Message processing method, terminal, and network side device

By negotiating and applying security algorithms between the terminal and network-side devices, the communication delay and security risks between the terminal and core network functions are resolved, enabling fast and secure communication, simplifying signaling processes, and improving security.

WO2026145435A1PCT designated stage Publication Date: 2026-07-09VIVO MOBILE COMM CO LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
VIVO MOBILE COMM CO LTD
Filing Date
2025-12-29
Publication Date
2026-07-09

AI Technical Summary

Technical Problem

In the existing network architecture, there are communication delays and security risks in the communication between the terminal and the network functions of the core network. In particular, when the AMF is deployed in the network center, it is impossible to achieve fast communication between the terminal and the NF. Moreover, once the AMF is compromised, the communication between the terminal and the NF will also be compromised.

Method used

By negotiating and applying security algorithms between the terminal and network-side devices, the terminal receives and deprotects downlink messages, while the network-side devices send protection messages, ensuring the security of communication content and preventing tampering or eavesdropping by intermediate devices.

Benefits of technology

It enables fast and secure communication between the terminal and network-side devices, reduces signaling overhead, simplifies the implementation complexity of network-side devices, and improves the flexibility and consistency of security protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN2025146643_09072026_PF_FP_ABST
    Figure CN2025146643_09072026_PF_FP_ABST
Patent Text Reader

Abstract

The present application relates to the technical field of communications, and discloses a message processing method, a terminal, and a network side device. The message processing method in the embodiments of the present application comprises: a terminal receives a first message from a first network side device, the first message comprising a first security algorithm, and the first security algorithm being used for communication between the terminal and a second network side device; the terminal receives a first downlink message from the second network side device; and the terminal unprotects the first downlink message on the basis of the first security algorithm. The embodiments of the present application can protect the communication between the terminal and the second network side device.
Need to check novelty before this filing date? Find Prior Art

Description

Message processing methods, terminals and network-side devices

[0001] Cross-reference to related applications

[0002] This application claims priority to Chinese Patent Application No. 202411973677.3, filed on December 30, 2024, the entire contents of which are incorporated herein by reference. Technical Field

[0003] This application belongs to the field of communication technology, specifically relating to a message processing method, a terminal, and a network-side device. Background Technology

[0004] In the current network architecture, control plane communication between the terminal and the network functions of the core network is always conducted through the Access and Mobility Management Function (AMF) and the Network Function (NF) entity of the core network. For example, the terminal communicates with the Session Management Function (SMF) through a session management container (SM container) encapsulated in a Non-access stratum (NAS) message.

[0005] Therefore, existing security solutions establish NAS security between the terminal and the AMF (Application Service Provider) to protect communication between the terminal and the NFs (Network Functions) behind the AMF. A problem with this approach is that, assuming the AMF is deployed in a centralized network location while other NFs are deployed closer to the terminal, faster communication between the terminal and the NFs cannot be achieved because signaling always needs to be routed through the AMF. Furthermore, while the AMF acts as a security anchor point, providing protection for communication, if the AMF is compromised, communication between the terminal and the NFs will also be compromised, posing a security risk. Summary of the Invention

[0006] This application provides a message processing method, a terminal, and a network-side device that can protect the communication between the terminal and a second network-side device.

[0007] Firstly, a message processing method is provided, the method comprising:

[0008] The terminal receives a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and a second network-side device;

[0009] The terminal receives a first downlink message from the second network-side device;

[0010] The terminal deprotects the first downlink message according to the first security algorithm.

[0011] Secondly, a message processing method is provided, including:

[0012] The first network-side device selects a first security algorithm based on the security capabilities of the terminal, and the first security algorithm is used for communication between the terminal and the second network-side device.

[0013] The first network-side device sends a first message to the terminal, the first message including the first security algorithm.

[0014] Thirdly, a message processing method is provided, including:

[0015] The second network-side device receives a first security algorithm from the first network-side device or the third network-side device. The first security algorithm is used for communication between the second network-side device and the terminal.

[0016] The second network-side device sends a first downlink message to the terminal, and the first downlink message is protected by the first security algorithm.

[0017] Fourthly, a message processing method is provided, including:

[0018] The third network-side device receives a first message from the first network-side device. The first message includes a first security algorithm, which is used for communication between the second network-side device and the terminal.

[0019] The third network-side device sends the first message to the terminal.

[0020] Fifthly, a message processing apparatus is provided, comprising:

[0021] A first receiving module is configured to receive a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and a second network-side device; and to receive a first downlink message from the second network-side device.

[0022] The first processing module is used to deprotect the first downlink message according to the first security algorithm.

[0023] Sixthly, a message processing apparatus is provided, comprising:

[0024] The second processing module is used to select a first security algorithm based on the security capabilities of the terminal. The first security algorithm is used for communication between the terminal and the second network-side device.

[0025] A first sending module is configured to send a first message to the terminal, the first message including the first security algorithm.

[0026] In a seventh aspect, a message processing apparatus is provided, comprising:

[0027] The second receiving module is used to receive a first security algorithm from a first network-side device or a third network-side device, the first security algorithm being used for communication between the second network-side device and the terminal;

[0028] The second sending module is used to send a first downlink message to the terminal, and the first downlink message is protected by the first security algorithm.

[0029] Eighthly, a message processing apparatus is provided, comprising:

[0030] The third receiving module is used to receive a first message from the first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the second network-side device and the terminal;

[0031] The third sending module is used to send the first message to the terminal.

[0032] In a ninth aspect, a terminal is provided, the terminal including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the first aspect.

[0033] In a tenth aspect, a network-side device is provided, the network-side device including a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method as described in the second aspect, or implementing the steps of the method as described in the third aspect, or implementing the steps of the method as described in the fourth aspect.

[0034] Eleventhly, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method as described in the first aspect, or the steps of the method as described in the second aspect, or the steps of the method as described in the third aspect, or the steps of the method as described in the fourth aspect.

[0035] In a twelfth aspect, a wireless communication system is provided, comprising: a terminal and a network-side device, wherein the terminal is configured to perform the steps of the method described in the first aspect, and the network-side device is configured to perform the steps of the method described in the second aspect, or implement the steps of the method described in the third aspect, or implement the steps of the method described in the fourth aspect.

[0036] In a thirteenth aspect, a chip is provided, the chip including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement the steps of the method as described in the first aspect, or the steps of the method as described in the second aspect, or the steps of the method as described in the third aspect, or the steps of the method as described in the fourth aspect.

[0037] In a fourteenth aspect, a computer program / program product is provided, the computer program / program product being stored in a storage medium, the computer program / program product being executed by at least one processor to implement the steps of the method as described in the first aspect, or the steps of the method as described in the second aspect, or the steps of the method as described in the third aspect, or the steps of the method as described in the fourth aspect.

[0038] In this embodiment, the terminal obtains a first security algorithm for communicating with the second network side device through the first network side device. In this way, the terminal can protect the content of the messages communicated with the second network side device through the first security algorithm, so that the third network side device cannot know or tamper with the content of the communication between the terminal and the second network side device. Attached Figure Description

[0039] Figure 1 is a block diagram of a wireless communication system applicable to an embodiment of this application;

[0040] Figures 2 to 5 are schematic flowcharts of the message processing method according to embodiments of this application;

[0041] Figure 6 is a flowchart illustrating the message processing method of Embodiment 1 of this application;

[0042] Figure 7 is a flowchart illustrating the message processing method of Embodiment 2 of this application;

[0043] Figure 8 is a flowchart illustrating the message processing method of Embodiment 3 of this application;

[0044] Figures 9 to 12 are structural block diagrams of the message processing device according to an embodiment of this application;

[0045] Figure 13 is a schematic diagram of the structure of a communication device according to an embodiment of this application;

[0046] Figure 14 is a schematic diagram of the structure of the terminal according to an embodiment of this application;

[0047] Figure 15 is a schematic diagram of the structure of the network-side device according to an embodiment of this application. Detailed Implementation

[0048] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.

[0049] The terms "first," "second," etc., used in this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, not limited in number; for example, the first object can be one or more. Furthermore, "or" in this application indicates at least one of the connected objects. For example, the scope of protection for "A or B" covers at least three scenarios: Scenario 1: including A but not B; Scenario 2: including B but not A; Scenario 3: including both A and B. In addition, the terms "A and / or B," "at least one of A and B," and "at least one of A or B" also cover at least the above three scenarios. The character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0050] The term "instruction" in this application can be either a direct instruction (or explicit instruction) or an indirect instruction (or implicit instruction). A direct instruction can be understood as the sender explicitly informing the receiver of specific information, the required operation, or the requested result in the instruction sent. An indirect instruction can be understood as the receiver determining the corresponding information based on the instruction sent by the sender, or making a judgment and determining the required operation or requested result based on the judgment result.

[0051] It is worth noting that the technologies described in this application are not limited to Long Term Evolution (LTE) / LTE-Advanced (LTE-A) systems, but can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA), or other systems. The terms "system" and "network" in this application are often used interchangeably, and the described technologies can be used with the systems and radio technologies mentioned above, as well as with other systems and radio technologies. The following description describes New Radio (NR) systems for illustrative purposes, and the term NR is used in most of the following description; however, these technologies can also be applied to systems other than NR systems, such as 6th generation (6G) radio systems. th Generation 6G communication system.

[0052] Figure 1 shows a block diagram of a wireless communication system applicable to an embodiment of this application. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 can also be referred to as User Equipment (UE), and can be a mobile phone, tablet computer, laptop computer, notebook computer, personal digital assistant (PDA), handheld computer, netbook, ultra-mobile personal computer (UMPC), mobile internet device (MID), augmented reality (AR), virtual reality (VR) device, robot, wearable device, flight vehicle, vehicle user equipment (VUE), shipboard equipment, pedestrian user equipment (PUE), smart home (home devices with wireless communication capabilities, such as refrigerators, televisions, washing machines, or furniture), game console, personal computer (PC), ATM, or self-service machine, etc. Wearable devices include: smartwatches, smart bracelets, smart headphones, smart glasses, smart jewelry (smart bracelets, smart chains, smart rings, smart necklaces, smart anklets, smart anklets, etc.), smart wristbands, smart clothing, etc. Among these, in-vehicle devices can also be referred to as in-vehicle terminals, in-vehicle controllers, in-vehicle modules, in-vehicle components, in-vehicle chips, or in-vehicle units, etc. It should be noted that the specific type of terminal 11 is not limited in this application embodiment. Network-side equipment 12 may include access network equipment or core network equipment, wherein access network equipment may also be referred to as Radio Access Network (RAN) equipment, radio access network function, or radio access network unit. Access network equipment may include base stations, Wireless Local Area Network (WLAN) access points (APs), or Wireless Fidelity (WiFi) nodes, etc.Among them, base stations can be referred to as Node B (NB), Evolved Node B (eNB), Next Generation Node B (gNB), New Radio Node B (NR Node B), Access Point, Relay Base Station (RBS), Serving Base Station (SBS), Base Transceiver Station (BTS), Radio Base Station, Radio Transceiver, Basic Service Set (BSS), Extended Service Set (ESS), Home Node B (HNB), Home Evolved Node B, Transmit / Receive Point (TRP), Non-Terrestrial Network (NTN) equipment (such as satellite or high altitude platform stations). The term "base station" can be any suitable term in the field, such as "station" or any other appropriate term in the relevant field, as long as the same technical effect is achieved. The term "base station" is not limited to any specific technical term. It should be noted that the embodiments of this application only use the base station in the NR system as an example for introduction, and do not limit the specific type of base station.

[0053] Core network equipment, also known as core network nodes, core network functions, or core network elements, includes, but is not limited to, at least one of the following: Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized network configuration (CNC), Network Repository Function (NRF), Network Exposure Function (NEF), Local NEF (L-NEF), and Binding Support. Functions include BSF, Application Function (AF), Location Management Function (LMF), Gateway Mobile Location Centre (GMLC), Network Data Analytics Function (NWDAF), and Non-Terrestrial Network (NTN) equipment (such as satellite or high altitude platform station).It should be noted that the embodiments of this application only use the core network equipment in the NR system as an example for introduction, and do not limit the specific type of core network equipment. If the name of the core network equipment mentioned in the embodiments of this application changes in subsequent protocol versions (e.g., 6G), it is also within the scope of protection of this application.

