of the second cell (denoted as the source DU), and a DU of the first cell (denoted as the target DU). Both the source DU and the target DU are controlled by the CU.
[0185] In step S2101, the terminal sends a measurement report.
[0186] In some embodiments, the source DU receives a measurement report.
[0187] In some embodiments, the CU receives measurement reports via the source DU.
[0188] In some embodiments, the measurement report is carried in an uplink RRC message transfer message. In some embodiments, the source DU receives the measurement report sent by the terminal and sends an uplink RRC message transfer message carrying the measurement report to the CU.
[0189] In some embodiments, the measurement report is used by the CU to determine at least one of the following: a first cell, a target DU, and a target CU.
[0190] In some embodiments, the measurement report includes at least: the measurement results of the second cell and the measurement results of the neighboring cells of the second cell. The second cell is the terminal's current serving cell, i.e., the cell before the terminal performs cell handover. The neighboring cells of the second cell include the first cell, which is the target cell for the terminal to handover to, i.e., the cell after the terminal performs cell handover.
[0191] In step S2102, the CU determines the target DU based on the measurement report.
[0192] In some embodiments, the CU can determine the target DU from a plurality of DUs controlled by the CU based on a measurement report.
[0193] In some embodiments, the target DU supports secure communication between the target DU and the terminal. In some embodiments, the target DU supports RLC layer security. In some embodiments, the target DU supports MAC layer security. In some embodiments, the target DU supports PHY layer security.
[0194] In some embodiments, the CU can determine the first cell from the neighboring cells of the second cell based on the measurement report.
[0195] In step S2103, the CU generates a first key in response to cell handover.
[0196] In some embodiments, the CU generates a first key based on a second key in response to cell handover. In some embodiments, the second key can be input into the KDF. The KDF can derive the first key based on the input second key.
[0197] Figure 2D is an exemplary schematic diagram generated according to the key hierarchy structure provided in the embodiments of this disclosure. As shown in Figure 2D, the first key for the target DU may include K. DU K DU It can be a key for a DU in an access network device. K DU It can be based on K gNB It was deduced.
[0198] In some embodiments, the CU generates a first key in response to cell handover, based on a second key, a KDF, and key derivation input data. In some embodiments, the key derivation input data includes at least one of the following: an identifier of the first cell and a first count value.
[0199] In some embodiments, the CU generates a first key based on a second key and an identifier of the first cell in response to cell handover. In some embodiments, the second key and the identifier of the first cell can be used as inputs to a KDF (Key-Definition Calculation), and the CU can use the KDF to derive the first key based on the identifier of the first cell and the second key.
[0200] In some embodiments, the CU generates a first key based on a second key and a first count value in response to cell handover. In some embodiments, the second key and the first count value can be used as inputs to a KDF (Key-Definition Calculation), and the CU can use the KDF to derive the first key based on the first count value and the second key.
[0201] In some embodiments, the CU generates a first key based on a second key, an identifier of the first cell, and a first count value in response to cell handover. In some embodiments, the second key, the identifier of the first cell, and the first count value can all be used as inputs to a KDF (Key-Definition Calculation), and the CU can use a KDF to derive the first key based on the identifier of the first cell, the first count value, and the second key.
[0202] In some embodiments, the first key may be a key for the DU. In some embodiments, the first key may be used for the security of communication between the target DU and the terminal.
[0203] In some embodiments, the second key may be a key for the access network device. In some embodiments, the second key may be used for the security of communication between the access network device and the terminal. In some embodiments, the second key may be a key for the CU. In some embodiments, the second key may be used for the security of communication between the CU and the terminal. In some embodiments, the second key may be used for the security of upper-layer communication.
[0204] In some embodiments, the second key can be used for the security of upper-layer communication, and the first key is used for the security of lower-layer communication. Upper-layer and lower-layer are relative terms.
[0205] In some embodiments, the second key can be used for the security of the RRC layer, and the first key can be used for the security of at least one of the PDCP layer, RLC layer, MAC layer, PHY layer, and RF layer.
[0206] In some embodiments, the second key can be used for the security of at least one of the RRC layer and the PDCP layer, and the first key can be used for the security of at least one of the RLC layer, the MAC layer, the PHY layer, and the RF layer.
[0207] In some embodiments, the second key can be used for the security of at least one of the RRC layer, PDCP layer, and RLC layer, and the first key can be used for the security of at least one of the MAC layer, PHY layer, and RF layer.
[0208] In some embodiments, the first key may be K DU The second key can be K CU In some embodiments, the CU is the CU of the access network device gNB, and the second key may be K. gNB In one example, the second key could be a 256-bit K. gNB In some embodiments, the access network device can be other types of access network devices, such as an eNB. In this case, the second key can be K. eNB .
[0209] In some embodiments, the second key is determined by the CU. In some embodiments, the second key is obtained by the CU from other nodes. In one example, the CU obtains the second key from the AMF, and the second key is determined by the AMF based on K. AMF This can be deduced.
[0210] In some embodiments, if the second key is not updated, the CU generates a first key based on the updated second key. If the second key has been updated, the CU generates a first key based on the new second key. In some embodiments, the CU may update the second key during each inter-base station handover or intra-base station handover.
[0211] In some embodiments, the identifier of the first cell may be the ID of the first cell.
[0212] In some embodiments, the first count value may be a count value of the terminal's movement across DUs in the access network equipment.
[0213] In some embodiments, a terminal may move between DUs within an access network device. For example, a terminal may initially access one DU of the access network device. For example, a terminal may move from one DU to another within the access network device. Such inter-DU movement causes a change in a first count value. For example, the first count value may change each time an inter-DU migration occurs. In some embodiments, the first count value may be a positive integer.
[0214] In some embodiments, the first count value may also be referred to as the DU counter.
[0215] In some embodiments, the first count value may fall within a first count range. In some embodiments, the first count range may be determined based on the configuration of the DU in the access network device. In some embodiments, the first count range may be determined based on the configuration of the DU in the CU.
[0216] In some embodiments, the first counting range may also be referred to as the counter pool.
[0217] In some embodiments, the first counting range may be configured for a CU. In some embodiments, all DUs under a CU may share the first counting range. In one example, the first counting range may be an integer from 1 to N1, where N1 is a positive integer.
[0218] In some embodiments, the first counting range can be configured for a DU. In some embodiments, each DU under a CU can have an independent first counting range. In some embodiments, different DUs under a CU can have the same or different first counting ranges. For example, all DUs under a CU can have the same first counting range. For example, the first counting range of all DUs can be an integer from 1 to N2, where N2 is a positive integer. In some embodiments, at least two DUs under a CU can have different first counting ranges. For example, the first counting range of one DU can be an integer from 1 to N2, and the first counting range of another DU can be an integer from 1 to N3, where N3 is a positive integer and N3 is not equal to N2.
[0219] In some embodiments, the first count value may change sequentially as the terminal moves between DUs in the access network equipment. In one example, the first count value may be incremented by 1 each time the terminal moves from one DU to another. In another example, the first count value may be decremented by 1 each time the terminal moves from one DU to another.
[0220] In some embodiments, the first count value can be determined by random generation as the terminal moves between DUs in the access network equipment. In one example, the first count value can be randomly generated whenever the terminal moves from one DU to another.
[0221] In some embodiments, the same first count value is not reused as the terminal moves. In some embodiments, the terminal may leave a DU and return to the DU after one or more moves. In this case, the first count value determined for the DU on two separate occasions may be different. In some embodiments, the first count value determined for different DUs may be different.
[0222] In some embodiments, the first count value may be determined by the CU. In some embodiments, the first count value is different from the first count value before cell handover; in some embodiments, the first count value is an increment of the first count value before cell handover.
[0223] In step S2104, the CU sends the first key.
[0224] In some embodiments, the target DU receives a first key.
