Transmission processing methods and apparatuses, device, and readable storage medium
By generating a second key between the terminal and network-side devices and using freshness parameters to protect communication messages, the security problem of terminal-NF communication in 5G networks is solved, improving communication security and efficiency.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- VIVO MOBILE COMM CO LTD
- Filing Date
- 2025-12-26
- Publication Date
- 2026-07-09
AI Technical Summary
In the 5G network architecture, communication between the terminal and the network function (NF) cannot achieve fast communication because the signaling needs to go through the AMF, and there is a lack of security protection mechanisms.
By using a key generation process between the terminal and network-side devices, a second key is generated using a freshness parameter to protect communication messages, ensuring secure communication between the terminal and the NF.
It achieves security protection between the terminal and the NF, meets communication security requirements, and improves communication efficiency.
Smart Images

Figure CN2025146032_09072026_PF_FP_ABST
Abstract
Description
Transmission processing method, apparatus, equipment and readable storage medium
[0001] Cross-references to related applications
[0002] This application claims priority to Chinese Patent Application No. 202411973941.3, filed on December 30, 2024, entitled "Transmission Processing Method, Apparatus, Device and Readable Storage Medium", the entire contents of which are incorporated herein by reference. Technical Field
[0003] This application belongs to the field of communication technology, and specifically relates to a transmission processing method, apparatus, device and readable storage medium. Background Technology
[0004] In the 5G network architecture, terminals communicate with network functions (NFs) other than the AMF through the Access and Mobility Management Function (AMF). For example, terminals communicate with the Session Management Function (SMF) through a session management container (SM container) encapsulated in a Non-Access-Stratum (NAS) message. Even when the AMF is deployed in a centrally located area of the network, and the NF is deployed closer to the terminal, rapid communication between the terminal and the NF is still not possible because signaling always needs to detour through the AMF. Ensuring security between the terminal and the NF is a crucial issue that needs to be addressed to enable direct communication between the terminal and the NF. Summary of the Invention
[0005] This application provides a transmission processing method, apparatus, device, and readable storage medium to solve the problem of how to achieve security protection between a terminal and an NF.
[0006] Firstly, a transmission processing method is provided, including:
[0007] The terminal receives a first message, which is used to activate security between the terminal and the first network-side device.
[0008] The terminal obtains a second key based on a first key and a freshness parameter. The first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device.
[0009] Secondly, a transmission processing method is provided, including:
[0010] The second network-side device obtains a second key based on the first key and the freshness parameter. The second key is used to protect the communication messages between the terminal and the first network-side device.
[0011] The second network-side device sends a fourth message to the first network-side device, the fourth message including the second key.
[0012] Thirdly, a transmission processing method is provided, including:
[0013] The first network-side device receives a fourth message from the second network-side device. The fourth message includes a second key, which is used to protect communication messages between the terminal and the first network-side device.
[0014] The first network-side device sends a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
[0015] Fourthly, a transmission processing apparatus is provided for use in a terminal, comprising: a first transceiver unit and a first processing unit;
[0016] The first transceiver unit is used to receive a first message, which is used to activate security between the terminal and the first network-side device.
[0017] The first processing unit is used to obtain a second key based on a first key and a freshness parameter. The first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device.
[0018] Fifthly, a transmission processing apparatus is provided, comprising: a second transceiver unit and a second processing unit;
[0019] The second processing unit is used to obtain a second key based on the first key and the freshness parameter, the second key being used to protect communication messages between the terminal and the first network-side device;
[0020] The second transceiver unit is used to send a fourth message to the first network-side device, the fourth message including the second key.
[0021] Sixthly, a transmission processing apparatus is provided, comprising: a third transceiver unit and a third processing unit;
[0022] The third transceiver unit is used to receive a fourth message from the second network-side device. The fourth message includes a second key, which is used to protect communication messages between the terminal and the first network-side device.
[0023] The third transceiver unit is also used to send a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
[0024] In a seventh aspect, a transmission processing apparatus is provided, the apparatus being configured to perform the steps of the method described in the first aspect, or to implement the steps of the method described in the second aspect, or to implement the steps of the method described in the third aspect.
[0025] In an eighth aspect, a terminal is provided, the device including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the first aspect.
[0026] In a ninth aspect, a terminal is provided, including a processor and a communication interface, wherein the communication interface is used to receive a first message, the first message being used to activate security between the terminal and a first network-side device; the processor is used to obtain a second key based on a first key and a freshness parameter, the first key being available on a second network-side device, and the second key being used to protect communication messages between the terminal and the first network-side device.
[0027] In a tenth aspect, a network-side device is provided, the device including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the second or third aspect.
[0028] Eleventhly, a network-side device is provided, including a processor and a communication interface, wherein the processor obtains a second key based on a first key and a freshness parameter, the second key being used to protect communication messages between a terminal and a first network-side device; the communication interface sends a fourth message to the first network-side device, the fourth message including the second key; or, the communication interface is used to receive a fourth message from a second network-side device, the fourth message including the second key, the second key being used to protect communication messages between the terminal and the first network-side device; the communication interface is also used to send a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
[0029] In a twelfth aspect, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method described in the first aspect, or the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
[0030] In a thirteenth aspect, a wireless communication system is provided, comprising: a terminal and a network-side device, wherein the terminal is configured to perform the steps of the method described in the first aspect, and the network-side device is configured to perform the steps of the method described in the second or third aspect.
[0031] In a fourteenth aspect, a chip is provided, the chip including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement the steps of the method described in the first aspect, or the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
[0032] In a fifteenth aspect, a computer program / program product is provided, the computer program or program product being stored in a storage medium, the computer program or program product being executed by at least one processor to implement the steps of the method as described in the first aspect, or the steps of the method as described in the second aspect, or the steps of the method as described in the third aspect.
[0033] In this embodiment, the terminal receives a first message, which is used to activate security between the terminal and the first network-side device; the terminal obtains a second key based on a first key and a freshness parameter, the first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device. In this way, the terminal can communicate securely with the first network-side device based on the second key, thus meeting the security requirements for communication between the terminal and the first network-side device. Attached Figure Description
[0034] Figure 1 is a schematic diagram of a communication system provided in an embodiment of this application;
[0035] Figure 2 is a flowchart of a transmission processing method provided in an embodiment of this application;
[0036] Figure 3 is a flowchart of another transmission processing method provided by an embodiment of this application;
[0037] Figure 4 is a flowchart of another transmission processing method provided by an embodiment of this application;
[0038] Figure 5 is a flowchart of the UE establishing a secure connection with the NF according to an embodiment of this application;
[0039] Figure 6 is a flowchart of how the NF obtains the security context from the SEAF and establishes a secure connection between the UE and the NF, according to an embodiment of this application.
[0040] Figure 7 is a flowchart of how the NF obtains the security context from the SEAF and establishes a secure connection between the UE and the NF, as provided in an embodiment of this application.
[0041] Figure 8 is a structural diagram of a transmission processing apparatus provided in an embodiment of this application;
[0042] Figure 9 is a structural diagram of another transmission processing apparatus provided in an embodiment of this application;
[0043] Figure 10 is a structural diagram of another transmission processing apparatus provided in an embodiment of this application;
[0044] Figure 11 is a structural diagram of a communication device provided in an embodiment of this application;
[0045] Figure 12 is a structural diagram of a terminal provided in an embodiment of this application;
[0046] Figure 13 is a structural diagram of a network-side device provided in an embodiment of this application. Detailed Implementation
[0047] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.
[0048] The terms "first," "second," etc., used in this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, not limited in number; for example, the first object can be one or more. Furthermore, "or" in this application indicates at least one of the connected objects. For example, the scope of protection for "A or B" covers at least three scenarios: Scenario 1: including A but not B; Scenario 2: including B but not A; Scenario 3: including both A and B. In addition, the terms "A and / or B," "at least one of A and B," and "at least one of A or B" also cover at least the above three scenarios. The character " / " generally indicates that the preceding and following objects are in an "or" relationship.
[0049] The term "instruction" in this application can be either a direct instruction (or explicit instruction) or an indirect instruction (or implicit instruction). A direct instruction can be understood as the sender explicitly informing the receiver of specific information, the required operation, or the requested result in the instruction sent. An indirect instruction can be understood as the receiver determining the corresponding information based on the instruction sent by the sender, or making a judgment and determining the required operation or requested result based on the judgment result.
[0050] It is worth noting that the technology described in this application is not limited to Long Term Evolution (LTE) / LTE-Advanced (LTE-A) systems, but can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-Carrier Frequency-Division Multiple Access (SC-FDMA), or other systems, such as NTN systems, vehicle-to-everything (V2X), vehicle-to-everything (V2X) networks, machine-type communications (MTC), the Internet of Things (IoT), machine-to-machine (M2M) networks, or future mobile communication systems. As a possible application scenario, NTN systems may include satellite systems. Based on their altitude, i.e., their orbital altitude, satellites can be classified into highly elliptical orbit (HEO) satellites, geosynchronous earth orbit (GEO) satellites, medium earth orbit (MEO) satellites, and low earth orbit (LEO) satellites. Furthermore, NTN systems may also include non-terrestrial network-side equipment (or airborne network-side equipment) such as High Altitude Platform Station (HAPS) communication systems. The non-terrestrial network-side equipment involved in this application is not limited to the examples mentioned above.
[0051] The terms "system" and "network" used in the embodiments of this application are often used interchangeably, and the described technologies can be used with respect to the systems and radio technologies mentioned above, as well as other systems and radio technologies. The following description describes a New Radio (NR) system for illustrative purposes, and the term NR is used in most of the following description; however, these technologies can also be applied to systems other than NR systems, such as 6th generation (6G) systems. thGeneration 6G communication system.
[0052] Figure 1 shows a block diagram of a wireless communication system applicable to an embodiment of this application. The wireless communication system includes a terminal 11 and a network-side device 12.
[0053] Terminal 11 can also be referred to as User Equipment (UE). Terminal 11 can be a mobile phone, tablet computer, laptop computer, notebook computer, personal digital assistant (PDA), handheld computer, netbook, ultra-mobile personal computer (UMPC), mobile internet device (MID), augmented reality (AR), virtual reality (VR) device, robot, wearable device, flight vehicle, vehicle user equipment (VUE), shipborne equipment, pedestrian user equipment (PUE), smart home (home devices with wireless communication functions, such as refrigerators, televisions, washing machines or furniture), game console, personal computer (PC), ATM or self-service machine, etc. Wearable devices include: smartwatches, smart bracelets, smart earphones, smart glasses, smart jewelry (smart bracelets, smart chains, smart rings, smart necklaces, smart anklets, smart anklets, etc.), smart wristbands, smart clothing, etc. Among these, in-vehicle devices can also be referred to as in-vehicle terminals, in-vehicle controllers, in-vehicle modules, in-vehicle components, in-vehicle chips, or in-vehicle units, etc. It should be noted that the specific type of terminal 11 is not limited in the embodiments of this application.
[0054] Network-side equipment 12 may include access network equipment or core network equipment. Access network equipment may also be referred to as Radio Access Network (RAN) equipment, radio access network function, radio access network unit, or satellite. Access network equipment may include base stations, Wireless Local Area Network (WLAN) access points (APs), or Wireless Fidelity (WiFi) nodes, etc. Among them, base stations can be referred to as Node B (NB), Evolved Node B (eNB), Next Generation Node B (gNB), New Radio Node B (NR Node B), Access Point, Relay Base Station (RBS), Serving Base Station (SBS), Base Transceiver Station (BTS), Radio Base Station, Radio Transceiver, Basic Service Set (BSS), Extended Service Set (ESS), Home Node B (HNB), Home Evolved Node B, Transmit Receive Point (TRP), or Non-Terrestrial Network (NTN) equipment (such as satellite or high altitude platform). The term "base station" can be any suitable term in the field of "station" or similar terms, as long as it achieves the same technical effect. The base station is not limited to any specific technical term. It should be noted that the embodiments of this application only use the base station in the NR system as an example for introduction, and do not limit the specific type of base station.
[0055] Core network equipment, also known as core network nodes, core network functions, core network elements, or network functions (NFs), includes, but is not limited to, at least one of the following: Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized Network Configuration (CNC), Network Repository Function (NRF), Network Exposure Function (NEF), and Local NEF. The functions include NEF (L-NEF), Binding Support Function (BSF), Application Function (AF), Location Management Function (LMF), Gateway Mobile Location Centre (GMLC), Network Data Analytics Function (NWDAF), and Non-Terrestrial Network (NTN) devices (such as satellite or high altitude platform stations).It should be noted that the embodiments of this application only use the core network equipment in the NR system as an example for introduction, and do not limit the specific type of core network equipment. If the name of the core network equipment mentioned in the embodiments of this application changes in subsequent protocol versions (e.g., 6G), it is also within the scope of protection of this application.