[0054] Optionally, the core network equipment can be implemented by one or more functional modules in a single device, or by multiple devices working together; this application does not specifically limit this. It is understood that the aforementioned functional modules can be network elements in hardware devices, software functional modules running on dedicated hardware, or virtualized functional modules instantiated on a platform (e.g., a cloud platform).

[0055] In the relevant network architecture, the AMF can always decrypt NAS messages, thus allowing it to see and modify the information cells communicating with the NF within the NAS message, posing a security risk. Furthermore, the expectation is to achieve direct communication between the UE and the NF. Under this assumption, the AMF does not participate in the communication, rendering existing AMF-based protection methods inapplicable. How to achieve secure protection between the UE and the NF is a problem that needs to be solved, particularly determining the appropriate security algorithm for communication between the UE and the NF.

[0056] The message processing method provided in this application will be described in detail below with reference to the accompanying drawings and through some embodiments and application scenarios. It is worth noting that the network-side device in the embodiments of this application can also be referred to as a network element function.

[0057] This application provides a message processing method, as shown in Figure 2, including:

[0058] Step 101: The terminal receives a first message from the first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and the second network-side device;

[0059] Step 102: The terminal receives a first downlink message from the second network-side device;

[0060] Step 103: The terminal deprotects the first downlink message according to the first security algorithm.

[0061] In some embodiments, the first network-side device can be a Security Anchor Functionality (SEAF), and the second network-side device can be an NF, which may include, but is not limited to, a Session Management Function (SMF), a User Plane Function (UPF), a Location Management Function (LMF), etc.

[0062] In some embodiments, the first message may be a Security Mode Command (SMC) message.

[0063] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0064] In some embodiments, the terminal may receive a first downlink message from the second network-side device via a third network-side device.

[0065] In some embodiments, the terminal deprotecting the first downlink message according to the first security algorithm may include the terminal decrypting the first downlink message according to an encryption algorithm or the terminal verifying the integrity of the first downlink message according to an integrity protection algorithm.

[0066] For example, the first downlink message may be a response message for accessing the second network-side device, or it may be a downlink message to be transmitted to the terminal, etc., and there is no limitation thereto.

[0067] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling. The type information may indicate service type, signaling type, network element type, etc.; the method further includes:

[0068] The terminal obtains the first security algorithm based on the type information of the first downlink message.

[0069] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0070] The terminal can store security algorithms or a mapping relationship between security algorithms and type information.

[0071] For example, the terminal receives a first message containing a mapping relationship between security algorithms and type information, such as MM: security algorithm 1, SM: security algorithm 2. The terminal saves this mapping relationship. The terminal receives a first downlink message and, based on the indication in the first downlink message that the current signaling type is MM, the terminal obtains its corresponding security algorithm 1 based on MM.

[0072] By negotiating the security algorithms used by the UE and other NFs during the interaction between the terminal and the first network-side device, the UE and NF no longer need to negotiate the relevant security algorithms. This eliminates the need to design a security algorithm negotiation process for the UE and NF, reduces the signaling overhead between the UE and NF, simplifies the implementation complexity of the NF, and also helps to activate security protection in advance.

[0073] Meanwhile, by negotiating the security algorithm at the type information granularity, the algorithm can be sent to the UE at the type information granularity, thereby improving the flexibility of algorithm negotiation.

[0074] In some embodiments, the method further includes:

[0075] The terminal deprotects the first downlink message according to the first protection key, which is available on the second network-side device.

[0076] It should be understood that the availability of the first protection key on the second network-side device means that the terminal and the second network-side device have the same key, and the terminal and the second network element can protect the messages they transmit based on the key or derive a lower-layer key based on the key.

[0077] In some embodiments, the first protection key includes, but is not limited to, at least one of a first encryption key, a first integrity protection key, etc.

[0078] In some embodiments, the terminal can deprotect the first downlink message based on the first protection key and the first security algorithm.

[0079] In some embodiments, the terminal may deprotect the first downlink message according to the first protection key and the first security algorithm. This may include the terminal decrypting the first downlink message according to the first encryption algorithm and the first encryption key, or the terminal verifying the integrity of the first downlink message according to the first integrity protection algorithm and the first integrity protection key.

[0080] In this embodiment, the first protection key can protect the content of communication between the UE and the second network side device that is forwarded by the third network side device, thereby preventing the third network side device from seeing or tampering with the communication content.

[0081] In some embodiments, after the terminal receives the first downlink message from the second network-side device or after the terminal deprotects the first downlink message according to the first security algorithm, the method further includes:

[0082] The terminal activates uplink and downlink communication security with the second network-side device.

[0083] It should be understood that activating uplink communication security between the terminal and the second network-side device means that all uplink messages sent by the terminal to the second network-side device are protected by a protection key and a security algorithm. The terminal will protect all uplink messages after security is activated, such as through encryption and integrity protection.

[0084] It should be understood that activating downlink communication security between the terminal and the second network-side device means that all downlink messages received by the terminal from the second network-side device are protected by a protection key and a security algorithm. The terminal will deprotect all downlink messages after security is activated, such as through decryption and integrity verification.

[0085] In this embodiment, by activating uplink communication security and downlink communication security during the first downlink message sent to the UE, the security operation of downlink messages can be kept consistent, reducing modifications to the chip.

[0086] In some embodiments, the method further includes:

[0087] The terminal protects the first uplink message according to the first security algorithm. The first uplink message is used by the terminal to establish an association with the second network-side device.

[0088] The terminal generates a second uplink message that includes the first uplink message;

[0089] The terminal protects the second uplink message according to the second security algorithm;

[0090] The terminal sends the second uplink message to the third network-side device.

[0091] For example, the terminal protects the PDU session establishment request message according to security algorithm 1, generates a service request message containing the PDU session establishment request message, protects the service request message according to security algorithm 2, and sends the service request message to the AMF.

[0092] In some embodiments, the second security algorithm is the same as the first security algorithm.

[0093] For example, the terminal receives a first message containing security algorithm 1, which also represents the security algorithm for communicating with the third network element (there may only be one security algorithm negotiated centrally throughout the entire network). The terminal saves the security algorithm 1, and the terminal prepares to send a first uplink message and a second uplink message. The terminal protects the first uplink message according to security algorithm 1, and the terminal protects the second uplink message according to security algorithm 1.

[0094] In this embodiment, the third network-side device can be the AMF. By protecting the first uplink message through the first security algorithm, the terminal can protect the content of the communication message (first uplink message) with the NF in the message (second uplink message) sent to the AMF, thereby preventing the AMF from seeing or tampering with the content of the communication between the UE and the NF.

[0095] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the method further includes:

[0096] The terminal obtains the first security algorithm based on the type information of the first uplink message;

[0097] The terminal obtains the second security algorithm based on the type information of the second uplink message.

[0098] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0099] The terminal can store security algorithms or a mapping relationship between security algorithms and type information.

[0100] For example, the terminal receives a first message containing a mapping relationship between security algorithms and type information, such as MM: security algorithm 1, SM: security algorithm 2. The terminal saves this mapping relationship. The terminal prepares to send a first uplink message and a second uplink message. The terminal obtains the corresponding security algorithm 1 based on the MM indicated in the first uplink message as the current signaling type, and obtains the corresponding security algorithm 2 based on the SM indicated in the second uplink message as the current signaling type.

[0101] By simultaneously negotiating the security algorithms used by the UE and other NFs during the interaction between the terminal and the first network-side device, subsequent negotiations between the UE and NF regarding related security algorithms are eliminated. This eliminates the need to design separate security algorithm negotiation procedures for the UE and NF, reduces signaling overhead between the UE and NF, simplifies the implementation complexity of the NF, and facilitates the early activation of security protection. Furthermore, by negotiating security algorithms at the type information granularity level, algorithms can be distributed to the UE at the type information level, thereby improving the flexibility of algorithm negotiation.

[0102] In some embodiments, the method further includes:

[0103] The terminal protects the second uplink message according to a second protection key, which is available on the third network-side device.

[0104] It should be understood that the availability of the second protection key on the third network element means that the terminal and the third network element have the same key. The terminal and the third network element can protect the messages they transmit based on the key or derive a lower-level key based on the key.

[0105] In some embodiments, the second protection key includes, but is not limited to, at least one of a second encryption key, a second integrity protection key, etc.

[0106] In some embodiments, the terminal can protect the second uplink message according to a second protection key and a second security algorithm.

[0107] In some embodiments, the terminal may deprotect the second uplink message according to the second protection key and the second security algorithm. This may include the terminal encrypting the second uplink message according to the second encryption algorithm and the second encryption key, or the terminal protecting the integrity of the second uplink message according to the second integrity protection algorithm and the second integrity protection key.

[0108] In this embodiment, the second protection key can protect the content of communication between the third network element and the UE.

[0109] In some embodiments, the method further includes:

[0110] The terminal protects the first uplink message according to a first protection key, which is available on the second network-side device.

[0111] It should be understood that the availability of the first protection key on the second network-side device means that the terminal and the second network-side device have the same key, and the terminal and the second network element can protect the messages they transmit based on the key or derive a lower-layer key based on the key.

[0112] In some embodiments, the first protection key includes, but is not limited to, at least one of a first encryption key, a first integrity protection key, etc.

[0113] In some embodiments, the terminal can protect the first uplink message based on a first protection key and a first security algorithm.

[0114] In some embodiments, the terminal may deprotect the first uplink message according to the first protection key and the first security algorithm. This may include the terminal encrypting the first uplink message according to the first encryption algorithm and the first encryption key, or the terminal protecting the integrity of the first uplink message according to the first integrity protection algorithm and the first integrity protection key.

[0115] The terminal can protect the first uplink message according to the first protection key before the terminal protects the second uplink message according to the second protection key; this is not a limitation.

[0116] In this embodiment, the first protection key can protect the content of communication between the UE and the second network element that is forwarded by the third network element, thereby preventing the third network element from seeing or tampering with the communication content.

[0117] In some embodiments, after the terminal sends the second uplink message to the third network-side device, the method further includes:

[0118] The terminal activates uplink and downlink communication security between itself and the second network-side device.

[0119] In this embodiment, by activating uplink communication security and downlink communication security during the first uplink message sent by the UE to the network, the UE and the network can maintain consistency in their security operations for uplink messages, reducing the need for modifications to the chip.

[0120] In some embodiments, before the terminal sends the second uplink message to the third network-side device, the method further includes:

[0121] The terminal activates uplink communication security with the second network-side device;

[0122] After the terminal sends the second uplink message to the third network-side device, the method further includes:

[0123] The terminal activates downlink communication security with the second network-side device.

[0124] In this embodiment, by activating uplink communication security and downlink communication security during the first uplink message sent by the UE to the network, the UE and the network can maintain consistency in their security operations for uplink messages, reducing the need for modifications to the chip.

[0125] In some embodiments, the method further includes:

[0126] The terminal receives a paging message from the third network-side device;

[0127] In response to the paging message, the terminal protects the third uplink message according to the second security algorithm and sends the third uplink message to the third network-side device.

[0128] In this embodiment, the content of communication between the AMF and the UE can be protected through the second security algorithm.

[0129] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the method further includes:

[0130] The terminal obtains the second security algorithm based on the type information of the third uplink message.

[0131] The terminal can store security algorithms or a mapping relationship between security algorithms and type information.

[0132] For example, the terminal receives a first message containing a mapping relationship between security algorithms and type information, such as MM: security algorithm 1, SM: security algorithm 2. The terminal saves this mapping relationship. After receiving a paging message from the AMF, the terminal responds to the paging message and prepares to send a service request message. The terminal obtains the corresponding security algorithm 1 based on the MM, which indicates that the current signaling type is MM in the service request message.