[0225] In some embodiments, the CU sends a first key to the target DU via a first message. The first message is used to request the establishment of context information for the terminal. For example, the first message is a UE context setup request message.
[0226] In some embodiments, through step S2104, the CU can distribute the derived first key to the target DU.
[0227] In some embodiments, each time the CU derives the first key, the CU can send the obtained first key to the target DU.
[0228] In some embodiments, the target DU may store a first key.
[0229] In step S2105, the target DU obtains the second information based on the first key.
[0230] In some embodiments, the second information is used for the security of communication between the target DU and the terminal.
[0231] In some embodiments, the second information is used for the MACsec of the target DU.
[0232] In some embodiments, the second information includes at least one of the following: secure connectivity association key (CAK), secure connectivity association key name (CKN), secure association key (SAK), and master session key (MSK).
[0233] In some embodiments, the target DU can generate CAK based on the first key. The target DU can also generate CKN based on the first key. The target DU can also generate SAK based on the first key. The target DU can also generate MSK based on the first key.
[0234] In some embodiments, the target DU can use the first key as CAK, i.e., the first key is the same as CAK. In some embodiments, the target DU can use the first key as SAK, i.e., the first key is the same as SAK. In some embodiments, the target DU can use the first key as MSK, i.e., the first key is the same as MSK. In some embodiments, the target DU determines CAK and CKN based on MSK. In some embodiments, if the target DU supports QKD-based KDF, the first key can be used as MSK in the QKD mechanism.
[0235] In some embodiments, the target DU may use the input data of the key derivation associated with the first key as the CKN. In some embodiments, the target DU may use the identifier of the first cell as the CKN. In some embodiments, the target DU may use the first count value as the CKN.
[0236] In some embodiments, whenever the target DU receives a new first key, the target DU can obtain new second information based on the new first key. This ensures that the key in the security key derivation is updated, avoiding conflicts caused by the new first key and the old first key.
[0237] In some embodiments, if both the target DU and the terminal support using the second information as the encryption key for communication between the target DU and the terminal, the target DU performs step S2105.
[0238] In some embodiments, if the target DU does not support using the second information as a security key for communication between the target DU and the terminal, or if the terminal does not support using the second information as a security key for communication between the terminal and the target DU, step S2105 can be omitted. In this case, the first key is used between the terminal and the target DU to protect the security of communication.
[0239] In some embodiments, after obtaining the second information, the target DU may also send a second message to the CU to notify the CU that the target DU has received the first key and obtained the second information. In some embodiments, the second message is a response message to the first message. In one example, the second message is a UE context setup response message.
[0240] In some embodiments, if step S2105 is omitted, the target DU may also send a second message to the CU to notify the CU that the target DU has received the first key.
[0241] In step S2106, the CU sends the first information.
[0242] In some embodiments, the source DU receives first information.
[0243] In some embodiments, the first information is used to indicate how the old first key was processed.
[0244] In some embodiments, the first information is used to instruct the terminal to generate a first key.
[0245] In some embodiments, the first information is used to instruct the terminal to generate the first key according to the method of generating the first key for the target DU by the CU.
[0246] In some embodiments, the first information is used to instruct the terminal to derive a first key and derive second information based on the first key.
[0247] In some embodiments, the first information includes at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information.
[0248] In some embodiments, the first indication information is used to indicate how the old first key should be handled. In some embodiments, the first indication information is used to indicate the deletion of the old first key. In some embodiments, the first indication information is used to indicate that the old first key is invalid. In some embodiments, the first indication information is used to indicate that the old first key is unavailable.
[0249] In some embodiments, the second indication information is used to instruct the terminal to generate a first key. In some embodiments, the second indication information is used to instruct the terminal to update the first key. In some embodiments, the second indication information is used to instruct the terminal to derive the first key and derive second information based on the first key. In some embodiments, the second indication information is used to instruct the terminal to generate the first key according to the method of generating the first key for the target DU using the CU.
[0250] In some embodiments, the CU can send the first information to the source DU via a third message, which is used to request modification of the terminal's context information. In one example, the third message is a UE context modification request message.
[0251] In some embodiments, the third message includes first indication information and RRC reconfiguration information, wherein the RRC reconfiguration information includes at least one of the following: the identifier of the first cell, a first count value, and second indication information.
[0252] In step S2107, the source DU processes the old first key.
[0253] In some embodiments, the source DU processes the old first key based on the received first information.
[0254] In some embodiments, if the first information received by the source DU includes first indication information, the source DU processes the old first key based on the first indication information. In one example, the source DU deletes the old first key based on the first indication information. In another example, the source DU determines that the old first key is invalid based on the first indication information.
[0255] In some embodiments, if the first information received by the source DU does not contain the first indication information, the source DU may not process the old first key, that is, step S2107 may be omitted.
[0256] In some embodiments, if the first information received by the source DU does not contain the first indication information, the source DU may process the old first key based on a strategy specified by the protocol or pre-configured by the CU.
[0257] In step S2108, the source DU sends the fourth information.
[0258] In some embodiments, the terminal receives fourth information.
[0259] In some embodiments, the fourth information is used to trigger the terminal to generate the first key.
[0260] In some embodiments, the fourth information is used to instruct the terminal to generate the first key.
[0261] In some embodiments, the fourth information is used to instruct the terminal to generate the first key according to the method of generating the first key for the target DU by the CU.
[0262] In some embodiments, the fourth information is used to instruct the terminal to derive the first key and derive the second information based on the first key.
[0263] In some embodiments, the fourth information includes at least one of the following: the identifier of the first cell, the first count value, and the second indication information.
[0264] In some embodiments, the source DU sends fourth information based on the received first information. In one example, the source DU obtains RRC reconfiguration information from the UE context modification request message and sends the RRC reconfiguration information to the terminal.
[0265] In some embodiments, steps S2107 and S2108 may be executed simultaneously. In some embodiments, steps S2107 and S2108 may be executed in an alternate order.
[0266] In step S2109, the source DU sends third information.
[0267] In some embodiments, the CU receives third information.
[0268] In some embodiments, after the source DU processes the old first key, the source DU may send third information to the CU, which is used by the CU to confirm the processing of the old first key.
[0269] In some embodiments, the source DU can send third information to the CU via a fourth message, which is a response message to the third message and is used to respond to the terminal's context information modification request. In one example, the fourth message is a UE context modification response message. In one example, the UE context modification response message includes the third information, which is used by the CU to acknowledge the UE context modification of the old first key.
[0270] In some embodiments, steps S2108 and S2109 may be executed simultaneously or in reverse order.
[0271] In step S2110, the terminal generates a first key based on the fourth information.
[0272] In some embodiments, the terminal may generate the first key based on the fourth information. The terminal may also deduce the first key based on the fourth information.
[0273] In some embodiments, if the fourth information received by the terminal includes second indication information, the terminal generates a first key based on the second key.
[0274] In some embodiments, if the fourth information received by the terminal includes a first count value, the terminal generates a first key based on the second key and the first count value.
[0275] In some embodiments, if the fourth information received by the terminal includes the second indication information and the identifier of the first cell, the terminal generates the first key based on the second key and the identifier of the first cell.
[0276] In some embodiments, when the fourth information received by the terminal includes a first count value and an identifier of the first cell, the terminal may generate a first key based on a second key and the identifier of the first cell, or it may generate a first key based on a second key and a first count value, or it may generate a first key based on a second key, the identifier of the first cell, and the first count value.
[0277] In some embodiments, when the fourth information received by the terminal includes the second indication information, the identifier of the first cell, and the first count value, the terminal may generate the first key based on the second key and the identifier of the first cell, or it may generate the first key based on the second key and the first count value, or it may generate the first key based on the second key, the identifier of the first cell, and the first count value.
