
WO2021244569A1 - Data transmission method and system, electronic device, and storage medium - Google Patents


Info

Publication number
WO2021244569A1
Authority
WO
WIPO (PCT)
Prior art keywords
user plane
key
target user
functional entity
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2021/097900
Other languages
French (fr)
Chinese (zh)
Inventor
毛玉欣
闫新成
游世林
彭锦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the present disclosure relates to, but is not limited to, the field of communication security.
  • the present disclosure provides a data transmission method applied to a first control plane functional entity. The method includes: determining target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and sending a first notification message to the target user equipment, where the first notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • the present disclosure provides a data transmission method applied to a second control plane functional entity.
  • the method includes: receiving a second notification message sent by the first control plane functional entity, where the second notification message notifies the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data transmitted between them; generating the first key; and sending the first key to the user plane functional entity.
  • the present disclosure provides a data transmission method applied to a user plane functional entity. The method includes: obtaining a first key and generating a second key from the first key, where the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between them; and performing security protection processing with the second key on the target user plane data transmitted between the target user equipment and the user plane functional entity.
  • the present disclosure provides a data transmission method applied to a target user equipment.
  • the method includes: receiving a first notification message sent by a first control plane functional entity, where the first notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • the present disclosure provides an electronic device, which includes: at least one processor; a memory on which at least one program is stored.
  • when the at least one program is executed by the at least one processor, the at least one processor implements any one of the data transmission methods described herein.
  • the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, any one of the data transmission methods described herein is implemented.
  • the present disclosure provides a data transmission system, including: a first control plane functional entity configured to determine target user plane data that needs to be securely protected between a target user equipment and a user plane functional entity, and to send a first notification message to the target user equipment, where the first notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity; and the target user equipment, configured to receive the first notification message sent by the first control plane functional entity.
  • Figure 1 is a schematic diagram of the security protection mechanism for data transmission in a 5G network as defined by 3rd Generation Partnership Project (3GPP) Release 15 (R15) in the related art;
  • FIG. 2 is a flowchart of a data transmission method provided by the present disclosure.
  • FIG. 3 is a flowchart of a data transmission method provided by the present disclosure.
  • FIG. 4 is a flowchart of a data transmission method provided by the present disclosure.
  • FIG. 5 is a flowchart of a data transmission method provided by the present disclosure.
  • FIG. 6 is a flowchart of the data transmission method provided in Example 1 of the present disclosure.
  • FIG. 7 is a flowchart of the data transmission method provided in Example 2 of the present disclosure.
  • FIG. 8 is a flowchart of the data transmission method provided in Example 3 of the present disclosure.
  • FIG. 9 is a schematic diagram of the structure of the protocol stack provided in Example 4 of the present disclosure.
  • FIG. 10 is a block diagram of a data transmission device provided by the present disclosure.
  • FIG. 11 is a block diagram of a data transmission device provided by the present disclosure.
  • FIG. 12 is a block diagram of a data transmission device provided by the present disclosure.
  • FIG. 13 is a block diagram of a data transmission device provided by the present disclosure.
  • FIG. 14 is a block diagram of a data transmission system provided by the present disclosure.
  • 5G has carried out a deep reconstruction of the network architecture.
  • a service-oriented architecture is introduced.
  • virtualized network functions are built on demand according to application requirements, and network slices are built to provide network service performance that better meets those requirements. For example, for IoT applications whose terminals have fixed locations, there is no need to include mobility management functions when constructing the network slice that serves them; for low-latency applications, the network slice is constructed accordingly.
  • the user plane function (UPF, User Plane Function) is deployed at the edge of the network to shorten the data transmission delay and meet the application's requirements on network latency.
  • 5G can provide network services with different characteristics for different applications with the help of emerging technologies such as virtualization and network slicing.
  • Because 5G networks provide network services for applications in various industries, they carry many kinds of high-value application data and sensitive data such as private information. Attacks on networks to obtain or tamper with data have never stopped, and as the business data carried by 5G networks keeps growing richer, attack methods keep evolving. Therefore, protection measures such as integrity and ciphering protection of data during network transmission are indispensable.
  • Confidentiality refers to the encrypted transmission of data, preventing the data from being eavesdropped on and illegally obtained during transmission; integrity refers to integrity protection of the transmitted data at the sending end and integrity verification at the receiving end, preventing the data from being tampered with during transmission.
  • the data transmitted by the 5G network is divided into two categories: one is control plane signaling data, such as the signaling for users registering to the network and the signaling for slice sessions accessing the network; the other is user plane data for users' services, such as data for online video services.
  • Figure 1 is a schematic diagram of the security protection mechanism in the process of data transmission in the 5G network defined by the 3rd Generation Partnership Project (3GPP, The 3rd Generation Partnership Project) R15.
  • A in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the user equipment (UE, User Equipment) and the access network (RAN, Radio Access Network);
  • B in Figure 1 represents the confidentiality and/or integrity protection of user plane data between the UE and the RAN;
  • C in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the UE and the 5G core network (5GC, 5G Core network), but confidentiality and/or integrity protection of the user plane data transmitted between the UE and the 5GC has not yet been required.
  • User plane data is transmitted in plain text between the RAN and the 5GC, as shown at D in Figure 1.
  • Since 5G provides network services for vertical industries, based on the business characteristics of those industries it is necessary to provide security protection for user plane data along the transmission path from the UE to the 5GC, mainly for the following reasons:
  • the configuration of the access network functional entity is easier to expose, and the encryption, authentication and user plane integrity protection configured on the access network functional entity side are more vulnerable to attack.
  • the network nodes on the core network side have stronger computing capabilities, which helps reduce the delay of data interaction, and vertical industries often attach great importance to a low-latency experience.
  • Network slicing operators may lease RAN resources from other operators. From the perspective of a network slicing operator or an industry application, the access network functional entity is not an absolutely trusted device. Therefore, network slicing operators and industry applications want the security of data transmission to terminate on the core network side rather than at the access network functional entity of the access network.
  • One existing solution is to implement encryption and/or integrity protection for all data transmitted between the boundary network elements of the access network and the boundary network elements of the core network. Data is then encrypted regardless of whether it has an encryption requirement, which reduces processing efficiency and increases business delay.
  • the access network functional entity still participates in the process of data encryption and decryption and/or integrity verification, so the risks that the access network functional entity is untrusted or is attacked, with the resulting data security problems, remain.
  • Another existing solution is that the application itself provides protection mechanisms such as application layer encryption to ensure the security of user plane data.
  • For example, some applications use Secure Sockets Layer (SSL, Secure Sockets Layer) to encrypt application data in transit.
  • not every application has the functions of encrypting, protecting and verifying user plane data at the application layer.
  • the above-mentioned solutions are specific to individual applications and are not easy to roll out widely.
  • Fig. 2 is a flowchart of a data transmission method of the present disclosure.
  • the present disclosure provides a data transmission method applied to a first control plane functional entity (for example, it can be executed by the first control plane functional entity).
  • the method may include step 200 and step 201.
  • In step 200, the target user plane data that needs to be secured between the target user equipment and the user plane functional entity is determined.
  • the target user plane data that needs to be secured between the target user equipment and the user plane functional entity may be determined according to the user subscription information.
  • the target user plane data that needs to be secured between the target user equipment and the user plane functional entity may also be determined according to whether a first notification message sent by the second control plane functional entity is received, where that first notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity. For example, receiving the first notification message sent by the second control plane functional entity indicates that the target user plane data needs to be securely protected between the target user equipment and the user plane functional entity; not receiving the first notification message from the second control plane functional entity indicates that there is no need to securely protect the user plane data between the target user equipment and the user plane functional entity.
  • the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration process of the target UE to the core network, for example, after the authentication process is completed.
  • the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.
  • PDU Protocol Data Unit
  • SMF Session Management Function
  • a first notification message is sent to the target user equipment, where the first notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • the first notification message may be sent to the target UE during the registration process of the target UE to the core network, for example, after the authentication process is completed, the first notification message is sent to the target UE.
  • after receiving the first notification message, the target UE confirms the target user plane data that needs to be secured between the target user equipment and the user plane functional entity.
  • the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.
  • the first notification message may be sent to the target UE during the PDU session establishment process, for example, after receiving the PDU session context creation response from the SMF entity, the first notification message is sent to the target UE.
  • the target user plane data is the user plane data transmitted by the target UE to the user plane functional entity through the PDU session.
  • For some UEs, after determining that all of the UE's user plane data needs to be secured between the user equipment and the user plane functional entity, the first notification message is sent to the UE; for other UEs, after determining that none of the UE's user plane data needs to be secured between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
  • In this way, the user plane data of all UEs is not secured between the UE and the user plane functional entity; only the user plane data of some UEs is.
  • the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
  • For some PDU sessions of the UE, after determining that all user plane data transmitted through the PDU session needs security protection between the user equipment and the user plane functional entity, the first notification message is sent to the UE; for other PDU sessions of the UE, after determining that none of the user plane data transmitted through the PDU session requires security protection between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
  • In this way, the user plane data corresponding to all PDU sessions of the UE is not securely protected between the UE and the user plane functional entity; only the user plane data corresponding to some of the UE's PDU sessions is.
  • Which PDU sessions of the UE have their user plane data securely protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can subscribe with the operator according to their own needs.
  • the method further includes: generating a first key, and sending the first key to the user plane functional entity; wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the anchor key may be generated first, and then the first key may be generated according to the anchor key.
  • the first key is used for key isolation, preventing one key from being leaked and affecting the security of other keys, improving security.
  • the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
  • the encryption key is used for confidentiality protection of user plane data between the UE and the core-network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core-network user plane functional entity.
  • the first key is the first key corresponding to the target UE
  • the second key is the second key corresponding to the target UE.
  • the first keys corresponding to different UEs may be the same or different.
  • the second keys corresponding to different target UEs may be the same or different.
  • the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
  • one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
  • the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • the method further includes: sending a second notification message to the second control plane functional entity, where the second notification message notifies the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity can perform security protection on the target user plane data; the security protection of the target user plane data between the target user equipment and the user plane functional entity is thus realized.
  • Fig. 3 is a flowchart of a data transmission method of the present disclosure.
  • the present disclosure provides a data transmission method applied to a second control plane functional entity (for example, it may be executed by the second control plane functional entity).
  • the method may include step 300 and step 301.
  • In step 300, a second notification message sent by a first control plane functional entity is received, where the second notification message notifies the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
  • the encryption key is used for confidentiality protection of user plane data between the UE and the core-network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core-network user plane functional entity.
  • the first key is the first key corresponding to the target UE
  • the second key is the second key corresponding to the target UE.
  • the first keys corresponding to different UEs may be the same or different.
  • the second keys corresponding to different target UEs may be the same or different.
  • the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
  • one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
  • the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • In step 301, the first key is generated and sent to the user plane functional entity.
  • the first key may be generated according to the anchor key carried in the second notification message.
  • the first key is used for key isolation, preventing one key from being leaked and affecting the security of other keys, and improving security.
  • before receiving the second notification message sent by the first control plane functional entity, the method may further include: determining target user plane data that needs to be secured between the target user equipment and the user plane functional entity; and sending a first notification message to the first control plane functional entity, where the first notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • the target user plane data that needs to be secured between the target user equipment and the user plane functional entity may be determined according to the user subscription information.
  • the specific determination strategy is not used to limit the protection scope of the present disclosure, and will not be repeated here.
  • the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration process of the target UE to the core network, for example, after the authentication process is completed.
  • the target user plane data is all user plane data of the target UE.
  • the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the establishment of the PDU session, for example, after receiving the PDU session context creation response from the SMF entity.
  • the target user plane data is the user plane data transmitted by the target UE to the user plane functional entity through the PDU session.
  • For some UEs, after determining that all of the UE's user plane data needs to be secured between the user equipment and the user plane functional entity, the first notification message is sent to the UE; for other UEs, after determining that none of the UE's user plane data needs to be secured between the user equipment and the user plane functional entity, the first notification message is not sent to the UE.
  • In this way, the user plane data of all UEs is not secured between the UE and the user plane functional entity; only the user plane data of some UEs is.
  • the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
  • For some PDU sessions of the UE, the first notification message is sent to the UE; for other PDU sessions of the UE, the first notification message is not sent to the UE. In this way, the user plane data corresponding to all PDU sessions of the UE is not securely protected between the UE and the user plane functional entity; only the user plane data corresponding to some of the UE's PDU sessions is.
  • Which PDU sessions of the UE have their user plane data securely protected between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can subscribe with the operator according to their own needs.
  • the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity can perform security protection on the target user plane data; the security protection of the target user plane data between the target user equipment and the user plane functional entity is thus realized.
  • Fig. 4 is a flowchart of a data transmission method of the present disclosure.
  • embodiments of the present disclosure provide a data transmission method, which is applied to a user plane functional entity (for example, it can be executed by a user plane functional entity).
  • the method may include step 400 and step 401.
  • In step 400, a first key is obtained, and a second key is generated from the first key; the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • obtaining the first key includes: receiving the first key sent by the first control plane functional entity.
  • obtaining the first key includes: receiving the first key sent by a second control plane functional entity.
  • the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
  • the encryption key is used for confidentiality protection of user plane data between the UE and the core-network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core-network user plane functional entity.
  • the first key is the first key corresponding to the target UE
  • the second key is the second key corresponding to the target UE.
  • the first keys corresponding to different UEs may be the same or different.
  • the second keys corresponding to different target UEs may be the same or different.
  • the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
  • one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
  • the second key is the second key corresponding to the UE’s Protocol Data Unit (PDU, Protocol Data Unit) session.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • For some UEs, if the first key corresponding to the UE is obtained, all user plane data of the UE needs to be secured between the UE and the user plane functional entity; for other UEs, if the first key corresponding to the UE is not obtained, none of the user plane data of the UE needs to be secured between the UE and the user plane functional entity. In this way, the user plane data of all UEs is not secured between the UE and the user plane functional entity; only the user plane data of some UEs is.
  • the security protection of the user plane data of the UE between the UE and the user plane functional entity can be determined according to the subscription data of the UE, and the user can sign a contract with the operator according to their own needs.
  • For some PDU sessions of the UE, if the first key corresponding to the PDU session is obtained, all user plane data transmitted by the UE through that PDU session needs to be protected between the UE and the user plane functional entity; for other PDU sessions of the UE, if the first key corresponding to the PDU session is not obtained, none of the user plane data transmitted by the UE through that PDU session needs to be securely protected between the UE and the user plane functional entity. In this way, the user plane data corresponding to all PDU sessions of the UE is not securely protected between the UE and the user plane functional entity; only the user plane data corresponding to some of the UE's PDU sessions is.
  • Which PDU sessions of the UE have their user plane data protected between the UE and the user plane functional entity can be determined according to the UE's subscription data, and the user can subscribe with the operator according to their own needs.
  • the second key can be generated in multiple ways.
  • the specific generation method is not used to limit the scope of protection of the present disclosure.
  • the present disclosure emphasizes that the second key, used to secure user plane data between the user equipment and the user plane functional entity, is different from the key used to secure user plane data or control plane data between the UE and the RAN functional entity.
  • the RAN does not participate in the security protection of user plane data between the UE and the user plane functional entity.
  • step 401 security protection processing is performed on the target user plane data transmitted between the target user equipment and the user plane functional entity through the second key.
  • the second key includes a confidentiality key and/or an integrity key.
  • performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity through the second key includes one of the following: using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the confidentiality key to decrypt the target user plane data received from the target user equipment; or using the integrity key to integrity-protect the target user plane data sent to the target user equipment, and using the integrity key to verify the integrity of the target user plane data received from the target user equipment; or using the confidentiality key to encrypt the target user plane data sent to the target user equipment and then using the integrity key to integrity-protect the encrypted data, and using the integrity key to verify the integrity of the target user plane data received from the target user equipment and, after the verification passes, using the confidentiality key to decrypt it.
  • performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity by using the second key includes: before the downlink target user plane data sent to the target user equipment is encapsulated in PDCP (Packet Data Convergence Protocol), using the second key to perform the first security protection process on the downlink target user plane data, and sending the downlink target user plane data after the first security protection process to the target user equipment; and, after PDCP decapsulation of the uplink target user plane data received from the target user equipment after the first security protection process, using the second key to perform the second security protection process on that uplink target user plane data.
  • the second key is the second key corresponding to the target UE
  • the downlink target user plane data sent to the target UE is all downlink target user plane data sent by the user plane functional entity to the target UE.
  • the received uplink target user plane data from the target UE after the first security protection processing is all the uplink target user plane data from the target UE received by the user plane function entity.
  • the second key is used to perform the first security protection process on all downlink target user plane data sent by the user plane functional entity to the target UE, and to perform the second security protection process on all uplink target user plane data received from the target UE.
  • the second key is the second key corresponding to the PDU session of the target UE.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • the downlink target user plane data sent to the UE is the downlink user plane data sent by the core network to the UE through the PDU session, and the uplink target user plane data received from the UE after the first security protection process is the uplink user plane data from the UE received by the core network through the PDU session.
  • the second key is used to perform the first security protection process on the downlink target user plane data sent by the user plane functional entity to the target UE through the PDU session corresponding to the second key; the downlink user plane data sent to the UE through other PDU sessions (those not corresponding to the second key) does not require the first security protection process, and is handled according to the existing technology.
  • the security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described below.
  • if the second key only includes an encryption key, using the second key to perform the first security protection process on the downlink target user plane data includes encrypting the downlink target user plane data with the encryption key, and using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes decrypting the encrypted uplink target user plane data with the encryption key.
  • if the second key only includes an integrity key, using the second key to perform the first security protection process on the downlink target user plane data includes integrity-protecting the downlink target user plane data with the integrity key, and using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes verifying the integrity of the integrity-protected uplink target user plane data with the integrity key.
  • if the security protection includes both confidentiality protection and integrity protection, the second key includes an encryption key and an integrity key.
  • using the second key to perform the first security protection process on the downlink target user plane data includes encrypting the downlink target user plane data with the encryption key and then integrity-protecting the encrypted downlink target user plane data with the integrity key; using the second key to perform the second security protection process on the uplink target user plane data after the first security protection process includes verifying the integrity of the encrypted and integrity-protected uplink target user plane data with the integrity key and, after the verification passes, decrypting the uplink target user plane data with the encryption key.
  • the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity secure the target user plane data between them; the RAN does not participate in securing user plane data between the UE and the core network.
  • the RAN transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which suits scenarios where the RAN is untrusted and vulnerable to attack.
  • Fig. 5 is a flowchart of a data transmission method of the present disclosure.
  • the present disclosure provides a data transmission method applied to a target UE (for example, it may be executed by the target UE).
  • the method may include step 500.
  • step 500 a first notification message sent by a first control plane functional entity is received, where the first notification message is used to indicate that the target user plane data is to be secured between the target user equipment and the user plane functional entity.
  • if the first notification message from the first control plane functional entity is not received, this process ends.
  • if the UE receives the first notification message from the first control plane functional entity during the registration of the UE with the core network, all user plane data of the UE needs to be secured between the UE and the user plane functional entity; for other UEs, if the UE does not receive the first notification message from the first control plane functional entity during its registration with the core network, none of that UE's user plane data needs to be secured between the UE and the user plane functional entity.
  • in this way, the user plane data of only some UEs, rather than of all UEs, is secured between the UE and the user plane functional entity.
  • whether the user plane data of a UE is secured between the UE and the user plane functional entity can be determined according to the subscription data of the UE; the user can subscribe with the operator according to their own needs.
  • if the first notification message from the first control plane functional entity is received during the establishment of a PDU session, the user plane data transmitted by the UE through that PDU session needs to be secured between the UE and the user plane functional entity; for other PDU sessions of the UE, if the first notification message from the first control plane functional entity is not received during the establishment of the PDU session, the user plane data transmitted by the UE through that PDU session does not need to be secured between the UE and the user plane functional entity.
  • in this way, the user plane data of only some PDU sessions of the UE, rather than of all its PDU sessions, is secured between the UE and the user plane functional entity.
  • which PDU sessions of the UE have their user plane data secured between the UE and the user plane functional entity can be determined according to the subscription data of the UE; the user can subscribe with the operator according to their own needs.
  • the method may further include: generating a first key, and generating a second key according to the first key; wherein the second key is used by the target user equipment and the user plane functional entity to secure the target user plane data between the target user equipment and the user plane functional entity.
  • the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes an encryption key and an integrity key.
  • the encryption key is used for confidentiality protection of user plane data between the UE and the core network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core network user plane functional entity.
  • the first key is the first key corresponding to the target UE
  • the second key is the second key corresponding to the target UE.
  • the first keys corresponding to different target UEs may be the same or different, and the second keys corresponding to different target UEs may be the same or different.
  • the first key is the first key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
  • one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key;
  • the second key is the second key corresponding to the UE's PDU session.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • the method may further include: performing security protection processing on target user plane data transmitted between the target user equipment and the user plane functional entity through the second key.
  • the second key includes a confidentiality key and/or an integrity key.
  • performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity through the second key includes one of the following: using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the confidentiality key to decrypt the target user plane data received from the user plane functional entity; or using the integrity key to integrity-protect the target user plane data sent to the user plane functional entity, and using the integrity key to verify the integrity of the target user plane data received from the user plane functional entity; or using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity and then using the integrity key to integrity-protect the encrypted data, and using the integrity key to verify the integrity of the target user plane data received from the user plane functional entity and, after the verification passes, using the confidentiality key to decrypt it.
  • performing security protection on the target user plane data transmitted between the target user equipment and the user plane functional entity by using the second key includes: before PDCP encapsulation of the uplink target user plane data, using the second key to perform the first security protection process on the uplink target user plane data, and sending the uplink target user plane data after the first security protection process to the user plane functional entity; and, after PDCP decapsulation of the downlink target user plane data received from the user plane functional entity after the first security protection process, using the second key to perform the second security protection process on that downlink target user plane data.
  • the second key is the second key corresponding to the target UE
  • the uplink target user plane data sent to the user plane functional entity is all uplink user plane data sent by the target UE to the user plane functional entity, and the downlink target user plane data received from the user plane functional entity after the first security protection process is all downlink user plane data from the user plane functional entity received by the target UE.
  • the second key is used to perform the first security protection process on all uplink target user plane data sent by the target UE to the user plane functional entity, and to perform the second security protection process on all downlink target user plane data received from the user plane functional entity.
  • the second key is the second key corresponding to the protocol data unit (PDU, Protocol Data Unit) session of the target UE.
  • one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.
  • the uplink target user plane data sent to the user plane functional entity is the uplink user plane data sent by the target UE to the user plane functional entity through the PDU session, and the downlink target user plane data received from the user plane functional entity after the first security protection process is the downlink user plane data from the user plane functional entity received by the UE through the PDU session.
  • the second key is used to perform the first security protection process on the uplink target user plane data sent by the target UE to the user plane functional entity through the PDU session corresponding to the second key; the uplink user plane data sent by the target UE to the user plane functional entity through other PDU sessions (those not corresponding to the second key) does not require the first security protection process, and is handled according to the existing technology.
  • the security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described below.
  • if the second key only includes an encryption key, using the second key to perform the first security protection process on the uplink target user plane data includes encrypting the uplink target user plane data with the encryption key, and using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes decrypting the encrypted downlink target user plane data with the encryption key.
  • if the second key only includes an integrity key, using the second key to perform the first security protection process on the uplink target user plane data includes integrity-protecting the uplink target user plane data with the integrity key, and using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes verifying the integrity of the integrity-protected downlink target user plane data with the integrity key.
  • if the security protection includes both confidentiality protection and integrity protection, the second key includes an encryption key and an integrity key.
  • using the second key to perform the first security protection process on the uplink target user plane data includes encrypting the uplink target user plane data with the encryption key and then integrity-protecting the encrypted uplink target user plane data with the integrity key; using the second key to perform the second security protection process on the downlink target user plane data after the first security protection process includes verifying the integrity of the encrypted and integrity-protected downlink target user plane data with the integrity key and, after the verification passes, decrypting the downlink target user plane data with the encryption key.
  • the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity secure the target user plane data between them; the RAN does not participate in securing user plane data between the UE and the core network.
  • the RAN transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which suits scenarios where the RAN is untrusted and vulnerable to attack.
  • the first control plane functional entity, the second control plane functional entity, and the user plane functional entity are set in different devices in the core network.
  • the first control plane functional entity and the second control plane functional entity are control plane network functions responsible for user equipment access and service processing.
  • the user plane function entity is a forwarding plane network function that processes user application data.
  • the first control plane functional entity is an access management function (AMF, Access Management Function)
  • the second control plane functional entity is a session management function (SMF, Session Management Function)
  • the user plane functional entity is the user plane function (UPF, User Plane Function).
  • the first control plane functional entity is a mobility management entity (MME, Mobility Management Entity), and the user plane functional entity is a serving gateway (SGW) or packet gateway (PGW).
  • in some scenarios the access equipment is not trusted by the application, and an encrypted channel needs to be established directly between the UE and the core network equipment; or, in the scenario where multiple core network operators share an access network, an encrypted channel also needs to be established between the UE and each core network in order to ensure data security.
  • the key required for user plane data encryption can be generated during the registration and authentication phase of the UE accessing the core network, so that the user plane data can be encrypted for transmission when the UE conducts services.
  • the first control plane functional entity is an AMF entity
  • the user plane functional entity is a UPF entity.
  • the UE requests to access the 5G network and initiates a registration authentication request to the AMF entity.
  • the RAN functional entity routes the registration authentication request to the AMF entity according to the subscription concealed identifier (SUCI, Subscription Concealed Identifier) in the registration authentication request.
  • the authentication process is completed between the UE, the AMF entity, the authentication server function (AUSF, Authentication Server Function) entity, and the unified data management (UDM, Unified Data Management) entity.
  • after the authentication process is completed, the AMF entity generates the anchor key KSEAF. If the AMF entity decides that the user plane data needs to be secured between the UE and the user plane functional entity (for example, the operator policy or user subscription information stipulates that the user plane data needs to be secured between the UE and the user plane functional entity, and the AMF entity needs to secure the user plane data between the UE and the user plane functional entity according to the operator's policy or user subscription information), the AMF entity derives a key from KSEAF using the key generation algorithm and finally generates the first (intermediate) key K1.
  • the AMF entity may send the first key K1 to the UPF entity through the session management function (SMF, Session Management Function) entity during the PDU session establishment process.
  • the UPF entity saves the first key K1.
  • the AMF entity notifies the UE that the user plane data needs to be secured between the UE and the user plane functional entity.
  • the remaining registration procedures are completed between the UE, the RAN functional entity, and the AMF entity.
  • the UPF entity uses a key generation algorithm to generate a second key according to K1 (the second key includes an encryption key K2 and an integrity key K3).
  • the UE uses a key generation algorithm to generate a second key according to K1 (the second key includes an encryption key K2 and an integrity key K3).
  • that is, the UE uses the anchor key KSEAF and the same key generation algorithm as the network side to generate the first key K1, and then generates the encryption key K2 and the integrity key K3 according to the first key K1.
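As an added example, not code from the patent or from ZTE, the following Python stand-in walks the key hierarchy of this example (anchor key KSEAF to the first key K1 on the AMF and UE, then K2 and K3 on the UPF and UE) and the three protection cases described earlier for the UPF and UE sides (confidentiality only, integrity only, both, with integrity verified before decryption). HKDF-SHA256 as the key generation algorithm, the HMAC-based keystream, the 4-byte per-packet count, the 16-byte tag and the scope labels are all assumptions, since the patent fixes none of them.

```python
"""Added example, not part of the patent text: a stand-in for the key
hierarchy KSEAF -> K1 -> (K2, K3) and for the three protection cases
(confidentiality only, integrity only, both) applied to user plane data
between the UE and the UPF.  The patent fixes neither the key generation
algorithm nor the ciphers; HKDF-SHA256, an HMAC-SHA256 counter-mode
keystream and a 4-byte per-packet count are assumptions chosen so the
example runs on the standard library alone."""
import hashlib
import hmac

TAG_LEN = 16  # assumed truncated HMAC length for the integrity protection


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with an all-zero salt; assumed
    'key generation algorithm' for every step of the hierarchy."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_k1(k_seaf: bytes, scope: bytes) -> bytes:
    """First (intermediate) key K1 from the anchor key.  `scope` is an
    assumption: b"UE" for the per-UE variant, or a PDU-session label for
    the per-session variant, so that different sessions get different K1."""
    return hkdf_sha256(k_seaf, b"K1|" + scope)


def derive_second_key(k1: bytes) -> tuple:
    """Second key = (encryption key K2, integrity key K3), both from K1.
    The UE and the UPF run this independently; the RAN never sees K1."""
    return hkdf_sha256(k1, b"K2-enc"), hkdf_sha256(k1, b"K3-int")


def _keystream(k2: bytes, count: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream bound to the per-packet count."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(k2, count + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def first_protection(data: bytes, count: int, k2: bytes = None, k3: bytes = None) -> bytes:
    """Sender side (UPF for downlink, UE for uplink), run before PDCP
    encapsulation: encrypt with K2 if present, then integrity-protect the
    result with K3 if present (encrypt-then-MAC, as the text orders it)."""
    hdr = count.to_bytes(4, "big")
    body = _xor(data, _keystream(k2, hdr, len(data))) if k2 else data
    tag = hmac.new(k3, hdr + body, hashlib.sha256).digest()[:TAG_LEN] if k3 else b""
    return hdr + body + tag


def second_protection(pdu: bytes, k2: bytes = None, k3: bytes = None):
    """Receiver side, run after PDCP decapsulation: verify with K3 before
    decrypting with K2.  Returns None on an integrity failure so that a
    modified PDU is never decrypted or passed up."""
    hdr, rest = pdu[:4], pdu[4:]
    if k3:
        body, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expected = hmac.new(k3, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None
    else:
        body = rest
    return _xor(body, _keystream(k2, hdr, len(body))) if k2 else body


def run_example() -> dict:
    """Walk the three cases with a constructed anchor key; every entry is True."""
    k_seaf = bytes(range(32))  # constructed anchor key, not a real KSEAF
    k1_network = derive_k1(k_seaf, b"UE")  # AMF side
    k1_ue = derive_k1(k_seaf, b"UE")       # UE side, same algorithm
    k2, k3 = derive_second_key(k1_network)  # UPF side
    msg = b"downlink user plane payload"
    out = {"ue_and_upf_agree": derive_second_key(k1_ue) == (k2, k3)}
    pdu = first_protection(msg, 7, k2=k2)                        # case 1
    out["confidentiality_only"] = second_protection(pdu, k2=k2) == msg and msg not in pdu
    pdu = first_protection(msg, 7, k3=k3)                        # case 2
    out["integrity_only"] = second_protection(pdu, k3=k3) == msg and msg in pdu
    pdu = first_protection(msg, 7, k2=k2, k3=k3)                 # case 3
    out["both"] = second_protection(pdu, k2=k2, k3=k3) == msg
    tampered = pdu[:10] + bytes([pdu[10] ^ 0x01]) + pdu[11:]  # one flipped ciphertext bit
    out["tamper_rejected"] = second_protection(tampered, k2=k2, k3=k3) is None
    out["per_session_keys_differ"] = derive_k1(k_seaf, b"PDU-1") != derive_k1(k_seaf, b"PDU-2")
    return out


if __name__ == "__main__":
    print(run_example())
```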
  • the above solution describes the security protection of user plane data between the UE and the 5G core network after the UE is registered on the 5G network, that is, all user plane data exchanged between the UE and the 5G core network is protected for confidentiality and integrity.
  • the above solution is also applicable to EPC.
  • the first control plane functional entity described in the solution is MME, and the user plane functional entity is SGW or PGW.
  • an encryption key K2 and an integrity key K3 are generated on the UE and SGW/PGW.
  • Example 1 describes the security protection of user plane data between the UE and the 5G core network.
  • the 5G network can also provide network services in the form of network slicing, that is, 5GC can include multiple network slices. After the UE is registered on the 5G network, it can access up to 8 network slices.
  • Example 2 describes the provision of security protection for user plane data between the UE and the core network at the network slicing level, and the implementation process is shown in FIG. 7.
  • the first network control function entity is an AMF entity
  • the second network control function entity is an SMF entity
  • the user plane function entity is a UPF entity:
  • after the UE has successfully registered to the 5G network, the UE requests to access the network slice and initiates a PDU session establishment request.
  • the PDU session establishment request includes a NAS (Non-Access Stratum) message, and the NAS message includes single network slice selection assistance information (S-NSSAI, Single Network Slice Selection Assistance Information), etc.
  • S-NSSAI contains the network slice identifier that authorizes the UE to request access.
  • the AMF entity stores S-NSSAI and other information.
  • the AMF entity selects the SMF entity based on information such as S-NSSAI.
  • the AMF entity initiates a PDU session context creation request to the SMF entity, and the PDU session context creation request includes information such as the subscription permanent identifier (SUPI, Subscription Permanent Identifier) and the S-NSSAI.
  • the SMF entity uses the SUPI, S-NSSAI and other information to obtain session management-related subscription data from the UDM entity; the session management-related subscription data contains information indicating whether user plane data security protection is required between the UE and the core network.
  • step 5 If the PDU session establishment request in step 1 is sent for the first time, the SMF entity performs UPF entity selection; if the PDU session establishment request in step 1 is not sent for the first time, step 7 is directly executed.
  • An N4 session is established between the SMF entity and the UPF entity.
  • the SMF entity makes a decision based on the subscription data whether it is necessary to securely protect the user plane data between the UE and the user plane functional entity.
  • the SMF entity and the AMF entity exchange PDU session establishment messages or PDU session update messages.
  • the SMF entity sends information indicating whether the user plane data needs to be secured between the UE and the user plane function entity to the AMF entity.
  • after the AMF entity receives the information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity, it sends the anchor key (for example, KSEAF) generated after successful authentication to the SMF entity.
  • the SMF entity saves the anchor key KSEAF and generates the first key K1 according to the anchor key KSEAF using a key generation algorithm.
  • the SMF entity sends the first key K1 to the UPF entity.
  • the UPF entity saves the first key K1.
  • the AMF entity returns to the UE information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity.
  • the UE, AMF entity, SMF entity, and UPF entity complete the rest of the PDU session establishment process.
  • after the UE receives the information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity, it uses the key generation algorithm to generate the first key K1, and generates the second key according to the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
  • the UPF entity uses the same key generation algorithm to generate the second key according to the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
  • the SMF entity decides to perform security protection for the user plane data between the UE and the core network for the network slice, and informs the AMF entity.
  • the SMF entity generates the first key K1 according to the anchor key KSEAF provided by the AMF entity and provides it to the UPF entity.
  • the above process can also be implemented as follows: the AMF entity decides, for the network slice corresponding to the S-NSSAI requested by the UE, that the user plane data is to be secured between the UE and the core network, generates the first key K1 according to the anchor key KSEAF, and provides K1 to the SMF entity; the SMF entity then provides K1 to the UPF entity.
  • Example 3 describes the provision of security protection for user plane data between the UE and the core network at the network slicing level, and the implementation process is shown in Figure 8.
  • the first network control function entity is an AMF entity
  • the second network control function entity is an SMF entity
  • the user plane function entity is a UPF entity:
  • after the UE has successfully registered to the 5G network, the UE requests to access the network slice and initiates a PDU session establishment request.
  • the PDU session establishment request contains a NAS message, and the NAS message includes single network slice selection assistance information (S-NSSAI, Single Network Slice Selection Assistance Information), etc.
  • S-NSSAI contains the network slice identifier that authorizes the UE to request access.
  • the AMF entity stores S-NSSAI and other information.
  • the AMF entity selects the SMF entity based on information such as S-NSSAI.
  • the AMF entity initiates a PDU session context creation request to the SMF entity, and the PDU session context creation request includes information such as SUPI, S-NSSAI, etc.
  • the SMF entity uses SUPI, S-NSSAI and other information to obtain session-management-related subscription data from UDM; the session-management-related subscription data contains information indicating whether user plane data needs to be securely protected between the UE and the user plane functional entity.
  • if the PDU session establishment request in step 1 is sent for the first time, the SMF entity performs UPF entity selection; if it is not sent for the first time, step 7 is directly executed.
  • An N4 session is established between the SMF entity and the UPF entity.
  • the SMF entity and the AMF entity exchange PDU session establishment messages or PDU session update messages.
  • the SMF entity sends information indicating whether user plane data security protection between the UE and the user plane function entity needs to be performed to the AMF entity.
  • the AMF entity decides that security protection of the user plane data between the UE and the user plane functional entity is required, generates the first (intermediate) key K1 using the key generation algorithm from the anchor key KSEAF generated after successful authentication, and sends the first key K1 to the SMF entity.
  • the SMF entity sends the first key K1 to the UPF entity.
  • the UPF entity saves the first key K1.
  • the AMF entity returns to the UE information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity.
  • the remaining process of PDU session establishment is completed among the UE, AMF entity, SMF entity, and UPF entity.
  • after the UE receives the information indicating whether the user plane data needs to be securely protected between the UE and the user plane functional entity, it uses the key generation algorithm to generate the first key K1, and generates the second key according to the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
  • the UPF entity uses the same key generation algorithm to generate a second key according to the first key K1 (the second key includes an encryption key K2 and an integrity key K3).
  • Example 4 describes the process of confidentiality and integrity protection of user plane data between the UE and the UPF entity.
  • in the prior art, security protection for user plane data is performed between the UE and the RAN functional entity.
  • after the AMF entity sends the first notification message to the UE, the user plane data is securely protected between the UE and the UPF entity, that is, the encryption key K2 and the integrity key K3 are used.
  • this example describes the protocol stack processing when the user plane data security endpoint is in the UPF, as shown in Figure 9: a PDCP connection is established between the UE and the UPF entity, and the PDCP connection is used for encryption and integrity protection of user plane data.
  • intermediate network functional entities, such as RAN functional entities, are not involved in the encryption, decryption and integrity protection of user plane data.
  • the specific implementation process is described as follows:
  • the UE completes the encapsulation of the sent uplink user plane data according to the UE protocol stack part shown in FIG. 9 and sends the encapsulated uplink user plane data.
  • the application layer encapsulation is performed on the uplink user plane data
  • the PDU layer encapsulation is performed on the uplink user plane data after the application layer encapsulation
  • Simple Distributed File Transfer System Access Protocol (SDAP) encapsulation is performed on the uplink user plane data after PDU layer encapsulation; the encryption key K2 is used to encrypt the SDAP encapsulated uplink user plane data, and the integrity key K3 is used to perform integrity protection processing on the encrypted uplink user plane data.
  • PDCP encapsulation is performed on the uplink user plane data after integrity protection processing.
  • Radio Link Control (RLC) layer encapsulation is performed on the uplink user plane data after PDCP encapsulation.
  • Media Access Control (MAC) layer encapsulation is performed on the uplink user plane data after RLC encapsulation, and physical layer (PHY) encapsulation is performed on the uplink user plane data after MAC encapsulation.
  • the RAN entity completes the protocol conversion of the uplink user plane data.
  • the PHY encapsulated uplink user plane data is decapsulated at the PHY layer, the PHY decapsulated uplink user plane data is decapsulated at the MAC layer, the MAC decapsulated uplink user plane data is decapsulated at the RLC layer, and the RLC decapsulated uplink user plane data is then converted into the General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) encapsulation format.
  • the RAN entity does not perform any processing at the PDCP layer and above, that is, it does not perform decryption or integrity verification on the uplink user plane data. After the RAN entity completes the protocol conversion of the uplink user plane data, the data is sent to the UPF entity.
  • the UPF entity receives the protocol-converted uplink user plane data and decapsulates it at the L1 layer; the L1 decapsulated uplink user plane data is decapsulated at the L2 layer, the L2 decapsulated uplink user plane data is decapsulated at the GTP-U/UDP/IP layer, the GTP-U/UDP/IP decapsulated uplink user plane data is PDCP decapsulated, and the integrity key K3 is used to perform an integrity check on the PDCP decapsulated uplink user plane data.
  • the uplink user plane data is then decapsulated at the PDU layer.
  • the UPF entity completes the encapsulation of the sent downlink user plane data according to the UPF protocol stack part shown in FIG. 9, and sends the encapsulated downlink user plane data.
  • PDU layer encapsulation is performed on the downlink user plane data; SDAP encapsulation is performed on the PDU layer encapsulated downlink user plane data; the encryption key K2 is used to encrypt the SDAP encapsulated downlink user plane data, and the integrity key K3 is used to perform integrity protection processing on the encrypted downlink user plane data; PDCP encapsulation is performed on the downlink user plane data after integrity protection processing; GTP-U/UDP/IP layer encapsulation is performed on the PDCP encapsulated downlink user plane data; L2 layer encapsulation is performed on the downlink user plane data after GTP-U/UDP/IP layer encapsulation; and L1 layer encapsulation is performed on the downlink user plane data after L2 layer encapsulation.
  • the RAN entity completes the protocol conversion of the downlink user plane data.
  • the L1 layer encapsulated downlink user plane data is decapsulated at the L1 layer, the L1 decapsulated downlink user plane data is decapsulated at the L2 layer, the L2 decapsulated downlink user plane data is decapsulated at the GTP-U/UDP/IP layer, and the GTP-U/UDP/IP decapsulated downlink user plane data is then converted into the RLC encapsulation format.
  • the RAN entity does not perform any processing on the PDCP layer and above, that is, does not perform decryption and integrity verification processing on the downlink user plane data.
  • after the RAN entity completes the protocol conversion of the downlink user plane data, the data is sent to the UE.
  • the UE receives the protocol-converted downlink user plane data and decapsulates it at the PHY layer; the PHY decapsulated downlink user plane data is decapsulated at the MAC layer, the MAC decapsulated downlink user plane data is decapsulated at the RLC layer, the RLC decapsulated downlink user plane data is PDCP decapsulated, and the integrity key K3 is used to verify the integrity of the PDCP decapsulated downlink user plane data.
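The key hierarchy of Example 3 (KSEAF to K1 at the AMF, K1 to K2/K3 at the UE and the UPF) and the uplink path of Example 4 (encrypt with K2, integrity-protect with K3, RAN passes the PDCP PDU through untouched) can be simulated end to end; the block below is an added example, not code from the patent. Because the page names no key generation, ciphering or integrity algorithm, HMAC-SHA256 stands in for all three, and the key labels, the 4-byte MAC-I layout, the anchor key and the S-NSSAI value are constructed assumptions.

```python
"""Simulation of the UE-to-UPF user plane protection path of Examples 3 and 4.

Added example, not the patent's own code.  The page does not specify the key
generation, ciphering or integrity algorithms; HMAC-SHA256 stands in for all
three here (assumption), and key labels / field layouts are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAC_LEN = 4  # PDCP-style 32-bit MAC-I trailer (layout is an assumption)


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Stand-in key generation algorithm shared by UE, AMF/SMF and UPF."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


def derive_first_key(k_seaf: bytes, s_nssai: bytes) -> bytes:
    """Control plane side (Example 3): K1 derived from the anchor key KSEAF.
    Mixing in the S-NSSAI gives each network slice its own K1 (assumption)."""
    return kdf(k_seaf, b"K1", s_nssai)


def derive_second_keys(k1: bytes) -> Tuple[bytes, bytes]:
    """UE and UPF side: K2 (encryption) and K3 (integrity) from K1, same algorithm on both ends."""
    return kdf(k1, b"K2-enc"), kdf(k1, b"K3-int")


def keystream(k2: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream from K2 and a PDCP COUNT (stand-in for a ciphering algorithm)."""
    out = b""
    for block in range(-(-length // 32)):  # ceil(length / 32) blocks of 32 bytes
        out += kdf(k2, b"ks", struct.pack(">II", count, block))
    return out[:length]


def protect(k2: bytes, k3: bytes, count: int, sdap_pdu: bytes) -> bytes:
    """Sender (UE uplink, UPF downlink): encrypt with K2, then integrity-protect
    with K3.  Returns the PDCP-layer payload COUNT || ciphertext || MAC-I."""
    header = struct.pack(">I", count)
    ct = bytes(a ^ b for a, b in zip(sdap_pdu, keystream(k2, count, len(sdap_pdu))))
    mac_i = hmac.new(k3, header + ct, hashlib.sha256).digest()[:MAC_LEN]
    return header + ct + mac_i


def unprotect(k2: bytes, k3: bytes, pdcp_pdu: bytes) -> Optional[bytes]:
    """Receiver: verify MAC-I with K3 first; decrypt with K2 only if it passes.
    Returns None when the integrity check fails, so tampered data is dropped."""
    if len(pdcp_pdu) < 4 + MAC_LEN:
        return None
    header, ct, mac_i = pdcp_pdu[:4], pdcp_pdu[4:-MAC_LEN], pdcp_pdu[-MAC_LEN:]
    expected = hmac.new(k3, header + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac_i, expected):
        return None
    count = struct.unpack(">I", header)[0]
    return bytes(a ^ b for a, b in zip(ct, keystream(k2, count, len(ct))))


def ran_convert(pdcp_pdu: bytes) -> bytes:
    """RAN (Example 4): re-frames RLC/MAC/PHY into GTP-U without touching the
    PDCP layer or above.  It holds neither K2 nor K3, so this is the identity on the PDU."""
    return pdcp_pdu


def uplink(k_seaf: bytes, s_nssai: bytes, payload: bytes, count: int = 0,
           tamper: bool = False) -> Optional[bytes]:
    """End-to-end uplink: the AMF derives K1 (forwarded via the SMF to the UPF),
    the UE derives K1 itself, both ends derive K2/K3, and the RAN only passes the PDU on."""
    k1_core = derive_first_key(k_seaf, s_nssai)   # AMF -> SMF -> UPF (Example 3)
    k1_ue = derive_first_key(k_seaf, s_nssai)     # UE, after the first notification
    k2_ue, k3_ue = derive_second_keys(k1_ue)
    k2_upf, k3_upf = derive_second_keys(k1_core)
    pdcp_pdu = protect(k2_ue, k3_ue, count, payload)
    if tamper:  # constructed in-transit modification of one ciphertext byte
        pdcp_pdu = pdcp_pdu[:4] + bytes([pdcp_pdu[4] ^ 0x01]) + pdcp_pdu[5:]
    return unprotect(k2_upf, k3_upf, ran_convert(pdcp_pdu))


if __name__ == "__main__":
    K_SEAF = hashlib.sha256(b"constructed anchor key").digest()  # constructed value
    S_NSSAI = bytes([0x01, 0x00, 0x00, 0x01])                      # constructed SST/SD
    print(uplink(K_SEAF, S_NSSAI, b"uplink user plane data"))
    print(uplink(K_SEAF, S_NSSAI, b"uplink user plane data", tamper=True))
```

The tampered run returns None because the UPF checks the MAC-I under K3 before it decrypts under K2, which is the verify-then-decrypt order the device descriptions below (modules 1202 and 1303) also require.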
  • the present disclosure provides an electronic device, which includes: at least one processor; and a memory on which at least one program is stored. When the at least one program is executed by the at least one processor, the at least one processor implements any one of the foregoing data transmission methods.
  • the processor is a device with data processing capabilities, which includes but is not limited to a central processing unit (CPU), etc.
  • the memory is a device with data storage capabilities, which includes but is not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH).
  • the processor and the memory are connected to each other through a bus, and further connected to other components of the computing device.
  • the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, any one of the aforementioned data transmission methods is implemented.
  • FIG. 10 is a block diagram of the composition of a data transmission device of the present disclosure.
  • the present disclosure provides a data transmission device (such as a first control plane functional entity), including: a first determining module 1001 configured to determine target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and a first notification message sending module 1002 configured to send a first notification message to the target user equipment, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • the data transmission device further includes: a first key processing module 1003 configured to generate a first key and send the first key to the user plane functional entity; wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the first determining module 1001 is configured to receive the first notification message sent by the second control plane functional entity.
  • the data transmission apparatus further includes: a second notification message sending module 1004 configured to send a second notification message to a second control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the functional entity side of the first control plane in the foregoing embodiment, and will not be repeated here.
  • FIG. 11 is a block diagram of the composition of a data transmission device of the present disclosure.
  • the present disclosure provides a data transmission device (such as a second control plane functional entity), including: a first notification message receiving module 1101 configured to receive a second notification message sent by the first control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key, the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity; and a second key processing module 1102 configured to generate the first key and send the first key to the user plane functional entity.
  • the data transmission apparatus further includes: a third determining module 1103 configured to determine target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and a third notification message sending module 1104 configured to send a first notification message to the first control plane functional entity, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the functional entity side of the second control plane in the foregoing embodiment, and will not be repeated here.
  • FIG. 12 is a block diagram of the composition of a data transmission device of the present disclosure.
  • the present disclosure provides a data transmission device (such as a user plane functional entity), including: a third key processing module 1201 configured to obtain a first key and generate a second key according to the first key, where the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity; and a first data processing module 1202 configured to perform security protection processing, using the second key, on target user plane data transmitted between the target user equipment and the user plane functional entity.
  • the third key processing module 1201 is configured to obtain the first key in the following manner: receiving the first key sent by the first control plane functional entity.
  • the third key processing module 1201 is configured to obtain the first key in the following manner: receiving the first key sent by the second control plane functional entity.
  • the second key includes a confidentiality key and/or an integrity key, and the first data processing module 1202 is configured to: use the confidentiality key to encrypt the target user plane data sent to the target user equipment, and use the confidentiality key to decrypt the target user plane data received from the target user equipment; or use the integrity key to perform integrity protection on the target user plane data sent to the target user equipment, and use the integrity key to verify the integrity of the target user plane data received from the target user equipment; or use the confidentiality key to encrypt the target user plane data sent to the target user equipment and then use the integrity key to perform integrity protection on the encrypted target user plane data, and use the integrity key to verify the integrity of the target user plane data received from the target user equipment and, after the verification passes, use the confidentiality key to decrypt the target user plane data.
  • the specific implementation process of the foregoing data transmission device is the same as the specific implementation process of the data transmission method on the user plane function entity side of the foregoing embodiment, and will not be repeated here.
  • FIG. 13 is a block diagram of the composition of a data transmission device of the present disclosure.
  • the present disclosure provides another data transmission device (such as a target UE), including: a second notification message receiving module 1301 configured to receive a first notification message sent by a first control plane functional entity, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • the data transmission device further includes: a fourth key processing module 1302 configured to generate a first key, and generate a second key according to the first key; wherein the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the second key includes a confidentiality key and/or an integrity key, and the data transmission device further includes a second data processing module 1303 configured to: use the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and use the confidentiality key to decrypt the target user plane data received from the user plane functional entity; or use the integrity key to perform integrity protection processing on the target user plane data sent to the user plane functional entity, and use the integrity key to perform integrity verification on the target user plane data received from the user plane functional entity; or use the confidentiality key to encrypt the target user plane data sent to the user plane functional entity and then use the integrity key to perform integrity protection processing on the encrypted target user plane data, and use the integrity key to perform an integrity check on the target user plane data received from the user plane functional entity and, after the verification passes, use the confidentiality key to decrypt the target user plane data.
  • the specific implementation process of the above-mentioned data transmission device is the same as the specific implementation process of the data transmission method on the target UE side in the foregoing embodiment, and will not be repeated here.
  • FIG. 14 is a block diagram of the composition of a data transmission system of the present disclosure.
  • the present disclosure provides a data transmission system, including: a first control plane functional entity 1401 configured to determine target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity, and to send a first notification message to the target user equipment, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity; and a target user equipment 1402 configured to receive the first notification message sent by the first control plane functional entity.
  • the first control plane functional entity 1401 is further configured to generate a first key and send the first key to the user plane functional entity; wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity;
  • the data transmission system further includes: a user plane functional entity 1403 configured to receive the first key sent by the first control plane functional entity, generate a second key according to the first key, and use the second key to perform security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity;
  • the target user equipment 1402 is further configured to generate a first key, generate a second key according to the first key, and use the second key to perform security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity.
  • the first control plane functional entity 1401 is configured to determine the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity in the following manner: receiving the first notification message sent by the second control plane functional entity; the data transmission system further includes a second control plane functional entity 1404 configured to determine the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity and to send the first notification message to the first control plane functional entity.
  • the first control plane functional entity 1401 is further configured to send a second notification message to the second control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key; the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity; the data transmission system further includes a second control plane functional entity 1404 configured to receive the second notification message sent by the first control plane functional entity, generate the first key, and send the first key to the user plane functional entity; the user plane functional entity 1403 is configured to receive the first key sent by the second control plane functional entity, generate a second key according to the first key, and use the second key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity; and the target user equipment 1402 is further configured to generate a first key and generate a second key according to the first key.
  • Such software may be distributed on a computer-readable medium, and the computer-readable medium may include a computer storage medium (or a non-transitory medium) and a communication medium (or a transitory medium).
  • the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tapes, magnetic disk storage or other magnetic storage devices, or Any other medium used to store desired information and that can be accessed by a computer.
  • a communication medium usually contains computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery medium.

Abstract

The present application provides a data transmission method applied to a first control plane functional entity. The method comprises: determining target user plane data that needs security protection between a target user equipment and a user plane functional entity; and sending a first notification message to the target user equipment, wherein the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity. The present application also provides a data transmission system, an electronic device, and a computer-readable storage medium.

Description

Data transmission method, system, electronic device, storage medium

Cross-reference to related applications

This application claims priority to patent application No. 202010497412.6 filed with the Chinese Patent Office on June 3, 2020, the entire content of which is incorporated herein by reference.

Technical field

The present disclosure relates to, but is not limited to, the field of communication security.

Background

At present, confidentiality and/or integrity protection is applied only to user plane data transmission between the user equipment (UE) and the radio access network (RAN), and not to user plane data transmission between the RAN and the core network. Some scenarios require confidentiality and/or integrity protection of user plane data transmission between the UE and the core network, and the above protection scheme cannot meet the protection requirements of these scenarios.

Summary of the invention

In a first aspect, the present disclosure provides a data transmission method applied to a first control plane functional entity. The method includes: determining target user plane data that needs to be securely protected between a target user equipment and a user plane functional entity; and sending a first notification message to the target user equipment, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.

In a second aspect, the present disclosure provides a data transmission method applied to a second control plane functional entity. The method includes: receiving a second notification message sent by a first control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key, the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity; and generating the first key and sending the first key to the user plane functional entity.

In a third aspect, the present disclosure provides a data transmission method applied to a user plane functional entity. The method includes: obtaining a first key and generating a second key according to the first key, where the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity; and performing security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

In a fourth aspect, the present disclosure provides a data transmission method applied to a target user equipment. The method includes: receiving a first notification message sent by a first control plane functional entity, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.

In a fifth aspect, the present disclosure provides an electronic device, which includes: at least one processor; and a memory on which at least one program is stored, where, when the at least one program is executed by the at least one processor, the at least one processor implements any one of the data transmission methods described herein.

In a sixth aspect, the present disclosure provides a computer-readable storage medium on which a computer program is stored, where the program, when executed by a processor, implements any one of the data transmission methods described herein.

In a seventh aspect, the present disclosure provides a data transmission system, including: a first control plane functional entity configured to determine target user plane data that needs to be securely protected between a target user equipment and a user plane functional entity, and to send a first notification message to the target user equipment, where the first notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity; and a target user equipment configured to receive the first notification message sent by the first control plane functional entity.

附图说明Description of the drawings

图1为相关技术中第三代伙伴计划(3GPP,The 3rd Generation Partnership Project)R15定义的5G网络传输数据过程中安全保护机制的示意图;Figure 1 is a schematic diagram of the security protection mechanism in the process of data transmission in the 5G network defined by the 3rd Generation Partnership Project (3GPP, The 3rd Generation Partnership Project) R15 in related technologies;

Figure 2 is a flowchart of a data transmission method provided by the present disclosure;

Figure 3 is a flowchart of a data transmission method provided by the present disclosure;

Figure 4 is a flowchart of a data transmission method provided by the present disclosure;

Figure 5 is a flowchart of a data transmission method provided by the present disclosure;

Figure 6 is a flowchart of the data transmission method provided in Example 1 of the present disclosure;

Figure 7 is a flowchart of the data transmission method provided in Example 2 of the present disclosure;

Figure 8 is a flowchart of the data transmission method provided in Example 3 of the present disclosure;

Figure 9 is a schematic diagram of the protocol stack structure provided in Example 4 of the present disclosure;

Figure 10 is a block diagram of a data transmission apparatus provided by the present disclosure;

Figure 11 is a block diagram of a data transmission apparatus provided by the present disclosure;

Figure 12 is a block diagram of a data transmission apparatus provided by the present disclosure;

Figure 13 is a block diagram of a data transmission apparatus provided by the present disclosure;

Figure 14 is a block diagram of a data transmission system provided by the present disclosure.

Detailed description

To enable those skilled in the art to better understand the technical solutions of the present disclosure, the data transmission method, system, electronic device and computer-readable storage medium provided by the present disclosure are described in detail below with reference to the accompanying drawings.

Example embodiments are described more fully below with reference to the accompanying drawings, but the example embodiments may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be thorough and complete and will fully convey its scope to those skilled in the art.

Where no conflict arises, the embodiments of the present disclosure and the features of those embodiments may be combined with one another.

As used herein, the term "and/or" includes any and all combinations of at least one of the associated listed items.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will further be understood that the terms "comprise" and/or "made of", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of at least one other feature, integer, step, operation, element, component and/or group thereof.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will further be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art and of the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

Traditional communication networks are constrained by the tight coupling of software and hardware: network performance is one-size-fits-all, networking flexibility is poor and expansion is limited. A single network can hardly meet, at the same time, the differing requirements that different applications place on network service performance such as bandwidth, latency and reliability. 5G has deeply restructured the network architecture. Based on virtualization and software-defined technologies, it introduces a service-based architecture in which virtualized network functions are built on demand, according to application requirements, on a shared unified hardware platform, and network slices are constructed to provide network service performance that more closely matches application requirements. For example, for an IoT application whose terminals are at fixed locations, a mobility management function need not be introduced when constructing the network slice that serves it; for a low-latency application, the user plane function (UPF) needs to be deployed down at the network edge when constructing the network slice, so as to shorten the data transmission delay and meet the application's latency requirements. In other words, with the help of emerging technologies such as virtualization and network slicing, 5G can provide network services with different characteristics for different applications.

When a 5G network provides network services to applications in various industries, it carries a variety of high-value application data as well as sensitive data such as private information. Attacks on the network aimed at obtaining or tampering with data have never stopped, and as the service data carried by future 5G networks grows ever richer, attack techniques keep evolving. Protection measures such as integrity and ciphering (confidentiality) protection of data during transmission over the network are therefore indispensable.

Confidentiality means that data is encrypted for transmission, so that it cannot be eavesdropped on or illegally obtained in transit; integrity means that integrity processing is applied to the transmitted data at the sending end and an integrity check is performed at the receiving end, so that tampering with the data in transit is detected.

The data transmitted by a 5G network falls into two broad categories: control plane signalling data, such as the signalling by which a user registers with the network or the slice session signalling for accessing the network; and user plane data carried by the services the user runs, such as the data of an online video service.

Figure 1 is a schematic diagram of the security protection mechanism for data transmitted in a 5G network as defined in 3GPP Release 15 (R15). As shown in Figure 1, A denotes confidentiality and/or integrity protection of the control plane data between the user equipment (UE) and the radio access network (RAN); B denotes confidentiality and/or integrity protection of the user plane data between the UE and the RAN; and C denotes confidentiality and/or integrity protection of the control plane data between the UE and the 5G core network (5GC). Confidentiality and/or integrity protection of the user plane data transmitted between the UE and the 5GC is, however, not yet required, and user plane data is transmitted in plaintext between the RAN and the 5GC, as shown at D in Figure 1.

When 5G provides network services to vertical industries, the business characteristics of those industries give rise to a requirement that user plane data be securely protected on the transmission path from the UE to the 5GC, mainly for the following reasons:

(1) The configuration of the access network functional entity is more easily exposed, so the encryption, authentication and user plane integrity protection configured on the access network functional entity side are more easily attacked.

(2) Compared with the access network functional entity side, network nodes on the core network side have greater computing capability, which helps reduce data interaction latency, and vertical industries often attach great importance to a low-latency experience.

(3) A network slice operator (an operator that provides network services for vertical industry applications) may lease RAN resources from other operators. From the perspective of the network slice operator or the industry application, the access network functional entity is not an absolutely trusted device, so the network slice operator or industry application wants data transmission security to terminate in the core network rather than on the access network functional entity side of the access network.

The above security requirements can be partly met in the following ways, but each still has shortcomings:

(1) Protection between the UE and the access network functional entity is provided in the manner shown at B in Figure 1, and an encrypted channel, for example Internet Protocol Security (IPsec), is established between the access network border network element and the core network border network element, i.e. at D in Figure 1, to encrypt and/or integrity-protect all data transmitted between the two border network elements. Although this approach achieves security protection of user plane data between the UE and the 5GC, it has the following disadvantages:

1) The scheme applies encryption and/or integrity protection to all data transmitted between the access network border network element and the core network border network element, so encryption is applied to data regardless of whether it needs it, which reduces processing efficiency and increases service latency.

2) The access network functional entity still takes part in data encryption/decryption and/or integrity checking, so the data security risks described above, arising from the access network functional entity being untrusted or attacked, remain.

3) The application itself provides protection mechanisms such as application-layer encryption to secure user plane data; for example, some applications use the Secure Sockets Layer (SSL) to encrypt application data in transit. However, not every application has the capability to encrypt, integrity-protect and verify user plane data at the application layer, and such solutions are specific to each application and not easy to generalize.

Figure 2 is a flowchart of a data transmission method of the present disclosure.

In a first aspect, referring to Figure 2, the present disclosure provides a data transmission method applied to a first control plane functional entity (for example, performed by the first control plane functional entity). The method may include step 200 and step 201.

In step 200, target user plane data that needs to be securely protected between a target user equipment and a user plane functional entity is determined.

In some exemplary embodiments, if it is determined that none of the target UE's user plane data needs to be securely protected between the target UE and the user plane functional entity, the procedure ends.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined according to the user's subscription information.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may also be determined according to whether a first notification message sent by a second control plane functional entity is received, where the first notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity. For example, receiving the first notification message from the second control plane functional entity indicates that the target user plane data needs to be securely protected between the target user equipment and the user plane functional entity, while not receiving the first notification message from the second control plane functional entity indicates that the user plane data does not need to be securely protected between the target user equipment and the user plane functional entity.

Of course, there are many other ways; the specific determination strategy does not limit the scope of protection of the present disclosure and is not described further here.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration of the target UE with the core network, for example after the authentication procedure is completed. In this case, the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.

In some exemplary embodiments, whether user plane data needs to be securely protected between the user equipment and the core network may be determined during establishment of a protocol data unit (PDU) session, for example after a PDU session context creation response is received from a session management function (SMF) entity. In this case, what is determined is whether the user plane data corresponding to the PDU session needs to be securely protected between the user equipment and the core network.

In step 201, a first notification message is sent to the target user equipment, where the first notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the first notification message may be sent to the target UE during the registration of the target UE with the core network, for example after the authentication procedure is completed. On receiving the first notification message, the target UE confirms the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity. In this case, the target user plane data is all user plane data transmitted between the target UE and the user plane functional entity.

In some exemplary embodiments, the first notification message may be sent to the target UE during PDU session establishment, for example after the PDU session context creation response is received from the SMF entity. In this case, the target user plane data is the user plane data that the target UE exchanges with the user plane functional entity over the PDU session.

That is, for some UEs, after the target user plane data that needs to be securely protected between the user equipment and the user plane functional entity has been determined, the first notification message is sent to the user equipment; for other UEs, after it has been determined that none of the UE's user plane data needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is not sent to the UE. In this way, user plane data is securely protected between the UE and the user plane functional entity not for all UEs but only for some of them. Which UEs have their user plane data protected between the UE and the user plane functional entity may be determined from the UE's subscription data, which the user can arrange by subscribing with the operator according to the user's own needs.

Alternatively, for some PDU sessions of a given UE, after the target user plane data that needs to be securely protected between the user equipment and the user plane functional entity has been determined, the first notification message is sent to the user equipment; for other PDU sessions of that UE, after it has been determined that none of the user plane data transmitted over the PDU session needs to be securely protected between the user equipment and the user plane functional entity, the first notification message is not sent to the UE. In this way, user plane data is securely protected between the UE and the user plane functional entity not for all of the UE's PDU sessions but only for some of them. Which of the UE's PDU sessions have their user plane data protected between the UE and the user plane functional entity may be determined from the UE's subscription data, which the user can arrange by subscribing with the operator according to the user's own needs.

In some exemplary embodiments, after the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity has been determined, the method further includes: generating a first key and sending the first key to the user plane functional entity, where the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, an anchor key may be generated first and the first key then generated from the anchor key. The first key serves for key isolation: the leakage of one key does not affect the security of other keys, which improves security.

In some exemplary embodiments, the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes both an encryption key and an integrity key.

In some exemplary embodiments, the encryption key is used for confidentiality protection of user plane data between the UE and the core user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core user plane functional entity.

In some exemplary embodiments, the first key is a first key corresponding to the target UE and the second key is a second key corresponding to the target UE; the first keys corresponding to different UEs may be the same or different, and the second keys corresponding to different target UEs may be the same or different.

In some exemplary embodiments, the first key is a first key corresponding to a protocol data unit (PDU) session of the target UE; for example, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The second key is a second key corresponding to a PDU session of the UE; for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.

In some exemplary embodiments, after the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity has been determined, the method further includes: sending a second notification message to a second control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key, the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.

In the data transmission method provided by the present disclosure, the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity securely protect the target user plane data. Security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved.

Figure 3 is a flowchart of a data transmission method of the present disclosure.

In a second aspect, referring to Figure 3, the present disclosure provides a data transmission method applied to a second control plane functional entity (for example, performed by the second control plane functional entity). The method may include step 300 and step 301.

In step 300, a second notification message sent by a first control plane functional entity is received, where the second notification message is used to notify the second control plane functional entity to generate a first key, the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes both an encryption key and an integrity key.

In some exemplary embodiments, the encryption key is used for confidentiality protection of user plane data between the UE and the core user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core user plane functional entity.

In some exemplary embodiments, the first key is a first key corresponding to the target UE and the second key is a second key corresponding to the target UE; the first keys corresponding to different UEs may be the same or different, and the second keys corresponding to different target UEs may be the same or different.

In some exemplary embodiments, the first key is a first key corresponding to a protocol data unit (PDU) session of the target UE; for example, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The second key is a second key corresponding to a PDU session of the UE; for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.

In step 301, the first key is generated and sent to the user plane functional entity.

In some exemplary embodiments, the first key may be generated from an anchor key carried in the second notification message. The first key serves for key isolation: the leakage of one key does not affect the security of other keys, which improves security.
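As an added illustration (not code from the disclosure or from ZTE), the following Python simulates the key hierarchy described in the first and second aspects above: an anchor key, a first key derived per UE and PDU session so that keys are isolated, and a second key consisting of an encryption key and an integrity key with which the UE and the UPF protect a user plane PDU, together with the subscription-based decision of step 200. The disclosure specifies no algorithms, so HKDF-SHA256 as the derivation function, the HMAC-based keystream, the PDU layout and the subscription table are all assumptions, and it is assumed the UE derives the same keys from the shared anchor key.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample subscription data (hypothetical): which PDU sessions of
# which UE the operator has agreed to protect between the UE and the UPF.
SUBSCRIPTION = {"ue-001": {1}, "ue-002": set()}


def needs_protection(ue_id: str, pdu_session_id: int) -> bool:
    """Step 200: decide from subscription data whether this session's user
    plane data is target user plane data (first notification sent iff True)."""
    return pdu_session_id in SUBSCRIPTION.get(ue_id, set())


def hkdf_sha256(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869, fixed all-zero salt) stands in for the unspecified KDF."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_first_key(anchor_key: bytes, ue_id: str, pdu_session_id: int) -> bytes:
    """First key: bound to one UE and one PDU session, so leaking it does not
    expose the keys of other UEs or sessions (key isolation)."""
    info = b"first|" + ue_id.encode() + b"|" + bytes([pdu_session_id])
    return hkdf_sha256(anchor_key, info)


def derive_second_keys(first_key: bytes) -> tuple:
    """Second key = (encryption key, integrity key). The UPF derives it from
    the first key it received from the control plane; the UE derives the same."""
    return hkdf_sha256(first_key, b"enc"), hkdf_sha256(first_key, b"int")


HEADER_LEN, TAG_LEN = 5, 16  # 1-byte PDU session id + 4-byte counter; truncated HMAC


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    # Assumed HMAC-derived keystream; a real deployment would use a 3GPP cipher.
    return hkdf_sha256(enc_key, b"ks|" + header, length)


def protect(enc_key: bytes, int_key: bytes, session_id: int, count: int, data: bytes) -> bytes:
    """Sender side: confidentiality (XOR keystream) then integrity (tag over header+ciphertext)."""
    header = bytes([session_id]) + count.to_bytes(4, "big")
    ciphertext = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, header, len(data))))
    tag = hmac.new(int_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def unprotect(enc_key: bytes, int_key: bytes, pdu: bytes) -> Optional[bytes]:
    """Receiver side: verify integrity first; only an authentic PDU is decrypted."""
    if len(pdu) < HEADER_LEN + TAG_LEN:
        return None
    header, ciphertext, tag = pdu[:HEADER_LEN], pdu[HEADER_LEN:-TAG_LEN], pdu[-TAG_LEN:]
    expected = hmac.new(int_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # tampered in transit: discard
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, header, len(ciphertext))))


def run_scenario() -> dict:
    """UE-to-UPF protection of one subscribed PDU session, end to end."""
    anchor = hashlib.sha256(b"constructed anchor key for ue-001").digest()  # sample value
    results = {"decision": (needs_protection("ue-001", 1), needs_protection("ue-001", 2))}
    k1 = derive_first_key(anchor, "ue-001", 1)        # control plane -> UPF
    ue_enc, ue_int = derive_second_keys(k1)            # UE side
    upf_enc, upf_int = derive_second_keys(k1)          # UPF side
    pdu = protect(ue_enc, ue_int, 1, 7, b"video frame 0001")
    results["upf_reads_plaintext"] = unprotect(upf_enc, upf_int, pdu) == b"video frame 0001"
    results["ciphertext_hides_data"] = b"video frame" not in pdu
    # One ciphertext bit flipped on the path (e.g. at an untrusted RAN node) is rejected.
    tampered = pdu[:HEADER_LEN] + bytes([pdu[HEADER_LEN] ^ 0x01]) + pdu[HEADER_LEN + 1:]
    results["tamper_rejected"] = unprotect(upf_enc, upf_int, tampered) is None
    # Key isolation: another session of the same UE gets an unrelated first key.
    results["keys_isolated"] = derive_first_key(anchor, "ue-001", 2) != k1
    return results


if __name__ == "__main__":
    print(run_scenario())
```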

In some exemplary embodiments, before the second notification message sent by the first control plane functional entity is received, the method may further include: determining the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity; and sending a first notification message to the first control plane functional entity, where the first notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined according to the user's subscription information. Of course, there are many other ways; the specific determination strategy does not limit the scope of protection of the present disclosure and is not described further here.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during the registration of the target UE with the core network, for example after the authentication procedure is completed. In this case, the target user plane data is all user plane data of the target UE.

In some exemplary embodiments, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity may be determined during PDU session establishment, for example after the PDU session context creation response is received from the SMF entity. In this case, the target user plane data is the user plane data that the target UE exchanges with the user plane functional entity over the PDU session.

That is, for some UEs, after the target user plane data that needs to be security protected between the user equipment and the user plane functional entity has been determined, the first notification message is sent to the user equipment; for other UEs, after it has been determined that none of the UE's user plane data needs to be security protected between the user equipment and the user plane functional entity, no first notification message is sent to the UE. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all UEs but only to that of some UEs. Which UEs have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

Alternatively, for some PDU sessions of a given UE, after it has been determined that the user plane data transmitted over the PDU session needs to be security protected between the user equipment and the user plane functional entity, the first notification message is sent to the user equipment; for the other PDU sessions of that UE, after it has been determined that the user plane data transmitted over the PDU session does not need to be security protected between the user equipment and the user plane functional entity, no first notification message is sent to the UE. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all of the UE's PDU sessions but only to that of some of them. Which PDU sessions of the UE have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

In the data transmission method provided by the present disclosure, the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity security protect the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved.

Fig. 4 is a flowchart of a data transmission method of the present disclosure.

In a third aspect, referring to Fig. 4, an embodiment of the present disclosure provides a data transmission method applied to a user plane functional entity (for example, executed by the user plane functional entity). The method may include step 400 and step 401.

In step 400, a first key is obtained and a second key is generated according to the first key; the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, obtaining the first key includes: receiving the first key sent by the first control plane functional entity.

In some exemplary embodiments, obtaining the first key includes: receiving the first key sent by the second control plane functional entity.

In some exemplary embodiments, the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes both an encryption key and an integrity key.

In some exemplary embodiments, the encryption key is used for confidentiality protection of user plane data between the UE and the core network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core network user plane functional entity.

In some exemplary embodiments, the first key is a first key corresponding to the target UE and the second key is a second key corresponding to the target UE. The first keys corresponding to different UEs may be the same or different, and the second keys corresponding to different target UEs may be the same or different.

In some exemplary embodiments, the first key is a first key corresponding to a protocol data unit (PDU) session of the target UE; for example, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The second key is a second key corresponding to a PDU session of the UE; for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.

It should be noted that, for a given UE, if the first key corresponding to that UE is obtained, all of the UE's user plane data needs to be security protected between the UE and the user plane functional entity; if the first key corresponding to that UE is not obtained, none of the UE's user plane data needs to be security protected between the UE and the user plane functional entity. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all UEs but only to that of some UEs. Which UEs have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

Alternatively, for some PDU sessions of a given UE, if the first key corresponding to the PDU session is obtained, all of the user plane data that the UE transmits over that PDU session needs to be security protected between the UE and the user plane functional entity; for the other PDU sessions of that UE, if the first key corresponding to the PDU session is not obtained, the user plane data that the UE transmits over that PDU session does not need to be security protected between the UE and the user plane functional entity. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all of the UE's PDU sessions but only to that of some of them. Which PDU sessions of the UE have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

In some exemplary embodiments, the second key may be generated in many ways, and the specific generation method does not limit the scope of protection of the present disclosure. What the present disclosure emphasizes is that the second key is the key with which user plane data is security protected between the user equipment and the user plane functional entity; it is different from the keys with which user plane data or control plane data is security protected between the UE and the RAN functional entity, and the RAN does not take part in the security protection of user plane data between the UE and the user plane functional entity.

In step 401, security protection processing is performed, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the second key includes a confidentiality key and/or an integrity key, and security protecting the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: encrypting the target user plane data sent to the target user equipment with the confidentiality key, and decrypting the target user plane data received from the target user equipment with the confidentiality key; or integrity protecting the target user plane data sent to the target user equipment with the integrity key, and integrity checking the target user plane data received from the target user equipment with the integrity key; or encrypting the target user plane data sent to the target user equipment with the confidentiality key and integrity protecting it with the integrity key, and integrity checking the target user plane data received from the target user equipment with the integrity key and, once the check passes, decrypting it with the confidentiality key.

In some exemplary embodiments, security protecting the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: before PDCP (Packet Data Convergence Protocol) encapsulation of the downlink target user plane data to be sent to the target user equipment, performing first security protection processing on the downlink target user plane data using the second key, and sending the downlink target user plane data resulting from the first security protection processing to the target user equipment; and, after PDCP decapsulation of the first-security-protection-processed uplink target user plane data received from the target user equipment, performing second security protection processing on that uplink target user plane data using the second key.

In some exemplary embodiments, the second key is the second key corresponding to the target UE. The downlink target user plane data sent to the target UE is then all of the downlink target user plane data that the user plane functional entity sends to the target UE, and the first-security-protection-processed uplink target user plane data received from the target UE is all of the uplink target user plane data that the user plane functional entity receives from the target UE.

That is, first security protection processing is performed with the second key on all downlink target user plane data that the user plane functional entity sends to the target UE, and second security protection processing is performed with the second key on all uplink target user plane data received from the target UE.

In some exemplary embodiments, the second key is the second key corresponding to a PDU session of the target UE (for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key). In that case, the downlink user plane data sent to the UE is the downlink user plane data that the core network sends to the UE over that PDU session, and the first-security-protection-processed uplink user plane data received from the UE is the uplink user plane data that the core network receives from the UE over that PDU session.

That is, first security protection processing is performed with the second key on the downlink target user plane data that the user plane functional entity sends to the target UE over the PDU session corresponding to the second key; downlink user plane data that the user plane functional entity sends to the UE over PDU sessions not corresponding to the second key (that is, PDU sessions other than the one corresponding to the second key) does not undergo first security protection processing and is handled according to the prior art. Likewise, second security protection processing is performed with the second key on the uplink target user plane data received from the target UE over the PDU session corresponding to the second key; uplink user plane data received from the target UE over PDU sessions not corresponding to the second key (that is, PDU sessions other than the one corresponding to the second key) does not undergo second security protection processing and is handled according to the prior art.

In the above exemplary embodiments, only the user plane data transmitted with the UE over some PDU sessions is security protected, rather than all of the UE's user plane data; processing efficiency is thereby improved and service latency reduced for the user plane data that does not need protection.

In some exemplary embodiments, the security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described separately below.

(1) Security protection consists only of confidentiality protection

In this case the second key includes only an encryption key. Correspondingly, performing first security protection processing on the downlink target user plane data using the second key includes encrypting the downlink target user plane data with the encryption key, and performing second security protection processing on the first-security-protection-processed uplink target user data using the second key includes decrypting the encrypted uplink target user data with the encryption key.

(2) Security protection consists only of integrity protection

In this case the second key includes only an integrity key. Correspondingly, performing first security protection processing on the downlink target user plane data using the second key includes integrity protecting the downlink target user plane data with the integrity key, and performing second security protection processing on the first-security-protection-processed uplink target user plane data using the second key includes integrity checking the integrity-protected uplink target user plane data with the integrity key.

(3) Security protection consists of both confidentiality protection and integrity protection

In this case the second key includes an encryption key and an integrity key. Correspondingly, performing first security protection processing on the downlink target user plane data using the second key includes encrypting the downlink target user plane data with the encryption key and then integrity protecting the encrypted downlink target user plane data with the integrity key; performing second security protection processing on the first-security-protection-processed uplink target user plane data using the second key includes integrity checking the encrypted and integrity-protected uplink target user plane data with the integrity key and, once the check passes, decrypting the encrypted uplink target user data with the encryption key.

In the data transmission method provided by the present disclosure, the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be security protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity security protect the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved. Moreover, the RAN does not take part in the security protection of user plane data between the UE and the core network: it transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which suits scenarios in which the RAN is untrusted or vulnerable to attack.

Fig. 5 is a flowchart of a data transmission method of the present disclosure.

In a fourth aspect, referring to Fig. 5, the present disclosure provides a data transmission method applied to a target UE (for example, executed by the target UE). The method may include step 500.

In step 500, a first notification message sent by the first control plane functional entity is received, the first notification message being used to indicate that the target user plane data is to be security protected between the target user equipment and the user plane functional entity.

In some exemplary embodiments, if no first notification message is received from the first control plane functional entity, the procedure ends.

It should be noted that, for a given UE, if the first notification message from the first control plane functional entity is received during the registration of the UE with the core network, all of the UE's user plane data needs to be security protected between the UE and the user plane functional entity; if no first notification message from the first control plane functional entity is received during the registration of the UE with the core network, none of the UE's user plane data needs to be security protected between the UE and the user plane functional entity. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all UEs but only to that of some UEs. Which UEs have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

Alternatively, for some PDU sessions of a given UE, if the first notification message from the first control plane functional entity is received during PDU session establishment, the user plane data that the UE transmits over that PDU session needs to be security protected between the UE and the user plane functional entity; for the other PDU sessions of that UE, if no first notification message from the first control plane functional entity is received during PDU session establishment, the user plane data that the UE transmits over that PDU session does not need to be security protected between the UE and the user plane functional entity. Security protection between the UE and the user plane functional entity is thus applied not to the user plane data of all of the UE's PDU sessions but only to that of some of them. Which PDU sessions of the UE have their user plane data security protected between the UE and the user plane functional entity can be determined from the UE's subscription data, and a user can obtain this by subscribing with the operator according to the user's own needs.

In some exemplary embodiments, after the first notification message sent by the first control plane functional entity is received, the method may further include: generating a first key and generating a second key according to the first key, where the second key is used by the target user equipment and the user plane functional entity to security protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the second key includes an encryption key. In some exemplary embodiments, the second key includes an integrity key. In some exemplary embodiments, the second key includes both an encryption key and an integrity key.

In some exemplary embodiments, the encryption key is used for confidentiality protection of user plane data between the UE and the core network user plane functional entity, and the integrity key is used for integrity protection of user plane data between the UE and the core network user plane functional entity.

In some exemplary embodiments, the first key is a first key corresponding to the target UE and the second key is a second key corresponding to the target UE. The first keys corresponding to different target UEs may be the same or different, and the second keys corresponding to different target UEs may be the same or different.

In some exemplary embodiments, the first key is a first key corresponding to a protocol data unit (PDU) session of the target UE; for example, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The second key is a second key corresponding to a PDU session of the UE; for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key.

In some exemplary embodiments, the method may further include: performing security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the second key includes a confidentiality key and/or an integrity key, and performing security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: encrypting the target user plane data sent to the user plane functional entity with the confidentiality key, and decrypting the target user plane data received from the user plane functional entity with the confidentiality key; or integrity protecting the target user plane data sent to the user plane functional entity with the integrity key, and integrity checking the target user plane data received from the user plane functional entity with the integrity key; or encrypting the target user plane data sent to the user plane functional entity with the confidentiality key and then integrity protecting the encrypted target user plane data with the integrity key, and integrity checking the target user plane data received from the user plane functional entity with the integrity key and, once the check passes, decrypting it with the confidentiality key.

In some exemplary embodiments, performing security protection processing on the target user plane data transmitted between the target user equipment and the user plane functional entity using the second key includes: before PDCP encapsulation of the uplink target user plane data to be sent to the user plane functional entity, performing first security protection processing on the uplink target user plane data using the second key, and sending the uplink target user plane data resulting from the first security protection processing to the user plane functional entity; and, after PDCP decapsulation of the first-security-protection-processed downlink target user plane data received from the user plane functional entity, performing second security protection processing on that downlink target user plane data using the second key.

In some exemplary embodiments, the second key is the second key corresponding to the target UE. The uplink target user plane data sent to the user plane functional entity is then all of the uplink user plane data that the target UE sends to the user plane functional entity, and the first-security-protection-processed downlink target user plane data received from the user plane functional entity is all of the downlink user plane data that the target UE receives from the user plane functional entity.

That is, first security protection processing is performed with the second key on all uplink target user plane data that the target UE sends to the user plane functional entity, and second security protection processing is performed with the second key on all downlink target user plane data received from the user plane functional entity.

In some exemplary embodiments, the second key is the second key corresponding to a protocol data unit (PDU) session of the target UE (for example, one PDU session may correspond to one second key, or two or more PDU sessions may correspond to one second key). In that case, the uplink target user plane data sent to the user plane functional entity is the uplink user plane data that the target UE sends to the user plane functional entity over that PDU session, and the first-security-protection-processed downlink target user plane data received from the user plane functional entity is the downlink user plane data that the UE receives from the user plane functional entity over that PDU session.

也就是说,使用第二密钥对目标UE通过第二密钥对应的PDU会话向用户面功能实体发送的上行目标用户面数据进行第一安全保护处理,对于目标UE通过不与第二密钥对应的PDU会话(也就是第二密钥对应的PDU会话之外的其他PDU会话)向用户面功能实体发送的上行用户面数据则不需要进行第一安全保护处理,而是按照现有技术进行处理;同样的,使用第二密钥对通过第二密钥对应的PDU会话接收到的来自用户面功能实体的下行目标用户面数据进行第二安全保护处理,对于通过不与第二密钥对应的PDU会话(也就是第二密钥对应的PDU会话之外的其他PDU会话)接收到的来自用户面功能实体的下行用户面数据则不需要进行第二安全保护处理,而是按照现有技术进行处理。That is, the second key is used to perform the first security protection process on the uplink target user plane data sent by the target UE to the user plane function entity through the PDU session corresponding to the second key, and the target UE is not connected with the second key. The uplink user plane data sent by the corresponding PDU session (that is, the PDU session other than the PDU session corresponding to the second key) to the user plane function entity does not require the first security protection process, but is performed in accordance with the existing technology. Processing; similarly, use the second key to perform the second security protection processing on the downlink target user plane data from the user plane functional entity received through the PDU session corresponding to the second key, and for the second key that does not correspond to the second key The downlink user plane data received from the user plane function entity in the PDU session (that is, the PDU session other than the PDU session corresponding to the second key) does not need to be subjected to the second security protection process, but in accordance with the prior art To process.

上述示例性实施方式中,仅对通过部分PDU会话与用户面功能实体传输的用户面数据进行安全保护,而不是对UE所有的用户面数据进行安全保护,从而对于不需要进行的用户面数据提高了处理效率,减少了业务时延。In the above exemplary embodiment, only the user plane data transmitted through a part of the PDU session and the user plane function entity is secured, instead of the security protection of all the user plane data of the UE, thereby improving the user plane data that does not need to be performed. Improve processing efficiency and reduce business delay.

In some exemplary embodiments, the security protection may be any one of the following three cases: confidentiality protection only, integrity protection only, or both confidentiality protection and integrity protection. The three cases are described in turn below.

(1) Security protection includes confidentiality protection only

In this case the second key includes only an encryption key. Accordingly, performing the first security protection processing on the uplink target user plane data with the second key includes encrypting the uplink target user plane data with the encryption key, and performing the second security protection processing on the downlink target user plane data after the first security protection processing with the second key includes decrypting the encrypted downlink target user plane data with the encryption key.

(2) Security protection includes integrity protection only

In this case the second key includes only an integrity key. Accordingly, performing the first security protection processing on the uplink target user plane data with the second key includes applying integrity protection to the uplink target user plane data with the integrity key, and performing the second security protection processing on the downlink target user plane data after the first security protection processing with the second key includes verifying the integrity of the integrity-protected downlink target user plane data with the integrity key.

(3) Security protection includes both confidentiality protection and integrity protection

In this case the second key includes an encryption key and an integrity key. Accordingly, performing the first security protection processing on the uplink target user plane data with the second key includes encrypting the uplink target user plane data with the encryption key and then applying integrity protection to the encrypted uplink target user plane data with the integrity key; performing the second security protection processing on the downlink target user plane data after the first security protection processing with the second key includes verifying the integrity of the encrypted and integrity-protected downlink target user plane data with the integrity key and, only once that verification passes, decrypting the encrypted downlink target user plane data with the encryption key.

In the data transmission method provided by the present disclosure, the first control plane functional entity or the second control plane functional entity determines the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity and then notifies the target user equipment, so that the target user equipment and the user plane functional entity security-protect the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved. Moreover, the RAN takes no part in the security protection of user plane data between the UE and the core network: it transparently forwards the user plane data transmitted between the UE and the core network and does not hold the second key, which suits scenarios in which the RAN is untrusted and exposed to attack.

In some exemplary embodiments, the first control plane functional entity, the second control plane functional entity and the user plane functional entity are located in different devices of the core network.

In some exemplary embodiments, the first control plane functional entity and the second control plane functional entity are control plane network functions responsible for user equipment access and service handling.

In some exemplary embodiments, the user plane functional entity is a forwarding plane network function that handles user application data.

In some exemplary embodiments, in a 5G network the first control plane functional entity is the access and mobility management function (AMF), the second control plane functional entity is the session management function (SMF), and the user plane functional entity is the user plane function (UPF).

In some exemplary embodiments, in an evolved packet core (EPC) network the first control plane functional entity is the mobility management entity (MME) and the user plane functional entity is the serving gateway (SGW) or the packet data network gateway (PGW).

The specific implementation of the above embodiments is explained below through several specific examples. It should be noted that the examples listed are given for convenience of description only and do not limit the scope of protection of the present disclosure.

Example 1

If a virtual network operator provides network services over leased access equipment, that access equipment is untrusted from the application's point of view, and an encrypted channel needs to be established directly between the UE and the core network equipment. Alternatively, when several core network operators share one access network, an encrypted channel likewise needs to be established between the UE and each core network to keep data secure. For these scenarios the key needed to encrypt user plane data can be generated during the registration and authentication phase in which the UE accesses the core network, so that user plane data is transmitted encrypted once the UE starts a service. Taking a 5G network as an example, the implementation flow is described in Figure 6. In this solution the first control plane functional entity is the AMF entity and the user plane functional entity is the UPF entity.

1. The UE requests access to the 5G network and sends a registration/authentication request to the AMF entity; the RAN functional entity routes the request to the AMF entity according to the subscription concealed identifier (SUCI) carried in it.

2. The authentication procedure is completed among the UE, the AMF entity, the authentication server function (AUSF) entity and the unified data management (UDM) entity. Further registration procedures take place among the UE, the RAN functional entity and the AMF entity; see the registration procedure in 3GPP TS 23.502 for details.

3. After authentication completes, the AMF entity generates the anchor key K_SEAF. If the AMF entity decides that user plane data needs to be security-protected between the UE and the user plane functional entity (for example, because the operator policy or the user's subscription information requires it), the AMF entity derives keys from K_SEAF with a key generation algorithm and finally generates the first (intermediate) key K1.

4. The AMF entity sends the first key K1 to the UPF entity. This may take place during PDU session establishment, with the AMF entity sending K1 to the UPF entity via the session management function (SMF) entity.

5. The UPF entity stores the first key K1.

6. The AMF entity notifies the UE that user plane data needs to be security-protected between the UE and the user plane functional entity.

7. The remaining registration procedure is completed among the UE, the RAN functional entity and the AMF entity.

8. The UPF entity generates the second key from K1 with a key generation algorithm (the second key comprising the encryption key K2 and the integrity key K3). On the UE side, following the indication of step 6, the UE uses the same key generation algorithms as the network side to generate the anchor key K_SEAF, then the first key K1, and from K1 the encryption key K2 and the integrity key K3.

9. When the UE starts a service, user plane data is confidentiality- and integrity-protected between the UE and the UPF entity; see Example 4 for the procedure.

The above solution describes security protection of user plane data between the UE and the 5G core network after the UE has registered to the 5G network, that is, all user plane data exchanged between the UE and the 5G core network is confidentiality- and integrity-protected. The solution applies equally to EPC, where the first control plane functional entity is the MME and the user plane functional entity is the SGW or PGW; during UE registration the encryption key K2 and the integrity key K3 are generated on the UE and on the SGW/PGW.
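The key hierarchy of Example 1 (K_SEAF to the first key K1 at the AMF, K1 to the second key K2/K3 at the UPF and, independently, at the UE), as an added example. This is not code from the patent or from ZTE. It uses the generic KDF form of 3GPP TS 33.220 Annex B and the FC value and algorithm type distinguishers that TS 33.501 Annex A.8 defines for user plane algorithm keys; the FC value for K1, the binding of K1 to the SUPI, and the optional PDU session identifier input are assumptions of this example, since the page names K1 but specifies no derivation inputs.

```python
import hmac
import hashlib

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Key derivation in the form of 3GPP TS 33.220 Annex B:
    HMAC-SHA-256(Key, S), S = FC || P0 || L0 || P1 || L1 || ...,
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

# Assumption: the page fixes no FC value for its first (intermediate) key K1
# and none is standardised for such a key, so this value and the binding of
# K1 to the SUPI are choices of this example.
FC_K1 = 0x80
# FC and algorithm type distinguishers of TS 33.501 Annex A.8 (N-UP-enc-alg,
# N-UP-int-alg).  The standard applies them under K_gNB; here, following the
# page, the parent key is K1, which only the UE and the UPF hold.
FC_ALG = 0x69
N_UP_ENC_ALG = b"\x05"
N_UP_INT_ALG = b"\x06"

def derive_k1(k_seaf: bytes, supi: bytes) -> bytes:
    """First key K1 from the anchor key K_SEAF (Example 1, step 3)."""
    return kdf(k_seaf, FC_K1, supi)

def derive_second_key(k1: bytes, enc_alg_id: int, int_alg_id: int,
                      pdu_session_id=None):
    """Second key (K2, K3) from K1 (Example 1, step 8).  The 128 least
    significant bits of each 256-bit output form the 128-bit key, as for the
    algorithm keys of TS 33.501.  Feeding a PDU session identifier into the
    KDF (assumption) is one way to obtain the page's "one second key per PDU
    session"; the page does not say how that binding is made."""
    extra = () if pdu_session_id is None else (bytes([pdu_session_id]),)
    k2 = kdf(k1, FC_ALG, N_UP_ENC_ALG, bytes([enc_alg_id]), *extra)[16:]
    k3 = kdf(k1, FC_ALG, N_UP_INT_ALG, bytes([int_alg_id]), *extra)[16:]
    return k2, k3

def ue_second_key(k_seaf, supi, enc_alg_id, int_alg_id, pdu_session_id=None):
    """UE side: after the step-6 notification the UE re-derives K1 and the
    second key locally with the same algorithms as the network."""
    return derive_second_key(derive_k1(k_seaf, supi), enc_alg_id, int_alg_id,
                             pdu_session_id)

def network_second_key(k_seaf, supi, enc_alg_id, int_alg_id, pdu_session_id=None):
    """Network side: the AMF derives K1 (step 3) and hands it to the UPF via
    the SMF (steps 4-5); only the UPF derives K2/K3 (step 8).  K_SEAF never
    leaves the AMF, and the RAN is on neither path."""
    k1_from_amf = derive_k1(k_seaf, supi)      # the only key material sent on
    return derive_second_key(k1_from_amf, enc_alg_id, int_alg_id, pdu_session_id)

if __name__ == "__main__":
    k_seaf = bytes.fromhex("0f" * 32)          # constructed 256-bit anchor key
    supi = b"imsi-001010123456789"             # constructed SUPI
    assert ue_second_key(k_seaf, supi, 2, 2) == network_second_key(k_seaf, supi, 2, 2)
    k2, k3 = ue_second_key(k_seaf, supi, 2, 2)
    print("K2 =", k2.hex())
    print("K3 =", k3.hex())
```

Because the algorithm identifiers and the distinguishers are KDF inputs, a change of ciphering algorithm changes K2 without touching K3, and two PDU sessions given different identifiers obtain unrelated second keys from the same K1, which is what lets the per-session variant of the method leave other sessions on the existing RAN-terminated protection.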

Example 2

Example 1 describes security protection of user plane data between the UE and the 5G core network. A 5G network can also provide network services in the form of network slices, that is, the 5GC may comprise several network slices, and a UE registered to the 5G network can access up to 8 of them. Example 2 describes security protection of user plane data between the UE and the core network at the granularity of a network slice; the flow is shown in Figure 7. In this solution the first control plane functional entity is the AMF entity, the second control plane functional entity is the SMF entity and the user plane functional entity is the UPF entity:

1. After the UE has successfully registered to the 5G network, it requests access to a network slice by sending a PDU session establishment request. The request carries a non-access stratum (NAS) message that includes, among other information, single network slice selection assistance information (S-NSSAI); the S-NSSAI carries the identifier of the network slice the UE is authorised to request access to. The AMF entity stores the S-NSSAI and related information.

2. The AMF entity selects an SMF entity according to the S-NSSAI and other information.

3. The AMF entity sends a PDU session context creation request to the SMF entity carrying the subscription permanent identifier (SUPI), the S-NSSAI and other information.

4. The SMF entity uses the SUPI, the S-NSSAI and other information to obtain session management subscription data from the UDM entity; the session management subscription data includes an indication of whether user plane data needs to be security-protected between the UE and the core network.

5. If the PDU session establishment request of step 1 is being sent for the first time, the SMF entity selects a UPF entity; otherwise the flow proceeds directly to step 7.

6. An N4 session is established between the SMF entity and the UPF entity.

7. The SMF entity decides, based on the subscription data, whether user plane data needs to be security-protected between the UE and the user plane functional entity.

8. The SMF entity and the AMF entity exchange a PDU session establishment message or a PDU session update message, in which the SMF entity sends the AMF entity the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity.

9. Having received that indication, the AMF entity sends the anchor key generated after successful authentication (for example, K_SEAF) to the SMF entity.

10. The SMF entity stores the anchor key K_SEAF and generates the first key K1 from it with a key generation algorithm.

11. The SMF entity sends the first key K1 to the UPF entity.

12. The UPF entity stores the first key K1.

13. In accordance with step 8, the AMF entity returns to the UE the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity.

14. The UE, the AMF entity, the SMF entity and the UPF entity complete the remainder of PDU session establishment.

15. After receiving the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity, the UE generates the first key K1 with the key generation algorithm and derives the second key from it (the second key comprising the encryption key K2 and the integrity key K3). The UPF entity generates the second key from the first key K1 with the same key generation algorithm (the second key comprising the encryption key K2 and the integrity key K3).

16. See Example 4 for the confidentiality and integrity protection of user plane data between the UE and the UPF entity.

In the above embodiment the SMF entity decides that user plane data is to be security-protected between the UE and the core network for the network slice and informs the AMF entity; the SMF entity then generates the first key K1 from the anchor key K_SEAF provided by the AMF entity and provides K1 to the UPF entity. The procedure may alternatively be implemented as follows: the AMF entity decides, for the network slice corresponding to the S-NSSAI requested by the UE, that user plane data is to be security-protected between the UE and the core network, generates the first key K1 from the anchor key K_SEAF and provides it to the SMF entity, and the SMF entity provides K1 to the UPF entity.

Example 3

Example 1 describes security protection of user plane data between the UE and the 5G core network. A 5G network can also provide network services in the form of network slices, that is, the 5GC may comprise several network slices, and a UE registered to the 5G network can access up to 8 of them. Example 3 describes security protection of user plane data between the UE and the core network at the granularity of a network slice; the flow is shown in Figure 8. In this solution the first control plane functional entity is the AMF entity, the second control plane functional entity is the SMF entity and the user plane functional entity is the UPF entity:

1. After the UE has successfully registered to the 5G network, it requests access to a network slice by sending a PDU session establishment request. The request carries a NAS message that includes, among other information, single network slice selection assistance information (S-NSSAI); the S-NSSAI carries the identifier of the network slice the UE is authorised to request access to. The AMF entity stores the S-NSSAI and related information.

2. The AMF entity selects an SMF entity according to the S-NSSAI and other information.

3. The AMF entity sends a PDU session context creation request to the SMF entity carrying the SUPI, the S-NSSAI and other information.

4. The SMF entity uses the SUPI, the S-NSSAI and other information to obtain session management subscription data from the UDM; the session management subscription data includes an indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity.

5. If the PDU session establishment request of step 1 is being sent for the first time, the SMF entity selects a UPF entity; otherwise the flow proceeds directly to step 7.

6. An N4 session is established between the SMF entity and the UPF entity.

7. The SMF entity and the AMF entity exchange a PDU session establishment message or a PDU session update message, in which the SMF entity sends the AMF entity the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity.

8. The AMF entity decides that user plane data needs to be security-protected between the UE and the user plane functional entity, generates the first (intermediate) key K1 from the anchor key K_SEAF produced after successful authentication with a key generation algorithm, and sends K1 to the SMF entity.

9. The SMF entity sends the first key K1 to the UPF entity.

10. The UPF entity stores the first key K1.

11. In accordance with step 8, the AMF entity returns to the UE the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity.

12. The UE, the AMF entity, the SMF entity and the UPF entity complete the remainder of PDU session establishment.

13. After receiving the indication of whether user plane data needs to be security-protected between the UE and the user plane functional entity, the UE generates the first key K1 with the key generation algorithm and derives the second key from it (the second key comprising the encryption key K2 and the integrity key K3). The UPF entity generates the second key from the first key K1 with the same key generation algorithm (the second key comprising the encryption key K2 and the integrity key K3).

14. See Example 4 for the confidentiality and integrity protection of user plane data between the UE and the UPF entity.

示例4Example 4

结合上述实施方式,根据AMF实体是否向UE发送第一通知消息,决定在UE和RAN实体或者UE和UPF实体之间针对用户面数据进行安全保护。In combination with the foregoing implementation manners, it is decided to perform security protection for user plane data between the UE and the RAN entity or the UE and the UPF entity according to whether the AMF entity sends the first notification message to the UE.

如果AMF实体未向UE发送第一通知消息,则在UE和RAN功能实体之间针对用户面数据进行安全保护,为现有技术。If the AMF entity does not send the first notification message to the UE, security protection for user plane data is performed between the UE and the RAN functional entity, which is a prior art.

如果AMF实体向UE发送第一通知消息,则在UE和UPF实体之间针对用户面数据进行安全保护,即使用加密密钥K 2和完整性密钥K 3If the AMF entity sends the first notification message to the UE, the user plane data is securely protected between the UE and the UPF entity, that is, the encryption key K 2 and the integrity key K 3 are used .

结合上述示例1、示例2和示例3,本示例描述了用户面数据安全终结点在UPF的协议栈处理示意图,如图9所示,即由UE与UPF实体之间建立PDCP连接,用PDCP连接对用户面数据实施加密和完整性保护。中间网络功能实体,例如RAN功能实体,不涉及用户面数据的加解密处理和完整性保护。具体实施过程如下描述:Combining the above example 1, example 2 and example 3, this example describes the schematic diagram of the protocol stack processing of the user plane data security endpoint in the UPF, as shown in Figure 9, that is, the PDCP connection is established between the UE and the UPF entity, and the PDCP connection is used Encryption and integrity protection of user plane data. Intermediate network functional entities, such as RAN functional entities, are not involved in the encryption and decryption processing and integrity protection of user plane data. The specific implementation process is described as follows:

对于上行用户面数据:For uplink user plane data:

UE按照图9所示的UE协议栈部分完成对发送的上行用户面数据的封装,发送封装后的上行用户面数据。具体的,对上行用户面数据进行应用层封装,对应用层封装后的上行用户面数据进行PDU层封装,对PDU层封装后的上行用户面数据进行简单分布式文件传输系统访问协议(SDAP,Simple Distribution File System Access Protocol)封装,使用加密密钥K 2对SDAP封装后的上行用户面数据进行加密,使用完整性密钥K 3对加密后的上行用户面数据进行完整性保护处理,对完整性保护处理后的上行用户面数据进行PDCP封装,对PDCP封 装后的上行用户面数据进行无线链路控制层(RLC,Radio Link Control)封装,对RLC封装后的上行用户面数据进行媒体访问控制(MAC,Medica Access Control)层封装,对MAC层封装后的上行用户面数据进行物理层(PHY,Physical layer)封装。 The UE completes the encapsulation of the sent uplink user plane data according to the UE protocol stack part shown in FIG. 9 and sends the encapsulated uplink user plane data. Specifically, the application layer encapsulation is performed on the uplink user plane data, the PDU layer encapsulation is performed on the uplink user plane data after the application layer encapsulation, and the Simple Distributed File Transfer System Access Protocol (SDAP, Simple Distribution File System Access Protocol) encapsulation, using the encryption key K 2 to encrypt the SDAP encapsulated uplink user plane data, and using the integrity key K 3 to perform integrity protection processing on the encrypted uplink user plane data. PDCP encapsulation is performed on the uplink user plane data after sexual protection processing, the radio link control layer (RLC, Radio Link Control) encapsulation is performed on the uplink user plane data after PDCP encapsulation, and the media access control is performed on the uplink user plane data after RLC encapsulation. (MAC, Medica Access Control) layer encapsulation, physical layer (PHY, Physical layer) encapsulation is performed on the uplink user plane data after MAC layer encapsulation.

当PHY封装后的上行用户面数据发送至RAN实体时,RAN实体完成对上行用户面数据的协议转换,首先对PHY封装后的上行用户面数据进行PHY解封装,对PHY解封装后的上行用户面数据进行MAC层解封装,对MAC层解封装后的上行用户面数据进行RLC解封装,然后将RLC解封装后的上行用户面数据转换成通用分组无线服务(GPRS,General Packet Radio Service)隧道协议(GTP,GPRS Tunnelling Protocol)封装格式。在所述协议转换处理过程中,RAN实体对PDCP层及以上不作任何处理,即不对上行用户面数据进行解密和完整性校验处理。RAN实体对上行用户面数据完成协议转换处理后,发送给UPF实体。When the PHY-encapsulated uplink user plane data is sent to the RAN entity, the RAN entity completes the protocol conversion of the uplink user plane data. First, the PHY encapsulated uplink user plane data is PHY decapsulated, and the PHY decapsulated uplink user The plane data is decapsulated at the MAC layer, the uplink user plane data after the MAC layer decapsulation is decapsulated, and then the uplink user plane data after the RLC decapsulation is converted into a general packet radio service (GPRS, General Packet Radio Service) tunnel Protocol (GTP, GPRS Tunnelling Protocol) encapsulation format. In the protocol conversion process, the RAN entity does not perform any processing on the PDCP layer and above, that is, does not perform decryption and integrity verification processing on the uplink user plane data. After the RAN entity completes the protocol conversion processing on the uplink user plane data, it is sent to the UPF entity.

The UPF entity receives the protocol-converted uplink user plane data and performs L1 decapsulation on it, L2 decapsulation on the L1-decapsulated data, GTP-U/UDP/IP layer decapsulation on the L2-decapsulated data, and PDCP decapsulation on the GTP-U/UDP/IP-decapsulated data; it then uses the integrity key K3 to perform an integrity check on the PDCP-decapsulated uplink user plane data and, once the check passes, uses the encryption key K2 to decrypt the PDCP-decapsulated uplink user plane data, performs SDAP decapsulation on the decrypted data, and performs PDU layer decapsulation on the SDAP-decapsulated data.

For downlink user plane data:

The UPF entity encapsulates the downlink user plane data to be sent according to the UPF protocol stack portion shown in FIG. 9, and sends the encapsulated downlink user plane data. Specifically, it performs PDU layer encapsulation on the downlink user plane data, performs SDAP encapsulation on the PDU-layer-encapsulated data, encrypts the SDAP-encapsulated data with the encryption key K2, applies integrity protection to the encrypted data with the integrity key K3, performs PDCP encapsulation on the integrity-protected data, performs GTP-U/UDP/IP layer encapsulation on the PDCP-encapsulated data, performs L2 encapsulation on the GTP-U/UDP/IP-encapsulated data, and performs L1 encapsulation on the L2-encapsulated data.

When the data reaches the RAN entity, the RAN entity performs protocol conversion on the downlink user plane data: it first performs L1 decapsulation on the L1-encapsulated downlink user plane data, L2 decapsulation on the L1-decapsulated data, and GTP-U/UDP/IP layer decapsulation on the L2-decapsulated data, and then converts the GTP-U/UDP/IP-decapsulated downlink user plane data into the RLC encapsulation format. During this protocol conversion the RAN entity does not process the PDCP layer or any layer above it, that is, it neither decrypts nor integrity-checks the downlink user plane data. After completing the protocol conversion, the RAN entity sends the downlink user plane data to the UE.

The UE receives the protocol-converted downlink user plane data and performs PHY decapsulation on it, MAC layer decapsulation on the PHY-decapsulated data, RLC layer decapsulation on the MAC-decapsulated data, and PDCP decapsulation on the RLC-decapsulated data; it then uses the integrity key K3 to perform an integrity check on the PDCP-decapsulated downlink user plane data and, once the check passes, uses the encryption key K2 to decrypt the PDCP-decapsulated data, performs SDAP decapsulation on the decrypted data, PDU layer decapsulation on the SDAP-decapsulated data, and application layer decapsulation on the PDU-layer-decapsulated data.
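The layered processing just described, as an added example that is not part of the patent: the sender (UPF on the downlink, UE on the uplink) encrypts the SDAP PDU with K2, integrity-protects the ciphertext with K3 and wraps the result in a PDCP-style header; the RAN only swaps the GTP-U framing for RLC framing (or back) and never touches the PDCP PDU; the receiver checks the MAC with K3 before decrypting with K2 and drops any PDU that fails, which is also the combined mode that the data processing modules 1202 and 1303 below apply. The patent names no cipher or integrity algorithm, so HMAC-SHA256 stands in for both (as a counter-mode keystream and as a truncated MAC), the keys K2 and K3 are constructed sample values, and the GTP-U and RLC headers are toy framing assumed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample keys: K2 = encryption (confidentiality) key, K3 = integrity key.
K2 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
K3 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781")
DL, UL = 0, 1  # direction input to the security functions
MAC_LEN = 4    # PDCP MAC-I is 32 bits

def _keystream(key, count, direction, n):
    """Counter-mode keystream PRF(key, count || direction || block); a stand-in
    for the confidentiality algorithm the patent leaves unspecified."""
    out = bytearray()
    for block in range((n + 31) // 32):
        out += hmac.new(key, struct.pack(">IBI", count, direction, block),
                        hashlib.sha256).digest()
    return bytes(out[:n])

def _cipher(key, count, direction, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    ks = _keystream(key, count, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(key, count, direction, data):
    """Truncated HMAC over (count, direction, data); a stand-in for the MAC-I."""
    return hmac.new(key, struct.pack(">IB", count, direction) + data,
                    hashlib.sha256).digest()[:MAC_LEN]

def pdcp_protect(count, direction, sdap_pdu):
    """Sender: encrypt with K2, then integrity-protect the ciphertext with K3."""
    ct = _cipher(K2, count, direction, sdap_pdu)
    return struct.pack(">I", count) + ct + _mac(K3, count, direction, ct)

def pdcp_unprotect(direction, pdcp_pdu):
    """Receiver: check the MAC with K3 first; only a PDU that passes is decrypted
    with K2. Returns None for a PDU that fails (discarded, never decrypted)."""
    if len(pdcp_pdu) < 4 + MAC_LEN:
        return None
    count = struct.unpack(">I", pdcp_pdu[:4])[0]
    ct, mac = pdcp_pdu[4:-MAC_LEN], pdcp_pdu[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(K3, count, direction, ct)):
        return None
    return _cipher(K2, count, direction, ct)

# Toy transport framing assumed for the demo (real GTP-U and RLC headers differ).
def gtpu_encap(teid, pdcp_pdu):
    return b"GTPU" + struct.pack(">I", teid) + pdcp_pdu

def gtpu_decap(packet):
    if packet[:4] != b"GTPU":
        raise ValueError("not a GTP-U packet")
    return struct.unpack(">I", packet[4:8])[0], packet[8:]

def rlc_encap(pdcp_pdu):
    return b"RLC" + pdcp_pdu

def rlc_decap(frame):
    if frame[:3] != b"RLC":
        raise ValueError("not an RLC frame")
    return frame[3:]

def ran_downlink_convert(gtpu_packet):
    """RAN protocol conversion: GTP-U/UDP/IP in, RLC out. The PDCP PDU is
    copied byte for byte; the RAN holds neither K2 nor K3."""
    _teid, pdcp_pdu = gtpu_decap(gtpu_packet)
    return rlc_encap(pdcp_pdu)

def ran_uplink_convert(rlc_frame, teid):
    return gtpu_encap(teid, rlc_decap(rlc_frame))

def downlink(sdap_pdu, count=7, teid=0x1001):
    """UPF -> RAN -> UE; returns what the UE recovers, or None if it rejects the PDU."""
    pkt = gtpu_encap(teid, pdcp_protect(count, DL, sdap_pdu))  # UPF side
    rlc = ran_downlink_convert(pkt)                             # RAN side
    return pdcp_unprotect(DL, rlc_decap(rlc))                   # UE side

def uplink(sdap_pdu, count=7, teid=0x1001):
    """UE -> RAN -> UPF, the mirror image of downlink()."""
    rlc = rlc_encap(pdcp_protect(count, UL, sdap_pdu))          # UE side
    pkt = ran_uplink_convert(rlc, teid)                         # RAN side
    return pdcp_unprotect(UL, gtpu_decap(pkt)[1])               # UPF side

def downlink_modified_in_transit(sdap_pdu, count=7):
    """One ciphertext byte changed between UPF and UE: the UE's integrity check
    with K3 fails and the PDU is dropped before any decryption."""
    pdu = bytearray(pdcp_protect(count, DL, sdap_pdu))
    pdu[4] ^= 0x01
    return pdcp_unprotect(DL, bytes(pdu))
```

Binding the count and direction into both the keystream and the MAC is what makes a replayed or reflected PDU fail the check; a real deployment would also carry the bearer identity in those inputs.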

In a fifth aspect, the present disclosure provides an electronic device, comprising: at least one processor; and a memory storing at least one program which, when executed by the at least one processor, causes the at least one processor to implement any one of the data transmission methods described above.

The processor is a device with data processing capability, including but not limited to a central processing unit (CPU); the memory is a device with data storage capability, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH).

In some embodiments, the processor and the memory are connected to each other through a bus, and through it to the other components of the computing device.

In a sixth aspect, the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any one of the data transmission methods described above.

FIG. 10 is a block diagram of a data transmission apparatus of the present disclosure.

In a seventh aspect, referring to FIG. 10, the present disclosure provides a data transmission apparatus (for example, a first control plane functional entity), comprising: a first determining module 1001, configured to determine the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity; and a first notification message sending module 1002, configured to send a first notification message to the target user equipment, the first notification message indicating that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the data transmission apparatus further comprises a first key processing module 1003, configured to generate a first key and send the first key to the user plane functional entity, wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the first determining module 1001 is configured to receive the first notification message sent by a second control plane functional entity.

In some exemplary embodiments, the data transmission apparatus further comprises a second notification message sending module 1004, configured to send a second notification message to the second control plane functional entity, the second notification message notifying the second control plane functional entity to generate a first key, wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity.

The specific implementation of the above data transmission apparatus is the same as that of the data transmission method on the first control plane functional entity side in the foregoing embodiments, and is not repeated here.

FIG. 11 is a block diagram of a data transmission apparatus of the present disclosure.

In an eighth aspect, referring to FIG. 11, the present disclosure provides a data transmission apparatus (for example, a second control plane functional entity), comprising: a first notification message receiving module 1101, configured to receive a second notification message sent by the first control plane functional entity, the second notification message notifying the second control plane functional entity to generate a first key, wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity; and a second key processing module 1102, configured to generate the first key and send the first key to the user plane functional entity.

In some exemplary embodiments, the data transmission apparatus further comprises: a third determining module 1103, configured to determine the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity; and a third notification message sending module 1104, configured to send a first notification message to the first control plane functional entity, the first notification message indicating that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.

The specific implementation of the above data transmission apparatus is the same as that of the data transmission method on the second control plane functional entity side in the foregoing embodiments, and is not repeated here.

FIG. 12 is a block diagram of a data transmission apparatus of the present disclosure.

In a ninth aspect, referring to FIG. 12, the present disclosure provides a data transmission apparatus (for example, a user plane functional entity), comprising: a third key processing module 1201, configured to obtain a first key and generate a second key from the first key, the second key being used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity; and a first data processing module 1202, configured to perform security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the third key processing module 1201 is configured to obtain the first key by receiving the first key sent by the first control plane functional entity.

In some exemplary embodiments, the third key processing module 1201 is configured to obtain the first key by receiving the first key sent by the second control plane functional entity.

In some exemplary embodiments, the second key includes a confidentiality key and/or an integrity key, and the first data processing module 1202 is configured to: encrypt the target user plane data sent to the target user equipment with the confidentiality key, and decrypt the target user plane data received from the target user equipment with the confidentiality key; or, integrity-protect the target user plane data sent to the target user equipment with the integrity key, and integrity-check the target user plane data received from the target user equipment with the integrity key; or, encrypt the target user plane data sent to the target user equipment with the confidentiality key and integrity-protect that target user plane data with the integrity key, and integrity-check the target user plane data received from the target user equipment with the integrity key and, once the check passes, decrypt that target user plane data with the confidentiality key.

The specific implementation of the above data transmission apparatus is the same as that of the data transmission method on the user plane functional entity side in the foregoing embodiments, and is not repeated here.

FIG. 13 is a block diagram of a data transmission apparatus of the present disclosure.

In a tenth aspect, referring to FIG. 13, the present disclosure provides another data transmission apparatus (for example, a target UE), comprising: a second notification message receiving module 1301, configured to receive a first notification message sent by the first control plane functional entity, the first notification message indicating that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the data transmission apparatus further comprises a fourth key processing module 1302, configured to generate a first key and generate a second key from the first key, wherein the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the second key includes a confidentiality key and/or an integrity key, and the data transmission apparatus further comprises a second data processing module 1303, configured to: encrypt the target user plane data sent to the user plane functional entity with the confidentiality key, and decrypt the target user plane data received from the user plane functional entity with the confidentiality key; or, integrity-protect the target user plane data sent to the user plane functional entity with the integrity key, and integrity-check the target user plane data received from the user plane functional entity with the integrity key; or, encrypt the target user plane data sent to the user plane functional entity with the confidentiality key and integrity-protect the encrypted target user plane data with the integrity key, and integrity-check the target user plane data received from the user plane functional entity with the integrity key and, once the check passes, decrypt that target user plane data with the confidentiality key.

The specific implementation of the above data transmission apparatus is the same as that of the data transmission method on the target UE side in the foregoing embodiments, and is not repeated here.

FIG. 14 is a block diagram of a data transmission system of the present disclosure.

In an eleventh aspect, referring to FIG. 14, the present disclosure provides a data transmission system, comprising: a first control plane functional entity 1401, configured to determine the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity, and to send a first notification message to the target user equipment, the first notification message indicating that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity; and a target user equipment 1402, configured to receive the first notification message sent by the first control plane functional entity.

In some exemplary embodiments, the first control plane functional entity 1401 is further configured to generate a first key and send the first key to the user plane functional entity, wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity. The data transmission system further comprises a user plane functional entity 1403, configured to receive the first key sent by the first control plane functional entity, generate a second key from the first key, and perform security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity. The target user equipment 1402 is further configured to generate a first key, generate a second key from the first key, and perform security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

In some exemplary embodiments, the first control plane functional entity 1401 is configured to determine the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity by receiving a first notification message sent by a second control plane functional entity. The data transmission system further comprises a second control plane functional entity 1404, configured to determine the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity, and to send the first notification message to the first control plane functional entity.

In some exemplary embodiments, the first control plane functional entity 1401 is further configured to send a second notification message to the second control plane functional entity, the second notification message notifying the second control plane functional entity to generate a first key, wherein the first key is used by the user plane functional entity to generate a second key, and the second key is used by the target user equipment and the user plane functional entity to security-protect the target user plane data between the target user equipment and the user plane functional entity. The data transmission system further comprises a second control plane functional entity 1404, configured to receive the second notification message sent by the first control plane functional entity, generate the first key, and send the first key to the user plane functional entity; and a user plane functional entity 1403, configured to receive the first key sent by the second control plane functional entity, generate a second key from the first key, and perform security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity. The target user equipment 1402 is further configured to generate a first key, generate a second key from the first key, and perform security protection processing, using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.
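The key distribution in this system, as an added example that is not the patent's code: the first control plane functional entity decides per PDU session whether the user plane data is to be protected between UE and UPF, sends the first notification message to the UE, generates the first key K1 and hands it to the UPF, and the UE and the UPF each derive the second key (confidentiality key K2 and integrity key K3) from K1. The patent does not say how the UE arrives at the same K1 as the network, nor which key derivation function is used; this example assumes a root key already shared between UE and network before the flow starts and uses HKDF-SHA256 (RFC 5869) for both derivations, binding the session id into K1 and separating K2 from K3 by label. The DNN-based policy, the message formats and all key values are constructed.

```python
import hashlib
import hmac

# Constructed sample root key assumed to be shared by UE and network before this
# flow starts (the patent does not specify what K1 is generated from).
ROOT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]

def generate_first_key(root_key, session_id):
    """First key K1 for one PDU session. The first control plane entity and the UE
    both run this over the shared root key (assumption), which is how the UE can
    generate K1 locally as the fourth key processing module 1302 does."""
    prk = hmac.new(b"UE-UPF-K1", root_key, hashlib.sha256).digest()  # HKDF-Extract
    return hkdf_expand(prk, b"first key|" + session_id.to_bytes(2, "big"), 32)

def derive_second_key(k1):
    """Second key = (confidentiality key K2, integrity key K3); distinct labels keep
    the two keys independent even though both come from the same K1."""
    return (hkdf_expand(k1, b"UP confidentiality", 16),
            hkdf_expand(k1, b"UP integrity", 16))

class FirstControlPlaneEntity:
    """Determines the target user plane data, notifies the UE and distributes K1."""
    def __init__(self, root_key):
        self.root_key = root_key

    def needs_upf_protection(self, session):
        # Constructed policy: sessions to this DNN are protected at the UPF.
        return session["dnn"] == "secure.example"

    def first_notification(self, session):
        return {"type": "first_notification", "session_id": session["id"],
                "protect_at_upf": self.needs_upf_protection(session)}

    def first_key_for_upf(self, session):
        return {"type": "first_key", "session_id": session["id"],
                "k1": generate_first_key(self.root_key, session["id"])}

class UPF:
    """User plane functional entity: receives K1 and derives K2/K3 (module 1201)."""
    def __init__(self):
        self.keys = {}

    def receive_first_key(self, msg):
        self.keys[msg["session_id"]] = derive_second_key(msg["k1"])

class UE:
    """Target user equipment: acts on the first notification, derives keys itself."""
    def __init__(self, root_key):
        self.root_key, self.keys = root_key, {}

    def receive_first_notification(self, msg):
        if not msg["protect_at_upf"]:
            return  # no UE-UPF protection for this session: derive nothing
        k1 = generate_first_key(self.root_key, msg["session_id"])
        self.keys[msg["session_id"]] = derive_second_key(k1)

def run_flow(session):
    """Runs the exchange for one session; returns (UE keys, UPF keys)."""
    cp, upf, ue = FirstControlPlaneEntity(ROOT_KEY), UPF(), UE(ROOT_KEY)
    ue.receive_first_notification(cp.first_notification(session))
    if cp.needs_upf_protection(session):
        upf.receive_first_key(cp.first_key_for_upf(session))
    return ue.keys.get(session["id"]), upf.keys.get(session["id"])
```

The variant in which a second control plane functional entity generates K1 after receiving the second notification message differs only in which entity runs first_key_for_upf; the UE side is unchanged, since it never receives K1 over the air.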

The specific implementation of the above data transmission system is the same as that of the data transmission method in the foregoing embodiments, and is not repeated here.

A person of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components cooperating. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, it is well known to those of ordinary skill in the art that communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Example embodiments have been disclosed herein, and although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, as would be apparent to one of ordinary skill in the art, features, characteristics and/or elements described in connection with a particular embodiment may be used singly or in combination with features, characteristics and/or elements described in connection with other embodiments, unless otherwise specifically indicated. Accordingly, it will be understood by those skilled in the art that various changes in form and details may be made without departing from the scope of the present disclosure as set forth in the appended claims.

Claims (16)

一种数据传输方法,应用于第一控制面功能实体,包括:A data transmission method, applied to a first control plane functional entity, includes: 确定需要在目标用户设备与用户面功能实体之间进行安全保护的目标用户面数据;Determine the target user plane data that needs to be secured between the target user equipment and the user plane functional entity; 向所述目标用户设备发送第一通知消息,所述第一通知消息用于指示在所述目标用户设备与所述用户面功能实体之间对所述目标用户面数据进行安全保护。Send a first notification message to the target user equipment, where the first notification message is used to instruct to perform security protection on the target user plane data between the target user equipment and the user plane functional entity. 根据权利要求1所述的数据传输方法,所述确定需要在目标用户设备与用户面功能实体之间进行安全保护的目标用户面数据之后,还包括:The data transmission method according to claim 1, after determining the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, the method further comprises: 生成第一密钥,向所述用户面功能实体发送所述第一密钥;其中,所述第一密钥用于被所述用户面功能实体使用,生成第二密钥,所述第二密钥用于被所述目标用户设备和所述用户面功能实体使用,对所述目标用户面数据在所述目标用户设备与所述用户面功能实体之间进行安全保护。Generate a first key, and send the first key to the user plane functional entity; wherein, the first key is used by the user plane functional entity to generate a second key, and the second key is The key is used by the target user equipment and the user plane functional entity to securely protect the target user plane data between the target user equipment and the user plane functional entity. 根据权利要求1所述的方法,其中,所述确定需要在目标用户设备与用户面功能实体之间进行安全保护的目标用户面数据包括:The method according to claim 1, wherein the determining the target user plane data that needs to be secured between the target user equipment and the user plane functional entity comprises: 接收第二控制面功能实体发送的第一通知消息。Receive the first notification message sent by the second control plane functional entity. 
根据权利要求1所述的方法,所述确定需要在目标用户设备与用户面功能实体之间进行安全保护的目标用户面数据之后,该方法还包括:The method according to claim 1, after determining the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, the method further comprises: 向第二控制面功能实体发送第二通知消息,所述第二通知消息用于通知所述第二控制面功能实体生成第一密钥,所述第一密钥用于被所述用户面功能实体使用,生成第二密钥,所述第二密钥用于被所述目标用户设备和所述用户面功能实体使用,对所述目标用户面数据在所述目标用户设备与所述用户面功能实体之间进行安全保护。A second notification message is sent to the second control plane functional entity, the second notification message is used to notify the second control plane functional entity to generate a first key, and the first key is used to be used by the user plane function The entity uses it to generate a second key, the second key being used by the target user equipment and the user plane function entity, and for the target user plane data on the target user equipment and the user plane Security protection between functional entities. 一种数据传输方法,应用于第二控制面功能实体,包括:A data transmission method applied to a second control plane functional entity, including: 接收第一控制面功能实体发送的第二通知消息,所述第二通知消息用于通知所述第二控制面功能实体生成第一密钥,所述第一密钥 用于被所述用户面功能实体使用,生成第二密钥,所述第二密钥用于被所述目标用户设备和所述用户面功能实体使用,对所述目标用户面数据在所述目标用户设备与所述用户面功能实体之间进行安全保护;Receive a second notification message sent by a first control plane functional entity, where the second notification message is used to notify the second control plane functional entity to generate a first key, and the first key is used to be used by the user plane The functional entity uses it to generate a second key, and the second key is used by the target user equipment and the user plane functional entity. Security protection between surface functional entities; 生成所述第一密钥,将所述第一密钥发送给用户面功能实体。The first key is generated, and the first key is sent to the user plane function entity. 
6. The method according to claim 5, wherein before the receiving the second notification message sent by the first control plane functional entity, the method further comprises:
determining target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity; and
sending a first notification message to the first control plane functional entity, wherein the first notification message is used to indicate that security protection is to be performed on the target user plane data between the target user equipment and the user plane functional entity.

7. A data transmission method, applied to a user plane functional entity, comprising:
obtaining a first key, and generating a second key according to the first key, wherein the second key is used by the target user equipment and the user plane functional entity to perform security protection on the target user plane data between the target user equipment and the user plane functional entity; and
performing security protection processing, by using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity.

8. The method according to claim 7, wherein the obtaining the first key comprises: receiving the first key sent by a first control plane functional entity.

9. The method according to claim 7, wherein the obtaining the first key comprises: receiving the first key sent by a second control plane functional entity.

10. The method according to claim 7, wherein the second key comprises a confidentiality key and/or an integrity key, and the performing security protection, by using the second key, on the target user plane data transmitted between the target user equipment and the user plane functional entity comprises:
using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the confidentiality key to decrypt the target user plane data received from the target user equipment;
or,
using the integrity key to perform integrity protection on the target user plane data sent to the target user equipment, and using the integrity key to perform integrity verification on the target user plane data received from the target user equipment;
or,
using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the integrity key to perform integrity protection on the target user plane data; and
using the integrity key to perform integrity verification on the target user plane data received from the target user equipment, and, after the verification passes, using the confidentiality key to decrypt the target user plane data.

11. A data transmission method, applied to a target user equipment, comprising:
receiving a first notification message sent by a first control plane functional entity, wherein the first notification message is used to indicate that security protection is to be performed on the target user plane data between the target user equipment and the user plane functional entity.

12. The method according to claim 11, wherein after the receiving the first notification message sent by the first control plane functional entity, the method further comprises:
generating a first key, and generating a second key according to the first key, wherein the second key is used by the target user equipment and the user plane functional entity to perform security protection on the target user plane data between the target user equipment and the user plane functional entity.

13. The method according to claim 12, wherein the second key comprises a confidentiality key and/or an integrity key, and the method further comprises:
using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the confidentiality key to decrypt the target user plane data received from the user functional entity;
or,
using the integrity key to perform integrity protection processing on the target user plane data sent to the user plane functional entity, and using the integrity key to perform integrity verification on the target user plane data received from the user functional entity;
or,
using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the integrity key to perform integrity protection processing on the encrypted target user plane data; and
using the integrity key to perform integrity verification on the target user plane data received from the user functional entity, and, after the verification passes, using the confidentiality key to decrypt the target user plane data.

14. An electronic device, comprising:
at least one processor; and
a storage device having at least one program stored thereon, wherein when the at least one program is executed by the at least one processor, the at least one processor is caused to implement the data transmission method according to any one of claims 1 to 13.

15. A computer-readable storage medium having a computer program stored thereon, wherein when the program is executed by a processor, the data transmission method according to any one of claims 1 to 13 is implemented.

16. A data transmission system, comprising:
a first control plane functional entity, configured to determine target user plane data that needs to be security-protected between a target user equipment and a user plane functional entity, and to send a first notification message to the target user equipment, wherein the first notification message is used to indicate that security protection is to be performed on the target user plane data between the target user equipment and the user plane functional entity; and
the target user equipment, configured to receive the first notification message sent by the first control plane functional entity.
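Added example, not code from the patent: a Python sketch of how the two parts of the "second key" (confidentiality key and integrity key) are derived from the "first key" and then applied to user plane data in the three modes of claims 10 and 13, with the receiver verifying integrity before it decrypts. It assumes HMAC-SHA256 as the key derivation function and as a counter-mode keystream standing in for the real ciphering and integrity algorithms, a per-PDU count value, and label strings of my own; none of these is specified in the claims.

```python
import hashlib
import hmac

MAC_LEN = 4  # 32-bit tag, the length of a 3GPP MAC-I (assumed here, not stated in the claims)

def derive_second_key(first_key):
    """Second key = (confidentiality key, integrity key), both derived from the first key.
    HMAC-SHA256 with two fixed labels is a stand-in KDF; the labels are assumptions."""
    def expand(label):
        return hmac.new(first_key, label, hashlib.sha256).digest()[:16]
    return expand(b"UP-conf"), expand(b"UP-int")

def _keystream(k_conf, count, length):
    """Counter-mode keystream from HMAC-SHA256, standing in for a real ciphering algorithm."""
    out = b""
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(k_conf, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _mac(k_int, count, body):
    return hmac.new(k_int, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:MAC_LEN]

def protect(k_conf, k_int, count, data, confidentiality=True, integrity=True):
    """Sender side: encrypt with the confidentiality key, then append a MAC over the
    ciphertext with the integrity key (the encrypt-then-protect order of claim 13)."""
    body = _xor(data, _keystream(k_conf, count, len(data))) if confidentiality else data
    return body + _mac(k_int, count, body) if integrity else body

def unprotect(k_conf, k_int, count, pdu, confidentiality=True, integrity=True):
    """Receiver side: verify integrity first; only a PDU that passes is decrypted."""
    if integrity:
        body, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        if not hmac.compare_digest(mac, _mac(k_int, count, body)):
            raise ValueError("integrity check failed; PDU discarded")
    else:
        body = pdu
    return _xor(body, _keystream(k_conf, count, len(body))) if confidentiality else body

if __name__ == "__main__":
    # Constructed sample: a 32-byte first key shared by UE and UPF, count value 7.
    k_conf, k_int = derive_second_key(bytes(range(32)))
    pdu = protect(k_conf, k_int, 7, b"constructed user plane payload")
    print(unprotect(k_conf, k_int, 7, pdu))
```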
PCT/CN2021/097900 | 2020-06-03 | 2021-06-02 | Data transmission method and system, electronic device, and storage medium | Ceased | WO2021244569A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202010497412.6A CN112838925B (en) | 2020-06-03 | 2020-06-03 | Data transmission method, device and system, electronic equipment and storage medium
CN202010497412.6 | 2020-06-03 | |

Publications (1)

Publication Number | Publication Date
WO2021244569A1 true WO2021244569A1 (en) | 2021-12-09

Family ID=75923173

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2021/097900 Ceased WO2021244569A1 (en) | Data transmission method and system, electronic device, and storage medium | 2020-06-03 | 2021-06-02

Country Status (2)

Country | Link
CN (1) | CN112838925B (en)
WO (1) | WO2021244569A1 (en)

Also Published As

Publication number Publication date
CN112838925B (en) 2023-04-18
CN112838925A (en) 2021-05-25

Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21819011; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21819011; Country of ref document: EP; Kind code of ref document: A1