[0133] By simultaneously negotiating the security algorithms used by the UE and other NFs during the interaction between the terminal and the first network-side device, subsequent negotiations between the UE and NF regarding related security algorithms are eliminated. This eliminates the need to design separate security algorithm negotiation procedures for the UE and NF, reduces signaling overhead between the UE and NF, simplifies the implementation complexity of the NF, and facilitates the early activation of security protection. Furthermore, by negotiating security algorithms at the type information granularity level, algorithms can be distributed to the UE at the type information level, thereby improving the flexibility of algorithm negotiation.

[0134] In some embodiments, the method further includes:

[0135] The terminal protects the third uplink message according to a second protection key, which is available on the third network-side device.

[0136] In this embodiment, the content of communication between the AMF and the UE can be protected by the second protection key.

[0137] In some embodiments, the method further includes:

[0138] In response to the first message, the terminal generates the first protection key based on the first key, which is available on the first network-side device.

[0139] For example, taking Knf as the first protection key, the terminal can generate Knf based on the first key after receiving the first message; the first key may be, for example, Kseaf, Kamf, or Kausf. If the first protection key includes the first encryption key Knf-enc and the first integrity protection key Knf-int, the terminal can also deduce Knf-enc and Knf-int based on Knf.

[0140] It should be understood that the availability of the first protection key on the first network element means that the terminal and the first network element have the same key. The terminal and the first network element can protect the messages they transmit based on the key or derive a lower-level key based on the key.

[0141] In this embodiment, by pre-deducing the first protection key for communication between the UE and NF, the content containing the communication between the UE and NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0142] In some embodiments, the method further includes:

[0143] In response to the first message, the terminal generates the second protection key based on the first key, which is available on the first network-side device.

[0144] For example, with the second protection key K AMF For example, after receiving the first message, the terminal can generate K based on the first key. AMF The first key is, for example, Kseaf. When the second protection key includes the second encryption key Knas-enc and the second integrity protection key Knas-int, the terminal can also... AMF Derive Knas-enc and Knas-int.

[0145] In this embodiment, the content of communication between the AMF and the UE can be protected by the second protection key.

[0146] In some embodiments, the second security algorithm may be the same as the first security algorithm.

[0147] In some embodiments, the terminal receives a first message from a first network-side device, including:

[0148] The terminal receives the first message from the first network-side device through the third network-side device.

[0149] For example, SEAF first sends a first message to AMF, and then AMF sends the first message to UE.

[0150] This application provides a message processing method, as shown in Figure 3, including:

[0151] Step 201: The first network-side device selects a first security algorithm based on the terminal's security capabilities. The first security algorithm is used for communication between the terminal and the second network-side device.

[0152] Step 202: The first network-side device sends a first message to the terminal, the first message including the first security algorithm.

[0153] In some embodiments, the first network-side device can be a Security Anchor Functionality (SEAF), and the second network-side device can be an NF, which may be, but is not limited to, SMF, UPF, LMF, etc.

[0154] In some embodiments, the first message may be a Security Mode Command (SMC) message.

[0155] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0156] In some embodiments, the first network element may send a first message to the terminal via a third network-side device.

[0157] In some embodiments, the first network-side device selects a first security algorithm based on the terminal's security capabilities, including:

[0158] The first network-side device selects the first security algorithm based on the terminal's security capabilities and the priority of the security algorithm corresponding to the second network-side device. The terminal's security capabilities indicate the security algorithm specified by the terminal.

[0159] For example, the first network-side device has different security algorithm priorities corresponding to the second network-side devices. The first network-side device determines the security algorithm priority based on the second network-side device that the terminal will access, and then selects the first security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0160] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling. The type information may indicate service type, signaling type, network element type, etc.

[0161] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0162] In some embodiments, the method further includes:

[0163] The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the priority of the security algorithm corresponding to the type information.

[0164] For example, the first network-side device has security algorithm priorities corresponding to different type information, such as MM: priority 1; SM: priority 2. The first network-side device determines the security algorithm priority based on the type information of the second network-side device that the terminal will access, and then selects the first security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0165] By introducing algorithmic negotiation with per-type information granularity (such as per-network-side device type), the complexity of network configuration can be reduced.

[0166] In some embodiments, the first network-side device selects a first security algorithm based on the terminal's security capabilities, including:

[0167] The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the security algorithm priority corresponding to the PLMN (Public Land Mobile Communication Network) to which the first network-side device is located.

[0168] For example, the first network-side device has only one security algorithm priority in the entire PLMN. The first network-side device selects the first security algorithm according to the security capabilities of the terminal and the security algorithm priority. This can be applied to the second network-side device or the third network-side device.

[0169] By introducing per-PLMN granular algorithm negotiation, only a security algorithm priority list needs to be introduced on the first network-side device, which can further reduce the complexity of network configuration.

[0170] In some embodiments, the method further includes:

[0171] The first network-side device receives a security context request message sent by the second network-side device, the security context request message including the identifier of the terminal;

[0172] The first network-side device obtains the first protection key based on the terminal's identifier;

[0173] The first network-side device sends a security context response message to the second network-side device, the security context response message including the first protection key.

[0174] In some embodiments, a security context request message is used to request a security context for the terminal, wherein the security context may include a key and a security algorithm.

[0175] In some embodiments, the first network-side device obtains a first protection key based on the identifier of the terminal, including:

[0176] The first network-side device obtains a first key based on the identifier of the terminal, and the first key is available on the first network-side device;

[0177] The first network-side device generates the first protection key based on the first key.

[0178] For example, taking Knf as the first protection key, the first network-side device can obtain the first key (such as Kseaf) based on the terminal's identifier after receiving the terminal's identifier, and then generate Knf based on the first key.

[0179] In some embodiments, the security context response message further includes the first security algorithm.

[0180] In some embodiments, the security context request message further includes the identifier or type information of the second network-side device, and the method further includes:

[0181] The first network-side device obtains the first security algorithm based on the identifier or type information of the second network-side device.

[0182] For example, the first network-side device obtains the security algorithm priority corresponding to the second network-side device based on the identifier of the second network-side device, and then selects the first security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0183] For example, the first network-side device obtains the security algorithm priority corresponding to the type information based on the type information of the second network-side device. For example, if the type information is MM, the security algorithm priority corresponding to MM is priority 1. The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the security algorithm priority 1.

[0184] In some embodiments, the first network-side device sends a first message to the terminal, including:

[0185] The first network-side device sends the first message to the terminal through the third network-side device. In this embodiment, the third network-side device can be an AMF (Advanced Network Filter).

[0186] For example, SEAF first sends a first message to AMF, and then AMF sends the first message to UE.

[0187] This application provides a message processing method, as shown in Figure 4, including:

[0188] Step 301: The second network-side device receives a first security algorithm from the first network-side device or the third network-side device. The first security algorithm is used for communication between the second network-side device and the terminal.

[0189] Step 302: The second network-side device sends a first downlink message to the terminal, and the first downlink message is protected by the first security algorithm.

[0190] In some embodiments, the first network-side device can be a Security Anchor Functionality (SEAF), the second network-side device can be an NF, which may be, but is not limited to, SMF, UPF, LMF, etc., and the third network-side device can be an AMF.

[0191] In some embodiments, the second network-side device may send a first downlink message to the terminal via a third network-side device.

[0192] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0193] In some embodiments, the protection of the first downlink message by the first security algorithm may include the second network-side device encrypting the first downlink message according to an encryption algorithm or the second network-side device protecting the integrity of the first downlink message according to an integrity protection algorithm.

[0194] For example, the first downlink message may be a response message for accessing the second network-side device, or it may be a downlink message to be transmitted to the terminal, etc., and there is no limitation thereto.

[0195] In some embodiments, the method further includes:

[0196] The second network-side device protects the first downlink message according to the first protection key, which is available on the second network-side device.

[0197] It should be understood that the availability of the first protection key on the second network-side device means that the terminal and the second network-side device have the same key, and the terminal and the second network element can protect the messages they transmit based on the key or derive a lower-layer key based on the key.

[0198] In some embodiments, the first protection key includes, but is not limited to, at least one of a first encryption key, a first integrity protection key, etc.

[0199] In some embodiments, the second network-side device may protect the first downlink message based on a first protection key and a first security algorithm.

[0200] In some embodiments, the second network-side device may protect the first downlink message according to the first protection key and the first security algorithm. This may include the second network-side device encrypting the first downlink message according to the first encryption algorithm and the first encryption key, or the second network-side device protecting the integrity of the first downlink message according to the first integrity protection algorithm and the first integrity protection key.

[0201] In this embodiment, the first protection key can protect the content of communication between the UE and NF forwarded by the AMF, thereby preventing the AMF from seeing or tampering with the communication content.

[0202] In some embodiments, the method further includes:

[0203] The second network-side device sends a security context request message to the first network-side device, the security context request message including the identifier of the terminal;

[0204] The second network-side device sends a security context response message to the first network-side device, the security context response message including the first protection key.

[0205] In some embodiments, a security context request message is used to request a security context for the terminal, wherein the security context may include a key and a security algorithm.

[0206] In some embodiments, the security context response message further includes the first security algorithm.

[0207] For example, the second network-side device receives a first security algorithm from a security context response message sent by the first network-side device.

[0208] In some embodiments, the security context request message also includes the identifier or type information of the second network-side device.

[0209] For example, the second network-side device sends a security context request message to the first network-side device, the message containing the identifier or type information of the second network-side device. The first network-side device selects a first security algorithm based on the security capabilities of the UE and the identifier or type information of the second network-side device. The first network-side device then sends a security context response message to the second network-side device, the message including the first security algorithm.

[0210] In some embodiments, the method further includes:

[0211] The second network-side device receives a first uplink message sent by the third network-side device, the first uplink message being used by the second network-side device to establish an association with the terminal;

[0212] The second network-side device deprotects the first uplink message according to the first security algorithm.

[0213] For example, the first uplink message may include a PDU session establishment request message.

[0214] In some embodiments, the second network-side device may deprotect the first uplink message according to the first security algorithm, which may include the second network-side device decrypting the first uplink message according to the first encryption algorithm or the second network-side device verifying the integrity of the first uplink message according to the first integrity protection algorithm.

[0215] In some embodiments, the second network-side device receives a first uplink message sent by the third network-side device, including:

[0216] The second network-side device receives the first uplink message and the first security algorithm sent by the third network-side device.

[0217] For example, the second network-side device receives a first security algorithm sent from the first network-side device at the same time as receiving the first uplink message.

[0218] In some embodiments, the method further includes:

[0219] The second network-side device deprotects the first uplink message according to the first protection key.

[0220] In some embodiments, the second network-side device may deprotect the first uplink message according to the first protection key. This may include the second network-side device decrypting the first uplink message according to the first encryption key and the first encryption algorithm, or the second network-side device verifying the integrity of the first uplink message according to the first integrity protection key and the first integrity protection algorithm.

[0221] In some embodiments, the method further includes:

[0222] After the second network-side device deprotects the first uplink message according to the first protection key, it activates uplink and downlink communication security with the terminal; or

[0223] After receiving the first uplink message, the second network-side device activates uplink and downlink communication security with the terminal.

[0224] It should be understood that activating uplink communication security between the second network-side device and the terminal means that all uplink messages received by the second network-side device from the terminal are protected by a protection key and a security algorithm. The second network-side device will deprotect all uplink messages after security is activated, such as through decryption and integrity verification.

[0225] It should be understood that activating downlink communication security between the terminal and the second network-side device means that all downlink messages sent from the second network-side device to the terminal are protected by a protection key and a security algorithm. The second network-side device will protect all downlink messages after security is activated, for example, through encryption and integrity protection.

[0226] In this embodiment, by activating uplink communication security and downlink communication security during the first uplink message sent by the UE to the network, the UE and the network can maintain consistency in their security operations for uplink messages, reducing the need for modifications to the chip.

[0227] This application provides a message processing method, as shown in Figure 5, including:

[0228] Step 401: The third network-side device receives a first message from the first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the second network-side device and the terminal;

[0229] Step 402: The third network-side device sends the first message to the terminal.

[0230] In this embodiment, the first network-side device can be a Security Anchor Functionality (SEAF), the second network-side device can be an NF, which may be selected from, but is not limited to, SMF, UPF, LMF, etc., and the third network-side device can be an AMF.