[0278] In some embodiments, if the second key is not updated, the terminal can obtain its own stored second key and deduce the first key based on the second key. In some embodiments, if the second key is updated, the terminal can deduce a new second key and deduce the first key based on the new second key.
[0279] In some embodiments, the method by which the terminal generates the first key can be the same as the method by which the CU generates the first key, and can be referred to step S2103, which will not be repeated here.
[0280] In step S2111, the terminal obtains the second information based on the first key.
[0281] In some embodiments, the method by which the terminal obtains the second information and the method by which the target DU obtains the second information may be the same, and step S2105 can be referred to, which will not be repeated here.
[0282] The communication method involved in the embodiments of this disclosure may include at least one of steps S2101 to S2111. For example, step S2101 may be implemented as a standalone embodiment. For example, step S2102 may be implemented as a standalone embodiment. For example, step S2103 may be implemented as a standalone embodiment. For example, step S2104 may be implemented as a standalone embodiment. For example, step S2105 may be implemented as a standalone embodiment. For example, step S2106 may be implemented as a standalone embodiment. For example, step S2107 may be implemented as a standalone embodiment. For example, step S2108 may be implemented as a standalone embodiment. For example, step S2109 may be implemented as a standalone embodiment. For example, step S2110 may be implemented as a standalone embodiment. For example, step S2111 may be implemented as a standalone embodiment. For example, steps S2103 and S2104 may be combined as a standalone embodiment. For example, steps S2104 and S2105 may be combined as a standalone embodiment. For example, steps S2103, S2104, and S2105 can be combined as independent embodiments. For example, steps S2104 and S2106 can be combined as independent embodiments. For example, steps S2106 and S2107 can be combined as independent embodiments. For example, steps S2106, S2107, and S2109 can be combined as independent embodiments. For example, steps S2104, S2106, and S2107 can be combined as independent embodiments. For example, steps S2104, S2106, S2107, and S2109 can be combined as independent embodiments. For example, steps S2108 and S2110 can be combined as independent embodiments. For example, steps S2110 and S2111 can be combined as independent embodiments. For example, steps S2108, S2110, and S2111 can be combined as independent embodiments.
[0283] In some embodiments, steps S2105 and S2107 are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0284] In some embodiments, steps S2107 and S2108 may be executed simultaneously or in an alternate order, and this disclosure does not specifically limit this.
[0285] In some embodiments, steps S2108 and S2109 may be executed simultaneously or in an alternate order, and this disclosure does not specifically limit this.
[0286] In this embodiment, the CU can continuously derive a new first key in response to cell handover. That is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the CU can distribute the derived first key to the target DU after the cell handover, ensuring the security of one or more protocol layers of communication between the target DU and the terminal.
[0287] Figure 2B is an interactive schematic diagram of a communication method provided according to an embodiment of the present disclosure. As shown in Figure 2B, the present disclosure relates to a communication method. Executed by a communication system 100, the communication method includes steps S2201 to S2211.
[0288] In this embodiment of the disclosure, the cell handover process is Case 2, namely, cell handover between different cells covered by the same DU. In this case, the communication system includes a terminal, a CU, and a DU controlled by the CU.
[0289] In step S2201, the terminal sends a measurement report.
[0290] In some embodiments, the DU receives measurement reports.
[0291] In some embodiments, the CU receives measurement reports via the DU.
[0292] Optional implementations of step S2201 can also be found in optional implementations of step S2101 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0293] In step S2202, the CU determines the first cell based on the measurement report.
[0294] Optional implementations of step S2202 can also be found in optional implementations of step S2102 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0295] In step S2203, the CU generates a first key in response to cell handover.
[0296] Optional implementations of step S2203 can also be found in optional implementations of step S2103 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0297] In step S2204, the CU sends the first key.
[0298] In some embodiments, the DU receives a first key.
[0299] In some embodiments, the CU sends a first key to the DU via a first message. The first message is used to request modification of the terminal's context information. In one example, the first message is a UE context modification request message.
[0300] In some embodiments, the CU may send a first indication message to the DU simultaneously with sending the first key, so as to distribute the new first key to the DU while instructing the DU to process the old first key, thereby avoiding a conflict between the old and new first keys. In some embodiments, the CU sends a first message to the DU, which carries the first key and the first indication message. In one example, the CU sends a UE context modification request message to the DU, which includes the first key and the first indication message.
[0301] Optional implementations of step S2204 can also be found in optional implementations of step S2104 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0302] In step S2205, DU obtains the second information based on the first key.
[0303] In some embodiments, if both the DU and the terminal support using the second information as the encryption key for communication between the target DU and the terminal, the DU performs step S2205.
[0304] In some embodiments, if the DU does not support using the second information as the encryption key for communication between the DU and the terminal, or if the terminal does not support using the second information as the encryption key for communication between the terminal and the DU, step S2205 can be omitted. In this case, the terminal and the DU use the first key to protect the security of communication.
[0305] In some embodiments, after obtaining the second information, the DU may also send a second message to the CU to notify the CU that the DU has received the first key and obtained the second information. In some embodiments, the second message is a response message to the first message. In one example, the second message is a UE context modification response message.
[0306] In some embodiments, if step S2105 is omitted, DU may also send a second message to CU to notify CU that DU has received the first key.
[0307] Optional implementations of step S2205 can also be found in optional implementations of step S2105 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0308] In step S2206, the CU sends the first information.
[0309] In some embodiments, the DU receives first information.
[0310] In some embodiments, the first information includes at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information.
[0311] In some embodiments, if the CU sends a first key and a first indication information to the DU simultaneously in step S2204, the first information sent by the CU in step S2206 may not include the first indication information.
[0312] In some embodiments, the CU sends first information to the DU via a downlink RRC message transfer (DL RRC message transfer) message. In some embodiments, the downlink RRC message transfer message includes RRC reconfiguration information, which includes at least one of the following: an identifier of the first cell, a first count value, and second indication information.
[0313] Optional implementations of step S2206 can also be found in optional implementations of step S2106 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0314] In step S2207, DU processes the old first key.
[0315] In some embodiments, when the CU simultaneously sends the first key and the first indication information, step S2207 can be performed after step S2204 and before step S2206.
[0316] Optional implementations of step S2207 can also be found in optional implementations of step S2107 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0317] In step S2208, DU sends the fourth message.
[0318] In some embodiments, the terminal receives fourth information.
[0319] Optional implementations of step S2208 can also be found in optional implementations of step S2108 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0320] In step S2209, DU sends third information.
[0321] In some embodiments, the CU receives third information.
[0322] In some embodiments, after step S2207, the second message sent by the DU to the CU can also be used to confirm the processing of the old first key. In one example, the UE context modification response message includes third information used to confirm the UE context modification of the old first key.
[0323] In some embodiments, steps S2209 and S2208 may be executed simultaneously or in reverse order.
[0324] Optional implementations of step S2209 can also be found in optional implementations of step S2109 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0325] In step S2210, the terminal generates a first key based on the fourth information.
[0326] Optional implementations of step S2210 can also be found in optional implementations of step S2110 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0327] In step S2211, the terminal obtains the second information based on the first key.
