Message processing methods and apparatuses, and terminal and network-side device
By introducing first information into the downlink message, the terminal can obtain the protection key based on this information, which solves the problem that the terminal cannot distinguish the use of the key for deprotection, realizes the correct decryption and integrity verification of the downlink message, and improves communication security.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- VIVO MOBILE COMM CO LTD
- Filing Date
- 2025-12-26
- Publication Date
- 2026-07-09
AI Technical Summary
In scenarios where a terminal communicates directly with multiple core network NFs, the terminal cannot distinguish which key is used to deprotect downlink messages, resulting in messages that cannot be decrypted correctly.
By introducing first information, the terminal can obtain the protection key based on the information, thereby deprotecting the downlink message. By introducing the unencrypted first information into the downlink message, the terminal can obtain the protection key without decryption, thus achieving correct deprotection of the downlink message.
It enables the terminal to correctly decrypt and verify the integrity of downlink messages, ensuring message security and reliability and reducing modifications to the chip.
Smart Images

Figure CN2025146167_09072026_PF_FP_ABST
Abstract
Description
Message processing methods, devices, terminals and network-side equipment
[0001] Cross-references to related applications
[0002] This application claims priority to Chinese Patent Application No. 202411973261.1, filed with the Chinese Patent Office on December 30, 2024, entitled "Message Processing Method, Apparatus, Terminal and Network Side Device", the entire contents of which are incorporated herein by reference. Technical Field
[0003] This application belongs to the field of communication technology, specifically relating to a message processing method, apparatus, terminal, and network-side equipment. Background Technology
[0004] In related technologies, all messages sent between the terminal and the network function (NF) of the core network need to pass through the access and mobility management function (AMF). Therefore, the terminal and the AMF only need to maintain one set of keys to protect the messages (such as encryption and integrity protection), and the terminal does not need to determine which set of keys to use. However, in scenarios where the terminal communicates directly with multiple core network NFs, the terminal may have different keys with different core network NFs or different types of core network NFs. However, the terminal obtains downlink messages from different core network NFs through the same radio access network (RAN). Assuming that the downlink messages are encrypted, before obtaining the key to decrypt the messages, the terminal sees garbled messages and cannot distinguish which set of keys is used to deprotect the downlink messages. Therefore, how to enable the terminal to determine the key is a problem that needs to be solved. Summary of the Invention
[0005] This application provides a message processing method, apparatus, terminal, and network-side device that can solve the problem of how to enable the terminal to determine the key.
[0006] Firstly, a message processing method is provided, executed by a terminal, the method comprising:
[0007] The terminal receives a downlink message from a first network-side device, the downlink message including first information;
[0008] The terminal obtains the protection key based on the first information;
[0009] The terminal deprotects the downlink message according to the protection key.
[0010] Secondly, a message processing method is provided, executed by a first network-side device, the method comprising:
[0011] The first network-side device obtains the first information;
[0012] The first network-side device obtains a protection key, which is related to the first information;
[0013] The first network-side device sends a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
[0014] Thirdly, a message processing method is provided, executed by a second network-side device, the method comprising:
[0015] The second network-side device receives a request message from the first network-side device;
[0016] The second network-side device obtains the first information;
[0017] In response to the request message, the second network-side device generates a third key based on the first key and the first information, and the first key is available on the second network-side device;
[0018] The second network-side device sends a response message to the first network-side device, the response message including the third key.
[0019] Fourthly, a message processing device is provided, applied to a terminal, comprising:
[0020] A first receiving module is configured to receive downlink messages from a first network-side device, the downlink messages including first information;
[0021] The first processing module is used to obtain the protection key based on the first information;
[0022] The second processing module is used to deprotect the downlink message according to the protection key.
[0023] Fifthly, a message processing apparatus is provided, applied to a first network-side device, comprising:
[0024] The fourth processing module is used to obtain the first information;
[0025] The fifth processing module is used to obtain a protection key, which is related to the first information;
[0026] The second sending module is used to send a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
[0027] Sixthly, a message processing apparatus is provided, applied to a second network-side device, comprising:
[0028] The third receiving module is used to receive request messages from the first network-side device;
[0029] The sixth processing module is used to obtain the first information;
[0030] The seventh processing module is configured to, in response to the request message, generate a third key based on the first key and the first information, wherein the first key is available on the second network-side device;
[0031] The fourth sending module is used to send a response message to the first network-side device, the response message including the third key.
[0032] In a seventh aspect, a message processing apparatus is provided, the apparatus being configured to perform the steps of the method described in the first aspect, or to implement the steps of the method described in the second aspect, or to implement the steps of the method described in the third aspect.
[0033] In an eighth aspect, a terminal is provided, the terminal including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the first aspect.
[0034] In a ninth aspect, a terminal is provided, including a processor and a communication interface, wherein the communication interface is configured to receive downlink messages from a first network-side device, the downlink messages including first information; the processor is configured to obtain a protection key based on the first information, and deprotect the downlink messages based on the protection key.
[0035] In a tenth aspect, a network-side device is provided, the network-side device including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the second aspect, or implementing the steps of the method as described in the third aspect.
[0036] Eleventhly, a network-side device is provided, including a processor and a communication interface. For example, the network-side device is a first network-side device. The processor is used to obtain first information and a protection key, the protection key being related to the first information. The communication interface is used to send a downlink message protected by the protection key to a terminal, the downlink message containing the first information. Alternatively, the network-side device is a second network-side device. The communication interface is used to receive a request message from the first network-side device. The processor is used to obtain the first information, and in response to the request message, generate a third key based on the first key and the first information. The first key is available on the second network-side device. The communication interface is also used to send a response message, the response message including the third key.
[0037] In a twelfth aspect, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method described in the first aspect, or the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
[0038] In a thirteenth aspect, a wireless communication system is provided, comprising: a terminal and a network-side device, wherein the terminal is configured to perform the steps of the method described in the first aspect, and the network-side device is configured to perform the steps of the method described in the second aspect, or implement the steps of the method described in the third aspect.
[0039] In a fourteenth aspect, a chip is provided, the chip including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement the method as described in the first aspect, or the method as described in the second aspect, or the steps of the method as described in the third aspect.
[0040] In a fifteenth aspect, a computer program / program product is provided, the computer program / program product being stored in a storage medium, the computer program / program product being executed by at least one processor to implement the steps of the method as described in the first aspect, or the steps of the method as described in the second aspect, or the steps of the method as described in the third aspect.
[0041] The solution in this application embodiment can introduce first information into the downlink message, so that the terminal can obtain the protection key for deprotecting the downlink message based on the first information, thereby realizing the correct deprotection of the downlink message. Attached Figure Description
[0042] Figure 1 shows a block diagram of a wireless communication system that can be applied to an embodiment of this application;
[0043] Figure 2 is a flowchart of a message processing method provided in an embodiment of this application;
[0044] Figure 3 is a flowchart of another message processing method provided in an embodiment of this application;
[0045] Figure 4 is a flowchart of another message processing method provided in an embodiment of this application;
[0046] Figure 5 is a schematic diagram of the security establishment process in Embodiment 1 of this application;
[0047] Figure 6 is a schematic diagram of the security establishment process in Embodiment 2 of this application;
[0048] Figure 7 is a schematic diagram of the security establishment process in Embodiment 3 of this application;
[0049] Figure 8 is a schematic diagram of the structure of a message processing device provided in an embodiment of this application;
[0050] Figure 9 is a schematic diagram of another message processing device provided in an embodiment of this application;
[0051] Figure 10 is a schematic diagram of another message processing device provided in an embodiment of this application;
[0052] Figure 11 is a schematic diagram of the structure of a communication device provided in an embodiment of this application;
[0053] Figure 12 is a schematic diagram of the structure of a terminal provided in an embodiment of this application;
[0054] Figure 13 is a schematic diagram of the structure of a network-side device provided in an embodiment of this application. Detailed Implementation
[0055] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.
[0056] The terms "first," "second," etc., used in this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, not limited in number; for example, the first object can be one or more. Furthermore, "or" in this application indicates at least one of the connected objects. For example, the scope of protection for "A or B" covers at least three scenarios: Scenario 1: including A but not B; Scenario 2: including B but not A; Scenario 3: including both A and B. In addition, the terms "A and / or B," "at least one of A and B," and "at least one of A or B" also cover at least the above three scenarios. The character " / " generally indicates that the preceding and following objects are in an "or" relationship.
[0057] The term "instruction" in this application can be either a direct instruction (or explicit instruction) or an indirect instruction (or implicit instruction). A direct instruction can be understood as the sender explicitly informing the receiver of specific information, the required operation, or the requested result in the instruction sent. An indirect instruction can be understood as the receiver determining the corresponding information based on the instruction sent by the sender, or making a judgment and determining the required operation or requested result based on the judgment result.
[0058] It is worth noting that the technologies described in this application are not limited to Long Term Evolution (LTE) / LTE-Advanced (LTE-A) systems, but can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA), or other systems. The terms "system" and "network" in this application are often used interchangeably, and the described technologies can be used with the systems and radio technologies mentioned above, as well as with other systems and radio technologies. The following description describes New Radio (NR) systems for illustrative purposes, and the term NR is used in most of the following description; however, these technologies can also be applied to systems other than NR systems, such as 6th generation (6G) radio systems. th Generation 6G communication system.
