WO2019088801A1 - Method for protecting user data in wireless communication system and apparatus therefor - Google Patents

Abstract

Disclosed are a method for protecting user data in a wireless communication system and an apparatus therefor. Specifically, a method for protecting user data by a base station including one control plane (CP) entity and at least one user plane (UP) entity in a wireless communication system, comprises: a step in which, when the UP entity for user equipment (UE) is allocated, the CP entity generates a base station UP key for the UP entity on the basis of a base station key and a counter value for the UP entity; a step in which the CP entity transmits the base station UP key to the UP entity; a step in which the UP entity generates an integrity key for protecting date integrity of the UE and an encryption key for protecting data confidentiality of the UE, on the basis of the base station UP key; and a step in which the UP entity performs the protection of the integrity and confidentiality of data of the UE by using the integrity key and the encryption key, wherein, when a plurality of UP entities for the UE are allocated, the counter value for each UP entity ​​is generated differently from one another, such that the user data can be protected.

Description

Method and apparatus for protecting user data in a wireless communication system

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a wireless communication system, and more particularly, to a method for protecting user data in an environment in which a control plane and a user plane of a base station are separated from each other.

The mobile communication system has been developed to provide voice service while ensuring the user 's activity. However, in the mobile communication system, not only the voice but also the data service are extended. At present, due to the increase of the explosive traffic, there is a shortage of resources and users require higher speed service, have.

The requirements of the next-generation mobile communication system largely depend on the acceptance of explosive data traffic, the dramatic increase in the rate per user, the acceptance of a significantly increased number of connected devices, very low end-to-end latency, Should be able to. For this purpose, a dual connectivity, a massive multiple input multiple output (MIMO), an in-band full duplex, a non-orthogonal multiple access (NOMA) wideband support, and device networking.

It is an object of the present invention to provide a method for protecting user data in an environment in which a control plane and a user plane of a base station are separated from each other.

It is another object of the present invention to provide a method of managing a security key in an environment in which a control plane and a user plane of a base station are separated from each other.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, unless further departing from the spirit and scope of the invention as defined by the appended claims. It will be possible.

According to an aspect of the present invention, there is provided a method for protecting user data in a wireless communication system including a control plane (CP) entity and at least one user plane (UP) Generating a base station UP key for the UP entity based on a base station key and a counter value for the UP entity when the UP entity for a UE is allocated; The CP entity transmitting the base station UP key to the UP entity; The UP entity generating an encryption key for integrity key and confidentiality protection for integrity protection of data of the UE based on the base station UP key; And performing the integrity and confidentiality protection of data of the UE using the integrity key and the encryption key when the UP entity is assigned a plurality of UP entities for the UE, The value can protect user data that is generated differently.

Preferably, the counter value is maintained while the CP entity maintains the security context for the UE, and may be incremented by one each time the UP entity is added or changed.

Preferably, the CP entity may further include transmitting the counter value and the security algorithm type information to the UE through Radio Resource Control (RRC) signaling.

Preferably, when the base station key is refreshed, the counter value may be initialized to zero.

Preferably, the CP entity for the UE is fixed and when the UP entity is changed, a base station UP key for the new UP entity may be generated based on the base station key and a counter value for the new UP entity.

According to another aspect of the present invention, there is provided a method for controlling a user equipment (UE) in a wireless communication system, the method comprising: a base station including a control plane (CP) entity and at least one user plane (UP) A method for protecting data, the method comprising: receiving a counter value for the UP entity and security algorithm type information from the CP entity via Radio Resource Control (RRC) signaling when the UP entity for the UE is allocated; ; Generating a base station UP key for the UP entity based on the base station key and the counter value; Generating an encryption key for protecting an integrity key and confidentiality for integrity protection of data of the UE based on the base station UP key; And performing integrity and confidentiality protection of data of the UE using the integrity key and the encryption key.

Preferably, when a plurality of UP entities are assigned to the UE, the counter values may be generated differently for each UP entity.

Preferably, the counter value is maintained while the CP entity maintains the security context for the UE, and may be incremented by one each time the UP entity is added or changed.

Preferably, when the base station key is refreshed, the counter value may be initialized to zero.

According to the embodiment of the present invention, user data can be effectively protected in an environment in which a control plane and a user plane of a base station are separated from each other.

In addition, in a circumstance where a control plane and a user plane of a base station are separated from each other, a security context of user data can be protected.

It is also an object of the present invention to efficiently manage a security key in an environment in which a control plane and a user plane of a base station are separated from each other.

The effects obtained in the present invention are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the following description .

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the technical features of the invention.

1 illustrates a wireless communication system architecture to which the present invention may be applied.

2 is a diagram illustrating a wireless protocol stack in a wireless communication system to which the present invention may be applied.

3 illustrates an NG-RAN architecture in a wireless communication system to which the present invention may be applied.

FIG. 4 illustrates a RAN architecture in which a CU-CP and a CU-UP are separated in a wireless communication system to which the present invention can be applied.

Figure 5 illustrates a key hierarchy in a wireless communication system to which the present invention may be applied.

FIG. 6 illustrates a handover key chaining model in a wireless communication system to which the present invention may be applied.

7 illustrates a key distribution and key derivation scheme for a network node in an E-UTRAN.

8 illustrates a key derivation scheme for an ME in an E-UTRAN.

9 is a diagram illustrating a method of protecting user data according to an embodiment of the present invention.

10 is a diagram illustrating a method of protecting user data according to an embodiment of the present invention.

11 illustrates a block diagram of a network node according to an embodiment of the present invention.

12 illustrates a block diagram of a user equipment according to an embodiment of the present invention.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

In some instances, well-known structures and devices may be omitted or may be shown in block diagram form, centering on the core functionality of each structure and device, to avoid obscuring the concepts of the present invention.

In this specification, a base station has a meaning as a terminal node of a network that directly communicates with a terminal. The specific operation described herein as performed by the base station may be performed by an upper node of the base station, as the case may be. That is, it is apparent that various operations performed for communication with a terminal in a network composed of a plurality of network nodes including a base station can be performed by a network node other than the base station or the base station. A 'base station (BS)' may be replaced by terms such as a fixed station, a Node B, an evolved NodeB (eNB), a base transceiver system (BTS), an access point (AP) . Also, a 'terminal' may be fixed or mobile and may be a mobile station (UE), a mobile station (MS), a user terminal (UT), a mobile subscriber station (MSS), a subscriber station (SS) Advanced Mobile Station (WT), Wireless Terminal (WT), Machine-Type Communication (MTC), Machine-to-Machine (M2M), and Device-to-Device (D2D) devices.