[0231] In some embodiments, the first message may be a Security Mode Command (SMC) message.

[0232] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0233] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling. The type information may indicate service type, signaling type, network element type, etc.

[0234] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0235] By introducing algorithmic negotiation with per-type information granularity (such as per-network-side device type), the complexity of network configuration can be reduced.

[0236] In some embodiments, the method further includes:

[0237] The third network-side device receives a second uplink message from the terminal;

[0238] The third network-side device deprotects the second uplink message according to the second security algorithm and obtains the first uplink message;

[0239] The third network-side device sends the second uplink message to the second network-side device.

[0240] For example, the terminal protects the PDU session establishment request message according to security algorithm 1, generates a service request message containing the PDU session establishment request message, protects the service request message according to security algorithm 2, and sends the service request message to the AMF.

[0241] In some embodiments, the second security algorithm is the same as the first security algorithm.

[0242] For example, the terminal receives a first message containing security algorithm 1, which also represents the security algorithm for communicating with the third network element (there may only be one security algorithm negotiated centrally throughout the entire network). The terminal saves the security algorithm 1, and the terminal prepares to send a first uplink message and a second uplink message. The terminal protects the first uplink message according to security algorithm 1, and the terminal protects the second uplink message according to security algorithm 1.

[0243] In this embodiment, the first security algorithm enables the terminal to protect the content of the communication message (first uplink message) with the NF in the message (second uplink message) sent to the AMF, thereby preventing the AMF from seeing or tampering with the content of the UE's communication with the NF.

[0244] In some embodiments, the method further includes:

[0245] The third network-side device receives a second security algorithm from the first network-side device, and the second security algorithm is used for communication between the third network-side device and the terminal.

[0246] In this embodiment, the second security algorithm can protect the communication between the third network-side device and the terminal.

[0247] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0248] In some embodiments, the method further includes:

[0249] The third network-side device deprotects the second uplink message according to the second protection key, which is available on the third network-side device.

[0250] In this embodiment, the content of communication between the AMF and the UE can be protected by the second protection key.

[0251] It should be understood that the availability of the second protection key on the third network-side device means that the terminal and the third network-side device have the same key, and the terminal and the third network-side device can protect the messages they transmit based on the key or derive a lower-level key based on the key.

[0252] In some embodiments, the second protection key includes, but is not limited to, at least one of a second encryption key, a second integrity protection key, etc.

[0253] In some embodiments, the method further includes:

[0254] The third network-side device receives the second protection key from the first network-side device.

[0255] In some embodiments, the method further includes:

[0256] The third network-side device sends the first security algorithm to the second network-side device.

[0257] In some embodiments, the method further includes:

[0258] The third network-side device sends a first uplink message and the first security algorithm to the second network-side device. The first uplink message is used by the second network-side device to establish an association with the terminal.

[0259] For example, the first uplink message may include a PDU session establishment request message.

[0260] In some embodiments, the second network-side device may deprotect the first uplink message according to the first security algorithm, which may include the second network-side device decrypting the first uplink message according to the first encryption algorithm or the second network-side device verifying the integrity of the first uplink message according to the first integrity protection algorithm.

[0261] For example, the third network-side device sends the first security algorithm to the second network-side device at the same time as sending the first uplink message.

[0262] The message processing method of this application will be further described below with reference to the accompanying drawings and specific embodiments:

[0263] Example 1

[0264] In this embodiment, as shown in Figure 6, the AMF and SEAF are merged. The UE and NF can obtain the security context of the communication between the UE and NF in advance, such as the key and algorithm, so no additional messages are needed to activate security. This embodiment includes the following steps:

[0265] Step 1: The AMF / SEAF sends a Security Mode Command (SMC) message to the UE. This message contains a security algorithm used not only for communication between the UE and the AMF, but also for communication between the UE and the NF. Optionally, this message may also contain type information.

[0266] For example, AMF / SEAF has different security algorithm priorities corresponding to different NFs. AMF / SEAF determines the security algorithm priority based on the NF that the terminal will access, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0267] For example, AMF / SEAF obtains the security algorithm priority corresponding to the NF based on the NF's identifier, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0268] For example, the AMF / SEAF determines the corresponding security algorithm priority based on the PLMN it is in, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority. The selected security algorithm is the same for the communication between the UE and the AMF and the communication between the UE and the NF (i.e., the first security algorithm is the same as the second security algorithm).

[0269] Type information is used to distinguish signaling for different categories of NF communication or to distinguish different types of signaling, such as mobility management type signaling (communicating with AMF), session management type signaling (communicating with SMF), data management type signaling (communicating with data management function), and location type information signaling (communicating with location management function).

[0270] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0271] It is understandable that when the type information is a non-MM type indicator, the corresponding security algorithm is the first security algorithm, and when the type information is MM, the corresponding security algorithm is the second security algorithm.

[0272] For example, AMF / SEAF obtains the security algorithm priority corresponding to the type information of the NF. For example, if the type information is MM, the security algorithm priority corresponding to MM is priority 1. SEAF selects the first security algorithm according to the security capabilities of the terminal and the security algorithm priority 1.

[0273] Security algorithms include encryption algorithms and integrity protection algorithms. AMF / SEAF obtains security algorithms based on the UE's security capabilities, including the following methods:

[0274] Method 1: Assuming the core network elements support all security algorithms, and the AMF / SEAF has a priority list of algorithms favored by the operator's network, the AMF / SEAF selects a security algorithm based on the UE's security capabilities and this priority list. In this case, the security algorithm can be used by all NFs (including the AMF), and type information is not required.

[0275] Method 2: Assuming the AMF / SEAF has an algorithm priority list with type-information granularity, the AMF / SEAF selects a security algorithm based on the UE's security capabilities and the algorithm priority list corresponding to each type of information. In this case, the security algorithm is type-information granular, corresponding one-to-one with different types of information.

[0276] For example, AMF / SEAF has security algorithm priorities corresponding to different type information, such as MM: priority 1; SM: priority 2. AMF / SEAF determines the security algorithm priority based on the type information of the NF that the terminal will access, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0277] By introducing algorithmic negotiation at the per-type information granularity (such as per-network-side device type, per-signaling type, or per-PLMN granularity), the complexity of network configuration can be reduced.

[0278] The UE stores the security algorithm, or the mapping relationship between the security algorithm and type information. By negotiating the algorithms used by the UE and other NFs during the interaction between the UE and the AMF, subsequent negotiations between the UE and NFs on related security algorithms are unnecessary. This eliminates the need to design separate security algorithm negotiation procedures for the UE and NFs, reduces signaling overhead between the UE and NFs, simplifies the implementation complexity of NFs, and facilitates early activation of security protection. Introducing per-NF type algorithm negotiation improves the flexibility of algorithm negotiation. Furthermore, introducing per-PLMN granular algorithm negotiation reduces network configuration complexity.

[0279] Optionally, in response to the NAS SMC message, the UE can deduce the Knf (i.e., the first protection key) in advance to protect communication between the UE and the NF. Optionally, the UE deduces the Knf based on the Kseaf / Kamf (i.e., the first key, which is the key generated by the terminal and SEAF after master authentication). By deduce the first protection key in advance to protect communication between the UE and the NF, the content containing communication between the UE and the NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0280] Optionally, in response to the NAS SMC message, the UE can deduce the Kamf (i.e., the second protection key) in advance to protect the communication between the UE and the NF.

[0281] For example, with the second protection key K AMF For example, after receiving the NAS SMC message, the terminal can generate K based on the first key. AMF The first key is, for example, Kseaf. When the second protection key includes the second encryption key Knas-enc and the second integrity protection key Knas-int, the terminal can also... AMF Derive Knas-enc and Knas-int.

[0282] Step 2: The UE sends a NAS Security Mode Complete (SMP) message to the AMF / SEAF.

[0283] Step 3: The UE sends an uplink NAS message to the AMF / SEAF. This message contains the UE identifier and a request message to access the NF. The UE identifier is used to address the UE's context; the request message to access the NF is used to establish an association with the NF.

[0284] If the UE does not derive Knf in step 1, then the UE derives Knf in this step in the same way as in step 1.

[0285] The UE can use Knf and the first security algorithm to protect the request message for accessing the NF. The UE can use Knf and the first security algorithm to generate Knf-enc and Knf-int. The UE can use Knf-enc and the first encryption algorithm to encrypt and protect the request message for accessing the NF. The UE can use Knf-int and the first integrity protection algorithm to protect the integrity of the request message for accessing the NF.

[0286] Optionally, the UE uses the first security algorithm corresponding to the Knf and the current type information to protect the request message for accessing the NF.

[0287] The UE can obtain the current type information based on the request to access the NF. For example, if the request to access the NF is a PDU session establishment request message, then the type information is the signaling of the session management type, and the UE obtains the first security algorithm corresponding to the signaling of the session management type.

[0288] The UE can also use the security algorithm in the NAS SMC as the primary security algorithm, for example, the security algorithm is applicable to all NFs.

[0289] The UE uses Kamf and security algorithms to protect uplink NAS messages. The UE can use Knas-enc and Knas-int derived from Kamf in step 2. The UE can use Knas-enc and a second encryption algorithm to encrypt and protect uplink NAS request messages. The UE can use Knas-int and a second integrity protection algorithm to protect the integrity of uplink NAS request messages.

[0290] The UE can obtain the current type information based on the uplink NAS message. For example, if the uplink NAS message is a service request message, then the type information is the signaling of the mobility management type, and the UE obtains the second security algorithm corresponding to the signaling of the mobility management type.

[0291] The UE can also use the security algorithm in the NAS SMC as a second security algorithm, for example, the security algorithm is applicable to all NFs.

[0292] For example, the terminal protects the PDU session establishment request message according to security algorithm 1, generates a service request message containing the PDU session establishment request message, protects the service request message according to security algorithm 2, and sends the service request message to the AMF.

[0293] UE can activate security with NF, including in the following ways:

[0294] Method 1: After sending the uplink NAS message, the UE activates uplink and downlink security with the NF.

[0295] Method 2: Before sending the uplink NAS message, the UE activates uplink security with the NF. After sending the uplink NAS message, the UE activates downlink security with the NF.

[0296] Activating security during the first uplink message sent by the UE to the network ensures that the UE maintains consistent security operations for uplink messages, reducing the need for chip modifications.

[0297] It should be understood that activating uplink communication security between the UE and the NF means that all uplink messages sent by the UE to the NF are protected by a protection key and a security algorithm. The UE will protect all uplink messages after security is activated, such as through encryption and integrity protection.

[0298] It should be understood that when a UE activates downlink communication security between the UE and the NF, all downlink messages received by the UE from the NF are protected by a protection key and a security algorithm. The UE will then deprotect all downlink messages after security is activated, performing actions such as decryption and integrity verification.

[0299] Step 4: AMF / SEAF sends a security context response message to NF, which includes the Subscription Permanent Identifier (SUPI), Knf, security algorithm, and a request message to access NF.

[0300] AMF / SEAF uses KamF and security algorithms to deprotect uplink NAS messages. AMF / SEAF uses Knas-enc and Knas-int, derived from KamF in step 1. AMF / SEAF can use Knas-int and integrity protection algorithms to perform integrity verification on uplink NAS request messages, and AMF / SEAF can use Knas-enc and encryption algorithms to decrypt uplink NAS request messages.

[0301] The SUPI is obtained based on the UE identifier, which can be a temporary identifier - a globally unique temporary identifier (GUTI). The AMF / SEAF obtains the UE's permanent identifier SUPI based on the temporary identifier.

[0302] AMF / SEAF derives Knf. Optionally, AMF / SEAF derives Knf from Kseaf / Kamf.

[0303] AMF / SEAF sends security algorithms to NF in the following ways:

[0304] Method 1: If the core network element supports all security algorithms, then the security algorithm is the one used in step 1.

[0305] Method 2: If the security algorithm is type-information granular, then AMF / SEAF obtains the current type information based on the NF access request, and then sends the security algorithm corresponding to the current type information. By introducing per-NF type algorithm negotiation, the flexibility of algorithm negotiation can be improved.