[0059] Figure 1 shows a block diagram of a wireless communication system applicable to an embodiment of this application. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 can also be referred to as User Equipment (UE), and can be a mobile phone, tablet computer, laptop computer, notebook computer, personal digital assistant (PDA), handheld computer, netbook, ultra-mobile personal computer (UMPC), mobile internet device (MID), augmented reality (AR), virtual reality (VR) device, robot, wearable device, flight vehicle, vehicle user equipment (VUE), shipboard equipment, pedestrian user equipment (PUE), smart home (home devices with wireless communication capabilities, such as refrigerators, televisions, washing machines, or furniture), game console, personal computer (PC), ATM, or self-service machine, etc. Wearable devices include: smartwatches, smart bracelets, smart earphones, smart glasses, smart jewelry (smart bracelets, smart chains, smart rings, smart necklaces, smart anklets, smart anklets, etc.), smart wristbands, smart clothing, etc. Among these, in-vehicle devices can also be referred to as in-vehicle terminals, in-vehicle controllers, in-vehicle modules, in-vehicle components, in-vehicle chips, or in-vehicle units, etc. Furthermore, in addition to the terminals described above, terminal 11 can also be a chip within a terminal, such as a modem chip, a system-on-chip (SoC), etc. It should be noted that the specific type of terminal 11 is not limited in the embodiments of this application.
[0060] Network-side equipment 12 may include access network equipment or core network equipment. Access network equipment may also be referred to as Radio Access Network (RAN) equipment, radio access network function, or radio access network unit. Access network equipment may include base stations, wireless local area network (WLAN) access points (APs), or wireless Fidelity (WiFi) nodes, etc. Among them, base stations can be referred to as Node B (NB), Evolved Node B (eNB), Next Generation Node B (gNB), New Radio Node B (NR Node B), Access Point, Relay Base Station (RBS), Serving Base Station (SBS), Base Transceiver Station (BTS), Radio Base Station, Radio Transceiver, Basic Service Set (BSS), Extended Service Set (ESS), Home Node B (HNB), Home Evolved Node B, Transmit / Receive Point (TRP), Non-Terrestrial Network (NTN) equipment (such as satellite or high altitude platform stations). The term "base station" can be any suitable term in the field, such as "station" or any other appropriate term in the relevant field, as long as the same technical effect is achieved. The term "base station" is not limited to specific technical terms. It should be noted that the embodiments of this application only use the base station in the NR system as an example for introduction, and do not limit the specific type of base station.
[0061] Core network equipment, also known as core network nodes, core network functions, or core network elements, includes, but is not limited to, at least one of the following: Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized network configuration (CNC), Network Repository Function (NRF), Network Exposure Function (NEF), Local NEF (L-NEF), and Binding Support. Functions include BSF, Application Function (AF), Location Management Function (LMF), Gateway Mobile Location Centre (GMLC), Network Data Analytics Function (NWDAF), and Non-Terrestrial Network (NTN) equipment (such as satellite or high altitude platform station).It should be noted that the embodiments of this application only use the core network equipment in the NR system as an example for introduction, and do not limit the specific type of core network equipment. If the name of the core network equipment mentioned in the embodiments of this application changes in subsequent protocol versions (e.g., 6G), it is also within the scope of protection of this application.
[0062] Optionally, the core network equipment can be implemented by one or more functional modules in a single device, or by multiple devices working together; this application does not specifically limit this. It is understood that the aforementioned functional modules can be network elements in hardware devices, software functional modules running on dedicated hardware, or virtualized functional modules instantiated on a platform (e.g., a cloud platform).
[0063] The message processing method, apparatus, terminal, and network-side device provided in this application will be described in detail below with reference to the accompanying drawings and through some embodiments and application scenarios.
[0064] Please refer to Figure 2, which is a flowchart of a message processing method provided in an embodiment of this application. The method is executed by a terminal. As shown in Figure 2, the method includes the following steps:
[0065] Step 21: The terminal receives a downlink message from the first network-side device, the downlink message including first information;
[0066] Step 22: The terminal obtains the protection key based on the first information;
[0067] Step 23: The terminal deprotects the downlink message according to the protection key.
[0068] In this embodiment of the application, the first network-side device is a core network device that communicates with the terminal, and may be selected as, but is not limited to, SMF, UPF, LMF, UDM, etc.
[0069] The first information is used to obtain the protection key. The first information may also be referred to as association information, association identifier, etc. The first information can be used as a parameter for generating the protection key. The first information can be generated / allocated by the terminal, or by network-side devices, etc.
[0070] Optionally, the first information included in the downlink message is not encrypted; that is, the first information is carried in the unencrypted portion of the downlink message. This allows the terminal to obtain the first information without decryption, thereby obtaining the corresponding protection key based on the first information and correctly deprotecting the downlink message.
[0071] For example, the downlink message includes at least an encrypted portion and an unencrypted portion, the unencrypted portion containing first information. However, this first information can be protected for integrity.
[0072] For example, the downlink message may be a response message for accessing the first network-side device, or it may be a downlink message to be transmitted to the terminal, etc., and there is no limitation thereto.
[0073] The solution in this application embodiment can introduce first information into the downlink message, so that the terminal can obtain the protection key for deprotecting the downlink message based on the first information, thereby realizing the correct deprotection of the downlink message.
[0074] In this embodiment, the first information can be used to distinguish communication between the terminal and different network-side devices; or, the first information can be used to distinguish communication between the terminal and different types of network-side devices. Therefore, the terminal can find the corresponding security context based on the signaling of the current communication to deprotect the corresponding signaling, wherein the security context may include security algorithms, keys, etc.
[0075] In this embodiment of the application, the first information can be obtained in different ways.
[0076] Optionally, the first information can be an identifier of the signaling channel between the terminal and the first network-side device; that is, in this embodiment, the first information can be an identifier of the signaling channel between the terminal and the NF, thereby distinguishing the signaling of different NF communications; for example, in this embodiment, the first information can be a value that can uniquely identify the signaling channel between the terminal and the NF, which is a per-NF granularity identifier. Therefore, when generating a key based on the first information, an NF-granularity key can be generated, thereby achieving secure isolation.
[0077] Optionally, the first information can be an identifier of the signaling type between the terminal and the first network-side device; that is, the first information in this embodiment can be an identifier of the signaling type between the terminal and the NF, thereby distinguishing signaling for different categories of NF communication or for different types of signaling. This is a per-NF type granularity identifier. For example, the different types of signaling can be, but are not limited to, mobility management type signaling (such as UE communication with AMF), session management type signaling (such as UE communication with SMF), data management type signaling (such as UE communication with data management function), location service type signaling (such as UE communication with location management function), etc. Therefore, when generating a key based on the first information, an NF type granular key can be generated, thereby achieving security isolation.
[0078] For example, the first information can be generated by the NF. For instance, the NF can generate an identifier for the corresponding signaling type based on the request message currently accessing the NF. Alternatively, the NF can allocate an unused value to distinguish signaling used for communication with different UEs.
[0079] In this embodiment of the application, the protection key includes a confidentiality key, such as KNF-ENC. The downlink message also includes an encryption part, and step 23 above may include:
[0080] The terminal decrypts the encrypted portion using the confidentiality key. That is, the terminal can decrypt only the encrypted portion of the downlink message using the obtained confidentiality key, thereby achieving the decryption of the downlink message.
[0081] Optionally, the protection key may also include an integrity key, such as Knf-int. The downlink message may also include a message authentication code, and step 23 may further include:
[0082] The terminal verifies the message authentication code based on the integrity key, the encrypted portion, and the first information. This enables integrity verification of the corresponding downlink message. It should be noted that the specific verification method for the message authentication code in this embodiment can refer to existing methods and is not limited thereto.
[0083] In this embodiment, the terminal can deduce the protection key based on the obtained first information. Obtaining the protection key based on the first information may include:
[0084] The terminal obtains a protection key based on the first key and the first information; wherein, the first key is available on a second network-side device, and the second network-side device is specifically a Security Anchor Functionality (SEAF) or other NF that can achieve similar functions.
[0085] It should be understood that the availability of the first key on the second network-side device means that the terminal and the second network-side device have the same key, and the terminal and the second network-side device can protect the messages they transmit based on the key or derive a lower-level key based on the key.
[0086] Optionally, the first key can be any of the following: Kseaf, Kamf, or Kausf.
[0087] For example, the terminal takes the first key and the first information as input parameters to the Key Derivation Function (KDF) and then obtains the protection key from the output.
[0088] Therefore, by introducing first information during the derivation of the protection key, and with the first information identifying the communication messages between the terminal and a certain NF (NF type), it is possible to ensure that the keys generated for each NF are different. Thus, even if the key of one NF is compromised, an attacker cannot obtain the keys of other NFs, thereby achieving secure isolation of keys at the NF level. Similarly, when the first information identifies the communication messages between the terminal and a certain type of NF, it is possible to ensure that the keys generated for each type of NF are different. Thus, even if the key of one type of NF is compromised, an attacker cannot obtain the keys of other types of NFs, thereby achieving secure isolation of keys at the NF category level.