Hereinafter, a downlink (DL) means communication from a base station to a terminal, and an uplink (UL) means communication from a terminal to a base station. In the downlink, the transmitter may be part of the base station, and the receiver may be part of the terminal. In the uplink, the transmitter may be part of the terminal and the receiver may be part of the base station.

The specific terminology used in the following description is provided to aid understanding of the present invention, and the use of such specific terminology may be changed into other forms without departing from the technical idea of the present invention.

Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802, 3GPP and 3GPP2. That is, the steps or portions of the embodiments of the present invention that are not described in order to clearly illustrate the technical idea of the present invention can be supported by the documents. In addition, all terms disclosed in this document may be described by the standard document.

For clarity of description, the 3GPP 5G (5 Generation) system is mainly described, but the technical features of the present invention are not limited thereto.

The terms used in this document can be defined as follows.

- Evolved Packet System (EPS): Network system consisting of Evolved Packet Core (EPC), which is an IP (Internet Protocol) based packet switched core network, and access networks such as LTE and UTRAN. UMTS (Universal Mobile Telecommunications System) is an evolved form of network.

- eNodeB: base station of the EPS network. It is installed outdoors and its coverage is macro cell scale.

- International Mobile Subscriber Identity (IMSI): A user identifier that is globally unique assigned in a mobile communication network.

- Public Land Mobile Network (PLMN): A network configured to provide mobile communication services to individuals. And can be configured separately for each operator.

- 5G System (5GS: 5G System): A system consisting of 5G Access Network (AN), 5G Core Network and User Equipment (UE)

- 5G Access Network (5G-AN): A new generation radio access network (NG-RAN) and / or non-3GPP access network (NG) 3GPP AN: non-5G Access Network).

- Next Generation Radio Access Network (NG-RAN) (or RAN): A wireless access network that has the common feature of being connected to a 5GC and supports one or more of the following options:

1) Standalone New Radio.

2) A new radio that is an anchor that supports E-UTRA extension.

3) Standalone E-UTRA (eNodeB, for example).

4) An anchor that supports new radio expansion.

- 5G Core Network (5GC: 5G Core Network): core network connected to 5G access network

Network Function (NF): A processing function adopted in 3GPP in the network or defined in 3GPP. This processing function defines the functional behavior defined in 3GPP and the interface defined in 3GPP. .

- NF service: A function that is exposed by the NF through a service-based interface and consumed by other authenticated NF (s)

- Network Slice: A logical network that provides specific network capability (s) and network feature (s)

Network Slice instance: A set of NF instance (s) forming the network slice to be deployed and the required resource (s) (e.g., computation, storage and networking resources)

Protocol Data Unit (PDU) Connectivity Service: A service that provides the exchange of PDU (s) between the UE and the data network.

PDU Connectivity Service: A service that provides the exchange of PDU (s) between the UE and the data network.

PDU Session: An association between a UE and a data network that provides a PDU Connectivity Service. The association type may be Internet Protocol (IP), Ethernet, or unstructured.

- Non-Access Stratum (NAS): A functional layer for sending and receiving signaling and traffic messages between the terminal and the core network in the EPS and 5GS protocol stacks. Supporting the mobility of the terminal, and supporting the session management procedure.

The 5G system architecture to which the present invention may be applied

The 5G system is an advanced technology from the 4th generation LTE mobile communication technology. It is equipped with new radio access technology (RAT: Radio Access Technology), LTE (Long Term), etc. through Evolution or Clean- (E. G., Extended LTE), non-3GPP (e. G., Wireless local area network (WLAN)) access.

The 5G system architecture is defined to support data connectivity and services so that deployment can use technologies such as Network Function Virtualization and Software Defined Networking. The 5G system architecture utilizes service-based interactions between control plane (CP) network functions (NFs).

1 illustrates a wireless communication system architecture to which the present invention may be applied.

The 5G system architecture may include various components (i. E., Network function (NF)) and illustrates components corresponding to some of them in FIG.

The Access and Mobility Management Function (AMF) is a protocol for inter-CN signaling for mobility between 3GPP access networks, termination of a Radio Access Network (RAN) CP interface (N2) End of signaling N1, registration management (registration area management), idle mode UE reachability, network slicing support, and SMF selection.

Some or all functions of the AMF may be supported within a single instance of an AMF.

A data network (DN) is, for example, an operator service, an Internet connection or a third party service. The DN transmits a downlink PDU (Protocol Data Unit) to the UPF or receives a PDU transmitted from the UE from the UPF.

The policy control function (PCF) receives the information about the packet flow from the application server and provides functions for determining policies such as mobility management and session management.

The Session Management Function (SMF) provides a session management function. If the UE has a plurality of sessions, it can be managed by different SMFs for each session.

Some or all of the functions of an SMF may be supported within a single instance of an SMF.

Unified Data Management (UDM) stores user subscription data, policy data, and so on.

The user plane function (UPF) transmits the downlink PDU received from the DN to the UE via the (R) AN, and the uplink PDU received from the UE via the (R) AN to the DN .

Application functions (AF) support service provisioning (eg, application impact on traffic routing, access to network capability exposures, and interoperability with policy frameworks for policy control). Interoperate with the 3GPP core network.

(Radio) Access Network (AN) is a new version of the evolved E-UTRA (Evolved E-UTRA) and new radio access technology (NR: New Radio) ≪ / RTI > for example, gNB).

The gNB includes functions for radio resource management (i.e., radio bearer control, radio admission control, connection mobility control), dynamic resource allocation to the UE in the uplink / And dynamic allocation of resources (i.e., scheduling)).

A user equipment (UE) refers to a user equipment.

In the 3GPP system, a conceptual link connecting NFs in a 5G system is defined as a reference point.