[0056] Optionally, the core network equipment can be implemented by one or more functional modules in a single device, or by multiple devices working together; this application does not specifically limit this. It is understood that the aforementioned functional modules can be network elements in hardware devices, software functional modules running on dedicated hardware, or virtualized functional modules instantiated on a platform (e.g., a cloud platform).
[0057] The following description, in conjunction with the accompanying drawings, details the transmission processing method, apparatus, device, and readable storage medium provided in the embodiments of this application through some examples and application scenarios.
[0058] Referring to Figure 2, an embodiment of this application provides a transmission processing method, the specific steps of which include:
[0059] Step 21: The terminal receives a first message, which is used to activate security or security protection between the terminal and the first network-side device;
[0060] Optionally, the first network-side device includes, but is not limited to, other devices besides the third network-side device, such as SMF, PCF, LMF, etc.
[0061] Optionally, the first message can be a Security Mode Command (SMC) message, but it is not limited to this.
[0062] Optionally, the terminal may receive the first message from a third network-side device or from a first network-side device.
[0063] Step 22: The terminal obtains a second key based on the first key and the freshness parameter. The first key is available on the second network-side device, and the second key is used to protect the communication messages between the terminal and the first network-side device.
[0064] In one embodiment, the third network-side device and the second network-side device are the same device, meaning they can be combined. It should be noted that in other embodiments, the third network-side device and the second network-side device can also be configured independently.
[0065] Optionally, the second network-side equipment includes, but is not limited to, AMF, SEAF, or AUSF.
[0066] It should be understood that the availability of the first key on the second network-side device means that the terminal and the second network-side device possess the same key. The terminal and the second network-side device can protect their transmitted messages based on this first key or derive lower-layer keys based on it. The first key can be represented as an AUSF key (K... SEAF SEAF key (K) AUSF ), AMF key (K AMF This could be a key at the same level as the aforementioned keys, or a key in sixth-generation (6G) mobile communication technology.
[0067] It should be understood that the second key is used to protect the communication messages between the terminal and the first network-side device, meaning that the terminal and the first network-side device can use the second key to protect the communication messages between the terminal and the first network-side device, and can also use keys derived from the second key to protect the communication messages between the terminal and the first network-side device.
[0068] In one embodiment of this application, the first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device.
[0069] Optionally, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.
[0070] In one embodiment of this application, the first message includes first indication information, which is used to indicate the derivation of the second key;
[0071] The terminal obtains the second key based on the first key and the freshness parameter, including:
[0072] In response to the first indication information, the terminal obtains the second key based on the first key and the freshness parameter.
[0073] In this embodiment, by introducing a freshness parameter in the second key derivation process, the second key generated for each first network-side device can be different. Thus, even if the key of one first network-side device is compromised, the attacker will not be able to obtain the keys of other first network-side devices, thereby achieving secure key isolation.
[0074] Optionally, the first indication information can also be called a derivation indication.
[0075] Optionally, the first indication information can be implemented in two ways:
[0076] Method 1: Explicit indication, for example, the value of the first indication information is "1" to instruct the UE to deduce the second key, and the value of the first indication information is "0" to instruct the UE not to deduce the second key;
[0077] Method 2: Implicit indication. When the first message contains the first indication information, the UE is instructed to deduce the second key. When the first message does not contain the first indication information, the UE is instructed not to deduce the second key.
[0078] In one embodiment of this application, the freshness parameter includes a first parameter, which includes one or more of the following:
[0079] 1) The terminal identifier (UE ID) of the terminal;
[0080] 2) Anti-Bidding down Between Architectures (ABBA).
[0081] Optionally, the terminal identifier may include, but is not limited to, a Subscription Concealed Identifier (SUCI), a Globally Unique Temporary UE Identity (GUTI), or a Subscription Permanent Identifier (SUPI).
[0082] Optionally, ABBA is used to defend against attacks that compromise security features.
[0083] Optionally, the first parameter is a parameter that the terminal already possesses before deriving the second key. For example, it could be a parameter in a message sent or received by the terminal before deriving the second key, or it could be a parameter preset by the terminal, such as a parameter fixed during the production stage.
[0084] For example, the UE ID and ABBA of the terminal are preset parameters of the terminal.
[0085] In one embodiment of this application, the freshness parameter includes a second parameter, which includes one or more of the following:
[0086] 1) Identification information of the first network-side device, which is used to identify the selected first network-side device.
[0087] Since the identification information of the first network-side device is unique to each first network-side device, by introducing the identification information of the first network-side device as a derivation parameter, the second key generated by the second network-side device for each first network-side device is different, thus achieving secure isolation of the key.
[0088] 2) Downlink counter (COUNT);
[0089] Optionally, a downlink counter is used to indicate the number of downlink messages sent; the downlink counter can be a downlink NAS counter.
[0090] 3) First row of random numbers.
[0091] Optionally, the first downlink random number is randomly generated by the first network-side device.
[0092] In one embodiment of this application, the first message includes first freshness indication information, and before the terminal obtains the second key based on the first key and the freshness parameter, the method further includes:
[0093] The terminal obtains the second parameter based on the first freshness indication information.
[0094] Optionally, the second parameter is a parameter used to characterize either the parameter generated by the first network-side device or the parameter that is first changed by the first network-side device.
[0095] Optionally, the terminal can recover the second parameter based on the first freshness indication information and the information maintained locally.
[0096] For example, when the second parameter is the identification information of the first network-side device, the first freshness parameter indication information can be the identification information of the first network-side device or the identification information of the first network-side device after removing the less significant bits of information known to the terminal. For instance, if the first network-side device identification includes both the Public Land Mobile Network (PLMN) ID and the NF ID, and the terminal knows the PLMN ID, then the first freshness parameter can include only the NF ID.
[0097] For example, when the second parameter is the downlink counter, the first freshness parameter indication information can be the downlink counter sequence number (SN). Here, NAS COUNT is a 32-bit counter, and NAS COUNT SN is a partial field of NAS COUNT. The terminal and the network-side device jointly maintain NAS COUNT, but NAS COUNT can be synchronized by transmitting only NAS SN.
[0098] For example, when the second parameter is the first downlink random number, the first freshness parameter indication information can also be the first downlink random number.
[0099] It should be understood that the second parameter needs to be synchronized between the second network-side device and the terminal through the first freshness indication information in the first message.
[0100] In one embodiment of this application, the freshness parameter includes a third parameter, which includes one or more of the following:
[0101] 1) A counter used to measure the number of derivations of the second key;
[0102] Optionally, the initial value of the counter is set to 0. Each time the second key is deduced, the value of the counter is increased by a specified value, such as 1, but it is not limited to this.
[0103] Since the counter increments with each key derivation, the second key derived for the first network device is different each time, thus achieving secure isolation of the second key.
[0104] 2) Second row of random numbers.
[0105] Optionally, the second downlink random number is randomly generated by the second network-side device.
[0106] In one embodiment of this application, the first message includes second freshness indication information, and before the terminal obtains the second key based on the first key and the freshness parameter, the method further includes:
[0107] The terminal obtains the third parameter based on the second freshness indication information.
[0108] Optionally, the third parameter is a parameter used to characterize either the parameter generated by the second network-side device or the parameter that is first changed by the second network-side device.
[0109] Optionally, the terminal can recover the third parameter based on the second freshness indication information and the information maintained locally.
[0110] For example, when the third parameter is a counter used to measure the number of derivations of the second key, the second freshness parameter indication information may also be a counter used to measure the number of derivations of the second key, or a portion of the least significant bits of the counter used to measure the number of derivations of the second key.
[0111] For example, when the third parameter is the second row random number, the second freshness parameter indication information can also be the second row random number.
[0112] It should be understood that the third parameter needs to be synchronized between the second network-side device and the terminal through the second freshness indication information of the first message.
[0113] In one embodiment of this application, the freshness parameter includes a fourth parameter, which includes one or more of the following:
[0114] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0115] Optionally, the signaling type distinguisher is used to distinguish signaling that communicates with different categories of first network-side devices or to distinguish signaling that is of different types.
[0116] Optionally, the terminal can determine the signaling type distinguisher based on the type of signaling sent to communicate with different types of first network-side devices.
[0117] For example, the signaling type distinguisher can be a signaling type indicator, such as Mobile Management (MM) NAS, Session Management (SM) NAS, etc.
[0118] Assuming that the UE may only communicate with one first network-side device of the same type at a certain time, or that the UE may communicate with multiple first network-side devices of the same type, the keys do not need to be isolated. Therefore, after introducing a signaling type distinguisher as a derivation parameter, the second key generated by the second network-side device for each type of first network-side device is different, thus achieving a coarser-grained key security isolation.
[0119] 2) Upward COUNT;
[0120] Uplink COUNT is used to indicate the number of uplink messages sent. Uplink COUNT can be an uplink NAS counter.
[0121] 3) Random number generated from the top row.
[0122] Optionally, the uplink random number is generated randomly by the terminal.
[0123] In one embodiment of this application, before step 21, the method further includes: the terminal sending a second message to a third network-side device, the second message including a third message, the third message being used to request an association with the first network-side device.
[0124] In one embodiment of this application, the second message includes third freshness indication information, and before the terminal sends the second message to the first network element, the method further includes:
[0125] The terminal obtains the third freshness indication information based on the fourth parameter.
[0126] Optionally, the fourth parameter is used to characterize whether it is generated by the terminal or changed by the terminal first.
[0127] Optionally, the third message can be a message requesting access to the first network-side device; that is, the third message can also be called a request message for accessing the first network-side device. Optionally, the second message can be a Non-Access Stratum (NAS) message, but is not limited to this. Optionally, the second message includes, but is not limited to, registration request messages, service request messages, or Protocol Data Unit (PDU) session establishment messages.
[0128] Optionally, the second message may include a terminal identifier used to address the terminal's context. Optionally, the terminal identifier may include, but is not limited to, SUCI, GUTI, or SUPI.
[0129] Optionally, third-party network devices include, but are not limited to, AMF, Security Anchor Function (SEAF), or Authentication Server Function (AUSF).
[0130] For example, the terminal sends a service request message to a third network-side device (e.g., AMF), the service request message including a PDU session establishment request message; the AMF sends a PDU session establishment request message to a first network-side device (e.g., SMF); the first network-side device (e.g., SMF) directly sends a first message to the UE; the UE receives the first message from the first network-side device (e.g., SMF); the first message is used to activate security or security protection between the terminal and the first network-side device.
[0131] For example, the terminal sends a service request message to a third network-side device (e.g., AMF), the service request message including a PDU session establishment request message; the AMF sends a PDU session establishment request message to a first network-side device (e.g., SMF); the first network-side device (e.g., SMF) sends a first message to the third network-side device (e.g., AMF); the UE receives the first message from the third network-side device (e.g., AMF); the first message is used to activate security or security protection between the terminal and the first network-side device.
[0132] In one embodiment of this application, the second message further includes third freshness indication information. Before the terminal sends the second message to the third network-side device, the method further includes:
[0133] The terminal obtains the third freshness indication information based on the fourth parameter.
[0134] For example, when the fourth parameter is the signaling type distinguisher, the third freshness parameter indication information can be the message type information of the signaling. For instance, if the signaling type distinguisher is MM, the message type information can be a registration request.
[0135] For example, when the fourth parameter is the uplink counter, the third freshness parameter indication information can be the uplink counter sequence number (SN). Here, NAS COUNT is a 32-bit counter, and NAS COUNT SN is a partial field of NAS COUNT. The terminal and the network-side device jointly maintain NAS COUNT, but NAS COUNT can be synchronized by transmitting only NAS SN.
[0136] For example, when the fourth parameter is an uplink random number, the third freshness parameter indicator information can also be an uplink random number.
[0137] It should be understood that the fourth parameter requires the third freshness indication information in the second message to complete the synchronization between the second network-side device and the terminal.
[0138] In one embodiment of this application, the method further includes:
[0139] The terminal receives a paging message from the third network-side device;
[0140] The terminal sends a second message to the third network-side device, including:
[0141] In response to the paging message, the terminal sends the second message to the third network-side device;
[0142] Optionally, the second message can be a service request message.
[0143] In one embodiment of this application, the terminal receives a first message, including:
[0144] The terminal receives a first message from the third network-side device.
[0145] For example, the terminal receives a paging message sent by a third network-side device (e.g., AMF). Since the paging message has the terminal's identifier, the terminal responds to the paging message by sending a service request message to the third network-side device (e.g., AMF). The UE enters the connected state from the idle state. The UE receives a first message from the third network-side device (e.g., AMF). The first message is used to activate security or security protection between the terminal and the first network-side device.
[0146] In this embodiment, the terminal receives a first message, which is used to activate security or security protection between the terminal and the first network-side device; the terminal obtains a second key based on a first key and a freshness parameter, the first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device, so that the terminal can communicate securely with the first network-side device based on the second key, thus meeting the security requirements of communication between the terminal and the first network-side device.
[0147] Referring to Figure 3, an embodiment of this application provides a transmission processing method, the specific steps of which include:
[0148] Step 31: The second network-side device obtains a second key based on the first key and the freshness parameter. The second key is used to protect the communication messages between the terminal and the first network-side device.
