
WO2018132952A1 - Method and apparatus for wireless communication - Google Patents

Method and apparatus for wireless communication

Info

Publication number
WO2018132952A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
security
algorithm
gateway device
indication information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/071452
Other languages
English (en)
Chinese (zh)
Inventor
张丽佳
陈璟
张万强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic

Definitions

  • the present application relates to the field of communications, and in particular, to a method and apparatus for wireless communication.
  • the terminal device communicates with the enterprise server through a gateway device belonging to the Home Public Land Mobile Network (HPLMN). To ensure data security, it is necessary to establish an end-to-end (End to End, E2E) secure communication mechanism between the terminal device and the gateway device.
  • HPLMN Home Public Land Mobile Network
  • the terminal device and the gateway device can determine a key for E2E secure communication, and communicate according to the key and a security algorithm pre-configured in the terminal device; however, when a security vulnerability appears in the security algorithm pre-configured in the terminal device, the prior art cannot introduce a new security algorithm, resulting in a greater risk to E2E communication between the terminal device and the gateway device.
  • the embodiment of the present application provides a method for wireless communication, which can enhance the security performance of communication between the terminal device and the gateway device.
  • a method for wireless communication comprising: a gateway device determining a target security algorithm from a security algorithm supported by a terminal device; the gateway device transmitting first indication information to the terminal device, the first indication information being used to indicate the target security algorithm; the gateway device communicating with the terminal device according to the target security algorithm.
  • the gateway device may determine a target security algorithm according to the security capability of the terminal device, and communicate with the terminal device according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device sending second indication information and a message authentication code (MAC) to the terminal device, where the second indication information is used to indicate an integrity algorithm, and the integrity algorithm and the MAC are used by the terminal device to check the integrity of a message carrying the first indication information.
  • the gateway device instructs the terminal device to perform integrity verification on the message carrying the first indication information, so as to prevent communication security from being weakened by tampering with the message carrying the first indication information, and to enhance the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device sending security capability information to the terminal device, so that the terminal device verifies, according to its own security capability, whether the security capability information is correct.
  • by verifying the security capability information sent by the network device, the terminal device can prevent the network device from determining the target security algorithm according to a wrong security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device receiving security capability information from the terminal device or the core network device; the gateway device determining, according to the security capability information, a security algorithm supported by the terminal device.
  • the security capability of the terminal device can be flexibly determined.
  • a method for wireless communication comprising: receiving, by a terminal device, first indication information from a gateway device, the first indication information being used to indicate a target security algorithm; and the terminal device communicating with the gateway device according to the target security algorithm.
  • the terminal device communicates with the gateway device according to the target security algorithm indicated by the gateway device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the terminal device receiving second indication information and a MAC from the gateway device, where the second indication information is used to indicate an integrity algorithm; the terminal device checking the integrity of the message carrying the first indication information according to the integrity algorithm and the MAC.
  • the terminal device performs integrity verification on the message carrying the first indication information, so that communication security is prevented from being weakened by tampering with the message carrying the first indication information, and the security performance of communication between the terminal device and the gateway device is enhanced.
  • the method further includes: the terminal device receiving security capability information from the gateway device; the terminal device verifying, according to its own security capability, whether the security capability information is correct.
  • the terminal device can prevent the gateway device from determining the target security algorithm according to the security capability of the wrong terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the terminal device sending security capability information to the gateway device, where the security capability information is used to indicate a security algorithm supported by the terminal device.
  • the gateway device can flexibly determine the security capability of the terminal device.
  • the embodiment of the present application provides a device for wireless communication, where the device can implement the functions performed by the gateway device in the method related to the foregoing aspect, where the function can be implemented by hardware, or the corresponding software can be executed by hardware.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a communication interface configured to support the apparatus to perform the corresponding functions of the above methods.
  • the communication interface is used to support communication between the device and other network elements.
  • the apparatus can also include a memory for coupling with the processor that retains the program instructions and data necessary for the apparatus.
  • the embodiment of the present application provides a device for wireless communication, where the device can implement the functions performed by the terminal device in the method related to the foregoing aspect, and the function can be implemented by using hardware, or the corresponding software can be executed by hardware.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a transceiver configured to support the apparatus to perform the corresponding functions of the above methods.
  • the transceiver is used to support communication between the device and other network elements.
  • the apparatus can also include a memory for coupling with the processor that retains the program instructions and data necessary for the apparatus.
  • the embodiment of the present application provides a communication system, where the system includes the gateway device and the terminal device in the foregoing aspect.
  • the embodiment of the present application provides a computer storage medium for storing computer software instructions used by the gateway device, which includes a program designed to perform the above aspects.
  • the embodiment of the present application provides a computer storage medium for storing computer software instructions used by the foregoing terminal device, which includes a program designed to perform the above aspects.
  • the gateway device determines the security algorithm supported by the terminal device according to the security capability of the terminal device, and indicates to the terminal device the target security algorithm selected by the gateway device, so that the terminal device and the gateway device can select a suitable security algorithm to communicate, and the security performance of communication between the terminal device and the gateway device is enhanced.
  • FIG. 1 is a schematic structural diagram of a communication system to which an embodiment of the present application is applied;
  • FIG. 2 is a schematic flowchart of a method for wireless communication provided by an embodiment of the present application
  • FIG. 3 is a schematic flowchart of another method for wireless communication provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 8A is a schematic structural diagram of a possible gateway device according to an embodiment of the present application.
  • FIG. 8B is a schematic structural diagram of another possible gateway device provided by an embodiment of the present application.
  • FIG. 9A is a schematic structural diagram of a possible terminal device according to an embodiment of the present application.
  • FIG. 9B is a schematic structural diagram of another possible terminal device according to an embodiment of the present application.
  • FIG. 1 is a schematic architectural diagram of a communication system suitable for use in an embodiment of the present application.
  • the communication system 100 includes a terminal device 120 and a gateway device 110.
  • the terminal device 120 can directly communicate with the gateway device 110, and can also communicate with the gateway device 110 through other devices.
  • the terminal device 120 may communicate with one or more core network devices via a radio access network, and the terminal device 120 may be referred to as an access terminal, a user equipment (User Equipment, UE), a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device.
  • the access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), with wireless communication.
  • SIP Session Initiation Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • 5G 5th-Generation
  • the gateway device 110 may be a gateway device in a Global System for Mobile Communication (GSM) system, a gateway device in a Code Division Multiple Access (CDMA) system, a gateway device in a Long Term Evolution (LTE) system, or a gateway device in a 5G communication system.
  • GSM Global System for Mobile Communication
  • CDMA Code Division Multiple Access
  • LTE Long Term Evolution
  • the communication system applicable to the embodiment of the present application may further include a Mobility Management Entity (MME).
  • MME Mobility Management Entity
  • the terminal device communicates with the gateway device through the MME; for example, the communication system applicable to the embodiment of the present application may further include a Serving GPRS Support Node (SGSN), where GPRS is the abbreviation of "General Packet Radio Service", and the terminal device communicates with the gateway device through the SGSN.
  • the communication system applicable to the embodiment of the present application may further include an Access Management Function (AMF) and/or a Session Management Function (SMF), and the terminal device communicates with the gateway device through the AMF and/or the SMF.
  • AMF Access Management Function
  • SMF Session Management Function
  • FIG. 2 is a schematic flowchart of a method for wireless communication provided by an embodiment of the present application. As shown in Figure 2, the method includes:
  • the gateway device determines a target security algorithm from a security algorithm supported by the terminal device.
  • the terminal device may support one security algorithm or multiple security algorithms.
  • when the terminal device supports one security algorithm, the gateway device determines that the security algorithm is the target security algorithm; when the terminal device supports multiple security algorithms, the gateway device determines a target security algorithm from the multiple security algorithms, where the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level among the multiple security algorithms, so that the appropriate security algorithm can be flexibly determined according to actual conditions.
  • the gateway device sends first indication information to the terminal device, where the first indication information is used to indicate the target security algorithm.
  • the gateway device communicates with the terminal device according to the target security algorithm.
  • the communication is performed according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 200 further includes:
  • the gateway device sends second indication information and a message authentication code (MAC) to the terminal device, where the second indication information is used to indicate an integrity algorithm, and the integrity algorithm and the MAC are used by the terminal device to check the integrity of the message carrying the first indication information.
  • MAC message authentication code
  • the second indication information is used to indicate an integrity algorithm selected by the gateway device (where the terminal device supports the integrity algorithm), and the MAC is the correct result calculated according to the integrity algorithm. If the result obtained by the terminal device according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result obtained by the terminal device according to the integrity algorithm is different from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the second indication information and the MAC may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • the gateway device instructs the terminal device to perform integrity verification on the message carrying the first indication information, so that communication security is prevented from being weakened by tampering with the message carrying the first indication information, and the security of communication between the terminal device and the gateway device is enhanced.
  • the method 200 further includes:
  • the gateway device sends security capability information to the terminal device, so that the terminal device checks whether the security capability information is correct according to the security capability of the terminal device.
  • the security capability information indicates a security algorithm.
  • after receiving the security capability information, the terminal device verifies whether the security capability information is correct according to a security algorithm supported by the terminal device. If the security algorithm indicated by the security capability information is consistent with the security algorithm supported by the terminal device, the terminal device determines that the security capability information is correct, indicating that the security capability of the terminal device determined by the gateway device is correct, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithm supported by the terminal device, the terminal device determines that the security capability information is incorrect, indicating that the security capability of the terminal device determined by the gateway device is incorrect, and the terminal device may abandon the use of the first indication information.
  • the security capability information may also indicate other content.
  • the security capability information may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • by verifying the security capability information sent by the network device, the terminal device can prevent the network device from determining the target security algorithm according to a wrong security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 200 further includes:
  • the gateway device receives security capability information from the terminal device or a core network device.
  • the gateway device determines, according to the security capability information, a security algorithm supported by the terminal device.
  • the gateway device may obtain the security capability information of the terminal device from the terminal device, or obtain the security capability information of the terminal device from other core network devices (for example, a Home Subscriber Server (HSS) or a Home Location Register (HLR)), so that the security capability of the terminal device can be flexibly determined.
  • HSS Home Subscriber Server
  • HLR Home Location Register
  • FIG. 3 is a schematic flowchart of another method for wireless communication provided by an embodiment of the present application. As shown in FIG. 3, the method includes:
  • the terminal device receives first indication information from the gateway device, where the first indication information is used to indicate a target security algorithm.
  • the terminal device may support one security algorithm or multiple security algorithms.
  • when the terminal device supports one security algorithm, the target security algorithm is that security algorithm; when the terminal device supports multiple security algorithms, the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level among the multiple security algorithms, so that a suitable security algorithm can be flexibly determined according to actual conditions.
  • the terminal device communicates with the gateway device according to the target security algorithm.
  • after determining the target security algorithm according to the indication information sent by the gateway device, the terminal device communicates with the gateway device according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 300 further includes:
  • the terminal device receives second indication information and a MAC from the gateway device, where the second indication information is used to indicate an integrity algorithm.
  • the terminal device checks, according to the integrity algorithm and the MAC, the integrity of the message that carries the first indication information.
  • the second indication information is used to indicate an integrity algorithm selected by the gateway device, where the terminal device supports the integrity algorithm, and the MAC is the correct result calculated according to the integrity algorithm. If the result obtained by the terminal device according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device may communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result obtained by the terminal device according to the integrity algorithm is different from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the second indication information and the MAC may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • the terminal device performs integrity verification on the message carrying the first indication information, so that communication security is prevented from being weakened by tampering with the message carrying the first indication information, and the security of communication between the terminal device and the gateway device is enhanced.
  • the method 300 further includes:
  • the terminal device receives security capability information from the gateway device.
  • S360 The terminal device checks whether the security capability information is correct according to the security capability of the terminal device.
  • the security capability information may, for example, indicate a security algorithm.
  • after receiving the security capability information, the terminal device checks whether the security capability information is correct according to a security algorithm supported by the terminal device. If the security algorithm indicated by the security capability information is consistent with the security algorithm supported by the terminal device, the terminal device determines that the security capability information is correct, indicating that the security capability of the terminal device determined by the gateway device is correct, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithm supported by the terminal device, the terminal device determines that the security capability information is incorrect, indicating that the security capability of the terminal device determined by the gateway device is incorrect, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the security information may also indicate other content.
  • the security capability information may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • by verifying the security capability information sent by the gateway device, the terminal device can prevent the gateway device from determining the target security algorithm according to a wrong security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • before the terminal device receives the first indication information, the method further includes:
  • the terminal device sends security capability information to the gateway device, where the security capability information is used to indicate a security algorithm supported by the terminal device.
  • the method for wireless communication provided by the embodiment of the present application can enable the gateway device to flexibly determine the security capability of the terminal device.
  • the foregoing embodiment describes the method of the wireless communication provided by the present application from the perspective of the gateway device and the terminal device.
  • the following describes the embodiments of the present application in further detail based on the common aspects of the embodiments of the present application.
  • FIG. 4 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 4, the method 400 includes:
  • the UE sends an attach request/tracking area update request message to the SGSN, where the request message carries the identifier of the UE.
  • the SGSN sends an authentication data request message to the HLR/HSS, where the request message carries the identifier of the UE.
  • the HLR/HSS generates an Authentication Vector (AV) according to the identifier of the UE, and calculates an E2E security key, where the security key includes an encryption key (Ciphering Key, CK) and an integrity key (Integrity Key, IK).
  • AV Authentication Vector
  • the HLR/HSS sends the AV to the SGSN.
  • the UE and the SGSN perform authentication according to the AV.
  • the HLR/HSS pushes the E2E security key to the Gateway GPRS Support Node (GGSN).
  • GGSN Gateway GPRS Support Node
  • the UE sends a Packet Data Protocol (PDP) context request message to the SGSN, where the request message includes the identifier of the UE, the security capability of the UE, and the E2E security indication.
  • PDP Packet Data Protocol
  • the E2E security indication is optional.
  • the SGSN sends a PDP Context Request message to the GGSN, where the request message includes the identifier of the UE, the security capability of the UE, and the E2E security indication.
  • the GGSN obtains an E2E security key from the HLR/HSS, where S410 and S407 are alternatives: only one of them is performed.
  • the GGSN selects an encryption algorithm (ie, a target security algorithm) and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list.
  • the GGSN sends a setup PDP context response message to the SGSN, where the response message includes an encryption algorithm selected by the GGSN, an integrity algorithm, a security capability of the UE, and a MAC value.
  • the SGSN sends an activation PDP context accept message to the UE, where the acceptance message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC value.
  • the gateway device determines the security algorithm supported by the terminal device according to the security capability of the terminal device (ie, the UE), and indicates to the terminal device the target security algorithm selected by the gateway device, so that a suitable security algorithm can be selected for communication, and the security performance of communication between the terminal device and the gateway device is enhanced.
  • FIG. 5 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 5, the method 500 includes:
  • S501 The UE sends an attach request/tracking area update request message to the MME, where the request message carries the identifier of the UE.
  • the MME sends an authentication data request message to the HLR/HSS, where the request message carries the identifier of the UE.
  • the HLR/HSS generates an AV according to the identifier of the UE and calculates an E2E security key, where the security key includes CK and IK.
  • the HLR/HSS sends the AV and E2E security indication to the MME.
  • the UE and the MME perform authentication according to the AV.
  • the HLR/HSS pushes the E2E security key to the Packet Data Network Gateway (P-GW).
  • P-GW Packet Data Network Gateway
  • the MME sends a setup session request message to the serving gateway (S-GW). If the MME receives the E2E security indication from the HLR/HSS, the request message includes the identifier of the UE and the security capability of the UE.
  • S-GW serving gateway
  • the S-GW sends a setup session request message to the P-GW, where the request message includes an identifier of the UE, and a security capability of the UE.
  • the P-GW obtains an E2E security key from the HLR/HSS, where S510 and S507 are alternatives: only one of them is performed.
  • the P-GW selects an encryption algorithm (ie, a target security algorithm) and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the P-GW sends a session establishment response message to the S-GW, where the response message includes an encryption algorithm selected by the P-GW, an integrity algorithm, a security capability of the UE, and a MAC.
  • the S-GW sends a setup session response message to the MME, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the MME sends an attach accept message to the UE, where the accept message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the security capability of the UE.
  • after the UE successfully verifies the MAC and the security capability of the UE, the UE sends an attach complete message to the MME.
  • the MME sends a modify bearer request message to the S-GW.
  • the S-GW sends a modify bearer request message to the P-GW.
  • the UE and the P-GW provide E2E confidentiality and integrity protection for the data.
  • the gateway device determines the security algorithms supported by the terminal device (i.e., the UE) according to the security capability of the terminal device, and indicates the target security algorithm it selected to the terminal device, so that a suitable security algorithm is selected for communication and the security of the communication between the terminal device and the gateway device is enhanced.
  • FIG. 6 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 6, the method 600 includes:
  • the HLR/HSS pushes the E2E security key and the security capability of the UE to the GGSN/P-GW, or the GGSN/P-GW obtains the E2E security key and the security capability of the UE from the HLR/HSS, where the security capability of the UE is pre-configured in the subscription data stored by the HLR/HSS.
  • the GGSN selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list, or the P-GW selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the GGSN sends a response message to the SGSN, where the response message includes the encryption algorithm selected by the GGSN (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC; or the P-GW sends a response message to the MME, where the response message includes the encryption algorithm selected by the P-GW (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC.
  • the SGSN/MME sends a response message to the UE, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the echoed security capability of the UE, i.e. it checks that the capability returned by the GGSN/P-GW is identical to the one it sent, so that a capability list altered in transit is detected.
  • the gateway device determines the security algorithms supported by the terminal device (i.e., the UE) according to the security capability of the terminal device, and indicates the target security algorithm it selected to the terminal device, so that a suitable security algorithm is selected for communication and the security of the communication between the terminal device and the gateway device is enhanced.
  • FIG. 7 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 7, the method 700 includes:
  • the HLR/HSS pushes the E2E security key to the GGSN/P-GW, where the security capability of the UE is pre-configured in the subscription data saved by the HLR/HSS.
  • the UE sends a request message to the SGSN/MME, where the message includes the security capability of the UE.
  • the SGSN sends a request message to the GGSN, where the request message includes the security capability of the UE.
  • the MME sends a request message to the P-GW, where the request message includes the security capability of the UE.
  • the GGSN/P-GW obtains the E2E security key from the HLR/HSS; this step and the push by the HLR/HSS in the first step are alternatives, and only one of the two is performed.
  • the GGSN selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list.
  • the P-GW selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the GGSN sends a response message to the SGSN, where the response message includes the encryption algorithm selected by the GGSN (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC.
  • the P-GW sends a response message to the MME, where the response message includes the encryption algorithm selected by the P-GW (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC.
  • the SGSN/MME sends a response message to the UE, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the echoed security capability of the UE, i.e. it checks that the capability returned by the GGSN/P-GW is identical to the one it sent, so that a capability list altered in transit is detected.
  • the gateway device determines the security algorithms supported by the terminal device (i.e., the UE) according to the security capability of the terminal device, and indicates the target security algorithm it selected to the terminal device, so that a suitable security algorithm is selected for communication and the security of the communication between the terminal device and the gateway device is enhanced.
  • in order to implement the above functions, the gateway device and the terminal device include the corresponding hardware structures and/or software modules for performing each function.
  • the elements and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in hardware, or in a combination of hardware and computer software. Whether a function is implemented in hardware or in computer software driving hardware depends on the specific application and the design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementations should not be considered to be beyond the scope of the present application.
  • the embodiments of the present application may divide the gateway device, the terminal device and the like into functional units according to the foregoing method examples.
  • each functional unit may be divided according to each function, or two or more functions may be integrated into one processing unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logical function division. In actual implementation, there may be another division manner.
  • FIG. 8A shows a possible structural diagram of the gateway device involved in the above embodiment.
  • the gateway device 800 includes a processing unit 802 and a communication unit 803.
  • Processing unit 802 is configured to control and manage the actions of gateway device 800; for example, processing unit 802 supports gateway device 800 in performing S210 of FIG. 2 and/or other processes for the techniques described herein.
  • Communication unit 803 is used to support communication between gateway device 800 and other network entities, such as with the UE shown in FIG.
  • Gateway device 800 may further include a storage unit 801 for storing the program code and data of gateway device 800.
  • the processing unit 802 can be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and can implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 803 can be a communication interface or the like.
  • the storage unit 801 can be a memory.
  • the gateway device involved in the embodiment of the present application may be the gateway device shown in FIG. 8B.
  • the gateway device 810 includes a processor 812, a communication interface 813, and a memory 811.
  • the communication interface 813, the processor 812, and the memory 811 can communicate with each other through an internal connection path to transfer control and/or data signals.
  • the gateway device determines the security algorithm supported by the terminal device according to the security capability of the terminal device, and indicates the target security algorithm selected by the gateway device to the terminal device, so that a suitable security algorithm can be selected for communication.
  • the security of communication between the terminal device and the gateway device is enhanced.
  • FIG. 9A shows a possible structural diagram of the terminal device involved in the above embodiment.
  • the terminal device 900 includes a processing unit 902 and a communication unit 903.
  • the processing unit 902 is configured to control and manage the actions of the terminal device 900.
  • the processing unit 902 is configured to support the terminal device 900 through the communication unit 903 to perform S310 of FIG. 3, and/or other processes for the techniques described herein.
  • Communication unit 903 is used to support communication between terminal device 900 and other network entities, such as with the GGSN shown in FIG.
  • the terminal device 900 may further include a storage unit 901 for storing program codes and data of the terminal device 900.
  • the processing unit 902 can be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 903 can be a transceiver, a transceiver circuit, or the like.
  • the storage unit 901 can be a memory.
  • the terminal device involved in the embodiment of the present application may be the terminal device shown in FIG. 9B.
  • the terminal device 910 includes a processor 912, a transceiver 913, and a memory 911.
  • the transceiver 913, the processor 912, and the memory 911 can communicate with each other through an internal connection path to transfer control and/or data signals.
  • the terminal device provided by the embodiment of the present application communicates with the gateway device according to the target security algorithm, thereby enhancing the security of the communication between the terminal device and the gateway device.
  • the sequence numbers of the processes above do not imply an execution order; the execution order of the processes is determined by their function and internal logic, and constitutes no limitation on the implementation of the embodiments of the present application.
  • the steps of the method or algorithm described in connection with the disclosure of the embodiments of the present application may be implemented in a hardware manner, or may be implemented by a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium can be located in an ASIC.
  • the ASIC can be located in a gateway device or a terminal device.
  • the processor and the storage medium may also exist as a discrete component in the gateway device or the terminal device.
  • the functions described herein can be implemented in hardware, software, firmware, or any combination thereof.
  • the functions may be stored in a computer readable medium or transmitted as one or more instructions or code on a computer readable medium.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a general purpose or special purpose computer.
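The negotiation in the FIG. 5, FIG. 6 and FIG. 7 procedures above, as an added worked example that is not code from the patent: the gateway takes the UE's security capability, picks the first encryption and integrity algorithm from its own priority lists that the capability contains, echoes the capability back together with the selection and a MAC keyed with the E2E integrity key, and the UE accepts only if the MAC verifies and the echoed capability is exactly what it sent. The algorithm names, the priority lists, HMAC-SHA256 as the MAC, the 16-byte IK and the `tamper` hook (which models a capability list altered on the SGSN/MME or S-GW hop) are assumptions of this example.

```python
"""
Added example (not code from the patent): end-to-end security algorithm
negotiation between a terminal (UE) and a gateway (P-GW/GGSN), following the
FIG. 5-7 exchanges. Algorithm names, the gateway priority lists, the use of
HMAC-SHA256 as the MAC and a 16-byte shared integrity key are assumptions.
"""
import hashlib
import hmac
import secrets

# Gateway algorithm priority lists, most preferred first (assumed operator config).
GW_CIPHER_PRIORITY = ["SNOW3G-ENC", "AES-CTR", "NULL-ENC"]
GW_INTEGRITY_PRIORITY = ["SNOW3G-MAC", "AES-CMAC", "NULL-INT"]


def select_algorithm(priority_list, ue_capability):
    """Return the first algorithm in the gateway's priority list that the UE lists
    in its security capability; raise if there is no common algorithm."""
    for alg in priority_list:
        if alg in ue_capability:
            return alg
    raise ValueError("no algorithm common to UE capability and gateway priority list")


def encode_capability(capability):
    """Canonical (sorted, order-independent) encoding so both ends MAC identical bytes."""
    return ",".join(sorted(capability)).encode()


def security_mac(ik, enc_alg, int_alg, capability):
    """MAC over the selected algorithms and the echoed UE capability, keyed with
    the E2E integrity key IK. Assumption: HMAC-SHA256 stands in for the
    integrity algorithm a real deployment would use."""
    msg = b"|".join([enc_alg.encode(), int_alg.encode(), encode_capability(capability)])
    return hmac.new(ik, msg, hashlib.sha256).digest()


def gateway_select(ik, ue_capability):
    """Gateway side (P-GW/GGSN): choose the target algorithms from the UE capability
    and the priority lists, echo the capability and MAC the response."""
    caps = set(ue_capability)
    enc = select_algorithm(GW_CIPHER_PRIORITY, caps)
    integ = select_algorithm(GW_INTEGRITY_PRIORITY, caps)
    return {"enc": enc, "int": integ, "capability": sorted(caps),
            "mac": security_mac(ik, enc, integ, caps)}


def ue_verify(ik, sent_capability, response):
    """UE side: accept the response only if the MAC verifies, the echoed capability is
    exactly what the UE sent, and the chosen algorithms are ones the UE supports.
    Returns the agreed (encryption, integrity) pair, or None on rejection."""
    expected = security_mac(ik, response["enc"], response["int"], response["capability"])
    if not hmac.compare_digest(expected, response["mac"]):
        return None                       # response forged or modified in transit
    if set(response["capability"]) != set(sent_capability):
        return None                       # capability was altered before it reached the gateway
    if response["enc"] not in sent_capability or response["int"] not in sent_capability:
        return None
    return response["enc"], response["int"]


def run_exchange(ue_capability, tamper=None):
    """Drive one negotiation end to end. `tamper`, if given, rewrites the UE capability
    on its way through the SGSN/MME and S-GW hops, modelling a bidding-down attempt."""
    ik = secrets.token_bytes(16)          # E2E IK the HLR/HSS provisioned to both ends
    cap_seen_by_gateway = tamper(list(ue_capability)) if tamper else list(ue_capability)
    response = gateway_select(ik, cap_seen_by_gateway)
    return ue_verify(ik, ue_capability, response)


if __name__ == "__main__":
    full = ["AES-CTR", "SNOW3G-ENC", "AES-CMAC", "SNOW3G-MAC"]
    print("honest path:", run_exchange(full))
    strip_strong = lambda caps: [a for a in caps if not a.startswith("SNOW3G")]
    print("bidding-down attempt:", run_exchange(full, tamper=strip_strong))
```

Run it directly to see the honest path agree on the strongest common pair and the stripped-capability path be rejected at the UE even though its MAC is valid: the MAC alone only proves the gateway built the response, and the capability echo is what ties the selection to what the UE actually advertised.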

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and an apparatus for wireless communication. The method comprises the following steps: a gateway device determines a target security algorithm from among the security algorithms supported by a terminal device; the gateway device transmits first indication information to the terminal device, the first indication information being used to indicate the target security algorithm; the gateway device communicates with the terminal device according to the target security algorithm. According to the method and apparatus for wireless communication provided by embodiments of the present invention, the gateway device determines the security algorithms supported by a terminal device according to the security capability of the terminal device, and indicates the target security algorithm selected by the gateway device to the terminal device, so that the terminal device and the gateway device can select a suitable security algorithm for communication, thereby improving the security performance of the communication between the terminal device and the gateway device.
PCT/CN2017/071452 2017-01-17 2017-01-17 Method and apparatus for wireless communication Ceased WO2018132952A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/071452 WO2018132952A1 (fr) 2017-01-17 2017-01-17 Method and apparatus for wireless communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/071452 WO2018132952A1 (fr) 2017-01-17 2017-01-17 Method and apparatus for wireless communication

Publications (1)

Publication Number Publication Date
WO2018132952A1 true WO2018132952A1 (fr) 2018-07-26

Family

ID=62907615

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/071452 Ceased WO2018132952A1 (fr) 2017-01-17 2017-01-17 Method and apparatus for wireless communication

Country Status (1)

Country Link
WO (1) WO2018132952A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601943A (zh) * 2003-09-25 2005-03-30 Huawei Technologies Co Ltd Method for selecting a secure communication algorithm
US20060026671A1 (en) * 2004-08-02 2006-02-02 Darran Potter Method and apparatus for determining authentication capabilities
CN101378591A (zh) * 2007-08-31 2009-03-04 Huawei Technologies Co Ltd Method, system and apparatus for security capability negotiation when a terminal moves
CN101854625A (zh) * 2009-04-03 2010-10-06 Huawei Technologies Co Ltd Security algorithm selection processing method and apparatus, network entity and communication system
CN102869007A (zh) * 2007-02-05 2013-01-09 Huawei Technologies Co Ltd Method, apparatus and network system for security algorithm negotiation

Similar Documents

Publication Publication Date Title
US11736519B2 (en) Mobile communication method, apparatus, and device
CN109587685B (zh) Key acquisition method, device and communication system
CN109560919B (zh) Method and apparatus for negotiating a key derivation algorithm
WO2019096279A1 (fr) Secure communication method and device
CN101843126A (zh) System and method for authentication context transfer
CN111491394B (zh) Method and apparatus for user plane security protection
WO2022170994A1 (fr) PC5 root key processing method and apparatus, AUSF and remote terminal
WO2019029531A1 (fr) Method for triggering network authentication and related device
CN111866870B (zh) Key management method and apparatus
CN109819439A (zh) Key update method and related entity
EP3471365A1 (fr) Key acquisition method and apparatus
WO2017143521A1 (fr) Secure communication method and core network node
WO2018049689A1 (fr) Key negotiation apparatus and method
CN110583001A (zh) Improvement of erroneous KSI handling in mobile communications
WO2018195971A1 (fr) Method for acquiring context configuration information, terminal device and access network device
WO2018132952A1 (fr) Method and apparatus for wireless communication
US10893075B2 (en) Flexible selection of security features in mobile networks
CN110830994A (zh) Session migration method and apparatus
JP2024506102A (ja) Method for configuring an evolved packet system non-access stratum security algorithm, and related apparatus
CN116709337A (zh) Communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17892485

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17892485

Country of ref document: EP

Kind code of ref document: A1