N1 (or NG1) is the reference point between the UE and the AMF; N2 (or NG2) is the reference point between (R) AN and AMF; N3 N6 (or NG6): a reference point between UPF and the data network; N7 (or NG7) is a reference point between SMF and PCF; N24 Or NG24 is the reference point between the PCF in the visited network and the PCF in the home network, N8 (or NG8) is the reference point between UDM and AMF, N9 (or NG9) (Or NG10) is the reference point between AMF and AUSF, and N13 (or NG13) is the reference point between UDM and SMF. A reference point between authentication server functions (AUSF), N14 (or NG14) is a reference point between two AMFs, N15 (or N G15) refers to the reference point between PCF and AMF in the case of non-roaming scenario, and between PCF and AMF in the visited network in case of roaming scenario.

Meanwhile, FIG. 1 illustrates a reference model for accessing a single DN using one PDU session, but the present invention is not limited thereto.

2 is a diagram illustrating a wireless protocol stack in a wireless communication system to which the present invention may be applied.

2 (a) illustrates a radio interface user plane protocol stack between a UE and a gNB, and FIG. 2 (b) illustrates a radio interface control plane protocol stack between a UE and a gNB.

The control plane is a path through which control messages used by the UE and the network to manage calls are transmitted. The user plane means a path through which data generated in the application layer, for example, voice data or Internet packet data, is transmitted.

Referring to FIG. 2 (a), the user plane protocol stack may be divided into a first layer (i.e., a physical (PHY) layer) and a second layer (a layer 2).

Referring to FIG. 2B, the control plane protocol stack includes a first layer (i.e., a PHY layer), a second layer, a third layer (i.e., a Radio Resource Control (RRC) layer) And may be divided into a non-access stratum (NAS) layer.

The second layer includes a medium access control (MAC) sublayer, a radio link control (RLC) sublayer, a packet data convergence protocol (PDCP) sublayer, a service data adaptation protocol SDAP: Service Data Adaptation Protocol) sublayer (in the case of a user plane).

Radio bearers are classified into two groups: a data radio bearer (DRB) for user plane data and a signaling radio bearer (SRB) for control plane data.

Hereinafter, the layers of the control plane and the user plane of the wireless protocol will be described.

1) The PHY layer as the first layer provides an information transfer service to an upper layer by using a physical channel. The physical layer is connected to a MAC sublayer at a higher level via a transport channel, and data is transmitted between the MAC sublayer and the PHY layer through a transport channel. The transport channel is classified according to how the data is transmitted through the air interface. Data is transmitted between the PHY layer of the transmitting end and the PHY layer of the receiving end through a physical channel between different physical layers.

2) the MAC sublayer is a mapping between a logical channel and a transport channel; Multiplexing / demultiplexing of MAC Service Data Units (SDUs) belonging to one or a different logical channel to / from a transport block (TB) conveyed to / from the PHY layer via a transport channel; Scheduling information reporting; Error correction through hybrid automatic repeat request (HARQ); Priority handling among UEs using dynamic scheduling; Priority handling between logical channels of one UE using logical channel priority; Padding is performed.

Different types of data carry the services provided by the MAC sublayer. Each logical channel type defines what type of information is delivered.

Logical channels are grouped into two groups: Control Channel and Traffic Channel.

i) The control channel is used to transmit only the control plane information and is as follows.

Broadcast Control Channel (BCCH): A downlink channel for broadcasting system control information.

Paging Control Channel (PCCH): A downlink channel carrying paging information and system information change notification.

- Common Control Channel (CCCH): A channel for transmitting control information between the UE and the network. This channel is used for UEs that do not have a network and RRC connection.

Dedicated Control Channel (DCCH): A point-to-point bi-directional channel for transmitting dedicated control information between the UE and the network. Used by UEs with RRC connections.

ii) The traffic channel is used to use only user plane information:

Dedicated Traffic Channel (DTCH): A point-to-point channel dedicated to a single UE for transmitting user information. A DTCH can exist in both uplink and downlink .

In the downlink, the connection between the logical channel and the transport channel is as follows.

The BCCH can be mapped to the BCH. The BCCH can be mapped to the DL-SCH. The PCCH can be mapped to PCH. The CCCH can be mapped to the DL-SCH. The DCCH may be mapped to the DL-SCH. The DTCH can be mapped to the DL-SCH.

In the uplink, the connection between the logical channel and the transport channel is as follows. The CCCH can be mapped to the UL-SCH. The DCCH can be mapped to the UL-SCH. The DTCH can be mapped to the UL-SCH.

3) The RLC sublayer supports three transmission modes: Transparent Mode (TM), Unacknowledged Mode (UM), and Acknowledged Mode (AM).

The RLC setting can be applied for each logical channel. For SRB, TM or AM mode is used, whereas for DRB, UM or AM mode is used.

The RLC sub-layer is used for transmission of an upper layer PDU; Sequence numbering independent of PDCP; Error correction through automatic repeat request (ARQ); Segmentation and re-segmentation; Reassembly of SDUs; RLC SDU discard; RLC re-establishment is performed.

4) The PDCP sublayer for the user plane includes sequence numbering; Header compression and decompression (Robust Header Compression only); User data transfer; Reordering and duplicate detection (when delivery to a layer higher than PDCP is required); PDCP PDU routing (for split bearers); Retransmission of PDCP SDUs; Ciphering and deciphering; PDCP SDU discarded; PDCP re-establishment and data recovery for RLC AM; And performs replication of the PDCP PDU.

The PDCP sublayer for the control plane additionally includes sequence numbering; Ciphering, deciphering and integrity protection; Control plane data transfer; Replication detection; And performs replication of the PDCP PDU.

When duplication for the radio bearer is established by the RRC, additional RLC entities and additional logical channels are added to the radio bearer to control the replicated PDCP PDU (s). Replication in the PDCP involves transmitting the same PDCP PDU (s) twice. Once to the original RLC entity, and second to the additional RLC entity. At this time, the original PDCP PDU and the corresponding replica are not transmitted to the same transport block. Two different logical channels may belong to the same MAC entity (in case of CA) or in different MAC entities (in case of DC). In the former case, logical channel mapping restrictions are used to ensure that the original PDCP PDU and its replica are not sent to the same transport block.

5) The SDAP sublayer performs the following: i) mapping between the QoS flows and the data radio bearers; and ii) marking QoS flows in the downlink and uplink packets.

