WO2021244569A1 - Data transmission method and system, electronic device and storage medium - Google Patents
Data transmission method and system, electronic device and storage medium
- Publication number: WO2021244569A1 (PCT/CN2021/097900)
- Authority: WO (WIPO, PCT)
- Prior art keywords: user plane, key, target user, functional entity, data
- Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords (under H04L9/08, Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; and H04L9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04 and H04L63/00, Network architectures or network communication protocols for network security)
- H04L63/123: Applying verification of the received data contents, e.g. message integrity (under H04L63/12, Applying verification of the received information; and H04L63/00)
- All three belong to H04L (Transmission of digital information, e.g. telegraphic communication), H04 (Electric communication technique), H (Electricity)
Definitions
- the present disclosure relates to, but is not limited to, the field of communication security.
- the present disclosure provides a data transmission method applied to a first control plane functional entity. The method includes: determining the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and sending a first notification message to the target user equipment, where the first notification message is used to instruct that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity.
- the present disclosure provides a data transmission method applied to a second control plane functional entity.
- the method includes: receiving a second notification message sent by the first control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data transmitted between them; generating the first key; and sending the first key to the user plane functional entity.
- the present disclosure provides a data transmission method applied to a user plane functional entity. The method includes: obtaining a first key and generating a second key according to the first key, where the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data transmitted between them; and performing security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.
- the present disclosure provides a data transmission method applied to a target user equipment.
- the method includes: receiving a first notification message sent by a first control plane functional entity, where the first notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
- the present disclosure provides an electronic device, which includes: at least one processor; and a memory on which at least one program is stored. When the at least one program is executed by the at least one processor, the at least one processor implements any of the data transmission methods described herein.
- the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, any one of the data transmission methods described herein is implemented.
- the present disclosure provides a data transmission system, including: a first control plane functional entity configured to determine the target user plane data that needs to be securely protected between a target user equipment and a user plane functional entity, and to send a first notification message to the target user equipment, where the first notification message is used to instruct that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity; and the target user equipment, configured to receive the first notification message sent by the first control plane functional entity.
- Figure 1 is a schematic diagram of the security protection mechanism in the process of data transmission in the 5G network defined by the 3rd Generation Partnership Project (3GPP, The 3rd Generation Partnership Project) R15 in related technologies;
- 3GPP: 3rd Generation Partnership Project
- R15: Release 15 of the 3GPP specifications
- Fig. 2 is a flowchart of a data transmission method provided by the present disclosure
- FIG. 3 is a flowchart of a data transmission method provided by the present disclosure
- Fig. 4 is a flowchart of a data transmission method provided by the present disclosure
- FIG. 5 is a flowchart of a data transmission method provided by the present disclosure.
- FIG. 6 is a flowchart of the data transmission method provided in Example 1 of the present disclosure.
- FIG. 7 is a flowchart of the data transmission method provided in Example 2 of the present disclosure.
- FIG. 8 is a flowchart of the data transmission method provided in Example 3 of the present disclosure.
- FIG. 9 is a schematic diagram of the structure of the protocol stack provided in Example 4 of the present disclosure.
- Fig. 10 is a block diagram of a data transmission device provided by the present disclosure.
- Figure 11 is a block diagram of a data transmission device provided by the present disclosure.
- FIG. 12 is a block diagram of a data transmission device provided by the present disclosure.
- Figure 13 is a block diagram of a data transmission device provided by the present disclosure.
- Fig. 14 is a block diagram of a data transmission system provided by the present disclosure.
- 5G has carried out a deep reconstruction of the network architecture.
- a service-oriented architecture is introduced.
- virtualized network functions are built on demand according to application requirements, and network slices are built to provide network services whose performance better matches those requirements. For example, for IoT applications with fixed terminal locations, there is no need to introduce mobility management functions when constructing the network slice that provides the service; for low-latency applications, the network slice is constructed so that the user plane function (UPF, User Plane Function) is deployed at the edge of the network, shortening the data transmission delay to meet the application's latency requirements.
- UPF User Plane Function
- 5G can provide network services with different characteristics for different applications with the help of emerging technologies such as virtualization and network slicing.
- since 5G networks provide network services for applications in various industries, they carry high-value application data and sensitive data such as private information. Attacks on networks to obtain or tamper with data have never stopped, and as the business data carried by future 5G networks keeps growing richer, attack methods continue to evolve. Therefore, protection measures such as integrity and ciphering protection of data during network transmission are indispensable.
- confidentiality refers to the encrypted transmission of data, preventing it from being eavesdropped on and illegally obtained during transmission; integrity refers to integrity protection of the transmitted data at the sending end and integrity verification at the receiving end, thereby preventing the data from being tampered with during transmission.
- the data transmitted by the 5G network falls into two categories: control plane signaling data, such as the signaling by which users register to the network and the signaling by which a slice session accesses the network; and user plane data carrying the user's services, such as data for online video services.
- Figure 1 is a schematic diagram of the security protection mechanism in the process of data transmission in the 5G network defined by the 3rd Generation Partnership Project (3GPP, The 3rd Generation Partnership Project) R15.
- A in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the user equipment (UE, User Equipment) and the access network (RAN, Radio Access Network);
- B in Figure 1 represents the confidentiality and/or integrity protection of user plane data between the UE and the RAN;
- C in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the UE and the 5G core network (5GC, 5G Core network). Confidentiality and/or integrity protection of the user plane data transmitted between the UE and the 5GC has not yet been required.
- user plane data is transmitted in plain text between the RAN and the 5GC, as shown at D in Figure 1.
- since 5G provides network services for vertical industries, and based on the business characteristics of those industries, it is necessary to provide security protection for user plane data on the transmission path from the UE to the 5GC, mainly for the following reasons:
- the configuration of the access network functional entity is more easily exposed, so the encryption, authentication and user plane integrity protection configured on the access network functional entity side are more vulnerable to attack.
- the network nodes on the core network side have stronger computing capabilities, which helps reduce the delay of data interaction, and vertical industries often attach great importance to a low-latency experience.
- network slicing operators may lease RAN resources from other operators. From the perspective of a network slicing operator or an industry application, the access network functional entity is not an absolutely trusted device. Therefore, network slicing operators or industry applications want data security to terminate on the core network side rather than at the access network functional entity.
- one solution is to implement encryption and/or integrity protection for all data transmitted between the boundary network elements of the access network and the boundary network elements of the core network. Encryption protection is then applied to data regardless of whether it has an encryption requirement, which reduces processing efficiency and increases business delay.
- moreover, the access network functional entity still participates in the process of data encryption and decryption and/or integrity verification, so the risk that the access network functional entity is untrusted or is attacked, compromising data security, remains.
- another solution is for the application itself to provide protection mechanisms such as application layer encryption to ensure the security of user plane data.
- as an example of application layer encryption, some applications use Secure Sockets Layer (SSL, Secure Sockets Layer) to encrypt application data in transit.
- SSL Secure Sockets Layer
- however, not every application has the functions of encrypting, protecting and verifying user plane data at the application layer.
- the above-mentioned solutions are specific to individual applications and are not easy to generalize.
- Fig. 2 is a flowchart of a data transmission method of the present disclosure.
- the present disclosure provides a data transmission method applied to a first control plane functional entity (for example, it can be executed by the first control plane functional entity).
- the method may include step 200 and step 201.
- in step 200, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity is determined.
- the target user plane data that needs to be secured between the target user equipment and the user plane functional entity may be determined according to the user subscription information.
- the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may also be determined according to whether a first notification message sent by the second control plane functional entity is received, the first notification message being used to instruct that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity. For example, receiving the first notification message sent by the second control plane functional entity indicates that the target user plane data needs to be securely protected between the target user equipment and the user plane functional entity; not receiving it indicates that there is no need to securely protect the user plane data between the target user equipment and the user plane functional entity.
- the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration process of the target UE to the core network, for example after the authentication process is completed.
- the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.
- PDU Protocol Data Unit
- SMF Session Management Function
- in step 201, a first notification message is sent to the target user equipment, where the first notification message is used to instruct that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity.
- the first notification message may be sent to the target UE during the registration process of the target UE to the core network, for example, after the authentication process is completed, the first notification message is sent to the target UE.
- after receiving the first notification message, the target UE confirms the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity.
- the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.
- the first notification message may be sent to the target UE during the PDU session establishment process, for example, after receiving the PDU session context creation response from the SMF entity, the first notification message is sent to the target UE.
- the target user plane data is the user plane data transmitted by the target UE to the user plane functional entity through the PDU session.
- for some UEs, after determining that all of the UE's user plane data needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is sent to the user equipment; for other UEs, after determining that none of the UE's user plane data needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
- in this way, the user plane data of some UEs is secured between the UE and the user plane functional entity while the user plane data of other UEs is not.
- the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
- for some PDU sessions of the UE, after determining that all user plane data transmitted through the PDU session needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is sent to the user equipment; for other PDU sessions of the UE, after determining that none of the user plane data transmitted through the PDU session requires security protection between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
- in this way, the user plane data corresponding to some PDU sessions of the UE is securely protected between the UE and the user plane functional entity while the user plane data corresponding to the UE's other PDU sessions is not.
- which PDU sessions of the UE have their user plane data securely protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
- the method further includes: generating a first key, and sending the first key to the user plane functional entity, where the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
- the anchor key may be generated first, and then the first key may be generated according to the anchor key.
- the first key is used for key isolation, preventing one key from being leaked and affecting the security of other keys, improving security.
- the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
- the encryption key is used for confidentiality protection of user plane data between the UE and the core user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core user plane functional entity.
- the first key is the first key corresponding to the target UE
- the second key is the second key corresponding to the target UE.
- the first keys corresponding to different UEs may be the same or different.
- the second keys corresponding to different target UEs may be the same or different.
- the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
- PDU protocol data unit
- one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
- the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
- one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
- the method further includes: sending a second notification message to the second control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
- the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity can perform security protection on the target user plane data; in this way, security protection of the target user plane data between the target user equipment and the user plane functional entity is realized.
- Fig. 3 is a flowchart of a data transmission method of the present disclosure.
- the present disclosure provides a data transmission method applied to a second control plane functional entity (for example, it may be executed by the second control plane functional entity).
- the method may include step 300 and step 301.
- in step 300, a second notification message sent by a first control plane functional entity is received, where the second notification message is used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
- the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
- the encryption key is used for confidentiality protection of user plane data between the UE and the core user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core user plane functional entity.
- the first key is the first key corresponding to the target UE
- the second key is the second key corresponding to the target UE.
- the first keys corresponding to different UEs may be the same or different.
- the second keys corresponding to different target UEs may be the same or different.
- the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
- PDU protocol data unit
- one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
- the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
- one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
- in step 301, the first key is generated, and the first key is sent to the user plane functional entity.
- the first key may be generated according to the anchor key carried in the second notification message.
- the first key is used for key isolation, preventing one key from being leaked and affecting the security of other keys, and improving security.
- before receiving the second notification message sent by the first control plane functional entity, the method may further include: determining the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and sending a first notification message to the first control plane functional entity, where the first notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
- the target user plane data that needs to be secured between the target user equipment and the user plane functional entity may be determined according to the user subscription information.
- the specific determination strategy is not used to limit the protection scope of the present disclosure, and will not be repeated here.
- the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration process of the target UE to the core network, for example after the authentication process is completed.
- the target user plane data is all user plane data of the target UE.
- the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the establishment of the PDU session, for example after receiving the PDU session context creation response from the SMF entity.
- the target user plane data is the user plane data transmitted by the target UE to the user plane functional entity through the PDU session.
- for some UEs, after determining that all of the UE's user plane data needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is sent to the user equipment; for other UEs, after determining that none of the UE's user plane data needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
- in this way, the user plane data of some UEs is secured between the UE and the user plane functional entity while the user plane data of other UEs is not.
- the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
- for some PDU sessions of the UE, after determining that all user plane data transmitted through the PDU session needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is sent to the user equipment; for other PDU sessions of the UE, after determining that none of the user plane data transmitted through the PDU session requires security protection between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
- in this way, the user plane data corresponding to some PDU sessions of the UE is securely protected between the UE and the user plane functional entity while the user plane data corresponding to the UE's other PDU sessions is not.
- which PDU sessions of the UE have their user plane data securely protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
- the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity can perform security protection on the target user plane data; in this way, security protection of the target user plane data between the target user equipment and the user plane functional entity is realized.
- Fig. 4 is a flowchart of a data transmission method of the present disclosure.
- embodiments of the present disclosure provide a data transmission method, which is applied to a user plane functional entity (for example, it can be executed by a user plane functional entity).
- the method may include step 400 and step 401.
- in step 400, a first key is obtained, and a second key is generated according to the first key; the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
- obtaining the first key includes: receiving the first key sent by the first control plane functional entity.
- obtaining the first key includes: receiving the first key sent by a second control plane functional entity.
- the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
- the encryption key is used for confidentiality protection of user plane data between the UE and the core user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core user plane functional entity.
- the first key is the first key corresponding to the target UE
- the second key is the second key corresponding to the target UE.
- the first keys corresponding to different UEs may be the same or different.
- the second keys corresponding to different target UEs may be the same or different.
- the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
- PDU protocol data unit
- one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
- the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
- one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
- for some UEs, if the first key corresponding to the UE is obtained, it means that all user plane data of the UE needs to be securely protected between the UE and the user plane functional entity; for other UEs, if the first key corresponding to the UE is not obtained, it means that none of the UE's user plane data needs to be securely protected between the UE and the user plane functional entity. In this way, the user plane data of some UEs is secured between the UE and the user plane functional entity while the user plane data of other UEs is not.
- the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
- for some PDU sessions of the UE, if the first key corresponding to the PDU session is obtained, it means that all user plane data transmitted by the UE through that PDU session needs to be securely protected between the UE and the user plane functional entity; for other PDU sessions of the UE, if the first key corresponding to the PDU session is not obtained, it means that none of the user plane data transmitted by the UE through that PDU session needs to be securely protected between the UE and the user plane functional entity. In this way, the user plane data corresponding to some PDU sessions of the UE is securely protected between the UE and the user plane functional entity while the user plane data corresponding to the UE's other PDU sessions is not.
- which PDU sessions of the UE have their user plane data securely protected between the UE and the user plane functional entity can be determined according to the UE's subscription data, and the user can sign a contract with the operator according to their own needs.
- The second key can be generated in multiple ways.
- The specific generation method is not used to limit the scope of protection of the present disclosure.
- The present disclosure emphasizes that the second key, which is used to securely protect user plane data between the user equipment and the user plane functional entity, is different from the key used to securely protect user plane data or control plane data between the UE and the RAN functional entity.
- The RAN does not participate in the security protection of user plane data between the UE and the user plane functional entity.
- In step 401, security protection processing is performed, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.
- The second key includes a confidentiality key and/or an integrity key.
- Performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes one of the following: using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the confidentiality key to decrypt the target user plane data received from the target user equipment; or using the integrity key to perform integrity protection on the target user plane data sent to the target user equipment, and using the integrity key to perform integrity verification on the target user plane data received from the target user equipment; or using the confidentiality key to encrypt the target user plane data sent to the target user equipment and using the integrity key to perform integrity protection on the encrypted target user plane data, and using the integrity key to perform integrity verification on the target user plane data received from the target user equipment and, after the verification passes, using the confidentiality key to decrypt it.
- Performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: before the downlink target user plane data sent to the target user equipment is encapsulated in PDCP (Packet Data Convergence Protocol), using the second key to perform the first security protection process on the downlink target user plane data, and sending the downlink target user plane data after the first security protection process to the target user equipment; and, after PDCP decapsulation of the uplink target user plane data received from the target user equipment after the first security protection process, using the second key to perform the second security protection process on that uplink target user plane data.
- The second key is the second key corresponding to the target UE.
- The downlink target user plane data sent to the target UE is all downlink user plane data sent by the user plane functional entity to the target UE.
- The uplink target user plane data received from the target UE after the first security protection process is all uplink user plane data from the target UE received by the user plane functional entity.
- That is, the second key is used to perform the first security protection process on all downlink user plane data sent by the user plane functional entity to the target UE, and the second key is used to perform the second security protection process on all uplink user plane data received from the target UE.
- The second key is the second key corresponding to the PDU session of the target UE.
- One PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
- The downlink target user plane data sent to the UE is the downlink user plane data sent by the core network to the UE through the PDU session.
- The uplink target user plane data received from the UE after the first security protection process is the uplink user plane data from the UE received by the core network through the PDU session.
- That is, the second key is used to perform the first security protection process on the downlink target user plane data sent by the user plane functional entity to the target UE through the PDU session corresponding to the second key.
- The downlink user plane data sent to the UE through PDU sessions not corresponding to the second key does not require the first security protection process, but is handled according to the existing technology.
- The security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described below.
- In the first case, the second key includes only the encryption key.
- Using the second key to perform the first security protection process on the downlink target user plane data then includes: using the encryption key to encrypt the downlink target user plane data; and using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes: using the encryption key to decrypt the encrypted uplink target user plane data.
- In the second case, the second key includes only the integrity key.
- Using the second key to perform the first security protection process on the downlink target user plane data then includes: using the integrity key to perform integrity protection processing on the downlink target user plane data; and using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the integrity-protected uplink target user plane data.
- In the third case, security protection includes both confidentiality protection and integrity protection, and the second key includes an encryption key and an integrity key.
- Using the second key to perform the first security protection process on the downlink target user plane data then includes: using the encryption key to encrypt the downlink target user plane data, and using the integrity key to perform integrity protection processing on the encrypted downlink target user plane data; and using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the encrypted and integrity-protected uplink target user plane data, and, after the verification passes, using the encryption key to decrypt the uplink target user plane data.
- The first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, and then notifies the target user equipment, so that the target user equipment and the user plane functional entity secure the target user plane data; this realizes security protection of the target user plane data between the target user equipment and the user plane functional entity, and the RAN does not participate in the security protection of user plane data between the UE and the core network.
- The RAN transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which is suitable for scenarios where the RAN is untrusted and vulnerable to attack.
- Fig. 5 is a flowchart of a data transmission method of the present disclosure.
- the present disclosure provides a data transmission method applied to a target UE (for example, it may be executed by the target UE).
- the method may include step 500.
- In step 500, a first notification message sent by a first control plane functional entity is received, where the first notification message is used to indicate that security protection of the target user plane data is performed between the target user equipment and the user plane functional entity.
- If the first notification message from the first control plane functional entity is not received, the process ends.
- For some UEs, if the UE receives the first notification message from the first control plane functional entity during the registration of the UE with the core network, it means that all user plane data of the UE needs to be secured between the UE and the user plane functional entity; for other UEs, if the UE does not receive the first notification message from the first control plane functional entity during registration with the core network, it means that there is no need to perform security protection for all user plane data of the UE between the UE and the user plane functional entity.
- In this way, the user plane data of all UEs is not secured between the UE and the user plane functional entity, but the user plane data of some UEs is.
- Whether the user plane data of a UE is protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can subscribe with the operator according to their own needs.
- For some PDU sessions of the UE, if the first notification message from the first control plane functional entity is received during the establishment of the PDU session, it indicates that the user plane data transmitted by the UE through that PDU session needs to be secured between the UE and the user plane functional entity; for other PDU sessions of the UE, if the first notification message from the first control plane functional entity is not received during the establishment of the PDU session, it means that there is no need to secure the user plane data transmitted by the UE through that PDU session between the UE and the user plane functional entity.
- In this way, the user plane data corresponding to all PDU sessions of the UE is not securely protected between the UE and the user plane functional entity, but the user plane data corresponding to some PDU sessions of the UE is.
- Which PDU sessions of the UE have their user plane data protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can subscribe with the operator according to their own needs.
- The method may further include: generating a first key, and generating a second key according to the first key, wherein the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
- In some exemplary embodiments, the second key includes an encryption key; in some exemplary embodiments, the second key includes an integrity key; in some exemplary embodiments, the second key includes both an encryption key and an integrity key.
- The encryption key is used for confidentiality protection of user plane data between the UE and the core network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core network user plane functional entity.
- the first key is the first key corresponding to the target UE
- the second key is the second key corresponding to the target UE.
- The first keys corresponding to different target UEs may be the same or different.
- The second keys corresponding to different target UEs may be the same or different.
- The first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
- One PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key.
- The second key is the second key corresponding to the PDU session of the UE.
- One PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
- the method may further include: performing security protection processing on target user plane data transmitted between the target user equipment and the user plane functional entity through the second key.
- The second key includes a confidentiality key and/or an integrity key. Performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes one of the following: using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the confidentiality key to decrypt the target user plane data received from the user plane functional entity; or using the integrity key to perform integrity protection processing on the target user plane data sent to the user plane functional entity, and using the integrity key to perform integrity verification on the target user plane data received from the user plane functional entity; or using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity and using the integrity key to perform integrity protection processing on the encrypted target user plane data, and using the integrity key to perform integrity verification on the target user plane data received from the user plane functional entity and, after the verification passes, using the confidentiality key to decrypt it.
- Performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: before PDCP encapsulation of the uplink target user plane data, using the second key to perform the first security protection process on the uplink target user plane data, and sending the uplink target user plane data after the first security protection process to the user plane functional entity; and, after PDCP decapsulation of the downlink target user plane data received from the user plane functional entity after the first security protection process, using the second key to perform the second security protection process on that downlink target user plane data.
- The second key is the second key corresponding to the target UE.
- The uplink target user plane data sent to the user plane functional entity is all uplink user plane data sent by the target UE to the user plane functional entity.
- The downlink target user plane data received from the user plane functional entity after the first security protection process is all downlink user plane data from the user plane functional entity received by the target UE.
- That is, the second key is used to perform the first security protection process on all uplink user plane data sent by the target UE to the user plane functional entity, and the second key is used to perform the second security protection process on all downlink user plane data received from the user plane functional entity.
- The second key is the second key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
- One second key may correspond to one PDU session, or two or more PDU sessions may correspond to one second key.
- The uplink target user plane data sent to the user plane functional entity is the uplink user plane data sent by the target UE to the user plane functional entity through the PDU session.
- The downlink target user plane data received from the user plane functional entity after the first security protection process is the downlink user plane data from the user plane functional entity received by the UE through the PDU session.
- That is, the second key is used to perform the first security protection process on the uplink target user plane data sent by the target UE to the user plane functional entity through the PDU session corresponding to the second key, and the uplink user plane data sent by the target UE to the user plane functional entity through PDU sessions not corresponding to the second key (that is, PDU sessions other than the PDU session corresponding to the second key) does not require the first security protection process, but is handled according to the existing technology.
- The security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described below.
- In the first case, the second key includes only the encryption key. Accordingly, using the second key to perform the first security protection process on the uplink target user plane data includes: using the encryption key to encrypt the uplink target user plane data; and using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes: using the encryption key to decrypt the encrypted downlink target user plane data.
- In the second case, the second key includes only the integrity key.
- Using the second key to perform the first security protection process on the uplink target user plane data then includes: using the integrity key to perform integrity protection processing on the uplink target user plane data; and using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the integrity-protected downlink target user plane data.
- In the third case, security protection includes both confidentiality protection and integrity protection, and the second key includes an encryption key and an integrity key.
- Using the second key to perform the first security protection process on the uplink target user plane data then includes: using the encryption key to encrypt the uplink target user plane data, and using the integrity key to perform integrity protection processing on the encrypted uplink target user plane data; and using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the encrypted and integrity-protected downlink target user plane data, and, after the verification passes, using the encryption key to decrypt the downlink target user plane data.
- The first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, and then notifies the target user equipment, so that the target user equipment and the user plane functional entity secure the target user plane data; this realizes security protection of the target user plane data between the target user equipment and the user plane functional entity, and the RAN does not participate in the security protection of user plane data between the UE and the core network.
- The RAN transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which is suitable for scenarios where the RAN is untrusted and vulnerable to attack.
- the first control plane functional entity, the second control plane functional entity, and the user plane functional entity are set in different devices in the core network.
- the first control plane functional entity and the second control plane functional entity are control plane network functions responsible for user equipment access and service processing.
- the user plane function entity is a forwarding plane network function that processes user application data.
- The first control plane functional entity is an access and mobility management function (AMF, Access and Mobility Management Function).
- The second control plane functional entity is a session management function (SMF, Session Management Function).
- The user plane functional entity is a user plane function (UPF, User Plane Function).
- Or, the first control plane functional entity is a mobility management entity (MME, Mobility Management Entity), and the user plane functional entity is a packet gateway (PGW, Packet GateWay).
- In some scenarios the access equipment is not trusted by the application, and an encrypted channel needs to be established directly between the UE and the core network equipment; or, where multiple core network operators share one access network, in order to ensure data security it is also necessary to establish an encrypted channel between the UE and each core network.
- The key required for user plane data encryption can be generated during the registration and authentication phase of the UE accessing the core network, so that user plane data can be encrypted for transmission when the UE carries out services.
- the first control plane functional entity is an AMF entity
- the user plane functional entity is a UPF entity.
- the UE requests to access the 5G network and initiates a registration authentication request to the AMF entity.
- The RAN functional entity routes the registration authentication request to the AMF entity according to the subscription concealed identifier (SUCI, Subscription Concealed Identifier) in the registration authentication request.
- The authentication procedure is completed between the UE, the AMF entity, the authentication server function (AUSF, Authentication Server Function) entity and the unified data management (UDM, Unified Data Management) entity.
- After the authentication process is completed, the AMF entity generates the anchor key K_SEAF. If the AMF entity decides that the user plane data needs to be secured between the UE and the user plane functional entity (for example, the operator policy or the user subscription information stipulates that the user plane data needs to be secured between the UE and the user plane functional entity, so the AMF entity must secure the user plane data between the UE and the user plane functional entity according to the operator's policy or the user subscription information), the AMF entity uses the key generation algorithm to derive a key from K_SEAF, finally generating the first (intermediate) key K1.
- The AMF entity transmits the first key K1 to the UPF entity; this transmission may be carried out by the AMF through the session management function (SMF, Session Management Function) entity during the PDU session establishment process.
- The UPF entity saves the first key K1.
- The AMF entity notifies the UE that the user plane data needs to be secured between the UE and the user plane functional entity.
- The remaining registration procedures are completed between the UE, the RAN functional entity and the AMF entity.
- The UPF entity uses a key generation algorithm to generate the second key from K1 (the second key includes an encryption key K2 and an integrity key K3).
- The UE uses a key generation algorithm to generate the second key from K1 (the second key includes an encryption key K2 and an integrity key K3).
- That is, the UE uses the anchor key K_SEAF, with the same key generation algorithm as the network side, to first generate the first key K1, and then generates the encryption key K2 and the integrity key K3 from the first key K1.
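- The key hierarchy above (K_SEAF to K1 to K2/K3, derived independently by the UE and the UPF), the three protection cases (confidentiality only, integrity only, both) and the ordering "first protection before PDCP encapsulation, second protection after PDCP decapsulation" described earlier, as an added Python example that is not the disclosure's own code. The HMAC-SHA256 counter-mode KDF, the HMAC-based keystream, the 8-byte tag, the 2-byte PDCP-like header and the sample anchor key are all constructed stand-ins for the "key generation algorithm" and ciphers the disclosure leaves unspecified.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# All concrete algorithms are this example's assumptions: the disclosure leaves the "key
# generation algorithm" and the ciphers unspecified. KDF: HMAC-SHA256 in counter mode;
# confidentiality: HMAC-SHA256 keystream XORed into the payload; integrity: 8-byte HMAC tag.
KEY_LEN = 32
TAG_LEN = 8


def kdf(key: bytes, label: bytes, context: bytes = b"", length: int = KEY_LEN) -> bytes:
    """Derive `length` bytes from `key`, bound to a label and an optional context."""
    out, counter = b"", 1
    while len(out) < length:
        msg = struct.pack(">I", counter) + label + context
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_first_key(k_seaf: bytes, pdu_session_id: Optional[int] = None) -> bytes:
    """K1 from the anchor key K_SEAF: per-UE without a session id, per-PDU-session with one."""
    context = b"" if pdu_session_id is None else struct.pack(">B", pdu_session_id)
    return kdf(k_seaf, b"K1", context)


def derive_second_key(k1: bytes, confidentiality: bool, integrity: bool
                      ) -> Tuple[Optional[bytes], Optional[bytes]]:
    """(K2, K3) from K1; a component is None when the chosen case does not use it."""
    k2 = kdf(k1, b"K2-enc") if confidentiality else None
    k3 = kdf(k1, b"K3-int") if integrity else None
    return k2, k3


def _xor_stream(k2: bytes, count: int, body: bytes) -> bytes:
    stream = kdf(k2, b"stream", struct.pack(">I", count), len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def _tag(k3: bytes, count: int, body: bytes) -> bytes:
    return hmac.new(k3, struct.pack(">I", count) + body, hashlib.sha256).digest()[:TAG_LEN]


def first_protection(k2: Optional[bytes], k3: Optional[bytes], count: int, payload: bytes) -> bytes:
    """Sender: encrypt with K2 (if present), then tag the ciphertext with K3 (if present).
    `count` is a per-direction packet counter so keystream and tag are never reused."""
    body = _xor_stream(k2, count, payload) if k2 is not None else payload
    return body + _tag(k3, count, body) if k3 is not None else body


def second_protection(k2: Optional[bytes], k3: Optional[bytes], count: int,
                      protected: bytes) -> Optional[bytes]:
    """Receiver: verify the tag with K3 first (if present), then decrypt with K2 (if present).
    Returns None when integrity verification fails, so nothing corrupted is decrypted."""
    body = protected
    if k3 is not None:
        body, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(k3, count, body)):
            return None
    return _xor_stream(k2, count, body) if k2 is not None else body


def pdcp_encapsulate(sn: int, sdu: bytes) -> bytes:
    """Constructed stand-in for PDCP framing: a 2-byte header with a 12-bit SN, added
    after the first protection, so the header itself is not covered by K2/K3."""
    return struct.pack(">H", sn & 0x0FFF) + sdu


def pdcp_decapsulate(pdu: bytes) -> Tuple[int, bytes]:
    return struct.unpack(">H", pdu[:2])[0] & 0x0FFF, pdu[2:]


def downlink_round_trip(k_seaf: bytes, pdu_session_id: int, sn: int, payload: bytes,
                        confidentiality: bool = True, integrity: bool = True,
                        tamper: bool = False) -> Optional[bytes]:
    """One downlink packet UPF -> RAN (transparent) -> UE for one PDU session (sn < 4096).
    Both ends derive K1 and (K2, K3) independently from the shared K_SEAF, as in the
    disclosure; the RAN only forwards the PDCP PDU and never holds K2 or K3."""
    upf_keys = derive_second_key(derive_first_key(k_seaf, pdu_session_id), confidentiality, integrity)
    ue_keys = derive_second_key(derive_first_key(k_seaf, pdu_session_id), confidentiality, integrity)
    # UPF side: first security protection, then PDCP encapsulation.
    pdu = pdcp_encapsulate(sn, first_protection(*upf_keys, sn, payload))
    if tamper:  # an untrusted RAN flips one bit of the protected payload in transit
        pdu = pdu[:2] + bytes([pdu[2] ^ 0x01]) + pdu[3:]
    # UE side: PDCP decapsulation, then second security protection.
    rx_sn, protected = pdcp_decapsulate(pdu)
    return second_protection(*ue_keys, rx_sn, protected)
```

With integrity protection enabled a tampered packet is rejected before decryption; with confidentiality only, the same tampering silently yields corrupted plaintext, which is why the third case verifies before decrypting.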
- The above solution describes the security protection of user plane data between the UE and the 5G core network after the UE is registered on the 5G network; that is, all user plane data exchanged between the UE and the 5G core network is protected for confidentiality and integrity.
- the above solution is also applicable to EPC.
- the first control plane functional entity described in the solution is MME, and the user plane functional entity is SGW or PGW.
- an encryption key K2 and an integrity key K3 are generated on the UE and SGW/PGW.
- Example 1 describes the security protection of user plane data between the UE and the 5G core network.
- the 5G network can also provide network services in the form of network slicing, that is, 5GC can include multiple network slices. After the UE is registered on the 5G network, it can access up to 8 network slices.
- Example 2 describes the provision of security protection for user plane data between the UE and the core network at the network slicing level, and the implementation process is shown in FIG. 7.
- the first network control function entity is an AMF entity
- the second network control function entity is an SMF entity
- the user plane function entity is a UPF entity:
- After the UE has successfully registered to the 5G network, the UE requests access to a network slice and initiates a PDU session establishment request.
- The PDU session establishment request includes a NAS (Non-Access Stratum) message, and the NAS message includes single network slice selection assistance information (S-NSSAI, Single Network Slice Selection Assistance Information), among other things.
- The S-NSSAI contains the network slice identifier for which the UE is authorized to request access.
- the AMF entity stores S-NSSAI and other information.
- the AMF entity selects the SMF entity based on information such as S-NSSAI.
- The AMF entity initiates a PDU session context creation request to the SMF entity; the PDU session context creation request includes information such as the subscription permanent identifier (SUPI, Subscription Permanent Identifier) and the S-NSSAI.
- The SMF entity uses the SUPI, S-NSSAI and other information to obtain session management-related subscription data from the UDM entity; the session management-related subscription data contains information indicating whether user plane data security protection is required between the UE and the core network.
- In step 5, if the PDU session establishment request in step 1 is sent for the first time, the SMF entity performs UPF entity selection; if the PDU session establishment request in step 1 is not sent for the first time, step 7 is executed directly.
- An N4 session is established between the SMF entity and the UPF entity.
- the SMF entity makes a decision based on the subscription data whether it is necessary to securely protect the user plane data between the UE and the user plane functional entity.
- the SMF entity and the AMF entity exchange PDU session establishment messages or PDU session update messages.
- the SMF entity sends information indicating whether the user plane data needs to be secured between the UE and the user plane function entity to the AMF entity.
- After the AMF entity receives the information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity, it sends the anchor key (for example, K_SEAF) generated after successful authentication to the SMF entity.
- The SMF entity saves the anchor key K_SEAF and generates the first key K1 from the anchor key K_SEAF using a key generation algorithm.
- The SMF entity sends the first key K1 to the UPF entity.
- The UPF entity saves the first key K1.
- the AMF entity returns to the UE information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity.
- the UE, AMF entity, SMF entity, and UPF entity complete the rest of the PDU session establishment process.
- After the UE receives the information indicating whether the user plane data needs to be securely protected between the UE and the user plane functional entity, it uses the key generation algorithm to generate the first key K1, and generates the second key from the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
- The UPF entity uses the same key generation algorithm to generate the second key from the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
- the SMF entity decides to perform security protection for the user plane data between the UE and the core network for the network slice, and informs the AMF entity.
- The SMF entity generates the first key K1 from the anchor key K_SEAF provided by the AMF entity and provides K1 to the UPF entity.
- The above process can also be implemented as follows: the AMF entity decides, for the network slice corresponding to the S-NSSAI requested by the UE, that the user plane data is securely protected between the UE and the core network, generates the first key K1 from the anchor key K_SEAF and provides K1 to the SMF entity, and the SMF entity provides K1 to the UPF entity.
- Example 3 describes the provision of security protection for user plane data between the UE and the core network at the network slicing level, and the implementation process is shown in Figure 8.
- the first network control function entity is an AMF entity
- the second network control function entity is an SMF entity
- the user plane function entity is a UPF entity:
- After the UE has successfully registered to the 5G network, the UE requests access to a network slice and initiates a PDU session establishment request.
- The PDU session establishment request contains a NAS message, and the NAS message includes single network slice selection assistance information (S-NSSAI, Single Network Slice Selection Assistance Information), among other things.
- S-NSSAI contains the network slice identifier that authorizes the UE to request access.
- the AMF entity stores S-NSSAI and other information.
- the AMF entity selects the SMF entity based on information such as S-NSSAI.
- the AMF entity initiates a PDU session context creation request to the SMF entity, and the PDU session context creation request includes information such as SUPI, S-NSSAI, etc.
- The SMF entity uses the SUPI, S-NSSAI and other information to obtain session management-related subscription data from the UDM; the session management-related subscription data contains information indicating whether user plane data needs to be secured between the UE and the user plane functional entity.
- In step 5, if the PDU session establishment request in step 1 is sent for the first time, the SMF entity performs UPF entity selection; if the PDU session establishment request in step 1 is not sent for the first time, step 7 is executed directly.
- An N4 session is established between the SMF entity and the UPF entity.
- the SMF entity and the AMF entity exchange PDU session establishment messages or PDU session update messages.
- the SMF entity sends information indicating whether user plane data security protection between the UE and the user plane function entity needs to be performed to the AMF entity.
- If the AMF entity decides that the user plane data between the UE and the user plane functional entity requires security protection, it generates the first (intermediate) key K1 from the anchor key K_SEAF established after successful authentication, using the key generation algorithm, and sends the first key K1 to the SMF entity.
- the SMF entity sends the first key K 1 to the UPF entity.
- the UPF entity saves the first key K 1 .
- the AMF entity returns to the UE information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity.
- the remaining process of PDU session establishment is completed among UE, AMF entity, SMF entity, and UPF entity.
- After the UE receives the information indicating whether the user plane data between the UE and the user plane functional entity needs to be security protected, it generates the first key K1 by running the same key generation algorithm on its own copy of the anchor key K_SEAF, and derives the second key from K1 (the second key comprising an encryption key K2 and an integrity key K3).
- the UPF entity uses the same key generation algorithm to generate a second key according to the first key K 1 (the second key includes an encryption key K 2 and an integrity key K 3 ).
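The Example 3 exchange and the K_SEAF to K1 to (K2, K3) hierarchy, as an added example that is not part of the patent: the AMF, SMF, UPF, UDM and UE are simulated in one Python process, and the keys are derived with a KDF in the 3GPP TS 33.220 style (HMAC-SHA-256 over FC || P0 || L0 || ...). The FC codes, the binding of K1 to the S-NSSAI, the 16-byte truncation of K2 and K3, the SUPI and the K_SEAF value are all assumptions made for this example; the patent only says "key generation algorithm".

```python
"""Added example, not the patent's code: the Example 3 flow simulated end to end.
AMF, SMF, UPF, UDM and UE are plain Python objects. The KDF follows the 3GPP
TS 33.220 pattern HMAC-SHA-256(Key, FC || P0 || L0 || ...); the FC codes, the
S-NSSAI binding of K1, the 16-byte truncation of K2/K3, the SUPI and the K_SEAF
value are assumptions made here, since the patent only says "key generation
algorithm"."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FC_K1, FC_K2, FC_K3 = 0x80, 0x81, 0x82  # assumed FC values, one per derivation


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: S = FC || P0 || L0 || P1 || L1 ...; out = HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k1(k_seaf: bytes, s_nssai: bytes) -> bytes:
    """First (intermediate) key K1: the AMF derives it from K_SEAF after primary
    authentication, and the UE derives the same value from its own K_SEAF."""
    return kdf(k_seaf, FC_K1, s_nssai)


def derive_k2_k3(k1: bytes) -> Tuple[bytes, bytes]:
    """Second key = (encryption key K2, integrity key K3); run by UE and UPF alike."""
    return kdf(k1, FC_K2)[:16], kdf(k1, FC_K3)[:16]


@dataclass
class UDM:
    # constructed SM subscription data: (SUPI, S-NSSAI) -> UE<->UPF protection needed?
    policy: Dict[Tuple[str, bytes], bool] = field(default_factory=dict)

    def sm_subscription(self, supi: str, s_nssai: bytes) -> bool:
        return self.policy.get((supi, s_nssai), False)


@dataclass
class UPF:
    k1: Optional[bytes] = None  # saved when the SMF forwards it

    def session_keys(self) -> Optional[Tuple[bytes, bytes]]:
        return derive_k2_k3(self.k1) if self.k1 else None


@dataclass
class SMF:
    udm: UDM
    upf: UPF

    def create_context(self, supi: str, s_nssai: bytes) -> bool:
        # PDU session context creation: the SMF reads from the UDM whether the
        # user plane data of this slice needs UE<->UPF protection and reports it
        return self.udm.sm_subscription(supi, s_nssai)

    def forward_k1(self, k1: bytes) -> None:
        self.upf.k1 = k1  # the SMF only relays K1; it never derives K2/K3


@dataclass
class AMF:
    smf: SMF
    k_seaf: Dict[str, bytes]  # SUPI -> anchor key from primary authentication

    def establish(self, supi: str, s_nssai: bytes) -> bool:
        protect = self.smf.create_context(supi, s_nssai)
        if protect:  # AMF generates K1 from K_SEAF and hands it to the SMF
            self.smf.forward_k1(derive_k1(self.k_seaf[supi], s_nssai))
        return protect  # content of the first notification message to the UE


@dataclass
class UE:
    supi: str
    k_seaf: bytes
    keys: Optional[Tuple[bytes, bytes]] = None

    def on_notification(self, s_nssai: bytes, protect: bool) -> None:
        if protect:  # UE derives K1 itself, then K2 and K3 from K1
            self.keys = derive_k2_k3(derive_k1(self.k_seaf, s_nssai))


def establish_session(s_nssai: bytes, subscribed: bool):
    """Run the flow for one slice; returns (keys at the UE, keys at the UPF)."""
    supi, k_seaf = "imsi-001010123456789", bytes(range(32))  # constructed values
    udm = UDM({(supi, s_nssai): subscribed})
    upf = UPF()
    amf = AMF(SMF(udm, upf), {supi: k_seaf})
    ue = UE(supi, k_seaf)
    ue.on_notification(s_nssai, amf.establish(supi, s_nssai))
    return ue.keys, upf.session_keys()


if __name__ == "__main__":
    slice_a, slice_b = bytes.fromhex("01000001"), bytes.fromhex("02000002")  # S-NSSAI
    ue_keys, upf_keys = establish_session(slice_a, True)
    print("UE and UPF share K2/K3:", ue_keys == upf_keys)
    print("slice-specific K1:", establish_session(slice_b, True)[0] != ue_keys)
    print("no protection when not subscribed:", establish_session(slice_a, False))
```

Binding K1 to the S-NSSAI is what makes the protection slice-level in this model: the same UE on two slices ends up with two different K1 values, so a K2/K3 pair taken from one slice's UPF does not open the other slice's traffic. The SMF relays K1 without using it, and the RAN never sees it, so the only derivation endpoints are AMF/UE for K1 and UPF/UE for K2 and K3.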
- Example 4 describes the process of confidentiality and integrity protection of user plane data between the UE and the UPF entity.
- In the prior art, security protection of user plane data is performed between the UE and the RAN functional entity.
- In this example, after the AMF entity has sent the first notification message to the UE, the user plane data is security protected between the UE and the UPF entity, that is, using the encryption key K2 and the integrity key K3.
- This example describes the protocol stack processing when the user plane security endpoint is in the UPF, as shown in Figure 9: a PDCP connection is established between the UE and the UPF entity, and the encryption and integrity protection of user plane data are performed over that PDCP connection.
- Intermediate network functional entities such as RAN functional entities, are not involved in the encryption and decryption processing and integrity protection of user plane data.
- the specific implementation process is described as follows:
- The UE encapsulates the uplink user plane data to be sent according to the UE protocol stack part shown in FIG. 9 and sends the encapsulated uplink user plane data, as follows:
- application layer encapsulation is performed on the uplink user plane data;
- PDU layer encapsulation is performed on the application-layer encapsulated uplink user plane data;
- Service Data Adaptation Protocol (SDAP) encapsulation is performed on the PDU-layer encapsulated uplink user plane data; the encryption key K2 is used to encrypt the SDAP-encapsulated uplink user plane data, and the integrity key K3 is used to integrity protect the encrypted uplink user plane data;
- PDCP encapsulation is performed on the integrity-protected uplink user plane data;
- Radio Link Control (RLC) encapsulation is performed on the PDCP-encapsulated uplink user plane data;
- Medium Access Control (MAC) encapsulation is performed on the RLC-encapsulated uplink user plane data, followed by physical layer (PHY) encapsulation.
- The RAN entity performs protocol conversion on the uplink user plane data.
- The PHY-encapsulated uplink user plane data is PHY decapsulated, then MAC decapsulated, then RLC decapsulated, and the RLC-decapsulated uplink user plane data is converted into the General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) encapsulation format.
- The RAN entity performs no processing at the PDCP layer or above, that is, it performs neither decryption nor integrity verification on the uplink user plane data. After the RAN entity completes the protocol conversion, the uplink user plane data is sent to the UPF entity.
- The UPF entity receives the protocol-converted uplink user plane data and decapsulates it layer by layer: L1 decapsulation, then L2 decapsulation, then GTP-U/UDP/IP decapsulation, then PDCP decapsulation; the integrity key K3 is then used to verify the integrity of the PDCP-decapsulated uplink user plane data.
- After the integrity verification passes, the uplink user plane data is decrypted with the encryption key K2, SDAP decapsulated, and decapsulated at the PDU layer.
- The UPF entity encapsulates the downlink user plane data to be sent according to the UPF protocol stack part shown in FIG. 9 and sends the encapsulated downlink user plane data.
- PDU layer encapsulation is performed on the downlink user plane data, then SDAP encapsulation; the encryption key K2 is used to encrypt the SDAP-encapsulated downlink user plane data, and the integrity key K3 is used to integrity protect the encrypted downlink user plane data; PDCP encapsulation is performed on the integrity-protected data, then GTP-U/UDP/IP layer encapsulation, then L2 layer encapsulation, then L1 layer encapsulation.
- The RAN entity performs protocol conversion on the downlink user plane data.
- The L1-encapsulated downlink user plane data is L1 decapsulated, then L2 decapsulated, then GTP-U/UDP/IP decapsulated, and the decapsulated downlink user plane data is converted into the RLC encapsulation format.
- The RAN entity performs no processing at the PDCP layer or above, that is, it performs neither decryption nor integrity verification on the downlink user plane data.
- After the RAN entity completes the protocol conversion, the downlink user plane data is sent to the UE.
- The UE receives the protocol-converted downlink user plane data and decapsulates it: PHY decapsulation, then MAC layer decapsulation, then RLC layer decapsulation, then PDCP decapsulation.
- The integrity key K3 is used to verify the integrity of the PDCP-decapsulated downlink user plane data; after the verification passes, the data is decrypted with the encryption key K2 and decapsulated at the SDAP and PDU layers.
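The Figure 9 pipeline as an added example that is not the patent's own code: a UE-side sender, a RAN that only converts between RLC/MAC framing and GTP-U, and a UPF-side receiver, run for uplink and downlink. The ciphering and MAC-I functions are stand-ins built from HMAC-SHA-256 so that the block needs only the Python standard library; a real stack uses the 128-NEA* and 128-NIA* algorithms. The SDAP, PDCP and RLC/MAC header layouts, the PDCP count, bearer id and TEID values, the test keys and the IPv4/UDP packet are all constructed for this example. Following the order the text gives, the sender encrypts with K2 and then integrity protects the ciphertext with K3, and the receiver verifies the MAC-I before it decrypts; the Policy flags correspond to the confidentiality-key and/or integrity-key options the disclosure describes for the data processing modules.

```python
"""Added example, not the patent's code: Figure 9 with the security endpoint in
the UPF. Ciphering and MAC-I are HMAC-SHA-256 stand-ins (standard library only);
a real stack uses 128-NEA*/128-NIA*. SDAP/PDCP/RLC-MAC layouts are simplified
assumptions; GTP-U uses the 8-byte G-PDU header (flags 0x30, type 0xFF)."""
import hashlib
import hmac
from dataclasses import dataclass

UPLINK, DOWNLINK = 0, 1
K2_DEMO = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed test keys,
K3_DEMO = bytes.fromhex("3c4fcf098815f7aba6d2ae2816157e2b")  # not derived here


@dataclass(frozen=True)
class Policy:
    cipher: bool = True     # use the encryption key K2
    integrity: bool = True  # use the integrity key K3


class IntegrityError(Exception):
    pass


def _iv(count: int, bearer: int, direction: int) -> bytes:
    return count.to_bytes(4, "big") + bytes([bearer, direction])


def cipher(k2: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with an HMAC counter-mode keystream. Symmetric,
    so the same call decrypts; both ends must agree on count, bearer and direction."""
    ks = b"".join(hmac.new(k2, _iv(count, bearer, direction) + bytes([i]), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac_i(k3: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in 32-bit MAC-I over the PDCP inputs and the (already ciphered) payload."""
    return hmac.new(k3, _iv(count, bearer, direction) + data, hashlib.sha256).digest()[:4]


def pdcp_protect(k2, k3, pol: Policy, count, bearer, direction, sdap_pdu: bytes) -> bytes:
    """Sender: encrypt with K2, then integrity protect the ciphertext with K3, the
    order the text gives. Layout: count(4) || payload || [MAC-I(4)]."""
    payload = cipher(k2, count, bearer, direction, sdap_pdu) if pol.cipher else sdap_pdu
    tag = mac_i(k3, count, bearer, direction, payload) if pol.integrity else b""
    return count.to_bytes(4, "big") + payload + tag


def pdcp_unprotect(k2, k3, pol: Policy, bearer, direction, pdu: bytes) -> bytes:
    """Receiver: constant-time MAC-I check first; decrypt only after it passes."""
    count, body = int.from_bytes(pdu[:4], "big"), pdu[4:]
    payload = body[:-4] if pol.integrity else body
    if pol.integrity and not hmac.compare_digest(body[-4:], mac_i(k3, count, bearer, direction, payload)):
        raise IntegrityError(f"MAC-I mismatch on PDCP count {count}")
    return cipher(k2, count, bearer, direction, payload) if pol.cipher else payload


# SDAP: 1-byte header with the QoS flow id. RLC/MAC: tag byte + 2-byte length.
def sdap_encap(qfi: int, pdu: bytes) -> bytes: return bytes([qfi & 0x3F]) + pdu
def sdap_decap(sdap_pdu: bytes) -> bytes: return sdap_pdu[1:]
def rlc_mac_frame(pdcp_pdu: bytes) -> bytes: return b"\x80" + len(pdcp_pdu).to_bytes(2, "big") + pdcp_pdu
def rlc_mac_deframe(frame: bytes) -> bytes: return frame[3:3 + int.from_bytes(frame[1:3], "big")]
def gtpu_encap(teid: int, pdu: bytes) -> bytes:
    return b"\x30\xff" + len(pdu).to_bytes(2, "big") + teid.to_bytes(4, "big") + pdu
def gtpu_decap(pkt: bytes) -> bytes: return pkt[8:8 + int.from_bytes(pkt[2:4], "big")]


def ran_uplink(frame: bytes, teid: int) -> bytes:
    """RAN protocol conversion, uplink: RLC/MAC off, GTP-U on. No K2/K3 in scope,
    so the RAN forwards the PDCP PDU as-is and cannot decrypt or re-sign it."""
    return gtpu_encap(teid, rlc_mac_deframe(frame))


def ran_downlink(pkt: bytes) -> bytes:
    """RAN protocol conversion, downlink: GTP-U off, RLC/MAC on."""
    return rlc_mac_frame(gtpu_decap(pkt))


def flip_byte(b: bytes, i: int) -> bytes:
    return b[:i] + bytes([b[i] ^ 0x01]) + b[i + 1:]


def transfer(k2, k3, pol: Policy, ip_packet: bytes, direction: int, tamper: bool = False):
    """One packet over the whole path (uplink UE->RAN->UPF, downlink UPF->RAN->UE).
    Returns (PDCP payload as the RAN carried it, packet recovered at the far end)."""
    count, bearer, teid, qfi = 7, 1, 0x1234, 1  # constructed session parameters
    pdcp_pdu = pdcp_protect(k2, k3, pol, count, bearer, direction, sdap_encap(qfi, ip_packet))
    if direction == UPLINK:   # tamper flips the first byte after the SDAP header
        on_n3 = ran_uplink(rlc_mac_frame(pdcp_pdu), teid)
        rx = gtpu_decap(flip_byte(on_n3, 8 + 4 + 1) if tamper else on_n3)
    else:
        over_air = ran_downlink(gtpu_encap(teid, pdcp_pdu))
        rx = rlc_mac_deframe(flip_byte(over_air, 3 + 4 + 1) if tamper else over_air)
    return rx[4:], sdap_decap(pdcp_unprotect(k2, k3, pol, bearer, direction, rx))


def tamper_detected(k2, k3, pol: Policy, ip_packet: bytes, direction: int) -> bool:
    """True if the far end rejects a one-byte on-path modification."""
    try:
        transfer(k2, k3, pol, ip_packet, direction, tamper=True)
        return False
    except IntegrityError:
        return True


if __name__ == "__main__":
    pkt = bytes.fromhex("4500001c00010000401100000a0000010a000002003500350008")  # constructed
    seen, got = transfer(K2_DEMO, K3_DEMO, Policy(), pkt, UPLINK)
    print("UPF recovered packet:", got == pkt, "| RAN saw plaintext:", pkt in seen)
    print("tamper caught with K3:", tamper_detected(K2_DEMO, K3_DEMO, Policy(), pkt, UPLINK))
    print("tamper caught, cipher only:", tamper_detected(K2_DEMO, K3_DEMO, Policy(integrity=False), pkt, UPLINK))
```

The tamper path flips one byte on the N3 leg (uplink) or the air leg (downlink) after the RAN has re-framed the PDU. With K3 in use the UPF or the UE raises IntegrityError before any decryption happens; with a confidentiality-only policy the flipped ciphertext byte silently becomes a flipped plaintext byte, which is why the verify-then-decrypt order matters. The RAN functions receive no keys at all, which is the code-level form of the statement that the RAN performs no processing at the PDCP layer or above.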
- The present disclosure provides an electronic device, which includes: at least one processor; and a memory on which at least one program is stored.
- When the at least one program is executed by the at least one processor, the at least one processor implements any one of the foregoing data transmission methods.
- The processor is a device with data processing capabilities, including but not limited to a central processing unit (CPU).
- The memory is a device with data storage capabilities, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM) and flash memory (FLASH).
- The processor and the memory are connected to each other through a bus, and further connected to the other components of the computing device.
- the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, any one of the aforementioned data transmission methods is implemented.
- FIG. 10 is a block diagram of the composition of a data transmission device of the present disclosure.
- The present disclosure provides a data transmission device (such as a first control plane functional entity), including: a first determining module 1001 configured to determine the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity; and a first notification message sending module 1002 configured to send a first notification message to the target user equipment, the first notification message being used to indicate that the target user plane data is to be security protected between the target user equipment and the user plane functional entity.
- The data transmission device further includes a first key processing module 1003 configured to generate a first key and send the first key to the user plane functional entity; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them.
- The first determining module 1001 is configured to determine the target user plane data in the following manner: receiving the first notification message sent by the second control plane functional entity.
- The data transmission device further includes a second notification message sending module 1004 configured to send a second notification message to the second control plane functional entity, the second notification message being used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them.
- the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the functional entity side of the first control plane in the foregoing embodiment, and will not be repeated here.
- FIG. 11 is a block diagram of the composition of a data transmission device of the present disclosure.
- The present disclosure provides a data transmission device (such as a second control plane functional entity), including: a first notification message receiving module 1101 configured to receive a second notification message sent by the first control plane functional entity, the second notification message being used to notify the second control plane functional entity to generate a first key, where the first key is used by the user plane functional entity to generate a second key and the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them; and a second key processing module 1102 configured to generate the first key and send it to the user plane functional entity.
- The data transmission device further includes: a third determining module 1103 configured to determine the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity; and a third notification message sending module 1104 configured to send a first notification message to the first control plane functional entity, the first notification message being used to indicate that the target user plane data is to be security protected between the target user equipment and the user plane functional entity.
- the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the functional entity side of the second control plane in the foregoing embodiment, and will not be repeated here.
- FIG. 12 is a block diagram of the composition of a data transmission device of the present disclosure.
- The present disclosure provides a data transmission device (such as a user plane functional entity), including: a third key processing module 1201 configured to obtain a first key and generate a second key according to the first key, the second key being used by the target user equipment and the user plane functional entity to security protect the target user plane data between them; and a first data processing module 1202 configured to use the second key to perform security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity.
- The third key processing module 1201 is configured to obtain the first key by receiving it from the first control plane functional entity.
- Alternatively, the third key processing module 1201 is configured to obtain the first key by receiving it from the second control plane functional entity.
- The second key includes a confidentiality key and/or an integrity key, and the first data processing module 1202 is configured to do one of the following: use the confidentiality key to encrypt the target user plane data sent to the target user equipment and to decrypt the target user plane data received from the target user equipment; or use the integrity key to integrity protect the target user plane data sent to the target user equipment and to verify the integrity of the target user plane data received from the target user equipment; or use the confidentiality key to encrypt the target user plane data sent to the target user equipment and the integrity key to integrity protect the encrypted data, and, for target user plane data received from the target user equipment, verify its integrity with the integrity key and decrypt it with the confidentiality key only after the verification passes.
- the specific implementation process of the foregoing data transmission device is the same as the specific implementation process of the data transmission method on the user plane function entity side of the foregoing embodiment, and will not be repeated here.
- FIG. 13 is a block diagram of the composition of a data transmission device of the present disclosure.
- The present disclosure provides another data transmission device (such as a target UE), including a second notification message receiving module 1301 configured to receive a first notification message sent by the first control plane functional entity, the first notification message being used to indicate that the target user plane data is to be security protected between the target user equipment and the user plane functional entity.
- The data transmission device further includes a fourth key processing module 1302 configured to generate a first key and to generate a second key according to the first key; the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them.
- The second key includes a confidentiality key and/or an integrity key, and the data transmission device further includes a second data processing module 1303 configured to do one of the following: use the confidentiality key to encrypt the target user plane data sent to the user plane functional entity and to decrypt the target user plane data received from the user plane functional entity; or use the integrity key to integrity protect the target user plane data sent to the user plane functional entity and to verify the integrity of the target user plane data received from the user plane functional entity; or use the confidentiality key to encrypt the target user plane data sent to the user plane functional entity and the integrity key to integrity protect the encrypted data, and, for target user plane data received from the user plane functional entity, verify its integrity with the integrity key and decrypt it with the confidentiality key only after the verification passes.
- the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the target UE side in the foregoing embodiment, and will not be repeated here.
- FIG. 14 is a block diagram of the composition of a data transmission system of the present disclosure.
- The present disclosure provides a data transmission system, including: a first control plane functional entity 1401 configured to determine the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity, and to send a first notification message to the target user equipment, the first notification message being used to indicate that the target user plane data is to be security protected between the target user equipment and the user plane functional entity; and a target user equipment 1402 configured to receive the first notification message sent by the first control plane functional entity.
- The first control plane functional entity 1401 is further configured to generate a first key and send it to the user plane functional entity; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them.
- The data transmission system further includes a user plane functional entity 1403 configured to receive the first key sent by the first control plane functional entity, generate a second key according to the first key, and use the second key to perform security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity.
- The target user equipment 1402 is further configured to generate a first key, generate a second key according to the first key, and use the second key to perform security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity.
- The first control plane functional entity 1401 is configured to determine the target user plane data in the following manner: receiving the first notification message sent by a second control plane functional entity. In that case the data transmission system further includes a second control plane functional entity 1404 configured to determine the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity, and to send the first notification message to the first control plane functional entity.
- Alternatively, the first control plane functional entity 1401 is further configured to send a second notification message to the second control plane functional entity, the second notification message being used to notify the second control plane functional entity to generate a first key, where the first key is used by the user plane functional entity to generate a second key and the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between them.
- In that case the data transmission system further includes a second control plane functional entity 1404 configured to receive the second notification message sent by the first control plane functional entity, generate the first key, and send it to the user plane functional entity.
- The user plane functional entity 1403 is then configured to receive the first key sent by the second control plane functional entity, generate a second key according to the first key, and use the second key to security protect the target user plane data transmitted between the target user equipment and the user plane functional entity; and the target user equipment 1402 is further configured to generate a first key and generate a second key according to the first key.
- Such software may be distributed on a computer-readable medium, which may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium).
- The term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data).
- Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tapes, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
- A communication medium usually carries computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present application relates to a data transmission method applied in a first control plane functional entity. The method comprises: determining target user plane data that requires security protection between a target user equipment and a user plane functional entity; and sending a first notification message to the target user equipment, the first notification message being used to request that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity. The application also relates to a data transmission system, an electronic device and a computer-readable storage medium.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010497412.6 | 2020-06-03 | ||
| CN202010497412.6A CN112838925B (zh) | 2020-06-03 | 2020-06-03 | 数据传输方法、装置和系统、电子设备、存储介质 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2021244569A1 true WO2021244569A1 (fr) | 2021-12-09 |
Family
ID=75923173
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2021/097900 Ceased WO2021244569A1 (fr) | 2020-06-03 | 2021-06-02 | Procédé et système de transmission de données, dispositif électronique et support de stockage |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112838925B (fr) |
| WO (1) | WO2021244569A1 (fr) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112788594B (zh) * | 2020-06-03 | 2023-06-27 | 中兴通讯股份有限公司 | 数据传输方法、装置和系统、电子设备、存储介质 |
| CN112838925B (zh) * | 2020-06-03 | 2023-04-18 | 中兴通讯股份有限公司 | 数据传输方法、装置和系统、电子设备、存储介质 |
| CN113872752B (zh) * | 2021-09-07 | 2023-10-13 | 哲库科技(北京)有限公司 | 安全引擎模组、安全引擎装置和通信设备 |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108235300A (zh) * | 2017-12-22 | 2018-06-29 | 中国科学院信息工程研究所 | 移动通信网络用户数据安全保护方法及系统 |
| CN108810884A (zh) * | 2017-05-06 | 2018-11-13 | 华为技术有限公司 | 密钥配置方法、装置以及系统 |
| CN109560929A (zh) * | 2016-07-01 | 2019-04-02 | 华为技术有限公司 | 密钥配置及安全策略确定方法、装置 |
| CN110830991A (zh) * | 2018-08-10 | 2020-02-21 | 华为技术有限公司 | 安全会话方法和装置 |
| CN112788594A (zh) * | 2020-06-03 | 2021-05-11 | 中兴通讯股份有限公司 | 数据传输方法、装置和系统、电子设备、存储介质 |
| CN112838925A (zh) * | 2020-06-03 | 2021-05-25 | 中兴通讯股份有限公司 | 数据传输方法、装置和系统、电子设备、存储介质 |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103583063B (zh) * | 2011-03-18 | 2017-03-01 | 阿尔卡特朗讯公司 | 用于地理冗余网关处的故障恢复的系统和方法 |
| CN108632308B (zh) * | 2017-03-17 | 2020-07-14 | 电信科学技术研究院 | 控制方法、装置、smf、upf、ue、pcf及an |
| CN109511113B (zh) * | 2017-07-28 | 2020-04-14 | 华为技术有限公司 | 安全实现方法、相关装置以及系统 |
| CN109413005A (zh) * | 2017-08-17 | 2019-03-01 | 中兴通讯股份有限公司 | 数据流传输安全控制方法及装置 |
- 2020-06-03: CN application CN202010497412.6A filed; granted as CN112838925B (status: active)
- 2021-06-02: PCT application PCT/CN2021/097900 filed; published as WO2021244569A1 (status: not active, ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| CN112838925B (zh) | 2023-04-18 |
| CN112838925A (zh) | 2021-05-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12052350B2 (en) | Quantum resistant secure key distribution in various protocols and technologies | |
| CN112788594B (zh) | 数据传输方法、装置和系统、电子设备、存储介质 | |
| US10785653B2 (en) | Secure short message service over non-access stratum | |
| CN113630773B (zh) | 安全实现方法、设备以及系统 | |
| JP5480890B2 (ja) | 制御信号の暗号化方法 | |
| US20110305339A1 (en) | Key Establishment for Relay Node in a Wireless Communication System | |
| CN107079023A (zh) | 用于下一代蜂窝网络的用户面安全 | |
| CN110769420B (zh) | 网络接入方法、装置、终端、基站和可读存储介质 | |
| EP3510803B1 (fr) | Connexion sécurisée de couche de liaison sur des réseaux locaux sans fil | |
| CN110808830A (zh) | 一种基于5G网络切片的IoT安全验证框架及其服务方法 | |
| CN108353279A (zh) | 一种认证方法和认证系统 | |
| WO2021244569A1 (fr) | Procédé et système de transmission de données, dispositif électronique et support de stockage | |
| JP7192107B2 (ja) | システム間変更中のセキュリティ・コンテキストを扱う方法及び装置 | |
| US20100161958A1 (en) | Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device | |
| CN103139770B (zh) | Wlan接入网络中传递成对主密钥的方法和系统 | |
| CN113784351B (zh) | 切片服务验证方法、实体及设备 | |
| CN120050800A (zh) | 一种通信方法及装置 | |
| KR20100092371A (ko) | 트래픽 카운트 키 및 키 카운트 관리 방법 및 장치 | |
| WO2017070973A1 (fr) | Équipement utilisateur, procédé d'établissement de tunnel de sécurité de protocole internet et station de base | |
| CN119892356B (zh) | 一种个人应用级全域量子安全加密代理网关及通信系统 | |
| KR102780207B1 (ko) | 오버레이 네트워크를 통한 통신 방법 및 그 시스템 | |
| CN115278660B (zh) | 接入认证方法、装置及系统 | |
| WO2025026232A1 (fr) | Procédé d'établissement de session et appareil associé | |
| WO2025140141A1 (fr) | Procédé et appareil de communication | |
| CN121037843A (zh) | 接入认证方法及网络设备 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21819011; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 21819011; Country of ref document: EP; Kind code of ref document: A1 |