[0149] Optionally, the second network-side equipment includes, but is not limited to, AMF, SEAF, or AUSF.
[0150] Optionally, the first network-side device includes, but is not limited to, network functions (NFs) other than the third network-side device, such as SMF, PCF, LMF, etc. For example, the second key is K. nf It should be noted that the second key can be named according to the different categories of the first network-side device. For example, if the NF is LMF, then the second key is K. LMF Other cases follow the same principle and will not be elaborated further.
[0151] It should be understood that the availability of the first key on the second network-side device means that the terminal and the second network-side device possess the same key. The terminal and the second network-side device can protect their transmitted messages based on this key or derive lower-layer keys based on this key. The first key can be represented as K. SEAF K AUSF K AMF Or a key at the same level as the aforementioned key in 6G, etc.
[0152] It should be understood that the second key is used to protect the communication messages between the terminal and the first network-side device, meaning that the terminal and the first network-side device can use the second key to protect the communication messages between the terminal and the first network-side device, and can also use keys derived from the second key to protect the communication messages between the terminal and the first network-side device.
[0153] Step 32: The second network-side device sends a fourth message to the first network-side device, the fourth message including the second key.
[0154] Optionally, the fourth message can also be called a Key Response message.
[0155] In one embodiment of this application, the fourth message further includes the security capabilities of the terminal.
[0156] Optionally, the terminal's security capabilities are used to indicate the security algorithms supported by the terminal. For example, the terminal may support security algorithm 1, security algorithm 2, security algorithm 3, etc.
[0157] In one embodiment of this application, the freshness parameter includes a first parameter, which includes one or more of the following:
[0158] 1) The UE ID of the terminal;
[0159] 2) ABBA.
[0160] Optionally, the UE ID may include, but is not limited to, SUCI, GUTI, or SUPI.
[0161] Optionally, ABBA is used to defend against attacks that compromise security features.
[0162] Optionally, the first parameter is a parameter that the second network-side device already possesses before deriving the second key. For example, it could be a parameter in a message sent or received by the second network-side device before deriving the second key, or it could be a parameter preset by the second network-side device, such as a parameter fixed during the production stage.
[0163] For example, the UE ID of the terminal is a parameter received by the second network-side device before deriving the second key.
[0164] For example, ABBA is a parameter preset by the second network-side device.
[0165] In one embodiment of this application, before the second network-side device sends a fourth message to the first network-side device, the method further includes:
[0166] The second network-side device receives a fifth message from the first network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0167] Optionally, the fifth message may also be referred to as a key for requesting the security context of the terminal.
[0168] Optionally, the fifth message can also be called a Key Request message.
[0169] In one embodiment of this application, the freshness parameter includes a second parameter, which includes one or more of the following:
[0170] 1) Identification information of the first network-side device;
[0171] 2) Downlink COUNT;
[0172] Downlink counters are used to indicate the number of downlink messages sent, such as downlink NAS counters.
[0173] 3) First row of random numbers.
[0174] Optionally, the downlink random number is randomly generated by the first network-side device.
[0175] Optionally, the second parameter is a parameter used to characterize either the parameter generated by the first network-side device or the parameter that is first changed by the first network-side device.
[0176] In one embodiment of this application, the fifth message includes first freshness indication information. After the second network-side device receives the fifth message from the first network-side device, the method further includes:
[0177] The second network-side device obtains the second parameter based on the first freshness indication information.
[0178] For example, when the second parameter is the identification information of the first network-side device, the first freshness parameter indication information may be the identification information of the first network-side device.
[0179] For example, when the second parameter is the downlink counter, the first freshness parameter indication information can also be the downlink counter.
[0180] For example, when the second parameter is a downlink random number, the first freshness parameter indication information can also be a downlink random number.
[0181] It should be understood that the second network-side device needs to obtain the first freshness indication information sent by the first network-side device through the fifth message in order to complete the synchronization of the second parameters between the second network-side device and the terminal.
[0182] In one embodiment of this application, the freshness parameter includes a third parameter, which includes one or more of the following:
[0183] 1) A counter used to measure the number of derivations of the second key;
[0184] Optionally, the initial value of the counter is set to 0. Each time the second key is deduced, the value of the counter is increased by a specified value, such as 1, but it is not limited to this.
[0185] Since the counter increments with each key derivation, the second key derived for the first network device is different each time, thus achieving secure isolation of the second key.
[0186] 2) Second row of random numbers.
[0187] Optionally, the second downlink random number is randomly generated by the second network-side device.
[0188] Optionally, the third parameter is a parameter used to characterize either the parameter generated by the second network-side device or the parameter that is first changed by the second network-side device.
[0189] In one embodiment of this application, the fourth message includes second freshness indication information, and the method further includes: before the second network-side device sends the fourth message to the first network-side device:
[0190] The second network-side device obtains the second freshness indication information based on the third parameter.
[0191] For example, when the third parameter is a counter used to measure the number of derivations of the second key, the second freshness parameter indication information may also be a counter used to measure the number of derivations of the second key, or a portion of the least significant bits of the counter used to measure the number of derivations of the second key.
[0192] For example, when the third parameter is the second row random number, the second freshness parameter indication information can also be the second row random number.
[0193] It should be understood that the second network-side device needs to send the second freshness indication information to the first network-side device through the fourth message, and then the first network-side device sends it to the terminal through the first message to complete the synchronization of the third parameter between the second network-side device and the terminal.
[0194] In one embodiment of this application, the freshness parameter includes a fourth parameter, which includes one or more of the following:
[0195] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0196] Optionally, the signaling type distinguisher is used to distinguish signaling that communicates with different categories of first network-side devices or to distinguish signaling that is of different types.
[0197] 2) Upward COUNT;
[0198] Downlink COUNT is used to indicate the number of uplink messages sent, such as an uplink NAS counter.
[0199] 3) Random number generated from the top row.
[0200] Optionally, the uplink random number is generated randomly by the terminal.
[0201] Optionally, the fourth parameter is used to characterize whether it is generated by the terminal or changed by the terminal first.
[0202] In one embodiment of this application, the fifth message includes third freshness indication information. After the second network-side device receives the fifth message from the first network-side device, the method further includes:
[0203] The second network-side device obtains the fourth parameter based on the third freshness indication information.
[0204] For example, when the fourth parameter is the signaling type distinguisher, the third freshness parameter indication information can be the network element type of the first network-side device. For instance, if the signaling type distinguisher is MM, the network element type of the first network-side device can be AMF.
[0205] For example, when the fourth parameter is the uplink counter, the third freshness parameter indication information can be the uplink counter. Specifically, the terminal and the first network-side device jointly maintain the NAS COUNT, and the first network-side device can indicate this uplink counter.
[0206] For example, when the fourth parameter is an uplink random number, the third freshness parameter indicator information can also be an uplink random number.
[0207] In one embodiment of this application, before the second network-side device obtains the second key based on the first key and the freshness parameter, the method further includes:
[0208] The second network-side device determines whether to obtain the second key according to the first policy;
[0209] The first strategy includes one or more of the following:
[0210] 1) Whether the first network-side device or the terminal has security protection capabilities;
[0211] Optionally, "whether it has security protection capabilities" refers to whether it has the ability to implement effective security policies, security mechanisms (such as encryption and integrity protection), or security technologies (such as security algorithms).
[0212] 2) Does the type of the first network-side device require security protection?
[0213] 3) Whether the message sent by the first network-side device needs to be forwarded by the third network-side device.
[0214] For example, if the first network-side device or the terminal has security protection capabilities, the second network-side device generates the second key.
[0215] For example, if the type of the first network-side device requires security protection, the second network-side device generates the second key. For instance, if the first network-side device is an SMF (Software-Defined Function) that communicates directly with the UE, the second network-side device generates the second key.
[0216] For example, if the message sent by the first network-side device does not need to be forwarded by the third network-side device, meaning that the security between the third network-side device and the terminal cannot be borrowed, then the second network-side device generates the second key.
[0217] In this embodiment, the second network-side device determines whether to obtain the second key according to the first policy, thereby achieving flexible configuration between performance and security.
[0218] Optional third-party network devices include, but are not limited to, AMF, SEAF, or AUSF.
[0219] In one embodiment, the third network-side device and the second network-side device are the same device, meaning they can be combined. It should be noted that in other embodiments, the third network-side device and the second network-side device can also be configured independently.
[0220] For example, the third network-side device and the second network-side device are both AMF, or the third network-side device and the second network-side device are both SEAF.
[0221] Optionally, the first policy can be a local policy of the second network-side device, or it can be a policy received by the second network-side device from other network elements.
[0222] For example, the first policy may be a local policy pre-configured in the second network-side device.
[0223] For example, the first policy may also be a policy received by the second network-side device from other network elements (such as UDM, PCF, etc.).
[0224] In this embodiment, the second network-side device obtains a second key based on the first key and a freshness parameter. The second key is used to protect communication messages between the terminal and the first network-side device. The second network-side device sends a fourth message to the first network-side device, the fourth message including the second key. In this way, the first network-side device can communicate securely with the terminal based on the second key, thus meeting the security protection requirements for communication between the first network-side device and the terminal.
[0225] Referring to Figure 4, an embodiment of this application provides a transmission processing method, the specific steps of which include:
[0226] Step 41: The first network-side device receives a fourth message from the second network-side device, the fourth message including a second key, the second key being used to protect communication messages between the terminal and the first network-side device;
[0227] Optionally, the first network-side device includes, but is not limited to, network functions (NFs) other than those of the third network-side device, such as SMF, PCF, LMF, etc.
[0228] Optionally, the second network-side equipment includes, but is not limited to, AMF, SEAF, and AUSF.
[0229] Optionally, the fourth message can also be called a Key Response message.
[0230] Optionally, the second key is K. nf It should be noted that the second key can be named according to the different categories of the first network-side device. For example, if the first network-side device is LMF, then the second key is K. LMF .
[0231] It should be understood that the second key is used to protect the communication messages between the terminal and the first network-side device, meaning that the terminal and the first network-side device can use the second key to protect the communication messages between the terminal and the first network-side device, and can also use keys derived from the second key to protect the communication messages between the terminal and the first network-side device.
[0232] Step 42: The first network-side device sends a first message to the terminal, the first message being used to activate security or security protection between the terminal and the first network-side device.
[0233] Optionally, the first message can be an SMC message, but it is not limited to this.
[0234] Optionally, the first network-side device can send the first message to the terminal through the third network-side device, or it can send the first message directly to the terminal.
[0235] In one embodiment of this application, the first message includes a security algorithm used to protect communication messages between the terminal and the first network-side device. Before the first network-side device sends the first message to the terminal, the method further includes:
[0236] The first network-side device selects the security algorithm based on the security capabilities of the terminal.
[0237] In this embodiment, by considering a new algorithm negotiation in the security process of establishing the UE and the first network-side device, the algorithm protecting the communication between the UE and the first network-side device can be different from the algorithm used by the UE to communicate with other first network-side devices. Thus, even if the algorithm used by the UE to communicate with other first network-side devices is compromised, it will not affect the security of the UE's communication with the first network-side device, thereby achieving secure isolation of the algorithm.
[0238] Optionally, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.
[0239] In one embodiment of this application, the fourth message further includes the security capabilities of the terminal.
[0240] In this embodiment, by storing the terminal's security capabilities in the second network-side device, the storage of the terminal's security capabilities can be centralized, reducing the overhead of transmitting the terminal's security capabilities between various network elements.
[0241] In one embodiment of this application, the first message includes first indication information, which is used to indicate the derivation of the second key.
[0242] In one embodiment of this application, before the first network-side device receives the fourth message from the second network-side device, the method further includes:
[0243] The first network-side device sends a fifth message to the second network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0244] Optionally, the fifth message may also be referred to as a key for requesting the security context of the terminal.
[0245] Optionally, the fifth message can also be called a Key Request message.
[0246] In one embodiment of this application, the first message or the fifth message further includes first freshness indication information, which is used to indicate the second parameter in the freshness parameters.
[0247] In one embodiment of this application, the second parameter includes one or more of the following:
[0248] 1) Identification information of the first network-side device;
[0249] 2) Downlink COUNT;
[0250] 3) First row of random numbers.
[0251] Optionally, the second parameter is a parameter used to characterize either the parameter generated by the first network-side device or the parameter that is first changed by the first network-side device.
[0252] It should be understood that the first network-side device needs to send a first freshness indication message through the first message so that the terminal can obtain the second parameter. The first network-side device also needs to send a first freshness indication message through the fifth message so that the first network-side device can obtain the second parameter, thereby completing the synchronization of the second parameter between the second network-side device and the terminal.
[0253] It should be understood that, since the local information possessed by the terminal and the second network-side device may differ, the specific form of the first freshness indication information in the first message and the third message may differ, but both are for the terminal or the second network-side device to obtain the second parameter.