A single protocol object of SDAP is set up for each individual PDU session, but exceptionally, for SD (Dual Connectivity), two SDAP entities can be set.

6) The RRC sublayer is responsible for broadcasting system information related to AS (Access Stratum) and NAS (Non-Access Stratum); Paging initiated by the 5GC or NG-RAN; UTRAN and NR, as well as establishing, maintaining, and releasing RRC connections between the UE and the NG-RAN (additionally, modifying and releasing of carrier aggregation, Connectivity); Security functions including key management; Establish, set, maintain, and release SRB (s) and DRB (s); Handover and context delivery; Control of UE cell selection and disaster and cell selection / reselection; A mobility function including inter-RAT mobility; QoS management functions, UE measurement reporting and reporting control; Detection of radio link failure and recovery from radio link failure; NAS message delivery from the NAS to the UE and NAS message delivery from the UE to the NAS.

How to protect user data

The terms used in this document can be defined as follows.

- Subscription Identifier De-concealing Function (SIDF): A home for de-concealing a Subscription Permanent Identifier (SUPI) from a Subscription Concealed Identifier (SUCI) It is a function located in the network.

Subscription Concealment Identifier (SUCI): A concealment identifier (e.g., a mobile subscription identification number (MSIN) and a cleartext home network identifier (e.g., a mobile country code Country Code) and Mobile Network Code (MNC)). SUCI is used to protect the privacy of SUPI.

- UE 5G Security Capability: UE security capability for 5G AS (Access Stratum) and NAS (Non-Access Stratum)

3 illustrates an NG-RAN architecture in a wireless communication system to which the present invention may be applied.

NG-RAN includes a set of gNBs connected to 5GC (5G Core network) through NG. The gNB may support frequency-division duplex (FDD) mode, time-division duplex (TDD) mode, or dual mode operation. The gNBs may be interconnected via Xn.

The gNB may include a gNB Central Unit (gNB-CU) and one or more gNB Distributed Unit (s) (gNB-DU). The gNB-CU and gNB-DU are connected via the F1 logical interface. One gNB-DU is connected to only one gNB-CU.

The gNB-CU is a logical node hosting RRC, SDAP and PDCP protocols and controls the operation of one or more gNB-DU (s). The gNB-CU also terminates the F1 interface associated with gNB-DU.

The gNB-DU is a logical node hosting the RLC, MAC and PHY layers, and its operation is controlled in part by the gNB-CU. One gNB-DU supports one or more cells. One cell is only supported by a single gNB-DU. gNB-DU terminates the F1 interface associated with the gNB-CU.

In the case of NG-RAN, NG and Xn-C interfaces for gNBs including gNB-CU and gNB-DUs are terminated in the gNB-CU. For EN-DC (E-UTRA-NR Dual Connectivity), the S1-U and X2-C interfaces for gNBs including gNB-CU and gNB-DUs are terminated in the gNB-CU.

The NG-RAN is layered into a radio network layer (RNL) and a transport network layer (TNL). The NG-RAN architecture (i.e., the NG-RAN logical nodes and their interfaces) is defined as part of the RNL.

On the other hand, in the 5G RAN, in addition to the separation option of gNB-CU (simply referred to as CU) and gNB-DU (simply referred to as DU) as described above, the CU can be divided into a control plane and a user plane (User Plane) entities in order to improve the efficiency of deployment.

The Central Unit - Control Plane (CU-CP) corresponds to the control plane portion of the gNB-CU. The CU-CP hosts the control plane portion of the PDCP protocol and the RRC protocol. The Central Unit - User Plane (CU-UP) corresponds to the user plane portion of the gNB-CU. The CU-UP hosts the user plane portion of the PDCP protocol and the SDAP protocol.

FIG. 4 illustrates a RAN architecture in which a CU-CP and a CU-UP are separated in a wireless communication system to which the present invention can be applied.

The gNB may include a CU-CP, multiple CU-UPs, and multiple DUs.

The CU-CP is connected to DU through the F1-C interface. The CU-UP is connected to DU through the F1-U interface. The CU-UP is connected to the CU-CP via the E1 interface. One DU is connected to only one CU-CP. One CU-UP is connected to only one CU-CP.

One DU can be connected to multiple CU-UPs under the control of the same CU-CP. One CU-UP can be connected to multiple DUs under the control of the same CU-CP.

Hereinafter, the key hierarchy of the 5G system will be described.

The requirements for 5GC and NG-RAN related keys are as follows:

a) 5GC and NG-RAN allow the use of encryption and integrity protection algorithms for AS and NAS protection with 128-bit length keys.

b) The keys used for UP, NAS and AS protection are dependent on the algorithm for which the keys are used.

Figure 5 illustrates a key hierarchy in a wireless communication system to which the present invention may be applied.

Referring to FIG. 5, the key system includes the following keys. K_SEAF, K_AMF, K_NASint, K_NASenc, K_N3IWF, K_gNB, K_RRCint, K_RRCenc, K_UPint, and K_UPenc.

The keys for NAS signaling are:

- K_NASint is a key used only for the protection of NAS signaling with a specific integrity algorithm.

- K_NASenc is a key used only for the protection of NAS signaling with a specific encryption algorithm.

The keys for user plane (UP) traffic are as follows:

- K_UPenc is a key used only to protect UP traffic with a specific encryption algorithm.

- K_UPint is a key used only for the protection of UP traffic between ME and gNB with a specific integrity algorithm.

The keys for RRC signaling are:

- K_RRCint is a key used only for protection of RRC signaling with a specific integrity algorithm.

- K_RRCenc is a key used only for protection of RRC signaling with a specific encryption algorithm.

Intermediate keys are as follows.

- NH is a key derived by ME and AMF to provide forward security.

- K * _gNB is the key derived by ME and gNB when performing horizontal or vertical key derivation using KDF.

Hereinafter, key derivation and distribution techniques will be described.

i) keys in the network entity

- keys in the Authentication credential Repository and Processing Function (ARPF)

ARPF stores K, a long-term key. The key K has a length of 128 bits or 256 bits. During the authentication and key agreement procedure, the ARPF generates a key material from K and forwards it to the AUSF.