[0328] Optional implementations of step S2211 can also be found in the optional implementations of step S2111 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0329] The communication method involved in the embodiments of this disclosure may include at least one of steps S2201 to S2211. For example, step S2201 may be implemented as a standalone embodiment. For example, step S2202 may be implemented as a standalone embodiment. For example, step S2203 may be implemented as a standalone embodiment. For example, step S2204 may be implemented as a standalone embodiment. For example, step S2205 may be implemented as a standalone embodiment. For example, step S2206 may be implemented as a standalone embodiment. For example, step S2207 may be implemented as a standalone embodiment. For example, step S2208 may be implemented as a standalone embodiment. For example, step S2209 may be implemented as a standalone embodiment. For example, step S2210 may be implemented as a standalone embodiment. For example, step S2211 may be implemented as a standalone embodiment. For example, steps S2203 and S2204 may be combined as a standalone embodiment. For example, steps S2204 and S2205 may be combined as a standalone embodiment. For example, steps S2203, S2204, and S2205 can be combined as independent embodiments. For example, steps S2204 and S2206 can be combined as independent embodiments. For example, steps S2206 and S2207 can be combined as independent embodiments. For example, steps S2206, S2207, and S2209 can be combined as independent embodiments. For example, steps S2204, S2206, and S2207 can be combined as independent embodiments. For example, steps S2204, S2206, S2207, and S2209 can be combined as independent embodiments. For example, steps S2208 and S2210 can be combined as independent embodiments. For example, steps S2210 and S2211 can be combined as independent embodiments. For example, steps S2208, S2210 and S2211 can be combined as independent embodiments.
[0330] In some embodiments, steps S2205 and S2207 are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0331] In some embodiments, steps S2207 and S2208 may be executed simultaneously or in an alternate order, and this disclosure does not specifically limit this.
[0332] In some embodiments, steps S2208 and S2209 may be executed simultaneously or in an alternate order, and this disclosure does not specifically limit this.
[0333] In some embodiments, if the CU also sends first indication information in step S2204, step S2207 can be executed after step S2204 and before step S2206.
[0334] In this embodiment, the CU can continuously derive a new first key in response to cell handover. That is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the CU can distribute the derived first key to the DU after the cell handover, ensuring the security of one or more protocol layers of communication between the DU and the terminal.
[0335] Figure 2C is an interactive schematic diagram of a communication method provided according to an embodiment of the present disclosure. As shown in Figure 2C, the present disclosure relates to a communication method. Executed by a communication system 100, the communication method includes steps S2301 to S2312.
[0336] In this embodiment of the disclosure, the cell handover process is Case 3, namely, cell handover between different CUs. In this case, the communication system includes a terminal, a CU of the second cell (denoted as the source CU), a DU of the second cell (denoted as the source DU), a CU of the first cell (denoted as the target CU), and a DU of the first cell (denoted as the target DU). Among them, the source DU is controlled by the source CU, and the target DU is controlled by the target CU.
[0337] In step S2301, the terminal sends a measurement report.
[0338] In some embodiments, the source DU receives a measurement report.
[0339] In some embodiments, the source CU receives measurement reports via the source DU.
[0340] Optional implementations of step S2301 can also be found in optional implementations of step S2101 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0341] In step S2302, the source CU determines the target CU based on the measurement report and generates a second key.
[0342] In some embodiments, the second key is used for the security of communication between the target CU and the terminal.
[0343] In some embodiments, the source CU generates a second key based on the Next Chain Counter (NCC) value.
[0344] Optional implementations of step S2302 can also be found in optional implementations of step S2102 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0345] In step S2303, the source CU sends the second key.
[0346] In some embodiments, the target CU receives a second key.
[0347] In some embodiments, the source CU can send a second key via a fifth message, which is used to request a handover. In one example, the fifth message is a handover request message.
[0348] In some embodiments, the source CU may send an NCC value along with the second key. In some embodiments, the source CU sends a fifth message to the target CU, the fifth message carrying the second key and the NCC value. In some embodiments, the NCC value is used to generate the second key.
[0349] In step S2304, the target CU generates a first key in response to cell handover.
[0350] In some embodiments, the target CU generates a first key based on the received second key.
[0351] The alternative implementation of step S2304 can also be found in the alternative implementation of step S2103 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0352] In step S2305, the target CU sends the first key.
[0353] In some embodiments, the target DU receives a first key.
[0354] Optional implementations of step S2305 can also be found in optional implementations of step S2104 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0355] In step S2306, the target DU obtains the second information based on the first key.
[0356] Optional implementations of step S2306 can also be found in optional implementations of step S2105 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0357] In step S2307, the target CU sends the first information.
[0358] In some embodiments, the source CU receives first information.
[0359] In some embodiments, the source DU receives the first information via the source CU.
[0360] In some embodiments, the target CU sends first information to the source CU via a sixth message, which is a response to the fifth message. In one example, the sixth message is a handover request confirmation (UE context setup response) message.
[0361] In some embodiments, the first information includes at least one of the following: first indication information, identifier of the first cell, first count value, second indication information, and third indication information.
[0362] In some embodiments, the third indication information is used to indicate how the old second key should be processed. The source CU can process the old second key based on the third indication information.
[0363] Optional implementations of step S2307 can also be found in optional implementations of step S2106 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0364] In step S2308, the source DU processes the old first key.
[0365] Optional implementations of step S2308 can also be found in optional implementations of step S2107 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0366] In step S2309, the source DU sends the fourth information.
[0367] In some embodiments, the terminal receives fourth information.
[0368] Optional implementations of step S2309 can also be found in optional implementations of step S2108 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0369] In step S2310, the source DU sends third information.
[0370] In some embodiments, the source CU receives third information.
[0371] Optional implementations of step S2310 can also be found in optional implementations of step S2109 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0372] In step S2311, the terminal generates a first key based on the fourth information.
[0373] In some embodiments, during the process of the terminal generating the first key based on the fourth information, the terminal may first generate the second key based on the fourth information, and then generate the first key based on the second key.
[0374] In some embodiments, the terminal generates a second key based on the NCC value contained in the fourth information, and generates a first key based on the derived second key.
[0375] The alternative implementation of step S2311 can also be found in the alternative implementation of step S2110 in Figure 2A, and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0376] In step S2312, the terminal obtains the second information based on the first key.
[0377] The optional implementation of step S2312 can also be found in the optional implementation of step S2111 in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0378] The communication method involved in the embodiments of this disclosure may include at least one of steps S2301 to S2312. For example, step S2301 may be implemented as a standalone embodiment. For example, step S2302 may be implemented as a standalone embodiment. For example, step S2303 may be implemented as a standalone embodiment. For example, step S2304 may be implemented as a standalone embodiment. For example, step S2305 may be implemented as a standalone embodiment. For example, step S2306 may be implemented as a standalone embodiment. For example, step S2307 may be implemented as a standalone embodiment. For example, step S2308 may be implemented as a standalone embodiment. For example, step S2309 may be implemented as a standalone embodiment. For example, step S2310 may be implemented as a standalone embodiment. For example, step S2311 may be implemented as a standalone embodiment. For example, step S2312 may be implemented as a standalone embodiment. For example, steps S2304 and S2305 may be combined as a standalone embodiment. For example, steps S2305 and S2306 can be combined as independent embodiments. For example, steps S2304, S2305, and S2306 can be combined as independent embodiments. For example, steps S2305 and S2307 can be combined as independent embodiments. For example, steps S2307 and S2308 can be combined as independent embodiments. For example, steps S2308 and S2310 can be combined as independent embodiments. For example, steps S2307, S2308, and S2310 can be combined as independent embodiments. For example, steps S2305, S2307, and S2308 can be combined as independent embodiments. For example, steps S2309 and S2311 can be combined as independent embodiments. For example, steps S2311 and S2312 can be combined as independent embodiments. For example, steps S2309, S2311 and S2312 can be combined as independent embodiments.
[0379] In some embodiments, steps S2306 and S2308 are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0380] In some embodiments, steps S2308 and S2309 may be executed simultaneously or in an alternate order, and this disclosure does not specifically limit this.
[0381] In this embodiment, the target CU can continuously derive a new first key in response to cell handover. That is, whenever the cell accessed by the terminal is updated, the first key is also updated, thereby achieving secure isolation protection based on key updates during terminal movement. On the other hand, during cell handover, the target CU can distribute the derived first key to the target DU after the cell handover, ensuring the security of one or more protocol layers of communication between the target DU and the terminal.