[0254] For example, when the second parameter is the identification information of the first network-side device, the first freshness parameter indication information in the first message can be the identification information of the first network-side device after removing the less significant bits of the terminal's known information, and the first freshness parameter in the fifth message can be the identification information of the first network-side device. For instance, if the first network-side device identification includes both PLMN ID and NF ID, and the terminal knows the PLMN ID, then the first freshness parameter in the first message can only include the NF ID, and the first freshness parameter in the fifth message can include both the PLMN ID and the NF ID.
[0255] For example, when the second parameter is a downlink counter, the first freshness parameter indication information in the first message can be the downlink counter sequence number (SN), and the first freshness parameter in the fifth message can be the downlink counter. Here, NAS COUNT is a 32-bit counter, and NAS COUNT SN is a partial field of NAS COUNT. The terminal and the first network-side device jointly maintain the NAS COUNT. Therefore, the first network-side device can enable the terminal to obtain the NAS COUNT by transmitting only the NAS SN. However, the second network-side device does not possess the NAS COUNT SN, so the first network-side device needs to transmit the entire NAS COUNT for the second network-side device to obtain the NAS COUNT.
[0256] For example, when the second parameter is the first downlink random number, the first freshness parameter indication information in both the first message and the fifth message can be the first downlink random number.
[0257] In one embodiment of this application, the first message or the fourth message includes second freshness indication information, which is used to indicate a third parameter in the freshness parameters.
[0258] In one embodiment of this application, the third parameter includes one or more of the following:
[0259] 1) A counter used to measure the number of derivations of the second key;
[0260] 2) Second row of random numbers.
[0261] Optionally, the third parameter is a parameter used to characterize either the parameter generated by the second network-side device or the parameter first changed by the first network-side device.
[0262] It should be understood that the second network-side device needs to send a fourth message to the first network-side device. The fourth message includes a second freshness indication information. Then, the first network-side device forwards the second freshness indication information to the terminal through the first message, so that the terminal obtains the third parameter, thereby completing the synchronization of the third parameter between the second network-side device and the terminal.
[0263] In one embodiment of this application, the second message or the fifth message includes third freshness indication information, which is used to indicate the fourth parameter in the freshness parameters.
[0264] In one embodiment of this application, the fourth parameter includes one or more of the following:
[0265] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0266] 2) Upward COUNT;
[0267] 3) Random number generated from the top row.
[0268] Optionally, the fourth parameter is used to characterize whether it is generated by the terminal or changed by the terminal first.
[0269] It should be understood that the terminal needs to send a second message to the first network-side device, which includes a third freshness indication message. Then, the first network-side device forwards the third freshness indication message to the second network-side device through a fifth message, so that the second network-side device can obtain the fourth parameter, thereby completing the synchronization of the fourth parameter between the second network-side device and the terminal.
[0270] It should be understood that, since the local information possessed by the first network-side device and the second network-side device may differ, the specific form of the first freshness indication information in the second message and the fifth message may differ, but both are for the terminal or the second network-side device to obtain the second parameter.
[0271] For example, when the fourth parameter is the signaling type distinguisher, the third freshness parameter indication information in the second message can be the message type information of the signaling, and the third freshness parameter indication information in the fifth message can be the network element type of the first network-side device. For instance, when the signaling type distinguisher is MM, the message type information can be a registration request, and the network element type of the first network-side device can be AMF.
[0272] For example, when the fourth parameter is the uplink counter, the third freshness parameter indication information in the second message can be the uplink counter sequence number (SN), and the third freshness parameter indication information in the fifth message can be the uplink counter. Here, NAS COUNT is a 32-bit counter, and NAS COUNT SN is a partial field of NAS COUNT. The terminal and the first network-side device jointly maintain the NAS COUNT. Therefore, the terminal can transmit only the NAS SN so that the first network-side device can obtain the NAS COUNT. However, the second network-side device does not possess the NAS COUNT SN, so the first network-side device needs to transmit the entire NAS COUNT so that the second network-side device can obtain the NAS COUNT.
[0273] For example, when the fourth parameter is an uplink random number, the third freshness parameter indicator information can also be an uplink random number.
[0274] In one embodiment of this application, the method further includes:
[0275] The first network-side device obtains the identification information of the second network-side device;
[0276] The first network-side device sends a fifth message to the second network-side device, including:
[0277] The first network-side device sends a fifth message to the second network-side device based on the identification information of the second network-side device.
[0278] In this embodiment, by introducing the identification information of the second network-side device, the first network-side device can obtain the second network-side device serving the UE or a group of UEs through the UE ID or parameters indicating the UE range in different scenarios, thereby covering key acquisition in both uplink and downlink triggering scenarios.
[0279] In one embodiment of this application, the method further includes:
[0280] The first network-side device determines whether security protection is provided between the terminal and the first network-side device according to the second strategy;
[0281] The second strategy includes one or more of the following:
[0282] 1) Whether the first network-side device or the terminal has security protection capabilities;
[0283] 2) Does the type of the first network-side device require security protection?
[0284] 3) Whether the message sent by the first network-side device needs to be forwarded by the third network-side device;
[0285] If it is determined that security protection is required, the first network-side device performs one or more of the following actions:
[0286] 1) Trigger execution to send the first message to the terminal;
[0287] 2) Trigger execution to send the fifth message to the second network-side device.
[0288] For example, if the first network-side device or the terminal does not have security protection capabilities, the first network-side device determines that no security protection is provided between the terminal and the first network-side device.
[0289] For example, if the type of the first network-side device requires security protection, the first network-side device determines that security protection should be implemented between the terminal and the first network-side device. For instance, if the first network-side device is an SMF (Software-Defined Function) that communicates directly with the UE, then the first network-side device determines that security protection should be implemented between the terminal and the first network-side device.
[0290] For example, if the message sent by the first network-side device does not need to be forwarded by the third network-side device, it means that the security or security protection between the third network-side device and the terminal can not be used, and the first network-side device determines that security protection should be provided between the terminal and the first network-side device.
[0291] In this embodiment, the first network-side device determines whether protection is needed for communication between the UE and the first network-side device, thereby achieving flexible configuration between performance and security. Specifically, regarding the determination of whether messages sent by the first network-side device need to be forwarded by the third network-side device, since the UE and the third network-side device already have NAS security, if messages sent by the first network-side device are always forwarded by the third network-side device, then no further security or security protection between the UE and the first network-side device is needed.
[0292] Optionally, the second strategy can be a local strategy of the first network-side device, or it can be a strategy received by the first network-side device from other network elements.
[0293] For example, the second policy may be a local policy pre-configured in the first network-side device.
[0294] For example, the second policy may also be a policy received by the first network-side device from other network elements (such as UDM, PCF).
[0295] In one embodiment of this application, the first network-side device sends a first message to the terminal, including:
[0296] The first network-side device sends the first message to the terminal through the third network-side device.
[0297] In one embodiment of this application, before the first network-side device receives the fourth message from the second network-side device, the method further includes:
[0298] The first network-side device receives a third message from the terminal through the third network-side device. The third message is used to request to establish an association with the first network-side device.
[0299] Optionally, the third message can be a message used to request access to the first network-side device; that is, the third message can also be called a request message to access the first network-side device.
[0300] For example, the terminal sends a service request message to a third network-side device (e.g., AMF), the service request message including a PDU session establishment request message, and the third network-side device (e.g., AMF) sends a PDU session establishment request message to a first network-side device (e.g., SMF).
[0301] In one embodiment of this application, the first network-side device obtains the identification information of the second network-side device, including:
[0302] The first network-side device receives the identification information of the second network-side device from the third network-side device.
[0303] For example, the terminal sends a service request message to a third network-side device (e.g., AMF). The service request message includes a PDU session establishment request message. The third network-side device (e.g., AMF) sends a PDU session establishment request message and a SEAF ID to a first network-side device (e.g., SMF).
[0304] In one embodiment of this application, before the first network-side device sends the first message to the terminal, the method further includes:
[0305] The first network-side device sends the terminal's identifier to the fourth network-side device;
[0306] The first network-side device receives the identification information of the second network-side device from the fourth network-side device.
[0307] Optionally, the terminal identifier may include, but is not limited to, SUPI, SUCI, or GUTI.
[0308] Optionally, the fourth network-side device includes, but is not limited to, UDM.
[0309] For example, a first network-side device (e.g., SMF) sends a subscription acquisition request message to a fourth network-side device (e.g., UDM). The message includes the terminal's SUPI. The fourth network-side device (e.g., UDM) obtains the identification information of the second network-side device currently serving the terminal based on the terminal's SUPI, and returns a subscription acquisition response message to the first network-side device (e.g., SMF).
[0310] In one embodiment of this application, before the first network-side device sends the first message to the terminal, the method further includes:
[0311] The first network-side device sends area information to the fourth network-side device;
[0312] The first network-side device receives the identification information of the second network-side device corresponding to the terminal from the fourth network-side device, and the terminal belongs to the area.
[0313] Optionally, the information for the area includes, but is not limited to, at least one of the following: Area of Interest (AoI), Tracking Area Identity (TAI).
[0314] For example, a first network-side device (e.g., SMF) sends a subscription acquisition request message to a fourth network-side device (e.g., UDM). The message includes an AoI. The fourth network-side device (e.g., UDM) obtains the SUPI of all terminals in the area based on the AoI, as well as the identification information of the second network-side device currently serving these terminals. It then returns the SUPI and the corresponding identification information of the second network-side device to the first network-side device (e.g., SMF) through a subscription acquisition response message.
[0315] In one embodiment of this application, after the first network-side device sends a first message to the terminal, the method further includes:
[0316] The first network-side device sends a paging indication first message to the third network-side device, the paging indication being used to page the terminal.
[0317] For example, a first network-side device (e.g., SMF) sends a paging indication and a first message to a third network-side device (e.g., AMF). The third network-side device (e.g., AMF) pagees the UE through the paging indication. After receiving the service request message sent by the UE, it sends the second request message to the UE.
[0318] In one embodiment, the third network-side device and the second network-side device are the same device, meaning they can be combined. It should be noted that in other embodiments, the third network-side device and the second network-side device can also be configured independently.
[0319] Optional third-party network devices include, but are not limited to, AMF, SEAF, or AUSF.
[0320] In this embodiment, the first network-side device receives a fourth message from the second network-side device. The fourth message includes a second key, which is used to protect communication messages between the terminal and the first network-side device. The first network-side device sends a first message to the terminal, which is used to activate security or security protection between the terminal and the first network-side device. In this way, the terminal can communicate securely with the first network-side device based on the second key, thus meeting the security protection requirements for communication between the terminal and the first network-side device.
[0321] The following examples, based on Embodiments 1 to 3, use NF as the first network-side device, SEAF as the second network-side device, AMF as the third network-side device, and UDM as the fourth network-side device, with K as the first key. seaf or K amf The second key is K nf Let's take an example to illustrate.
[0322] Example 1: AMF or SEAF merging, uplink NAS triggered security establishment.
[0323] This embodiment is based on a 5G architecture and still assumes that AMF and SEAF are merged. When the current UE attempts to access the NF behind the AMF, security is established between the UE and the NF.
[0324] Referring to Figure 5, the specific steps are as follows:
[0325] Step 1: The UE sends a NAS message (i.e., the second message) to the AMF or SEAF. The NAS message includes at least one of the following: UE identifier and a request for NF (i.e., the third message), where the UE identifier is used to address the UE's context and the request for NF is used to establish an association with the NF.
[0326] Optionally, the NAS message also includes a third freshness indication message (fresh para3), which is used by AMF or SEAF to obtain the freshness parameter (i.e., the fourth parameter).
[0327] Step 2: The AMF or SEAF sends a sixth message to the NF, which includes at least one of the following: a SUbscription Permanent Identifier (SUPI), K nf And the request message for accessing NF (i.e., the third message).
[0328] Optionally, the sixth message includes at least one of the following: UE security capability, third freshness indication information, second freshness indication information (fresh para2), the second freshness indication information being used by the UE to obtain freshness parameters (third parameters).
[0329] The SUPI can be determined based on the UE identifier. Optionally, the UE identifier may include: SUCI, GUTI, or SUPI. For example, the AMF or SEAF obtains the UE's SUPI based on the UE identifier.
[0330] The third freshness indication information is used to indicate the fourth parameter, which is used to characterize the parameter generated by the terminal or changed by the terminal first.
[0331] Optionally, prior to step 2, the method may also include: step 2a: AMF or SEAF selects NF based on the NAS message.
[0332] Optionally, prior to step 2, the method may also include: Step 2b: The AMF or SEAF determines whether security protection is required between the UE and the NF based on the first strategy.
[0333] Optionally, the first strategy may include at least one of the following:
[0334] 1) Does the NF or UE have the security protection capability between the UE and the NF?
[0335] 2) Does the NF type require security protection, for example, security policies at the NF granularity or NF type granularity?
[0336] 3) Whether messages sent by NF need to be forwarded by AMF.