[0089] Optionally, after obtaining the protection key based on the first key and the first information, the terminal can establish an association between the first information and the protection key, that is, to associate the protection key with the first information, so that the protection key can be used to deprotect downlink messages from the same NF or similar NFs in the future.
[0090] For example, suppose the terminal receives downlink message 1 from NF1. Downlink message 1 includes association information 1 (i.e., first information). If the terminal cannot find the protection key associated with association information 1 locally through association information 1, it can generate protection key 1 based on the first key and association information 1, and use protection key 1 to deprotect downlink message 1, establishing and storing the association relationship between protection key 1 and association information 1. Subsequently, if the terminal receives another downlink message from NF1, such as downlink message 2, which includes association information 1, it can find the protection key 1 associated with association information 1 locally through association information 1, and use protection key 1 to directly deprotect downlink message 2.
[0091] Optionally, obtaining the protection key based on the first information in step 22 above may include: the terminal obtaining the protection key associated with the first information based on the association between the stored first information and the protection key.
[0092] In this embodiment, the first information included in the downlink message can be provided by the terminal to the first network-side device. Before receiving the downlink message from the first network-side device, the terminal can send the first information to the first network-side device so that the first network-side device can obtain the corresponding protection key based on the first information and protect the downlink message sent to the terminal.
[0093] Optionally, sending the first information to the first network-side device may include: the terminal sending the first information to the first network-side device through a third network-side device. The third network-side device may be, for example, an AMF or other NF that can perform similar functions.
[0094] For example, the terminal sends a service request message to the AMF device, the service request message containing the first information, and the AMF sends a message to the first network-side device, the message containing the first information.
[0095] Optionally, the method in this embodiment may further include: the terminal generating the first information. That is, the first information sent by the terminal to the first network-side device is generated by the terminal.
[0096] For example, the terminal maintains a resource pool of first information. Whenever the terminal needs to initiate communication with a new NF, the terminal allocates an unused integer value from the resource pool as the first information.
[0097] For example, the terminal generates first information based on the signaling type of the request message to be sent. For instance, if the terminal will send session management type signaling (such as UE communicating with SMF), the first information generated by the terminal can be represented as the string "SM".
[0098] Optionally, after generating the first information, the terminal can obtain a protection key based on the first key and the generated first information, so as to deprotect the corresponding downlink message using the protection key. The first key is available on a second network-side device, specifically a Secure Anchor Function (SEAF) or other NF capable of similar functionality. The first key can be any of the following: Kseaf, Kamf, or Kausf.
[0099] Optionally, after obtaining the protection key based on the first key and the generated first information, the terminal can establish an association between the first information and the protection key, that is, to associate the protection key with the first information, so that the protection key can be used to deprotect the corresponding downlink messages in the future.
[0100] For example, assuming the terminal generates first information, such as association information 2, which identifies the communication message between the terminal and NF2, after generating association information 2, the terminal can generate protection key 2 based on the first key and association information 2, and establish and store the association relationship between protection key 2 and association information 2. Subsequently, if the terminal receives a downlink message from NF2, such as downlink message 3, which includes association information 2, it can find the associated protection key 2 locally through association information 2 and use protection key 2 to directly deprotect downlink message 3.
[0101] For example, assuming the terminal generates first information, such as association information 3, which identifies the communication message between the terminal and NF class 1, after generating association information 3, the terminal can generate protection key 3 based on the first key and association information 3, and establish and store the association relationship between protection key 3 and association information 3. Subsequently, if the terminal receives a downlink message from an NF under NF class 1, such as downlink message 4, and the downlink message 4 includes association information 3, it can find the associated protection key 3 locally through association information 3, and use protection key 3 to directly deprotect downlink message 4.
[0102] Optionally, obtaining the protection key based on the first key and the first information may include:
[0103] The terminal generates a second key based on the first key and the first information; this second key is, for example, a secondary key Knf.
[0104] The terminal generates the protection key based on the second key.
[0105] For example, taking the confidentiality key Knf-enc as an example, the terminal can first generate Knf based on the first key and the obtained first information, and then generate Knf-enc based on Knf; the first key is, for example, Kseaf, Kamf or Kausf.
[0106] For example, taking the integrity key Knf-int as an example, the terminal can first generate Knf based on the first key and the obtained first information, and then generate Knf-int based on Knf; the first key is, for example, Kseaf, Kamf or Kausf.
[0107] In this embodiment, the terminal can activate uplink message security and downlink message security between the terminal and the first network-side device. This ensures that the terminal and the first network-side device maintain consistent security operations for downlink messages, reducing the need for chip modifications.
[0108] It should be understood that activating uplink message security between the terminal and the first network-side device means that all uplink messages sent by the terminal to the first network-side device are protected by a protection key. The terminal will protect all uplink messages after security is activated, such as through encryption and integrity protection.
[0109] It should be understood that activating downlink message security between the terminal and the first network-side device means that all downlink messages received by the terminal from the first network-side device are protected by the protection key. The terminal will deprotect all downlink messages after security is activated, such as through decryption and integrity verification.
[0110] For example, after obtaining the protection key based on the first information, the terminal can activate uplink message security and downlink message security between the terminal and the first network-side device.
[0111] For example, after deprotecting the downlink message according to the protection key, the terminal can activate uplink message security and downlink message security between the terminal and the first network-side device.
[0112] Please refer to Figure 3, which is a flowchart of a message processing method provided in an embodiment of this application. The method is executed by a first network-side device. As shown in Figure 3, the method includes the following steps:
[0113] Step 31: The first network-side device obtains the first information;
[0114] Step 32: The first network-side device obtains a protection key, which is related to the first information;
[0115] Step 33: The first network-side device sends a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
[0116] In this embodiment of the application, the first network-side device is a core network device that communicates with the terminal, and may be selected as, but is not limited to, SMF, UPF, LMF, UDM, etc.
[0117] The first information is used to obtain the protection key. The first information may also be referred to as association information, association identifier, etc. The first information can be used as a parameter for generating the protection key. The first information can be generated / allocated by the terminal, or by network-side devices, etc.
[0118] Optionally, the first information included in the downlink message is not encrypted; that is, the first information is carried in the unencrypted portion of the downlink message. This allows the terminal to obtain the first information without decryption, thereby obtaining the corresponding protection key based on the first information and correctly deprotecting the downlink message.
[0119] For example, the downlink message includes at least an encrypted portion and an unencrypted portion, the unencrypted portion containing first information. However, this first information can be protected for integrity.
[0120] For example, the downlink message may be a response message for accessing the first network-side device, or it may be a downlink message to be transmitted to the terminal, etc., and there is no limitation thereto.
[0121] For example, after obtaining the protection key, the first network-side device can first protect the downlink message according to the protection key, and then send the downlink message protected by the protection key to the terminal.
[0122] The solution proposed in this application embodiment can introduce first information into the downlink message, enabling the first network-side device to obtain a protection key for protecting the downlink message based on the first information, thereby achieving protection of the downlink message.
[0123] In this embodiment, the first information can be used to distinguish communication between the terminal and different network-side devices; or, the first information can be used to distinguish communication between the terminal and different types of network-side devices. Therefore, the terminal can find the corresponding security context based on the signaling of the current communication to deprotect the corresponding signaling, wherein the security context may include security algorithms, keys, etc.
[0124] Optionally, the first information can be an identifier of the signaling channel between the terminal and the first network-side device; that is, in this embodiment, the first information can be an identifier of the signaling channel between the terminal and the NF, thereby distinguishing the signaling of different NF communications; for example, in this embodiment, the first information can be a value that can uniquely identify the signaling channel between the terminal and the NF, which is a per-NF granularity identifier. Therefore, when generating a key based on the first information, an NF-granular key can be generated, thereby achieving secure isolation.
[0125] Optionally, the first information can be an identifier of the signaling type between the terminal and the first network-side device; that is, the first information in this embodiment can be an identifier of the signaling type between the terminal and the NF, thereby distinguishing signaling for different categories of NF communication or for different types of signaling. This is a per-NF type granularity identifier. For example, the different types of signaling can be, but are not limited to, mobility management type signaling (such as UE communication with AMF), session management type signaling (such as UE communication with SMF), data management type signaling (such as UE communication with data management function), location service type signaling (such as UE communication with location management function), etc. Therefore, when generating a key based on the first information, an NF type granular key can be generated, thereby achieving security isolation.
[0126] For example, the first information can be generated by the NF. For instance, the NF can generate an identifier for the corresponding signaling type based on the request message currently accessing the NF. Alternatively, the NF can allocate an unused value to distinguish signaling used for communication with different UEs.
[0127] In this embodiment, the protection key includes a confidentiality key, such as KNF-ENC. The downlink message also includes an encryption portion, which is obtained by encryption using the confidentiality key. That is, the first network-side device can encrypt the encryption portion of the downlink message using the obtained confidentiality key, thereby achieving encryption of the downlink message.
[0128] Optionally, the protection key may also include an integrity key, such as Knf-int. The downlink message may also include a message authentication code, which is generated based on the integrity key, the encrypted portion, and the first information. This enables integrity protection for the corresponding downlink message.