[0382] In some embodiments, terms such as “derivation,” “inference,” “derive,” and “generate” can be used interchangeably.
[0383] In some embodiments, terms such as "first node," "centralized unit," and "control unit" can be used interchangeably.
[0384] In some embodiments, terms such as "second node" and "distribution unit" can be used interchangeably.
[0385] In some embodiments, terms such as "first node of the first cell", "first node of the target cell", "first node after cell handover", "centralized unit of the target cell", and "centralized unit after cell handover" can be used interchangeably.
[0386] In some embodiments, terms such as "first node of the second cell", "first node of the source cell", "first node before cell handover", "centralized unit of the source cell", and "centralized unit before cell handover" can be used interchangeably.
[0387] In some embodiments, terms such as "second node of the first cell", "second node of the target cell", "second node after cell handover", "distribution unit of the target cell", and "distribution unit after cell handover" can be used interchangeably.
[0388] In some embodiments, terms such as "second node of the second cell", "second node of the source cell", "second node before cell handover", "distribution unit of the source cell", and "distribution unit before cell handover" can be used interchangeably.
[0389] In some embodiments, terms such as "identifier of the first cell", "identifier of the target cell", "ID of the target cell", and "ID of the cell after handover" can be used interchangeably.
[0390] In some embodiments, terms such as "second cell," "source cell," and "cell before cell handover" can be used interchangeably.
[0391] In some embodiments, the names of information, etc., are not limited to the names described in the embodiments. Terms such as "information", "message", "signal", "signaling", "report", "configuration", "indication", "instruction", "command", "channel", "parameter", "domain", "field", "symbol", "symbol", "codebook", "codeword", "codepoint", "bit", "data", "program", and "chip" can be used interchangeably.
[0392] In some embodiments, the terms “radio”, “wireless”, “radio access network (RAN)”, “access network (AN)”, and “RAN-based” can be used interchangeably.
[0393] In some embodiments, terms such as “moment,” “point in time,” “time,” and “time location” can be used interchangeably, as can terms such as “duration,” “segment,” “time window,” “window,” and “time.”
[0394] In some embodiments, "acquire," "get," "obtain," "receive," "transmit," "bidirectional transmission," and "send and / or receive" can be used interchangeably and can be interpreted as receiving from other entities, acquiring from protocols, acquiring from higher layers, obtaining through self-processing, or autonomous implementation. Protocols include, for example, at least one of the 3GPP protocol, Wi-Fi protocol, and audio and / or video protocols.
[0395] In some embodiments, terms such as “send,” “transmit,” “report,” “distribute,” “transfer,” “bidirectional transmission,” “send and / or receive” can be used interchangeably.
[0396] In some embodiments, terms such as "certain," "preset," "default," "set," "indicated," "a certain," "any," and "first" can be used interchangeably. "Certain A," "preset A," "default A," "set A," "indicated A," "a certain A," "any A," and "first A" can be interpreted as A pre-defined in a protocol or the like, or as A obtained through setting, configuration, or instruction, or as specific A, a certain A, any A, or first A, but are not limited thereto.
[0397] In some embodiments, if an arrow in the interaction diagram representing the sending of information, signaling, etc. from one subject to another passes through other subjects, it can be interpreted as the information being forwarded from one subject to another via other subjects, or it can be interpreted as the information being sent from one subject to another without passing through other subjects.
[0398] Figure 3 is another interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure. The communication method involved in the embodiment of the present disclosure can be applied to a terminal, a first node, and a second node in a communication system 100. As shown in Figure 3, the communication method of the embodiment of the present disclosure includes steps S3101 to S3103.
[0399] In step S3101, the first node sends the first key to the second node of the first cell.
[0400] Optional implementations of step S3101 can also be found in optional implementations of step S2104 in Figure 2A, optional implementations of step S2204 in Figure 2B, optional implementations of step S2305 in Figure 2C, other related parts in the embodiments involved in Figure 2A, other related parts in the embodiments involved in Figure 2B, and other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0401] In step S3102, the first node sends the first information to the second node of the second cell.
[0402] Optional implementations of step S3102 can also be found in optional implementations of step S2106 in Figure 2A, optional implementations of step S2206 in Figure 2B, optional implementations of step S2307 in Figure 2C, other related parts in the embodiments involved in Figure 2A, other related parts in the embodiments involved in Figure 2B, and other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0403] In step S3103, the second node of the second cell sends the fourth information to the terminal.
[0404] Optional implementations of step S3103 can also be found in optional implementations of step S2108 in Figure 2A, optional implementations of step S2208 in Figure 2B, optional implementations of step S2309 in Figure 2C, other related parts in the embodiments involved in Figure 2A, other related parts in the embodiments involved in Figure 2B, and other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0405] The communication method involved in the embodiments of this disclosure may include at least one of steps S3101 to S3103. For example, step S3101 may be implemented as a standalone embodiment. For example, step S3102 may be implemented as a standalone embodiment. For example, step S3103 may be implemented as a standalone embodiment.
[0406] In the following, the technical solutions of the embodiments of this disclosure will be described by way of specific implementation.
[0407] In some embodiments, the first key (K) DU The key is generated by the CU and needs to be distributed to the DU. Furthermore, the input data for key derivation (e.g., C-RNTI, DU counter) also needs to be available in both the UE and the CU to derive K. DU At the same time, the UE needs to be notified to trigger K in the same way. DU The generation of K is so that it can be shared between the UE and DU. DU K DU The distribution of input data for key derivation needs to be performed in various processes along with the UE's movement in the network.
[0408] In some embodiments, when the UE moves from one DU to another within the same CU, K DU The distribution of input data for key derivation is shown in Figure 2A.
[0409] In some embodiments, as shown in FIG2A, in step S2101, the UE sends a measurement report message to the source gNB-DU. The source gNB-DU sends a UL RRC message transmission message to the gNB-CU to convey the received measurement report message.
[0410] In some embodiments, as shown in FIG2A, in steps S2102 and S2103, the gNB-CU selects a target gNB-DU in its controlled gNB-DUs based on the measurement report. Once the target gNB-DU is selected, if the target gNB-DU needs to support lower-level security (e.g., based on local policies), the gNB-CU determines to use a second key (K). gNB Export new K DUFor the key-derived input, the gNB-CU uses the target cell ID and sequentially selects another DU counter from the DU counter pool.
[0411] In some embodiments, as shown in FIG2A, in step S2104, the gNB-CU sends a UE context establishment request message to the target gNB-DU to create a UE context and establish one or more data bearers. In addition to handover preparation information, the UE context establishment request message also includes a new K derived for the target gNB-DU. DU .
[0412] In some embodiments, as shown in FIG2A, in step S2105, the target gNB-DU retrieves K from the UE context establishment request message. DU In some embodiments, the target gNB-DU can be derived from K. DU Export CAK / CKN, or in this step, export K. DU Designated as CAK. In some embodiments, the target gNB-DU is from K. DU Export CAK / CKN, or export K before lower-level security establishment is triggered by the target gNB-DU in a later step. DU Specify CAK. In some embodiments, the target gNB-DU responds to the gNB-CU with a UE context establishment response message.
[0413] In some embodiments, as shown in FIG2A, in step S2106, the gNB-CU sends a UE context modification request message to the source gNB-DU, which includes a generated RRC reconfiguration message. The target cell ID is included in the RRC reconfiguration message. In some embodiments, if the gNB-CU needs to notify the source gNB-DU to remove lower-layer security parameters from the UE context (e.g., based on local policies), the gNB-CU also includes first indication information in the UE context modification request message. In some embodiments, if the target gNB-CU derives a new K... DU Then the gNB-CU also includes the DU counter and / or second indication information selected by the gNB-CU in the RRCReconfiguration message.