[0306] The NF uses KNF and security algorithms to deprotect request messages for accessing the NF. The NF can generate KNF-enc and KNF-int using KNF and security algorithms. The NF can use KNF-int and integrity protection algorithms to perform integrity verification on request messages for accessing the NF. The NF can use KNF-enc and encryption algorithms to decrypt request messages for accessing the NF. By pre-deriving the key protecting the communication between the UE and the NF, the content containing communication between the UE and the NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0307] NF activation and UE security include the following methods:

[0308] Method 1: After deprotecting the request message for accessing the NF, the NF is activated and the uplink and downlink security of the UE is ensured.

[0309] Method 2: After receiving a request message to access the NF, the NF activates uplink and downlink security for the UE.

[0310] It should be understood that activating uplink communication security between the NF terminal and the NF means that all uplink messages received by the NF from the terminal are protected by a protection key and a security algorithm. The NF will deprotect all uplink messages after security is activated, such as through decryption and integrity verification.

[0311] It should be understood that activating downlink communication security between the NF terminal and the NF means that all downlink messages sent by the NF to the terminal are protected by a protection key and a security algorithm. The NF will protect all downlink messages after security is activated, for example, through encryption and integrity protection.

[0312] Step 5: The NF sends a response message to the UE to access the NF. This message is used to respond to the request message to access the NF and is protected by KNF and security algorithms.

[0313] For example, the terminal receives a NAS security mode command message, which contains a mapping relationship between security algorithms and type information, such as MM: security algorithm 1, SM: security algorithm 2. The terminal saves this mapping relationship. The terminal receives a response message for accessing the NF, and according to the response message for accessing the NF indicating that the current signaling type is MM, the terminal obtains the corresponding security algorithm 1 based on MM.

[0314] Example 2

[0315] In this embodiment, as shown in Figure 7, the AMF and SEAF are separated. The UE and NF can obtain the security context of communication between the UE and NF in advance, such as keys and security algorithms, so no additional messages are needed to activate security. This embodiment includes the following steps:

[0316] Step 1: SEAF sends the security algorithm to AMF. This security algorithm is used not only for communication between the UE and AMF, but also for communication between the UE and NF. Optionally, SEAF also sends type information to AMF.

[0317] For example, SEAF has security algorithm priorities corresponding to different NFs. SEAF determines the security algorithm priority based on the NF that the terminal will access, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0318] For example, SEAF obtains the security algorithm priority corresponding to the NF based on the NF's identifier, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0319] For example, SEAF determines the corresponding security algorithm priority based on the PLMN it is in, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority. The selected security algorithm is the same for the communication between UE and AMF and the communication between UE and NF (i.e., the first security algorithm is the same as the second security algorithm).

[0320] Type information is used to distinguish signaling for different categories of NF communication or to distinguish different types of signaling, such as mobility management type signaling (communicating with AMF), session management type signaling (communicating with SMF), data management type signaling (communicating with data management function), and location type information signaling (communicating with location management function).

[0321] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0322] It is understandable that when the type information is a non-MM type indicator, the corresponding security algorithm is the first security algorithm, and when the type information is MM, the corresponding security algorithm is the second security algorithm.

[0323] For example, SEAF obtains the security algorithm priority corresponding to the type information of the NF. For example, if the type information is MM, the security algorithm priority corresponding to MM is priority 1. SEAF selects the first security algorithm according to the security capabilities of the terminal and the security algorithm priority 1.

[0324] Security algorithms include encryption algorithms and integrity protection algorithms. SEAF obtains security algorithms based on the UE's security capabilities, including the following methods:

[0325] Method 1: Assuming the core network elements support all security algorithms, and the SEAF has a priority list of algorithms favored by the operator's network, the SEAF selects a security algorithm based on the UE's security capabilities and this priority list. In this case, the security algorithm can be used by all NFs without requiring type information.

[0326] Method 2: Assuming the SEAF has an algorithm priority list with type-level information granularity, the SEAF selects a security algorithm based on the UE's security capabilities and the algorithm priority list corresponding to each type of information. In this case, the security algorithm is type-level granular, corresponding one-to-one with different types of information.

[0327] For example, SEAF has security algorithm priorities corresponding to different type information, such as MM: priority 1; SM: priority 2. SEAF determines the security algorithm priority based on the type information of the NF that the terminal will access, and then selects the first security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0328] By introducing algorithmic negotiation with per-type information granularity (such as per-network-side device type), the complexity of network configuration can be reduced.

[0329] Step 2: The AMF sends a NAS Security Mode Command (SMC) message to the UE. This message contains the security algorithm. Optionally, the message may also contain type information.

[0330] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0331] The UE stores the security algorithm, or stores the mapping relationship between the security algorithm and type information.

[0332] By negotiating the algorithms used by the UE and other NFs simultaneously during the interaction between the UE and AMF, subsequent negotiation of related security algorithms between the UE and NF is unnecessary. This eliminates the need to design separate security algorithm negotiation procedures for the UE and NF, reduces signaling overhead between the UE and NF, simplifies NF implementation complexity, and facilitates early activation of security protection. Introducing per-NF type algorithm negotiation enhances the flexibility of algorithm negotiation. Furthermore, per-PLMN granular algorithm negotiation can reduce network configuration complexity.

[0333] Optionally, the UE predetermines the Knf (i.e., the first protection key) to protect communication between the UE and the NF. Alternatively, the UE derives the Knf based on the Kseaf / Kamf (i.e., the first key, generated by the terminal and SEAF after master authentication). By predetermining the key to protect communication between the UE and the NF, the content containing communication between the UE and the NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0334] Optionally, in response to the NAS SMC message, the UE can deduce the Kamf (i.e., the second protection key) in advance to protect the communication between the UE and the NF.

[0335] For example, with the second protection key K AMF For example, after receiving the NAS SMC message, the terminal can generate K based on the first key. AMF The first key is, for example, Kseaf. When the second protection key includes the second encryption key Knas-enc and the second integrity protection key Knas-int, the terminal can also... AMF Derive Knas-enc and Knas-int.

[0336] Step 3: The UE sends a NAS Security Mode Complete (SMP) message to the AMF.

[0337] Step 4: AMF sends a NAS SMP message to SEAF.

[0338] Step 5: The UE sends an uplink NAS message to the AMF. This message contains the UE identifier and a request message to access the NF. The UE identifier is used to address the UE's context; the request message to access the NF is used to establish an association with the NF.

[0339] For example, the terminal protects the PDU session establishment request message according to security algorithm 1, generates a service request message containing the PDU session establishment request message, protects the service request message according to security algorithm 2, and sends the service request message to the AMF.

[0340] If the UE does not derive Knf in step 1, then the UE derives Knf in this step in the same way as in step 1.

[0341] The UE uses Knf and a first security algorithm to protect the NF access request message. The UE uses Knf and the first security algorithm to generate Knf-enc and Knf-int. The UE can use Knf-enc and the first encryption algorithm to encrypt and protect the NF access request message. The UE can use Knf-int and the first integrity protection algorithm to protect the integrity of the NF access request message.

[0342] Optionally, the UE uses the first security algorithm corresponding to the Knf and the current type information to protect the request message for accessing the NF.

[0343] The UE can obtain the current type information based on the request to access the NF. For example, if the request to access the NF is a PDU session establishment request message, then the type information is signaling of the session management type. The UE obtains the first security algorithm corresponding to the signaling of the session management type.

[0344] The UE can also use the security algorithm in the NAS SMC as the primary security algorithm, for example, the security algorithm is applicable to all NFs.

[0345] The UE uses Kamf and security algorithms to protect uplink NAS messages. The UE can use Knas-enc and Knas-int derived from Kamf in step 2. The UE can use Knas-enc and encryption algorithms to encrypt and protect uplink NAS request messages. The UE can use Knas-int and integrity protection algorithms to protect the integrity of uplink NAS request messages.

[0346] The UE can obtain the current type information based on the uplink NAS message. For example, if the uplink NAS message is a service request message, then the type information is the signaling of the mobility management type, and the UE obtains the second security algorithm corresponding to the signaling of the mobility management type.

[0347] The UE can also use the security algorithm in the NAS SMC as a second security algorithm, for example, the security algorithm is applicable to all NFs.

[0348] For example, the terminal protects the PDU session establishment request message according to security algorithm 1, generates a service request message containing the PDU session establishment request message, protects the service request message according to security algorithm 2, and sends the service request message to the AMF.

[0349] By pre-deducing the key for protecting the communication between the UE and NF, the content containing the communication between the UE and NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0350] UE activation and NF security include the following methods:

[0351] Method 1: After sending the uplink NAS message, the UE activates uplink and downlink security with the NF.

[0352] Method 2: Before sending the uplink NAS message, the UE activates uplink security with the NF. After sending the uplink NAS message, the UE activates downlink security with the NF.

[0353] Activating security during the first uplink message sent by the UE to the network ensures that the UE maintains consistent security operations for uplink messages, reducing the need for chip modifications.

[0354] It should be understood that activating uplink communication security between the UE and the NF means that all uplink messages sent by the UE to the NF are protected by a protection key and a security algorithm. The UE will protect all uplink messages after security is activated, such as through encryption and integrity protection.

[0355] It should be understood that when a UE activates downlink communication security between the UE and the NF, all downlink messages received by the UE from the NF are protected by a protection key and a security algorithm. The UE will then deprotect all downlink messages after security is activated, performing actions such as decryption and integrity verification.

[0356] Step 6: The AMF sends a SUPI and a request message to the NF to access the NF. Optionally, a security algorithm is also sent.

[0357] AMF uses KamF and security algorithms to deprotect uplink NAS messages. AMF can utilize Knas-enc and Knas-int derived from KamF in step 2. AMF can use Knas-int and integrity protection algorithms to perform integrity verification on uplink NAS request messages. AMF can use Knas-enc and encryption algorithms to decrypt uplink NAS request messages.

[0358] SUPI is obtained based on the UE identifier. The UE identifier can be a temporary identifier (GUTI), and the AMF / SEAF obtains the UE's permanent identifier (SUPI) based on the temporary identifier.

[0359] AMF transmission security algorithms include the following:

[0360] Method 1: If the core network element supports all security algorithms, then the security algorithm is the one obtained in step 1.

[0361] Method 2: If the security algorithm is type information granular, then AMF obtains the current type information based on the request to access NF, and then sends the security algorithm corresponding to the current type information.

[0362] Step 7: NF sends a key request message to SEAF, which contains SUPI.

[0363] Step 8: SEAF sends a key response message to NF, which includes Knf. Optionally, the message also includes a security algorithm.

[0364] SEAF generates Knf and sends it to NF. Optionally, SEAF derives Knf from Kseaf / Kamf.

[0365] For security algorithms, SEAF can send them to NF in this step, including the following methods:

[0366] Method 1: If the core network element supports all security algorithms, then the security algorithm is the one obtained in step 1.

[0367] Method 2: If the security algorithm is type-information granular, then SEAF obtains the current type information based on the type of NF, and then sends the security algorithm corresponding to the current type information.

[0368] The security algorithm can also be sent by AMF to NF in step 6.

[0369] NF uses KNF and security algorithms to deprotect request messages for accessing NF. NF uses KNF and security algorithms to generate KNF-enc and KNF-int. NF can use KNF-int and integrity protection algorithms to perform integrity verification on request messages for accessing NF. NF can use KNF-enc and encryption algorithms to decrypt request messages for accessing NF.

[0370] NF activation and UE security include the following methods:

[0371] Method 1: After deprotecting the request message for accessing the NF, the NF is activated and the uplink and downlink security of the UE is ensured.

[0372] Method 2: After receiving a request message to access the NF, the NF activates uplink and downlink security for the UE.

[0373] It should be understood that activating uplink communication security between the NF terminal and the NF means that all uplink messages received by the NF from the terminal are protected by a protection key and a security algorithm. The NF will deprotect all uplink messages after security is activated, such as through decryption and integrity verification.

[0374] It should be understood that activating downlink communication security between the NF terminal and the NF means that all downlink messages sent by the NF to the terminal are protected by a protection key and a security algorithm. The NF will protect all downlink messages after security is activated, for example, through encryption and integrity protection.