[0129] In this embodiment of the application, the protection key can be obtained through a request operation from the first network-side device. The message processing method may further include:
[0130] The first network-side device sends a request message to the second network-side device; the second network-side device is, for example, a Secure Anchoring Function (SEAF) or other NF that can perform similar functions.
[0131] The first network-side device receives a response message from the second network-side device, the response message including a third key.
[0132] The above-mentioned acquisition of the protection key includes: the first network-side device obtaining the protection key based on the third key.
[0133] Optionally, the third key is the second key, and obtaining the protection key based on the third key includes: the first network-side device generating the protection key based on the second key. The second key, for example, is a secondary key Knf, generated based on the first key and first information; this first information can be provided by the first network-side device or generated by the second network-side device; this first key, for example, is Kseaf, Kamf, or Kausf.
[0134] Optionally, the third key is the protection key, that is, the second network-side device directly feeds back the protection key to the first network-side device through a response message.
[0135] Optionally, the request message includes the first information. This allows the second network-side device to obtain the first information, thereby obtaining the third key based on the first information, and feeding back the third key to the first network-side device via a response message.
[0136] Optionally, the response message includes the first information. In this case, the first information may be generated by the second network-side device so that the first network-side device obtains the first information associated with the protection key.
[0137] In this application embodiment, the first information can be obtained in different ways. Obtaining the first information may include any of the following:
[0138] (1) The first network-side device generates the first information;
[0139] (2) The first network-side device receives the first information from the terminal, that is, the first information is generated by the terminal.
[0140] Optionally, receiving the first information from the terminal may include: the first network-side device receiving the first information from the terminal through a third network-side device.
[0141] For example, the first network-side device maintains a resource pool of first information. Whenever the first network-side device initiates communication with a new terminal, the first network-side device allocates an unused integer value from the resource pool as the first information.
[0142] For example, the first network-side device generates first information based on the signaling type of the request message for accessing the first network-side device received from the terminal. For instance, if the first network-side device receives session management type signaling from the UE (such as the UE communicating with an SMF), the first information generated by the first network-side device can be represented as the string "SM".
[0143] For example, after the terminal initiates a connection establishment request to the first network-side device, the first network-side device generates first information and then sends a request message to the second network-side device, carrying the first information in the request message so that the second network-side device can obtain the first information; the second network-side device sends a response message to the first network-side device, and the first network-side device carries the first information when sending a downlink message to the terminal so that the terminal can obtain the first information.
[0144] For example, after generating the first information, the terminal can first send the first information to a third network-side device, and then the third network-side device can forward the first information to the first network-side device; the first network-side device sends a request message to a second network-side device, carrying the first information in the request message, so that the second network-side device can obtain the first information; the second network-side device sends a response message to the first network-side device, and the first network-side device carries the first information when sending a downlink message to the terminal, so that the terminal can obtain the first information.
[0145] Optionally, after obtaining the protection key, the first network-side device can establish an association between the protection key and the first information so that it can subsequently obtain the protection key based on the association and protect the downlink messages sent to the terminal based on the protection key.
[0146] For example, assuming the first network-side device obtains the association information 4 (i.e., the first information) and the related protection key 4, the association information 4 identifies the communication message between the first network-side device and the terminal, and the association relationship between the protection key 4 and the association information 4 can be established and stored; subsequently, when the first network-side device has a downlink message to be sent to the terminal and obtains the association information 4 corresponding to the terminal, it can find the associated protection key 4 locally through the association information 4, and use the protection key 4 to protect the downlink message to be sent to the terminal.
[0147] In this embodiment, the first network-side device can activate uplink message security and downlink message security between the terminal and the first network-side device. For example, uplink message security and downlink message security can be activated during the sending of the first downlink message to the terminal. This ensures that the terminal and the first network-side device maintain consistent security operations for downlink messages, reducing modifications to the chip.
[0148] It should be understood that activating the uplink message security between the first network-side device and the terminal means that all uplink messages received by the first network-side device from the terminal are protected by the protection key. The first network-side device will deprotect all uplink messages after security is activated, such as through decryption and integrity verification.
[0149] It should be understood that the activation of downlink message security by the first network-side device on both the terminal and the device itself means that all downlink messages sent from the first network-side device to the terminal are protected by a protection key. The first network-side device will protect all downlink messages after security is activated, for example, through encryption and integrity protection.
[0150] For example, after obtaining the protection key, the first network-side device can activate uplink message security and downlink message security between the terminal and the first network-side device.
[0151] For example, after sending a downlink message protected by a protection key to the terminal, the first network-side device can activate uplink message security and downlink message security between the terminal and the first network-side device.
[0152] Please refer to Figure 4, which is a flowchart of a message processing method provided in an embodiment of this application. The method is executed by a second network-side device. As shown in Figure 4, the method includes the following steps:
[0153] Step 41: The second network-side device receives a request message from the first network-side device;
[0154] Step 42: The second network-side device obtains the first information;
[0155] Step 43: In response to the request message, the second network-side device generates a third key based on the first key and the first information, and the first key is available on the second network-side device;
[0156] Step 44: The second network-side device sends a response message to the first network-side device, the response message including the third key.
[0157] In this embodiment, the first network-side device is a core network device that communicates with the terminal, and may be, but is not limited to, SMF, UPF, LMF, UDM, etc. The second network-side device may be, for example, a Security Anchoring Function (SEAF) or other NF that can achieve similar functions.
[0158] The first information is used to obtain the protection key. The first information may also be referred to as association information, association identifier, etc. The first information can be used as a parameter for generating the protection key. The first information can be generated / allocated by the terminal, or by network-side devices, etc.
[0159] Optionally, the third key is used to obtain a protection key for protecting downlink messages.
[0160] Optionally, the first key can be any of the following: Kseaf, Kamf, or Kausf.
[0161] For example, the request message is a key request message, and the response message is a key response message.
[0162] The solution provided in this application embodiment enables the first network-side device to obtain a third key, and then obtain a protection key for protecting downlink messages, thereby achieving protection of downlink messages.
[0163] Optionally, the third key can be a second key or a protection key; wherein, the second key is, for example, a secondary key Knf, and the protection key is used to protect downlink messages, such as including a confidentiality key Knf-enc and / or an integrity key Knf-int.
[0164] For example, after receiving a request message from the first network-side device, the second network-side device can first generate a second key (e.g., KNF) based on the first key and the obtained first information, and then send the second key back to the first network-side device through a response message, i.e., the response message includes the second key. After receiving the response message, the first network-side device can obtain a protection key based on the second key in the response message, and use the protection key to protect downlink messages.
[0165] For example, after receiving a request message from the first network-side device, the second network-side device can first generate a protection key (such as Knf-enc and / or Knf-int) based on the first key and the obtained first information, and then send the protection key back to the first network-side device through a response message, that is, the response message includes the protection key. After receiving the response message, the first network-side device can directly obtain the protection key and use the protection key to protect downlink messages.
[0166] For example, after receiving a request message from the first network-side device, the second network-side device can first generate a second key (e.g., Knf) based on the first key and the obtained first information, then generate a protection key (e.g., Knf-enc and / or Knf-int) based on the second key, and then send the protection key back to the first network-side device through a response message, i.e., the response message includes the protection key. After receiving the response message, the first network-side device can directly obtain the protection key and use the protection key to protect downlink messages.
[0167] In this application embodiment, the first information can be obtained in different ways. Obtaining the first information may include any of the following:
[0168] (1) The second network-side device generates the first information;
[0169] (2) The second network-side device obtains the first information from the request message, that is, the terminal or the first network-side device generates the first information and sends the first information to the second network-side device.
[0170] For example, the second network-side device maintains a resource pool of first information. Whenever a terminal initiates communication with a new NF, the second network-side device allocates an unused integer value from the resource pool as the first information.
[0171] For example, the second network-side device generates first information based on the signaling type of the request message for accessing the first network-side device received from the first network-side device. For instance, if the second network-side device receives a session management signaling type (such as UE communicating with SMF) from the first network-side device, the generated first information can be represented as the string "SM".
[0172] For example, the second network-side device generates first information based on the type of the first network-side device received from the first network-side device. For instance, if the first network-side device is an SMF, the second network-side device generates first information characterized as "SM".
[0173] For example, after the terminal initiates a connection establishment request to the first network-side device, the first network-side device sends a request message to the second network-side device. The second network-side device generates first information and then sends a response message to the first network-side device, carrying the first information in the response message. When the first network-side device sends a downlink message to the terminal, it carries the first information so that the terminal can obtain the first information.
[0174] In this embodiment, the first information can be used to distinguish communication between the terminal and different network-side devices; or, the first information can be used to distinguish communication between the terminal and different types of network-side devices. Therefore, the terminal can find the corresponding security context based on the signaling of the current communication to deprotect the corresponding signaling, wherein the security context may include security algorithms, keys, etc.
[0175] Optionally, the first information can be an identifier of the signaling channel between the terminal and the first network-side device; that is, in this embodiment, the first information can be an identifier of the signaling channel between the terminal and the NF, thereby distinguishing the signaling of different NF communications; for example, in this embodiment, the first information can be a value that can uniquely identify the signaling channel between the terminal and the NF, which is a per-NF granularity identifier. Therefore, when generating a key based on the first information, an NF-granular key can be generated, thereby achieving secure isolation.