[0414] In some embodiments, as shown in FIG2A, in steps S2107 and S2109, the source gNB-DU responds to the gNB-CU with a UE context modification response message. The source gNB-DU may include confirmation of UE context modification for security parameter disposal (e.g., old KDU deletion) in the UE context modification response message.
[0415] In some embodiments, as shown in FIG2A, in step S2108, the source gNB-DU forwards the received RRC reconfiguration message to the UE.
[0416] In some embodiments, as shown in FIG2A, in step S2110, if the UE retrieves the DU counter and / or second indication information from the RRC reconfiguration message, the UE determines that from K gNB Export new K DU The UE uses the target cell ID and DU counter included in the RRC reconfiguration message to perform K... DU Derivation.
[0417] In some embodiments, as shown in FIG2A, in step S2111, the UE can access K DU Export CAK / CKN or K DU Designated as CAK. In some embodiments, when the UE receives a lower-layer security establishment request from the target gNB-DU in a later step, it selects CAK. DU Export CAK / CKN or specify KDU as CAK.
[0418] In some embodiments, the UE responds to the target gNB-DU with an RRC reconfiguration complete message. In some embodiments, the target gNB-DU sends a UL RRC message transmission message to the gNB-CU to indicate receipt of the RRC reconfiguration complete message. In some embodiments, the UE context release procedure with the source gNB-DU is triggered by the gNB-CU.
[0419] In some embodiments, when a UE moves from one cell to another within the same DU, there is no key update and no key distribution is required.
[0420] In some embodiments, when a UE moves from one cell to another within the same DU, K DU The distribution of input data for key derivation is shown in Figure 2B. This process is supported by the UE context modification procedure initiated by the CU.
[0421] In some embodiments, as shown in FIG2B, in step S2201, the UE sends a measurement report message containing measurements of neighboring cells to the gNB-DU. The gNB-DU sends a UL RRC message transmission message to the gNB-CU to transmit the received measurement report message.
[0422] In some embodiments, as shown in FIG2B, in steps S2202 and S2203, based on the measurement report, the gNB-CU selects a target cell supported by the gNB-DU. Once a target cell is selected, if the target cell needs to support lower-layer security (e.g., based on gNB-CU's local policies), the gNB-CU determines to use K. gNB Export a new KDU. For the input of the key export, gNB-CU uses the target cell ID and selects another DU counter from the DU counter pool in sequence.
[0423] In some embodiments, as shown in FIG2B, in step S2204, the gNB-CU sends a UE context modification request message to the gNB-DU. This message indicates the target cell via the target cell ID. The UE context modification request message also includes a new K derived for the target cell. DU .
[0424] In some embodiments, if the gNB-CU needs to notify the gNB-DU to remove older lower-layer security parameters (e.g., older KDUs) from the UE context (e.g., based on local policies), the gNB-CU also includes first indication information in the UE context modification request message.
[0425] In some embodiments, as shown in FIG2B, in step S2205, gNB-DU retrieves K from the UE context modification request message. DU In some embodiments, the target gNB-DU can be derived from K. DU Export CAK / CKN, or in this step, export K. DU Designated as CAK. In some embodiments, the target gNB-DU is from K. DU Export CAK / CKN, or export K before lower-level security establishment is triggered by the target gNB-DU in a later step. DU Specify CAK.
[0426] In some embodiments, as shown in FIG2B, in step S2206, gNB-CU sends a DL RRC message transmission message to gNB-DU, which includes a generated RRC reconfiguration message. The target cell ID is included in the RRC reconfiguration message. In some embodiments, if a new K is derived for the target cell... DU Then the gNB-CU also includes the DU counter and / or key indicator selected by the gNB-CU in the RRC reconfiguration message.
[0427] In some embodiments, as shown in FIG2B, in steps S2207 and S2209, the gNB-DU responds to the gNB-CU with a UE context modification response message. The gNB-DU may include the handling of security parameters (e.g., old K) in the UE context modification response message. DU Confirmation of UE context modification (deleted).
[0428] In some embodiments, as shown in FIG2B, in step S2208, gNB-DU forwards the received RRC reconfiguration message to the UE.
[0429] In some embodiments, as shown in FIG2B, in step S2210, if the UE retrieves the DU counter and / or key indicator from the RRC reconfiguration message, the UE determines from K gNB Export new K DU The UE uses the target cell ID and DU counter included in the RRC reconfiguration message to perform K... DU Derivation.
[0430] In some embodiments, as shown in FIG2B, in step S2211, the UE can export CAK / CKN from KDU or export K DU Designated as CAK. In some embodiments, when the UE receives a low-layer security establishment request for the target cell from the gNB-DU in a later step, it selects CAK. DU Export CAK / CKN or K DU Designated as CAK. In some embodiments, the UE responds to the gNB-DU with an RRC reconfiguration complete message. In some embodiments, the gNB-DU forwards the RRC reconfiguration complete message to the gNB-CU via a UL RRC message transmission message.
[0431] In some embodiments, when the UE moves from one CU to another, K DU The distribution of input data for key derivation is shown in Figure 2C.
[0432] In some embodiments, as shown in FIG2C, in step S2301, the UE sends a measurement report message to the source gNB-DU. In some embodiments, the source gNB-DU sends a UL RRC message transmission message to the source gNB-CU to convey the received measurement report message.
[0433] In some embodiments, as shown in FIG2C, in step S2302, the source gNB-CU selects the target gNB-CU based on the measurement report and sends the derived K to the target gNB-CU. NG-RAN* and used for K NG-RAN* A request to switch exported NCC values.
[0434] In some embodiments, as shown in FIG2C, in steps S2303 and S2304, the target gNB-CU will K NG-RAN* As K gNB If the target gNB-DU needs to support lower-level security (e.g., based on local policies), then the target gNB-CU determines to derive a new K using KgNB. DU For the input of key derivation, the target gNB-CU uses the target cell ID to generate a DU counter pool and selects an initial DU counter to derive K. DU .
[0435] In some embodiments, as shown in FIG2C, in step S2305, the target gNB-CU sends a UE context establishment request message to the target gNB-DU to create a UE context and establish one or more data bearers. In addition to handover preparation information, the UE context establishment request message also includes a new K derived for the target gNB-DU. DU .
[0436] In some embodiments, as shown in FIG2C, in step S2306, the target gNB-DU retrieves K from the UE context establishment request message. DU In some embodiments, the target gNB-DU can be derived from K. DU Export the CAK / CKN, or specify the KDU as CAK in this step. In some embodiments, the target gNB-DU is derived from K. DU Export CAK / CKN, or export K before lower-level security establishment is triggered by the target gNB-DU in a later step. DU Specify CAK. In some embodiments, the target gNB-DU responds to the target gNB-CU with a UE context establishment response message.
[0437] In some embodiments, as shown in FIG2C, in step S2307, the target gNB-CU responds to the source gNB-CU with a handover request confirmation message, which includes a DU counter and / or key indicator selected by the target gNB-CU. In some embodiments, the source gNB-CU sends a UE context modification request message to the source gNB-DU, which includes a generated RRC reconfiguration message. The target cell ID is included in the RRC reconfiguration message. In some embodiments, if the source gNB-CU needs to notify the source gNB-DU to remove lower-layer security parameters from the UE context (e.g., based on local policies), the source gNB-CU also includes first indication information in the UE context modification request message. In some embodiments, if a DU counter and / or key indicator are received in the handover request confirmation, the source gNB-CU also includes the selected received DU counter and / or second indication information sent from the target gNB-CU in the RRCReconfiguration message.
[0438] In some embodiments, as shown in FIG2C, in steps S2308 and S2310, the source gNB-DU responds to the source gNB-CU with a UE context modification response message. The source gNB-DU may include confirmation of UE context modification for security parameter disposal (e.g., old KDU deletion) in the UE context modification response message.