[0337] By introducing network-side checks to determine whether communication between the UE and NF needs protection, flexible configuration between performance and security can be achieved. Specifically, regarding the determination of whether messages sent by the NF should be forwarded by the AMF, since the UE and AMF already have NAS security, if messages sent by the NF are always forwarded by the AMF, then no further security between the UE and NF is needed.
[0338] If security protection is not required, the AMF or SEAF will not send security-related parameters, such as K, which may include but is not limited to. nf The NF will not initiate step 3 if it does not receive any of the aforementioned security-related parameters, including UE security capabilities and third-party freshness indication information.
[0339] Optionally, prior to step 2, the method may further include: Step 2c: AMF or SEAF according to K seaf or K amf And the generation of the freshness parameter K nf Among them, K seaf or K amf It can be generated using existing methods, which will not be elaborated here.
[0340] Among them, K seaf It is the shared key between the terminal and SEAF, K amf This is the shared key between the terminal and the AMF.
[0341] Optionally, the freshness parameter may include at least one of the following: a first parameter, a second parameter, a third parameter, and a fourth parameter, wherein,
[0342] 1) The first parameter is a parameter that the terminal already possesses before deriving the second key. For example, the first parameter may include the terminal's UE ID or ABBA.
[0343] 2) The second parameter is used to characterize the parameter generated by the AMF or changed by the AMF first. The second parameter needs to be synchronized between SEAF and the terminal through the first freshness indication information in the SMC message (i.e. the first message). The terminal can recover the second parameter based on the first freshness indication information and the information maintained locally.
[0344] Optionally, the second parameter may include at least one of the following:
[0345] a) NF identifier, used to identify the selected NF. The AMF or SEAF obtains the NF ID after selecting the NF based on the NAS message. At this time, the first freshness indication information (fresh para1) is the selected NF ID.
[0346] Since the NF identifier is unique to each NF, by introducing the NF identifier as a derivation parameter, SEAF generates a different key for each NF, thus achieving secure key isolation.
[0347] b) Downlink NAS COUNT, used to indicate the number of downlink messages sent. The UE reconstructs the entire downlink NAS COUNT based on the NAS COUNT SN (the low-significant bits of the NAS COUNT) in the downlink message and the stored information (the high-significant bits of the NAS COUNT). In this case, the first freshness indication information is the NAS COUNT SN.
[0348] c) The first downlink random number, which can be a random number generated by NF. When the second parameter is the first downlink random number, the first freshness parameter indication information can be the first downlink random number.
[0349] 3) The third parameter is used to characterize the parameter generated by SEAF or changed by SEAF first. The third parameter needs to be synchronized between SEAF and terminal through the second freshness indication information of the first message. The terminal can recover the third parameter based on the second freshness indication information and the information maintained locally.
[0350] Optionally, the third parameter may include at least one of the following:
[0351] a) Counter: Used to indicate the derivation K nf The number of times. AMF or SEAF sets the initial value of this counter to 0, and increments it every time K completes. nf Based on this deduction, the value is increased (for example, by 1 or more), and the UE obtains the counter from the downlink message. At this time, the first freshness indication information is this counter.
[0352] Since the counter increments with each key derivation, the key derived for each NF derivation is different, thus enabling secure key isolation.
[0353] b) A second downlink random number, which can be a random number generated by the AMF or SEAF. The UE obtains the second downlink random number based on the downlink message. When the third parameter is the second downlink random number, the second freshness parameter indication information can also be the second downlink random number.
[0354] 4) The fourth parameter is used to characterize the parameter generated by the terminal or changed by the terminal first. The fourth parameter needs to be synchronized between SEAF and the terminal through the third freshness indication information in the second message.
[0355] Optionally, the fourth parameter may include at least one of the following:
[0356] a) Signaling type distinguisher, used to distinguish signaling communicating with different categories of NFs or to distinguish signaling of different types. For example, Mobile Management (MM) represents mobile management type signaling (communicating with AMF, represented by 0x00), Session Management (SM) represents session management type signaling (communicating with SMF, represented by 0x01), Data (DATA) represents data management type signaling (communicating with data management function, represented by 0x02), and Location Service (LCS) represents location service type signaling (communicating with location management function, represented by 0x03). After receiving a NAS message, the AMF or SEAF can set different signaling type distinguishers according to the message type of the request message for accessing the NF. For example, SM is used when deriving the key for communication with the session management function, and DATA is used when deriving the key for communication with the data management function. In this case, the third freshness indication information can indicate the request message for accessing the NF, or it can be a signaling type indication used to indicate the type of the request message for accessing the NF.
[0357] Since a UE may only communicate with one NF of the same type at a time, by introducing a signaling type distinguisher as a derivation parameter, SEAF generates different keys for each type of NF, thus achieving coarser-grained key security isolation.
[0358] b) The uplink NAS counter (COUNT) indicates the number of NAS messages sent. AMF or SEAF reconstructs the entire uplink NAS COUNT based on the NAS COUNT serial number (SN) (the low-significant bits of the NAS COUNT) in the NAS message combined with the stored information (the high-significant bits of the NAS COUNT). At this point, the third freshness indicator is the NAS COUNT SN.
[0359] c) Uplink random number, which can be a random number generated by the terminal.
[0360] Step 3: The NF sends an SMC message (i.e., the first message) to the UE. This SMC message is used to instruct the UE to activate security with the NF.
[0361] Optionally, the SMC message may include at least one of the following: a derivation instruction, a security algorithm, a first freshness indication message, and a second freshness indication message.
[0362] Among them, the deduction indication is used to instruct the UE to deduce K. nf .
[0363] Optionally, derivation indicators can be implemented in two ways:
[0364] Method 1: Display indication, for example, the value of the deduction indication is "1" to indicate that the UE deduces K. nf The value of the deduction indicator is "0", indicating that the UE does not deduce K. nf .
[0365] Method 2: Implicit indication. When the SMC message contains this deduction indication, it instructs the UE to deduce K. nf If the SMC message does not contain this deduction indication, the SMC message instructs the UE not to deduce K. nf .
[0366] Optionally, whether the SMC message carries the first freshness indication information can be determined with reference to step 2. One implementation is that the derivation indication includes the first freshness indication information.
[0367] Optionally, the NF obtains the security algorithm based on the UE's security capabilities. Alternatively, the NF selects a security algorithm based on the UE's security capabilities and a pre-configured list of algorithm priorities.
[0368] By considering new algorithm negotiation in the establishment of the security process between UE and NF, the algorithm protecting the communication between UE and NF can be different from the algorithm used by UE to communicate with other NFs. Thus, even if the algorithm for UE to communicate with other NFs is compromised, it will not affect the security of UE to communicate with that NF, achieving secure isolation of the algorithm.
[0369] Optionally, after step 3, the method may further include: step 3b: UE according to K amf or K seaf K is generated from freshness parameters nf .
[0370] In this embodiment, by introducing a freshness parameter during the new key derivation process, it is possible to ensure that the K generated for each NF is... nf Since they are different, it is assumed that if the key of one NF is compromised, the attacker will not be able to obtain the keys of other NFs, thus achieving secure isolation of keys.
[0371] Optionally, the UE can obtain the second parameter based on the first freshness indication information, or it can obtain the second parameter directly.
[0372] Optionally, the UE can obtain the third parameter based on the second freshness indication information, or it can obtain the third parameter directly.
[0373] Optionally, the UE, based on the derivation instruction, and then based on K amf or K seaf K is generated from freshness parameters nfThe UE instructs the UE to infer K according to the inference instruction. nf In the case of generating K again nf Otherwise, K will not be generated. nf .
[0374] It should be noted that UE derivation K nf The method of deducing K from the AMF or SEAF side nf The method is the same.
[0375] Step 4: The UE replies to the NF with a Security Mode Complete (SMP) message, which is used in response to the SMC message.
[0376] After this step, security is activated between the UE and the NF, meaning that subsequent communication between the UE and the NF is protected by encryption and integrity.
[0377] Step 5: The NF sends a response message to the UE requesting access to the NF. This response message is used to respond to the NF access request message.
[0378] In this embodiment, the NF protects the response message, and the UE deprotects the response message.
[0379] Example 2: AMF or SEAF separation, uplink NAS-triggered security establishment.
[0380] This embodiment assumes that the AMF and SEAF are separate. When the current UE attempts to access the NF behind the AMF, the NF obtains the security context from the SEAF and establishes security between the UE and the NF.
[0381] Referring to Figure 6, the specific steps are as follows:
[0382] Step 1: The UE sends a NAS message (i.e., the second message) to the AMF. The NAS message includes at least one of the following: UE identifier and a request for NF (i.e., the third message), where the UE identifier is used to address the UE's context and the request for NF is used to establish an association with the NF.
[0383] Optionally, the NAS message also includes a third freshness indication message (fresh para3), which is used by AMF or SEAF to obtain the freshness parameter (i.e., the fourth parameter).
[0384] Step 2: The AMF sends a sixth message to the NF, which includes at least one of the following: SUPI, a request message to access the NF (i.e., the third message).
[0385] Optionally, the sixth message may also include at least one of the following: UE security capabilities, third freshness indication information.
[0386] The SUPI can be determined based on the UE identifier. Optionally, the UE identifier may include: SUCI, GUTI, or SUPI. For example, the AMF obtains the UE's SUPI based on the UE identifier.
[0387] Optionally, the SEAF ID is stored in the UE context by the AMF.
[0388] By introducing SEAF ID, the NF can obtain the SEAF serving the UE or a group of UEs through the UE ID or parameters indicating the UE range in different scenarios, thereby covering key acquisition in both uplink and downlink triggering scenarios.
[0389] Optionally, prior to step 2, the method may also include: step 2a: the AMF selects the NF based on the NAS message.
[0390] Optionally, prior to step 2, the method may also include: step 2b: the AMF determines whether security protection is required between the UE and the NF based on the first strategy.
[0391] Optionally, the first strategy may include at least one of the following:
[0392] 1) Does the NF or UE have the security protection capability between the UE and the NF?
[0393] 2) Does the NF type require security protection, such as security policies at the NF granularity or NF type granularity?
[0394] 3) Whether messages sent by NF need to be forwarded by AMF.
[0395] If security protection is not required, the AMF will not send security-related parameters. These parameters include, but are not limited to, at least one of the following: UE security capabilities, second freshness indication information, etc. The NF will not initiate step 3 if it does not receive the aforementioned security-related parameters.
[0396] Step 3: NF sends a key request message (i.e., the fifth message) to SEAF. Optionally, this key request message includes SUPI.
[0397] Optionally, the key request message may also include a first freshness indication or a third freshness indication.
[0398] Optionally, prior to step 3, the method may also include: step 3a: NF selects (or addresses) SEAF based on SEAF ID.
[0399] Optionally, the SEAF ID can be obtained by NF through step 2.
[0400] Optionally, the SEAF ID can also be obtained by an NF by querying other NFs through SUPI. For example, other NFs include, but are not limited to, UDM, which already has a binding relationship between SUPI and SEAF ID.
[0401] Step 4: SEAF sends a key response message (i.e., the fourth message) to NF. This key response message may contain K. nf Optionally, the key response message may also include at least one of the following: UE security capabilities, and second freshness indication information (fresh para2).
[0402] Optionally, prior to step 4, the method may further include: Step 4a: SEAF according to K seaf And the generation of the freshness parameter K nf Among them, K seaf It is a key generated in the background technology.
[0403] Optionally, the freshness parameter may include at least one of the following: a first parameter, a second parameter, a third parameter, and a fourth parameter, wherein,
[0404] 1) The first parameter is a parameter that the terminal already possesses before deriving the second key. For example, the first parameter may include the terminal's UE ID or ABBA.
[0405] 2) The second parameter is used to characterize the parameter generated by the AMF or changed by the AMF first. The second parameter needs to be synchronized between SEAF and the terminal through the first freshness indication information in the SMC message (i.e. the first message). The terminal can recover the second parameter based on the first freshness indication information and the information maintained locally.
[0406] 3) The third parameter is used to characterize the parameter generated by SEAF or changed by SEAF first. The third parameter needs to be synchronized between SEAF and terminal through the second freshness indication information of the first message. The terminal can recover the third parameter based on the second freshness indication information and the information maintained locally.
[0407] 4) The fourth parameter is used to characterize the parameter generated by the terminal or changed by the terminal first. The fourth parameter needs to be synchronized between SEAF and the terminal through the third freshness indication information in the second message.
[0408] It should be noted that the specific details of the first, second, third, and fourth parameters can be found in the description in Example 1, and will not be repeated here.
[0409] In this embodiment, by introducing a freshness parameter during the new key derivation process, it is possible to ensure that the K generated for each NF is...nf Since they are different, it is assumed that if the key of one NF is compromised, the attacker will not be able to obtain the keys of other NFs, thus achieving secure isolation of keys.
[0410] Step 5: The NF sends an SMC message (i.e., the first message) to the UE. This SMC message is used to instruct the UE to activate security with the NF.