- keys in AUSF (Authentication Function)

The AUSF generates an anchor key from the key material received from the ARPF during the authentication and key agreement procedure, which is referred to as K_SEAF. AUSF can generate an additional key K_AUSF from key material received from ARPF. This additional key is stored in the AUSF during the authentication and key agreement procedure.

- keys in Security Anchor Function (SEAF)

The SEAF receives an anchor key, K_SEAF, from the AUSF during a successful primary authentication procedure in each serving network. SEAF does not forward K_SEAF to external entities of SEAF. Following the authentication and key agreement procedure, SEAF generates K_AMF from K_SEAF and delivers it to AMF.

-AMF My keys

AMF receives K_AMF from SEAF or another AMF. The AMF derives the key K'_AMF from K_AMF for delivery to another AMF set for inter-AMF mobility. The receiving AMF uses K'_AMF as the key K_AMF. AMF creates K_NASint and K_NASenc, which are dedicated to protect the NAS layer. The AMF generates an access network specific key from the K_AMF. Specifically, AMF generates K_gNB and delivers it to gNB. In addition, the AMF generates NH and delivers it to the gNB along with the corresponding Next Hop Chaining Counter (NCC) value. The AMF may forward the NH key to another AMF along with the corresponding NCC value. AMF generates K_N3IWF and delivers it to N3IWF (Non-3GPP Inter-Working Function).

- keys in gNB

The gNB receives K_gNB and NH from the AMF. The gNB generates all additional keys dedicated to protect 5G NR from K_gNB and / or NH.

- N3IWF keys

N3IWF receives K_N3IWF from AMF. N3IWF uses K_N3IWF as the key MSK for IKEv2 between the UE and N3IWF in the procedure for untrusted Non-3GPP access.

ii) keys in the UE

There is a corresponding key in the UE for all keys in the network entity.

- keys in a Universal Subscriber Identity Module (USIM)

The USIM stores the same long-term key K stored in the APRF.

During the authentication and key agreement procedure, the USIM creates a key material from K and forwards it to the ME.

- Keys in Mobile Equipment (ME)

Hereinafter, a method of key handling during handover will be described.

1) Access Stratum (AS: Access Stratum)

Upon handover with the derivation of the vertical key, NH is assigned to the target physical cell identity (PCI) and the corresponding absolute radio-frequency channel number (ARFCN) -DL before being used as K_gNB in the target gNB. to. Upon handover with the derivation of the horizontal key, the currently active K_gNB is bound to the target PCI and the corresponding frequency ARFCN-DL before the K_gNB is used as K_gNB in the target eNB.

FIG. 6 illustrates a handover key chaining model in a wireless communication system to which the present invention may be applied.

FIG. 6 illustrates a general principle of key processing for K * _gNB / NH in handover.

Referring to FIG. 6, an outline of a key processing model for clarifying a structure for deriving a key will be described.

Whenever an initial AS security context needs to be established between the UE and the gNB, the AMF and the UE derive the K_gNB and Next Hop (NH) parameters. K_gNB and NH are derived from K_AMF. An NH Chaining Counter (NCC) is associated with each of the K_gNB and NH parameters. Every K_gNB is associated with an NCC corresponding to the NH value from which it was derived. In the initial phase, K_gNB is derived directly from K_AMF and is considered to be associated with a virtual NH parameter with an NCC value of zero. In the initial stage, the derived NH value is associated with an NCC value of 1. [

At the UE, the NH derivation associated with NCC = 1 may be delayed until the initial handover performs the vertical key derivation.

The AMF does not send the NH value to the gNB during initial connection setup. The gNB initializes the NCC value to 0 after receiving the S1-AP Initial Context Setup Request message.

The NH value associated with the NCC value 1 can not be used in the next Xn handover or the next intra-gNB handover since the AMF does not transmit the NH value to the gNB at initial connection setup. Thus, only the horizontal key derivation of the next Xn handover or the next intra-gNB handover is applied.

The initial {NH, NCC} pair is not used to derive K_gNB and is only used as the initial value for the NH chain.

The UE and the gNB use K_gNB to protect communication with each other. In handover, the base for the K_gNB to be used between the UE and the target gNB, referred to as K * _gNB, is derived from the currently active K_gNB or NH parameters. If K * _gNB is derived from the currently active K_gNB, this scheme is called horizontal key derivation and if K * _gNB is derived from the NH parameter, this scheme is called vertical key derivation.

Since the NH parameters can only be calculated by the UE and the AMF, the NH parameters are arranged to be provided from the AMF to the gNB in such a way that forward security can be achieved.

2) Non-Access Stratum (NAS)

On the NAS side, it is necessary to consider changing the K_AMF and possibly changing the NAS algorithm when changing the AMF that may occur in handover. In gNB handovers with AMF relocation, the source AMF and target AMF may not support the same set of NAS algorithms, and the source AMF and target AMF may have different priorities for use of the NAS algorithm There is a possibility of having. In this case, the target AMF re-derives the NAS keys from the existing K_AMF (if unchanged). The target AMF then derives the NAS keys from the new K_AMF (if changed) using the NAS algorithm identifier and the NAS algorithm type as inputs to the NAS key derivation function and sends it to the NAS SMC (Security Mode Complete). When K_AMF is unchanged, all inputs (in particular, K_AMF), except for the NAS algorithm identifier, will be the same during re-derivation. On the other hand, when K_AMF is changed, new NAS keys are derived irrespective of NAS algorithm change.

If the target AMF has decided to use a different NAS algorithm than the NAS algorithm used by the source AMF, then the NAS SMC containing the ng KSI (new or current value depending on whether primary authentication has been enabled) Should be transmitted.

Such NAS key and algorithm processing also applies to other AMF changes (e.g., a registration procedure involving AMF modification).

The key system and derivation in LTE are as follows. The key system and derivation for the 5G RAN has not yet been established.

7 illustrates a key distribution and key derivation scheme for a network node in an E-UTRAN.

Figure 7 illustrates the dependencies between different keys and how keys are derived at a network node.

8 illustrates a key derivation scheme for an ME in an E-UTRAN.

Figure 8 illustrates the correlation and key derivation of keys in the ME.