[0176] Optionally, the first information can be an identifier of the signaling type between the terminal and the first network-side device; that is, the first information in this embodiment can be an identifier of the signaling type between the terminal and the NF, thereby distinguishing signaling for different categories of NF communication or for different types of signaling. This is a per-NF type granularity identifier. For example, the different types of signaling can be, but are not limited to, mobility management type signaling (such as UE communication with AMF), session management type signaling (such as UE communication with SMF), data management type signaling (such as UE communication with data management function), location service type signaling (such as UE communication with location management function), etc. Therefore, when generating a key based on the first information, an NF type granular key can be generated, thereby achieving security isolation.
[0177] The present application will now be described in conjunction with the accompanying drawings and specific embodiments.
[0178] Example 1
[0179] This first embodiment describes the security establishment process triggered by the uplink Non-Access Stratum (NAS). In this process, network-side devices (such as SEAF or NF) allocate / generate first information (or: association identifier information, association flag), enabling the UE to associate the first information in downlink messages communicated with the NF with the corresponding security context, thereby deprotecting the downlink messages. As shown in Figure 5, the specific security establishment process includes:
[0180] Step 1. The UE sends an uplink NAS message to the AMF, which includes the UE ID and a request message to access the NF. The UE ID is used to address the UE's context. The request message to access the NF is used to establish an association with the NF. This NF can be an SMF, LMF, UDM, etc.
[0181] Optionally, the UE uses Kamf to protect uplink NAS messages. The UE already has Knas-enc and Knas-int before step 1. The UE can use Knas-enc to encrypt and protect uplink NAS messages, and use Knas-int to protect the integrity of uplink NAS messages.
[0182] For example, the request message for accessing the NF may include, but is not limited to, the PDU session establishment request message.
[0183] Step 2. The AMF sends the Subscription Permanent Identifier (SUPI) and a request message to the NF to access the NF.
[0184] Optionally, after using Kamf to deprotect the uplink NAS message, the AMF obtains the UE ID and the request message to access the NF. The AMF already has Knas-enc and Knas-int before step 1. The AMF can use Knas-int to perform integrity verification on the uplink NAS message and use Knas-enc to decrypt the uplink NAS message.
[0185] Optionally, the SUPI is obtained based on the UE ID. The UE ID can be a temporary identifier such as GUTI, and the AMF / SEAF obtains the UE's permanent identifier SUPI based on the temporary identifier.
[0186] Step 3. NF sends a key request message to SEAF, which contains SUPI.
[0187] Optionally, before step 3, step 3a, i.e., NF generates the first information, may also be included.
[0188] Optionally, if NF generates the first information, the key request message may also include the first information.
[0189] Optionally, the first information is used to distinguish communication between the UE and different NFs, or to distinguish communication between the UE and different types of NFs, so that the UE can obtain the corresponding security context to decrypt the corresponding signaling based on the signaling of the current communication. The security context may include security algorithms, keys, etc.
[0190] Optionally, the first information may be an identifier of the signaling type between the UE and the NF, or an identifier of the signaling channel between the UE and the NF.
[0191] Optionally, when the first information is generated by the NF, the NF can generate an identifier of the corresponding signaling type as the first information based on the request message of the current access to the NF, or it can allocate an unused value as the first information to distinguish the signaling communication with different UEs.
[0192] Step 4. SEAF sends a key response message to NF, which contains the Knf.
[0193] Optionally, steps 4a and 4b may be included before step 4.
[0194] Step 4a. SEAF generates the first information.
[0195] Step 4b. SEAF generates Knf based on the first information.
[0196] Optionally, the key response message may also include first information. This first information can be obtained from step 3 or generated by SEAF (in which case step 3 does not need to carry the first information).
[0197] It should be noted that when the first information is generated by SEAF, the first information can be referred to the description in step 3. In particular, if the first information is an identifier of the signaling type between the UE and NF, the key request message should also include an identifier indicating the signaling type.
[0198] Optionally, SEAF can generate Knf based on Kseaf and the first information.
[0199] It should be noted that when AMF and SEAF are the same network element, steps 3 and 4 above are combined into step 2. The function of generating the first information is performed by SEAF. In step 2, AMF / SEAF sends SUPI, Knf, the first information and a request message to access NF to NF.
[0200] Step 5. The NF sends a response message to the UE to access the NF. This message is used to respond to the request message to access the NF and contains the first information.
[0201] For example, the response message for accessing the NF may include, but is not limited to, the PDU session establishment response message.
[0202] Optionally, before step 5, step 5a is included: the NF uses KNF protection to access the NF's response message. After protection, the response message also includes an encrypted portion and a message verification code.
[0203] Optionally, when securing the response message to an NF access point, the NF can use Knf to generate Knf-enc and Knf-int, and use Knf-enc to encrypt the response message, and use Knf-int to protect its integrity. It's important to note that the initial information cannot be encrypted; therefore, it must be placed in the unencrypted portion of the NF access response message, but its integrity can be protected. Thus, the protected NF access response message contains a message authentication code, with the initial information and the encrypted portion used to generate the message authentication code.
[0204] Optionally, NF can activate security with UE, and the activation method is as follows:
[0205] Method 1: After completing the protection of the response message for accessing the NF, the NF is activated and the uplink and downlink security of the UE is ensured.
[0206] Method 2: After receiving Knf, NF activates uplink and downlink security for UE.
[0207] Optionally, the NF can associate the first information with the security context of the UE, including the NF mapping the first information to Knf, Knf-enc and Knf-int, that is, establishing the association between the first information and Knf, Knf-enc and Knf-int.
[0208] Step 5b: The UE generates Knf based on Kseaf and the first information.
[0209] For example, suppose the UE receives downlink message 1 from NF1. Downlink message 1 includes association information 1 (i.e., first information). If the terminal cannot find the protection key associated with association information 1 locally through association information 1, it can generate Knf1 based on Kseaf1 and association information 1, and use Knf1 to deprotect downlink message 1, establishing and storing the association relationship between Knf1 and association information 1. Subsequently, if the terminal receives another downlink message from NF1, such as downlink message 2, which includes association information 1, it can find the Knf1 associated with association information 1 locally through association information 1, and use Knf1 to directly deprotect downlink message 2.
[0210] Step 5c: The UE associates the first information with the UE's security context, including the UE mapping the first information to Knf, Knf-enc and Knf-int, that is, establishing the association between the first information and Knf, Knf-enc and Knf-int.
[0211] Step 5d: The UE uses the Knf deprotection access NF response message.
[0212] Optionally, NF uses Knf to generate Knf-enc and Knf-int. NF can use Knf-int to perform integrity checks on the response messages to NF access, such as verifying the message authentication code through the first information and the encrypted part, and can use Knf-enc to decrypt the response messages to NF access (decrypting only the encrypted part).
[0213] Optionally, UE can activate security with NF, and the activation method is as follows:
[0214] Method 1: After deprotecting the response message for accessing the NF, the UE activates uplink and downlink security with the NF.
[0215] Method 2: After the UE obtains Knf, the UE activates uplink and downlink security with NF.
[0216] Example 2
[0217] In this second embodiment, the security establishment process triggered by uplink NAS is described. In this process, the UE allocates / generates first information (or: association information, association identifier), enabling the UE to associate the first information in the downlink message communicated with the NF with the corresponding security context, thereby deprotecting the downlink message. As shown in Figure 6, the specific security establishment process includes:
[0218] Step 1. The UE sends an uplink NAS message to the AMF, which includes the UE ID and a request message to access the NF. This NF access request message contains initial information. The UE ID is used to address the UE's context. The NF access request message is used to establish an association with the NF.
[0219] It should be noted that the description of the first information can refer to the description in step 3 of the above embodiment.
[0220] Optionally, the following steps may be included before step 1:
[0221] Step 1a. The UE generates first information. For example: (1) The UE generates the corresponding signaling type identifier as the first information based on the current NF access request message; (2) The UE allocates an unused value as the first information to distinguish the signaling communication with different NFs.
[0222] Step 1b. The UE generates Knf based on Kseaf and the first information. Optionally, the UE can also derive Knf-enc and Knf-int based on Knf.
[0223] Step 1c. The UE associates the first information with the security context, including the UE mapping the first information to Knf, Knf-enc and Knf-int, that is, establishing the association between the first information and Knf, Knf-enc and Knf-int.
[0224] Optionally, the UE uses Kamf to protect uplink NAS messages. The UE already has Knas-enc and Knas-int before step 1. The UE can use Knas-enc to encrypt and protect uplink NAS messages, and can use Knas-int to protect the integrity of uplink NAS messages.
[0225] Step 2. The AMF sends a SUPI and a request message to access the NF.
[0226] Optionally, after using Kamf to deprotect the uplink NAS message, the AMF obtains the UE ID and the request message to access the NF. The AMF already has Knas-enc and Knas-int before step 1. The AMF can use Knas-int to perform integrity verification on the uplink NAS message and use Knas-enc to decrypt the uplink NAS message.
[0227] Optionally, the SUPI is obtained based on the UE ID. The UE ID can be a temporary identifier such as GUTI, and the AMF / SEAF obtains the UE's permanent identifier SUPI based on the temporary identifier.