[0439] In some embodiments, as shown in FIG2C, in step S2309, the source gNB-DU forwards the received RRC reconfiguration message to the UE.
[0440] In some embodiments, as shown in FIG2C, in step S2311, the UE first derives K based on the NCC value in the received RRCReconfiguration message. NG-RAN* and K NG-RAN* As the new K gNB In some embodiments, if the UE retrieves the DU counter and / or key indicator from the RRCReconfiguration message, the UE determines the new K... gNB Export new K DU The UE uses the target cell ID and DU counter included in the RRCReconfiguration message to perform K... DU Derivation.
[0441] In some embodiments, as shown in FIG2C, in step S2312, the UE can access K DUExport CAK / CKN or designate KDU as CAK. In some embodiments, when the UE receives a lower-layer security establishment request from the target gNB-DU in a later step, it exports CAK / CKN or designates KDU as CAK. DU Export CAK / CKN or K DU Designated as CAK. In some embodiments, the UE responds to the target gNB-DU with an RRC reconfiguration complete message. In some embodiments, the target gNB-DU sends a UL RRC message to the target gNB-CU to convey the received RRC reconfiguration complete message. In some embodiments, after a successful path handover procedure with the AMF, the target gNB-CU sends a UE context release message to notify the source gNB-CU of a successful handover. In some embodiments, the source gNB-CU and the source gNB-DU trigger a UE context release procedure.
[0442] This disclosure also proposes an apparatus for implementing any of the above methods. For example, a terminal is proposed, which includes units or modules for implementing the steps performed by the terminal in any of the above methods. Furthermore, another network device is proposed, including units or modules for implementing the steps performed by the network device (e.g., access network device, core network functional node, core network device, etc.) in any of the above methods.
[0443] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.
[0444] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a microprocessor), or a digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. In addition, it can also be hardware circuits designed for artificial intelligence, which can be understood as ASICs, such as Neural Network Processing Units (NPUs), Tensor Processing Units (TPUs), and Deep Learning Processing Units (DPUs).
[0445] Figure 4 is a schematic diagram of the structure of the communication device proposed in an embodiment of this disclosure. The communication device can be a terminal, a first node, or a second node.
[0446] In some embodiments, the communication device is a first node. As shown in FIG4, the communication device 4100 may include a transceiver module 4101, which is configured to send a first key KDU to a second node of a first cell. The first key is generated by the first node in response to cell handover and is used for the security of communication between the second node of the first cell and the terminal. The second node of the first cell is controlled by the first node, and the first cell is the cell after the cell handover.
[0447] In some embodiments, the communication device is a second node of a first cell. As shown in FIG4, the communication device 4100 may include a transceiver module 4101, which is configured to receive a first key sent by the first node. The first key is generated by the first node in response to cell handover. The first key is used for the security of communication between the second node of the first cell and the terminal. The first cell is the cell after the cell handover.
[0448] In some embodiments, the communication device is a second node of a second cell. As shown in FIG4, the communication device 4100 may include: a transceiver module 4101, which is configured to receive first information sent by the first node. The first information includes at least one of the following: first indication information, an identifier of a first cell, a first count value, and second indication information. The first indication information is used to indicate the processing method of the old first key. The identifier of the first cell is used to generate a first key, and the first count value is used to generate a first key. The first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal. The second indication information is used to instruct the terminal to generate the first key, and the second key is used for the security of communication between the first node and the terminal. The second cell is the cell before the cell handover, and the first cell is the cell after the cell handover.
[0449] In some embodiments, the communication device is a terminal. As shown in FIG4, the communication device 4100 may include: a transceiver module 4101, which is configured to receive fourth information sent by a second node of a second cell. The fourth information includes at least one of the following: an identifier of a first cell, a first count value, and second indication information; wherein, the identifier of the first cell is used to generate a first key, the first count value is used to generate the first key, the first key is generated by a first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key, the second key is used for the security of communication between the first node of the first cell and the terminal, the first cell is the cell after the cell handover, and the second cell is the cell before the cell handover.
[0450] Figure 5 is a schematic diagram of the structure of a communication device provided according to an embodiment of this disclosure. The communication device 5100 can be a terminal or a network device, or it can be a chip, chip system, or processor that supports the terminal or network device in implementing any of the above methods. The communication device 5100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.
[0451] As shown in Figure 5, the communication device 5100 includes one or more processors 5101. The processor 5101 can be a general-purpose processor or a dedicated processor, such as a baseband processor or a central processing unit (CPU). The baseband processor can be used to process communication protocols and communication data, while the CPU can be used to control communication devices (e.g., base stations, baseband chips, terminal devices, terminal device chips, DUs or CUs, etc.), execute programs, and process program data. Optionally, the communication device 5100 can be used to execute any of the above methods. Optionally, one or more processors 5101 can be used to invoke instructions to cause the communication device 5100 to execute any of the above methods.
[0452] In some embodiments, the communication device 5100 further includes one or more transceivers 5102. When the communication device 5100 includes one or more transceivers 5102, the transceiver 5102 performs at least one of the communication steps such as sending and / or receiving in the above method (e.g., steps S2104, S2204, and S2305, but not limited thereto), and the processor 5101 performs at least one of other steps (e.g., steps S2105, S2205, and S2206, but not limited thereto). In optional embodiments, the transceiver 5102 may include a receiver and / or a transmitter, which may be separate or integrated. Optionally, the terms transceiver, transceiver unit, transceiver, transceiver circuit, interface circuit, and interface can be used interchangeably; the terms transmitter, transmitting unit, transmitter, and transmitting circuit can be used interchangeably; and the terms receiver, receiving unit, receiver, and receiving circuit can be used interchangeably.
[0453] In some embodiments, the communication device 5100 further includes one or more memories 5103 for storing data. Optionally, all or part of the memories 5103 may be located outside the communication device 5100. In optional embodiments, the communication device 5100 may include one or more interface circuits 5104. Optionally, the interface circuits 5104 are connected to the memories 5103 and can be used to receive data from the memories 5103 or other devices, and to send data to the memories 5103 or other devices. For example, the interface circuits 5104 can read data stored in the memories 5103 and send the data to the processor 5101.
[0454] The communication device 5100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 5100 described in this disclosure is not limited thereto, and the structure of the communication device 5100 may not be limited by FIG. 5. The communication device may be a standalone device or a part of a larger device. For example, the communication device may be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.
[0455] Figure 6 is a schematic diagram of the structure of a chip provided according to an embodiment of the present disclosure. For cases where the communication device 5100 can be a chip or a chip system, please refer to the schematic diagram of the chip 6100 shown in Figure 6, but it is not limited thereto.
[0456] Chip 6100 includes one or more processors 6101. Chip 6100 is used to perform any of the above methods.
[0457] In some embodiments, chip 6100 further includes one or more interface circuits 6102. Optionally, terms such as interface circuit, interface, and transceiver pin can be used interchangeably. In some embodiments, chip 6100 further includes one or more memories 6103 for storing data. Optionally, all or part of the memories 6103 may be located outside chip 6100. Optionally, interface circuit 6102 is connected to memory 6103, and interface circuit 6102 can be used to receive data from memory 6103 or other devices, and interface circuit 6102 can be used to send data to memory 6103 or other devices. For example, interface circuit 6102 can read data stored in memory 6103 and send the data to processor 6101.
[0458] In some embodiments, the interface circuit 6102 performs at least one of the communication steps such as sending and / or receiving in the above-described method (e.g., steps S2104, S2204, and S2305, but not limited thereto). The interface circuit 6102 performing the communication steps such as sending and / or receiving in the above-described method refers, for example, to the interface circuit 6102 performing data interaction between the processor 6101, the chip 6100, the memory 6103, or the transceiver device. In some embodiments, the processor 6101 performs at least one of other steps (e.g., steps S2105, S2205, and S2306, but not limited thereto).