In FIGS. 7 and 8, two dotted line inputs to the KDF indicate that one of the inputs is used depending on the key derivation status.

7 and 8, the lengths of K_ASME, K_eNB, and NH are 256 bits. And the 256-bit NAS, UP and RRC keys are always derived from K_ASME and K_eNB, respectively. If the encryption or integrity algorithm used to protect the NAS, UP and RRC requires a 128 bit key as input, then the key is truncated and 128 least significant bits are used. Figures 7 and 8 illustrate truncation to a 128 bit key.

Hereinafter, a user plane (UP) security mechanism will be described.

1) UP confidentiality mechanism

The user plane data is encrypted by the PDCP protocol between the UE and the eNB.

The input parameters to the 128-bit EEA (EPS Encryption Algorithm) algorithm are 128 bit cipher key 'K_UPenc', 5 bit bearer identifier 'BEARER', 1 bit transmission direction 'DIRECTION' ) 'LENGTH', a 32-bit input 'COUNT' (corresponding to a 32-bit PDCP COUNT) that is bearer-specific and dependent on time and direction.

2) UP integrity mechanism

The following description applies only to the user plane on the Uu interface between the relay node (RN) and the donor eNB (DeNB)

User plane data is integrity-protected by the PDCP protocol between RN and DeNB. When integrity protection is activated, replay protection is activated. Replay protection ensures that the receiver will only accept each specific incoming PDCP COUNT value when using the same AS security context.

The input parameters to the 128-bit EIA (EPS Integrity Algorithm) algorithm include a 128-bit integrity key K_UPint, a 5-bit bearer identifier BEARER, a 1-bit transmission direction DIRECTION, a desired keystream length ' LENGTH ', a 32-bit input' COUNT '(which corresponds to a 32-bit PDCP COUNT) that is bearer-specific and dependent on time and direction.

Supervision of failed UP integrity checks should be performed on both RN and DeNB. If a failed integrity check is detected after integrity protection has been initiated (ie MAC-1 is incorrect or missing), the message shall be discarded. This may occur on the DeNB side or the RN side.

As noted above, with respect to the access network key, the anchor key shared between the access network and the UE is K_eNB (K_gNB in 5G). K_RRCint, K_RRCenc, K_UPenc, and K_UPint are generated from these anchor keys and are used for signaling of control plane and user plane and integrity and confidentiality protection of user data, respectively.

As shown in FIG. 3, if a 5G RAN (or NG-RAN) is separated into a CU (Central Unit) and a DU (Distributed Unit) in 5G, a CU in which a PDCP is located will receive or maintain a K_gNB It is assumed in 3GPP TS 33.501.

However, as shown in FIG. 4, in addition to the separation options of CU and DU in the 5G RAN, a method of improving the deployment efficiency by dividing the CU into the control plane entity and the user plane entity is discussed. According to this, an entity that maintains an actual access network key together with the UE, performs signaling using the access network key, decrypts user data, and performs integrity check is a CU-CP (CU-Control Plane entity ) And CU-UP (CU User Plane entity). That is, K_RRCint and K_RRCenc are used in the CU-CP, and K_UPenc and K_UPint are used in the CU-UP.

Also, there may be several CU-UPs for one UE and CU-CP. According to the conventional method, several CU-UPs have the same keys K_UPenc and K_UPint, and the same C_-CP is fixed and the same K_UPenc and K_UPint are used even when the CU-UP is changed or added. In this case, even if only one CU-UP is attacked to a certain UE, security of all CU-UPs is invalidated. Therefore, a method of separating the security context between each CU-UP is required.

That is, it is necessary to separate the security context of the user data between the CU-UPs to reduce the exposure risk from the external attack.

In order to solve such a problem, the present invention proposes a method of safely and efficiently configuring and using a UP key in a situation where a 5G access network is separated into a CP entity and an UP entity.

First, the CU-CP responsible for the control signaling of the access network, which can perform the role of security setup between the UE and the access network with the help of the AMF, transmits a K_gNB serving as an anchor key of the access network Management.

The CU-CP generates K_RRCint and K_RRCenc from K_gNB. At this time, for example, a method of generating K_RRCint and K_RRCenc from K_eNB in the 3GPP TS (Technical Specification) 33.501 (or 3GPP TS 33.401) may be used equally or similarly.

If a separate CU-UP is assigned to the corresponding UE (for example, before or during the transmission of user data), the CU-CP transmits a K_gNB-UP key, which is a key for generating K_UPint and K_UPenc for the corresponding UE by CU- It can be created using KDF. At this time, add CU-UP Counter as input. That is, FC (Function Code) = "value to be assigned later for K_gNB-UP", P0 = CU-UP counter (0 or a positive integer) as a key derivation function (KDF: Key Derivation Function) L0 = CU-UP Counter length can be used, and K_gNB can be used as key input value. For example, the KDF described in 3GPP TS 33.501, 3GPP TS 33.220 may be used. Here, FC is a value for identifying a key, P0 is a first value (initial value), and L0 is a value indicating the length of P0.

Here, adding / changing the CU-UP of the UE means that a bearer for the corresponding UE is added / changed.

The CU-UP counter is a value held while the UE and the security context are maintained in the CU-CP. The CU-UP counter is incremented by 1 every time the CU-UP is added or changed starting from 0. Accordingly, the K_gNB- -UP can be generated differently. Also, whenever a CU-UP counter is generated, it is delivered to the UE via RRC signaling. At this time, a confidentiality algorithm to be used in the CU-UP, and an integrity algorithm are transmitted. When the K_gNB is regenerated / refreshed in the CU-CP, the CU-UP counter starts again from zero. For example, when the range for the counter value is predetermined, the K_gNB may be regenerated / refreshed when the maximum value within the range is reached as the counter value is incremented by one. Alternatively, if the NAS key is changed, the K_gNB may be regenerated / refreshed.

The CU-UP generates K_UPenc and K_UPint from the K_gNB-UP and uses it to protect the integrity and confidentiality of the user plane data between the UE and the CU-UP. At this time, as a method of generating K_UPenc and K_UPint, a method of generating K_eNB, K_gNB, K_UPenc, and K_UPint from the existing 3GPP TS 33.401 and 3GPP TS 33.501 can be used equally. That is, it is different from using K_gNB-UP as a key instead of K_eNB and K_gNB.