[0228] Step 3. NF sends a key request message to SEAF, which contains SUPI and first information. This first information is obtained from step 2.
[0229] Step 4. SEAF sends a key response message to NF, which contains the Knf.
[0230] Optionally, before step 4, step 4a may also be included, in which SEAF generates Knf based on Kseaf and the first information.
[0231] It is important to note that when the AMF and SEAF are the same network element, steps 3 and 4 above are combined into step 2. In step 2, the AMF / SEAF sends SUPI, Knf, first information, and a request message to access the NF to the NF. In this case, the UE can place the first information in the uplink NAS message instead of the request message to access the NF, while the AMF / SEAF needs to forward the first information to the NF.
[0232] Step 5. The NF sends a response message to the UE to access the NF. This message is used to respond to the request message to access the NF and contains the first information.
[0233] Optionally, the first information can be obtained from the UE (i.e., from step 2).
[0234] Optionally, before step 5, step 5a is included: the NF uses KNF protection to access the NF's response message. After protection, the response message also includes an encrypted portion and a message verification code.
[0235] Optionally, when protecting the response message to an NF access point, the NF can use Knf to generate Knf-enc and Knf-int. The NF can use Knf-enc to encrypt the response message and Knf-int to protect its integrity. It's important to note that the first piece of information cannot be encrypted; therefore, it must be placed in the unencrypted portion of the response message. Thus, a protected response message to an NF access point must contain at least the first piece of information and the encrypted portion. However, the first piece of information can be protected for integrity; therefore, a protected response message to an NF access point includes a message authentication code, which is generated using the first piece of information and the encrypted portion.
[0236] Optionally, NF can activate security with UE, and the activation method is as follows:
[0237] Method 1: After completing the protection of the response message for accessing the NF, the NF is activated and the uplink and downlink security of the UE is ensured.
[0238] Method 2: After receiving Knf, NF activates uplink and downlink security for UE.
[0239] Optionally, the NF can associate the first information with the security context of the UE, including the NF mapping the first information to Knf, Knf-enc and Knf-int, that is, establishing the association between the first information and Knf, Knf-enc and Knf-int.
[0240] Step 5b: The UE obtains Knf based on the first information.
[0241] Optionally, the UE determines the corresponding security context, such as Knf, based on the first information. In step 1, the UE already has a correspondence between the first information and the security context. Based on this correspondence, the UE can determine the security context corresponding to the first information, thereby obtaining the Knf.
[0242] Step 5c: The UE uses the Knf deprotection access NF response message.
[0243] Optionally, NF uses Knf to generate Knf-enc and Knf-int. NF can use Knf-int to perform integrity checks on the response messages to NF access, such as verifying the message authentication code through the first information and the encrypted part, and can use Knf-enc to decrypt the response messages to NF access (decrypting only the encrypted part).
[0244] Optionally, UE can activate security with NF, and the activation method is as follows:
[0245] Method 1: After deprotecting the response message for accessing the NF, the UE activates uplink and downlink security with the NF.
[0246] Method 2: After the UE obtains Knf, the UE activates uplink and downlink security with NF.
[0247] Example 3
[0248] In this third embodiment, the security establishment process triggered by downlink NAS is described. In this process, since the UE has no uplink messages, the network-side device (such as SEAF or NF) allocates / generates first information (or: association identifier), allowing the UE to associate the downlink message with the corresponding security context through this first information in the downlink message communicated with the NF, thereby deprotecting the downlink message. As shown in Figure 7, the specific security establishment process includes:
[0249] Step 1. NF sends a key request message to SEAF, which contains SUPI. Optionally, this message may contain first information.
[0250] Optionally, steps 1a and 1b may be included before step 3.
[0251] Step 1a. The NF has the downlink NF message (i.e., DL NF message) that needs to be transmitted;
[0252] Step 1b.NF generates the first information. At this time, the key request message includes the first information.
[0253] It should be noted that the description of the first information can refer to the description in step 3 of the above embodiment.
[0254] Step 2. SEAF sends a key response message to NF, which contains the Knf.
[0255] Optionally, steps 2a and 2b may be included before step 2.
[0256] Step 2a. SEAF generates the first information.
[0257] Step 2b. SEAF generates Knf based on the first information.
[0258] Optionally, the key response message may also include first information. The first information can be obtained from step 1 or generated by SEAF (in which case step 3 does not need to carry the first information).
[0259] Optionally, SEAF can generate Knf based on Kseaf and the first information.
[0260] Step 3. The NF sends an N1N2 transfer message (i.e., N1N2 messageTransfer) to the AMF. This message contains the SUPI and the downlink NF message.
[0261] Optionally, before step 3, step 3a is included: the NF uses KNF to protect the downlink NF message. After protection, the downlink NF message also includes an encrypted portion and a message verification code.
[0262] Optionally, when providing security protection for downlink NF messages, NF can use Knf to generate Knf-enc and Knf-int, use Knf-enc to encrypt and protect downlink NF messages, and use Knf-int to protect the integrity of downlink NF messages.
[0263] Step 4. Optionally, the AMF sends a paging message to the UE.
[0264] For example, if the UE is in the IDLE state, the AMF initiates a paging message to return the UE to the connected state; otherwise, the AMF can directly execute step 6.
[0265] Step 5. Optionally, the UE sends a Service Request message to the AMF in response to the paging message.
[0266] Optionally, the UE uses Kam to protect the Service Request message. Since the UE already has Knas-enc and Knas-int from step 2, the UE can use Knas-enc to encrypt the Service Request message and use Knas-int to protect its integrity.
[0267] Step 6. The AMF sends a downlink NF message to the UE, which contains the first information.
[0268] Step 7: The UE generates Knf based on Kseaf and the first information.
[0269] Step 8: The UE associates the first information with the UE's security context, including the UE mapping the first information to Knf, Knf-enc, and Knf-int, that is, establishing the association between the first information and Knf, Knf-enc, and Knf-int.
[0270] Step 9: The UE uses Knf to deprotect the downlink NF message.
[0271] Optionally, NF uses Knf to generate Knf-enc and Knf-int. NF can use Knf-int to perform integrity checks on downlink NF messages, such as verifying the message authentication code through the first information and the encrypted part, and can use Knf-enc to decrypt downlink NF messages (decrypting only the encrypted part).
[0272] Optionally, UE can activate security with NF, and the activation method is as follows:
[0273] Method 1: After deprotecting the downlink NF message, the UE activates uplink and downlink security with the NF.
[0274] Method 2: After the UE obtains Knf, the UE activates uplink and downlink security with NF.
[0275] The message processing method provided in this application can be executed by a message processing device. This application uses an example of a message processing device executing the message processing method to illustrate the message processing device provided in this application.
[0276] This application provides a message processing apparatus. As an example, the message processing apparatus may be a communication device or a component within a communication device, such as a chip. The communication device may be a terminal, a network-side device, or a server, etc. Exemplarily, the terminal may include, but is not limited to, the type of terminal 11 listed above, and the network-side device may include, but is not limited to, the type of network-side device 12 listed above. This application does not impose specific limitations.
[0277] The message processing device includes a receiving module, a sending module, and a processing module. These modules can be implemented in software or hardware. When implemented in hardware, the processing module can be implemented by a processor. For example, the processor can include general-purpose processors, special-purpose processors, etc., such as central processing units (CPUs), microprocessors, digital signal processors (DSPs), artificial intelligence (AI) processors, graphics processing units (GPUs), application-specific integrated circuits (ASICs), network processors (NPs), field-programmable gate arrays (FPGAs), or other programmable logic devices, gate circuits, transistors, discrete hardware components, etc. The receiving and sending modules can be implemented by a communication interface, which can include one or more of the following: transceivers, pins, circuits, buses, radio frequency units, etc.
[0278] Specifically, referring to Figure 8, when the message processing device is a terminal or a component within a terminal, the message processing device 80 includes:
[0279] The first receiving module 81 is configured to receive a downlink message from a first network-side device, the downlink message including first information;
[0280] The first processing module 82 is used to obtain a protection key based on the first information;
[0281] The second processing module 83 is used to deprotect the downlink message according to the protection key.
[0282] Optionally, the first information is not encrypted.
[0283] Optionally, the first information is used to distinguish the communication between the terminal and different network-side devices;
[0284] Alternatively, the first information may be used to distinguish the communication between the terminal and different types of network-side devices.
[0285] Optionally, the first information is the identifier of the signaling channel between the terminal and the first network-side device;
[0286] Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
[0287] Optionally, the first processing module 82 is specifically used to: obtain the protection key based on the first key and the first information; wherein the first key is available on the second network-side device.
[0288] Optionally, the message processing device 80 further includes:
[0289] The first sending module is configured to send the first information to the first network-side device before receiving a downlink message from the first network-side device.
[0290] Optionally, the first sending module is specifically used to: send the first information to the first network-side device through the third network-side device.
[0291] Optionally, the message processing device 80 further includes:
[0292] The generation module is used to generate the first information.
[0293] Optionally, the message processing device 80 further includes:
[0294] The third processing module is used to obtain a protection key based on the first key and the generated first information; wherein the first key is available on the second network-side device.
[0295] Optionally, the message processing device 80 further includes:
[0296] The first establishment module is used to establish the association between the first information and the protection key.