[0375] Step 9: The NF sends a response message to the UE to access the NF. This message is used to respond to the request message to access the NF and is protected by KNF and security algorithms.

[0376] For example, the terminal receives a NAS security mode command message, which contains a mapping relationship between security algorithms and type information, such as MM: security algorithm 1, SM: security algorithm 2. The terminal saves this mapping relationship. The terminal receives a response message for accessing the NF, and according to the response message for accessing the NF indicating that the current signaling type is MM, the terminal obtains the corresponding security algorithm 1 based on MM.

[0377] Example 3

[0378] In this embodiment, as shown in Figure 8, the AMF / SEAF is separated or merged. The UE and NF can obtain the security context of the communication between the UE and NF in advance, such as the key and security algorithm, so no additional message is needed to activate security. This embodiment includes the following steps:

[0379] Step 1: SEAF sends the security algorithm to AMF. This security algorithm is used not only for communication between the UE and AMF, but also for communication between the UE and NF. Optionally, SEAF also sends type information to AMF.

[0380] For example, SEAF has security algorithm priorities corresponding to different NFs. SEAF determines the security algorithm priority based on the NF that the terminal will access, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0381] For example, SEAF obtains the security algorithm priority corresponding to the NF based on the NF's identifier, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0382] For example, SEAF determines the corresponding security algorithm priority based on the PLMN it is in, and then selects the security algorithm based on the terminal's security capabilities and the security algorithm priority. The selected security algorithm is the same for the communication between UE and AMF and the communication between UE and NF (i.e., the first security algorithm is the same as the second security algorithm).

[0383] Type information is used to distinguish signaling for different categories of NF communication or to distinguish different types of signaling, such as mobility management type signaling (communicating with AMF), session management type signaling (communicating with SMF), data management type signaling (communicating with data management function), and location type information signaling (communicating with location management function).

[0384] For example, type information can be a signaling type indicator, such as Mobility Management (MM), Session Management (SM), etc.

[0385] It is understandable that when the type information is a non-MM type indicator, the corresponding security algorithm is the first security algorithm, and when the type information is MM, the corresponding security algorithm is the second security algorithm.

[0386] For example, SEAF obtains the security algorithm priority corresponding to the type information of the NF. For example, if the type information is MM, the security algorithm priority corresponding to MM is priority 1. SEAF selects the first security algorithm according to the security capabilities of the terminal and the security algorithm priority 1.

[0387] Security algorithms include encryption algorithms and integrity protection algorithms. SEAF obtains security algorithms based on the UE's security capabilities, including the following methods:

[0388] Method 1: Assuming the core network elements support all security algorithms, and the SEAF has a priority list of algorithms favored by the operator's network, the SEAF selects a security algorithm based on the UE's security capabilities and this priority list. In this case, the security algorithm can be used by all NFs without requiring type information.

[0389] Method 2: Assuming the SEAF has an algorithm priority list with type-level information granularity, the SEAF selects a security algorithm based on the UE's security capabilities and the algorithm priority list corresponding to each type of information. In this case, the security algorithm is type-level granular, corresponding one-to-one with different types of information.

[0390] For example, SEAF has security algorithm priorities corresponding to different type information, such as MM: priority 1; SM: priority 2. SEAF determines the security algorithm priority based on the type information of the NF that the terminal will access, and then selects the first security algorithm based on the terminal's security capabilities and the security algorithm priority.

[0391] By introducing algorithmic negotiation with per-type information granularity (such as per-network-side device type), the complexity of network configuration can be reduced.

[0392] Step 2: The AMF sends a NAS Security Mode Command (SMC) message to the UE. This message contains the security algorithm. Optionally, the message may also contain type information.

[0393] In some embodiments, the security algorithm includes, but is not limited to, at least one of encryption algorithms, integrity protection algorithms, etc.

[0394] The UE stores the security algorithm, or stores the mapping relationship between the security algorithm and type information.

[0395] By negotiating the algorithms used by the UE and other NFs simultaneously during the interaction between the UE and AMF, subsequent negotiation of related security algorithms between the UE and NF is unnecessary. This eliminates the need to design separate security algorithm negotiation procedures for the UE and NF, reduces signaling overhead between the UE and NF, simplifies NF implementation complexity, and facilitates early activation of security protection. Introducing per-NF type algorithm negotiation enhances the flexibility of algorithm negotiation. Furthermore, per-PLMN granular algorithm negotiation can reduce network configuration complexity.

[0396] Optionally, the UE predetermines the Knf (i.e., the first protection key) to protect communication between the UE and the NF. Alternatively, the UE derives the Knf based on the Kseaf / Kamf (i.e., the first key, generated by the terminal and SEAF after master authentication). By predetermining the key to protect communication between the UE and the NF, the content containing communication between the UE and the NF forwarded by the AMF can be protected, thereby preventing the AMF from seeing or tampering with the communication content.

[0397] Optionally, in response to the NAS SMC message, the UE can deduce the Kamf (i.e., the second protection key) in advance to protect the communication between the UE and the NF.

[0398] For example, with the second protection key K AMF For example, after receiving the NAS SMC message, the terminal can generate K based on the first key. AMF The first key is, for example, Kseaf. When the second protection key includes the second encryption key Knas-enc and the second integrity protection key Knas-int, the terminal can also... AMF Derive Knas-enc and Knas-int.

[0399] Step 3: The UE sends a NAS Security Mode Complete (SMP) message to the AMF.

[0400] Step 4: AMF sends a NAS SMP message to SEAF.

[0401] Step 5: NF sends a key request message to SEAF, which contains SUPI.

[0402] An NF may not have any UE context. For example, if an NF wants to initiate communication with all UEs within a certain range, it will send a key request message to SEAF.

[0403] Step 6: SEAF sends a key response message to NF, which includes Knf. Optionally, the message also includes a security algorithm.

[0404] SEAF generates the Knf and sends it to NF. Optionally, SEAF derives the Knf based on Kseaf / Kamf. By pre-deriving the key that protects the communication between the UE and NF, the content containing the communication between the UE and NF forwarded by AMF can be protected, thereby preventing AMF from seeing or tampering with the communication content.

[0405] SEAF sends security algorithms, including the following methods:

[0406] Method 1: If the core network element supports all security algorithms, then the security algorithm is the one obtained in step 1.

[0407] Method 2: If the security algorithm is type-information granular, then SEAF obtains the current type information based on the type of NF, and then sends the security algorithm corresponding to the current type information.

[0408] The Network Functions (NF) uses KNF and security algorithms to protect downlink network function messages (DL NF messages). The NF uses KNF and security algorithms to generate KNF-enc and KNF-int. The NF can use KNF-int and integrity protection algorithms to protect the integrity of DL NF messages, and the NF can use KNF-enc and encryption algorithms to encrypt DL NF messages.

[0409] NF activation and UE security include the following methods:

[0410] Method 1: After sending the DL NF message, NF activation and UE uplink and downlink security are achieved.

[0411] Method 2: Before sending the DL NF message, NF activation and UE uplink security are performed. After sending the DL NF message, NF activation and UE downlink security are performed.

[0412] By activating security during the first downlink message sent to the UE, security operations for downlink messages can be kept consistent, reducing modifications to the chip.

[0413] It should be understood that activating uplink communication security between the NF terminal and the NF means that all uplink messages received by the NF from the terminal are protected by a protection key and a security algorithm. The NF will deprotect all uplink messages after security is activated, such as through decryption and integrity verification.

[0414] It should be understood that activating downlink communication security between the NF terminal and the NF means that all downlink messages sent by the NF to the terminal are protected by a protection key and a security algorithm. The NF will protect all downlink messages after security is activated, for example, through encryption and integrity protection.

[0415] Step 7: NF sends SUPI and DL NF message to AMF.

[0416] Step 8: AMF sends a paging message to UE.

[0417] If the UE is in IDLE state, the AMF initiates a paging message to return the UE to CONNECTED state; otherwise, the AMF can directly execute step 8.

[0418] Step 9: The UE sends a Service Request to the AMF in response to the paging message.

[0419] The UE uses Kamf and security algorithms to protect Service Request messages. Since the UE already has Knas-enc and Knas-int from step 2, it can use Knas-enc and encryption algorithms to encrypt Service Request messages, and it can use Knas-int and integrity protection algorithms to protect the integrity of Service Request messages.

[0420] Step 10: The AMF sends a DL NF message to the UE.

[0421] After successfully deprotecting the Service Request message, AMF sends a DL NF message to the UE.

[0422] If the UE does not derive Knf in step 2, then the UE derives Knf. If the UE derives Knf in step 2, then the UE obtains Knf accordingly.

[0423] The UE uses Knf and a second security algorithm to deprotect the DL NF message. The UE uses Knf and the second security algorithm to generate Knf-enc and Knf-int. The UE can use Knf-int and the second integrity protection algorithm to perform integrity verification on the DL NF message. The UE can use Knf-enc and the second encryption algorithm to decrypt the DL NF message.

[0424] Optionally, the UE uses a second security algorithm corresponding to the KNF and the current type information to deprotect the DL NF message.

[0425] Optionally, the UE can also use the security algorithm in the NAS SMC as a second security algorithm, for example, the security algorithm is applicable to all NFs.

[0426] UE activation and NF security include the following methods:

[0427] Method 1: After receiving the DL NF message, the UE activates uplink and downlink security with the NF.

[0428] Method 2: After deprotecting the DL NF mechanism, the UE activates uplink and downlink security with the NF.

[0429] By activating security during the first downlink message sent to the UE, security operations for downlink messages can be kept consistent, reducing modifications to the chip.

[0430] It should be understood that activating uplink communication security between the UE and the NF means that all uplink messages sent by the UE to the NF are protected by a protection key and a security algorithm. The UE will protect all uplink messages after security is activated, such as through encryption and integrity protection.

[0431] It should be understood that when a UE activates downlink communication security between the UE and the NF, all downlink messages received by the UE from the NF are protected by a protection key and a security algorithm. The UE will then deprotect all downlink messages after security is activated, performing actions such as decryption and integrity verification.

[0432] The message processing method provided in this application can be executed by a message processing device. This application uses an example of a message processing device executing the message processing method to illustrate the message processing device provided in this application.

[0433] This application provides a message processing device, as shown in FIG9, applied to a terminal, including:

[0434] The first receiving module 11 is configured to receive a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and the second network-side device; and to receive a first downlink message from the second network-side device.

[0435] The first processing module 12 is used to deprotect the first downlink message according to the first security algorithm.

[0436] In this embodiment, the terminal obtains a first security algorithm for communicating with the second network side device through the first network side device. In this way, the terminal can protect the content of the messages communicated with the second network side device through the first security algorithm, so that the third network side device cannot know or tamper with the content of the communication between the terminal and the second network side device.

[0437] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the apparatus further includes:

[0438] The acquisition module is used to obtain the first security algorithm based on the type information of the first downlink message.

[0439] In some embodiments, the first processing module 12 is further configured to deprotect the first downlink message according to a first protection key, the first protection key being available on the second network-side device.

[0440] In some embodiments, the apparatus further includes:

[0441] The activation module is used to activate uplink communication security and downlink communication security with the second network-side device after the terminal receives the first downlink message from the second network-side device or after the terminal deprotects the first downlink message according to the first security algorithm.

[0442] In some embodiments, the apparatus further includes:

[0443] The third processing module is used to protect the first uplink message according to the first security algorithm. The first uplink message is used for the terminal to establish an association with the second network-side device.

[0444] The generation module is used to generate a second uplink message that includes the first uplink message;

[0445] The third processing module is also used to protect the second uplink message according to the second security algorithm;

[0446] The sending module is used to send the second uplink message to the third network-side device.

[0447] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the acquisition module is further configured to obtain the first security algorithm based on the type information of the first uplink message; and to obtain the second security algorithm based on the type information of the second uplink message.

[0448] In some embodiments, the third processing module is further configured to protect the second uplink message according to a second protection key, which is available on the third network-side device.

[0449] In some embodiments, the third processing module is further configured to protect the first uplink message according to a first protection key, which is available on the second network-side device.