The CU-CP does not need to maintain the K_gNB-UP after generating it and forwarding it to the CU-UP. Only the current CU-UP counter values need to be maintained. When the CU-CP is fixed and the CU-UP is changed (i.e., the intra CU-CP and the inter CU-UP handover), the CU-CP uses the increased CU-UP Counter value And transmits the new K_gNB-UP to the new CU-UP. Then, the CU-CP deletes the K_gNB-UP of the CU-UP (i.e., for the CU-UP before the intra CU-CP and the inter CU-UP handover) CU-UP deletes all existing K_gNB-UP, K_UPenc, and K_UPint.

The UE receives RRC signaling (e.g., via an RRC Connection Reconfiguration Request message), CU-UP counter, integrity, and confidentiality algorithm type / type information from the CU-CP. The UE generates a K_gNB-UP based on the K_gNB and the CU-UP counter value. Then, the UE generates K_UPenc and K_UPint based on the K_gNB-UP. The UE uses the generated K_UPenc and K_UPint for user data integrity and confidentiality protection, respectively. The method of generating the K_gNB-UP, K_UPenc, and K_UPint by the UE is the same as the method used in the CU-CP and CU-UP of the gNB.

As described above, the CU-CP separates the K_UPenc and K_UPint keys between multiple CU-UPs for the same UE and CU-CP. However, the CU-CP adds or deletes the access network anchor key K_gNB or the control plane keys K_RRCint and K_RRCenc, Since it is not necessary to newly generate a new key every time the key is changed, it is possible to efficiently manage the key and to separate the security context of the user data between the CU-UPs, thereby reducing the exposure risk from the external attack.

The method proposed in the present invention uses a function code (FC), a parameter (P0) and a parameter length (L0) as input values as defined in 3GPP TS 33.220, and a string generated by the HMAC Keyed-Hashing for Message Authentication (KDF).

Although the above description has been made on the assumption that the CU is divided into the CU-CP and the CU-UP for the sake of convenience of explanation, the above method is the same even when the access network is separated into CP and UP entities Key generation and use method.

9 is a diagram illustrating a method of protecting user data according to an embodiment of the present invention.

As shown in FIG. 9, a base station (i.e., access network) can be separated into one CP and one or more UP entities. Also, as described above, the base station is divided into a CU and a DU, and a CU can be separated into one CU-CP and one or more CU-UP entities.

9, when a CP entity (or a CU-CP entity) of a base station is allocated a UP entity (or a CU-UP entity) for the UE, the CP entity transmits a counter value (K_gNB) The base station UP key K_gNB-UP for the UP entity is generated based on the base station UP key (S901).

At this time, the base station key K_gNB may be generated by the AMF, and the CP entity of the base station may be received from the AMF. Alternatively, the base station CP entity may preliminarily receive and generate values necessary for base station key generation from the AMF.

Also, the UP entity of one or more base stations may be assigned to the UE. In this case, the CP entity may include a base station UP key (K_gNB-UP) based on the base station key (K_gNB) Can be generated.

At this time, when a plurality of UP entities are allocated to the UE, the counter values may be generated differently for each UP entity. As described above, the counter value is maintained while the CP entity maintains the security context for the UE, and can be incremented by one each time the UP entity is added or changed. Also, if the base station key K_gNB is regenerated / refreshed, the counter value may be initialized to zero.

Also, when the CP entity for the UE is fixed and the UP entity is changed, a base station UP key (K_gNB-UP) for the new UP entity may be generated based on the base station key K_gNB and the counter value for the new UP entity have.

The CP entity transmits (K_gNB-UP) to the UP entity (S902).

The UP entity generates an integrity key K_UPint for protecting the integrity of the UE data and an encryption key K_UPenc for protecting the confidentiality based on the base station UP key K_gNB-UP in operation S903.

Then, the integrity protection of the user data is performed using the generated integrity key K_UPint, and the confidentiality protection of the user data is performed using the generated encryption key K_UPenc.

Meanwhile, the CP entity may generate a counter value for the UP entity, and may transmit the generated counter value and the type / type information of the security algorithm (for example, integrity algorithm and encryption (confidentiality) algorithm) to the UE via RRC signaling . The operation of the UE that has received it will be described with reference to the following drawings.

10 is a diagram illustrating a method of protecting user data according to an embodiment of the present invention.

10, the CP entity of the base station generates a counter value for the UP entity of the base station and transmits the generated counter value and the type / type information of the security algorithm (for example, integrity algorithm and encryption (confidentiality) algorithm) And transmits it to the UE through signaling (S1001).

As described above, when a plurality of UP entities are allocated to the UE, the counter values may be generated differently for each UP entity. Also, the counter value is maintained while the CP entity maintains the security context for the UE, and may be incremented by one each time the UP entity is added or changed. Also, if the base station key K_gNB is regenerated / refreshed, the counter value may be initialized to zero.

The UE generates a base station UP key (K_gNB-UP) for the UP entity of the base station based on the base station key (K_gNB) and the counter value for the UP entity (S1002).

At this time, the base station key K_gNB is generated by the AMF or the base station CP entity, and the UE can directly generate based on the values received from the AMF.

The UE generates an integrity key K_UPint for protecting the integrity of the UE's data and an encryption key K_UPenc for confidentiality protection based on the base station UP key K_gNB-UP in operation S1003. Then, the integrity protection of the user data is performed using the generated integrity key K_UPint, and the confidentiality protection of the user data is performed using the generated encryption key K_UPenc.

11 illustrates a block diagram of a network node according to an embodiment of the present invention.

11, a network node 1110 includes a processor 1111, a memory 1112, and a transceiver 1113.

The processor 1111 implements the functions, processes and / or methods suggested in FIGS. 1 to 10 above. The layers of the wired and wireless interface protocol may be implemented by the processor 1111. The memory 1112 is connected to the processor 1111 and stores various information for driving the processor 1111. [ The transceiver 1113 is coupled to the processor 1111 to transmit and / or receive wireless signals.

The memory 1112 can be internal or external to the processor 1111 and can be coupled to the processor 1111 in a variety of well known means.

In one example of network node 1110, a new network entity may be included or included in the network entity (e.g., base station, AMF, ARPF, UDM, etc.) illustrated in FIG.