[0297] Optionally, the first processing module 82 is specifically used to: generate a second key based on the first key and the first information, and generate the protection key based on the second key.
[0298] Optionally, the third processing module is specifically used to: generate a second key based on the first key and the first information, and generate the protection key based on the second key.
[0299] Optionally, the message processing device 80 further includes:
[0300] The first activation module is used to activate the uplink message security and downlink message security between the terminal and the first network-side device.
[0301] Optionally, the protection key includes a confidentiality key, and the downlink message further includes an encrypted portion; the second processing module 83 is specifically used to: decrypt the encrypted portion according to the confidentiality key.
[0302] Optionally, the protection key further includes an integrity key, and the downlink message further includes a message authentication code; the second processing module 83 is further configured to: verify the message authentication code based on the integrity key, the encrypted portion, and the first information.
[0303] Optionally, the first key is any of the following: Kseaf, Kamf, or Kausf.
[0304] The message processing device 80 provided in this application embodiment can implement the various processes implemented in the method embodiment shown in 2 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0305] Referring to Figure 9, when the message processing device is a first network-side device or a component of the first network-side device, the message processing device 90 includes:
[0306] The fourth processing module 91 is used to obtain the first information;
[0307] The fifth processing module 92 is used to obtain a protection key, which is related to the first information;
[0308] The second sending module 93 is used to send a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
[0309] Optionally, the first information is not encrypted.
[0310] Optionally, the first information is used to distinguish the communication between the terminal and different network-side devices;
[0311] Alternatively, the first information may be used to distinguish the communication between the terminal and different types of network-side devices.
[0312] Optionally, the first information is the identifier of the signaling channel between the terminal and the first network-side device;
[0313] Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
[0314] Optionally, the message processing device 90 further includes:
[0315] The fifth processing module 92 includes:
[0316] The third sending module is used to send request messages to the second network-side device;
[0317] The second receiving module is configured to receive a response message from the second network-side device, the response message including a third key;
[0318] The fifth processing module 92 is further configured to: obtain the protection key based on the third key.
[0319] Optionally, the third key is the second key, and the acquisition unit is specifically used to generate the protection key based on the second key.
[0320] Optionally, the third key is the protection key.
[0321] Optionally, the request message includes the first information.
[0322] Optionally, the response message includes the first information.
[0323] Optionally, the fourth processing module 91 is used for any of the following:
[0324] Generate the first information;
[0325] Receive the first information from the terminal.
[0326] Optionally, the fourth processing module 91 is further configured to: receive the first information from the terminal via a third network-side device.
[0327] Optionally, the message processing device 90 further includes:
[0328] The second establishment module is used to establish the association between the protection key and the first information.
[0329] Optionally, the message processing device 90 further includes:
[0330] The second activation module is used to activate the uplink message security and downlink message security between the terminal and the first network-side device.
[0331] Optionally, the protection key includes a confidentiality key, and the downlink message further includes an encryption portion, which is obtained by encrypting the message using the confidentiality key.
[0332] Optionally, the protection key further includes an integrity key, and the downlink message further includes a message authentication code, which is generated based on the integrity key, the encryption portion, and the first information.
[0333] The message processing device 90 provided in this application embodiment can implement the various processes implemented in the method embodiment shown in 3 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0334] Referring to Figure 10, when the message processing device is a second network-side device or a component of a second network-side device, the message processing device 100 includes:
[0335] The third receiving module 101 is used to receive a request message from the first network-side device;
[0336] The sixth processing module 102 is used to obtain the first information;
[0337] The seventh processing module 103 is configured to generate a third key in response to the request message, based on the first key and the first information, wherein the first key is available on the second network-side device;
[0338] The fourth sending module 104 is used to send a response message to the first network-side device, the response message including the third key.
[0339] Optionally, the third key is the second key or a protection key.
[0340] Optionally, the sixth processing module 102 is used for any of the following:
[0341] Generate the first information;
[0342] The first information is obtained from the request message.
[0343] Optionally, the first information is used to distinguish the communication between the terminal and different network-side devices;
[0344] Alternatively, the first information may be used to distinguish the communication between the terminal and different types of network-side devices.
[0345] Optionally, the first information is the identifier of the signaling channel between the terminal and the first network-side device;
[0346] Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
[0347] Optionally, the first key is any of the following: Kseaf, Kamf, or Kausf.
[0348] The message processing device 100 provided in this application embodiment can implement the various processes implemented in the method embodiment shown in 4 and achieve the same technical effect. To avoid repetition, it will not be described again here.
[0349] As shown in Figure 11, this application embodiment also provides a communication device 110, including a processor 111 and a memory 112. The memory 112 stores a program or instructions that can run on the processor 111. For example, when the communication device 110 is a terminal, the program or instructions executed by the processor 111 implement the various steps of the method embodiment shown in Figure 2 above, and achieve the same technical effect. When the communication device 110 is a network-side device, the program or instructions executed by the processor 111 implement the various steps of the method embodiment shown in Figure 3 or Figure 4 above, and achieve the same technical effect. To avoid repetition, these will not be described again here.
[0350] This application also provides a terminal, including a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps in the method embodiment shown in FIG2. This terminal embodiment corresponds to the above-described terminal-side method embodiment, and all implementation processes and methods of the above-described method embodiments can be applied to this terminal embodiment and can achieve the same technical effect. The terminal may be the message processing device shown in FIG8. Specifically, FIG12 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of this application.
[0351] The terminal 1200 includes, but is not limited to, at least some of the following components: radio frequency unit 1201, network module 1202, audio output unit 1203, input unit 1204, sensor 1205, display unit 1206, user input unit 1207, interface unit 1208, memory 1209, and processor 1210.
[0352] Those skilled in the art will understand that the terminal 1200 may also include a power supply (such as a battery) for powering various components. The power supply can be logically connected to the processor 1200 through a power management system, thereby enabling functions such as charging, discharging, and power consumption management through the power management system. The terminal structure shown in Figure 12 does not constitute a limitation on the terminal. The terminal may include more or fewer components than shown, or combine certain components, or have different component arrangements, which will not be elaborated here.
[0353] It should be understood that, in this embodiment, the input unit 1204 may include a graphics processor 12041 and a microphone 12042. The graphics processor 12041 processes image data of still images or videos obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 1206 may include a display panel 12061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 1207 includes a touch panel 12071 and at least one of other input devices 12072. The touch panel 12071 is also called a touch screen. The touch panel 12071 may include a touch detection device and a touch controller. Other input devices 12072 may include, but are not limited to, physical keyboards, function keys (such as volume control buttons, power buttons, etc.), trackballs, mice, and joysticks, which will not be described in detail here.
[0354] In this embodiment, after receiving downlink data from the network-side device, the radio frequency unit 1201 can transmit it to the processor 1210 for processing; in addition, the radio frequency unit 1201 can send uplink data to the network-side device. Typically, the radio frequency unit 1201 includes, but is not limited to, antennas, amplifiers, transceivers, couplers, low-noise amplifiers, duplexers, etc.
[0355] The memory 1209 can be used to store software programs or instructions, as well as various data. The memory 1209 may primarily include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area may store the operating system, application programs or instructions required for at least one function (such as sound playback, image playback, etc.). Furthermore, the memory 1209 may include volatile memory or non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus RAM (DRRAM). The memory 1209 in this embodiment includes, but is not limited to, these and any other suitable types of memory.
[0356] Processor 1210 may include one or more processing units; optionally, processor 1210 integrates an application processor and a modem processor, wherein the application processor mainly handles operations involving the operating system, user interface, and applications, and the modem processor mainly handles wireless communication signals, such as a baseband processor. It is understood that the aforementioned modem processor may also not be integrated into processor 1210.
[0357] The radio frequency unit 1201 is used to receive downlink messages from a first network-side device, the downlink messages including first information;
[0358] Processor 1210 is configured to obtain a protection key based on the first information and deprotect the downlink message based on the protection key.
[0359] It is understood that the implementation process of each implementation method mentioned in this embodiment can refer to the relevant description of the method embodiment shown in Figure 2, and achieve the same or corresponding technical effects. To avoid repetition, it will not be described again here.
[0360] This application also provides a network-side device, including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps of the method embodiment shown in FIG3 or FIG4. This network-side device embodiment corresponds to the above-described network-side device method embodiment. All implementation processes and methods of the above-described method embodiments can be applied to this network-side device embodiment and can achieve the same technical effect.
[0361] Specifically, this application also provides a network-side device. As shown in FIG13, the network-side device 130 includes a processor 131, a network interface 132, and a memory 133. The network-side device may be the message processing device shown in FIG1. The network interface 132 is, for example, a Common Public Radio Interface (CPRI).
[0362] For example, the network-side device 130 is a first network-side device, and the processor 131 is used to obtain first information and obtain a protection key, wherein the protection key is related to the first information;
[0363] Network interface 132 is used to send downlink messages protected by the protection key to the terminal, the downlink messages containing the first information.
[0364] Alternatively, the network-side device 130 is a second network-side device, and the network interface 132 is used to receive a request message from the first network-side device; the processor 131 is used to obtain first information, generate a third key based on the first key and the first information, and the first key is available on the second network-side device; the network interface 132 is also used to send a response message to the first network-side device, and the response message includes the third key.