[0411] Optionally, the SMC message may include at least one of the following: a derivation instruction, a security algorithm, a first freshness indication message, and a second freshness indication message.
[0412] Among them, the deduction indication is used to instruct the UE to deduce K. nf .
[0413] Optionally, derivation indicators can be implemented in two ways:
[0414] Method 1: Display indication, for example, the value of the deduction indication is "1" to indicate that the UE deduces K. nf The value of the deduction indicator is "0", indicating that the UE does not deduce K. nf .
[0415] Method 2: Implicit indication. When the SMC message contains this deduction indication, it instructs the UE to deduce K. nf If the SMC message does not contain this deduction indication, the SMC message instructs the UE not to deduce K. nf .
[0416] Optionally, before step 5, the method may also include: step 5a: NF obtains a security algorithm based on the UE's security capabilities.
[0417] Optionally, after step 5, the method may further include: Step 5b: UE according to K seaf K is generated from freshness parameters nf .
[0418] Optionally, the UE can obtain the freshness parameter (i.e., the second parameter) based on the first freshness indication information, or it can obtain the freshness parameter (i.e., the second parameter) directly.
[0419] Optionally, the UE can obtain the freshness parameter (i.e., the third parameter) based on the second freshness indication information, or it can obtain the freshness parameter (i.e., the third parameter) directly.
[0420] Optionally, the UE, based on the derivation instruction, and then based on K seaf K is generated from freshness parameters nf The UE instructs the UE to infer K according to the inference instruction. nf In the case of generating K again nf Otherwise, K will not be generated. nf.
[0421] It should be noted that UE derivation K nf The method and SEAF side derivation K nf The method is the same.
[0422] Step 6: The UE replies to the NF with an SMP message in response to the SMC message.
[0423] After this step, security is activated between the UE and the NF, meaning that subsequent communication between the UE and the NF is protected by encryption and integrity.
[0424] Step 7: The NF sends a response message to the UE requesting access to the NF. This response message is used to respond to the NF access request message.
[0425] It is understood that steps 5 to 7 of Embodiment 2 can refer to steps 3 to 5 of Embodiment 1.
[0426] In this embodiment, the NF protects the response message, and the UE deprotects the response message.
[0427] Example 3: AMF or SEAF separation or merging, downlink NAS-triggered security establishment.
[0428] Under the condition of security establishment triggered by downlink NAS, when the NF attempts to actively access the UE, how does the NF obtain the security context from SEAF and establish security between the UE and the NF?
[0429] Referring to Figure 7, the specific steps are as follows:
[0430] Step 1: NF sends a Location Request message to UDM.
[0431] Optionally, the location request message may include at least one of the following: SUPI, Discovery Request Information. Discovery Request Information is used to indicate the need to obtain a set of SUPIs within a certain range. For example, the set of SUPIs may be information about regions, such as Area of Interest (AoI), Tracking Area Identity (TAI), etc.
[0432] Optionally, the NF may not have any UE context. For example, if the NF wants to initiate communication with all UEs within a certain range, it will send a discovery request message to the UDM.
[0433] Optionally, an NF may have a SUPI for a UE, for example, when it receives a request from another NF that includes a SUPI, in which case the NF sends the SUPI to the UDM.
[0434] Optionally, prior to step 1, the method includes step 1a: the NF determines whether security protection is required between the UE and the NF based on a second strategy.
[0435] Optionally, the second strategy may include at least one of the following:
[0436] 1) Does the NF have security protection capabilities between the UE and the NF?
[0437] 2) Does the NF type require security protection, for example, security policies at the NF granularity or NF type granularity?
[0438] 3) Whether messages sent by NF need to be forwarded by AMF.
[0439] By introducing network-side checks to determine whether communication between the UE and NF needs protection, flexible configuration between performance and security can be achieved. Specifically, regarding the determination of whether messages sent by the NF should be forwarded by the AMF, since the UE and AMF already have NAS security, if messages sent by the NF are always forwarded by the AMF, then no further security between the UE and NF is needed.
[0440] If security protection is not required, NF will not initiate step 1.
[0441] Step 2: The UDM sends a Location Response message to the NF. This Location Response message contains the SEAF ID. Optionally, the Location Response message may also include at least one of the following: AMF ID, SUPI.
[0442] Optionally, the UDM pre-stores a mapping relationship between SUPI and at least one of the following: discovery requirement information, SEAF ID, and AMF ID. When the UDM obtains a SUPI, it can return the corresponding SEAF ID or AMF ID. When the UDM obtains discovery requirement information, it can obtain the corresponding SUPI and the corresponding SEAF ID or AMF ID.
[0443] Step 3: NF sends a Key Request message (i.e., the fifth message) to SEAF. This Key Request message contains SUPI, and optionally, it also includes a first freshness indication or a third freshness indication.
[0444] Optionally, the NF addresses the SEAF based on the SEAF ID, which can come from step 2.
[0445] Step 4: SEAF sends a Key Response message (i.e., the fourth message) to NF. This Key Response message contains K nfOptionally, the key response message may also include at least one of the following: UE security capabilities, and second freshness indication information (fresh para2).
[0446] Optionally, prior to step 4, SEAF according to K seaf And the generation of the freshness parameter K nf Among them, K seaf It can be a key generated based on existing methods.
[0447] Optionally, the freshness parameter may include at least one of the following: a first parameter, a second parameter, a third parameter, and a fourth parameter, wherein,
[0448] 1) The first parameter is a parameter that the terminal already possesses before deriving the second key. For example, the first parameter may include the terminal's UE ID or ABBA.
[0449] 2) The second parameter is used to characterize the parameter generated by the AMF or changed by the AMF first. The second parameter needs to be synchronized between SEAF and the terminal through the first freshness indication information in the SMC message (i.e. the first message). The terminal can recover the second parameter based on the first freshness indication information and the information maintained locally.
[0450] 3) The third parameter is used to characterize the parameter generated by SEAF or changed by SEAF first. The third parameter needs to be synchronized between SEAF and terminal through the second freshness indication information of the first message. The terminal can recover the third parameter based on the second freshness indication information and the information maintained locally.
[0451] 4) The fourth parameter is used to characterize the parameter generated by the terminal or changed by the terminal first. The fourth parameter needs to be synchronized between SEAF and the terminal through the third freshness indication information in the second message.
[0452] It should be noted that the specific details of the first, second, third, and fourth parameters can be found in the description in Example 1, and will not be repeated here.
[0453] Step 5: The NF sends a SUPI and an SMC message (i.e., the first message) to the AMF. This SMC message is used to instruct the UE to activate security with the NF.
[0454] Optionally, the SMC message may include at least one of the following: derivation indication, security algorithm, second freshness indication information, and first freshness indication information.
[0455] Optionally, the NF addresses the AMF based on the AMF ID, which can come from step 2.
[0456] Optionally, the derivation indicator is used to instruct the UE to derivate K. nf .
[0457] Optionally, derivation indicators can be implemented in two ways:
[0458] Method 1: Display indication, for example, the value of the deduction indication is "1" to indicate that the UE deduces K. nf The value of the deduction indicator is "0", indicating that the UE does not deduce K. nf .
[0459] Method 2: Implicit indication. When the SMC message contains this deduction indication, it instructs the UE to deduce K. nf If the SMC message does not contain this deduction indication, it instructs the UE not to deduce K. nf .
[0460] Optionally, the SMC message may further include at least one of the following: second freshness indication information and first freshness indication information. Whether the SMC message carries the second freshness indication information or the first freshness indication information is determined by referring to step 2. One implementation is that the derivation indication includes at least one of the following: a second freshness indication information and a first freshness indication information.
[0461] Optionally, before step 5, step 4a is also included: the NF obtains a security algorithm based on the UE's security capabilities. The NF selects a security algorithm based on the UE's security capabilities and a pre-configured algorithm priority list.
[0462] By considering new algorithm negotiation in the establishment of the security process between UE and NF, the algorithm protecting the communication between UE and NF can be different from the algorithm used by UE to communicate with other NFs. Thus, even if the algorithm for UE to communicate with other NFs is compromised, it will not affect the security of UE to communicate with that NF, achieving secure isolation of the algorithm.
[0463] Step 6: The AMF sends a paging message to the UE.
[0464] If the UE is in the idle state, the AMF initiates a paging message to return the UE to the connected state; otherwise, the AMF can directly execute step 8.
[0465] Step 7: The UE sends a Service Request to the AMF in response to the paging message. The Service Request may include the UE's GUTI.
[0466] Step 8: The AMF sends an SMC message to the UE.
[0467] Optionally, the UE depends on K. seaf K is generated from freshness parameters nf .
[0468] Optionally, the UE can obtain the second parameter based on the first freshness indication information, or it can obtain the second parameter directly.
[0469] Optionally, the UE can obtain the third parameter based on the second freshness indication information, or it can obtain the third parameter directly.
[0470] Optionally, the UE, based on the derivation instruction, and then based on K seaf K is generated from freshness parameters nf The UE instructs the UE to infer K according to the inference instruction. nf In the case of generating K again nf Otherwise, it will not be generated.
[0471] It should be noted that UE derivation K nf The method of deducing K from the AMF or SEAF side nf The method is the same.
[0472] In this embodiment, by introducing a freshness parameter during the new key derivation process, it is possible to ensure that the K generated for each NF is... nf Since they are different, it is assumed that if the key of one NF is compromised, the attacker will not be able to obtain the keys of other NFs, thus achieving secure isolation of keys.
[0473] Step 9: The UE replies to the NF with an SMP message in response to the SMC message.
[0474] After this step, security is activated between the UE and the NF, meaning that subsequent communication between the UE and the NF is protected by encryption and integrity.
[0475] Step 10: AMF forwards SMP messages to NF.
[0476] Step 11: The NF sends a response message to the UE requesting access to the NF. This message is used to respond to the request message for accessing the NF.
[0477] In this embodiment, the NF protects the response message, and the UE deprotects the response message.
[0478] Referring to Figure 8, an embodiment of this application provides a transmission processing device applied to a terminal. The device 800 includes: a first transceiver unit 801 and a first processing unit 802.
[0479] The first transceiver unit 801 is used to receive a first message, which is used to activate security or security protection between the terminal and the first network-side device.
[0480] The first processing unit 802 is used to obtain a second key based on a first key and a freshness parameter. The first key is available on a second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device.
[0481] In one embodiment of this application, the first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device.
[0482] In one embodiment of this application, the first message includes first indication information, which is used to indicate the derivation of the second key;
[0483] The first processing unit 802 is further configured to, in response to the first indication information, obtain the second key based on the first key and the freshness parameter.
[0484] In one embodiment of this application, the freshness parameter includes a first parameter, which includes one or more of the following:
[0485] 1) The UE ID of the terminal;
[0486] 2) ABBA.
[0487] In one embodiment of this application, the freshness parameter includes a second parameter, which includes one or more of the following:
[0488] 1) Identification information of the first network-side device;
[0489] 2) Downlink COUNT;
[0490] 3) First row of random numbers.
[0491] In one embodiment of this application, the first message includes first freshness indication information, and the first processing unit 802 is further configured to obtain the second parameter based on the first freshness indication information.
[0492] In one embodiment of this application, the freshness parameter includes a third parameter, which includes one or more of the following:
[0493] A counter used to measure the number of derivations of the second key;
[0494] The second row of random numbers.
[0495] In one embodiment of this application, the first message includes second freshness indication information, and the first processing unit 802 is further configured to obtain the third parameter based on the second freshness indication information.
[0496] In one embodiment of this application, the freshness parameter includes a fourth parameter, which includes one or more of the following:
[0497] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0498] 2) Upward COUNT;
[0499] 3) Random number generated from the top row.
[0500] In one embodiment of this application, the first transceiver unit 801 is further configured to send a second message to a third network-side device, the second message including a third message, the third message being used to request the establishment of an association with the first network-side device.
[0501] In one embodiment of this application, the second message further includes third freshness indication information, and the first processing unit 802 is further configured to obtain the third freshness indication information according to the fourth parameter.
[0502] In one embodiment of this application, the first transceiver unit 801 is further configured to receive a paging message sent from the third network-side device;
[0503] The first transceiver unit 801 is further configured to send the second message to the third network-side device;
[0504] The first transceiver unit 801 is further configured to receive a first message from the third network-side device.
[0505] In one embodiment of this application, the third network-side device and the second network-side device are the same device.
[0506] In one embodiment of this application, the first key includes at least one of the following: K ausf K seaf K amf .
[0507] The apparatus provided in this application embodiment can implement the various processes implemented in the method embodiment of FIG2 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0508] Referring to Figure 9, an embodiment of this application provides a transmission processing apparatus applied to a second network-side device. The apparatus 900 includes: a second transceiver unit 901 and a second processing unit 902.
[0509] The second processing unit 902 is used to obtain a second key based on the first key and the freshness parameter, wherein the second key is used to protect communication messages between the terminal and the first network-side device.
