
WO2025065970A1 - Method and apparatus for communication - Google Patents


Info

Publication number
WO2025065970A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
security
data session
data
protection
Prior art date
Legal status
Pending
Application number
PCT/CN2024/071585
Other languages
English (en)
Inventor
Bidi YING
Chenchen YANG
Hang Zhang
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation

Definitions

  • Embodiments of the present invention relate to the field of communications technologies, and more specifically, to a method and an apparatus for communication.
  • A security procedure may be involved when a user equipment requests a service from a service provider. However, when one key is used for security protection on multiple communication sessions, compromise of that key may lead to data leakage across all of those sessions.
  • Embodiments of this application provide a method and an apparatus for communication, which can improve security of communication.
  • an embodiment of the present application provides a method for communication, and the method may be performed by a key management function (KMF) or a chip installed in the KMF.
  • KMF is a network function that is responsible for key management.
  • the method includes: determining a solution for security protection on a data session between a device and a first server and a level for security protection on the data session; and collecting a plurality of parameters based on the solution for security protection on the data session and the level for security protection on the data session, where the plurality of parameters are used to derive at least one key used for protection of the data session.
  • keys used for protection of a data session could be generated based on different solutions and different levels. It could improve security of communications. Moreover, it could bring more flexibility for different security requirements from different devices and different services.
  • the data session between the device and the first server includes a first communication between a first network function and the device and a second communication between the first network function and the first server.
  • the solution for security protection on the data session includes a first solution
  • the at least one key corresponds to the first solution and includes a first key and a second key
  • the first key is used for protection of the first communication
  • the second key is used for protection of the second communication.
  • security protection on the data session could be implemented by hop-to-hop.
  • the first network function includes a first gateway or a user plane function (UPF).
  • the solution for security protection on the data session includes a second solution
  • the at least one key corresponds to the second solution and includes a third key
  • the third key is used at the device and the first server.
  • security protection on the data session could be implemented by end-to-end.
  • the data session is related to a service, an application or a session, or a mission or a device is related to the data session.
  • the level for security protection on the data session includes a first level, and keys related to the first level are used for protection on the service or the application.
  • the level for security protection on the data session includes a second level, and keys related to the second level are used for protection on the session.
  • the level for security protection on the data session includes a third level, and keys related to the third level are used for protection on the mission, and the mission includes at least one session.
  • the solution for security protection on the data session is a first solution
  • the plurality of parameters used to derive at least one key include a first parameter used to generate the first key and a second parameter used to generate the second key.
  • the first parameter includes: an identifier (ID) of the device, an ID of a first network function, an ID of the algorithm(s) for generating a first key, a time window and a shared key known by the device.
  • the second parameter includes: the ID of the first network function, an ID of the first server, a time window and a shared key known by the device.
  • the first parameter and the second parameter further include a service ID or an application ID.
  • the first parameter and the second parameter further include a session ID.
  • the first parameter and the second parameter further include a mission ID.
  • the solution for security protection on the data session is a second solution.
  • the plurality of parameters used to derive at least one key include: an ID of the device, an ID of the first server, a time window and a shared key known by the device.
  • When the level for security protection on the data session is a first level, the plurality of parameters further includes a service ID or an application ID. When the level for security protection on the data session is a second level, the plurality of parameters further includes a session ID. When the level for security protection on the data session is a third level, the plurality of parameters further includes a mission ID.
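As an added example (not the patent's own method, which names no particular key derivation function), the following Python sketch shows the KMF step just described for both solutions and all three levels: collect the parameter set that the chosen solution and level call for, then derive each key from the shared key and those parameters. HKDF with SHA-256, the context field names, the length-prefixed parameter encoding and all sample values are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Labels for the two solutions and three levels named on the page (constructed values).
HOP_TO_HOP = "solution-1"   # first solution: K1 on device<->NF, K2 on NF<->server
END_TO_END = "solution-2"   # second solution: one K3 used by device and server
LEVEL_SERVICE, LEVEL_SESSION, LEVEL_MISSION = "level-1", "level-2", "level-3"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand. Assumed KDF; the page names none."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class SessionContext:
    """Inputs the KMF holds for one data session (field names are assumptions)."""
    device_id: str
    nf_id: str                # first network function: a gateway or a UPF
    server_id: str
    algorithm_id: str         # algorithm(s) for generating the first key
    time_window: str          # validity window; a new window yields fresh keys
    shared_key: bytes         # shared key known by the device (and the KMF)
    service_id: Optional[str] = None
    session_id: Optional[str] = None
    mission_id: Optional[str] = None


def level_parameter(level: str, ctx: SessionContext) -> tuple[str, str]:
    """The extra ID the level adds to every derivation; a missing ID is an error, not ''."""
    name = {LEVEL_SERVICE: "service_id", LEVEL_SESSION: "session_id",
            LEVEL_MISSION: "mission_id"}.get(level)
    if name is None:
        raise ValueError(f"unknown level {level!r}")
    value = getattr(ctx, name)
    if not value:
        raise ValueError(f"level {level} requires {name}")
    return (name, value)


def collect_parameters(solution: str, level: str,
                       ctx: SessionContext) -> dict[str, list[tuple[str, str]]]:
    """Per key, the ordered parameter list the page assigns to that solution and level."""
    lvl = level_parameter(level, ctx)
    if solution == HOP_TO_HOP:
        return {
            "K1": [("device_id", ctx.device_id), ("nf_id", ctx.nf_id),
                   ("algorithm_id", ctx.algorithm_id), ("time_window", ctx.time_window), lvl],
            "K2": [("nf_id", ctx.nf_id), ("server_id", ctx.server_id),
                   ("time_window", ctx.time_window), lvl],
        }
    if solution == END_TO_END:
        return {
            "K3": [("device_id", ctx.device_id), ("server_id", ctx.server_id),
                   ("time_window", ctx.time_window), lvl],
        }
    raise ValueError(f"unknown solution {solution!r}")


def encode_info(key_name: str, params: list[tuple[str, str]]) -> bytes:
    """Length-prefix every field so ('ab','c') and ('a','bc') cannot encode identically."""
    out = key_name.encode()
    for name, value in params:
        for part in (name, value):
            raw = part.encode()
            out += len(raw).to_bytes(2, "big") + raw
    return out


def derive_keys(solution: str, level: str, ctx: SessionContext) -> dict[str, bytes]:
    """KMF step: collect the parameters for solution/level and derive each key from them."""
    salt = b"kmf-data-session-v1"   # constructed domain-separation label
    return {name: hkdf_sha256(ctx.shared_key, salt, encode_info(name, params))
            for name, params in collect_parameters(solution, level, ctx).items()}


def demo() -> dict[str, bytes]:
    # Constructed sample: one device, one UPF, one server, session-level protection.
    ctx = SessionContext("dev-001", "upf-7", "srv-video", "alg-aes256gcm",
                         "2024-01-01T00:00Z/2024-01-01T01:00Z", b"\x11" * 32,
                         session_id="sess-42")
    return derive_keys(HOP_TO_HOP, LEVEL_SESSION, ctx)
```

Because the level ID is mixed into every derivation, two sessions of the same device and server get unrelated keys, which is the isolation the page is after when one key is compromised.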
  • the method further includes: receiving a first message, where the first message includes at least one of: a security process capability of a first network function or a security process capability of the device.
  • the determining a solution for security protection on a data session between a device and a first server and a level for security protection on the data session includes: determining the solution for security protection on the data session and the level for security protection on the data session based on the first message.
  • the method further includes: transmitting a second message to the first server, where the second message is used to request a security process capability of the first server; and receiving a third message from the first server, where the third message includes the security process capability of the first server.
  • the method further includes: transmitting a fourth message, where the fourth message includes a first security context, and the first security context includes at least one of: a security context for the device, a security context for the first server, or a security context for a first network function.
  • the method further includes: receiving a fifth message from a second network function, where the fifth message is used to request for refreshing the keys used for protection of the data session.
  • the method further includes: receiving a sixth message from a second network function, where the sixth message indicates a release of the data session; and transmitting a seventh message, where the seventh message includes an ID of at least one key that needs to be released, and the keys used for protection of the data session includes the at least one key.
  • an embodiment of the present application provides a method for communication, and the method may be performed by a second network function or a chip installed in the second network function.
  • the method includes: receiving a fourth message, where the fourth message includes the first security context, the first security context is used to configure keys used for protection of a data session between a device and a first server.
  • the keys used for protection of the data session are generated based on a solution for security protection on the data session and a level for security protection on the data session.
  • the method further includes: transmitting a first message, where the first message includes at least one of: a security process capability of a first network function or a security process capability of the device, and the solution for security protection on the data session and the level for security protection on the data session is determined based on the first message.
  • the first security context includes a security context for the first server.
  • the method further includes: transmitting an eighth message to the first server, where the eighth message includes the security context for the first server.
  • the first security context includes a security context for a first network function.
  • the method further includes: transmitting a ninth message to the first network function, where the ninth message includes the security context for the first network function.
  • the first security context includes a security context for the device.
  • the method further includes: transmitting a tenth message to the device, where the tenth message includes the security context for the device.
  • the method further includes: transmitting a fifth message to the KMF, where the fifth message is used to request for refreshing the keys used for protection of the data session.
  • the method further includes: transmitting a sixth message to the KMF, where the sixth message indicates a release of the data session; and receiving a seventh message from the KMF, where the seventh message includes an ID of at least one key that needs to be released, and the keys used for protection of the data session includes the at least one key.
  • an embodiment of the present application provides a method for communication, and the method may be performed by a first server or a chip installed in the first server.
  • the method includes: receiving a second message from a KMF, where the second message is used to request a security process capability of the first server; and transmitting a third message to the KMF, where the third message includes the security process capability of the first server, and the security process capability of the first server is used to determine a solution for security protection on a data session between a user device and a first server and a level for security protection on the data session.
  • the method further includes: receiving a fourth message from the KMF, where the fourth message includes a security context for the first server; or receiving an eighth message from a second network function, where the fifth message includes the security context for the first server.
  • the method further includes: receiving a seventh message from the KMF, where the seventh message includes an ID of at least one key that needs to be released among the keys used for protection of the data session; or receiving an eleventh message from a second network function, where the eleventh message includes an ID of at least one key that needs to be released among the keys used for protection of the data session.
  • an embodiment of the present application provides a method for communication, and the method may be performed by a first network function or a chip installed in the first network function.
  • the method includes: receiving a fourth message from a KMF, where the fourth message includes a security context for the first network function; or receiving a ninth message from a second network function, where the ninth message includes the security context for the first network function.
  • the security context for the first network function is used to configure keys at the first network function that are used for protection of a data session between the device and a first server.
  • the keys used for protection of the data session are generated based on a solution for security protection on the data session and a level for security protection on the data session.
  • the method further includes: receiving a seventh message from a KMF, where the seventh message includes an ID of at least one key that needs to be released among the keys used for protection of the data session; or receiving a twelfth message from a second network function, where the twelfth message includes an ID of at least one key that needs to be released among the keys used for protection of the data session.
  • a communication apparatus having a function or module to perform the method in any one of the first aspect to the fourth aspect, or any one of the implementations in these aspects.
  • a chip (or a chip system).
  • the chip includes at least one processor, the at least one processor is coupled to at least one memory.
  • the at least one memory is configured to store one or more instructions and/or executable computer code.
  • the at least one processor is configured to invoke the one or more instructions and/or executable computer code, so that a communication apparatus in which the chip is installed performs the method in any one of the first aspect to the fourth aspect, or any possible implementation in these aspects.
  • the chip may further include the at least one memory.
  • the chip may further include a communication interface, and the communication interface is configured to input and/or output information or data.
  • the communication apparatus includes one or more circuits and one or more communication interfaces.
  • the one or more communication interfaces may include a first interface for receiving (that is, inputting) information and/or data that is to be processed by the one or more circuits and a second interface for transmitting (that is, outputting) information and/or data processed by the one or more circuits.
  • the one or more circuits are configured to process the information and/or data that is to be processed so that the communication apparatus performs the method in any one of the first aspect to the fourth aspect, or any one of the implementations in these aspects.
  • the communication system may include the communication apparatus according to the fifth aspect or the seventh aspect.
  • the communication system may include the one or more of: the KMF, the first network function, the second network function, or the first server.
  • the communication system may further include a device.
  • a computer storage medium that stores executable computer code, and the executable computer code is used to execute one or more instructions for the method in any one of the first aspect to the fourth aspect, or any one of the implementations in these aspects.
  • a computer program product including one or more instructions, and when the computer program product runs on a computer, the computer performs the method in any one of the first aspect to the fourth aspect, or any one of the implementations in these aspects.
  • FIG. 1 is a schematic illustration of a communication system.
  • FIG. 2 illustrates an example communication system
  • FIG. 3 illustrates another example of an ED and a base station.
  • FIG. 4 illustrates units or modules in a device.
  • FIG. 5 illustrates 6G System conceptual structure.
  • FIG. 6 is a network scenario according to some embodiments of the present application.
  • FIG. 7 is an architecture of security protection on a data session according to some embodiments of the present application.
  • FIG. 8 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • FIG. 9 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • FIG. 11 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • FIG. 12 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • FIG. 13 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
  • FIG. 14 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
  • the present application at least includes the following parts:
  • a basic concept is that a network function (which we call a key management function (KMF)) is used for selection of a solution for security protection on a data session and a level for security protection on the data session. What's more, the KMF collects parameters for key derivation according to the selected solution and the selected level and generates keys based on the selected solution/level of security protection on the data session.
  • the present disclosure relates generally to wireless communications.
  • 6G/future wireless networks are expected to bring: a new network infrastructure capability (e.g., cloud-native/friendly infrastructures that are broadly deployed); new or relatively mature techniques (e.g., artificial intelligence (AI) large-scale models, data de-privacy, blockchain, etc.) that have made significant progress and significantly impact the entire society and human life; new applications and services (e.g., AI services, data or sensing services, digital world services, etc.) that are broadly applied in industry/business and used by individual customers; and a more global/open/collaborative operation trend (i.e., a more open and more collaborative operation mode is becoming common practice in many fields).
  • Requirements to 6G system network architecture design include:
  • For ease of understanding the embodiments of this application, the communication system shown in FIGS. 1-4 is first used as an example to describe in detail a communication system to which the embodiments of this application are applicable.
  • the communication system 100 comprises a radio access network 120.
  • the radio access network 120 may be a next generation (e.g. 6G or later) radio access network, or a legacy (e.g. fifth generation (5G) or fourth generation (4G)) radio access network.
  • One or more communication electronic devices (ED) 110a-110j (generically referred to as 110) may be interconnected to one another or connected to one or more network nodes (170a, 170b, generically referred to as 170) in the radio access network 120.
  • a core network 130 may be a part of the communication system and may be dependent or independent of the radio access technology used in the communication system 100.
  • the communication system 100 comprises a public switched telephone network (PSTN) 140, the internet 150, and other networks 160.
  • FIG. 2 illustrates an example communication system 100.
  • the communication system 100 enables multiple wireless or wired elements to communicate data and other content.
  • the purpose of the communication system 100 may be to provide content, such as voice, data, video, and/or text, via broadcast, multicast, groupcast, unicast, etc.
  • the communication system 100 may operate by sharing resources, such as carrier spectrum bandwidth, between its constituent elements.
  • the communication system 100 may include a terrestrial communication system and/or a non-terrestrial communication system.
  • the communication system 100 may provide a wide range of communication services and applications (such as earth monitoring, remote sensing, passive sensing and positioning, navigation and tracking, autonomous delivery and mobility, etc. ) .
  • the communication system 100 may provide a high degree of availability and robustness through a joint operation of a terrestrial communication system and a non-terrestrial communication system.
  • integrating a non-terrestrial communication system (or components thereof) into a terrestrial communication system can result in what may be considered a heterogeneous network comprising multiple layers.
  • the heterogeneous network may achieve better overall performance through efficient multi-link joint operation, more flexible functionality sharing, and faster physical layer link switching between terrestrial networks and non-terrestrial networks.
  • the communication system 100 includes electronic devices (ED) 110a-110d (generically referred to as ED 110) , radio access networks (RANs) 120a, 120b, a non-terrestrial communication network 120c, a core network 130, a public switched telephone network (PSTN) 140, the Internet 150, and other networks 160.
  • the RANs 120a, 120b include respective base stations (BSs) 170a, 170b, which may be generically referred to as terrestrial transmit and receive points (T-TRPs) 170a, 170b.
  • the non-terrestrial communication network 120c includes an access node 172, which may be generically referred to as a non-terrestrial transmit and receive point (NT-TRP) 172.
  • Any ED 110 may be alternatively or additionally configured to interface, access, or communicate with any T-TRP 170a, 170b and NT-TRP 172, the Internet 150, the core network 130, the PSTN 140, the other networks 160, or any combination of the preceding.
  • ED 110a may communicate an uplink and/or downlink transmission over a terrestrial air interface 190a with T-TRP 170a.
  • the EDs 110a-110d may also communicate directly with one another via one or more side-link air interfaces 190b.
  • ED 110d may communicate an uplink and/or downlink transmission over a non-terrestrial air interface 190c with NT-TRP 172.
  • the air interfaces 190a and 190b may use similar communication technology, such as any suitable radio access technology.
  • the communication system 100 may implement one or more channel access methods, such as code division multiple access (CDMA) , space division multiple access (SDMA) , time division multiple access (TDMA) , frequency division multiple access (FDMA) , orthogonal FDMA (OFDMA) , or single-carrier FDMA (SC-FDMA, also known as discrete Fourier transform spread OFDMA, DFT-s-OFDMA) in the air interfaces 190a and 190b.
  • the air interfaces 190a and 190b may utilize other higher dimension signal spaces, which may involve a combination of orthogonal and/or non-orthogonal dimensions.
  • the non-terrestrial air interface 190c can enable communication between the ED 110d and one or multiple NT-TRPs 172 via a wireless link or simply a link.
  • the link is a dedicated connection for unicast transmission, a connection for broadcast transmission, or a connection between a group of EDs 110 and one or multiple NT-TRPs 172 for multicast transmission.
  • the RANs 120a and 120b are in communication with the core network 130 to provide the EDs 110a, 110b, and 110c with various services such as voice, data, and other services.
  • the RANs 120a and 120b and/or the core network 130 may be in direct or indirect communication with one or more other RANs (not shown), which may or may not be directly served by core network 130, and may or may not employ the same radio access technology as RAN 120a, RAN 120b or both.
  • the core network 130 may also serve as a gateway access between (i) the RANs 120a and 120b or EDs 110a, 110b, and 110c or both, and (ii) other networks (such as the PSTN 140, the Internet 150, and the other networks 160).
  • the EDs 110a, 110b, and 110c may include functionality for communicating with different wireless networks over different wireless links using different wireless technologies and/or protocols. Instead of wireless communication (or in addition thereto), the EDs 110a, 110b, and 110c may communicate via wired communication channels to a service provider or switch (not shown), and to the Internet 150.
  • PSTN 140 may include circuit switched telephone networks for providing plain old telephone service (POTS) .
  • Internet 150 may include a network of computers and subnets (intranets) or both, and incorporate protocols, such as Internet Protocol (IP) , Transmission Control Protocol (TCP) , User Datagram Protocol (UDP) .
  • EDs 110a, 110b, and 110c may be multimode devices capable of operation according to multiple radio access technologies, and incorporate the multiple transceivers necessary to support such operation.
  • FIG. 3 illustrates another example of an ED 110 and a base station 170a, 170b and/or 170c.
  • the ED 110 is used to connect persons, objects, machines, etc.
  • the ED 110 may be widely used in various scenarios including, for example, cellular communications, device-to-device (D2D) , vehicle to everything (V2X) , peer-to-peer (P2P) , machine-to-machine (M2M) , machine-type communications (MTC) , internet of things (IoT) , virtual reality (VR) , augmented reality (AR) , mixed reality (MR) , metaverse, digital twin, industrial control, self-driving, remote medical, smart grid, smart furniture, smart office, smart wearable, smart transportation, smart city, drones, robots, remote sensing, passive sensing, positioning, navigation and tracking, autonomous delivery and mobility, etc.
  • Each ED 110 represents any suitable end user device for wireless operation and may include such devices (or may be referred to) as a user equipment/device (UE), a wireless transmit/receive unit (WTRU), a mobile station, a fixed or mobile subscriber unit, a cellular telephone, a station (STA), a machine type communication (MTC) device, a personal digital assistant (PDA), a smartphone, a laptop, a computer, a tablet, a wireless sensor, a consumer electronics device, a smart book, a vehicle, a car, a truck, a bus, a train, or an IoT device, or wearable devices (such as a watch, a pair of glasses, head mounted equipment, etc.).
  • the base station 170a and 170b is a T-TRP and will hereafter be referred to as T-TRP 170. Also shown in FIG. 3, a NT-TRP will hereafter be referred to as NT-TRP 172.
  • Each ED 110 connected to T-TRP 170 and/or NT-TRP 172 can be dynamically or semi-statically turned on (i.e., established, activated, or enabled), turned off (i.e., released, deactivated, or disabled) and/or configured in response to one or more of: connection availability and connection necessity.
  • the ED 110 includes a transmitter 201 and a receiver 203 coupled to one or more antennas 204. Only one antenna 204 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 204 may alternatively be panels.
  • the transmitter 201 and the receiver 203 may be integrated, e.g. as a transceiver.
  • the transceiver is configured to modulate data or other content for transmission by at least one antenna 204 or network interface controller (NIC) .
  • the transceiver is also configured to demodulate data or other content received by the at least one antenna 204.
  • Each transceiver includes any suitable structure for generating signals for wireless or wired transmission and/or processing signals received wirelessly or by wire.
  • Each antenna 204 includes any suitable structure for transmitting and/or receiving wireless or wired signals.
  • the ED 110 includes at least one memory 208.
  • the memory 208 stores instructions and data used, generated, or collected by the ED 110.
  • the memory 208 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by one or more processing unit (s) (e.g., a processor 210) .
  • Each memory 208 includes any suitable volatile and/or non-volatile storage and retrieval device (s) . Any suitable type of memory may be used, such as random access memory (RAM) , read only memory (ROM) , hard disk, optical disc, subscriber identity module (SIM) card, memory stick, secure digital (SD) memory card, on-processor cache, and the like.
  • the ED 110 may further include one or more input/output devices (not shown) or interfaces (such as a wired interface to the Internet 150 in FIG. 1) .
  • the input/output devices or interfaces permit interaction with a user or other devices in the network.
  • Each input/output device or interface includes any suitable structure for providing information to or receiving information from a user, and/or for network interface communications. Suitable structures include, for example, a speaker, microphone, keypad, keyboard, display, touch screen, etc.
  • the ED 110 includes the processor 210 for performing operations including those operations related to preparing a transmission for uplink transmission to the NT-TRP 172 and/or the T-TRP 170; those operations related to processing downlink transmissions received from the NT-TRP 172 and/or the T-TRP 170; and those operations related to processing sidelink transmission to and from another ED 110.
  • Processing operations related to preparing a transmission for uplink transmission may include operations such as encoding, modulating, transmit beamforming, and generating symbols for transmission.
  • Processing operations related to processing downlink transmissions may include operations such as receive beamforming, demodulating and decoding received symbols.
  • a downlink transmission may be received by the receiver 203, possibly using receive beamforming, and the processor 210 may extract signaling from the downlink transmission (e.g. by detecting and/or decoding the signaling) .
  • An example of signaling may be a reference signal transmitted by the NT-TRP 172 and/or by the T-TRP 170.
  • the processor 210 implements the transmit beamforming and/or the receive beamforming based on the indication of beam direction, e.g. beam angle information (BAI), received from the T-TRP 170.
  • the processor 210 may perform operations relating to network access (e.g.
  • the processor 210 may perform channel estimation, e.g. using a reference signal received from the NT-TRP 172 and/or from the T-TRP 170.
  • the processor 210 may form part of the transmitter 201 and/or part of the receiver 203.
  • the memory 208 may form part of the processor 210.
  • the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory (e.g. in the memory 208).
  • some or all of the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented using dedicated circuitry, such as a programmed field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), or a hardware accelerator such as a graphics processing unit (GPU) or an artificial intelligence (AI) accelerator.
  • the T-TRP 170 may be known by other names in some implementations, such as a base station, a base transceiver station (BTS), a radio base station, a network node, a network device, a device on the network side, a transmit/receive node, a Node B, an evolved NodeB (eNodeB or eNB), a Home eNodeB, a next Generation NodeB (gNB), a transmission point (TP), a site controller, an access point (AP), a wireless router, a relay station, a terrestrial node, a terrestrial network device, a terrestrial base station, a base band unit (BBU), a remote radio unit (RRU), an active antenna unit (AAU), a remote radio head (RRH), a central unit (CU), a distributed unit (DU), a positioning node, among other possibilities.
  • the T-TRP 170 may be a macro BS, a pico BS, a relay node, a donor node, or the like, or combinations thereof.
  • the T-TRP 170 may refer to the foregoing devices or refer to apparatus (e.g. a communication module, a modem, or a chip) in the foregoing devices.
  • the parts of the T-TRP 170 may be distributed.
  • some of the modules of the T-TRP 170 may be located remote from the equipment that houses the antennas 256 for the T-TRP 170, and may be coupled to the equipment that houses the antennas 256 over a communication link (not shown) sometimes known as front haul, such as common public radio interface (CPRI).
  • the term T-TRP 170 may also refer to modules on the network side that perform processing operations, such as determining the location of the ED 110, resource allocation (scheduling) , message generation, and encoding/decoding, and that are not necessarily part of the equipment that houses the antennas 256 of the T-TRP 170.
  • the modules may also be coupled to other T-TRPs.
  • the T-TRP 170 may actually be a plurality of T-TRPs that are operating together to serve the ED 110, e.g. through the use of coordinated multipoint transmissions.
  • the T-TRP 170 includes at least one transmitter 252 and at least one receiver 254 coupled to one or more antennas 256. Only one antenna 256 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 256 may alternatively be panels.
  • the transmitter 252 and the receiver 254 may be integrated as a transceiver.
  • the T-TRP 170 further includes a processor 260 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to the NT-TRP 172, and processing a transmission received over backhaul from the NT-TRP 172.
  • Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. multiple input multiple output (MIMO) precoding), transmit beamforming, and generating symbols for transmission.
  • Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols.
  • the processor 260 may also perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as generating the content of synchronization signal blocks (SSBs) , generating the system information, etc.
  • the processor 260 also generates an indication of beam direction, e.g.
  • the processor 260 performs other network-side processing operations described herein, such as determining the location of the ED 110, determining where to deploy the NT-TRP 172, etc.
  • the processor 260 may generate signaling, e.g. to configure one or more parameters of the ED 110 and/or one or more parameters of the NT-TRP 172. Any signaling generated by the processor 260 is sent by the transmitter 252.
  • signaling may be transmitted in a physical layer control channel, e.g. a physical downlink control channel (PDCCH), in which case the signaling may be known as dynamic signaling.
  • Signaling transmitted in a downlink physical layer control channel may be known as downlink control information (DCI) .
  • Signaling transmitted in an uplink physical layer control channel may be known as uplink control information (UCI).
  • Signaling transmitted in a sidelink physical layer control channel may be known as sidelink control information (SCI) .
  • Signaling may be included in a higher-layer (e.g., higher than physical layer) packet transmitted in a physical layer data channel, e.g. in a physical downlink shared channel (PDSCH), in which case the signaling may be known as higher-layer signaling, static signaling, or semi-static signaling.
  • Higher-layer signaling may also refer to radio resource control (RRC) protocol signaling or Media Access Control – Control Element (MAC-CE) signaling.
  • the scheduler 253 may be coupled to the processor 260.
  • the scheduler 253 may be included within or operated separately from the T-TRP 170.
  • the scheduler 253 may schedule uplink, downlink, sidelink, and/or backhaul transmissions, including issuing scheduling grants and/or configuring scheduling-free (e.g., “configured grant”) resources.
  • the T-TRP 170 further includes a memory 258 for storing information and data.
  • the memory 258 stores instructions and data used, generated, or collected by the T-TRP 170.
  • the memory 258 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by the processor 260.
  • the processor 260 may form part of the transmitter 252 and/or part of the receiver 254. Also, although not illustrated, the processor 260 may implement the scheduler 253. Although not illustrated, the memory 258 may form part of the processor 260.
  • the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 258.
  • some or all of the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator), or an ASIC.
  • the NT-TRP 172 is illustrated as a drone only as an example; the NT-TRP 172 may be implemented in any suitable non-terrestrial form, such as satellites and high-altitude platforms, including international mobile telecommunication base stations and unmanned aerial vehicles, for example. Also, the NT-TRP 172 may be known by other names in some implementations, such as a non-terrestrial node, a non-terrestrial network device, or a non-terrestrial base station.
  • the NT-TRP 172 includes a transmitter 272 and a receiver 274 coupled to one or more antennas 280. Only one antenna 280 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas may alternatively be panels.
  • the transmitter 272 and the receiver 274 may be integrated as a transceiver.
  • the NT-TRP 172 further includes a processor 276 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to T-TRP 170, and processing a transmission received over backhaul from the T-TRP 170.
  • Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. MIMO precoding), transmit beamforming, and generating symbols for transmission.
  • Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols.
  • the processor 276 implements the transmit beamforming and/or receive beamforming based on beam direction information (e.g. BAI) received from the T-TRP 170.
  • the processor 276 may generate signaling, e.g. to configure one or more parameters of the ED 110.
  • the NT-TRP 172 implements physical layer processing, but does not implement higher layer functions such as functions at the medium access control (MAC) or radio link control (RLC) layer. As this is only an example, more generally, the NT-TRP 172 may implement higher layer functions in addition to physical layer processing.
  • the NT-TRP 172 further includes a memory 278 for storing information and data.
  • the processor 276 may form part of the transmitter 272 and/or part of the receiver 274.
  • the memory 278 may form part of the processor 276.
  • the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 278.
  • some or all of the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator), or an ASIC.
  • the NT-TRP 172 may actually be a plurality of NT-TRPs that are operating together to serve the ED 110, e.g. through coordinated multipoint transmissions.
  • the T-TRP 170, the NT-TRP 172, and/or the ED 110 may include other components, but these have been omitted for the sake of clarity.
  • FIG. 4 illustrates units or modules in a device, such as in the ED 110, in the T-TRP 170, or in the NT-TRP 172.
  • a signal may be transmitted by a transmitting unit or by a transmitting module.
  • a signal may be received by a receiving unit or by a receiving module.
  • a signal may be processed by a processing unit or a processing module.
  • Other steps may be performed by an AI or machine learning (ML) module.
  • the respective units or modules may be implemented using hardware, one or more components or devices that execute software, or a combination thereof.
  • one or more of the units or modules may be a circuit such as an integrated circuit.
  • Examples of an integrated circuit include a programmed FPGA, a GPU, or an ASIC.
  • one or more of the units or modules may be logical such as a logical function performed by a circuit, by a portion of an integrated circuit, or by software instructions executed by a processor.
  • the modules may be retrieved by a processor, in whole or in part as needed, individually or together for processing, in single or multiple instances, and the modules themselves may include instructions for further deployment and instantiation.
  • the proposed 6G system architecture is defined to support 6G XaaS services by using techniques such as network function virtualization and network slicing.
  • the 6G system architecture utilizes service-based interactions between 6G services.
  • the 6G system leverages service-based architecture and XaaS concept.
  • XaaS services in the 6G system are categorized into three layers.
  • the 6G system conceptual structure is shown in FIG. 5.
  • An infrastructure layer includes infrastructures supporting 6G services.
  • the infrastructures include wireless networks (e.g., a RAN and a core network (CN)), cloud/data center infrastructures, satellite networks, and sensing networks.
  • Each of the infrastructures could have its control and management functions, denoted as C/M functions, for infrastructure management.
  • Each of these infrastructures is one type of infrastructure as a service.
  • a control and management (C/M) layer includes control and management services of the 6G system. They are developed and deployed by using slicing techniques and utilizing resources provided by the infrastructure layer.
  • RM denotes resource management and MM denotes mission management.
  • a 6G mission is defined as a service provided to customers by the 6G system.
  • a mission can be a type of service that is provided by a single 6G XaaS service or a type of service that needs contributions from multiple XaaS services.
  • CONET denotes confederation network.
  • SPM (service provisioning management) provides a capability of control and management of 6G service access by customers and provisioning of requested services.
  • the capability is provided by unified mutual authentication, authorization and policy, key management, quality of service (QoS) assurance and charging between any pair of XaaS service provider and customer.
  • the customers include not only end-customers in the physical world but also digital representatives in the digital world.
  • CM denotes connectivity management.
  • protocol as a service provides a capability to design service customized protocol stacks for identified interfaces.
  • the protocol stacks could be pre-defined for on-demand selection, or could be on-demand designed.
  • XaaS services in the C/M layer support control and management of the 6G system itself and also provide support to verticals if requested.
  • the RM service can serve the RAN for over-the-air resource management and can also provide service to a vertical for the vertical’s over-the-air resource allocation to its end-customers.
  • the XaaS in C/M layer can be deployed by using slicing technique.
  • a service layer includes 6G services which provide services to customers.
  • NET4AI is an artificial intelligence service. The artificial intelligence service provides AI capability to support a variety of AI applications.
  • DAM is a service of data collection, data sanitization, data analysis and data delivery. This service provides a capability of lifecycle management of statistical data, including acquisition, de-privatization, analysis and delivery of data, which are statistical data from any types of sensors, devices, network functions, etc.
  • NET4Data is a service of storage and sharing of data. This service provides a capability to trustworthily store and share data under the control of the owners of the data and following recognized authorities’ regulations on the control of identified data.
  • NET4DW is a digital world service that provides a digital world. The digital world service provides a capability to construct, control and manage the digital world. The digital world is defined as a digital realization of the physical world.
  • NET4BC is the 6G block chain service.
  • NET4CON (network for connectivity) is an enhanced connectivity service. This service provides a capability to support exchange of messages and data among new 6G services.
  • All XaaS services at this layer are developed and deployed by using resources provided by the infrastructure layer and utilizing network function virtualization and slicing techniques.
  • the capability of each 6G service is provided by its control and management functions and service-specific data processing functions.
  • 6G system leverages 5G system for provisioning of vertical services.
  • the difference between 6G XaaS services and other verticals is that a vertical is a pure customer which needs other XaaS services to enable its operation, while each XaaS service provides its capabilities to 6G customers.
  • Any pair of XaaS services of the 6G system could also be mutual customer and provider of each other.
  • an infrastructure owner provides its resources to XaaS services in the service layer and the C/M layer
  • the RM service may need the capabilities provided by NET4AI, DAM and NET4DW for its resource management for vertical slicing
  • CONET service and NET4Data service may need the capability provided by NET4BC for their operation.
  • the key concepts of the 6G system include the following:
  • a basic XaaS service provides unique capability to enable a specific type of service, such as NET4AI service, NET4DW service, DAM service, NET4Data service, block chain service, mission management service, etc.
  • the data plane of the 6G system, which includes the data plane processing functions of XaaS services. Programming the interconnection of these functions, by the mission management service, enables support of a variety of customized customer services.
  • the C/M plane of the 6G system, which includes C/M functions in XaaS services and may include the 5G CP (e.g., AMF) depending on implementation options.
  • BAS denotes basic architecture structure, and GWs denotes trustworthy gateways.
  • 5G users can use the 6G system to access 5G services.
  • a key hierarchy or key framework involved in the current security procedures could include: keys for protection of non-access stratum (NAS) signals with a particular integrity/encryption algorithm, keys for protection of user plane (UP) traffic with a particular integrity/encryption algorithm, and keys for protection of RRC signaling with a particular integrity/encryption algorithm.
  • these keys are referred to as keys for NAS integrity/ciphering, keys for UP integrity/ciphering and keys for RRC integrity/ciphering, respectively.
  • keys for UP integrity/ciphering are derived from a long-term shared key known by the UE and the network. Keys for UP integrity/ciphering may be indirectly derived from the long-term shared key with UE’s information and serving network’s information. For example, the UE’s information may include PCI or UE’s ID.
  • keys for UP integrity/ciphering could be used for data protection from the UE to the RAN after a PDU session is established. These keys for UP integrity/ciphering could be used to secure multiple PDU sessions. However, applying the same key to secure multiple communication sessions may lead to data leakage when the key is compromised.
  • the C/M functions are used for control and management and could exist in a service layer and C/M layer of XaaS.
  • a service provider of XaaS could also be referred to as a XaaS service.
  • a network function that could be used for processing data related to the XaaS service and be deployed by the XaaS service could be referred to as a XaaS processing service function.
  • FIG. 6 is a network scenario according to some embodiments of the present application.
  • the control/management trustworthy gateway (C/M-TW-GW) is a network function and could be defined as an endpoint of a C/M session at the network side.
  • the setup of the C/M session is for the device or the XaaS service to transmit the control message.
  • the C/M session could be defined as a secured logical connection between a device (e.g., a UE) and its serving C/M-TW-GW.
  • the data trustworthy gateway (Data-TW-GW) is a network function and could be defined as an endpoint of a data session of a device.
  • the setup of the data session is for the device or the XaaS service to participate in processing data.
  • the data session could be defined as a secured logical connection between a device and its serving Data-TW-GW.
  • the radio bearer (RB) handler is a network function and could be implemented as a radio access network (RAN).
  • the RB handler could be connected to both other infrastructures (e.g., a core network and/or a third-party cloud) and the C/M-TW-GW. Communications between the device and the RB handler could include a C/M RB or a data RB.
  • the C/M RB could be defined as an over-the-air connection for carrying control signaling for over-the-air interface management and C/M plane messages.
  • the data RB could be an over-the-air connection for carrying data plane traffic. In this scenario, there may be more network functions, e.g., an authentication server and an authorization server.
  • the interface I could be defined as a set of security features that enables a device to authenticate and access services via the network securely, and to protect against attacks on the radio interfaces.
  • the interface II could be defined as a set of security features that enables the system shown in FIG. 6 to securely exchange a C/M session between a device and a C/M-TW-GW or securely exchange a data session between the device and the Data-TW-GW.
  • the interface III could be defined as a set of security features that enables the system to securely exchange a C/M session between the XaaS service and the C/M-TW-GW or securely exchange a data session between the XaaS service and a Data-TW-GW.
  • the interface I could support a connection between a device and an RB handler;
  • the interface II could support a connection between a device and a C/M-TW-GW/Data-TW-GW;
  • the interface III could support a connection between a XaaS service and a C/M-TW-GW/Data-TW-GW.
  • the interface IV could support a connection between the RB handler and the C/M-TW-GW/Data-TW-GW.
  • the NAS interface between a UE and an AMF could be switched to a C/M session interface II between a UE and a serving C/M-TW-GW.
  • security procedures between a device (e.g., a UE) and network functions would be involved when the device is capable of connecting to a network.
  • the security procedures may include a primary authentication and key agreement procedures.
  • the purpose of the primary authentication and key agreement procedures is to enable mutual authentication between the device and a serving network and to provide keying materials that can be used between the device and the serving network.
  • the keying materials can be used for signaling security protection on the interface I and interface II in subsequent security procedures.
  • the security procedures may include a secondary authentication and key agreement procedure.
  • the purpose of the secondary authentication and key agreement procedures is to enable mutual authentication between the device and the XaaS service, and to provide keying materials that can be used between the device and the XaaS service in subsequent security procedures.
  • the keying materials can be used for data security protection on an interface I and an interface II in subsequent security procedures.
  • a data session of a device could be a connection between a device and its serving Data-TW-GW; a data session of a XaaS service could be a connection between a serving Data-TW-GW and a XaaS service.
  • an end-to-end data session could be introduced.
  • the end-to-end data session could connect from a device to a serving Data-TW-GW, and from the serving Data-TW-GW to a XaaS service.
  • the current security protection doesn’t involve a security protection on the data session.
  • a Data-TW-GW is introduced to a 6G system, and a new interface II between a device and a Data-TW-GW is proposed.
  • a serving Data-TW-GW of a device is defined as an endpoint of data session of a device.
  • a serving Data-TW-GW could be deployed in the domain of RAN.
  • the serving Data-TW-GW could be deployed in the domain of CN.
  • XaaS services include, e.g., the DAM service and the AI service.
  • a data session of a device is a secured connection between a device and its serving Data-TW-GW (i.e., the interface II).
  • a data session of a XaaS service is a secured connection between a serving Data-TW-GW and a XaaS service (i.e., the interface III).
  • the end-to-end data session includes a data session of a device, and a data session of a XaaS Service.
  • security protection on the NAS interface, the RRC interface, and data from the UE to the RAN uses keys for NAS ciphering/integrity, keys for RRC ciphering/integrity, and keys for UP ciphering/integrity. These keys are derived from a long-term shared key which is known by the UE and the network. Keys for UP ciphering/integrity may be indirectly derived from the long-term shared key with the UE’s information (e.g. PCI, UE ID) and the serving network’s information (e.g. the name of the serving network). These keys for UP ciphering/integrity are used for data protection from the UE to the RAN after a PDU session establishment.
  • Allowing a UE to directly communicate with a serving Data-TW-GW (without the involvement of the RAN node ciphering data) is proposed in 6G.
  • NAS interface between UE and AMF is switched to C/M session interface II between UE and a serving C/M-TW-GW, and data session interface II between UE and a serving Data-TW-GW.
  • the IPsec protocol or the TLS protocol can be used to implement secure communications on an interface between an AMF and other NFs, or on an interface among UPFs or from a UPF to a DN-AAA. How to manage the keys for the IPsec protocol or the TLS protocol is out of the scope of 3GPP.
  • since a DN-AAA may be deployed by the network (e.g., a XaaS service), how to provide secure communications between a Data-TW-GW and a XaaS service should be addressed by the network.
  • the following technical issues appear: which function is responsible for providing keys for secure communications between a Data-TW-GW and a XaaS service, and what level of security protection applies to an end-to-end data session?
  • the keys are used for multiple PDU sessions, which may lead to data leakage. If the keys are applied only once in every communication or are unique to each session, what new issues will appear? For example, are the keys associated with the session? Which function provides the session’s information for key generation? If the session changes, how are these keys updated? If the session is released, how are these keys deactivated or released?
  • keys for UP encryption/integrity are used for multiple secure PDU sessions, but these keys are associated with a specific device.
  • the keys may be per session, per service, per device.
  • the keys may be used for hop-to-hop security protections (e.g., security protection on communications from a device to a serving Data-TW-GW and security protection on communications from the serving Data-TW-GW to a XaaS service).
  • the keys may be used for end-to-end security protection (e.g. security protection on communications from the device to the XaaS service). So, which function selects or determines what kind of keys will be used, and how does the function make the choice? How are these keys configured to a Data-TW-GW, a device, or a XaaS service?
  • the present application provides a system and method on security protection on data session in a network, for example, the future network, which could improve security protection on data session.
  • FIG. 7 is an architecture of security protection on a data session according to some embodiments of the present application.
  • the objective of these embodiments is to provide a method of security protection on a data session.
  • This data session includes communications between a device and a Data-TW-GW and communications between the Data-TW-GW and a XaaS service (shown in FIG. 7).
  • a mission management could be a network function that is responsible for mission management.
  • a mission may be a type of service that is provided by a single XaaS service or a type of services that needs contributions from multiple XaaS services.
  • a mission could include at least one session, and a session could include at least one service or application.
  • an MM could support a service that provides a capability to program the provisioning of XaaS services to provide mission services.
  • a KMF is a network function that is responsible for key generation and key configuration. Moreover, the KMF could be responsible for key refresh and key revocation.
  • These keys would be generated by one or more KMFs and be configured to the related network functions, such as the C/M-TW-GW and the Data-TW-GW. Therefore, the related network functions do not generate these keys themselves.
  • the KMF could also be responsible for management on device’s security context.
  • the security context is a state that shall be established locally at a device and a serving network domain.
  • security contexts for a Data-TW-GW could include keys configured to the Data-TW-GW.
  • the security contexts for the Data-TW-GW could further include a set of identifiers or names corresponding to ciphering algorithms and integrity algorithms implemented in the Data-TW-GW.
  • security contexts for a XaaS service could include keys configured to the XaaS service.
  • the security contexts for a XaaS service could further include a set of identifiers or names corresponding to ciphering algorithms and integrity algorithms implemented in the XaaS service.
  • security contexts for a device could include the inputs for generating the keys that shall be configured to the device, and the algorithms for generating these keys that shall be configured to the device.
  • the security contexts for a device could further include a set of identifiers or names corresponding to ciphering algorithms and integrity algorithms implemented in the device.
  • a communication between a device and a XaaS service could include a communication between the device and a Data-TW-GW and a communication between the Data-TW-GW and the XaaS service.
  • the data session between a device and a XaaS service could include a data session of the device and a data session of the XaaS service.
  • the security protection on data session could include an end-to-end security protection on data session.
  • keys for protection of the data session are used at the device and the XaaS service. These keys could also be referred to as keys for the XaaS service and the device.
  • the security protection on data session could include a hop-to-hop security protection on data session.
  • keys for protection on data session could include keys for protection of data session on an interface II (also referred to as keys for a Data-TW-GW and a device) and keys for protection of data session on an interface III (also referred to as keys for a Data-TW-GW and a XaaS service).
  • Keys for protection of data session on the interface II could be known by the device and the Data-TW-GW.
  • Keys for protection of data session on the interface III could be known by the Data-TW-GW and the XaaS service.
  • the KMF could be used for selecting a solution for the security protection on the data session from different solutions.
  • the data session (s) between the device and the XaaS service could be related to at least one service/application, at least one session, at least one mission, or at least one device.
  • keys for security protection on data session could have different levels, e.g., keys for service/application, keys for session or keys for missions.
  • a key for service/application could be used for protection of a service/application related to a data session.
  • a key for session could be used for protection of a session related to a data session.
  • a key for mission could be used for protection of all data session (s) belonging to a mission.
  • the keys for security protection on data session may include keys for device.
  • a key for a device could be used for protection of all data session (s) belonging to the device.
  • security protection of data sessions may be performed per service/application, per session, per mission or per device.
  • the KMF could select a level for the security protection of each data session.
  • Keys for protection of these data sessions may include: keys per service/application, keys per session, keys per mission or keys per device.
  • a key management function may be referred to as a key generation and configuration function.
  • a control/management trustworthy gateway may be referred to as a control/management gateway.
  • FIG. 8 is a schematic flowchart of a method 300 according to some embodiments of the present application. The following separately describes steps involved in the method 300 in detail.
  • a second network function transmits a first message to a KMF.
  • the first message could include at least one of: a security process capability of a first network function or a security process capability of the device.
  • the security capability could indicate process capabilities that could be provided to perform the security protection on the data session.
  • the security process capability of the device could indicate encryption algorithms/integrity algorithms that could be implemented by the device.
  • the security process capability of the first network function could indicate encryption algorithms/integrity algorithms that could be implemented by the first network function.
  • the security process capability of the device could further indicate the algorithms for key derivation able to be implemented by the device.
  • the first message could be used to request security contexts associated with a data session between the device and a first server.
  • the KMF transmits a second message to the first server.
  • the second message could be used to request a security process capability of the first server.
  • the first server transmits a third message to the KMF.
  • the third message includes the security process capability of the first server.
  • steps S302 and S303 could be skipped.
  • a KMF determines a solution for security protection on a data session between a device and a first server and a level for security protection on the data session.
  • the data session between the device and the first server could include a first communication and a second communication.
  • the first communication could be a communication between the device and a first network function
  • the second communication could be a communication between the first network function and the first server.
  • the XaaS service could be taken as an example of the first server
  • the Data-TW-GW could be taken as the first network function.
  • a data session of the device, i.e., a data session on the interface II
  • a data session of the XaaS service, i.e., a data session on the interface III
  • the first network function could be a user plane function (UPF) .
  • the solution for the security protection could indicate the network function (s) capable of using the keys for protection of the data session between the device and the first server.
  • the solution for the security protection could indicate whether the keys for protection of the data session are used at the first network function.
  • the solution for security protection on the data session includes a first solution.
  • At least one key corresponding to the first solution could include a first key and a second key.
  • the first key is used for protection of the first communication and the second key is used for protection of the second communication.
  • the first key could be configured to the device and the first network function, while the second key could be configured to the first network function and the first server.
  • the first key could be used at the device and the first network function, and the second key could be used at the first network function and the first server.
  • keys for protection of data session on the interface II could be taken as examples of the first keys
  • keys for protection of data session on the interface III could be taken as examples of the second keys.
  • the hop-to-hop security protection on data session could be taken as an example of the first solution for the security protection.
  • the solution for security protection on the data session includes a second solution.
  • At least one key corresponding to the second solution could include a third key, where the third key is used at the device and the first server.
  • the end-to-end security protection on data session could be taken as an example of the second solution for the security protection.
  • the data session is related to: at least one service/application, at least one session, at least one mission, or at least one device.
  • the level for the security protection includes a first level.
  • the keys corresponding to the first level could be used for protection of the data session by a protection of the at least one service/application.
  • a service #1 to a service #3 are related to a data session #1.
  • Keys for protection of data session could include a key #1 to a key #3.
  • the key #1 to the key #3 could be used to protect the service #1 to the service #3, respectively.
  • security protection on data session could be performed per service/application.
  • the level for the security protection includes a second level.
  • the keys corresponding to the second level could be used for protection of the data session by a protection of the at least one session.
  • security protection on data sessions could be performed per session.
  • the level for the security protection includes a third level.
  • the keys corresponding to the third level could be used for protection of all data session (s) related to each mission of the at least one mission.
  • security protection on data session could be performed per mission.
  • a mission #1 could include a data session #1
  • a mission #2 could include a data session #2 and a data session #3.
  • keys for protection of data sessions could include a key #4 to a key #6.
  • the key #4 to the key #6 could be used to secure the data session #1 to the data session #3, respectively.
  • keys for protection of data sessions could include a key #7 and a key #8.
  • the key #7 and the key #8 could be used to secure the data session (s) related to the mission #1 and the mission #2, respectively.
  • the level for the security protection includes a fourth level.
  • the keys corresponding to the fourth level could be used for protection of all data sessions related to each device of the at least one device.
  • a data session #4 and a data session #5 are related to a UE #1
  • a data session #6 is related to a UE #2.
  • Keys for protection of data sessions could include a key #9 and a key #10.
  • the key #9 and the key #10 could be used for protection on data session (s) related to the UE #1 and the UE #2, respectively.
  • security protection on data sessions could be performed per device.
  • As for keys for security protection on a data session, there are two solutions for security protection on a data session.
  • One is end-to-end security protection on data session, where keys for data protection are known by the device and the XaaS service.
  • Another is hop-to-hop security protection on data session, where keys for data protection on interface II and keys for data protection on interface III are used.
  • keys for security protection on data session could have different levels, e.g., keys per device, keys per service (or application) , keys per session (or mission) .
  • a mission or a session could include at least one service or one application. Keys could be used for data encryption, or data integrity.
  • the KMF shall determine a solution and a level for security protection of a data session.
  • the KMF collects a plurality of parameters based on the solution for security protection on the data session and the level for security protection on the data session.
  • the plurality of parameters are used to derive at least one key used for protection of the data session.
  • the plurality of parameters may include at least one of: information from the device, information from the first network function, information from the first server, or information from the KMF.
  • the second network function could be configured to manage a plurality of missions.
  • the MM could be taken as an example of the second network function.
  • Parameters for key derivation could include: information from the MM, information from the device, information from the Data-TW-GW, information from the KMF and information from the XaaS service.
  • the information from the MM could include a service ID/application ID, or a session ID/mission ID.
  • a mission or a session could include at least one service or one application.
  • information from the device could include a device ID and an ID of an algorithm used for generating keys.
  • the information from Data-TW-GW could include an ID of the Data-TW-GW.
  • information from the KMF may include a shared key that is known by the device and the KMF, and a time window indicating the key's validity period.
  • the shared key could be a root key.
  • the information from the XaaS service may include an ID of a XaaS processing service function (PSF) .
  • the XaaS PSF is a network function that is deployed by the XaaS service and is used for processing data related to the XaaS service.
  • When the first solution for security protection is used to secure the data session between the device and the first server, the plurality of parameters includes a first parameter used to generate the first key and a second parameter used to generate the second key.
  • the first parameter may include at least one of: an ID of the device, an ID of the first network function, an ID of an algorithm (s) for generating the first key, a time window or a shared key that is known by the device and the KMF.
  • the second parameter may include at least one of: an ID of the first server, an ID of the first network function, an ID of an algorithm (s) for generating the second key, a time window or a shared key.
  • When the first level for security protection is used to secure the data session between the first server and the device, the first parameter and the second parameter further include a service ID/application ID.
  • When the second level for security protection is used to secure the data session between the first server and the device, the first parameter and the second parameter further include a session ID.
  • When the third level for security protection is used to secure the data session between the first server and the device, the first parameter and the second parameter further include a mission ID.
  • the plurality of parameters includes at least one of: an ID of the device, an ID of the first server, a time window or a shared key that is known by the device and the KMF.
  • When the first level for security protection is used to secure the data session between the first server and the device, the plurality of parameters includes a service ID/application ID.
  • When the second level for security protection is used to secure the data session between the first server and the device, the plurality of parameters includes a session ID.
  • When the third level for security protection is used to secure the data session between the first server and the device, the plurality of parameters includes a mission ID.
  • the KMF determines the solution for security protection and the level for the security protection based on at least one of: a local policy from a network operator or security requirement for the data session.
  • the solution for security protection and the level for the security protection could be determined based on at least one of: the security process capability of the first server, the security process capability of the device or the security process capability of the first network function.
  • the KMF generates security contexts.
  • At least one of: a security context for the device, a security context for the first network function, or a security context for the first server could be generated based on collected parameters.
  • the KMF transmits a fourth message to configure security contexts.
  • the key configuration could be implemented by the KMF or the second network function.
  • the KMF is responsible for key configuration.
  • the fourth message could be used to configure these security contexts.
  • the KMF could transmit a message to the first network function.
  • the message could include the security context for the first network function.
  • the KMF could transmit a message to the first server.
  • the message could include the security context for the first server.
  • the KMF could transmit a message to the second network function.
  • the message includes the security context for the device.
  • the messages could be taken as examples of the fourth message.
  • the second network function is responsible for key configuration.
  • the KMF could transmit a message to the second network function, and the message includes the security context for the device and the security context for the first server.
  • the message could further include the security context for the first network function.
  • steps S307a and S307b could be skipped.
  • the message in S307c could be taken as an example of the fourth message.
  • the step S307 includes the step S307c. Moreover, in some embodiments, the step S307 further includes steps S307a and S307b.
  • keys used for protection of the data session could be refreshed or updated.
  • the second network function transmits a fifth message to the KMF to request refreshing the keys used for protection of the data session.
  • the KMF could refresh these keys.
  • New keys could be generated and be configured to related entities.
  • one or more keys could be released when the data session is released.
  • the KMF could transmit a sixth message for key release.
  • the message could include an ID of at least one key needed to be released.
  • a release of key could be implemented by the KMF or the second network function.
  • the KMF is responsible for key release.
  • the KMF could transmit a message to the first network function. This message could include an ID of one or more keys needed to be released at the first network function.
  • the KMF could transmit a message to the first server. This message could include an ID of one or more keys needed to be released at the first server.
  • the KMF could transmit a message to the second network function. This message could include an ID of one or more keys needed to be released at the device.
  • the messages could be taken as examples of the sixth message.
  • the second network function is responsible for key configuration.
  • the KMF could transmit a message to the second network function.
  • This message could include an ID of one or more keys needed to be released at the first server and an ID of one or more keys needed to be released at the device.
  • the message could further include an ID of one or more keys needed to be released at the first network function.
  • When the second network function is responsible for key configuration, the method 300 further includes steps S308 and S309.
  • the second network function transmits an eighth message to the first server, and the eighth message includes the security context for the first server.
  • the second network function transmits a ninth message to the first network function, and the ninth message includes the security context for the first network function.
  • the second network function transmits a tenth message to the device, and the tenth message includes the security context for the device.
  • When the second network function is responsible for key release, the second network function transmits an eleventh message to the first server, and the message includes an ID of one or more keys needed to be released at the first server.
  • the second network function transmits a twelfth message to the first network function, and the twelfth message includes an ID of one or more keys needed to be released at the first network function.
  • the second network function transmits a thirteenth message to the device, and the thirteenth message includes an ID of one or more keys needed to be released at the device.
  • FIG. 9 is a schematic flowchart of a method 400 according to some embodiments of the present application.
  • the method 400 shown in FIG. 9 could include steps S402 to S412. The following separately describes the steps in detail.
  • a MM determines security protection on a data session.
  • When receiving a service request from a device, a MM could determine whether a security protection on a data session is needed. When the security protection on the data session is needed, the MM may transmit a request for security protection provision to a KMF. Correspondingly, the KMF could receive the request.
  • a KMF determines a solution and a level for security protection on the data session.
  • the KMF collects inputs for key derivation.
  • the KMF could collect parameters based on the solution and the level for security protection, and these parameters could be used as input for key derivation.
  • the KMF selects algorithms for key derivation and an algorithm for key activation.
  • the KMF could select algorithms for key derivation.
  • the algorithms for key derivation could be used to generate keys for protection of the data session.
  • KMF could select algorithms for generating keys for Data-TW-GW and device, keys for Data-TW-GW and XaaS service, or keys for XaaS service and device.
  • Keys for protection of the data session could include a key used for protection of the data session with a particular encryption algorithm, and/or a key used for protection with a particular integrity algorithm.
  • the KMF could determine the particular encryption algorithm and the particular integrity algorithm.
  • the keys for Data-TW-GW and device could include a key used for protection of the data session on interface II with a particular encryption algorithm, and a key used for protection of the data session on interface II with a particular integrity algorithm. This encryption algorithm and this integrity algorithm could be determined by the KMF.
  • the KMF generates security contexts.
  • the KMF could generate a key for data encryption and a key for data integrity.
  • the KMF could generate security contexts for the device, security contexts for the Data-TW-GW and security contexts for the XaaS service.
  • FIG. 9 illustrates a principle of security protection on data session corresponding to the FIG. 7.
  • When receiving a service request from a device, a MM shall determine whether it needs a security protection on a data session. If it needs a security protection on a data session, the MM shall request security protection provision from a KMF.
  • the KMF shall select a solution for security protection on a data session, and a level for security protection on the data session. After that, the KMF collects parameters for key derivation according to the selected solution and the selected level. Then, the KMF selects algorithms for key derivation, an algorithm for data encryption, an algorithm for data integrity.
  • the KMF generates a key for data encryption and a key for data integrity, and security contexts for a device, security contexts for a Data-TW-GW, security contexts for a XaaS service.
  • these security contexts are configured to the device, the Data-TW-GW and the XaaS service.
  • the method of security protection on data session could have the following new features compared to the prior art in 3GPP TS 33.501. 1) Communication between a device and a serving Data-GW should be secured. When the communication is secured, communication content is ciphered and not readable by the RAN and other Data-TW-GWs. 2) The KMF has the new features of determining which solution/level of security protection applies to a data session, and of collecting inputs for key generation.
  • FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application. These embodiments provide more details about key generation according to FIG. 9.
  • the key points of the security protection on data session are as follows:
  • a KMF shall determine which solution/level of security protection applies to a data session according to service security requirements from a MM, local policy from a network operator, and security process capabilities from a device, a serving Data-TW-GW and a XaaS service.
  • security requirements from a MM shall include service security requirements from a device and network security performance from the MM.
  • the security process capabilities shall indicate what process capabilities could be provided to run security protection on a data session, for example, algorithms for data encryption/data integrity, algorithms for key derivation.
  • Parameters for key derivation may include information from a MM, information from a device, information from a Data-TW-GW, information from a KMF, and information from a XaaS service.
  • information from the MM may include a service ID/application ID, or a mission ID/session ID.
  • a mission or a session may include at least one service or one application.
  • Information from the device may include at least a device ID, an algorithm ID for generating keys.
  • Information from the Data-TW-GW may include at least an ID of the Data-TW-GW.
  • Information from the KMF may include at least a root key that is known by the device and the KMF, and a time window that indicates the key's validity period.
  • Information from a XaaS service may include at least an ID of a XaaS PSF that is used for processing data.
  • Table 1 illustrates parameters for key derivation according to some embodiments of the present application.
  • keys for Data-TW-GW and device in Table 1 mean that these keys are configured to both a Data-TW-GW and a device.
  • Keys for Data-TW-GW and XaaS service in Table 1 mean that these keys are configured to both a Data-TW-GW and a XaaS PSF that is used for data processing.
  • Keys for device and XaaS service in Table 1 mean that these keys are configured to both a device and a XaaS PSF.
  • keys for Data-TW-GW and device could be taken as examples of the first key
  • keys for Data-TW-GW and XaaS service could be taken as examples of the second key
  • keys for the XaaS service and the device could be taken as examples of the third key.
  • a “hop-to-hop” in Table 1 means that a KMF selects a hop-to-hop security protection of data session.
  • the end-to-end security protection of data session could be represented by the “end-to-end” in Table 1.
  • the “per device” , “per mission/session” and “per service/application” in Table 1 could represent the security protection on data session performed per device, per mission/session and per service/application, respectively.
  • the ID of XaaS PSF could be taken as an example of the first server.
  • Table 1: inputs for key derivation.
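The parameter collection described for method 300 (first, second and third parameter sets, plus the per-level service/session/mission ID) and the inputs of Table 1 follow the same rule, so one added example serves both; it is not code from the patent. It models a KMF that gathers the inputs for the selected solution and level and derives an encryption key, an integrity key and a key ID for each key the solution calls for. HKDF-SHA256 as the derivation algorithm, the key-ID scheme, the string labels and the sample IDs are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869); the KDF itself is an assumed choice."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Level -> extra identifier the level adds to the derivation input
# (the device ID is already part of every parameter set, so "per device" adds none).
LEVEL_TO_FIELD = {
    "per service/application": "service_id",
    "per session": "session_id",
    "per mission": "mission_id",
    "per device": None,
}


@dataclass(frozen=True)
class KeyRequest:
    solution: str            # "hop-to-hop" (first + second key) or "end-to-end" (third key)
    level: str               # one of LEVEL_TO_FIELD
    device_id: str           # information from the device
    gateway_id: str          # ID of the Data-TW-GW (first network function)
    psf_id: str              # ID of the XaaS PSF (first server)
    time_window: str         # key validity period, chosen by the KMF
    alg_id: str              # ID of the key-derivation algorithm
    service_id: Optional[str] = None
    session_id: Optional[str] = None
    mission_id: Optional[str] = None


def collect_parameters(req: KeyRequest) -> dict:
    """Build the per-key parameter lists the KMF gathers for the selected solution
    and level. The shared root key is the KDF secret, not part of these lists."""
    if req.level not in LEVEL_TO_FIELD:
        raise ValueError(f"unknown level: {req.level}")
    common = [("alg_id", req.alg_id), ("time_window", req.time_window)]
    field = LEVEL_TO_FIELD[req.level]
    if field is not None:
        value = getattr(req, field)
        if value is None:  # the level needs an ID the requester did not supply
            raise ValueError(f"level {req.level!r} needs {field}")
        common.append((field, value))
    if req.solution == "hop-to-hop":
        return {
            "first_key": [("device_id", req.device_id), ("gateway_id", req.gateway_id)] + common,
            "second_key": [("psf_id", req.psf_id), ("gateway_id", req.gateway_id)] + common,
        }
    if req.solution == "end-to-end":
        return {"third_key": [("device_id", req.device_id), ("psf_id", req.psf_id)] + common}
    raise ValueError(f"unknown solution: {req.solution}")


def derive_security_contexts(root_key: bytes, req: KeyRequest) -> dict:
    """For each key the solution calls for, derive an encryption key, an integrity
    key and a key ID from the collected parameters (assumed derivation layout)."""
    contexts = {}
    for name, params in collect_parameters(req).items():
        info = "|".join(f"{k}={v}" for k, v in params).encode()
        salt = name.encode()
        enc = _hkdf(root_key, salt, b"enc|" + info)
        integ = _hkdf(root_key, salt, b"int|" + info)
        key_id = hashlib.sha256(salt + b"|" + info).hexdigest()[:16]  # assumed ID scheme
        contexts[name] = {"key_id": key_id, "enc": enc, "int": integ, "params": params}
    return contexts


def holders(name: str) -> tuple:
    """Entities configured with a given key, as the description above lays out."""
    return {"first_key": ("device", "Data-TW-GW"),
            "second_key": ("Data-TW-GW", "XaaS PSF"),
            "third_key": ("device", "XaaS PSF")}[name]


if __name__ == "__main__":
    ROOT = b"\x11" * 32  # constructed sample shared key between device and KMF
    req = KeyRequest("hop-to-hop", "per mission", "UE#1", "GW#7", "PSF#3",
                     "2024-01-01T00:00Z/2024-01-02T00:00Z", "HKDF-SHA256",
                     mission_id="mission#1")
    for name, ctx in derive_security_contexts(ROOT, req).items():
        print(name, ctx["key_id"], holders(name), ctx["enc"].hex()[:16])
```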
  • a XaaS service is taken as an example of the first server
  • the Data-TW-GW is taken as an example of the first network function.
  • a device transmits a message 1 to a MM.
  • the message 1 is used to request a service supported by the XaaS service.
  • the message 1 may include an ID of the device, security requirement of the service and a security capability of the device.
  • the MM determines whether the service needs to be protected.
  • the MM could determine whether the service needs to be protected according to the security requirement of the service.
  • the MM transmits a message 3 to a KMF.
  • the message 3 is used to request security configuration.
  • the message 3 could include an ID of the device, security requirements, the security capability of the device and a security capability of a Data-TW-GW.
  • the security requirements received from the MM could include at least one of: security requirements from the device (e.g., security requirements of the service, security requirement of the device) , or network security performance from the MM.
  • the message 3 could be considered as an example of the first message mentioned in the method 300.
  • the message 3 further includes a security capability of a XaaS service, an ID of XaaS PSF, and an ID of the Data-TW-GW.
  • the message 3 could also be considered as an example of the third message mentioned in the method 300.
  • the KMF transmits a message 4 to the XaaS service.
  • the message 4 is used to request the security capability of the XaaS service.
  • the message 4 could include indication for request for security process capability of the XaaS service.
  • the message 4 could be considered as an example of the second message mentioned in the method 300.
  • the XaaS service transmits a message 5 to the KMF.
  • the message 5 includes the security capability of the XaaS service.
  • the message 5 could be a response of the message 4.
  • the message 5 could be considered as an example of the third message mentioned in the method 300.
  • the KMF determines a level and a solution for security protection on a data session.
  • the level and the solution for security protection on the data session could be determined based on at least one of: security requirements from the MM, local policy from the network operator, the security process capability of the device, the security process capability of the Data-TW-GW or the security process capability of the XaaS service.
  • the KMF collects inputs for key derivation.
  • the KMF may send a request to the MM for collecting information from the MM, or collecting information from the Data-TW-GW.
  • the MM could transmit a response according to the request.
  • the response may include a service ID/application ID, or a session ID/mission ID.
  • the KMF may send a request to the XaaS service for collecting information from the service.
  • the XaaS service could transmit a response according to the request.
  • the response may include an ID of the XaaS PSF.
  • the collected information could be used as input for generating keys used for protection of the data session.
  • the KMF generates security contexts.
  • the KMF could generate keys used for protection of the data session according to the selected level and solution for security protection of the data session.
  • the KMF could generate at least one of: the security context for the device, the security context for the Data-TW-GW or the security context for the XaaS service.
  • the KMF is responsible for keys configuration.
  • the MM is responsible for keys configuration.
  • the KMF transmits a message 9 to the Data-TW-GW.
  • the message 9 could include the security context for the Data-TW-GW and IDs of keys used at the Data-TW-GW for protection of the data session. The message 9 could be used to configure these keys.
  • the message 9 could be considered as an example of the fourth message mentioned in the method 300.
  • the Data-TW-GW transmits a message 10 to the KMF.
  • the Data-TW-GW could keep or maintain its security context.
  • the message 10 could indicate a successful configuration for the keys used at the Data-TW-GW.
  • the KMF transmits a message 11 to the XaaS service.
  • the message 11 could include the security context for the XaaS service and IDs of keys used at the XaaS service for protection of the data session.
  • the message 11 could be considered as an example of the fourth message mentioned in the method 300.
  • the XaaS service transmits a message 12 to the KMF.
  • the XaaS service could keep or maintain its security context.
  • the message 12 could indicate a successful configuration for the keys used at the XaaS service.
  • the KMF could configure keys to the XaaS service and the Data-TW-GW according to S509 to S512.
  • the KMF transmits a message 13 to the MM.
  • the message 13 may include the security context for the device and IDs of keys used at the device for protection of the data session.
  • the MM could further transmit message that includes the security context for the device to the device.
  • keys used at device could be generated according to the message.
  • the message 13 could be considered as an example of the fourth message mentioned in the method 300.
  • the message 13 further includes the security context for the Data-TW-GW and the security context for the XaaS service.
  • the MM transmits a message 14 to the XaaS service.
  • the message 14 could include the security context for the XaaS service and IDs of keys used at XaaS service for protection of the data session.
  • the message 14 could be considered as an example of the eighth message mentioned in the method 300.
  • the XaaS service transmits a message 15 to the MM.
  • the XaaS service could keep or maintain its security context.
  • the message 12 could indicate a successful configuration for the keys used at the XaaS service.
  • the MM could configure keys to the XaaS service according to S514 and S515.
  • the MM transmits a message 16 to the Data-TW-GW.
  • the message 16 could include the security context for the Data-TW-GW and IDs of keys used at the Data-TW-GW for protection of the data session.
  • the message 16 could be considered as an example of the ninth message mentioned in the method 300.
  • the Data-TW-GW transmits a message 17 to the MM.
  • the Data-TW-GW could keep or maintain its security context.
  • the message 17 could indicate a successful configuration for the keys used at the Data-TW-GW.
  • the MM could configure keys to the Data-TW-GW according to S516 and S517.
  • the Data-TW-GW maintains security context for the Data-TW-GW.
  • the XaaS service maintains security context for the XaaS service.
  • the MM transmits a message 20 to the device.
  • the message 20 includes the security context for the device and IDs of keys used at the device.
  • the message 20 could be considered as an example of the tenth message mentioned in the method 300.
  • the device generates keys and maintains the security context for the device.
  • the MM determines whether the service needs to be protected or not according to the service requirements.
  • If the service needs to be protected, the MM sends a message 3 to a KMF.
  • the message 3 could be considered as an example of the first message mentioned in the method 300.
  • the KMF may request for a security process capability of a XaaS service if the message3 does not include it.
  • the KMF sends a message4 to a XaaS service.
  • the message 4 could be considered as an example of the second message mentioned in the method 300.
  • the XaaS service sends a message5 to the KMF.
  • the message 5 could be considered as an example of the third message mentioned in the method 300.
  • the KMF determines which level/solution of security protection on data session.
  • the KMF may collect inputs for key derivation. For example, the KMF may send a request for information from a MM, information from a Data-TW-GW, to a MM. The MM sends the response according to the request. In some embodiments, the KMF may send a request for information from a XaaS service, to a XaaS service. The XaaS service sends the response according to the request. In some embodiments, information from the XaaS service may be sent to the KMF via MM.In some embodiments, information from a MM, information from a XaaS service, information from a Data-TW-GW, may be included in the message3.
  • the KMF generates keys according to the select solution/level of security protection on the data session.
  • the KMF generates security contexts for the device, security contexts for the Data-TW-GW, security contexts for the XaaS service.
  • the KMF sets an ID of these keys.
  • the KMF may configure these security contexts to the Data-TW-GW and the XaaS service.
  • the KMF sends a message 9 to the Data-TW-GW.
  • the message 9 could be considered as an example of the fourth message mentioned in the method 300.
  • the Data-TW-GW keeps the security contexts for the Data-TW-GW, and sends a message 10 to the KMF.
  • the KMF sends a message 11 to the XaaS service.
  • the message 11 could be considered as an example of the fourth message mentioned in the method 300.
  • the XaaS service keeps the security contexts for the XaaS service, and sends a message 12 to the KMF.
  • the KMF sends a message 13 to the MM.
  • the message 13 could be considered as an example of the fourth message mentioned in the method 300.
  • the MM may configure these security contexts to the Data-TW-GW and the XaaS service.
  • the MM sends a message 14 to the XaaS service.
  • the message 14 could be considered as an example of the eighth message mentioned in the method 300.
  • the XaaS service keeps the security contexts for the XaaS service, and sends a message 15 to the MM.
  • the MM sends a message 16 to the Data-TW-GW.
  • the message 16 could be considered as an example of the ninth message mentioned in the method 300.
  • the Data-TW-GW keeps the security contexts for the Data-TW-GW, and sends a message 17 to the MM.
  • the Data-TW-GW maintains the security contexts for the Data-TW-GW.
  • the XaaS service maintains the security contexts for the XaaS service.
  • the MM sends a message 20 to the device.
  • the message 20 could be considered as an example of the tenth message mentioned in the method 300.
  • the device generates keys, and maintains security contexts for the device.
  • This embodiment provides the factors that affect how to determine which solution/level of security protection applies to a data session.
  • In 3GPP TS 33.501 there is only one solution for key generation, without any selection among solutions/levels. The present application, by contrast, could provide multiple customized security protections on a data session.
  • the inputs of key derivation include a device ID, the name of the serving network, a root key, and information related to the accessing gNB (e.g., PCI).
  • the present application adds information from a MM (e.g., session ID, service ID) into the above inputs of key derivation.
  • keys for data encryption/data integrity could be per session, or per service, or per device. This could improve security protection on a data session.
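The scope-dependent derivation the bullets above describe, as an added illustration that is not code from the application or from 3GPP: the base inputs (root key, device ID, serving network name, gNB PCI) are those the description attributes to 3GPP key derivation, and the MM-supplied session ID or service ID is mixed in only for the scope that needs it, so per-device keys stay identical across sessions while per-session keys differ. The HKDF-SHA256 construction, the field encoding, the `key_version` input and the key-ID rule are assumptions made here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Key scopes named in the description: keys may be per session, per service or per device.
SCOPES = ("per_device", "per_service", "per_session")


def _hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract then expand) over HMAC-SHA256; the KDF choice is an assumption."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _field(tag: str, value: str) -> bytes:
    """Tag and length-prefix every input so that concatenated fields cannot collide."""
    data = value.encode("utf-8")
    return tag.encode("ascii") + len(data).to_bytes(2, "big") + data


@dataclass(frozen=True)
class SecurityContext:
    scope: str
    key_id: str      # identifier the KMF hands to the device, Data-TW-GW and XaaS service
    enc_key: bytes   # key for data encryption
    int_key: bytes   # key for data integrity


def derive_context(scope: str, root_key: bytes, device_id: str, serving_network: str,
                   gnb_pci: int, session_id: Optional[str] = None,
                   service_id: Optional[str] = None, key_version: int = 1) -> SecurityContext:
    """Derive the encryption and integrity keys for one data session at the given scope.

    key_version is an assumed input: bumping it on a root-key change or an expired
    time window gives fresh keys and a fresh key ID for the same session binding.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    info = (_field("scope", scope) + _field("ver", str(key_version)) + _field("dev", device_id)
            + _field("sn", serving_network) + _field("pci", str(gnb_pci)))
    if scope == "per_service":
        if service_id is None:
            raise ValueError("per_service keys need a service ID from the MM")
        info += _field("svc", service_id)
    elif scope == "per_session":
        if session_id is None:
            raise ValueError("per_session keys need a session ID from the MM")
        info += _field("sess", session_id)
    # 64 bytes of output: first half encryption key, second half integrity key.
    material = _hkdf_sha256(root_key, salt=b"data-session-protection", info=info, length=64)
    # Key ID (assumed rule): a public fingerprint of the derivation inputs, never of the key.
    key_id = hashlib.sha256(b"key-id" + info).hexdigest()[:16]
    return SecurityContext(scope, key_id, material[:32], material[32:])
```

Because the session or service identifier is bound into the HKDF `info`, a Data-TW-GW or XaaS service that holds a per-session key for one session learns nothing about another session's key even though both descend from the same root key; a per-device key, by design, is shared by all of that device's sessions.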
  • keys used for protection of a data session may need to be updated.
  • a procedure of key update could be triggered by a MM when a mission/session is changed due to a change of the Data-TW-GW and a XaaS PSF.
  • the procedure of key update could be triggered by a KMF when a time window has expired or a root key is changed.
  • FIG. 11 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • the XaaS service is taken as an example of the first server.
  • the Data-TW-GW is taken as an example of the first network function.
  • a MM transmits a message 1 to a KMF.
  • the message 1 is used to request an update of keys used for protection of the data session (e.g., keys for protection of the data session on interface II, keys for protection of the data session on interface III, or keys used at the device and the XaaS service).
  • the message 1 could include an ID of the device, an ID of the XaaS PSF and an ID of the Data-TW-GW.
  • the message 1 could be considered as an example of the fifth message mentioned in the method 300.
  • the KMF generates new security contexts.
  • the KMF could generate new keys according to the selected solution/level for security protection on the data session.
  • the KMF could set an ID of these keys.
  • the KMF could generate at least one of: the security context for the device, the security context for the Data-TW-GW, and the security context for the XaaS service.
  • the KMF transmits a message 3 to the Data-TW-GW.
  • the message 3 could include the security context for the Data-TW-GW and IDs of keys used at the Data-TW-GW for protection of the data session. The message 3 could be used to configure these keys.
  • the message 3 could be considered as an example of the fourth message mentioned in the method 300.
  • the Data-TW-GW transmits a message 4 to the KMF.
  • the Data-TW-GW could keep or maintain its security context.
  • the message 4 could indicate a successful configuration for the keys used at the Data-TW-GW.
  • the KMF transmits a message 5 to the XaaS service.
  • the message 5 could include the security context for the XaaS service and IDs of keys used at XaaS service for protection of the data session.
  • the message 5 could be considered as an example of the fourth message mentioned in the method 300.
  • the XaaS service transmits a message 6 to the KMF.
  • the XaaS service could keep or maintain its security context.
  • the message 6 could indicate a successful configuration for the keys used at the XaaS service.
  • the KMF transmits a message 7 to the MM.
  • the message 7 may include the security context for the device and IDs of keys used at the device for protection of the data session.
  • the message 7 could be considered as an example of the fourth message mentioned in the method 300.
  • the MM could further transmit a message that includes the security context for the device to the device.
  • keys used at the device could be generated according to that message.
  • the MM could be responsible for the key configuration.
  • the MM transmits a message 8 to the XaaS service.
  • the message 8 could include the security context for the XaaS service and IDs of keys used at XaaS service for protection of the data session.
  • the message 8 could be considered as an example of the eighth message mentioned in the method 300.
  • the XaaS service transmits a message 9 to the MM.
  • the XaaS service could keep or maintain its security context.
  • the message 9 could indicate a successful configuration for the keys used at the XaaS service.
  • the MM transmits a message 10 to the Data-TW-GW.
  • the message 10 could include the security context for the Data-TW-GW and IDs of keys used at the Data-TW-GW for protection of the data session.
  • the message 10 could be considered as an example of the ninth message mentioned in the method 300.
  • the Data-TW-GW transmits a message 11 to the MM.
  • the Data-TW-GW could keep or maintain its security context.
  • the message 11 could indicate a successful configuration for the keys used at the Data-TW-GW.
  • the Data-TW-GW maintains security context for the Data-TW-GW.
  • the XaaS service maintains security context for the XaaS service.
  • the MM transmits a message 14 to the device.
  • the message 14 includes the security context for the device, and ID of keys used at the device.
  • the message 14 could be considered as an example of the tenth message mentioned in the method 300.
  • the device generates keys and maintains the security context for the device.
  • the device transmits a message 16 to the MM.
  • the message 16 could indicate a successful configuration for the keys used at the device.
  • a MM sends a message 1 to a KMF.
  • the message 1 could be considered as an example of the fifth message mentioned in the method 300.
  • the KMF generates keys according to the selected solution/level of security protection on the data session.
  • the KMF generates security contexts for the device, security contexts for the Data-TW-GW, security contexts for the XaaS service.
  • the KMF sets an ID for these keys.
  • the KMF may configure these security contexts to the Data-TW-GW and the XaaS service.
  • the KMF sends a message 3 to the Data-TW-GW.
  • the message 3 could be considered as an example of the fourth message mentioned in the method 300.
  • the Data-TW-GW keeps the security contexts for the Data-TW-GW, and sends a message 4 to the KMF.
  • the KMF sends a message 5 to the XaaS service.
  • the message 5 could be considered as an example of the fourth message mentioned in the method 300.
  • the XaaS service keeps the security contexts for the XaaS service, and sends a message 6 to the KMF.
  • the KMF sends a message 7 to the MM.
  • the message 7 could be considered as an example of the fourth message mentioned in the method 300.
  • the MM may configure these security contexts to the Data-TW-GW and the XaaS service.
  • the MM sends a message 8 to the XaaS service.
  • the message 8 could be considered as an example of the eighth message mentioned in the method 300.
  • the XaaS service keeps the security contexts for the XaaS service, and sends a message 9 to the MM.
  • the MM sends a message 10 to the Data-TW-GW.
  • the message 10 could be considered as an example of the ninth message mentioned in the method 300.
  • the Data-TW-GW keeps the security contexts for the Data-TW-GW, and sends a message 11 to the MM.
  • the Data-TW-GW maintains the security contexts for the Data-TW-GW.
  • the XaaS service maintains the security contexts for the XaaS service.
  • the MM sends a message 14 to the device.
  • the message 14 could be considered as an example of the tenth message mentioned in the method 300.
  • the device generates keys, and maintains security contexts for the device.
  • the device sends a message 16 to the MM.
  • keys for protection of a data session may need to be released.
  • a procedure of key release could be triggered by a MM when the MM releases a session.
  • FIG. 12 is a schematic flowchart of a method for communication according to some embodiments of the present application.
  • the XaaS service is taken as an example of the first server.
  • the Data-TW-GW is taken as an example of the first network function.
  • the MM transmits a message 1 to a KMF.
  • the message 1 is used to notify a release of a data session.
  • the message 1 could include an ID of the device, and an ID of a session or a service.
  • the message 1 could be considered as an example of the sixth message mentioned in the method 300.
  • the KMF determines whether the keys for protection of the data session need to be released.
  • the KMF could notify the related network functions to release the keys used for protection of the data session.
  • the KMF transmits a message 3 to the Data-TW-GW.
  • the message 3 could include an ID of at least one key needed to be released among keys used at the Data-TW-GW for protection of the data session.
  • the message 3 could be considered as an example of the seventh message mentioned in the method 300.
  • the Data-TW-GW transmits a message 4 to the KMF.
  • the message 4 could indicate a successful release for the at least one key needed to be released.
  • the KMF transmits a message 5 to the XaaS service.
  • the message 5 could include an ID of at least one key needed to be released among the keys used at the XaaS service for protection of the data session.
  • the message 5 could be considered as an example of the seventh message mentioned in the method 300.
  • the XaaS service transmits a message 6 to the KMF.
  • the message 6 could indicate a successful release for the at least one key needed to be released.
  • the KMF transmits a message 7 to the MM.
  • the message 7 is used to acknowledge the notification of the release of the data session.
  • the message 7 could include an ID of at least one key needed to be released among the keys used at the device for protection of the data session.
  • the message 7 could be considered as an example of the seventh message mentioned in the method 300.
  • the message 7 could further include: at least one key needed to be released among the keys used at the XaaS, and at least one key needed to be released among keys used at the Data-TW-GW.
  • the MM could be responsible for the key release.
  • the MM transmits a message 8 to the XaaS service.
  • the message 8 could include an ID of at least one key needed to be released among the keys used at the XaaS service for protection of the data session.
  • the message 8 could be considered as an example of the eleventh message mentioned in the method 300.
  • the XaaS service transmits a message 9 to the MM.
  • the message 9 could indicate a successful release for the at least one key needed to be released.
  • the MM transmits a message 10 to the Data-TW-GW.
  • the message 10 could include an ID of at least one key needed to be released among keys used at the Data-TW-GW for protection of the data session.
  • the message 10 could be considered as an example of the twelfth message mentioned in the method 300.
  • the Data-TW-GW transmits a message 11 to the MM.
  • the message 11 could indicate a successful release for the at least one key needed to be released.
  • the MM transmits a message 12 to the device.
  • the message 12 could include an ID of at least one key needed to be released among keys used at the device for protection of the data session.
  • the message 12 could be considered as an example of the thirteenth message mentioned in the method 300.
  • the device transmits a message 13 to the MM.
  • the message 13 could indicate a successful release for the at least one key needed to be released.
  • a MM sends a message 1 to a KMF.
  • the message 1 could be considered as an example of the sixth message mentioned in the method 300.
  • the KMF determines whether to release the keys or not according to the message 1. If these keys are per mission/session, or per service/application, the KMF shall notify the related network functions to release these keys.
  • the KMF may release these keys.
  • the KMF sends a message 3 to a Data-TW-GW.
  • the message 3 could be considered as an example of the seventh message mentioned in the method 300.
  • the Data-TW-GW sends a message 4 to the KMF.
  • the KMF sends a message 5 to a XaaS service.
  • the message 5 could be considered as an example of the seventh message mentioned in the method 300.
  • the XaaS service sends a message 6 to the KMF.
  • the KMF sends a message 7 to the MM.
  • the message 7 could be considered as an example of the seventh message mentioned in the method 300.
  • the MM may release these keys.
  • the MM sends a message 8 to a XaaS service.
  • the message 8 could be considered as an example of the eleventh message mentioned in the method 300.
  • the XaaS service sends a message 9 to the MM.
  • the MM sends a message 10 to a Data-TW-GW.
  • the message 10 could be considered as an example of the twelfth message mentioned in the method 300.
  • the Data-TW-GW sends a message 11 to the MM.
  • the MM sends a message 12 to a device.
  • the message 12 could be considered as an example of the thirteenth message mentioned in the method 300.
  • the device sends a message 13 to the MM.
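The KMF-side bookkeeping behind the key update of FIG. 11 and the key release of FIG. 12, as an added example that is not code from the application: a key store that flags keys whose time window has expired (the KMF-triggered update), replaces a key with a new key ID while keeping its session or service binding, and, on a session or service release notified by the MM, works out which key IDs each holder (device, Data-TW-GW, XaaS service) must be told to release. Per-session keys go with their session and per-service keys with their service, while per-device keys survive both, matching the rule stated above. The class, its field names, the time-window policy and the placeholder random keys are assumptions; the keys would normally come from the derivation the description attributes to the KMF.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Network functions that hold a copy of a data-session key in the description.
HOLDERS = ("device", "Data-TW-GW", "XaaS")


@dataclass
class KeyRecord:
    key_id: str
    scope: str                    # "per_session", "per_service" or "per_device"
    device_id: str
    session_id: Optional[str]
    service_id: Optional[str]
    holders: Tuple[str, ...]
    expires_at: int               # end of the key's time window (KMF update trigger)
    # Placeholder random key (assumption); a real KMF would store derived material.
    key: bytes = field(default_factory=lambda: os.urandom(32), repr=False)


class KMFKeyStore:
    """Tracks the keys the KMF configured to the device, Data-TW-GW and XaaS service."""

    def __init__(self, window: int) -> None:
        self.window = window                      # validity window in seconds (assumed policy)
        self._records: Dict[str, KeyRecord] = {}
        self._counter = 0

    def _new_key_id(self) -> str:
        self._counter += 1
        return f"kid-{self._counter:04d}"

    def install(self, scope: str, device_id: str, now: int, session_id: Optional[str] = None,
                service_id: Optional[str] = None, holders: Tuple[str, ...] = HOLDERS) -> KeyRecord:
        """Record a freshly generated key after it has been configured to its holders."""
        rec = KeyRecord(self._new_key_id(), scope, device_id, session_id, service_id,
                        tuple(holders), now + self.window)
        self._records[rec.key_id] = rec
        return rec

    def active_key_ids(self) -> List[str]:
        return list(self._records)

    def due_for_update(self, now: int) -> List[str]:
        """Keys whose time window has expired: the KMF-triggered update of FIG. 11."""
        return [k for k, r in self._records.items() if r.expires_at <= now]

    def update(self, key_id: str, now: int) -> KeyRecord:
        """Replace one key with a new one of the same scope and binding but a new key ID."""
        old = self._records.pop(key_id)
        return self.install(old.scope, old.device_id, now, old.session_id, old.service_id, old.holders)

    def release_plan(self, device_id: str, session_id: Optional[str] = None,
                     service_id: Optional[str] = None) -> Dict[str, List[str]]:
        """Release decision of FIG. 12 for an MM notification carrying a session or service ID.

        Returns, per holder, the key IDs it must be told to release (messages 3, 5 and 7
        of FIG. 12); matching records are dropped from the store.
        """
        plan: Dict[str, List[str]] = {h: [] for h in HOLDERS}
        for key_id, rec in list(self._records.items()):
            if rec.device_id != device_id:
                continue
            by_session = (rec.scope == "per_session" and session_id is not None
                          and rec.session_id == session_id)
            by_service = (rec.scope == "per_service" and service_id is not None
                          and rec.service_id == service_id)
            if by_session or by_service:
                del self._records[key_id]
                for holder in rec.holders:
                    plan[holder].append(key_id)
        return plan
```

Keeping the holder list on each record is what lets the KMF fan out the release to exactly the network functions that received the key, and dropping the record before the notifications go out means a late acknowledgement cannot resurrect a released key ID.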
  • security protection on a data session, especially in communications between a device and a serving Data-GW, is provided.
  • communication content is ciphered and is not readable by the RAN or by other Data-TW-GWs.
  • the KMF has a new feature: determining which level/method of security protection applies to a data session, and collecting the inputs for key generation.
  • keys are used for multiple communication sessions.
  • keys could be per session or per service. That could improve the security of communications.
  • FIG. 13 is a schematic block diagram of a communication apparatus 10 according to some embodiments of the present application.
  • the communication apparatus may be a communication device or an apparatus applied to the communication device and capable of realizing corresponding functions of any one of the network functions in the embodiments of the present application, for example, the apparatus may be a chip, a chip system or a circuit, which is not limited.
  • the communication device may be a KMF, a first network function, a second network function or a first server, or the chip installed in any one of these network functions.
  • the communication apparatus 10 includes a processing module 11.
  • the processing module 11 may be a processor, a processing circuit, a processing board, a processing unit, or a processing device, et al.
  • the processing module 11 is configured to implement processing and/or operations implemented inside the communication apparatus, except the sending and receiving actions.
  • the communication apparatus 10 may further include a communication module 12.
  • the communication module 12 is configured to implement a sending action and/or a receiving action.
  • the communication module 12 may also be called a transceiver module, a transceiver, or a transceiver device, etc., and is configured to implement operations of receiving (which may be referred to as inputting) and/or sending (which may be referred to as outputting).
  • the communication module 12 could be configured to receive the first message.
  • the communication module 12 could further be configured to transmit the second message to the second KMF.
  • the communication module 12 could be configured to receive the fourth message.
  • the communication module 12 could be configured to receive the second message.
  • FIG. 14 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
  • the communication apparatus 20 includes at least one processor 21.
  • the at least one processor 21 is coupled to at least one memory 22.
  • the at least one memory 22 is configured to store one or more instructions and/or executable computer code.
  • the at least one processor 21 is configured to invoke the one or more instructions and/or executable computer code, so that the communication apparatus 20 implements the method provided in the embodiments of the present application.
  • the communication apparatus 20 may further include the at least one memory 22.
  • the communication apparatus 20 may further include at least one communication interface 23, and the at least one communication interface 23 is configured to input and/or output information or data.
  • the communication apparatus 20 may be any one of the network functions in the method embodiments.
  • the communication apparatus 20 may be a KMF, a first network function, a second network function or a first server.
  • the processor 21 may be a baseband apparatus, and the communication interface 23 may be a radio frequency apparatus.
  • the communication apparatus 20 may be a chip (or a chip system) installed at a communication device such as a KMF, a first network function, a second network function or a first server.
  • the processor 21 may be a circuit, for example, a logic circuit, an integrated circuit, etc.
  • the communication interface 23 may be a transceiver, an interface circuit, an input/output interface, a bus, a module, a pin, or other types of interfaces.
  • An embodiment of the present application further provides a communication system.
  • the communication system may include any one of communication apparatuses according to any one of the method embodiments.
  • the communication system may include one or more of the following network functions: a KMF, a first network function, a second network function or a first server.
  • the communication system may further include a device (e.g., a UE) or other network functions, which is not limited.
  • An embodiment of the present application further provides a computer storage medium, and the computer storage medium may store one or more instructions for executing any of the foregoing methods.
  • An embodiment of the present application further provides a computer program product, and the computer program product may store one or more instructions for executing any of the foregoing methods.
  • A and/or B may represent the following three cases: only A exists, both A and B exist, and only B exists.
  • the character “/” generally indicates an “or” relationship between the associated objects.
  • At least one means one or more.
  • At least one of A and B, similar to “A and/or B”, describes an association relationship between associated objects and represents that three relationships may exist.
  • at least one of A and B may represent the following three cases: Only A exists, both A and B exist, and only B exists.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the described apparatus embodiment is merely an example.
  • the unit division is a logical function division and other methods of division may be used in an actual embodiment.
  • a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed.
  • the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented using various communication interfaces.
  • the indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
  • function units in the embodiments of this application may be integrated into one processing unit, each of the units may exist alone physically, or two or more units may be integrated into one unit.
  • When the functions are implemented in the form of a software functional unit and sold or used as an independent product, the functions may be stored in a computer-readable storage medium.
  • the technical solutions of this application may be implemented in the form of a software product.
  • the software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc or the like.
  • the units described as separate parts may be or may not be physically separate, and parts displayed as units may be or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected based on actual requirements to achieve the objectives of the solutions of the embodiments.
  • functional units in the embodiments of this application may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units are integrated into one unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of this application disclose a method and an apparatus. The method includes: determining a security protection solution on a data session between a device and a first server and a security protection level on the data session; and collecting a plurality of parameters based on the security protection solution on the data session and the security protection level on the data session, the plurality of parameters being used to derive at least one key used for protection of the data session. Keys used for protection of a data session could be generated based on different solutions and different levels. This could improve communication security. Moreover, it could provide more flexibility for the different security requirements of different devices and different services.
PCT/CN2024/071585 2023-09-29 2024-01-10 Procédé et appareil de communication Pending WO2025065970A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202363586707P 2023-09-29 2023-09-29
US63/586,707 2023-09-29

Publications (1)

Publication Number Publication Date
WO2025065970A1 true WO2025065970A1 (fr) 2025-04-03

Family

ID=95204582

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/071585 Pending WO2025065970A1 (fr) 2023-09-29 2024-01-10 Procédé et appareil de communication

Country Status (1)

Country Link
WO (1) WO2025065970A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150200919A1 (en) * 2013-11-25 2015-07-16 Space Micro, Inc. Object level encryption system inlcuding encryption key management system
CN108347410A (zh) * 2017-01-24 2018-07-31 华为技术有限公司 安全实现方法、设备以及系统
CN108377495A (zh) * 2016-10-31 2018-08-07 华为技术有限公司 一种数据传输方法、相关设备及系统
US20210297853A1 (en) * 2020-03-17 2021-09-23 Qualcomm Incorporated Secure communication of broadcast information related to cell access
US20220030425A1 (en) * 2020-07-27 2022-01-27 Samsung Electronics Co., Ltd. Methods and systems for deriving cu-up security keys for disaggregated gnb architecture
CN114007220A (zh) * 2021-10-20 2022-02-01 武汉大学 短期阶段会话密钥生成方法、认证密钥协商方法及系统



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24869542

Country of ref document: EP

Kind code of ref document: A1