[0365] In addition, the network-side device 130 of this application embodiment also includes: a program or instructions stored in a memory 133 and executable on a processor 131. The processor 131 calls the program or instructions in the memory 133 to execute the methods executed by the modules shown in FIG9 or FIG10 and achieve the same technical effect. To avoid repetition, it will not be described in detail here.
[0366] This application also provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the various processes of the above-described message processing method embodiments and achieve the same technical effects. To avoid repetition, they will not be described again here.
[0367] The processor mentioned above is either the processor in the terminal described in the above embodiments or the processor in the network-side device. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk. In some examples, the readable storage medium may be a non-transient readable storage medium.
[0368] This application embodiment also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The processor is used to run programs or instructions to implement the various processes of the above message processing method embodiments and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0369] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a system-on-a-chip, system chip, chip system, or system-on-a-chip, etc.
[0370] This application also provides a computer program / program product, which is stored in a storage medium and executed by at least one processor to implement the various processes of the above-described message processing method embodiments, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
[0371] This application also provides a communication system, including a terminal and a network-side device. The terminal can be used to execute the steps of the message processing method as shown in Figure 2 above, and the network-side device can be used to execute the steps of the message processing method as shown in Figure 3 or Figure 4 above.
[0372] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
[0373] From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of computer software products plus necessary general-purpose hardware platforms, and of course, they can also be implemented by hardware. The computer software product is stored in a storage medium (such as ROM, RAM, magnetic disk, optical disk, etc.), and the computer software product includes several instructions to cause the terminal or network-side device to execute the methods described in the various embodiments of this application.
[0374] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other implementations under the guidance of this application without departing from the spirit and scope of the claims. All of these implementations are within the protection scope of this application.
Claims
1. A message processing method, wherein, include: The terminal receives a downlink message from a first network-side device, the downlink message including first information; The terminal obtains the protection key based on the first information; The terminal deprotects the downlink message according to the protection key.
2. The method according to claim 1, wherein, The first piece of information was not encrypted.
3. The method according to claim 1 or 2, wherein, The first information is used to distinguish the communication between the terminal and different network-side devices; Alternatively, the first information may be used to distinguish the communication between the terminal and different types of network-side devices.
4. The method according to any one of claims 1 to 3, wherein, The first information is the identifier of the signaling channel between the terminal and the first network-side device; Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
5. The method according to any one of claims 1 to 4, wherein, The terminal obtains a protection key based on the first information, including: The terminal obtains the protection key based on the first key and the first information; wherein the first key is available on the second network-side device.
6. The method according to any one of claims 1 to 4, wherein, Before the terminal receives the downlink message from the first network-side device, the method further includes: The terminal sends the first information to the first network-side device.
7. The method according to claim 6, wherein, The terminal sends the first information to the first network-side device, including: The terminal sends the first information to the first network-side device through the third network-side device.
8. The method according to claim 6 or 7, wherein, The method further includes: The terminal generates the first information.
9. The method according to claim 8, wherein, After the terminal generates the first information, the method further includes: The terminal obtains a protection key based on the first key and the generated first information; wherein the first key is available on the second network-side device.
10. The method according to claim 5 or 9, wherein, The method further includes: The terminal establishes an association between the first information and the protection key.
11. The method according to claim 9 or 10, wherein, The terminal obtains the protection key based on the first key and the first information, including: The terminal generates a second key based on the first key and the first information; The terminal generates the protection key based on the second key.
12. The method according to any one of claims 1 to 11, wherein, The method further includes: The terminal activates uplink message security and downlink message security between the terminal and the first network-side device.
13. The method according to any one of claims 1 to 12, wherein, The protection key includes a confidentiality key, and the downlink message also includes an encrypted portion; The terminal deprotects the downlink message according to the protection key, including: The terminal decrypts the encrypted portion using the confidentiality key.
14. The method according to claim 13, wherein, The protection key also includes an integrity key, and the downlink message also includes a message authentication code; The terminal further includes deprotecting the downlink message according to the protection key, and also includes: The terminal verifies the message authentication code based on the integrity key, the encrypted portion, and the first information.
15. A message processing method, wherein, include: The first network-side device obtains the first information; The first network-side device obtains a protection key, which is related to the first information; The first network-side device sends a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
16. The method according to claim 15, wherein, The first piece of information was not encrypted.
17. The method according to claim 15 or 16, wherein, The first information is used to distinguish the communication between the terminal and different network-side devices; Alternatively, the first information may be used to distinguish the communication between the terminal and different types of network-side devices.
18. The method according to any one of claims 15 to 17, wherein, The first information is the identifier of the signaling channel between the terminal and the first network-side device; Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
19. The method according to any one of claims 15 to 18, wherein, The method further includes: The first network-side device sends a request message to the second network-side device; The first network-side device receives a response message from the second network-side device, the response message including a third key; The first network-side device obtains the protection key, including: The first network-side device obtains the protection key based on the third key.
20. The method according to claim 19, wherein, The third key is the second key, and the first network-side device obtains the protection key based on the third key, including: The first network-side device generates the protection key based on the second key.
21. The method according to claim 19, wherein, The third key is the protection key.
22. The method according to any one of claims 19 to 21, wherein, The request message includes the first information.
23. The method according to any one of claims 19 to 21, wherein, The response message includes the first information.
24. The method according to any one of claims 15 to 23, wherein, The first network-side device obtains first information, including any one of the following: The first network-side device generates the first information; The first network-side device receives the first information from the terminal.
25. The method according to claim 24, wherein, The first network-side device receives the first information from the terminal, including: The first network-side device receives the first information from the terminal through the third network-side device.
26. The method according to any one of claims 15 to 25, wherein, The method further includes: The first network-side device establishes an association between the protection key and the first information.
27. The method according to any one of claims 15 to 26, wherein, The method further includes: The first network-side device activates uplink message security and downlink message security between the terminal and the first network-side device.
28. The method according to any one of claims 15 to 27, wherein, The protection key includes a confidentiality key, and the downlink message also includes an encryption part, which is obtained by encrypting the message using the confidentiality key.
29. The method according to claim 28, wherein, The protection key also includes an integrity key, and the downlink message also includes a message authentication code, which is generated based on the integrity key, the encrypted portion, and the first information.
30. A message processing method, wherein, include: The second network-side device receives a request message from the first network-side device; The second network-side device obtains the first information; In response to the request message, the second network-side device generates a third key based on the first key and the first information, and the first key is available on the second network-side device; The second network-side device sends a response message to the first network-side device, the response message including the third key.
31. The method according to claim 30, wherein, The third key is either the second key or the protection key.
32. The method according to claim 30 or 31, wherein, The second network-side device obtains the first information, including any one of the following: The second network-side device generates the first information; The second network-side device obtains the first information from the request message.
33. The method according to any one of claims 30 to 32, wherein, The first information is used to distinguish the communication between the terminal and different network-side devices; Alternatively, the first information may be used to distinguish between communication between the terminal and different types of network-side devices.
34. The method according to any one of claims 30 to 33, wherein, The first information is the identifier of the signaling channel between the terminal and the first network-side device; Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
35. A message processing apparatus, wherein, include: A first receiving module is configured to receive downlink messages from a first network-side device, the downlink messages including first information; The first processing module is used to obtain the protection key based on the first information; The second processing module is used to deprotect the downlink message according to the protection key.
36. The apparatus according to claim 35, wherein, The first information is used to distinguish the communication between the terminal and different network-side devices; Alternatively, the first information may be used to distinguish between communication between the terminal and different types of network-side devices.
37. The apparatus according to claim 35 or 36, wherein, The first information is the identifier of the signaling channel between the terminal and the first network-side device; Alternatively, the first information may be an identifier of the signaling type between the terminal and the first network-side device.
38. The apparatus according to any one of claims 35 to 37, wherein, The second processing module is specifically used to: obtain the protection key based on the first key and the first information; wherein the first key is available on the second network-side device.
39. A message processing apparatus, wherein, include: The fourth processing module is used to obtain the first information; The fifth processing module is used to obtain a protection key, which is related to the first information; The second sending module is used to send a downlink message protected by the protection key to the terminal, the downlink message containing the first information.
40. The apparatus according to claim 39, wherein, The device further includes: The third sending module is used to send request messages to the second network-side device; The second receiving module is configured to receive a response message from the second network-side device, the response message including a third key; The fifth processing module is specifically used to: obtain the protection key based on the third key.
41. A message processing apparatus, wherein, include: The third receiving module is used to receive request messages from the first network-side device; The sixth processing module is used to obtain the first information; The seventh processing module is configured to, in response to the request message, generate a third key based on the first key and the first information, wherein the first key is available on the second network-side device; The fourth sending module is used to send a response message to the first network-side device, the response message including the third key.
42. A terminal, wherein, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the message processing method as described in any one of claims 1 to 14.
43. A network-side device, wherein, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the message processing method as described in any one of claims 15 to 29, or to implement the steps of the message processing method as described in any one of claims 30 to 34.
44. A readable storage medium, wherein, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the message processing method as described in any one of claims 1 to 15, or the steps of the message processing method as described in any one of claims 15 to 29, or the steps of the message processing method as described in any one of claims 30 to 34.