[0510] The second transceiver unit 901 is used to send a fourth message to the first network-side device, the fourth message including the second key.
[0511] In one embodiment of this application, the fourth message further includes the security capabilities of the terminal.
[0512] In one embodiment of this application, the freshness parameter includes a first parameter, which includes one or more of the following:
[0513] 1) The UE ID of the terminal;
[0514] 2) ABBA.
[0515] In one embodiment of this application, the second transceiver unit 901 is further configured to receive a fifth message from the first network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0516] In one embodiment of this application, the freshness parameter includes a second parameter, which includes one or more of the following:
[0517] 1) Identification information of the first network-side device;
[0518] 2) Downlink COUNT;
[0519] 3) First row of random numbers.
[0520] In one embodiment of this application, the fifth message includes first freshness indication information, and the second processing unit 902 is further configured to obtain the second parameter based on the first freshness indication information.
[0521] In one embodiment of this application, the freshness parameter includes a third parameter, which includes one or more of the following:
[0522] A counter used to measure the number of derivations of the second key;
[0523] The second row of random numbers.
[0524] In one embodiment of this application, the fourth message includes second freshness indication information, and the second processing unit 902 is further configured to obtain the second freshness indication information according to the third parameter.
[0525] In one embodiment of this application, the freshness parameter includes a third parameter, which includes one or more of the following:
[0526] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0527] 2) Upward COUNT;
[0528] 3) Random number generated from the top row.
[0529] In one embodiment of this application, the fifth message includes third freshness indication information, and the second processing unit 902 is further configured to obtain the fourth parameter based on the third freshness indication information.
[0530] In one embodiment of this application, the second processing unit 902 is further configured to determine whether to obtain the second key according to the first strategy;
[0531] The first strategy includes one or more of the following:
[0532] Whether the first network-side device or the terminal has security protection capabilities;
[0533] Does the type of the first network-side device require security protection?
[0534] Does the message sent by the first network-side device need to be forwarded by the third network-side device?
[0535] In one embodiment of this application, the third network-side device and the second network-side device are the same device.
[0536] In one embodiment of this application, the first key includes at least one of the following: K ausf K seaf K amf .
[0537] The apparatus provided in this application embodiment can implement the various processes implemented in the method embodiment of FIG3 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0538] Referring to Figure 10, an embodiment of this application provides a transmission processing apparatus applied to a first network-side device. The apparatus 1000 includes a third transceiver unit 1001 and a third processing unit 1002.
[0539] The third transceiver unit 1001 is used to receive a fourth message from the second network-side device, the fourth message including a second key, the second key being used to protect communication messages between the terminal and the first network-side device;
[0540] The third transceiver unit 1001 is also used to send a first message to the terminal, the first message being used to activate security or security protection between the terminal and the first network-side device.
[0541] In one embodiment of this application, the first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device, and the third transceiver unit 1001 is used to select the security algorithm according to the security capabilities of the terminal.
[0542] In one embodiment of this application, the fourth message further includes the security capabilities of the terminal.
[0543] In one embodiment of this application, the first message includes first indication information, which is used to indicate the derivation of the second key.
[0544] In one embodiment of this application, the third transceiver unit 1001 is further configured to send a fifth message to the second network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0545] In one embodiment of this application, the first message or the fifth message further includes first freshness indication information, which is used to indicate the second parameter in the freshness parameters.
[0546] In one embodiment of this application, the second parameter includes one or more of the following:
[0547] 1) Identification information of the first network-side device;
[0548] 2) Downlink COUNT;
[0549] 3) First row of random numbers.
[0550] In one embodiment of this application, the first message or the fourth message includes second freshness indication information, which is used to indicate a third parameter in the freshness parameters.
[0551] In one embodiment of this application, the third parameter includes one or more of the following:
[0552] 1) A counter used to measure the number of derivations of the second key;
[0553] 2) Second row of random numbers.
[0554] In one embodiment of this application, the second message or the fifth message includes third freshness indication information, which is used to indicate the fourth parameter in the freshness parameters.
[0555] In one embodiment of this application, the fourth parameter includes one or more of the following:
[0556] 1) Signaling type distinguisher, used to indicate the type of signaling;
[0557] 2) Upward COUNT;
[0558] 3) Random number generated from the top row.
[0559] In one embodiment of this application, the third transceiver unit 1001 is further configured to obtain the identification information of the second network side device from the first network side device; the third transceiver unit 1001 is further configured to send a fifth message to the second network side device according to the identification information of the second network side device.
[0560] In one embodiment of this application, the third processing unit 1002 is used to determine whether security protection is performed between the terminal and the first network-side device according to the second strategy;
[0561] The second strategy includes one or more of the following:
[0562] Whether the first network-side device or the terminal has security protection capabilities;
[0563] Does the type of the first network-side device require security protection?
[0564] Whether the message sent by the first network-side device needs to be forwarded by the third network-side device;
[0565] The third processing unit 1002 is also configured to perform one or more of the following actions when it is determined that security protection is required:
[0566] Trigger execution to send a first message to the terminal;
[0567] The process is triggered to send a fifth message to the second network-side device.
[0568] In one embodiment of this application, the third transceiver unit 1001 is further configured to send the first message to the terminal via a third network-side device.
[0569] In one embodiment of this application, the third transceiver unit 1001 is further configured to receive a third message sent from the terminal through the third network-side device, the third message being used to request an association with the first network-side device.
[0570] In one embodiment of this application, the third transceiver unit 1001 is further configured to receive identification information of the second network-side device from the third network-side device.
[0571] In one embodiment of this application, the third transceiver unit 1001 is further configured to send the identifier of the terminal to the fourth network-side device; the third transceiver unit 1001 is further configured to receive the identifier information of the second network-side device from the fourth network-side device.
[0572] In one embodiment of this application, the third transceiver unit 1001 is further configured to send area information to the fourth network-side device; the third transceiver unit 1001 is further configured to have the fourth network-side device receive the identification information of the second network-side device corresponding to the terminal, wherein the terminal belongs to the area.
[0573] In one embodiment of this application, the third transceiver unit 1001 is further configured to send a paging indication first message to a third network-side device, the paging indication being used to page the terminal.
[0574] The apparatus provided in this application embodiment can implement the various processes implemented in the method embodiment of FIG4 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0575] As shown in Figure 11, this application embodiment also provides a communication device 1100, including a processor 1101 and a memory 1102. The memory 1102 stores a program or instructions that can run on the processor 1101. For example, when the communication device 1100 is a terminal, the program or instructions executed by the processor 1101 implement the various steps of the method embodiment shown in Figure 2 above, and can achieve the same technical effect. When the communication device 1100 is a network-side device, the program or instructions executed by the processor 1101 implement the various steps of the method embodiment shown in Figure 3 or Figure 4 above, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0576] This application also provides a terminal, including a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps in the method embodiment shown in FIG2. This terminal may be the communication processing device shown in FIG8. Specifically, FIG12 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of this application.
[0577] The terminal 1200 includes, but is not limited to, at least some of the following components: radio frequency unit 1201, network module 1202, audio output unit 1203, input unit 1204, sensor 1205, display unit 1206, user input unit 1207, interface unit 1208, memory 1209, and processor 1210.
[0578] Those skilled in the art will understand that terminal 1200 may also include a power supply (such as a battery) for powering various components. The power supply can be logically connected to processor 1210 through a power management system, thereby enabling functions such as charging, discharging, and power consumption management through the power management system. The terminal structure shown in Figure 12 does not constitute a limitation on the terminal. The terminal may include more or fewer components than shown, or combine certain components, or have different component arrangements, which will not be elaborated here.
[0579] It should be understood that, in this embodiment, the input unit 1204 may include a graphics processor 12041 and a microphone 12042. The graphics processor 12041 processes image data of still images or videos obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 1206 may include a display panel 12061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 1207 includes a touch panel 12071 and at least one of other input devices 12072. The touch panel 12071 is also called a touch screen. The touch panel 12071 may include a touch detection device and a touch controller. Other input devices 12072 may include, but are not limited to, physical keyboards, function keys (such as volume control buttons, power buttons, etc.), trackballs, mice, and joysticks, which will not be described in detail here.
[0580] In this embodiment, after receiving downlink data from the network-side device, the radio frequency unit 1201 can transmit it to the processor 1210 for processing; in addition, the radio frequency unit 1201 can send uplink data to the network-side device. Typically, the radio frequency unit 1201 includes, but is not limited to, antennas, amplifiers, transceivers, couplers, low-noise amplifiers, duplexers, etc.
[0581] The memory 1209 can be used to store software programs or instructions, as well as various data. The memory 1209 may primarily include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area may store the operating system, application programs or instructions required for at least one function (such as sound playback, image playback, etc.). Furthermore, the memory 1209 may include volatile memory or non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus RAM (DRRAM). The memory 1209 in this embodiment includes, but is not limited to, these and any other suitable types of memory.
[0582] Optionally, the radio frequency unit 1201 is used to receive a first message, which is used to activate security between the terminal and the first network-side device; the processor 1210 is used to obtain a second key based on a first key and a freshness parameter, the first key being available on the second network-side device, and the second key being used to protect communication messages between the terminal and the first network-side device.
[0583] Optionally, the first message includes first indication information, which is used to indicate the derivation of the second key; the processor 1210 is further configured to, in response to the first indication information, obtain the second key based on the first key and the freshness parameter.
[0584] Optionally, the first message includes first freshness indication information, and the processor 1210 is further configured to obtain the second parameter based on the first freshness indication information.
[0585] Optionally, the first message includes second freshness indication information, and the processor 1210 is further configured to obtain the third parameter based on the second freshness indication information.
[0586] Optionally, the radio frequency unit 1201 is further configured to send a second message to a third network-side device, the second message including a third message, the third message being used to request an association with the first network-side device.
[0587] Optionally, the second message may also include third freshness indication information, and the processor 1210 may further be configured to obtain the third freshness indication information based on the fourth parameter.
[0588] Optionally, the radio frequency unit 1201 is also used to receive paging messages sent from the third network-side device;
[0589] The radio frequency unit 1201 is further configured to send the second message to the third network-side device;
[0590] The radio frequency unit 1201 is further configured to receive a first message from the third network-side device.
[0591] Processor 1210 may include one or more processing units; optionally, processor 1210 integrates an application processor and a modem processor, wherein the application processor mainly handles operations involving the operating system, user interface, and applications, and the modem processor mainly handles wireless communication signals, such as a baseband processor. It is understood that the aforementioned modem processor may also not be integrated into processor 1210.
[0592] It is understood that the implementation process of each implementation method mentioned in this embodiment can refer to the relevant description of the method embodiment shown in Figure 2, and achieve the same or corresponding technical effects. To avoid repetition, it will not be described again here.
[0593] This application also provides a network-side device, including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps of the method embodiment shown in FIG3 or FIG4. This network-side device embodiment corresponds to the above-described network-side device method embodiment. All implementation processes and methods of the above-described method embodiments can be applied to this network-side device embodiment and can achieve the same technical effect.
[0594] Specifically, this application also provides a network-side device. As shown in FIG13, the network-side device 1300 includes a processor 1301, a network interface 1302, and a memory 1303. The core network element can be the device shown in FIG7 or FIG8. The network interface 1302 is, for example, a Common Public Radio Interface (CPRI).
[0595] In one embodiment, the processor 1304 is configured to obtain a second key based on a first key and a freshness parameter, the second key being used to protect communication messages between the terminal and a first network-side device; the network interface 1302 is configured to send a fourth message to the first network-side device, the fourth message including the second key.
[0596] Optionally, network interface 1302 is further configured to receive a fifth message from the first network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0597] Optionally, the fifth message includes first freshness indication information, and the processor 1304 is further configured to obtain the second parameter based on the first freshness indication information.
[0598] Optionally, the fourth message includes second freshness indication information, and the processor 1304 is further configured to obtain the second freshness indication information based on the third parameter.
[0599] Optionally, the fifth message includes third freshness indication information, and the processor 1304 is further configured to obtain the fourth parameter based on the third freshness indication information.
[0600] Optionally, the processor 1304 is further configured to determine whether to obtain the second key based on the first strategy;
[0601] The first strategy includes one or more of the following:
[0602] Whether the first network-side device or the terminal has security protection capabilities;
[0603] Does the type of the first network-side device require security protection?
[0604] Does the message sent by the first network-side device need to be forwarded by the third network-side device?
[0605] In another embodiment, network interface 1302 is used to receive a fourth message from a second network-side device, the fourth message including a second key, the second key being used to protect communication messages between the terminal and the first network-side device; network interface 1302 is also used to send a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
[0606] Optionally, the first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device, and the network interface 1302 is used to select the security algorithm according to the security capabilities of the terminal.
[0607] Optionally, network interface 1302 is further configured to send a fifth message to the second network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
[0608] Optionally, network interface 1302 is further configured to allow the first network-side device to obtain the identification information of the second network-side device; network interface 1302 is also configured to send a fifth message to the second network-side device based on the identification information of the second network-side device.