[0459] The modules and / or devices described in the various embodiments, such as virtual devices, physical devices, and chips, can be combined or separated arbitrarily as needed. Optionally, some or all steps can also be performed collaboratively by multiple modules and / or devices, which is not limited here.
[0460] This disclosure also proposes a storage medium storing instructions that, when executed on a communication device 5100, cause the communication device 5100 to perform any of the methods described above. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.
[0461] This disclosure also proposes a program product that, when executed by a communication device 5100, causes the communication device 5100 to perform any of the above methods. Optionally, the program product is a computer program product.
[0462] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods.
[0463] Other embodiments of the invention will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the invention that follow the general principles of the invention and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of the invention are indicated by the following claims.
[0464] It should be understood that the present invention is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of the invention is limited only by the appended claims.
Claims
1. A communication method, executed by a first node, the method comprising: A first key is sent to a second node in the first cell. The first key is generated by the first node in response to cell handover. The first key is used to ensure the security of communication between the second node in the first cell and the terminal. The second node in the first cell is controlled by the first node. The first cell is the cell after the cell handover.
2. The method according to claim 1, wherein, The cell handover includes one of the following: Cell handover between different second nodes controlled by the first node; Cell handover between different cells covered by the second node; Cell handover between different first nodes.
3. The method according to claim 1 or 2, wherein, The first key is carried in the first message, which also includes first indication information. The first indication information is used to indicate the processing method of the old first key, and the second node of the first cell is also the second node of the second cell before the cell handover.
4. The method according to any one of claims 1 to 3, wherein, The method also includes one of the following: In response to the cell handover, the first key is generated based on the second key and the identifier of the first cell; In response to the cell handover, the first key is generated based on the second key and the first count value; In response to the cell handover, a first key is generated based on the second key, the identifier of the first cell, and the first count value; The second key is used for the security of communication between the first node and the terminal, and the first count value is different from the first count value before the cell handover.
5. The method according to any one of claims 1 to 4, wherein, The method further includes: Send first information, the first information including at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information; Wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key; and the second indication information is used to instruct the terminal to generate the first key.
6. The method according to claim 5, wherein, The first information is sent by the first node to the second node of the second cell, which is the cell before the cell handover.
7. The method according to claim 5, wherein, The first information is sent by the first node of the first cell to the first node of the second cell, where the second cell is the cell before the cell handover. The first information includes: a first count value and a second indication information.
8. The method according to any one of claims 1 to 7, wherein, The first node is a centralized unit (CU) in the access network equipment, and the second node is a distributed unit (DU) in the access network equipment.
9. A communication method, executed by a second node of a first cell, wherein the second node of the first cell is controlled by a first node, the method comprising: The system receives a first key sent by the first node. The first key is generated by the first node in response to cell handover. The first key is used for the security of communication between the second node and the terminal in the first cell. The first cell is the cell after the cell handover.
10. The method according to claim 9, wherein, The cell handover includes one of the following: Cell handover between different second nodes controlled by the first node; Cell handover between different cells covered by the second node; Cell handover between the first nodes.
11. The method according to claim 9 or 10, wherein, The first key is carried in the first message, which also includes first indication information. The first indication information is used to indicate the old first key processing method, and the second node of the first cell is also the second node of the second cell before the cell handover.
12. The method according to any one of claims 9 to 11, wherein, The method further includes: Based on the first key, second information is obtained, the second information including at least one of the following: secure connection association key CAK, secure connection association key name CKN.
13. The method according to claim 11, wherein, The method further includes: The old first key is processed based on the first indication information; A third message is sent to the first node, the third message being used to confirm the processing of the old first key.
14. The method according to any one of claims 9 to 13, wherein, The second node of the first cell is also the second node of the second cell before the cell handover, and the method further includes: Receive the first information sent by the first node. Send the fourth message to the terminal; The first information includes at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information; the fourth information includes at least one of the following: identifier of the first cell, first count value, and second indication information; the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, and the first count value is used to generate the first key; the second indication information is used to instruct the terminal to generate the first key.
15. The method according to any one of claims 9 to 14, wherein, The first node is a centralized unit (CU) in the access network equipment, and the second node is a distributed unit (DU) in the access network equipment.
16. A communication method, executed by a second node of a second cell, the second node of the second cell being controlled by a first node, the method comprising: The system receives first information sent by the first node, the first information including at least one of the following: first indication information, identifier of the first cell, first count value, and second indication information; Wherein, the first indication information is used to indicate the processing method of the old first key; the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived from the second key, and the second key is used for the security of communication between the first node and the terminal; the second cell is the cell before the cell handover, and the first cell is the cell after the cell handover.
17. The method according to claim 16, wherein, The cell handover includes one of the following: Cell handover between different second nodes controlled by the first node; Cell handover between different first nodes.
18. The method according to claim 16 or 17, wherein, The second node of the second cell is controlled by the same first node as the second node of the first cell, or by different first nodes.
19. The method according to any one of claims 16 to 18, wherein, The method further includes: The old first key is processed based on the first indication information; A third message is sent to the first node, the third message being used to confirm the processing of the old first key.
20. The method according to any one of claims 16 to 19, wherein, The method further includes: Send a fourth message to the terminal, the fourth message including at least one of the following: the identifier of the first cell, the first count value, and the second indication information.
21. The method according to any one of claims 16 to 20, wherein, The first node is a centralized unit (CU) in the access network equipment, and the second node is a distributed unit (DU) in the access network equipment.
22. A communication method, executed by a terminal, the method further comprising: The system receives fourth information sent by the second node of the second cell, the fourth information including at least one of the following: the identifier of the first cell, the first count value, and the second indication information; Wherein, the identifier of the first cell is used to generate the first key, the first count value is used to generate the first key, the first key is generated by the first node of the first cell in response to cell handover, and the first key is used for the security of communication between the second node of the first cell and the terminal; the second indication information is used to instruct the terminal to generate the first key; the first key is derived from the second key, and the second key is used for the security of communication between the first node of the first cell and the terminal; the first cell is the cell after the cell handover, and the second cell is the cell before the cell handover.
23. The method according to claim 22, wherein, The cell handover includes one of the following: Cell handover between different second nodes controlled by the first node; Cell handover between different cells covered by the second node; Cell handover between different first nodes.
24. The method according to claim 22 or 23, wherein, The method also includes one of the following: The first key is generated based on the second key and the identifier of the first cell; The first key is generated based on the second key and the first count value; The first key is generated based on the second key, the identifier of the first cell, and the first count value.
25. The method according to claim 24, wherein, The method further includes: Based on the first key, second information is obtained, the second information including at least one of the following: secure connection association key CAK, secure connection association key name CKN.
26. The method according to any one of claims 22 to 25, wherein, The first node is a centralized unit (CU) in the access network equipment, and the second node is a distributed unit (DU) in the access network equipment.
27. A communication device configured to implement the communication method according to any one of claims 1 to 8, 9 to 15, 16 to 21, 22 to 26.
28. A communication system comprising a first node, a second node, and a terminal; the first node being configured to implement the communication method as described in any one of claims 1 to 8, the second node being configured to implement the communication method as described in any one of claims 9 to 15, 16 to 21, and the terminal being configured to implement the communication method as described in any one of claims 22 to 26.
29. A storage medium storing instructions that, when executed on a communication device, cause the communication device to perform a communication method as described in any one of 1 to 8, 9 to 15, 16 to 21, and 22 to 26.
30. A computer program product comprising a computer program that, when executed by a processor, implements the communication method as described in any one of claims 1 to 8, 9 to 15, 16 to 21, and 22 to 26.