The memory 1112 stores the various keys described above.

The network node 1110 may correspond to a base station. Also, as described above, the base station may be divided into one CU entity and one or more UP entities. In this case, the network node 1110 may be a CP entity of a base station or an UP entity of a base station.

When the network node 1110 is the CP entity of the base station, the processor 1111 determines whether the UP entity (or the CU-UP entity) of the base station for the UE is allocated the base station key K_gNB and the counter value And generates a base station UP key (K_gNB-UP) for the UP entity based on the base station UP key. Then, the processor 1111 transmits the base station UP key (K_gNB-UP) to the UP entity. In addition, the processor 1111 may transmit the counter value and the security algorithm type information for the UP entity (or the CU-UP entity) of the base station to the UE through the transceiver 1113.

Or if the network node 1110 is the UP entity of the base station, the processor 1111 determines integrity of the UE data based on the base station UP key (K_gNB-UP) received from the CP entity of the base station And generates an encryption key (K_UPenc) for protecting the key (K_UPINT) and confidentiality. The processor 1111 performs integrity protection of the user data using the generated integrity key K_UPint and protects confidentiality of the user data using the generated encryption key K_UPenc.

12 illustrates a block diagram of a user equipment according to an embodiment of the present invention.

12, a user device 1110 includes a processor 1211, a memory 1212, and a transceiver 1213. [

The processor 1211 implements the functions, processes and / or methods suggested in FIGS. 1 to 10 above. The layers of the wired and wireless interface protocol may be implemented by the processor 1211. The memory 1212 is coupled to the processor 1211 and stores various information for driving the processor 1211. The transceiver 1213 is coupled to the processor 1211 to transmit and / or receive wireless signals.

The memory 1212 may be internal or external to the processor 1211 and may be coupled to the processor 1211 by various well known means.

The memory 1212 stores the various keys described above.

The processor 1211 receives the counter value and the security algorithm type information for the UP entity (or the CU-UP entity) of the base station through the transceiver 1213.

The processor 1211 generates a base station UP key (K_gNB-UP) for the UP entity of the base station based on the base station key K_gNB and the counter value for the UP entity.

The processor 1211 generates an integrity key K_UPint for protecting the integrity of the UE data and an encryption key K_UPenc for protecting the confidentiality based on the base station UP key K_gNB-UP .

The processor 1211 performs integrity protection of the user data using the generated integrity key K_UPint and protects confidentiality of the user data using the generated encryption key K_UPenc.

The embodiments described above are those in which the elements and features of the present invention are combined in a predetermined form. Each component or feature shall be considered optional unless otherwise expressly stated. Each component or feature may be implemented in a form that is not combined with other components or features. It is also possible to construct embodiments of the present invention by combining some of the elements and / or features. The order of the operations described in the embodiments of the present invention may be changed. Some configurations or features of certain embodiments may be included in other embodiments, or may be replaced with corresponding configurations or features of other embodiments. It is clear that the claims that are not expressly cited in the claims may be combined to form an embodiment or be included in a new claim by an amendment after the application.

Embodiments in accordance with the present invention may be implemented by various means, for example, hardware, firmware, software, or a combination thereof. In the case of hardware implementation, an embodiment of the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs) field programmable gate arrays, processors, controllers, microcontrollers, microprocessors, and the like.

In the case of an implementation by firmware or software, an embodiment of the present invention may be implemented in the form of a module, a procedure, a function, or the like which performs the functions or operations described above. The software code can be stored in memory and driven by the processor. The memory is located inside or outside the processor and can exchange data with the processor by various means already known.

It will be apparent to those skilled in the art that the present invention may be embodied in other specific forms without departing from the essential characteristics thereof. Accordingly, the foregoing detailed description is to be considered in all respects illustrative and not restrictive. The scope of the present invention should be determined by rational interpretation of the appended claims, and all changes within the scope of equivalents of the present invention are included in the scope of the present invention.

Although the present invention has been described with reference to the example applied to the 5G system, it can be applied to various wireless communication systems other than the 3GPP 5G system.

Claims (9)

CLAIMS What is claimed is: 1. A method for protecting user data in a wireless communication system, the base station comprising a control plane (CP) entity and at least one user plane (UP) When the UP entity for a user equipment (UE) is allocated, the CP entity generates a base station UP key for the UP entity based on a base station key and a counter value for the UP entity; The CP entity transmitting the base station UP key to the UP entity; The UP entity generating an encryption key for integrity key and confidentiality protection for integrity protection of data of the UE based on the base station UP key; And Wherein the UP entity performs integrity and confidentiality protection of data of the UE using the integrity key and the encryption key, Wherein when the plurality of UP entities are allocated to the UE, the counter values are generated differently for each UP entity. The method according to claim 1, Wherein the counter value is maintained while the CP entity maintains a security context for the UE and is incremented by one each time the UP entity is added or changed. The method according to claim 1, And the CP entity transmits the counter value and the security algorithm type information to the UE through Radio Resource Control (RRC) signaling. The method according to claim 1, Wherein the counter value is initialized to zero when the base station key is refreshed. The method according to claim 1, Wherein the CP entity for the UE is fixed and a base station UP key for the new UP entity is generated based on the base station key and a counter value for a new UP entity when the UP entity is changed. 1. A method for protecting user data and a base station in a wireless communication system in which a user equipment (UE) comprises a control plane (CP) entity and at least one user plane (UP) , Receiving, from the CP entity, a counter value for the UP entity and security algorithm type information through radio resource control (RRC) signaling when the UP entity for the UE is allocated; Generating a base station UP key for the UP entity based on the base station key and the counter value; Generating an encryption key for protecting an integrity key and confidentiality for integrity protection of data of the UE based on the base station UP key; And And performing integrity and confidentiality protection of data of the UE using the integrity key and the encryption key. The method according to claim 6, Wherein when the plurality of UP entities are allocated to the UE, the counter values are generated differently for each UP entity. The method according to claim 6, Wherein the counter value is maintained while the CP entity maintains a security context for the UE and is incremented by one each time the UP entity is added or changed. The method according to claim 6, Wherein the counter value is initialized to zero when the base station key is refreshed.

Images