[0450] In some embodiments, the apparatus further includes:

[0451] The activation module is used to activate uplink and downlink communication security between the terminal and the second network-side device after the terminal sends the second uplink message to the third network-side device.

[0452] In some embodiments, the apparatus further includes:

[0453] The activation module is used to activate uplink communication security with the second network-side device before the terminal sends the second uplink message to the third network-side device; and to activate downlink communication security with the second network-side device after the terminal sends the second uplink message to the third network-side device.

[0454] In some embodiments, the first receiving module 11 is further configured to receive a paging message from the third network-side device;

[0455] The third processing module is further configured to respond to the paging message, protect the third uplink message according to the second security algorithm, and send the third uplink message to the third network-side device.

[0456] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the acquisition module is also used to obtain the second security algorithm based on the type information of the third downlink message.

[0457] In some embodiments, the third processing module is further configured to protect the third uplink message according to a second protection key, which is available on the third network-side device.

[0458] In some embodiments, the apparatus further includes:

[0459] A generation module is configured to generate the first protection key in response to the first message, based on the first key, wherein the first key is available on the first network-side device.

[0460] In some embodiments, the apparatus further includes:

[0461] A generation module is configured to generate a second protection key in response to the first message, based on a first key, wherein the first key is available on a first network-side device.

[0462] In some embodiments, the second security algorithm is the same as the first security algorithm.

[0463] In some embodiments, the first receiving module 11 is used to receive the first message from the first network side device through the third network side device.

[0464] This application provides a message processing apparatus, as shown in FIG10, applied to a first network-side device, including:

[0465] The second processing module 21 is used to select a first security algorithm based on the security capabilities of the terminal, and the first security algorithm is used for communication between the terminal and the second network-side device.

[0466] The first sending module 22 is used to send a first message to the terminal, the first message including the first security algorithm.

[0467] In this embodiment, the terminal can obtain a first security algorithm for communicating with the second network side device through the first network side device. In this way, the terminal can protect the content of the messages communicated with the second network side device through the first security algorithm, so that the third network side device cannot know or tamper with the content of the communication between the terminal and the second network side device.

[0468] In some embodiments, the first network-side device selects a first security algorithm based on the security capabilities of the terminal, and the second processing module 21 is specifically used to select the first security algorithm based on the security capabilities of the terminal and the priority of the security algorithm corresponding to the second network-side device.

[0469] In some embodiments, the first message further includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling.

[0470] In some embodiments, the second processing module 21 is used to select the first security algorithm based on the security capabilities of the terminal and the priority of the security algorithm corresponding to the type information.

[0471] In some embodiments, the second processing module 21 is used to select the first security algorithm based on the security capabilities of the terminal and the security algorithm priority corresponding to the public terrestrial mobile communication network (PLMN) where the first network-side device is located.

[0472] In some embodiments, the apparatus further includes:

[0473] The processing module is configured to receive a security context request message sent by the second network-side device, the security context request message including the identifier of the terminal; and obtain a first protection key based on the identifier of the terminal;

[0474] The first sending module 22 is used to send a security context response message to the second network-side device, the security context response message including the first protection key.

[0475] In some embodiments, the processing module is configured to obtain a first key based on the identifier of the terminal, the first key being available on the first network-side device; and generate a first protection key based on the first key.

[0476] In some embodiments, the security context response message further includes the first security algorithm.

[0477] In some embodiments, the security context request message further includes the identifier or type information of the second network-side device, and the second processing module 21 is used to obtain the first security algorithm based on the identifier or type information of the second network-side device.

[0478] In some embodiments, the first sending module 22 is used to send the first message to the terminal through the third network-side device.

[0479] This application provides a message processing apparatus, as shown in FIG11, applied to a second network-side device, including:

[0480] The second receiving module 31 is used to receive a first security algorithm from a first network-side device or a third network-side device, the first security algorithm being used for communication between the second network-side device and the terminal;

[0481] The second sending module 32 is used to send a first downlink message to the terminal, the first downlink message being protected by the first security algorithm.

[0482] In this embodiment, the first security algorithm can protect the content of the messages communicated between the terminal and the second network-side device, so that the third network-side device cannot know or tamper with the content of the communication between the terminal and the second network-side device.

[0483] In some embodiments, the apparatus further includes:

[0484] The third processing module is used to protect the first downlink message according to the first protection key, which is available on the second network-side device.

[0485] In some embodiments, the second sending module 32 is configured to send a security context request message to the first network-side device, the security context request message including the identifier of the terminal; and send a security context response message to the first network-side device, the security context response message including the first protection key.

[0486] In some embodiments, the security context response message further includes the first security algorithm.

[0487] In some embodiments, the security context request message also includes the identifier or type information of the second network-side device.

[0488] In some embodiments, the second receiving module 31 is configured to receive a first uplink message sent by the third network-side device, the first uplink message being used by the second network-side device to establish an association with the terminal; and to deprotect the first uplink message according to the first security algorithm.

[0489] In some embodiments, the second receiving module 31 is configured to deprotect the first uplink message according to the first protection key.

[0490] In some embodiments, the apparatus further includes:

[0491] The activation module is used to activate uplink and downlink communication security with the terminal after deprotecting the first uplink message according to the first protection key; or, after receiving the first uplink message, to activate uplink and downlink communication security with the terminal.

[0492] This application provides a message processing apparatus, as shown in FIG12, applied to a third network-side device, including:

[0493] The third receiving module 41 is used to receive a first message from the first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the second network-side device and the terminal;

[0494] The third sending module 42 is used to send the first message to the terminal.

[0495] In this embodiment, the terminal obtains a first security algorithm for communicating with the second network side device through the third network side device. In this way, the terminal can protect the content of the messages communicating with the second network side device through the first security algorithm, so that the third network side device cannot know or tamper with the content of the communication between the terminal and the second network side device.

[0496] In some embodiments, the third receiving module 41 is further configured to receive a second uplink message from the terminal, deprotect the second uplink message according to a second security algorithm, and obtain the first uplink message;

[0497] The third sending module 42 is also used to send the second uplink message to the second network-side device.

[0498] In some embodiments, the third receiving module 41 is configured to receive a second security algorithm from the first network-side device, the second security algorithm being used for communication between the third network-side device and the terminal.

[0499] In some embodiments, the third receiving module 41 is configured to deprotect the second uplink message according to a second protection key, which is available on the third network-side device.

[0500] In some embodiments, the third receiving module 41 is used to receive the second protection key from the first network-side device.

[0501] In some embodiments, the third sending module 42 is further configured to send the first security algorithm to the second network-side device.

[0502] In some embodiments, the third sending module 42 is further configured to send a first uplink message and the first security algorithm to the second network-side device, wherein the first uplink message is used for the second network-side device to establish an association with the terminal.

[0503] This application provides a message processing apparatus. As an example, the message processing apparatus may be a communication device or a component within a communication device, such as a chip. The communication device may be a terminal, a network-side device, or a server, etc. Exemplarily, the terminal may include, but is not limited to, the type of terminal 11 listed above, and the network-side device may include, but is not limited to, the type of network-side device 12 listed above. This application does not impose specific limitations.

[0504] The message processing device includes a receiving module, a sending module, and a processing module. These modules can be implemented in software or hardware. When implemented in hardware, the processing module can be implemented by a processor. For example, the processor can include general-purpose processors, special-purpose processors, etc., such as central processing units (CPUs), microprocessors, digital signal processors (DSPs), artificial intelligence (AI) processors, graphics processing units (GPUs), application-specific integrated circuits (ASICs), network processors (NPs), field-programmable gate arrays (FPGAs), or other programmable logic devices, gate circuits, transistors, discrete hardware components, etc. The receiving and sending modules can be implemented by a communication interface, which can include one or more of the following: transceivers, pins, circuits, buses, radio frequency units, etc.

[0505] The message processing apparatus provided in this application embodiment can implement the various processes implemented in the method embodiments of Figures 2 to 8 and achieve the same technical effect. To avoid repetition, it will not be described again here.

[0506] As shown in Figure 13, this application embodiment also provides a communication device 500, including a processor 501 and a memory 502. The memory 502 stores programs or instructions that can run on the processor 501. For example, when the communication device 500 is a terminal, the program or instructions executed by the processor 501 implement the various steps of the above-described message processing method embodiment and achieve the same technical effect. When the communication device 500 is a network-side device, the program or instructions executed by the processor 501 implement the various steps of the above-described message processing method embodiment and achieve the same technical effect. To avoid repetition, this will not be described again here.

[0507] This application also provides a terminal, including a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps in the method embodiment shown in FIG2. This terminal embodiment corresponds to the above-described terminal-side method embodiment, and all implementation processes and methods of the above-described method embodiments can be applied to this terminal embodiment and can achieve the same technical effect. The terminal can be the message processing device shown in FIG9. Specifically, FIG14 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of this application.

[0508] The terminal 600 includes, but is not limited to, at least some of the following components: radio frequency unit 601, network module 602, audio output unit 603, input unit 604, sensor 605, display unit 606, user input unit 607, interface unit 608, memory 609, and processor 610.

[0509] Those skilled in the art will understand that terminal 600 may also include a power supply (such as a battery) for powering various components. The power supply can be logically connected to processor 610 through a power management system, thereby enabling functions such as charging, discharging, and power consumption management through the power management system. The terminal structure shown in Figure 14 does not constitute a limitation on the terminal. The terminal may include more or fewer components than shown, or combine certain components, or have different component arrangements, which will not be elaborated here.

[0510] It should be understood that, in this embodiment, the input unit 604 may include a graphics processor 6041 and a microphone 6042. The graphics processor 6041 processes image data of still images or videos obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 606 may include a display panel 6061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 607 includes at least one of a touch panel 6071 and other input devices 6072. The touch panel 6071 is also called a touch screen. The touch panel 6071 may include two parts: a touch detection device and a touch controller. Other input devices 6072 may include, but are not limited to, a physical keyboard, function keys (such as volume control buttons, power buttons, etc.), a trackball, a mouse, and a joystick, which will not be described in detail here.

[0511] In this embodiment, after receiving downlink data from the network-side device, the radio frequency unit 601 can transmit it to the processor 610 for processing; in addition, the radio frequency unit 601 can send uplink data to the network-side device. Typically, the radio frequency unit 601 includes, but is not limited to, antennas, amplifiers, transceivers, couplers, low-noise amplifiers, duplexers, etc.

[0512] The memory 609 can be used to store software programs or instructions, as well as various data. The memory 609 may primarily include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area may store the operating system, application programs or instructions required for at least one function (such as sound playback, image playback, etc.). Furthermore, the memory 609 may include volatile memory or non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus RAM (DRRAM). The memory 609 in this embodiment includes, but is not limited to, these and any other suitable types of memory.

[0513] Processor 610 may include one or more processing units; optionally, processor 610 integrates an application processor and a modem processor, wherein the application processor mainly handles operations involving the operating system, user interface, and applications, and the modem processor mainly handles wireless communication signals, such as a baseband processor. It is understood that the aforementioned modem processor may also not be integrated into processor 610.

[0514] The radio frequency unit 601 is used to receive a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and the second network-side device; and to receive a first downlink message from the second network-side device.

[0515] Processor 610 is configured to deprotect the first downlink message according to the first security algorithm.

[0516] In this embodiment, the terminal obtains a first security algorithm for communicating with the second network side device through the first network side device. In this way, the terminal can protect the content of the messages communicated with the second network side device through the first security algorithm, so that the third network side device cannot know or tamper with the content of the communication between the terminal and the second network side device.

[0517] It is understood that the implementation process of each implementation method mentioned in this embodiment can refer to the relevant description of the method embodiment and achieve the same or corresponding technical effect. To avoid repetition, it will not be described again here.

[0518] This application also provides a network-side device, including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps of the method embodiment shown in the figure. This network-side device embodiment corresponds to the above-described network-side device method embodiment. All implementation processes and methods of the above-described method embodiments can be applied to this network-side device embodiment and achieve the same technical effects.

[0519] Specifically, this application also provides a network-side device. As shown in FIG15, the network-side device 700 includes a processor 701, a network interface 702, and a memory 703. The network-side device may be the message processing device shown in FIG10-FILE. The network interface 702 is, for example, a Common Public Radio Interface (CPRI).