[0609] Optionally, the processor 1304 is further configured to determine whether security protection is provided between the terminal and the first network-side device according to the second strategy;
[0610] The second strategy includes one or more of the following:
[0611] Whether the first network-side device or the terminal has security protection capabilities;
[0612] Does the type of the first network-side device require security protection?
[0613] Whether the message sent by the first network-side device needs to be forwarded by the third network-side device;
[0614] Network interface 1302 is also used to perform one or more of the following actions when it is determined that security protection is required:
[0615] Trigger execution to send a first message to the terminal;
[0616] The process is triggered to send a fifth message to the second network-side device.
[0617] Optionally, network interface 1302 is also used to send the first message to the terminal via a third network-side device.
[0618] Optionally, network interface 1302 is further configured to receive a third message sent from the terminal via the third network-side device, the third message being used to request an association with the first network-side device.
[0619] Optionally, network interface 1302 is also used to receive identification information of the second network side device from the third network side device.
[0620] Optionally, network interface 1302 is also used to send the identifier of the terminal to the fourth network-side device; network interface 1302 is also used to receive the identifier information of the second network-side device from the fourth network-side device.
[0621] Optionally, network interface 1302 is also used to send area information to the fourth network-side device; network interface 1302 is also used for the fourth network-side device to receive the identification information of the second network-side device corresponding to the terminal, and the terminal belongs to the area.
[0622] Optionally, network interface 1302 is also used to send a paging indication first message to a third network-side device, the paging indication being used to page the terminal.
[0623] Specifically, the core network element 1300 in this application embodiment also includes: instructions or programs stored in memory 1303 and executable on processor 1301. Processor 1301 calls the instructions or programs in memory 1303 to execute the methods executed by each unit shown in FIG9 or FIG10 and achieve the same technical effect. To avoid repetition, it will not be described in detail here.
[0624] It is understood that the implementation process of each implementation method mentioned in this embodiment can refer to the relevant description of the method embodiment shown in Figure 3 or Figure 4, and achieve the same or corresponding technical effects. To avoid repetition, it will not be described again here.
[0625] This application also provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the various processes of the method embodiments shown in FIG2, FIG3, or FIG4 above and achieve the same technical effect. To avoid repetition, they will not be described again here.
[0626] The processor mentioned above is the processor in the terminal or network-side device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk. In some examples, the readable storage medium may be a non-transient readable storage medium.
[0627] This application embodiment also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The processor is used to run programs or instructions to implement the various processes of the method embodiments shown in Figure 2, Figure 3 or Figure 4 above, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0628] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a system-on-a-chip, system chip, chip system, or system-on-a-chip, etc.
[0629] This application also provides a computer program / program product, which is stored in a storage medium and executed by at least one processor to implement the various processes of the method embodiments shown in FIG2, FIG3, or FIG4 above, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0630] This application also provides a wireless communication system, including a terminal and a network-side device. The terminal can be used to perform the steps of the method shown in FIG2 provided in this application embodiment, and the network-side device can be used to perform the steps of the method shown in FIG3 or FIG4 provided in this application embodiment.
[0631] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
[0632] From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of computer software products plus necessary general-purpose hardware platforms, and of course, they can also be implemented by hardware. The computer software product is stored in a storage medium (such as ROM, RAM, magnetic disk, optical disk, etc.), and the computer software product includes several instructions to cause the terminal or network-side device to execute the methods described in the various embodiments of this application.
[0633] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other implementations under the guidance of this application without departing from the spirit and scope of the claims. All of these implementations are within the protection scope of this application.
Claims
1. A transmission processing method, wherein, include: The terminal receives a first message, which is used to activate security between the terminal and the first network-side device. The terminal obtains a second key based on a first key and a freshness parameter. The first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device.
2. The method according to claim 1, wherein, The first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device.
3. The method according to claim 1 or 2, wherein, The first message includes first indication information, which is used to indicate the derivation of the second key; The terminal obtains the second key based on the first key and the freshness parameter, including: In response to the first indication information, the terminal obtains the second key based on the first key and the freshness parameter.
4. The method according to any one of claims 1-3, wherein, The freshness parameter includes a first parameter, which includes one or more of the following: The terminal identifier UE ID; ABBA (Architecture-Based Architecture) is designed to resist degradation between different architectures.
5. The method according to any one of claims 1-4, wherein, The freshness parameter includes a second parameter, which includes one or more of the following: The identification information of the first network-side device; Downlink counter COUNT; First row of random numbers.
6. The method according to claim 5, wherein, The first message includes a first freshness indication, and the method further includes: The terminal obtains the second parameter based on the first freshness indication information.
7. The method according to any one of claims 1-6, wherein, The freshness parameter includes a third parameter, which includes one or more of the following: A counter used to measure the number of derivations of the second key; The second row of random numbers.
8. The method according to claim 7, wherein, The first message includes a second freshness indication, and the method further includes: The terminal obtains the third parameter based on the second freshness indication information.
9. The method according to any one of claims 1-6, wherein, The freshness parameter includes a fourth parameter, which includes one or more of the following: Signaling type distinguisher, used to indicate the type of signaling; Upward COUNT; Random number from the top row.
10. The method according to any one of claims 1 to 9, wherein, The method further includes: The terminal sends a second message to the third network-side device; The second message includes a third message, which is used to request an association with the first network-side device.
11. The method according to claim 10, wherein, The second message also includes a third freshness indication message, and the method further includes: The terminal obtains the third freshness indication information based on the fourth parameter.
12. The method according to claim 10, wherein, The method further includes: The terminal receives a paging message sent from the third network-side device; The terminal sends a second message to the third network-side device, including: In response to the paging message, the terminal sends the second message to the third network-side device; The terminal receives a first message, including: The terminal receives a first message from the third network-side device.
13. The method according to any one of claims 1-12, wherein, The second network-side device and the third network-side device are the same device.
14. The method according to any one of claims 1-13, wherein, The first key includes at least one of the following: Authentication Service Function (AUSF) key K ausf Security Anchor Function SEAF Key K seaf Access and Mobility Management Function (AMF) Key K amf .
15. A transmission processing method, wherein, include: The second network-side device obtains a second key based on the first key and the freshness parameter. The second key is used to protect the communication messages between the terminal and the first network-side device. The second network-side device sends a fourth message to the first network-side device, the fourth message including the second key.
16. The method according to claim 15, wherein, The fourth message also includes the terminal's security capabilities.
17. The method according to claim 15 or 16, wherein, The freshness parameter includes a first parameter, which includes one or more of the following: The UE ID of the terminal; ABBA.
18. The method according to any one of claims 15-17, wherein, The method further includes: The second network-side device receives a fifth message from the first network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
19. The method according to claim 18, wherein, The freshness parameter includes a second parameter, which includes one or more of the following: Identification information of the first network-side device; Downlink COUNT; First row of random numbers.
20. The method according to claim 19, wherein, The fifth message includes a first freshness indication message, and the method further includes: The second network-side device obtains the second parameter based on the first freshness indication information.
21. The method according to any one of claims 15-20, wherein, The freshness parameter includes a third parameter, which includes one or more of the following: A counter used to measure the number of derivations of the second key; The second row of random numbers.
22. The method according to claim 21, wherein, The fourth message includes a second freshness indication message, and the method further includes: The second network-side device obtains the second freshness indication information based on the third parameter.
23. The method according to any one of claims 18-22, wherein, The freshness parameter includes a fourth parameter, which includes one or more of the following: Signaling type distinguisher, used to indicate the type of signaling; Upward COUNT; Random number from the top row.
24. The method according to claim 23, wherein, The fifth message includes a third freshness indication message, and the method further includes: The second network-side device obtains the fourth parameter based on the third freshness indication information.
25. The method according to any one of claims 15-24, wherein, The method further includes: The second network-side device determines whether to obtain the second key according to the first policy; The first strategy includes one or more of the following: Whether the first network-side device or the terminal has security protection capabilities; Does the type of the first network-side device require security protection? Does the message sent by the first network-side device need to be forwarded by the third network-side device? 26. The method according to any one of claims 15-25, wherein, The second network-side device and the third network-side device are the same device.
27. A transmission processing method, wherein, include: The first network-side device receives a fourth message from the second network-side device. The fourth message includes a second key, which is used to protect communication messages between the terminal and the first network-side device. The first network-side device sends a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
28. The method according to claim 27, wherein, The first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device. The method further includes: The first network-side device selects the security algorithm based on the security capabilities of the terminal.
29. The method according to claim 28, wherein, The fourth message also includes the terminal's security capabilities.
30. The method according to any one of claims 27-29, wherein, The first message includes first indication information, which is used to indicate the derivation of the second key.
31. The method according to any one of claims 27-30, wherein, The method further includes: The first network-side device sends a fifth message to the second network-side device, the fifth message being used to request the second key, and the fourth message being used to respond to the fifth message.
32. The method according to claim 31, wherein, The first message or the fifth message further includes first freshness indication information, which is used to indicate the second parameter in the freshness parameters.
33. The method according to any one of claims 27-32, wherein, The first message or the fourth message includes a second freshness indication, which is used to indicate a third parameter in the freshness parameters.
34. The method according to any one of claims 27-33, wherein, The second or fifth message includes a third freshness indication, which is used to indicate the fourth parameter in the freshness parameters.
35. The method according to any one of claims 27-34, wherein, The method further includes: The first network-side device obtains the identification information of the second network-side device; The first network-side device sends a fifth message to the second network-side device, including: The first network-side device sends a fifth message to the second network-side device based on the identification information of the second network-side device.
36. The method according to any one of claims 27-35, wherein, The method further includes: The first network-side device determines whether security protection is performed between the terminal and the first network-side device according to a second strategy; wherein, the second strategy includes one or more of the following: whether the first network-side device or the terminal has security protection capabilities; whether the type of the first network-side device requires security protection; and whether the message sent by the first network-side device needs to be forwarded by the third network-side device. If it is determined that security protection is required, the first network-side device performs one or more of the following actions: Trigger execution to send a first message to the terminal; The process is triggered to send a fifth message to the second network-side device.
37. The method according to any one of claims 27-36, wherein, The first network-side device sends a first message to the terminal, including: The first network-side device sends the first message to the terminal through the third network-side device.
38. The method according to claim 37, wherein, The method further includes: The first network-side device receives a third message from the terminal through the third network-side device. The third message is used to request to establish an association with the first network-side device.
39. The method according to claim 38, wherein, The first network-side device obtains the identification information of the second network-side device, including: The first network-side device receives the identification information of the second network-side device from the third network-side device.
40. The method according to any one of claims 27-39, wherein, The method further includes: The first network-side device sends the terminal's identifier to the fourth network-side device; The first network-side device receives the identification information of the second network-side device from the fourth network-side device.
41. The method according to any one of claims 27-40, wherein, The method further includes: The first network-side device sends area information to the fourth network-side device; The first network-side device receives the identification information of the second network-side device corresponding to the terminal from the fourth network-side device, and the terminal belongs to the area.
42. The method according to claim 40 or 41, wherein, The method further includes: The first network-side device sends a paging indication first message to the third network-side device, the paging indication being used to page the terminal.
43. A transmission processing apparatus, wherein, include: First transceiver unit and first processing unit; The first transceiver unit is used to receive a first message, which is used to activate security between the terminal and the first network-side device. The first processing unit is used to obtain a second key based on a first key and a freshness parameter. The first key is available on the second network-side device, and the second key is used to protect communication messages between the terminal and the first network-side device.
44. The apparatus according to claim 43, wherein, The first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device.
45. A transmission processing apparatus, wherein, include: Second transceiver unit and second processing unit; The second processing unit is used to obtain a second key based on the first key and the freshness parameter, the second key being used to protect communication messages between the terminal and the first network-side device; The second transceiver unit is used to send a fourth message to the first network-side device, the fourth message including the second key.
46. The apparatus according to claim 45, wherein, The fourth message also includes the terminal's security capabilities.
47. A transmission processing apparatus, wherein, include: The third transceiver unit and the third processing unit; The third transceiver unit is used to receive a fourth message from the second network-side device. The fourth message includes a second key, which is used to protect communication messages between the terminal and the first network-side device. The third transceiver unit is also used to send a first message to the terminal, the first message being used to activate security between the terminal and the first network-side device.
48. The apparatus according to claim 47, wherein, The first message includes a security algorithm, which is used to protect communication messages between the terminal and the first network-side device. The third transceiver unit is used to select the security algorithm based on the security capabilities of the terminal.
49. A terminal, wherein, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the method as described in any one of claims 1 to 14.
50. A network-side device, wherein, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the method as claimed in any one of claims 15 to 26, or the steps of the method as claimed in any one of claims 27 to 42.
51. A readable storage medium, wherein, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the method as claimed in any one of claims 1 to 14, or the steps of the method as claimed in any one of claims 15 to 26, or the steps of the method as claimed in any one of claims 27 to 42.