[0520] In some embodiments, the processor 701 is configured to select a first security algorithm based on the security capabilities of the terminal, the first security algorithm being used for communication between the terminal and the second network-side device;

[0521] The network interface 702 is used to send a first message to the terminal, the first message including the first security algorithm.

[0522] In some embodiments, network interface 702 is used to receive a first security algorithm from a first network-side device or a third network-side device, the first security algorithm being used for communication between the second network-side device and the terminal; and to send a first downlink message to the terminal, the first downlink message being protected by the first security algorithm.

[0523] In some embodiments, network interface 702 receives a first message from a first network-side device, the first message including a first security algorithm used for communication between the second network-side device and the terminal; and sends the first message to the terminal.

[0524] In addition, the network-side device 700 of this application embodiment also includes: a program or instructions stored in a memory 703 and executable on a processor 701. The processor 701 calls the program or instructions in the memory 703 to execute the methods executed by the modules shown in Figures 10-12 and achieve the same technical effect. To avoid repetition, it will not be described in detail here.

[0525] This application also provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the various processes of the above-described message processing method embodiments and achieve the same technical effects. To avoid repetition, they will not be described again here.

[0526] The processor mentioned above is either the processor in the terminal described in the above embodiments or the processor in the network-side device. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk. In some examples, the readable storage medium may be a non-transient readable storage medium.

[0527] This application embodiment also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The processor is used to run programs or instructions to implement the various processes of the above message processing method embodiments and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0528] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a system-on-a-chip, system chip, chip system, or system-on-a-chip, etc.

[0529] This application also provides a computer program / program product, which is stored in a storage medium and executed by at least one processor to implement the various processes of the above-described message processing method embodiments, and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0530] This application also provides a wireless communication system, including: a terminal and a network-side device, wherein the terminal can be used to execute the steps of the message processing method described above, and the network-side device can be used to execute the steps of the message processing method described above.

[0531] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

[0532] From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of computer software products plus necessary general-purpose hardware platforms, and of course, they can also be implemented by hardware. The computer software product is stored in a storage medium (such as ROM, RAM, magnetic disk, optical disk, etc.), and the computer software product includes several instructions to cause the terminal or network-side device to execute the methods described in the various embodiments of this application.

[0533] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other implementations under the guidance of this application without departing from the spirit and scope of the claims. All of these implementations are within the protection scope of this application.

Claims

A message processing method, wherein, include: The terminal receives a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and a second network-side device; The terminal receives a first downlink message from the second network-side device; The terminal deprotects the first downlink message according to the first security algorithm. According to the method of claim 1, wherein, The first message also includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the method further includes: The terminal obtains the first security algorithm based on the type information of the first downlink message. The method according to claim 1 or 2, wherein, The method further includes: The terminal deprotects the first downlink message according to the first protection key, which is available on the second network-side device. The method according to any one of claims 1 to 3, wherein, After the terminal receives the first downlink message from the second network-side device or after the terminal deprotects the first downlink message according to the first security algorithm, the method further includes: The terminal activates uplink and downlink communication security with the second network-side device. The method according to claim 1 or 2, wherein, The method further includes: The terminal protects the first uplink message according to the first security algorithm. The first uplink message is used by the terminal to establish an association with the second network-side device. The terminal generates a second uplink message that includes the first uplink message; The terminal protects the second uplink message according to the second security algorithm; The terminal sends the second uplink message to the third network-side device. The method according to claim 5, wherein, The first message also includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the method further includes: The terminal obtains the first security algorithm based on the type information of the first uplink message; The terminal obtains the second security algorithm based on the type information of the second uplink message. The method according to claim 5 or 6, wherein, The method further includes: The terminal protects the second uplink message according to a second protection key, which is available on the third network-side device. The method according to claim 7, wherein, The method further includes: The terminal protects the first uplink message according to a first protection key, which is available on the second network-side device. The method according to any one of claims 5 to 8, wherein, After the terminal sends the second uplink message to the third network-side device, the method further includes: The terminal activates uplink and downlink communication security between itself and the second network-side device. The method according to any one of claims 5 to 8, wherein, Before the terminal sends the second uplink message to the third network-side device, the method further includes: The terminal activates uplink communication security with the second network-side device; After the terminal sends the second uplink message to the third network-side device, the method further includes: The terminal activates downlink communication security with the second network-side device. The method according to claim 1 or 2, wherein, The method further includes: The terminal receives a paging message from the third network-side device; In response to the paging message, the terminal protects the third uplink message according to the second security algorithm and sends the third uplink message to the third network-side device. The method according to claim 11, wherein, The first message also includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the method further includes: The terminal obtains the second security algorithm based on the type information of the third uplink message. The method according to claim 11, wherein, The method further includes: The terminal protects the third uplink message according to a second protection key, which is available on the third network-side device. The method according to claim 3 or 8, wherein, The method further includes: In response to the first message, the terminal generates the first protection key based on the first key, which is available on the first network-side device. The method according to claim 7 or 13, wherein, The method further includes: In response to the first message, the terminal generates the second protection key based on the first key, which is available on the first network-side device. The method according to any one of claims 5 to 15, wherein, The second security algorithm is the same as the first security algorithm. The method according to any one of claims 5 to 16, wherein, The terminal receives a first message from the first network-side device, including: The terminal receives the first message from the first network-side device through the third network-side device. A message processing method, wherein, include: The first network-side device selects a first security algorithm based on the security capabilities of the terminal, and the first security algorithm is used for communication between the terminal and the second network-side device. The first network-side device sends a first message to the terminal, the first message including the first security algorithm. The method according to claim 18, wherein, The first network-side device selects a first security algorithm based on the terminal's security capabilities, including: The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the priority of the security algorithm corresponding to the second network-side device. The method according to claim 18, wherein, The first message also includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling. The method according to claim 20, wherein, The method further includes: The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the priority of the security algorithm corresponding to the type information. The method according to claim 18, wherein, The first network-side device selects a first security algorithm based on the terminal's security capabilities, including: The first network-side device selects the first security algorithm based on the security capabilities of the terminal and the security algorithm priority corresponding to the PLMN (Public Land Mobile Communication Network) to which the first network-side device is located. The method according to any one of claims 18 to 22, wherein, The method further includes: The first network-side device receives a security context request message sent by the second network-side device, the security context request message including the identifier of the terminal; The first network-side device obtains the first protection key based on the terminal's identifier; The first network-side device sends a security context response message to the second network-side device, the security context response message including the first protection key. The method according to claim 23, wherein, The first network-side device obtains a first protection key based on the identifier of the terminal, including: The first network-side device obtains a first key based on the identifier of the terminal, and the first key is available on the first network-side device; The first network-side device generates the first protection key based on the first key. The method according to claim 23 or 24, wherein, The security context response message also includes the first security algorithm. The method according to claim 25, wherein, The security context request message also includes the identifier or type information of the second network-side device, and the method further includes: The first network-side device obtains the first security algorithm based on the identifier or type information of the second network-side device. The method according to any one of claims 18 to 26, wherein, The first network-side device sends a first message to the terminal, including: The first network-side device sends the first message to the terminal through the third network-side device. A message processing method, wherein, include: The second network-side device receives a first security algorithm from the first network-side device or the third network-side device. The first security algorithm is used for communication between the second network-side device and the terminal. The second network-side device sends a first downlink message to the terminal, and the first downlink message is protected by the first security algorithm. The method according to claim 28, wherein, The method further includes: The second network-side device protects the first downlink message according to the first protection key, which is available on the second network-side device. The method according to claim 28 or 29, wherein, The method further includes: The second network-side device sends a security context request message to the first network-side device, the security context request message including the identifier of the terminal; The second network-side device sends a security context response message to the first network-side device, the security context response message including the first protection key. The method according to claim 30, wherein, The security context response message also includes the first security algorithm. The method according to claim 30 or 31, wherein, The security context request message also includes the identifier or type information of the second network-side device. The method according to any one of claims 29 to 31, wherein, The method further includes: The second network-side device receives a first uplink message sent by the third network-side device, the first uplink message being used by the second network-side device to establish an association with the terminal; The second network-side device deprotects the first uplink message according to the first security algorithm. The method according to claim 33, wherein, The method further includes: The second network-side device deprotects the first uplink message according to the first protection key. The method according to any one of claims 28-34, wherein, The method further includes: After the second network-side device deprotects the first uplink message according to the first protection key, it activates uplink and downlink communication security with the terminal; or After receiving the first uplink message, the second network-side device activates uplink and downlink communication security with the terminal. A message processing method, wherein, include: The third network-side device receives a first message from the first network-side device. The first message includes a first security algorithm, which is used for communication between the second network-side device and the terminal. The third network-side device sends the first message to the terminal. The method according to claim 36, wherein, The method further includes: The third network-side device receives a second uplink message from the terminal; The third network-side device deprotects the second uplink message according to the second security algorithm and obtains the first uplink message; The third network-side device sends the second uplink message to the second network-side device. The method according to claim 37, wherein, The method further includes: The third network-side device receives a second security algorithm from the first network-side device, and the second security algorithm is used for communication between the third network-side device and the terminal. The method according to claim 37 or 38, wherein, The method further includes: The third network-side device deprotects the second uplink message according to the second protection key, which is available on the third network-side device. The method according to claim 39, wherein, The method further includes: The third network-side device receives the second protection key from the first network-side device. The method according to claim 36, wherein, The method further includes: The third network-side device sends the first security algorithm to the second network-side device. The method according to claim 36, wherein, The method further includes: The third network-side device sends a first uplink message and the first security algorithm to the second network-side device. The first uplink message is used by the second network-side device to establish an association with the terminal. A message processing device, wherein, include: A first receiving module is configured to receive a first message from a first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the terminal and a second network-side device; and to receive a first downlink message from the second network-side device. The first processing module is used to deprotect the first downlink message according to the first security algorithm. The apparatus according to claim 43, wherein, The first message also includes type information, which is used to distinguish different categories of the second network-side devices or to distinguish different types of signaling; the device further includes: The acquisition module is used to obtain the first security algorithm based on the type information of the first downlink message. A message processing device, wherein, include: The second processing module is used to select a first security algorithm based on the security capabilities of the terminal. The first security algorithm is used for communication between the terminal and the second network-side device. A first sending module is configured to send a first message to the terminal, the first message including the first security algorithm. The apparatus according to claim 45, wherein, The first network-side device selects a first security algorithm based on the terminal's security capabilities, and the second processing module is specifically used to select the first security algorithm based on the terminal's security capabilities and the priority of the security algorithm corresponding to the second network-side device. A message processing device, wherein, include: The second receiving module is used to receive a first security algorithm from a first network-side device or a third network-side device, the first security algorithm being used for communication between the second network-side device and the terminal; The second sending module is used to send a first downlink message to the terminal, and the first downlink message is protected by the first security algorithm. The apparatus according to claim 47, wherein, The device further includes: The third processing module is used to protect the first downlink message according to the first protection key, which is available on the second network-side device. A message processing device, wherein, include: The third receiving module is used to receive a first message from the first network-side device, the first message including a first security algorithm, the first security algorithm being used for communication between the second network-side device and the terminal; The third sending module is used to send the first message to the terminal. The apparatus according to claim 49, wherein, The third receiving module is further configured to receive a second uplink message from the terminal, deprotect the second uplink message according to the second security algorithm, and obtain the first uplink message; The third sending module is also used to send the second uplink message to the second network-side device. A terminal, wherein, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the steps of the message processing method as described in any one of claims 1 to 17. A network-side device, wherein, The device includes a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions being executed by the processor to implement the steps of the message processing method as described in any one of claims 18 to 27, or the steps of the message processing method as described in any one of claims 28 to 35, or the steps of the message processing method as described in any one of claims 36 to 42. A readable storage medium, wherein, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the message processing method as described in any one of claims 1-17, or the steps of the message processing method as described in any one of claims 18-27, or the steps of the message processing method as described in any one of claims 28-35, or the steps of the message processing method as described in any one of claims 36-42.