WO2025153074A1 - Secure communication method and apparatus, and communication system - Google Patents
- Publication number
- WO2025153074A1 (PCT/CN2025/073066)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security protection
- session
- integrity security
- integrity
- drb
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
Definitions
- the present application relates to the field of communications, and more specifically, to a secure communication method, device and communication system.
- a terminal device can communicate with a base station over the new radio (NR) air interface, and the base station can communicate with the core network through a ground gateway.
- 5G fifth generation
- NR new radio
- Uplink and downlink messages between the terminal device and the core network can be transmitted through the base station and the ground gateway.
- the communication link between the terminal device and the base station and the communication link between the base station and the core network may not both be connected at the same time (for example, a satellite base station may still serve the terminal while its feeder link to the ground gateway is down).
- in that case the base station can perform a store-and-forward operation: it stores the uplink message from the terminal device and, after the communication link between the base station and the core network is restored, sends the stored uplink message to the core network.
- the present application provides a secure communication method, device and communication system, which can reduce potential security risks and improve network communication security.
- a secure communication method is provided.
- the method is applied to the network device side, for example, the method can be executed by the network device, or it can also be executed by a chip or circuit in the network device, or it can also be executed by a functional module in the network device that can call and execute a program, or it can also be executed by a centralized unit (CU) or a distributed unit (DU) in the network device.
- CU centralized unit
- DU distributed unit
- the method includes: during the session establishment process of the terminal device, the network device determines whether to activate the integrity security protection of the session based on first information, where the first information indicates whether the network device supports store-and-forward operations and the session is used to transmit data between the terminal device and the core network; the network device then sends first integrity security protection indication information to the terminal device, which indicates the activation result.
- the activation result is used to indicate whether to activate integrity security protection of the session, or in other words, the activation result is used to indicate whether to activate integrity security protection of one or more data radio bearers (DRBs) corresponding to the session.
- the activation result includes activating integrity security protection of the session, or not activating integrity security protection of the session.
- the first information may also be used to indicate whether the network device is configured to enable a store-and-forward operation, and/or the first information may also be used to indicate whether the network device is deployed on a satellite.
- the network equipment is deployed on the satellite, which can be understood as the network equipment (such as a base station) being physically deployed on the satellite, or the network equipment (such as a base station) and the satellite being co-located.
- the satellite has the capabilities of the network equipment; for example, the satellite supports the store-and-forward operation of the network equipment.
- the integrity security protection of the session is turned on or activated to the maximum extent possible, so that the data subsequently received by the network device is protected by integrity security as much as possible.
- This matters in the scenario where the communication link (such as a feeder link) between the network device and the core network is disconnected:
- the network device then stores only user-plane data that has passed the integrity check, which mitigates the risk of denial-of-service (DoS) attacks against its store-and-forward buffer while preserving the security of network communication.
- a network device determines whether to activate integrity security protection for a session based on first information, including: when the first information indicates that the network device supports store-and-forward operations, the network device determines to activate integrity security protection for the session; and/or when the first information indicates that the network device does not support store-and-forward operations, the network device determines not to activate integrity security protection for the session.
- in other words, when the network device supports store-and-forward operations it activates the integrity security protection of the session; when it does not support store-and-forward operations it does not activate the integrity security protection of the session, or it activates or does not activate it according to the user plane integrity security policy.
- the process before a network device determines whether to activate integrity security protection for a session based on first information, the process includes: the network device obtains a user plane integrity security policy corresponding to the session, where the user plane integrity security policy is used to indicate whether integrity security protection is activated for the session; the network device determines whether to activate integrity security protection for the session based on the first information, including: the network device determines whether to activate integrity security protection for the session based on the first information and the user plane integrity security policy.
- the network device determines whether to activate the integrity security protection of the session according to the first information, and can also consider the user plane integrity security policy in addition, and turn on or activate the integrity security protection of the session as much as possible, so that the user plane data received by the network device is protected by integrity security to the greatest extent.
- when the feeder link is disconnected, only user plane data that has passed the integrity check is stored, which both alleviates the potential risk of denial-of-service (DoS) attacks and ensures the security of network communications.
- a network device determines whether to activate integrity security protection for a session based on first information and a user plane integrity security policy, including: when the first information indicates that the network device does not support store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is activated or optionally activated for the session, the network device determines to activate integrity security protection for the session; and/or when the first information indicates that the network device does not support store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is not activated for the session, the network device determines not to activate integrity security protection for the session.
- the network device determines whether to activate the integrity security protection of the session. It can be based on the user plane integrity security policy, or it can be based on whether the network device supports the store-and-forward operation.
- the integrity security protection of the session is turned on or activated to the maximum extent, so that the user plane data received by the network device is protected by integrity security to the greatest extent. In the scenario where the feeder link is disconnected, only the user plane data that has passed the integrity check is stored, which not only alleviates the potential risk of denial of service DoS attacks, but also ensures the security of network communications.
- a network device determines whether to activate integrity security protection for a session based on first information and a user plane integrity security policy, including: when the first information indicates that the network device supports store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is activated or optionally activated for the session, the network device determines to activate integrity security protection for the session; and/or when the first information indicates that the network device supports store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is not activated for the session, the network device still determines to activate integrity security protection for the session.
- in both cases, therefore, the network device determines to activate the integrity security protection of the session: store-and-forward support decides, and the integrity security protection of the session is turned on to the maximum extent, so that user plane data received by the network device is integrity protected as far as possible. In the scenario where the feeder link is disconnected, only user plane data that passes the integrity check is stored, which both alleviates the potential risk of DoS attacks and ensures the security of network communications.
- a secure communication method is provided.
- the method is applied to the terminal device side, for example, the method can be executed by the terminal device, or it can also be executed by a chip or circuit in the terminal device, or it can also be executed by a functional module in the terminal device that can call and execute a program.
- This application does not limit this.
- a terminal device such as a user equipment (UE)
- UE user equipment
- the method includes: during the session establishment process of the terminal device, the terminal device receives first integrity security protection indication information from the network device, the first integrity security protection indication information is used to indicate whether to activate the integrity security protection of the session, the first integrity security protection indication information is determined based on the first information, and the first information is used to indicate whether the network device supports the store-and-forward operation; the terminal device performs an integrity check on the first integrity security protection indication information, and the session is used to transmit data between the terminal device and the core network; when the integrity check passes, the terminal device determines whether to activate the integrity security protection of the session based on the first integrity security protection indication information.
- the method further includes: the terminal device performs an integrity check on the first integrity security protection indication information. Further, if the integrity check passes, the terminal device determines whether to activate the integrity security protection of the session according to the first integrity security protection indication information.
- the first integrity security protection indication information is used to indicate whether to activate the integrity security protection of the session, which can be understood as: the first integrity security protection indication information is used to indicate the activation result, and the activation result is used to indicate whether to activate the integrity security protection of the session.
- when the first information indicates that the network device supports store-and-forward operations, the first integrity security protection indication information indicates that integrity security protection of the session is activated; and/or, when the first information indicates that the network device does not support store-and-forward operations, the first integrity security protection indication information indicates that integrity security protection of the session is not activated.
- the first integrity security protection indication information is determined according to the first information and a user plane integrity security policy, wherein the user plane integrity security policy is used to indicate whether integrity security protection is activated for the session.
- when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection is activated or optionally activated for the session, the first integrity security protection indication information indicates activation of integrity security protection for the session; and/or, when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection is not activated for the session, the first integrity security protection indication information indicates that integrity security protection is not activated for the session.
- when the first information indicates that the network device supports store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is activated or optionally activated for the session, the first integrity security protection indication information indicates activation of integrity security protection for the session; and/or, when the first information indicates that the network device supports store-and-forward operations and the user plane integrity security policy indicates that integrity security protection is not activated for the session, the first integrity security protection indication information still indicates activation of integrity security protection for the session.
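The network-side decision (first information alone, or first information together with the user plane integrity security policy) and the terminal-side check of the indication, as an added example that is not part of the patent: a Python model of one session-establishment exchange in which the base station decides, sends the indication integrity-protected on the signalling bearer, and the UE verifies the MAC-I before acting, rejecting a tampered indication. The wire encoding, the function and class names, the test key and the use of HMAC-SHA256 truncated to 32 bits in place of the NR integrity algorithms (NIA) are assumptions. One caveat for practitioners: under 3GPP TS 33.501 a gNB does not activate user plane integrity when the SMF policy is NOT NEEDED, so the rule modelled here deliberately overrides standard behaviour whenever store-and-forward is supported.

```python
import hashlib
import hmac
import struct
from enum import Enum
from typing import Optional, Tuple

# Constructed test key standing in for K_RRCint (assumption: 128-bit key).
K_RRC_INT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SRB1 = 1        # bearer identity of the signalling bearer carrying the indication
DOWNLINK = 1


class UpIntegrityPolicy(Enum):
    """User plane integrity security policy in the page's wording
    (3GPP TS 33.501 equivalents: REQUIRED / PREFERRED / NOT NEEDED)."""
    ACTIVATED = "activated"
    OPTIONALLY_ACTIVATED = "optionally activated"
    NOT_ACTIVATED = "not activated"


def decide_integrity(supports_store_and_forward: bool,
                     policy: Optional[UpIntegrityPolicy]) -> bool:
    """Network-device decision: activate session integrity protection or not.

    Store-and-forward support is decisive: a base station that will buffer
    uplink data while its feeder link is down activates integrity protection
    even when the policy says 'not activated'. Otherwise the policy decides,
    and with no policy available the session stays unprotected.
    """
    if supports_store_and_forward:
        return True
    if policy is None:
        return False
    return policy is not UpIntegrityPolicy.NOT_ACTIVATED


def mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """32-bit MAC-I over the NIA-style inputs (COUNT, BEARER, DIRECTION, message).
    Assumption: HMAC-SHA256 truncated to four bytes stands in for NIA1/2/3."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + message, hashlib.sha256).digest()[:4]


def encode_indication(activate: bool) -> bytes:
    """Constructed wire form of the first integrity security protection indication."""
    return b"UP-INTEGRITY:" + (b"activated" if activate else b"not-activated")


def network_send_indication(supports_store_and_forward: bool,
                            policy: Optional[UpIntegrityPolicy],
                            count: int) -> Tuple[bytes, bytes]:
    """gNB side: decide during session establishment, then send the result
    integrity-protected on SRB1 so the UE can detect tampering."""
    activate = decide_integrity(supports_store_and_forward, policy)
    message = encode_indication(activate)
    return message, mac_i(K_RRC_INT, count, SRB1, DOWNLINK, message)


def ue_receive_indication(message: bytes, received_mac: bytes,
                          count: int) -> Optional[bool]:
    """UE side: check integrity before acting. Returns the activation decision,
    or None when the MAC-I does not verify (the indication is ignored)."""
    expected = mac_i(K_RRC_INT, count, SRB1, DOWNLINK, message)
    if not hmac.compare_digest(expected, received_mac):
        return None
    if message == encode_indication(True):
        return True
    if message == encode_indication(False):
        return False
    return None  # MAC-I verified but the content is not a known indication


def run_exchange(supports_store_and_forward: bool,
                 policy: Optional[UpIntegrityPolicy],
                 tamper: bool = False) -> Optional[bool]:
    """One session-establishment exchange; with tamper=True an on-path attacker
    flips the indication after the gNB has computed the MAC-I."""
    count = 7  # PDCP COUNT of the RRC message (constructed)
    message, mac = network_send_indication(supports_store_and_forward, policy, count)
    if tamper:
        message = encode_indication(not message.endswith(b":activated"))
    return ue_receive_indication(message, mac, count)


if __name__ == "__main__":
    for saf in (True, False):
        for pol in (*UpIntegrityPolicy, None):
            print(f"store-and-forward={saf!s:5} policy={pol}: activate={run_exchange(saf, pol)}")
    print("tampered indication accepted:", run_exchange(True, None, tamper=True))
```

The tamper case is the reason the page insists on the UE checking the indication first: an attacker who can flip "activated" to "not-activated" on the air interface would otherwise talk the UE into sending unprotected uplink data that the base station would then refuse to buffer.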
- a secure communication method is provided.
- the method is applied to the network device side, for example, the method can be executed by the network device, or it can also be executed by a chip or circuit in the network device, or it can also be executed by a functional module in the network device that can call and execute a program, or it can also be executed by a CU or DU in the network device.
- This application is not limited to this.
- the following is an example of execution by a network device (such as a base station) for explanation.
- the method includes: during the session establishment process of the terminal device, the network device obtains the user plane integrity security policy corresponding to the session, the user plane integrity security policy is used to indicate whether the session activates integrity security protection, and the session is used to transmit data between the terminal device and the core network; the network device determines first integrity security protection indication information according to the user plane integrity security policy, the first integrity security protection indication information is used to indicate whether to activate the integrity security protection of the first DRB, the session corresponds to the first DRB, and the first DRB is used to carry data between the terminal device and the network device; according to the first integrity security protection indication information, the integrity security protection of the first DRB is activated or not activated; in the case of a first link disconnection, the network device determines whether to release the first DRB according to whether the integrity security protection of the first DRB is activated, or the network device determines whether to modify the integrity security protection status of the first DRB according to whether the integrity security protection of the first DRB is activated, and the first link is a link between the network device and
- the first link may be a feeder link.
- the network device may also determine whether to release the first DRB based on the first integrity security protection indication information, or the network device may determine whether to modify the integrity security protection status of the first DRB based on the first integrity security protection indication information.
- the network device determines whether to release the first DRB based on the user plane integrity security policy, or modifies the integrity security protection state of the first DRB to an activated state, so that the user plane data subsequently received by the network device is all protected by integrity security.
- in the scenario where the feeder link is disconnected, the satellite base station stores only user plane data that has passed the integrity check, which alleviates potential DoS risks and ensures network communication security.
- the network device determines whether to release the first DRB based on whether the integrity security protection of the first DRB is activated, including: if the integrity security protection of the first DRB is not activated, the network device determines to release the first DRB.
- the network device determines whether to modify the integrity security protection state of the first DRB based on whether the integrity security protection of the first DRB is activated, including: when the integrity security protection of the first DRB is not activated, the network device determines to modify the integrity security protection state of the first DRB to an activated state.
- the method also includes: when the first link resumes connection, the network device sends a second message to the terminal device, the second message is used to instruct the terminal device to establish a second DRB, the second message includes second integrity security protection indication information, the second integrity security protection indication information is used to indicate that the second DRB does not activate integrity security protection, and the second DRB is used to carry data between the terminal device and the network device.
- the second DRB is the first DRB
- the method further includes: the network device stores an identifier of the first DRB; and/or the network device records that the integrity security protection state of the first DRB before modification is in an inactivated state; wherein the second message includes the identifier of the first DRB, and/or the second integrity security protection indication information carried in the second message is determined based on the integrity security protection state of the first DRB before modification being in an inactivated state.
- the second DRB can be a DRB re-established between the terminal device and the network device, or it can be a first DRB determined based on the identifier of the first DRB.
- the present application does not limit when the network device stores the identifier of the first DRB, and/or when it records that the integrity security protection state of the first DRB before modification was inactive. This implementation is intended to allow normal communication between the terminal device and the network device to continue afterwards.
- the network device can determine not to activate or enable the integrity security protection of the second DRB based on the record that the integrity security protection state of the first DRB before modification is in an inactive state.
- the network device can also determine not to activate or enable the integrity security protection of the second DRB based on the user plane integrity security policy of the session, which is not limited in this application.
- the method also includes: the network device receives first data from the terminal device through the first DRB; when the first integrity security protection indication information indicates activation of the integrity security protection of the first DRB, the network device performs an integrity check on the first data; if the integrity check passes and the first link is disconnected, the network device stores the first data; or, if the integrity check fails, the network device does not store the first data, or the network device discards the first data.
- the method before storing the first data, the method further includes: if the integrity check passes, determining whether the first link is disconnected.
- the method before performing integrity check on the first data, the method further includes: determining whether the first link is disconnected.
- the present application does not limit the execution order of determining whether the first link is disconnected and determining whether the integrity check of the first data is required.
- the network device can determine whether the first link is disconnected by checking whether it is communicating normally with the core network. For example, the satellite carrying the network device has moved out of view of the ground gateway station, so the gateway station cannot receive its signal; or the communication conditions between the network device and the core network have deteriorated, for example because of bad weather, or because the signal quality has fallen below a threshold;
- the method also includes: the network device receives first data from the terminal device through the first DRB; when the first integrity security protection indication information indicates that the first DRB does not activate integrity security protection and the first link is disconnected, the network device does not perform integrity verification on the first data, or the network device discards the first data.
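The feeder-link handling described above, from the decision to release or modify an unprotected DRB through the second message after reconnection, as an added example that is not from the patent: a Python model of the satellite base station. When the feeder link drops it releases, or switches to the activated state, every DRB without integrity protection; during the outage it verifies the MAC-I of each uplink PDU and buffers only the ones that pass, so a flood of forged PDUs is discarded rather than filling the store-and-forward buffer; when the link returns it re-establishes the DRBs with integrity not activated, from its record of the pre-modification state, and forwards the verified backlog. The MAC construction, the key, and all class, method and message names are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

K_UP_INT = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed K_UPint (assumption)
UPLINK = 0


def mac_i(key: bytes, count: int, bearer: int, direction: int, payload: bytes) -> bytes:
    """32-bit MAC-I; HMAC-SHA256 truncated to four bytes stands in for NIA (assumption)."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:4]


@dataclass
class Drb:
    drb_id: int
    integrity_active: bool
    state_before_modification: Optional[bool] = None  # recorded when forced to 'activated'


@dataclass
class SatelliteGnb:
    drbs: Dict[int, Drb]
    feeder_link_up: bool = True
    stored: List[Tuple[int, int, bytes]] = field(default_factory=list)  # verified backlog
    released: List[int] = field(default_factory=list)  # DRB identifiers kept for re-establishment
    forwarded: int = 0
    discarded: int = 0

    def on_feeder_link_lost(self, release: bool) -> List[Tuple[int, str]]:
        """First message to the UE: release, or switch to 'activated', every DRB
        that has no integrity protection, so nothing unverifiable is buffered."""
        self.feeder_link_up = False
        actions = []
        for drb in list(self.drbs.values()):
            if drb.integrity_active:
                continue
            if release:
                self.released.append(drb.drb_id)
                del self.drbs[drb.drb_id]
                actions.append((drb.drb_id, "release"))
            else:
                drb.state_before_modification = False
                drb.integrity_active = True
                actions.append((drb.drb_id, "modify to activated"))
        return actions

    def on_uplink_pdu(self, drb_id: int, count: int, payload: bytes, received_mac: bytes) -> str:
        """Buffer space is spent only on PDUs whose MAC-I verified."""
        drb = self.drbs.get(drb_id)
        if drb is None:
            self.discarded += 1
            return "discarded"
        if drb.integrity_active:
            expected = mac_i(K_UP_INT, count, drb_id, UPLINK, payload)
            if not hmac.compare_digest(expected, received_mac):
                self.discarded += 1  # failed check: neither stored nor forwarded
                return "discarded"
            if not self.feeder_link_up:
                self.stored.append((drb_id, count, payload))
                return "stored"
        elif not self.feeder_link_up:
            self.discarded += 1  # unprotected DRB during the outage: not buffered
            return "discarded"
        self.forwarded += 1
        return "forwarded"

    def on_feeder_link_restored(self) -> List[Tuple[int, str]]:
        """Second message: bring the DRBs back with integrity 'not activated',
        as recorded, then forward the verified backlog to the core network."""
        self.feeder_link_up = True
        second = []
        for drb_id in self.released:
            self.drbs[drb_id] = Drb(drb_id, integrity_active=False)
            second.append((drb_id, "establish, integrity not activated"))
        self.released.clear()
        for drb in self.drbs.values():
            if drb.state_before_modification is False:
                drb.integrity_active, drb.state_before_modification = False, None
                second.append((drb.drb_id, "establish, integrity not activated"))
        self.forwarded += len(self.stored)
        self.stored.clear()
        return second


def scenario(release_unprotected: bool) -> dict:
    """Constructed run: DRB 1 protected, DRB 2 unprotected; the feeder link drops,
    an attacker floods DRB 1 with forged PDUs, one genuine PDU and one PDU on
    DRB 2 arrive, then the link returns."""
    gnb = SatelliteGnb(drbs={1: Drb(1, True), 2: Drb(2, False)})
    first = gnb.on_feeder_link_lost(release=release_unprotected)
    forged = {gnb.on_uplink_pdu(1, c, b"junk", b"\x00\x00\x00\x00") for c in range(10)}
    genuine = gnb.on_uplink_pdu(1, 10, b"sensor-reading",
                                mac_i(K_UP_INT, 10, 1, UPLINK, b"sensor-reading"))
    on_drb2 = gnb.on_uplink_pdu(2, 0, b"data", b"")
    buffered = len(gnb.stored)
    second = gnb.on_feeder_link_restored()
    return {"first_message": first, "forged": forged, "genuine": genuine, "on_drb2": on_drb2,
            "buffered": buffered, "second_message": second,
            "forwarded": gnb.forwarded, "discarded": gnb.discarded}
```

Run `scenario(True)` for the release variant and `scenario(False)` for the modify variant: in both, the ten forged PDUs are discarded without touching the buffer, the one genuine PDU is the only thing stored, the PDU on DRB 2 is dropped (the bearer is gone, or now requires a MAC-I the sender did not supply), and after reconnection DRB 2 comes back with integrity not activated while the single verified PDU is forwarded.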
- a secure communication method is provided.
- the method is applied to a terminal device side, for example, the method can be executed by the terminal device, or it can also be executed by a chip or circuit in the terminal device, or it can also be executed by a functional module in the terminal device that can call and execute a program.
- This application is not limited to this.
- the following is an example of execution by a terminal device (such as a UE).
- the method includes: when the first link is disconnected, the terminal device receives a first message from the network device, the first message indicating the release result or modification result of the first DRB, where the release result indicates whether to release the first DRB, the modification result indicates whether to modify the integrity security protection status of the first DRB, the release result or modification result is determined according to whether the integrity security protection of the first DRB is activated, the first DRB is used to carry data between the terminal device and the network device, and the first link is a link between the network device and the core network; the terminal device then determines whether to release the first DRB according to the release result, or whether to modify the integrity security protection status of the first DRB according to the modification result.
- whether the integrity security protection of the first DRB is activated is determined according to the user plane integrity security policy.
- the method further includes: the terminal device performs an integrity check on the first message, and only if the integrity check passes does it determine whether to release the first DRB according to the release result, or whether to modify the integrity security protection state of the first DRB according to the modification result.
- the release result indicates the release of the first DRB.
- the modification result indicates that the integrity security protection state of the first DRB is modified to an activated state.
- the method also includes: when the first link restores connection, the terminal device receives a second message from the network device, the second message is used to indicate the establishment of a second DRB, the second message includes second integrity security protection indication information, the second integrity security protection indication information is used to indicate that the second DRB does not activate integrity security protection, the second DRB is used to carry data between the terminal device and the network device, and the first link is a link between the network device and the core network.
- a secure communication method may be executed by a session management network element, or may be executed by a chip or circuit in the session management network element, or may be executed by a functional module in the session management network element that can call and execute a program.
- This application does not limit this.
- the following is an example of execution by a session management network element.
- the method includes: during the session establishment process of the terminal device, the session management network element obtains indication information, the indication information is used to indicate that the network device is deployed on the satellite; the session management network element determines the user plane integrity security policy corresponding to the session according to the indication information, the user plane integrity security policy is used to indicate the session activation or optional activation of integrity security protection; the session management network element sends the user plane integrity security policy to the network device.
- the indication information is further used to indicate that the network device supports a store-and-forward operation.
- the method also includes: the session management network element obtains subscription information, the subscription information indicating whether the terminal device has subscribed to a store-and-forward operation service; the session management network element determining a user plane integrity security policy based on the indication information then includes: the session management network element determines the user plane integrity security policy based on the indication information and the subscription information.
- the session management network element determines a user plane integrity security policy according to the subscription information.
- the session management network element determines a user plane integrity security policy based on the indication information and the subscription information, including: when the subscription information indicates that the terminal device has subscribed to a store-and-forward operation service, the session management network element determines an integrity security policy to indicate that the session activates integrity security protection.
- a communication device such as a network device.
- the communication device includes: a processing unit, used to determine whether to activate integrity security protection of a session according to first information during a session establishment process of a terminal device, the first information being used to indicate whether the network device supports a store-and-forward operation; and a transceiver unit, used to send first integrity security protection indication information to the terminal device, the first integrity security protection indication information being used to indicate an activation result.
- the transceiver unit can perform the reception and transmission processing in the aforementioned first aspect, and the processing unit can perform other processing except reception and transmission in the aforementioned first aspect.
- a communication device such as a terminal device.
- the communication device includes: a transceiver unit, configured to receive first integrity security protection indication information from a network device during a session establishment process of the terminal device, the first integrity security protection indication information being used to indicate whether to activate integrity security protection of the session, the first integrity security protection indication information being determined based on first information, the first information being used to indicate whether the network device supports a store-and-forward operation; a processing unit, configured to perform an integrity check on the first integrity security protection indication information; and the processing unit is further configured to determine whether to activate integrity security protection of the session based on the first integrity security protection indication information when the integrity check passes.
- the transceiver unit can perform the reception and transmission processing in the aforementioned second aspect, and the processing unit can perform other processing except reception and transmission in the aforementioned second aspect.
- a communication device such as a network device.
- the communication device includes: a transceiver unit, which is used to obtain a user plane integrity security policy corresponding to a session during a session establishment process of a terminal device, and the user plane integrity security policy is used to indicate whether integrity security protection is activated for the session; a processing unit, which is used to determine first integrity security protection indication information according to the user plane integrity security policy, and the first integrity security protection indication information is used to indicate whether to activate integrity security protection of a first DRB, and the session corresponds to a first data radio bearer DRB; the processing unit is also used to determine whether to release the first DRB according to whether the integrity security protection of the first DRB is activated when the first link is disconnected, or to determine whether to modify the integrity security protection state of the first DRB according to whether the integrity security protection of the first DRB is activated, and the first link is a link between the network device and the core network; the transceiver unit is also used to send a first message to the terminal device
- the transceiver unit can perform the receiving and sending processing in the third aspect, and the processing unit can perform other processing except receiving and sending in the third aspect.
- a communication device such as a terminal device.
- the communication device includes: a transceiver unit, which is used to receive a first message from a network device when the first link is disconnected, the first message is used to indicate the release result or modification result of the first DRB, the first DRB is used to carry data between the terminal device and the network device, the release result is used to indicate whether to activate the first DRB, the modification result is used to indicate whether to modify the integrity security protection state of the first DRB, and the release result or modification result is determined according to whether the integrity security protection of the first DRB is activated; a processing unit, which is used to perform an integrity check on the first message; the processing unit is also used to determine whether to release the first DRB according to the release result when the integrity check passes, or to determine whether to modify the integrity security protection state of the first DRB according to the modification result.
- whether the integrity security protection of the first DRB is activated is determined according to the user plane integrity security policy.
- the transceiver unit can perform the receiving and sending processing in the fourth aspect, and the processing unit can perform other processing except receiving and sending in the fourth aspect.
- a communication device such as a session management network element.
- the communication device includes: a transceiver unit, used to receive indication information during the session establishment process of a terminal device, the indication information is used to indicate that a network device is deployed on a satellite; a processing unit, used to determine a user plane integrity security policy according to the indication information, the user plane integrity security policy is used to indicate session activation or optional activation of integrity security protection; the transceiver unit is also used to send the user plane integrity security policy to the network device.
- the transceiver unit can perform the receiving and sending processing in the fifth aspect, and the processing unit can perform other processing except receiving and sending in the fifth aspect.
- In an eleventh aspect, a communication device is provided, which includes a transceiver, a processor, and a memory, wherein the processor is used to control the transceiver to send and receive signals, the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that the communication device performs the method in any possible implementation of the first to fifth aspects above.
- there are one or more processors and one or more memories.
- the memory may be integrated with the processor, or the memory may be provided separately from the processor.
- the communication device further includes a transmitter (transmitter) and a receiver (receiver).
- In a twelfth aspect, a communication system is provided, which includes a network device and a session management network element, wherein the network device is used to execute the method in the first aspect or the third aspect and any possible implementation thereof, and the session management network element is used to execute the method in any possible implementation of the fifth aspect.
- the communication system further includes a terminal device, wherein the terminal device is used to execute the method in the above-mentioned second aspect or fourth aspect and any possible implementation manner thereof.
- a computer-readable storage medium stores computer program code or instructions, and when the computer program code or instructions are executed, the method in any possible implementation of the first to fifth aspects is executed.
- In a fourteenth aspect, a chip is provided, which includes at least one processor, the at least one processor is coupled to a memory, the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that a communication device equipped with the chip system performs the method in any possible implementation of the first to fifth aspects above.
- the chip may include an input circuit or interface for sending information or data, and an output circuit or interface for receiving information or data.
- a computer program product which includes: a computer program code, and when the computer program code is executed, the method in any possible implementation manner of the first to fifth aspects is executed.
- a computer program is provided, and when the computer program is executed, the method in any possible implementation manner of the first to fifth aspects is executed.
- the technical effects of the technical solutions of the sixth to sixteenth aspects can refer to the description of the corresponding technical effects of the first to fifth aspects and will not be repeated here.
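The decision chain described in the aspects above (the SMF choosing a user plane integrity policy from the satellite indication, the network device deriving DRB integrity activation from its store-and-forward capability, the release-or-keep decision when the link to the core network drops, and the terminal acting on the first message only after its integrity check passes), as an added illustrative model that is not the patent's or 3GPP's code. The function names, the promotion of "not needed" to "preferred" on a satellite node, the mapping of "preferred" plus store-and-forward to activation, the keep-if-protected release rule and the truncated HMAC-SHA256 standing in for a NIA algorithm are all assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum


class UpIntegrityPolicy(Enum):
    """User plane integrity security policy the SMF hands to the network device."""
    REQUIRED = "required"      # integrity must be activated for the session
    PREFERRED = "preferred"    # activation is optional, left to the network device
    NOT_NEEDED = "not_needed"  # integrity is not activated


class DrbAction(Enum):
    KEEP = "keep"        # DRB stays up; data buffered on the satellite stays protected
    RELEASE = "release"  # DRB is released while the feeder link is down


def smf_select_policy(network_on_satellite: bool,
                      subscribed: UpIntegrityPolicy) -> UpIntegrityPolicy:
    """SMF side: when the indication says the network device is deployed on a
    satellite, the policy is 'required' or 'preferred', never 'not needed'.
    Promoting NOT_NEEDED to PREFERRED (rather than REQUIRED) is an assumption."""
    if network_on_satellite and subscribed is UpIntegrityPolicy.NOT_NEEDED:
        return UpIntegrityPolicy.PREFERRED
    return subscribed


def gnb_decide_activation(policy: UpIntegrityPolicy,
                          supports_store_and_forward: bool) -> bool:
    """Network device side: the first integrity indication for the DRB is derived
    from the policy and from whether the node supports store-and-forward.
    Resolving PREFERRED in favour of activation on such a node is an assumption:
    a node that holds user data while disconnected wants that data protected."""
    if policy is UpIntegrityPolicy.REQUIRED:
        return True
    if policy is UpIntegrityPolicy.PREFERRED:
        return supports_store_and_forward
    return False


def gnb_on_feeder_link_down(integrity_active: bool) -> DrbAction:
    """Network device side, link to the core network disconnected: a DRB whose
    stored data would carry no integrity protection is released (assumed mapping)."""
    return DrbAction.KEEP if integrity_active else DrbAction.RELEASE


@dataclass(frozen=True)
class FirstMessage:
    drb_id: int
    count: int      # per-direction counter covered by the MAC, like a PDCP COUNT
    release: bool   # the release result carried by the message
    mac: bytes


def _mac(key: bytes, drb_id: int, count: int, release: bool) -> bytes:
    # HMAC-SHA256 truncated to 32 bits stands in for a 3GPP NIA algorithm (assumption).
    data = struct.pack(">BIB", drb_id, count, int(release))
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


def gnb_build_first_message(key: bytes, drb_id: int, count: int,
                            action: DrbAction) -> FirstMessage:
    release = action is DrbAction.RELEASE
    return FirstMessage(drb_id, count, release, _mac(key, drb_id, count, release))


def ue_handle_first_message(key: bytes, msg: FirstMessage, drbs: dict) -> bool:
    """Terminal device side: the release result is applied only after the
    integrity check passes; a failed check leaves the DRB table untouched."""
    expected = _mac(key, msg.drb_id, msg.count, msg.release)
    if not hmac.compare_digest(expected, msg.mac):
        return False
    if msg.release:
        drbs.pop(msg.drb_id, None)
    return True


def run_scenario(network_on_satellite: bool, subscribed: UpIntegrityPolicy,
                 supports_saf: bool, tamper: bool = False):
    """End to end: policy -> activation -> link-down decision -> protected message -> UE.
    Returns (policy, integrity_active, action, message_accepted, remaining_drb_ids)."""
    key = b"\x01" * 16  # constructed shared integrity key for this example only
    policy = smf_select_policy(network_on_satellite, subscribed)
    active = gnb_decide_activation(policy, supports_saf)
    action = gnb_on_feeder_link_down(active)
    msg = gnb_build_first_message(key, drb_id=1, count=7, action=action)
    if tamper:  # flip the release result in transit without recomputing the MAC
        msg = FirstMessage(msg.drb_id, msg.count, not msg.release, msg.mac)
    drbs = {1: {"integrity": active}}
    accepted = ue_handle_first_message(key, msg, drbs)
    return policy, active, action, accepted, sorted(drbs)


if __name__ == "__main__":
    print(run_scenario(True, UpIntegrityPolicy.NOT_NEEDED, True))
    print(run_scenario(True, UpIntegrityPolicy.NOT_NEEDED, False, tamper=True))
```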
- FIG1 is a schematic diagram of a communication system applicable to an embodiment of the present application.
- FIG2 is a schematic diagram of another communication system applicable to an embodiment of the present application.
- FIG3 is a schematic flow chart of a method for establishing a session of a terminal device.
- FIG4 is a schematic flow chart of a communication method provided in an embodiment of the present application.
- FIG5 is a schematic flow chart of another communication method provided in an embodiment of the present application.
- FIG6 is a schematic flow chart of another communication method provided in an embodiment of the present application.
- FIG7 is a schematic flow chart of another communication method provided in an embodiment of the present application.
- FIG8 is a schematic flow chart of another communication method provided in an embodiment of the present application.
- FIG9 is a schematic flow chart of another communication method provided in an embodiment of the present application.
- FIG10 is a schematic block diagram of a communication device provided in an embodiment of the present application.
- FIG11 is a schematic block diagram of another communication device provided in an embodiment of the present application.
- the technical solution of the present application can be applied to satellite communication systems, high altitude platform station (HAPS) communications and other non-terrestrial network (NTN) systems, for example, integrated communication and navigation (ICaN) systems, global navigation satellite systems (GNSS), etc.
- Satellite communication systems can be integrated with traditional mobile communication systems.
- the mobile communication system can be a 5G or NR system, a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), etc.
- the technical solution provided in this application can also be applied to future communication systems, such as the sixth generation (6G) mobile communication system.
- the technical solution provided in this application can also be applied to device to device (D2D) communication, vehicle to everything (V2X) communication, machine to machine (M2M) communication, machine type communication (MTC), Internet of things (IoT) communication system, non-terrestrial network (NTN) communication system or other communication systems.
- Fig. 1 is a schematic diagram of a communication system applicable to an embodiment of the present application.
- the architecture 100 may include a terminal device 110, a network device 120, a core network (CN) 130, and an external network 140.
- the terminal device 110 may be referred to as a user equipment UE.
- the terminal device 110 in the present application is a device with wireless transceiver functions, which can communicate with one or more CN 130 through the network device 120.
- the terminal device 110 may also be referred to as an access terminal, a terminal, a user unit, a user station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a user agent or a user device, etc.
- the terminal device 110 may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it may also be deployed on the water surface (such as a ship, etc.); it may also be deployed in the air (such as an airplane, a balloon, and a satellite, etc.).
- the terminal device 110 may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a smart phone, a mobile phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), etc.
- the terminal device 110 may also be a handheld device with wireless communication function, a computing device or other device connected to a wireless modem, an in-vehicle device, a wearable device, an unmanned aerial vehicle (UAV) device or a terminal in the Internet of Things or Internet of Vehicles, a terminal in any form in a 5G network and future networks, a relay user device or a terminal in a future evolved 6G network, etc.
- the relay user device may be, for example, a 5G residential gateway (RG).
- the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
- the terminal device 110 may also be a terminal device such as a logical entity, a smart device (such as a mobile phone), a smart terminal, or a communication device such as a server, a gateway, a base station, a controller, or an IoT device such as an IoT device, a sensor, an electric meter, a water meter, etc.
- the device for realizing the function of the terminal device can be the terminal device, or it can be a device that can support the terminal device to realize the function, such as a chip system or a chip, which can be installed in the terminal device.
- the chip system can be composed of a chip, or it can include a chip and other discrete devices.
- the network device 120 may be any device with a wireless transceiver function for communicating with a terminal device.
- the network device may also be referred to as an access network device or a wireless access network device, such as a base station.
- the network device in the embodiment of the present application may refer to a radio access network (RAN) node (or RAN device, or RAN entity) that connects the terminal device to a wireless network.
- RAN may be regarded as a subnetwork of an operator network, and is an implementation system between a service node in the operator network and the terminal device 110. For example, if the terminal device 110 wants to access the operator network, it first passes through the network device 120, and then can connect to the service node of the operator network through the network device 120.
- the above-mentioned RAN may be a cellular system related to the third generation partnership project (3GPP), such as a 5G mobile communication system, or a future-oriented evolution system (such as a 6G mobile communication system).
- RAN may also be an open radio access network (open RAN, O-RAN or ORAN), a cloud radio access network (cloud radio access network, CRAN), or a wireless fidelity (WiFi) system.
- RAN can also be a communication system that integrates two or more of the above systems.
- the network device 120 includes, but is not limited to: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in LTE, a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (e.g., home evolved node B, or home node B, HNB), a base band unit (BBU), a transmission point (TRP), a transmitting point (TP), a small base station device (pico), a mobile switching center, or a network device in a future network.
- the above-mentioned device providing wireless communication function for the terminal device 110 is collectively referred to as access network equipment or RAN or AN for short. It should be understood that the specific type of access network equipment is not limited herein.
- the RAN node can be a CU, DU, central unit-control plane (CU-CP), central unit-user plane (CU-UP), or radio unit (RU).
- the CU and DU can be set separately, or they can also be included in the same network element, such as the BBU.
- the functions of the RU can be implemented by the radio frequency equipment of the base station.
- the radio frequency equipment of the base station can be a remote radio unit (RRU), a pico remote radio unit (pRRU), an active antenna unit (AAU), or other units, modules or devices with radio frequency processing functions.
- the communication interface protocol between the BBU and the radio frequency equipment can be the common public radio interface (CPRI) interface protocol, the enhanced common public radio interface (eCPRI) interface protocol, or the fronthaul interface protocol between the DU and RU in the O-RAN system, etc., without restriction.
- the CU (or the CU-CP and CU-UP), the DU and the RU may also have different names, but those skilled in the art can understand their meanings.
- for example, the CU may also be called an O-CU (open CU), the DU may also be called an O-DU, the CU-CP may also be called an O-CU-CP, the CU-UP may also be called an O-CU-UP, and the RU may also be called an O-RU.
- Any unit in the CU (or CU-CP, CU-UP), DU and RU in this application may be implemented by a software module, a hardware module, or a combination of a software module and a hardware module.
- CU, CU-CP, CU-UP, DU and RU are used as examples for description in this application.
- the network device 120 may be fixed or mobile.
- a helicopter or drone may be configured to act as a mobile base station, and one or more cells may move according to the location of the mobile base station.
- a helicopter or drone may be configured to act as a device that communicates with another base station.
- the device for implementing the function of the access network device may be a network device, or a device capable of supporting the access network device to implement the function, such as a chip system or a chip, which may be installed in the access network device.
- the chip system may be composed of a chip, or may include a chip and other discrete devices.
- Network devices and terminal devices can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on the water; they can also be deployed on aircraft, balloons and satellites in the air.
- the scenarios in which network devices and terminal devices are located are not limited in the embodiments of the present application.
- terminal devices and network devices can be hardware devices, or they can be software functions running on dedicated hardware, software functions running on general-purpose hardware, such as virtualization functions instantiated on a platform (e.g., a cloud platform), or entities including dedicated or general-purpose hardware devices and software functions.
- the present application does not limit the specific forms of terminal devices and network devices.
- the core network CN may include but is not limited to the following network functions (NF): user plane function (UPF), network exposure function (NEF), network function repository function (NRF), policy control function (PCF), unified data management function (UDM), unified data repository function (UDR), application function (AF), authentication server function (AUSF), access and mobility management function (AMF), and session management function (SMF).
- UPF is a gateway provided by the operator. It is the gateway through which the operator network communicates with the DN. It is mainly responsible for packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection, downlink packet buffering, etc. UPF can also be called user plane equipment. It can receive user data from DN 240 and transmit it to terminal device 110 through network device 120; UPF can also receive user data from terminal device 110 through network device 120 and forward it to the DN. The transmission resources and scheduling functions in the UPF that serve terminal device 110 are managed and controlled by the SMF.
- NEF is a control plane function provided by the operator, which mainly enables third parties to use the services provided by the network, supports the network in exposing its capabilities, events and data analytics, provides PLMN security configuration information to external applications, and translates information exchanged between the inside and outside of the PLMN.
- NEF can also be called a network exposure device, which can provide Nnef services.
- NRF is a control plane function provided by the operator, which can be used to maintain real-time information of network functions and services in the network. For example, it supports network service discovery, maintains the services supported by the NF configuration data (NF profile) of the NF instance, supports service discovery of the communication proxy (SCP), maintains the SCP configuration data (SCP profile) of the SCP instance, sends notifications about newly registered, deregistered, and updated NFs and SCPs, and maintains the health status of NF and SCP operations.
- PCF is a control plane function provided by the operator. It supports a unified policy framework to govern network behavior, provides policy rules to other control plane functions, and accesses subscription information related to policy decisions.
- UDM is a control plane function provided by the operator, responsible for storing the subscription permanent identifier (SUPI), the generic public subscription identifier (GPSI), and the credentials of the subscribers in the operator network. This information can be used for authentication and authorization of the terminal device 110 when accessing the operator network. The SUPI is concealed during transmission, and the concealed SUPI is called the subscription concealed identifier (SUCI). UDM can also be called a unified data management device, a unified data management network element, a data management device, a unified data management entity, etc.
- UDR is a control plane function provided by the operator, which provides the functions of storing and obtaining subscription data for UDM, storing and obtaining policy data for PCF, storing and obtaining user's NF group ID (group ID) information, etc.
- UDR can also be called user database equipment, user database entity, user database network element, etc.
- the user database mainly includes the following functions: storage and access functions of subscription data, policy data, application data and other types of data.
- AF is a control plane function provided by the operator. It mainly provides corresponding services by interacting with other NFs in the PLMN, such as providing roaming UE with access network selection information, guiding the routing of data flows, accessing NEF, etc. AF can be deployed by the operator inside the PLMN or outside the operator network.
- AUSF is a control plane function provided by the operator, which is usually used for primary authentication, that is, authentication between the terminal device 110 (subscriber) and the operator network. After receiving the authentication request initiated by the subscriber, AUSF can authenticate and/or authorize the subscriber through the authentication information and/or authorization information stored in the UDM, or generate the authentication and/or authorization information of the subscriber through the UDM. AUSF can feedback the authentication information and/or authorization information to the subscriber.
- AMF is a control plane network function provided by the operator network, responsible for access control and mobility management of the terminal device 110 accessing the operator network, including, for example, mobility status management, allocation of user temporary identity, authentication and authorization of users, etc.
- AMF may also be referred to as access and mobility management equipment, access and mobility management function entity, access and mobility management function network element, mobile management equipment, mobile management network element, mobile management entity, etc., and may provide Namf services.
- SMF is a control plane network function provided by the operator network, responsible for managing the protocol data unit (PDU) session of the terminal device 110.
- the terminal device and the DN exchange PDUs with each other through the PDU session.
- the PDU session is established, maintained and deleted by SMF.
- SMF includes session management (such as session establishment, modification and release, including tunnel maintenance between the user plane function UPF and the network device 120), UPF selection and control, service and session continuity (SSC) mode selection, roaming and other session-related functions.
- SMF can also be called a session management device, which can provide Nsmf services.
- the external network 140 may be a data network (DN), also known as a packet data network (PDN), which is usually a network located outside the operator's network, such as a third-party network.
- the DN may also be deployed by the operator, that is, the DN is part of the public land mobile network (PLMN). This application does not restrict whether the DN belongs to the PLMN.
- a variety of services may be deployed on the DN, which may provide data and/or voice services to the terminal device 110.
- network elements or functions can be physical entities in hardware devices, software instances running on dedicated hardware, or virtualized functions instantiated on a shared platform (e.g., a cloud platform).
- an NF can be implemented by hardware or software.
- NTN communication systems include integrated communication and navigation (ICaN) systems, global navigation satellite systems (GNSS) and ultra-dense low-orbit satellite communication systems.
- NTN communication system includes satellite network, high-altitude platform and drone nodes, with significant advantages such as global coverage, long-distance transmission, flexible networking, convenient deployment and no geographical restrictions. It has been widely used in maritime communication, positioning navigation, disaster relief, scientific experiments, video broadcasting and earth observation.
- the ground communication network (for example, an LTE network, a 5G communication network, a future 6G communication network, etc.) and the satellite network are integrated to form a globally seamless, integrated sea, land, air, space and ground communication network, which can meet the various service needs of users.
- the current 5G network supports the regenerative satellite mode, that is, the NTN communication system provides seamless coverage for terminal devices by deploying the functions of access network devices, or part of those functions, off the ground (for example, on high-altitude platforms or satellites, etc.); this can also be described as an access network device using the new air interface NR to provide satellite access to terminal devices.
- the satellite deployed with the access network function is referred to as a satellite access network device, or the base station deployed on the satellite is referred to as a satellite base station.
- FIG2 is a schematic diagram of a network architecture applicable to an embodiment of the present application.
- the satellite communication system includes a satellite base station 201 and a satellite base station 202, each of which can provide services to terminal devices through multiple beams, such as communication services, navigation services, and positioning services.
- the satellite in this scenario can be a low earth orbit (LEO) satellite, a medium earth orbit (MEO) satellite, a high elliptical orbit (HEO) satellite, a geostationary earth orbit (GEO) satellite, etc., and the embodiment of the present application does not specifically limit this.
- the satellite base station 202 is connected to a ground gateway station (such as NTN Gateway), which can also be called a gateway station, a signal gateway station, a ground station device, etc.
- the satellite uses multiple beams to cover the service area, and different beams can communicate through one or more of time division, frequency division, and space division.
- the terminal equipment on the ground can use the 5G new air interface to communicate with the satellite base station.
- the satellite base station can communicate wirelessly with the terminal equipment through broadcast communication signals and navigation signals.
- the connection between the terminal equipment and the satellite base station can be called a service link.
- the satellite base station can communicate wirelessly with the ground station (also called a gateway station, a ground gateway station, a signal gateway station, etc.) through the NG interface (for example, for signaling such as NAS for interactive core network, and user business data), and the satellite base station can also communicate with the core network through the ground gateway station.
- the ground station is mainly responsible for forwarding the signaling and business data between the satellite base station and the core network, and the connection between the satellite base station and the ground station can be called a feeder link.
- the satellite base station 201 can communicate wirelessly with the satellite base station 202 over an inter-satellite link (ISL) through the Xn interface (for example, for signaling interaction such as handover).
- the communication system shown in Figure 2 is illustrated by taking the satellite communication system combined with the 5G system as an example.
- the network elements and interfaces involved may have other names, and the embodiments of the present application do not specifically limit this.
- the service link between the terminal device and the satellite base station and the feeder link between the satellite base station and the ground station are connected, that is, the uplink message and the downlink message between the terminal device and the core network can be transmitted through the satellite base station and the ground station.
- the session establishment between the terminal device and the core network is explained in conjunction with Figure 3.
- FIG3 is a flow chart of a method for establishing a session of a terminal device.
- the method 300 can be applied to the network architecture of FIG1 and FIG2 , and is mainly used for the user plane session establishment process in the satellite communication system, and for indicating the user plane security protection policy between the terminal device and the satellite base station in the user plane session establishment process.
- in the following, the terminal device is taken as a UE, the access network device as a satellite base station, and the core network element as a session management element, such as the AMF and the SMF, as an example.
- the method includes the following multiple steps, and the parts not described in detail can refer to the existing protocol.
- the UE registers with the network and completes authentication and activates non-access stratum (NAS) and access stratum (AS) layer security.
- the UE sends a registration request message to the network to request registration with the network, and the registration request message includes the UE ID.
- the UE and the network perform authentication, including: AMF triggers authentication of the UE.
- the AMF sends an authentication request #1 to the AUSF
- the AUSF sends an authentication request #2 to the UDM
- the authentication request #1 and the authentication request #2 are used to request authentication of the UE
- the UDM generates an authentication vector and sends an authentication response #1 to the AUSF
- the AUSF sends an authentication response #2 to the AMF
- the authentication response #1 and the authentication response #2 include an authentication vector, such as an authentication vector of 5G-AKA or an authentication vector of EAP-AKA’.
- the authentication method includes but is not limited to: 5G Authentication and Key Agreement (5G-AKA) authentication method, Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA’) authentication method.
- AMF sends EAP Request/AKA′-Challenge message to UE through NAS message.
- after the UE completes authentication, including authenticating the network, it sends an EAP-Response/AKA'-Challenge message to the AMF through a NAS message.
- the AMF then sends an Nausf_UEAuthentication_Authenticate Request message to the AUSF, carrying the EAP-Response/AKA'-Challenge message.
- AUSF verifies the EAP-Response/AKA'-Challenge message. If the verification is successful, the authentication of the UE is completed, and EAP Success is sent to the UE through AMF to indicate that the authentication is successful.
- for the specific authentication implementation, refer to the relevant description in the existing protocol TS 33.501.
- the UE and the AMF side usually generate or obtain a new NAS layer key (such as KAMF), wherein the NAS layer key (such as KAMF subkey) is activated for use by triggering the NAS SMC process, that is, the AMF sends a NAS SMC message to the UE, and the UE sends a NAS SMP message to the AMF.
- the NAS SMC message includes but is not limited to: integrity security protection algorithm identifier and/or confidentiality security protection algorithm identifier, ngKSI, replayed UE security capabilities, MAC#1.
- the NAS SMP message includes MAC#2.
- ngKSI is used to identify a specific NAS security context
- the NAS security context includes one or more of: a key identifier, the UE security capability, the uplink and downlink NAS count values, a confidentiality security protection key, an integrity security protection key, the selected integrity security protection algorithm identifier, and the selected confidentiality security protection algorithm identifier.
- the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
- the session establishment request message includes a session identifier for identifying the UE's session, and optionally, may also carry information such as session type and/or slice.
- the UE initiates a PDU session establishment request message, such as a PDU Session Establishment Request message, to the AMF via a satellite base station.
- the session establishment request message is a NAS message, which is transparently transmitted through the satellite base station; the satellite base station does not parse the session establishment request message.
- AMF sends a session creation context request message to SMF, and correspondingly, SMF receives the session creation context request message from AMF.
- the session creation context request message includes a session identifier, and the session creation context request message may be an Nsmf_PDUSession_createSMContext Request message.
- the SMF may search for a corresponding user plane security policy (which may be referred to as a security protection policy or a user plane security protection policy) from the UDM or PCF or network management function network element according to the session identifier, to indicate whether the transport layer requires security protection.
- the user plane security policy includes a confidentiality security policy and/or an integrity security policy, wherein the confidentiality security policy is used to indicate whether the transport layer requires confidentiality security protection, and the integrity security policy is used to indicate whether the transport layer requires integrity security protection.
- the values of the security policy include required, preferred, and not needed. For example, when the value of the security policy is required, it indicates that the sender needs to perform security protection on the message and/or data to be sent; when the value of the security policy is not needed, it indicates that the sender does not need to perform security protection on the message and/or data to be sent; when the value of the security policy is preferred, it indicates that the sender needs to perform optional security protection on the message and/or data to be sent, that is, the sender can perform security protection on the message and/or data to be sent, or can perform no security protection on the message and/or data to be sent, and the security protection here includes confidentiality security protection and/or integrity security protection.
- the value of the integrity security policy when the value of the integrity security policy is required, it means that integrity security protection needs to be performed on the messages and/or data to be sent; when the value of the integrity security policy is not needed, it means that integrity security protection does not need to be performed on the messages and/or data to be sent; when the value of the integrity security policy is preferred, it means that integrity security protection can be performed on the messages and/or data to be sent, that is, integrity security protection can be performed on the messages and/or data to be sent, or integrity security protection can be omitted.
- the value of the confidentiality security policy when the value of the confidentiality security policy is required, it means that confidentiality security protection needs to be performed on the messages and/or data to be sent; when the value of the confidentiality security policy is not needed, it means that confidentiality security protection does not need to be performed on the messages and/or data to be sent; when the value of the confidentiality security policy is preferred, it means that confidentiality security protection can be performed on the messages and/or data to be sent, that is, confidentiality security protection can be performed on the messages and/or data to be sent, or confidentiality security protection can be omitted.
- integrity protection can be achieved by physical means or cryptographic methods to ensure that information and/or data are not tampered with or modified without authorization during generation, transmission, storage, and thereafter.
- there are many ways to perform integrity protection on information through cryptographic methods, such as using a one-way function (such as a hash function) with a symmetric key (the integrity security protection key) and a message as input parameters to generate a message authentication code (MAC), thereby achieving integrity protection of messages and/or data.
- integrity protection can refer to performing integrity protection on messages to be sent according to a selected integrity protection algorithm and integrity protection key.
- the integrity security protection key may be the NAS integrity key (NAS Integrity Key, Knasint), which is used to perform integrity security protection on the messages to be sent;
- the integrity security protection key may be the RRC integrity key (RRC Integrity Key, Krrcint), which is used to perform integrity security protection on the messages to be sent;
- the integrity security protection key may be the UP Integrity Key (Kupint), which is used to perform integrity security protection on the messages to be sent.
- confidentiality security protection may refer to encrypting messages and/or data to be sent according to a confidentiality security protection algorithm and a confidentiality security protection key.
- the security policy may be explicitly indicated, for example, using an independent information element (IE).
- for example, through 2 bits of indication information, “00” indicates that the value of the security policy is required
- “01” indicates that the value of the security policy is not needed
- “10” indicates that the value of the security policy is preferred
- or, “true” indicates that the value of the security policy is required
- “false” indicates that the value of the security policy is not needed; the expression form is not limited in this application.
- the security algorithm includes an integrity security algorithm and/or a confidentiality security protection algorithm.
- the integrity security algorithm includes one or more of the following: AES integrity security protection algorithm, SNOW integrity security protection algorithm, ZUC integrity security protection algorithm, or null integrity security protection algorithm
- the confidentiality security protection algorithm includes one or more of the following: ZUC confidentiality security protection algorithm, AES confidentiality security protection algorithm, SNOW confidentiality security protection algorithm, or null confidentiality security protection algorithm.
- S304 SMF sends a session creation context response message to AMF, and correspondingly, AMF receives a session creation context response message from SMF.
- the session creation context response message includes a session identifier, a user plane security policy, and a session acceptance message.
- the session creation context response message may be an Nsmf_PDUSession_createSMContext Response message.
- the session acceptance message is carried in an N1 container.
- AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from AMF.
- the session resource establishment request message includes a session identifier, a user plane security policy and a session acceptance message
- the session resource establishment request message can be a PDU Session Resource Setup Request message.
- the satellite base station determines whether to activate security protection of the DRB corresponding to the session according to the user plane security policy.
- a session corresponds to one or more DRBs.
- one or more data #1 transmitted by a session can be carried by the one or more DRBs respectively, and usually one DRB carries one data #1.
- the user plane security policy is used to indicate whether to enable security protection of the DRB corresponding to the session.
- when the value of the user plane security policy is required, the satellite base station determines that the security protection of the DRB needs to be activated, that is, the security protection of the DRB is configured to be turned on; when the value of the user plane security policy is not needed, the satellite base station determines that the security protection of the DRB does not need to be activated, that is, the security protection of the DRB is configured to be not turned on; when the value of the user plane security policy is preferred, the satellite base station can determine whether to activate the security protection of the DRB according to the local policy, that is, determine whether to turn on the security protection according to the local policy.
- the local policy indicates that when the value of the user plane security policy is preferred, the satellite base station can choose to turn on the security protection, or the local policy indicates that when the value of the user plane security policy is preferred, the satellite base station can choose to turn on or not turn on the security protection according to its own load situation.
- when the value of the integrity security policy is required, the satellite base station activates the integrity security protection of the DRB corresponding to the session; when the value of the integrity security policy is not needed, the satellite base station does not activate the integrity security protection of the DRB corresponding to the session; when the value of the integrity security policy is preferred, the satellite base station activates or does not activate the integrity security protection of the DRB corresponding to the session according to the local policy.
- when the value of the confidentiality security policy is required, the satellite base station activates the confidentiality security protection of the DRB corresponding to the session; when the value of the confidentiality security policy is not needed, the satellite base station does not activate the confidentiality security protection of the DRB corresponding to the session; when the value of the confidentiality security policy is preferred, the satellite base station activates or does not activate the confidentiality security protection of the DRB corresponding to the session according to the local policy.
- when the integrity security protection of the DRB is not activated, the satellite base station and the UE can set the MAC to all 0s, which means that the satellite base station and the UE do not perform integrity security protection on the user plane messages and/or data carried on the DRB, and do not need to perform integrity verification on the user plane messages and/or data carried on the DRB.
- the MAC may not be included in the Packet Data Convergence Protocol (PDCP) data packet.
- the satellite base station sends an RRC reconfiguration message to the UE, and correspondingly, the UE receives the RRC reconfiguration message from the satellite base station.
- the RRC reconfiguration message may be an RRC Reconfiguration message.
- the RRC reconfiguration message includes a DRB identifier (e.g., DRB ID) and its corresponding user plane security indication (UP sec indication), such as an integrity security protection indication and/or a confidentiality security protection indication.
- the integrity security protection indication is used to indicate whether the integrity security protection of the DRB is enabled, or whether the integrity security protection of the DRB needs to be activated.
- the confidentiality security protection indication is used to indicate whether the confidentiality security protection of the DRB is enabled, or whether the confidentiality security protection of the DRB needs to be activated.
- the RRC reconfiguration message also includes the session acceptance message.
- the size of the integrity security protection indication and/or confidentiality security protection indication can be 1 bit.
- the value of the confidentiality indication information is “1”, indicating that the confidentiality security protection of the DRB is enabled; the value of the confidentiality indication information is “0”, indicating that the confidentiality security protection of the DRB is not enabled.
- the value of the integrity indication information is “1”, indicating that the integrity security protection of the DRB is enabled; the value of the integrity indication information is “0”, indicating that the integrity security protection of the DRB is not enabled.
- the values of the integrity security protection indicator and the confidentiality security protection indicator may be determined according to a user plane security policy received by the satellite base station.
- the satellite base station can set the value of the integrity security protection indication corresponding to DRB#1 and DRB#2 to "1" and the value of the confidentiality security protection indication to "0", which are carried in the RRC reconfiguration message of step S307.
- the satellite base station configures the PDCP entity of the DRB corresponding to the session.
- for example, the user plane security policy indicates to activate integrity security protection and not to activate confidentiality security protection.
- the user plane security indication in the RRC reconfiguration message is used to instruct DRB#1 and DRB#2 to enable integrity security protection and not to enable confidentiality security protection.
- the satellite base station configures the integrity security protection key and integrity security protection algorithm corresponding to DRB#1 and DRB#2 in the PDCP entity, and activates the integrity check of the uplink user plane messages and/or data on the DRB#1 and DRB#2, and activates the integrity security protection of the downlink user plane messages and/or data on the DRB#1 and DRB#2.
- the UE performs an integrity check on the RRC reconfiguration message.
- the UE performs an integrity check on the received RRC reconfiguration message. For example, the UE compares the MAC#3 value carried in the RRC reconfiguration message with the MAC#4 calculated locally by the UE. If the two are the same, it can be considered that the integrity check has passed; otherwise, the integrity check has failed.
- the UE configures the PDCP entity corresponding to the DRB.
- the UE configures the integrity security protection key and integrity security protection algorithm corresponding to DRB#1 in the PDCP entity, and activates the integrity security protection of the uplink user plane message on the DRB#1, and activates the integrity check of the downlink user plane message on the DRB#1.
- the UE configures the confidentiality security protection key and confidentiality security protection algorithm corresponding to DRB#2 in the PDCP entity, and activates the confidentiality security protection of the uplink user plane message on the DRB#2, and activates the decryption operation of the downlink user plane message on the DRB#2.
- the UE sends an RRC reconfiguration completion message to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message from the UE.
- if the UE successfully verifies the integrity of the RRC reconfiguration message in step S309, the UE sends an RRC reconfiguration complete message to the satellite base station.
- the RRC reconfiguration complete message may be an RRC Reconfiguration Complete message.
- otherwise, the UE may send a failure cause value to the satellite base station, which may indicate that the integrity check of the RRC reconfiguration message has failed.
- the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
- the session resource establishment response message is used to inform the session resource establishment result, such as success or failure.
- the session resource establishment response message can be a PDU Session Resource Setup Response message. It should be understood that the technical solution of the present application is based on the successful establishment of the session resource.
- the core network element in the above method 300 may also be a mobility management entity (Mobility Management Entity, MME), a serving gateway (Serving Gateway, S-GW), or a public data network gateway (Public Data Network Gateway, PDN GW or P-GW).
- the service link and the feeder link may not be connected at the same time.
- the satellite base station can perform a store-and-forward operation (Store and Forward), that is, the satellite base station can store the received uplink message, that is, cache the uplink message on the satellite base station, and wait until the feeder link is restored, and then forward the stored uplink information to the ground network.
- the object of the store-and-forward operation can be signaling plane data or user plane data. For ease of description and understanding, this application takes user plane data as an example for illustration.
- if the satellite base station caches uplink data that it cannot verify, its storage area may be filled up, and the control plane data and/or user plane data of normal UEs may not be cached.
- the present application provides a secure communication method and a communication device, which can reduce the risk of satellite base stations being maliciously attacked and improve network communication security.
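The store-and-forward cache described above, as an added example that is not part of the patent: an uplink buffer on the satellite base station that verifies the PDCP MAC-I before caching a PDU, so that data failing integrity verification consumes no storage, while a DRB without integrity protection (MAC absent or all zeros) can only be cached unverified. HMAC-SHA256 truncated to 32 bits stands in for the 3GPP integrity algorithms; the key, buffer size and traffic are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAC_I_LEN = 4  # 3GPP MAC-I is 32 bits; truncated HMAC-SHA256 is a stand-in for NIA1/2/3 (simplification)


@dataclass(frozen=True)
class PdcpPdu:
    """Minimal uplink PDCP data PDU: COUNT, bearer (DRB id), payload and MAC-I trailer.
    mac_i is None when the PDCP entity carries no MAC (integrity protection not activated)."""
    count: int
    bearer: int
    payload: bytes
    mac_i: Optional[bytes]


def compute_mac_i(kupint: bytes, count: int, bearer: int, direction: int, payload: bytes) -> bytes:
    """Inputs mirror the 3GPP integrity algorithm interface: key, COUNT, BEARER, DIRECTION (0 = uplink), message.
    Binding COUNT into the MAC means a captured PDU cannot be re-presented under another COUNT."""
    msg = count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 0x01]) + payload
    return hmac.new(kupint, msg, hashlib.sha256).digest()[:MAC_I_LEN]


@dataclass
class StoreAndForwardBuffer:
    """Uplink cache of a satellite base station whose feeder link is currently down."""
    capacity_bytes: int
    kupint: bytes                      # constructed Kupint shared with the UE
    integrity_active: Dict[int, bool]  # DRB id -> whether integrity protection was activated in the PDCP entity
    stored: List[PdcpPdu] = field(default_factory=list)
    used_bytes: int = 0
    dropped_integrity: int = 0
    dropped_full: int = 0

    def admit(self, pdu: PdcpPdu) -> bool:
        """Verify MAC-I first when integrity protection is active on the DRB; cache only verified PDUs.
        With integrity off there is nothing to verify, so every PDU competes for storage."""
        if self.integrity_active.get(pdu.bearer, False):
            expected = compute_mac_i(self.kupint, pdu.count, pdu.bearer, 0, pdu.payload)
            if pdu.mac_i is None or not hmac.compare_digest(pdu.mac_i, expected):
                self.dropped_integrity += 1
                return False
        if self.used_bytes + len(pdu.payload) > self.capacity_bytes:
            self.dropped_full += 1
            return False
        self.stored.append(pdu)
        self.used_bytes += len(pdu.payload)
        return True

    def forward(self) -> List[PdcpPdu]:
        """Feeder link restored: hand the cached PDUs to the ground network and empty the buffer."""
        out, self.stored, self.used_bytes = self.stored, [], 0
        return out


def demo() -> Dict[str, int]:
    """Constructed scenario: DRB#1 has integrity protection on, DRB#2 has it off; mixed traffic on each."""
    key = b"\x11" * 16  # constructed Kupint
    buf = StoreAndForwardBuffer(capacity_bytes=64, kupint=key, integrity_active={1: True, 2: False})
    good = b"genuine uplink"
    buf.admit(PdcpPdu(0, 1, good, compute_mac_i(key, 0, 1, 0, good)))
    # modified payload presented with a MAC computed over different content: rejected, no storage used
    buf.admit(PdcpPdu(1, 1, b"tampered uplink", compute_mac_i(key, 1, 1, 0, b"original uplink")))
    # unverifiable PDUs on the DRB without integrity protection are cached until the buffer is full
    for n in range(10):
        buf.admit(PdcpPdu(n, 2, b"x" * 16, None))
    return {"stored": len(buf.stored), "used": buf.used_bytes,
            "dropped_integrity": buf.dropped_integrity, "dropped_full": buf.dropped_full}
```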
- the communication method provided by the embodiment of the present application will be described in detail below with reference to the accompanying drawings.
- the embodiment provided by the present application can be applied to a communication scenario where a transmitting device and a receiving device communicate, such as being applied to the communication system shown in the above-mentioned Figures 1 and 2.
- Figure 4 is a flow chart of the communication method provided by an embodiment of the present application.
- the method 400 can be executed by the terminal device side, the network device side and the core network side.
- the method can be executed by the terminal device, the network device and the core network element (such as the session management element), or it can also be executed by the chip or circuit of the terminal device, the network device and the core network element (such as the session management element), or it can also be implemented by a logic module or software that can realize all or part of the functions of the communication device, and the present application does not limit this.
- the following is an example of the execution subject being the terminal device, the network device and the session management element.
- the method includes the following multiple steps. The part that is not described in detail can refer to the above method 300 or the existing protocol.
- the network device determines whether to activate the integrity security protection of the session according to the first information, and the first information is used to indicate whether the network device supports the store-and-forward operation (which may be referred to as capability information).
- a session is used to transmit data between the terminal device and the core network.
- a session corresponds to one or more DRBs, which means that one or more data transmitted by a session can be carried by the one or more DRBs respectively.
- one DRB carries one data, and the DRB is used to carry data between the terminal device and the network device.
- whether to activate the integrity security protection of the session can be understood as: whether to activate the integrity security protection of one or more DRBs corresponding to the session, and can also be understood as: whether the integrity security protection of the data transmitted between the terminal device and the network device is enabled.
- the method further includes: the network device acquires first information.
- the first information may be predefined, or configured or preconfigured through signaling.
- predefinition may include, for example, definition in a protocol, and preconfiguration may be implemented by pre-saving in the network device corresponding codes, tables, strings or other information that can be used to indicate the first information; the present application does not limit the specific implementation.
- the first information may also be used to indicate whether the network device is configured to enable a store-and-forward operation (which may be referred to as configuration information), and/or the first information may also be used to indicate whether the network device is deployed on a satellite (which may be referred to as location information).
- location information may be used to indicate whether the network device is deployed on a satellite.
- the present application may refer to a network device deployed on a satellite as a satellite base station, and a network device not deployed on a satellite as a ground base station.
- the first information in the present application may include one or more of capability information, configuration information, or location information of the network device.
- the ways in which a network device determines whether to activate integrity security protection of a session based on the first information, that is, activates or does not activate integrity security protection of the session based on the first information, include one or more of the following.
- the network device determines whether to activate the integrity security protection of the session according to the capability information. In other words, the network device determines whether to activate or not activate the integrity security protection of the session according to the capability information.
- for example, when the capability information indicates that the network device supports the store-and-forward operation, the network device determines to activate the integrity security protection of the session, that is, the integrity security protection of the session can be directly activated without considering the integrity security policy; for another example, when the capability information indicates that the network device does not support the store-and-forward operation, the network device determines not to activate the integrity security protection of the session.
- the network device can determine whether to activate the integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
- in other words, when the network device supports store-and-forward operations, the network device activates the integrity security protection of the session; when the network device does not support store-and-forward operations, the network device does not activate the integrity security protection of the session, or may activate or not activate the integrity security protection of the session according to the user plane integrity security policy.
- the network device determines whether to activate the integrity security protection of the session according to the configuration information, or in other words, the network device activates or does not activate the integrity security protection of the session according to the configuration information.
- for example, when the configuration information indicates that the network device enables the store-and-forward operation, the network device determines to activate the integrity security protection of the session, that is, the integrity security protection of the session can be directly activated without considering the integrity security policy; for another example, when the configuration information indicates that the network device does not enable the store-and-forward operation, the network device determines not to activate the integrity security protection of the session.
- the network device can determine whether to activate the integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
- in other words, when the network device is configured to enable the store-and-forward operation, the network device activates the integrity security protection of the session; when the network device is configured not to enable the store-and-forward operation, the network device does not activate the integrity security protection of the session, or can activate or not activate the integrity security protection of the session according to the user plane integrity security policy.
- the network device determines whether to activate the integrity security protection of the session based on the location information. In other words, the network device activates or does not activate the integrity security protection of the session based on the location information.
- for example, when the location information indicates that the network device is deployed on a satellite, the network device determines to activate the integrity security protection of the session, that is, there is no need to consider the integrity security policy, and the integrity security protection of the session can be directly activated; for another example, when the location information indicates that the network device is not deployed on a satellite, such as when the network device is a ground base station, the network device does not activate the integrity security protection of the session, or can determine whether to activate the integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
- in other words, when the network device is deployed on a satellite, the network device activates the integrity security protection of the session; when the network device is deployed on the ground, the network device does not activate the integrity security protection of the session, or may activate or not activate the integrity security protection of the session according to the user plane integrity security policy.
- the network device determines whether to activate the integrity security protection of the session based on the first information, or in other words, the network device activates or does not activate the integrity security protection of the session based on the first information.
- the technical logic of the above (1)-(3) is the same, that is, the network device can activate or not activate the integrity security protection of the session based on the first information without considering the user plane integrity security policy.
- This method allows the user plane data to have integrity security protection as much as possible, which facilitates the subsequent network device to perform integrity verification on the received uplink message and/or data, thereby ensuring the security of network communications and reducing the risk of denial of service attacks.
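The decision logic of methods 300 and 400 described above, as an added example that is not part of the patent: decoding the explicitly indicated policy IE, applying the required / preferred / not needed rule of the satellite base station, overriding it with the first information (capability, configuration or location) for integrity protection, and producing the per-DRB 1-bit UP security indications carried in the RRC Reconfiguration message. Class and function names are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Policy(Enum):
    """Values a user plane security policy can take."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


# Explicit IE encodings quoted in the description: a 2-bit field or a boolean.
_IE_2BIT = {"00": Policy.REQUIRED, "01": Policy.NOT_NEEDED, "10": Policy.PREFERRED}
_IE_BOOL = {"true": Policy.REQUIRED, "false": Policy.NOT_NEEDED}


def decode_policy_ie(ie: str) -> Policy:
    """Decode an explicitly indicated policy IE; the code point "11" has no meaning and is rejected."""
    key = ie.strip().lower()
    if key in _IE_2BIT:
        return _IE_2BIT[key]
    if key in _IE_BOOL:
        return _IE_BOOL[key]
    raise ValueError(f"undefined security policy IE value: {ie!r}")


@dataclass(frozen=True)
class FirstInfo:
    """The 'first information' of method 400. None means that kind of information is not available."""
    supports_store_and_forward: Optional[bool] = None  # capability information
    store_and_forward_enabled: Optional[bool] = None   # configuration information
    deployed_on_satellite: Optional[bool] = None       # location information

    def indicates_store_and_forward_node(self) -> bool:
        """Any one of (1) capability, (2) configuration or (3) location is sufficient on its own."""
        return any(flag is True for flag in (self.supports_store_and_forward,
                                             self.store_and_forward_enabled,
                                             self.deployed_on_satellite))


def activate_by_policy(policy: Policy, local_policy_prefers_on: bool) -> bool:
    """Method 300 rule of the satellite base station: required -> on, not needed -> off,
    preferred -> the local policy (e.g. load-based) decides."""
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_NEEDED:
        return False
    return local_policy_prefers_on


def activate_integrity(first_info: FirstInfo, integrity_policy: Policy,
                       local_policy_prefers_on: bool = False) -> bool:
    """Method 400: a store-and-forward satellite node activates integrity protection regardless of
    the policy; any other node falls back to the user plane integrity security policy (step S404)."""
    if first_info.indicates_store_and_forward_node():
        return True
    return activate_by_policy(integrity_policy, local_policy_prefers_on)


def drb_security_indications(drb_ids: Iterable[int], first_info: FirstInfo,
                             integrity_ie: str, confidentiality_ie: str,
                             local_policy_prefers_on: bool = False) -> Dict[int, Dict[str, str]]:
    """Per-DRB 1-bit UP security indications for RRC Reconfiguration ("1" enabled, "0" not enabled).
    Confidentiality follows the policy alone; integrity additionally honours the first information."""
    integrity_on = activate_integrity(first_info, decode_policy_ie(integrity_ie), local_policy_prefers_on)
    ciphering_on = activate_by_policy(decode_policy_ie(confidentiality_ie), local_policy_prefers_on)
    return {drb: {"integrity": "1" if integrity_on else "0",
                  "confidentiality": "1" if ciphering_on else "0"} for drb in drb_ids}
```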
- the network device may also consider the user plane integrity security policy corresponding to the session, that is, the network device may determine whether to activate the integrity security protection of the session based on the first information and the user plane integrity security policy.
- the method also includes the following step S404.
- S404 The network device determines whether to activate integrity security protection of the session according to the first information and the user plane integrity security policy.
- the user plane integrity security policy is used to indicate whether to activate the integrity security protection of the session.
- the session management network element obtains a user plane integrity security policy for the session, for example, see the following step S403.
- the network device obtains a user plane integrity security policy corresponding to the session.
- the values of the user plane integrity security policy include required, preferred, and not needed. For example, when the value of the user plane integrity security policy is required, it means that integrity security protection is enabled for the session; when the value of the user plane integrity security policy is not needed, it means that integrity security protection is not enabled for the session; when the value of the user plane integrity security policy is preferred, it means that integrity security protection can be enabled optionally for the session.
- the user plane integrity security policy can be explicitly indicated, for example, using an independent information element IE.
- for example, through 2 bits of indication information, “00” indicates that the value of the user plane integrity security policy is required, “01” indicates that the value of the user plane integrity security policy is not needed, and “10” indicates that the value of the user plane integrity security policy is preferred; or, “true” indicates that the value of the user plane integrity security policy is required, and “false” indicates that the value of the user plane integrity security policy is not needed.
- This application does not limit its expression form.
- the network device obtains the user plane integrity security policy corresponding to the session from the session management network element, for example, see the following step S402.
- the session management network element sends a user plane integrity security policy corresponding to the session to the network device, and correspondingly, the network device receives the user plane integrity security policy corresponding to the session from the session management network element.
- the session management network element sends a user plane integrity security policy to a mobile access management network element (eg, AMF), and the mobile access management network element then sends the user plane integrity security policy to a network device.
- the session management network element may actively send the user plane integrity security policy corresponding to the session to the network device, or may send it based on a request from the network device.
- the network device sends a request message to the session management network element, and the request message is used to obtain the user plane integrity security policy corresponding to the session.
- the session management network element may send the user plane integrity security policy corresponding to the session to the network device after receiving the request message.
- the session management network element determines the user plane integrity security policy of the session.
- the session management network element may determine the user plane integrity security policy of the session through the acquired indication information, for example, see the following step S401.
- the session management network element obtains indication information.
- the indication information is used to indicate that the network device is deployed on a satellite.
- the indication information is also used to indicate that the network device supports a store-and-forward operation and/or that the network device is configured to enable a store-and-forward feature.
- the network equipment is deployed on the satellite, which can be understood as the network equipment (such as a base station) being physically deployed on the satellite, or the network equipment (such as a base station) and the satellite being co-located.
- the satellite has the capabilities of the network equipment, for example, the satellite supports the storage and forwarding operation of the network equipment.
- the session management network element receives indication information from the mobile access management network element (such as AMF). For example, during the session establishment process of the terminal device, the mobile access management network element sends a session creation context request message to the session management network element, and the session creation context request message carries the indication information.
- the user plane integrity security policy corresponding to the session is determined according to the indication information, or the session management network element can determine the user plane integrity security policy corresponding to the session according to the indication information.
- if the indication information indicates that the network device is deployed on a satellite, or that the network device supports store-and-forward operations, or that the network device is configured to enable the store-and-forward feature, then, considering the limited storage resources of the network device and to avoid potential DoS risks, the session management network element can set the value of the user plane integrity security policy to required. That is, the session management network element can determine to enable or activate integrity security protection according to the indication information, so that the data subsequently transmitted between the terminal device and the network device are all protected by integrity security: the data transmitted between the terminal device and the network device need to be integrity checked, and then the data that passes the integrity check is stored and forwarded.
- the user plane integrity security policy corresponding to the session can also be determined according to the contract information, or the session management network element can determine the user plane integrity security policy corresponding to the session according to the contract information.
- the contract information is used to indicate whether the terminal device has signed a contract for the store-and-forward operation service.
- for example, if the contract information indicates that the terminal device has signed a contract for the store-and-forward operation service, the session management network element can set the value of the user plane integrity security policy corresponding to the session to required; that is, the session management network element can enable the integrity security protection of the session according to the contract information, so that the subsequent uplink and downlink data transmitted between the terminal device and the network device are all protected by integrity security, and the terminal device and the network device need to perform integrity verification on the received user plane data. For another example, if the contract information indicates that the terminal device has not signed a contract for the store-and-forward operation service, the session management network element can set the value of the user plane integrity security policy corresponding to the session to preferred; that is, the session management network element can determine, according to the contract information, that the integrity security protection of the session may optionally be enabled, and the network device then determines whether to enable the integrity security protection of the session according to the local policy.
- the user plane integrity security policy corresponding to the session can also be determined based on both the contract information and the indication information; in other words, the session management network element can determine the user plane integrity security policy corresponding to the session based on the indication information and the contract information. For example, if the indication information indicates that the network device is deployed on a satellite, or that the network device supports store-and-forward operations, or that the network device is configured to enable the store-and-forward feature, and the contract information indicates that the terminal device has signed a contract for the store-and-forward operation service, then the session management network element can set the value of the user plane integrity security policy corresponding to the session to required, indicating that integrity security protection for the session is enabled; for another example, if the indication information indicates that the network device is not deployed on a satellite, or that the network device does not support store-and-forward operations, or that the network device is configured to disable the store-and-forward feature, and the contract information indicates that the terminal device has not signed a contract for the store-and-forward operation service, then the session management network element may set the value of the user plane integrity security policy corresponding to the session to preferred, indicating that enabling integrity security protection for the session is optional, and the network device then determines whether to enable integrity security protection for the session based on local policies.
- the session management network element may obtain the above-mentioned subscription information from the UDM or PCF. For example, the session management network element sends a query message to the UDM or PCF to obtain the subscription information of the terminal device, and correspondingly, the UDM or PCF sends the subscription information of the terminal device to the session management network element.
- the present application does not limit the order in which the session management network element obtains the above-mentioned contract (subscription) information and indication information.
- in the above step S404, the network device determining whether to activate the integrity security protection of the session based on the first information and the user plane integrity security policy (in other words, the satellite base station activating or not activating the integrity security protection of the session based on the first information and the user plane integrity security policy) includes one or more of the following.
- the network device determines whether to activate the integrity security protection of the session based on the capability information and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the capability information and the user plane integrity security policy.
- For example, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is required, the network device determines to activate the integrity security protection of the session; for another example, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session. In this implementation, the network device determines whether to activate the integrity security protection of the session mainly based on the user plane integrity security policy.
- In another implementation, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines to activate the integrity security protection of the session. Here the network device determines whether to activate the integrity security protection of the session mainly based on whether the network device supports store-and-forward operations; for another example, when the capability information indicates that the network device does not support store-and-forward operations, then regardless of whether the value of the user plane integrity security policy is required, preferred or not needed, the network device determines not to activate the integrity security protection of the session.
- the network device determines whether to activate the integrity security protection of the session based on the configuration information of the network device and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the configuration information of the network device and the integrity security policy.
- For example, when the configuration information indicates that the network device is configured to enable a store-and-forward operation and the value of the user plane integrity security policy is required, the network device determines to activate the integrity security protection of the session; for another example, when the configuration information indicates that the network device is configured to enable a store-and-forward operation and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session. In this implementation, the network device determines whether to activate the integrity security protection of the session mainly based on the user plane integrity security policy.
- In another implementation, when the configuration information indicates that the network device is configured to enable a store-and-forward operation and the value of the user plane integrity security policy is not needed, the network device determines to activate the integrity security protection of the session. Here the network device determines whether to activate the integrity security protection of the session mainly based on whether the network device is configured to enable the store-and-forward operation; for another example, when the configuration information indicates that the network device is configured not to enable a store-and-forward operation, then regardless of whether the value of the user plane integrity security policy is required, preferred or not needed, the network device determines not to activate the integrity security protection of the session.
- the network device determines whether to activate the integrity security protection of the session based on the location information and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the location information and the user plane integrity security policy.
- For example, when the location information indicates that the network device is deployed on a satellite and the value of the user plane integrity security policy is required, the network device determines to activate the integrity security protection of the session; for another example, when the location information indicates that the network device is deployed on a satellite and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session. In this implementation, the network device determines whether to activate the integrity security protection of the session mainly based on the user plane integrity security policy.
- In another implementation, when the location information indicates that the network device is deployed on a satellite and the value of the user plane integrity security policy is not needed, the network device determines to activate the integrity security protection of the session. Here the network device determines whether to activate the integrity security protection of the session mainly based on the network device being a satellite base station; for another example, when the location information indicates that the network device is deployed on a non-satellite (for example, the network device is a ground base station), then regardless of whether the value of the user plane integrity security policy is required, preferred or not needed, the network device determines not to activate the integrity security protection of the session.
- the network device determines whether to activate the integrity security protection of the session according to the first information and the user plane integrity security policy; in other words, the network device activates or does not activate the integrity security protection of the session according to the first information and the user plane integrity security policy.
- the technical logic of the above (4)-(6) is the same: the network device activates the integrity security protection of the session to the maximum extent possible, which ensures that integrity security protection of the user plane data is activated as far as possible, so that the network device can subsequently perform integrity verification on the received uplink messages and/or data, ensuring the security of network communication and reducing the risk of denial of service attacks.
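As an added example that is not part of the patent, the following Python models the two decisions described above: the session management network element (SMF) deriving the user plane integrity security policy from the indication information and the contract (subscription) information, and the network device deciding activation from the first information and that policy, in both the policy-driven implementations (1)-(3) and the maximal-activation implementations (4)-(6). It also encodes the 2-bit policy IE and the 1-bit activation indication given above. Class and field names are constructed for the example, and the handling of mixed indication/subscription cases is an assumption noted in the code.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UpIpPolicy(Enum):
    """User plane integrity security policy; values are the 2-bit IE codes given above."""
    REQUIRED = "00"
    NOT_NEEDED = "01"
    PREFERRED = "10"


def decode_policy_ie(bits: str) -> UpIpPolicy:
    """Decode the explicit 2-bit IE; '11' is not assigned by the text, so reject it."""
    try:
        return UpIpPolicy(bits)
    except ValueError:
        raise ValueError(f"unassigned policy IE value {bits!r}") from None


@dataclass(frozen=True)
class IndicationInfo:
    """Indication information carried to the SMF, e.g. in the session creation
    context request from the AMF (field names are constructed for this example)."""
    deployed_on_satellite: bool = False
    supports_store_and_forward: bool = False
    store_and_forward_enabled: bool = False

    def store_and_forward_scenario(self) -> bool:
        return (self.deployed_on_satellite
                or self.supports_store_and_forward
                or self.store_and_forward_enabled)


def smf_determine_policy(indication: Optional[IndicationInfo],
                         subscribed_to_store_and_forward: Optional[bool]) -> UpIpPolicy:
    """SMF side (steps S401/S402). A satellite / store-and-forward network device
    has limited storage, so storing unchecked data is a DoS risk: any such
    indication, or a subscription to the store-and-forward service, yields
    'required'. With neither, the policy is 'preferred' and the network device
    decides from local policy. Mixed cases (only one factor known or set) follow
    the single-factor rules; that reading is an assumption of this example."""
    if indication is not None and indication.store_and_forward_scenario():
        return UpIpPolicy.REQUIRED
    if subscribed_to_store_and_forward:
        return UpIpPolicy.REQUIRED
    return UpIpPolicy.PREFERRED


@dataclass(frozen=True)
class FirstInfo:
    """First information of the network device: capability, configuration, location."""
    supports_store_and_forward: bool
    store_and_forward_configured: bool
    deployed_on_satellite: bool

    def store_and_forward_scenario(self) -> bool:
        return (self.supports_store_and_forward
                or self.store_and_forward_configured
                or self.deployed_on_satellite)


def network_device_activates(first: FirstInfo, policy: UpIpPolicy,
                             policy_driven: bool,
                             local_policy_allows: bool = True) -> bool:
    """Network device side (step S404).
    policy_driven=True models implementations (1)-(3): the policy decides
    (required -> activate, not needed -> do not, preferred -> local policy).
    policy_driven=False models implementations (4)-(6): activate to the maximum
    extent whenever the first information indicates a satellite / store-and-forward
    device, regardless of the policy value, and do not activate otherwise
    (for example a ground base station)."""
    if policy_driven:
        if policy is UpIpPolicy.REQUIRED:
            return True
        if policy is UpIpPolicy.NOT_NEEDED:
            return False
        return local_policy_allows  # PREFERRED: local policy decides
    return first.store_and_forward_scenario()


def activation_indication_ie(activated: bool) -> str:
    """1-bit first integrity security protection indication carried in the RRC
    reconfiguration message: '1' activated, '0' not activated."""
    return "1" if activated else "0"


def run_session_setup(indication: Optional[IndicationInfo], subscribed: Optional[bool],
                      first: FirstInfo, policy_driven: bool,
                      local_policy_allows: bool = True):
    """End to end: SMF derives the policy, the network device decides, and the
    result is encoded for the UE. Returns (policy IE bits, activation IE bit)."""
    policy = smf_determine_policy(indication, subscribed)
    activated = network_device_activates(first, policy, policy_driven, local_policy_allows)
    return policy.value, activation_indication_ie(activated)


if __name__ == "__main__":
    sat = FirstInfo(supports_store_and_forward=True, store_and_forward_configured=True,
                    deployed_on_satellite=True)
    print(run_session_setup(IndicationInfo(deployed_on_satellite=True), False, sat, True))
```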
- steps S401-S404 may be executed before step S410, or steps S401-S404 may be executed after step S410, or steps S401-S403 may be executed before step S410 and step S404 may be completed after step S410, as long as steps S401-S404 are executed before the following step S420.
- the network device sends first integrity security protection indication information to the terminal device, and correspondingly, the terminal device receives the first integrity security protection indication information from the network device.
- the first integrity security protection indication information is used to indicate an activation result.
- the activation result is used to indicate whether to activate the integrity security protection of the session, or in other words, the activation result is used to indicate whether to activate the integrity security protection of one or more DRBs corresponding to the session.
- the activation result includes activating the integrity security protection of the session, or not activating the integrity security protection of the session.
- the network device sends an RRC reconfiguration message to the terminal device, such as an RRC Reconfiguration message, where the RRC reconfiguration message carries first integrity security protection indication information.
- the first integrity security protection indication information may be explicitly indicated, for example, using an independent information element IE to indicate.
- For example, through 1-bit indication information, "1" indicates that the integrity security protection of the session is activated, and "0" indicates that the integrity security protection of the session is not activated; or, "true" indicates that the integrity security protection of the session is activated, and "false" indicates that the integrity security protection of the session is not activated.
- This application does not limit its expression form.
- the first integrity security protection indication information is determined based on the first information. For example, based on the above step S410, if the network device determines to activate the integrity security protection of the session based on the first information, the first integrity security protection indication information is used to indicate the activation of the integrity security protection of the session; if the network device determines not to activate the integrity security protection of the session based on the first information, the first integrity security protection indication information is used to indicate not to activate the integrity security protection of the session.
- the first integrity security protection indication information is determined according to the first information and the user plane security protection policy. For example, based on the above step S404, if the network device determines to activate the integrity security protection of the session according to the first information and the user plane security protection policy, the first integrity security protection indication information is used to indicate that the integrity security protection of the session is activated; if the network device determines not to activate the integrity security protection of the session according to the first information and the user plane security protection policy, the first integrity security protection indication information is used to indicate that the integrity security protection of the session is not activated.
- the size of the first integrity security protection indication information can be 1 bit.
- the value of the first integrity security protection indication information is "1", indicating that the integrity security protection corresponding to the session is turned on, or one or more DRBs corresponding to the session have integrity security protection turned on, that is, one or more data carried on the one or more DRBs between the terminal device and the network device are integrity-protected, and the terminal device or the network device needs to perform an integrity check after receiving the one or more data;
- the value of the first integrity security protection indication information is "0", indicating that the integrity security protection corresponding to the session is not turned on, or one or more DRBs corresponding to the session do not have integrity security protection turned on, that is, one or more data carried on the one or more DRBs between the terminal device and the network device are not integrity-protected, and the terminal device or the network device does not need to perform an integrity check after receiving the one or more data.
- the network device may configure the PDCP entity of one or more DRBs corresponding to the session.
- the terminal device performs an integrity check on the first integrity security protection indication information.
- the terminal device can configure the PDCP entity of one or more DRBs corresponding to the session.
- the terminal device configures the integrity security protection key and integrity security protection algorithm of the one or more DRBs corresponding to the session in the PDCP entity, and activates the integrity security protection of the uplink user plane messages and/or data carried by the one or more DRBs, and activates the integrity check of the downlink user plane messages and/or data carried by the one or more DRBs;
- the terminal device does not need to configure the integrity security protection key and integrity security protection algorithm of the one or more DRBs corresponding to the session in the PDCP entity, and does not need to activate the integrity security protection of the uplink user plane messages and/or data carried by the one or more DRBs, and does not need to activate
- the terminal device may send a response message to the network device to indicate whether the terminal device has successfully activated the integrity security protection of the session. For example, if the terminal device successfully activates the integrity security protection of the session, the terminal device sends a response message #1 to the network device to indicate that the terminal device has successfully activated the integrity security protection of the session.
- the terminal device may send an RRC reconfiguration completion message to the network device to indicate that the terminal device has successfully activated the integrity security protection of the session, or in other words, to indicate that the terminal device has successfully configured the PDCP entity of one or more DRBs corresponding to the session.
- if the terminal device fails to successfully activate the integrity security protection of the session, the terminal device sends a response message #2 to the network device to indicate that the terminal device has failed to activate the integrity security protection of the session.
- the response message #2 may carry a failure cause value, for example, the failure cause value may be used to indicate that the verification of the first integrity security protection indication information has failed.
- the network device performs an integrity check on the received uplink message and/or data, and stores the uplink data if the integrity check passes, and does not store the uplink data or discards the uplink data if the integrity check fails.
- This can ensure the security of network communications while reducing the risk of DoS attacks.
- the specific implementation method can refer to the relevant description of the following method 500, which will not be explained here.
- the above method 300 is described by taking user plane integrity security protection, user plane integrity security policy, or integrity verification as an example, which is only an example given for ease of understanding and does not constitute a limitation on the technical solution of the present application.
- the technical solution of the present application is also applicable to user plane confidentiality security protection, user plane confidentiality security policy, or decryption operation, etc.
- the specific implementation method can refer to the above related description, which will not be described here.
- the network device determines whether to activate the integrity security protection of the session based on the first information, and can also consider the user plane integrity security policy and/or the local policy of the network device in addition, and turn on or activate the integrity security protection of the session as much as possible, so that the user plane data received by the network device is protected by integrity security to the greatest extent, so that in the scenario where the feeder link is disconnected, only the user plane data that has passed the integrity check is stored, which not only alleviates the potential risk of denial of service DoS attacks, but also ensures the security of network communications.
- FIG5 is a flow chart of a communication method 500 provided in an embodiment of the present application.
- in method 500, the terminal device is a UE, the network device is a base station, and the core network element is an AMF or SMF; these are taken as the execution subjects that interact with each other.
- the present application may refer to a base station deployed on a satellite as a satellite base station, and to a base station deployed on a non-satellite, such as a base station deployed on the ground, as a ground base station.
- This method can be regarded as a further refinement of the above-mentioned method 400.
- the embodiment shown in FIG5 and the embodiment shown in FIG4 can be coupled with each other and can be used as a reference to each other.
- the relevant description in the above-mentioned method 400 is also applicable to this implementation method.
- the same or similar technical means may exist between the two.
- the content described in the embodiment shown in FIG4 will not be repeated.
- the method includes the following multiple steps. For parts not described in detail, refer to the above-mentioned method 400 or the existing protocol.
- the embodiment of the present application does not limit the number of UEs registered to the same network. It should be understood that for the scenario where multiple UEs are registered to the network, the process of each UE establishing a session and the specific implementation of activating or not activating the user plane integrity security protection of the session are similar. For ease of description, this implementation is described by taking an example of a UE registering to the network, establishing a session, and determining whether to activate or not activate the user plane integrity security protection of the session.
- the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
- one session can correspond to one or more DRBs. It should be understood that the session is used to transmit data between the UE and the core network. For example, one session is used to transmit one or more data.
- the one or more data can be carried by the one or more DRBs respectively, and usually one DRB carries one data.
- AMF sends a session creation context request message to SMF, and correspondingly, SMF receives the session creation context request message from AMF.
- AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
- the satellite base station determines whether to activate the integrity security protection of the session according to the first information. In other words, the satellite base station activates or does not activate the integrity security protection of the session according to the first information.
- whether to activate the integrity security protection of the session can be understood as whether to activate the integrity security protection of one or more DRBs corresponding to the session, or whether integrity security protection is enabled for the data transmitted between the terminal device and the network device.
- the satellite base station obtains first information, for example, the first information includes one or more of capability information, configuration information, or location information of the network device.
- the specific implementation of obtaining the first information and the meaning of the first information can refer to the relevant description of step S410 of the above method 400.
- the satellite base station determines whether to activate the integrity security protection of the session according to the capability information. In other words, the satellite base station determines whether to activate or not activate the integrity security protection of the session according to the capability information.
- the satellite base station determines whether to activate the integrity security protection of the session according to the configuration information. In other words, the satellite base station activates or does not activate the integrity security protection of the session according to the configuration information.
- the base station determines whether to activate the integrity security protection of the session according to the location information. In other words, the base station activates or does not activate the integrity security protection of the session according to the location information.
- the satellite base station may determine whether to activate the integrity security protection of the session based on the first information and the user plane integrity security policy carried in the above step S505. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the first information and the user plane integrity security policy.
- An example illustration includes one or more of the following. The specific implementation method may refer to the relevant description of step S404 of the above method 400.
- the satellite base station determines whether to activate the integrity security protection of the session based on the capability information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the capability information and the user plane integrity security policy.
- the satellite base station determines whether to activate the integrity security protection of the session based on the configuration information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the configuration information of the base station and the user plane integrity security policy.
- the base station determines whether to activate the integrity security protection of the session based on the location information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the location information and the user plane integrity security policy.
- the satellite base station sends an RRC reconfiguration message to the UE, and correspondingly, the UE receives the RRC reconfiguration message from the satellite base station.
- the RRC reconfiguration message may be an RRC Reconfiguration message.
- the RRC reconfiguration message includes one or more DRB identifiers (e.g., DRB ID) corresponding to the session, and an integrity security protection indication of the one or more DRBs, wherein the integrity security protection indication is used to indicate whether integrity security protection is enabled for the one or more DRBs, or whether integrity security protection needs to be activated for the one or more DRBs.
- the RRC reconfiguration message may also include the session acceptance message carried in step S505.
- in step S508, the UE performs an integrity check on the RRC reconfiguration message.
- the UE configures the PDCP entity of the one or more DRBs.
- the UE sends an RRC reconfiguration completion message to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message from the UE.
- the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
- the satellite base station performs an integrity check on the received uplink data to determine whether to store the uplink data, thereby reducing the risk of DoS attacks while ensuring network communication security.
- the connection between the satellite base station and the ground core network is disconnected, for example, the feeder link is disconnected.
- the triggering condition for the feeder link disconnection includes one or more of the following:
- the satellite base station flies to the side away from the ground gateway station, that is, the ground gateway station cannot receive the signal transmitted by the satellite base station;
- the above triggering conditions may also include:
- the load of the satellite base station is greater than a first threshold.
- the first threshold may be predefined, such as defined by a protocol, or the first threshold may be configured or preconfigured, which is not limited in the present application.
- the specific implementation method of integrity verification includes any of the following:
- the satellite base station performs integrity check on all received uplink data
- the satellite base station determines whether to perform integrity check on the received uplink data based on the session granularity.
- if the satellite base station determines in step S506 to activate the user plane integrity security protection of the session, the satellite base station needs to perform integrity check on the one or more uplink data received through one or more DRBs corresponding to the session; or, if the satellite base station determines in step S506 not to activate the user plane integrity security protection of the session, the satellite base station does not need to perform integrity check on the one or more uplink data received through one or more DRBs corresponding to the session, and optionally, the satellite base station may directly discard the one or more uplink data.
- the satellite base station determines whether to perform integrity check on the received uplink data based on the DRB granularity.
- the satellite base station can further determine whether to activate the user plane integrity security protection of the one or more DRBs based on local policies, such as its own load conditions. Assuming that the session corresponds to two DRBs (such as DRB#1 and DRB#2), when it is determined according to the first information and/or the user plane integrity security policy that the user plane integrity security protection of the session can be optionally enabled, the satellite base station determines according to its own load that DRB#1 enables user plane integrity security protection, and DRB#2 does not enable user plane integrity security protection.
- for uplink data #1 received by the satellite base station through DRB#1, the satellite base station needs to perform integrity check on uplink data #1, and for uplink data #2 received through DRB#2, the satellite base station does not need to perform integrity check on uplink data #2. Optionally, the satellite base station can directly discard uplink data #2.
- the MAC value calculation and judgment method involved in the integrity verification process can refer to the relevant description of the above method 300, which will not be repeated here.
- the satellite base station determines whether to store the uplink data according to the verification result.
- the check result is used to indicate whether the integrity check performed by the satellite base station on the received uplink data in the above step S513 is passed, that is, whether the check succeeded (passed) or failed.
- the satellite base station stores uplink data that passes the integrity check, does not store or discards uplink data without integrity security protection, or does not store or discards uplink data that fails the integrity check.
- the satellite base station determines whether to activate the integrity security protection of the session based on one or more of the user plane integrity security policy, local policy, capability information, configuration information, or location information of the satellite base station, and turns on the session integrity security protection as much as possible, so that the user plane data received by the satellite base station is protected by integrity security to the greatest extent.
- in the scenario where the feeder link is disconnected, the satellite base station only stores data that has passed the integrity check, which can alleviate potential DoS risks and ensure network communication security.
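An added worked model (not code from the patent) of the decision in steps S513 and S514: the satellite base station checks each uplink PDU according to the activation state of its DRB and stores only protected data that passes the check. The 32-bit HMAC-SHA256 MAC, the DRB table and all names are assumptions standing in for the MAC calculation of method 300, which this page does not reproduce.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAC_LEN = 4   # 32-bit MAC-I as carried in PDCP
UPLINK = 0    # DIRECTION value for uplink


def compute_mac(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in for the 3GPP integrity algorithm (assumption, not the page's method 300):
    HMAC-SHA256 over COUNT || BEARER || DIRECTION || data, truncated to 32 bits."""
    header = count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 0x01])
    return hmac.new(key, header + data, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class DrbConfig:
    drb_id: int
    integrity_active: bool      # outcome of the S506 decision, possibly refined per DRB by local policy
    key: bytes = b""            # integrity key held by the PDCP entity when protection is activated


def ue_build_pdu(cfg: DrbConfig, count: int, payload: bytes) -> bytes:
    """UE side: append MAC-I only when the DRB's integrity security protection is activated."""
    if not cfg.integrity_active:
        return payload
    return payload + compute_mac(cfg.key, count, cfg.drb_id, UPLINK, payload)


@dataclass
class SatelliteBaseStation:
    drbs: Dict[int, DrbConfig]
    store_and_forward: bool = True
    feeder_link_up: bool = True
    stored: List[Tuple[int, int, bytes]] = field(default_factory=list)   # buffered uplink data

    def check_required(self) -> bool:
        # Trigger condition named on the page: store-and-forward supported and feeder link disconnected
        return self.store_and_forward and not self.feeder_link_up

    def handle_uplink(self, drb_id: int, count: int, pdu: bytes) -> str:
        """S513/S514: verify the PDU per the DRB's activation state, then decide whether to store it."""
        cfg = self.drbs[drb_id]
        if not self.check_required():
            return "forward"                  # feeder link up: hand the PDU to the ground core network
        if not cfg.integrity_active:
            return "discard_unprotected"      # unprotected DRB (DRB#2 in the page's example): not stored
        if len(pdu) < MAC_LEN:
            return "discard_failed_check"
        payload, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        expected = compute_mac(cfg.key, count, drb_id, UPLINK, payload)
        if not hmac.compare_digest(mac, expected):
            return "discard_failed_check"     # failed check: not stored
        self.stored.append((drb_id, count, payload))
        return "store"


def demo() -> List[str]:
    """Constructed scenario: one session with DRB#1 (integrity on) and DRB#2 (off), feeder link down."""
    key = bytes(range(16))                                   # constructed sample key
    drb1, drb2 = DrbConfig(1, True, key), DrbConfig(2, False)
    gnb = SatelliteBaseStation({1: drb1, 2: drb2}, feeder_link_up=False)
    good = ue_build_pdu(drb1, 7, b"telemetry-frame")
    tampered = bytes([good[0] ^ 0x80]) + good[1:]            # flip one payload bit in transit
    return [
        gnb.handle_uplink(1, 7, good),                       # store
        gnb.handle_uplink(1, 7, tampered),                   # discard_failed_check
        gnb.handle_uplink(1, 8, good),                       # COUNT mismatch: discard_failed_check
        gnb.handle_uplink(2, 1, ue_build_pdu(drb2, 1, b"x")),   # discard_unprotected
    ]
```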
- in the schemes shown in Figures 4 and 5, during session establishment of the terminal device, the satellite base station activates the integrity security protection of the session to the maximum extent according to the first information, thereby alleviating potential DoS risks and ensuring network communication security.
- in the schemes shown in Figures 6 and 7 below, when the feeder link is disconnected, the satellite base station and the UE release the session and/or DRB for which integrity security protection is not activated, or modify the integrity security protection state of the session and/or DRB to an activated state, thereby reducing the processing load of the UE and the satellite base station, avoiding potential DoS risks, and ensuring network communication security.
- FIG6 is a flow chart of a communication method provided by an embodiment of the present application.
- the method 600 can be executed by a terminal device, a network device, and a core network element (such as a session management element), or it can also be executed by a chip or circuit of a terminal device, a network device, and a core network element (such as a session management element), or it can also be implemented by a logic module or software that can realize all or part of the functions of the communication device, and the present application does not limit this.
- the following description takes a terminal device, a network device, and a session management network element as the execution subjects by way of example.
- the method includes the following multiple steps; parts not described in detail may refer to the above methods 300-500, or to the existing protocol.
- the network device determines to release the session and/or the first DRB.
- the network device determines that there is no need to modify the integrity security protection status of the session and/or the first DRB, that is, at this time the integrity security protection status of the session and/or the first DRB is activated.
- the network device determines to modify the integrity security protection state of the session and/or the first DRB, that is, to change it from an inactivated state to an activated state.
- the first link is a link between the network device and the core network.
- the first link may be a feeder link.
- the triggering condition for disconnection of the first link may refer to the relevant description of step S511 of the above method 500 and will not be described here.
- the network device determines whether to release the first DRB based on the first integrity security protection indication information, or the network device determines whether to modify the integrity security protection status of the first DRB based on the first integrity security protection indication information.
- the network device determines to release the session and/or the first DRB.
- the network device determines not to release the session and/or the first DRB.
- the network device determines to keep the integrity security protection state of the session and/or the first DRB as activated.
- the corresponding triggering conditions may include one or more of the following:
- the network equipment supports store-and-forward operations and the feeder link is disconnected
- the load of the network device is greater than a first threshold.
- the first threshold may be predefined, such as a protocol definition, or the first threshold may be configured or preconfigured, which is not limited in the present application.
- the network device may store the identifier of the session and/or the first DRB; and/or record that the integrity security protection state of the session and/or the first DRB before modification is in an inactivated state, for subsequent targeted restoration of the session and/or the first DRB and its integrity security protection state before modification.
- the present application does not limit the timing of storing the identifier of the session and/or the first DRB, and/or of recording the inactivated integrity security protection state of the session and/or the first DRB before modification.
- the network device may do so after sending the first message to the terminal device, that is, after step S640, and/or, the network device may do so before sending the second message to the terminal device.
- the specific implementation method may refer to the relevant description of the following step S660, which will not be explained here.
- the network device sends a first message to the terminal device, and correspondingly, the terminal device receives the first message from the network device.
- the first message is used to indicate the release result or modification result of the session and/or the first DRB.
- the first message may be an RRC reconfiguration message, such as an RRC Reconfiguration message.
- the release result indicates the release of the session and/or the first DRB.
- the release result indicates that the session and/or the first DRB will not be released.
- the modification result indicates that the integrity security protection state of the session and/or the first DRB is modified to an activated state.
- the modification result indicates that the integrity security protection state of the first DRB is kept activated.
- S650 The terminal device performs an integrity check on the first message.
- the terminal device may determine whether the integrity check passes by comparing the MAC value.
- the specific implementation method may refer to the relevant description of the above method 300 and will not be described again here.
- the terminal device determines whether to release the first DRB based on the release result, or determines whether to modify the integrity security protection status of the first DRB based on the modification result.
- the terminal device can further determine whether to release the session and/or the first DRB, or whether to modify the integrity security protection status of the session and/or the first DRB.
- for example, if the first message indicates to release the first DRB, the terminal device releases the session and/or the first DRB, and the terminal device cannot subsequently send uplink data through the session and/or the first DRB, nor receive downlink data through the session and/or the first DRB; for another example, if the first message indicates not to release the first DRB, the terminal device does not release the session and/or the first DRB, and the terminal device can subsequently still send uplink data through the session and/or the first DRB, and receive downlink data through the session and/or the first DRB.
- whether integrity security protection is enabled for the session and/or the first DRB depends on the user plane integrity security policy, and the specific implementation method can refer to the relevant description of the above method 300.
- for example, if the first message indicates to modify the integrity security protection state of the first DRB to an activated state, the terminal device modifies the integrity security protection state of the session and/or the first DRB to an activated state; for another example, if the first message indicates to keep the integrity security protection state of the first DRB activated, the terminal device does not need to modify the integrity security protection state of the session and/or the first DRB.
- the terminal device can subsequently send uplink data through the session and/or the first DRB, and receive downlink data through the session and/or the first DRB. It should be noted that the uplink and downlink data carried on the first DRB are integrity security protected and need to be integrity checked.
- the terminal device can reconfigure the PDCP entity of the first DRB.
- if the first message indicates to release the first DRB, the terminal device deletes the PDCP entity of the first DRB, including deleting the integrity security protection key and integrity security protection algorithm of the first DRB; if the first message indicates to modify the integrity security protection state of the first DRB to an activated state, the terminal device configures the integrity security protection key and integrity security protection algorithm in the PDCP entity corresponding to the first DRB, which means that the integrity security protection of the uplink user plane messages and/or data carried by the first DRB is activated, and the integrity check of the downlink user plane messages and/or data carried by the first DRB is activated.
- the terminal device may send a response message #1 to the network device, indicating that the terminal device has successfully released the first DRB, or indicating that the terminal device has successfully modified the integrity security protection state of the first DRB to an activated state.
- the terminal device may send an RRC reconfiguration completion message to the network device.
- the terminal device may send a response message #2 to the network device.
- the response message #2 may carry a failure cause value, for example, the failure cause value may be used to indicate that the verification of the first integrity security protection indication information has failed, etc.
- the network device performs an integrity check on the received uplink message and/or data, and stores the uplink data if the integrity check passes, and does not store the uplink data or discards the uplink data if the integrity check fails.
- This ensures the security of network communications while reducing the risk of DoS attacks.
- the network device may send a second message to the terminal device, where the second message is used to indicate establishment of a second DRB, and the second message includes second integrity security protection indication information, where the second integrity security protection indication information is used to indicate that the second DRB does not activate integrity security protection, and the second DRB is used to carry data between the terminal device and the network device.
- the second DRB can be a DRB re-established between the terminal device and the network device, or it can be the first DRB released as determined in the above step S630, or the first DRB whose integrity security protection state is modified to an activated state.
- This application does not limit this.
- This implementation method is to facilitate subsequent normal communication between the terminal device and the network device.
- the second message includes an identifier of the first DRB, and/or the second integrity security protection indication information is determined based on the fact that the integrity security protection state of the first DRB before modification is in an inactivated state. That is, the network device may determine that the integrity security protection of the re-established second DRB is inactivated or not enabled based on the fact that the integrity security protection state of the first DRB before modification recorded in the above step S630 is inactivated. Optionally, the network device may also determine not to activate or enable the integrity security protection of the second DRB based on the user plane integrity security policy of the session, which is not limited in the present application.
- the above method 600 is described by taking user plane integrity security protection, user plane integrity security policy, or integrity verification as an example, which is only an example given for ease of understanding and does not constitute a limitation on the technical solution of the present application.
- the technical solution of the present application is also applicable to user plane confidentiality security protection, user plane confidentiality security policy, or decryption operation, etc.
- the specific implementation method can refer to the above related description, which will not be described here.
- the network device determines whether to release the first DRB based on the user plane integrity security policy, or modifies the integrity security protection state of the first DRB to an activated state, so that the user plane data subsequently received by the network device is all protected by integrity security.
- in the scenario where the feeder link is disconnected, the satellite base station only stores user plane data that has passed the integrity check, which can alleviate potential DoS risks and ensure network communication security.
- Figure 7 is a flow chart of a communication method 700 provided in an embodiment of the present application.
- the terminal device is a UE, the core network element is an AMF, and the session management network element is an SMF; these are the execution subjects of the interaction.
- this method can be regarded as a further refinement of the above-mentioned method 600, and mainly describes the satellite base station and the UE releasing sessions and/or DRBs for which integrity security protection is not activated.
- the embodiment shown in Figure 7 and the embodiment shown in Figure 6 can be coupled to each other and can be used as references to each other. Therefore, the relevant descriptions in the above-mentioned method 600 are also applicable to this implementation method.
- the same or similar technical means may exist between the two, and the contents described in the embodiment shown in Figure 6 will not be repeated.
- the method includes the following multiple steps, and the parts that are not fully described can refer to the above-mentioned method 600 or the existing protocol.
- the embodiment of the present application does not limit the number of UEs registered to the same network.
- this implementation is described by taking two UEs (e.g., UE1 and UE2) registering to the network, establishing a session, and determining whether to activate or not activate the user plane integrity security protection of the session as an example.
- the process of establishing a session for UE1 and for UE2, and the specific implementation of activating or not activating the user plane integrity security protection of the session, are similar; repeated parts are not described again below.
- UE1 sends a session establishment request message to AMF, and correspondingly, AMF receives the session establishment request message from UE1.
- AMF sends a session creation context request message to SMF, and correspondingly, SMF receives the session creation context request message from AMF.
- SMF sends a session creation context response message to AMF, and correspondingly, AMF receives a session creation context response message from SMF.
- AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from AMF.
- the satellite base station sends an RRC reconfiguration message #1 to UE1, and correspondingly, UE1 receives the RRC reconfiguration message #1 from the satellite base station.
- UE1 sends an RRC reconfiguration completion message #1 to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message #1 from UE1.
- the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
- the following steps are for the satellite base station to release the session and/or DRB without integrity security protection between UE2 and the satellite base station after the feeder link is disconnected, thereby alleviating the potential DoS risk and reducing the processing load of UE2 and the satellite base station.
- the satellite base station triggers the addition of the previously released session and/or DRB without integrity security protection to ensure the communication connection between UE2 and the satellite base station.
- the connection between the satellite base station and the ground core network is disconnected, for example, the feeder link is disconnected, wherein the triggering condition of the feeder link disconnection can refer to the relevant description of step S511 of the above method 500.
- the satellite base station releases the session and/or DRB for which integrity security protection is not activated.
- a session and/or DRB for which integrity security protection is not activated means that the integrity security protection of the session and/or DRB is not turned on, or in other words, the user plane data carried on the session and/or DRB is not security protected and no integrity check is required.
- the triggering conditions for the satellite base station to release the session and/or DRB for which integrity security protection is not activated can refer to the relevant description of the above-mentioned method 600 and will not be explained here.
- the satellite base station may determine the session and/or DRB that needs to be released according to the user plane integrity security policy received in step S705. For example, if the user plane integrity security policy indicates that integrity security protection is enabled for session #1 (or one or more DRB #1s corresponding to the session) between UE1 and the satellite base station, the satellite base station does not release the session #1 or the one or more DRB #1s; for another example, if the user plane integrity security policy indicates that integrity security protection is not enabled or can be optionally enabled for session #2 (or one or more DRB #2s corresponding to the session) between UE2 and the satellite base station, the satellite base station releases the session #2 or the one or more DRB #2s.
- the satellite base station can release the PDCP entities corresponding to the one or more DRB#2s.
- all uplink data subsequently received by the satellite base station are integrity-secured, such as uplink data received through one or more DRB#1s, so it is necessary to perform integrity checks on all received uplink data.
- the satellite base station sends an RRC reconfiguration message #2 to UE2, and correspondingly, UE2 receives the RRC reconfiguration message #2 from the satellite base station.
- the RRC reconfiguration message #2 includes a session ID and/or a DRB ID, for example, for identifying the session #2 or the one or more DRB #2s for which integrity security protection is not activated in the above step S711.
- the RRC reconfiguration message #2 may carry a drb-ToReleaseList information element, which includes a DRB ID for which integrity security protection is not activated, for example, DRB #2 ID.
- the integrity security protection activation state of the session #2 or the one or more DRB #2s is in an inactive state, or in other words, the integrity security protection of the session #2 or the one or more DRB #2s is not enabled, indicating that the user plane data carried on the session #2 or the one or more DRB #2s has not been integrity-secured and no integrity check is required.
- the satellite base station stores the released session #2 ID and/or DRB #2 ID.
- the stored session #2 ID and/or DRB #2 ID can be used to restore session #2 and/or DRB #2 in the subsequent step S720.
- the UE releases the corresponding session #2 and/or DRB #2 according to the session #2 ID and/or DRB #2 ID.
- UE2 releases the PDCP entity corresponding to DRB #2. That is, UE2 cannot transmit user plane data with the satellite base station through the session #2 and/or DRB #2.
- the RRC reconfiguration message #2 in the above step S712 does not need to undergo integrity security protection.
- UE2 does not need to perform integrity check on RRC reconfiguration message #2.
- UE2 sends an RRC reconfiguration completion message #2 to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message #2 from the UE.
- RRC reconfiguration complete message #2 is used to indicate that UE2 has released session #2 and/or DRB #2.
- UE1 sends uplink data to the satellite base station, and correspondingly, the satellite base station receives the uplink data from UE1.
- the satellite base station performs integrity check on the uplink data.
- the triggering conditions for the satellite base station to perform integrity check on uplink data include one or more of the following:
- the satellite base station supports store-and-forward operation and the feeder link is disconnected
- the satellite base station determines whether to store the uplink data according to the verification result.
- the verification result includes verification success (pass), or verification failure (failure). It should be understood that the satellite base station stores the uplink data that passes the integrity verification and discards the uplink data that fails the integrity security protection verification.
- the triggering conditions for feeder link recovery include one or more of the following:
- the satellite base station flies to the side close to the ground gateway station, that is, the ground gateway station can receive the signal transmitted by the satellite base station;
- the satellite base station sends an RRC reconfiguration message #3 to UE2, and correspondingly, UE2 receives the RRC reconfiguration message #3 from the satellite base station.
- RRC reconfiguration message #3 is used to instruct UE2 to add (or reestablish) session #3 and/or DRB #3, and the session #3 and/or DRB #3 are used to transmit data between UE2 and the satellite base station.
- session #3 and/or DRB #3 may be the same as or different from the above-mentioned released session #2 and/or DRB #2, and this application does not limit this.
- RRC reconfiguration message #3 carries a drb-ToAddModList information element, which includes session #3ID and/or DRB #3ID and its corresponding integrity security protection indication.
- DRB#3ID can be the released DRB ID (for example, DRB#2ID) stored by the satellite base station in the above step S712.
- the RRC reconfiguration message #3 is used to instruct UE2 to re-establish the previously released session #2 and/or DRB#2, and according to the integrity security protection indication carried in the RRC reconfiguration message #3, the integrity security protection of the session #2 and/or DRB#2 is not enabled.
- the triggering condition for the satellite base station to send the RRC reconfiguration message #3 includes one or more of the following:
- the load of the satellite base station itself is lower than a second threshold.
- the second threshold may be predefined, such as defined by a protocol, or the second threshold may be configured or preconfigured.
- the second threshold may be the same as or different from the first threshold in the above step S716, and this application does not limit this.
- UE2 establishes a session and/or DRB based on the session ID and/or DRB ID.
- UE2 re-establishes session #3 according to session #3ID, and determines that the integrity security protection of session #3 is not enabled according to the integrity security protection indication corresponding to session #3; in other words, UE2 re-establishes DRB #3 according to DRB #3ID, and determines that the integrity security protection of DRB #3 is not enabled according to the integrity security protection indication corresponding to DRB #3, that is, UE2 configures the PDCP entity corresponding to DRB #3. Since the integrity security protection of DRB #3 is not activated, UE2 does not need to configure the integrity security protection key and integrity security protection algorithm in the PDCP entity.
- in one implementation, whether the user plane integrity security protection is enabled is consistent across the one or more DRBs corresponding to the session.
- in another implementation, whether the user plane integrity security protection is enabled may differ among the multiple DRBs corresponding to the session.
- the integrity security protection of session #a is optionally enabled, which means that the user plane integrity security protection of DRB#a and DRB#b corresponding to session #a is optionally enabled.
- the satellite base station can determine to enable the user plane integrity security protection of DRB#a according to local policies or its own load conditions, and not to enable the user plane integrity security protection of DRB#b, that is, the satellite base station determines that DRB#b needs to be released. Furthermore, the satellite base station can notify UE1 to release DRB#b through an RRC reconfiguration message, and subsequently UE1 and the satellite base station can transmit data through DRB#a, and the transmitted data is integrity security protected, and the DRB#b cannot be used to transmit data between UE1 and the satellite base station.
- the satellite base station can instruct UE1 to add (or re-establish) DRB#c and the user plane integrity security protection of the DRB#c is not enabled.
- the DRB#c and DRB#b may be the same or different.
- when the feeder link between the satellite base station and the UE is disconnected, the satellite base station and the UE modify the integrity security protection state of the session and/or DRB whose integrity security protection is inactivated to an activated state, so that the uplink data transmitted between the UE and the satellite base station are all security protected, avoiding potential DoS risks while ensuring normal communication between the UE and the satellite base station.
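An added model (not the patent's own code) of the release and modify behaviour described in methods 600 and 700 above: on the trigger condition, the network device either releases every DRB whose integrity security protection is not activated (drb-ToReleaseList) or modifies it to the activated state (drb-ToAddModList), records the prior state, and after feeder link recovery re-adds or restores the DRB with integrity protection not activated. The policy names, thresholds, the message model and the class names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# User plane integrity security policy values the page refers to
# ("enabled", "can be optionally enabled", "not enabled"); the names are assumptions.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not_needed"


@dataclass
class Drb:
    drb_id: int
    session_id: int
    policy: str
    integrity_active: bool
    key_configured: bool = False   # integrity key and algorithm present in the PDCP entity


@dataclass
class RrcReconfiguration:
    """Constructed message model (not the RRC ASN.1) carrying the two IEs the page names."""
    drb_to_release_list: List[int] = field(default_factory=list)
    # entries are (session ID, DRB ID, integrity security protection indication)
    drb_to_add_mod_list: List[Tuple[int, int, bool]] = field(default_factory=list)


class NetworkDevice:
    """Satellite base station in either mode the page describes: 'release' or 'modify'."""

    def __init__(self, drbs: List[Drb], mode: str, first_threshold: int,
                 second_threshold: int, store_and_forward: bool = True):
        assert mode in ("release", "modify")
        self.drbs: Dict[int, Drb] = {d.drb_id: d for d in drbs}
        self.mode = mode
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.store_and_forward = store_and_forward
        self.record: Dict[int, Drb] = {}   # S630 record: affected DRBs with their prior (inactive) state

    def triggered(self, feeder_link_up: bool, load: int) -> bool:
        # Trigger conditions from the page: store-and-forward with feeder link down, or load above threshold
        return (self.store_and_forward and not feeder_link_up) or load > self.first_threshold

    def first_message(self, feeder_link_up: bool, load: int) -> RrcReconfiguration:
        """S630/S640: release, or activate, every DRB whose integrity protection is not activated."""
        msg = RrcReconfiguration()
        if not self.triggered(feeder_link_up, load):
            return msg
        for d in list(self.drbs.values()):
            if d.integrity_active:
                continue                                    # already activated: keep as is
            self.record[d.drb_id] = Drb(d.drb_id, d.session_id, d.policy, False)
            if self.mode == "release":
                del self.drbs[d.drb_id]                     # PDCP entity released; ID kept in the record
                msg.drb_to_release_list.append(d.drb_id)
            else:
                d.integrity_active = d.key_configured = True
                msg.drb_to_add_mod_list.append((d.session_id, d.drb_id, True))
        return msg

    def second_message(self, load: int) -> Optional[RrcReconfiguration]:
        """After feeder link recovery: re-add or restore recorded DRBs with protection not activated."""
        if not self.record or load >= self.second_threshold:
            return None
        msg = RrcReconfiguration()
        for drb_id, prior in self.record.items():
            self.drbs[drb_id] = prior                       # restore the pre-modification state
            msg.drb_to_add_mod_list.append((prior.session_id, drb_id, prior.integrity_active))
        self.record.clear()
        return msg


class TerminalDevice:
    def __init__(self, drbs: List[Drb]):
        self.drbs: Dict[int, Drb] = {d.drb_id: d for d in drbs}

    def apply(self, msg: RrcReconfiguration) -> List[str]:
        """Apply a first or second message; returns the PDCP actions taken, for inspection."""
        actions = []
        for drb_id in msg.drb_to_release_list:
            self.drbs.pop(drb_id, None)                     # delete PDCP entity, key and algorithm
            actions.append(f"release DRB#{drb_id}")
        for session_id, drb_id, integrity in msg.drb_to_add_mod_list:
            d = self.drbs.get(drb_id) or Drb(drb_id, session_id, PREFERRED, False)
            d.integrity_active = d.key_configured = integrity   # key/algorithm only when activated
            self.drbs[drb_id] = d
            actions.append(f"DRB#{drb_id} integrity {'activated' if integrity else 'not activated'}")
        return actions

    def can_transmit(self, drb_id: int) -> bool:
        return drb_id in self.drbs
```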
- FIG 8 is a flow chart of a communication method 800 provided in an embodiment of the present application.
- the terminal device is UE and the session management network element is SMF as the execution subject to interact.
- This method can be regarded as a further refinement of the above method 400.
- the embodiment shown in Figure 8 and the embodiment shown in Figure 6 can be coupled with each other and can refer to each other. Therefore, the relevant description in the above method 600 is also applicable to this implementation. There may be the same or similar technical means between the two, and the content described in the embodiment shown in Figure 6 or Figure 7 will not be repeated.
- the method includes the following multiple steps; parts not described in detail may refer to the above methods 600-700, or to the existing protocol.
- AMF sends a session creation context request message to SMF, and correspondingly, SMF receives the session creation context request message from AMF.
- S804 SMF sends a session creation context response message to AMF, and correspondingly, AMF receives a session creation context response message from SMF.
- AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
- the satellite base station sends an RRC reconfiguration message #1 to the UE, and correspondingly, the UE receives the RRC reconfiguration message #1 from the satellite base station.
- the UE performs an integrity check on the RRC reconfiguration message #1.
- the UE sends an RRC reconfiguration completion message #1 to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message #1 from the UE.
- the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
- steps S801 to S809 may refer to the related description of steps S701 to S709 of the above method 700.
- the following steps describe how, after the feeder link is disconnected, the satellite base station modifies the session and/or DRB without integrity security protection so as to activate integrity security protection, thereby mitigating the potential DoS risk and reducing the processing load of the UE and the satellite base station.
- the satellite base station triggers the above-mentioned DRB with activated integrity security protection to restore to the previous state without integrity security protection, ensuring the communication connection between the UE and the satellite base station.
- the connection between the satellite base station and the ground core network is disconnected, such as the feeder link is disconnected, wherein the triggering condition of the feeder link disconnection can refer to the relevant description of step S511 of the above method 500.
- the satellite base station modifies the integrity security protection state of the session and/or DRB for which integrity security protection is not activated to an activated state.
- a session and/or DRB for which integrity security protection is not activated means that the integrity security protection of the session and/or DRB is not turned on, or in other words, the user plane data carried on the session and/or DRB is not security protected and no integrity check is required.
- the satellite base station modifies the PDCP entity corresponding to the DRB accordingly, for example, the satellite base station configures the integrity security protection key and the integrity security protection algorithm in the PDCP entity.
- the satellite base station activates the integrity security protection of the downlink data on the DRB, and activates the integrity check of the uplink data on the DRB.
- all uplink data subsequently received by the satellite base station through the DRB is integrity security protected, so it is necessary to perform integrity check on the uplink data received through the DRB.
- the satellite base station sends an RRC reconfiguration message #2 to the UE, and correspondingly, the UE receives the RRC reconfiguration message #2 from the satellite base station.
- the RRC reconfiguration message #2 includes a session ID and/or a DRB ID, and the integrity security protection activation state of the session and/or DRB corresponding to the session ID and/or DRB ID is an inactive state.
- the RRC reconfiguration message #2 also includes an integrity security protection indication corresponding to the session and/or DRB, and the integrity security protection indication is used to instruct the UE to activate (or turn on) the integrity security protection of the session and/or DRB.
- the RRC reconfiguration message #2 is used to instruct the UE to modify the integrity security protection state of the session and/or DRB, that is, to change it from an inactive state to an active state.
- the RRC reconfiguration message #2 carries a drb-ToAddModList information element, which includes a session ID and/or DRB ID for which integrity security protection is not activated.
- the satellite base station records the session ID and/or DRB ID whose integrity security protection state has been modified, or records that the integrity security protection state of the session and/or DRB before the modification is in an inactive state, or records that the integrity security policy of the session and/or DRB before the modification indicates that integrity security protection is not enabled, etc.
- the recorded session ID and/or DRB ID is used to restore the integrity security protection state of the session and/or DRB to an inactive state in the subsequent step S820.
- the UE modifies the integrity security protection state of the session and/or DRB to an activated state.
- the integrity security protection state of the session/DRB is inactive before the modification and active after the modification.
- the UE modifies the integrity security protection state of the corresponding session and/or DRB to an activated state according to the session ID and/or DRB ID.
- the UE modifies the PDCP entity corresponding to the DRB, including: configuring the integrity security protection key and the integrity security protection algorithm in the PDCP entity.
- the UE activates the integrity security protection of the uplink data on the DRB, and activates the integrity check of the downlink data on the DRB.
- all uplink data subsequently sent by the UE through the session and/or DRB are integrity security protected, so the satellite base station also needs to perform integrity check on the uplink data received through the session and/or DRB.
- the UE sends an RRC reconfiguration completion message #2 to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message #2 from the UE.
- the RRC reconfiguration complete message #2 is used to indicate that the UE has modified the integrity security protection state of the session and/or DRB to an activated state.
- the UE sends uplink data to the satellite base station, and correspondingly, the satellite base station receives the uplink data from the UE.
- since the UE has modified the integrity security protection state of the session and/or DRB that had not activated integrity security protection to an activated state, the UE needs to apply integrity security protection to the uplink data before sending it.
- for the specific implementation, refer to the relevant description of the above method 300.
- the satellite base station determines whether to store the uplink data according to the verification result.
- the session ID is the session ID of the session whose integrity security protection state has been modified recorded by the satellite base station in the above step S812.
- the RRC reconfiguration message #3 is used to instruct the UE to modify the integrity security protection state of the session and/or DRB, that is, from an activated state to an inactivated state.
- the integrity security protection indication is used to indicate that the integrity security protection of the session and/or DRB is not enabled.
- the UE modifies the integrity security protection status of the session and/or DRB to an inactivated state based on the session ID and/or DRB ID.
- the UE modifies the integrity security protection state of the corresponding session and/or DRB according to the session ID and/or DRB ID to an inactive state, that is, the integrity security protection of the session and/or DRB is not enabled.
- the UE modifies the PDCP entity corresponding to the DRB. Since the integrity security protection of the DRB is not enabled, the UE does not need to configure the integrity security protection key and integrity security protection algorithm in the PDCP entity.
- the satellite base station deletes the integrity security protection key and integrity security protection algorithm corresponding to the PDCP entity.
- whether user plane integrity security protection is enabled is consistent across the one or more DRBs corresponding to the session.
- whether user plane integrity security protection is enabled may differ between the multiple DRBs corresponding to the session.
- the integrity security protection of session #a is optionally enabled, which means that the integrity security protection of DRB#a and DRB#b corresponding to session #a is optionally enabled.
- the satellite base station can determine, according to local policy or its own load conditions, to activate the integrity security protection of DRB#a but not that of DRB#b; the satellite base station may then determine that the integrity security protection state of DRB#b needs to be modified to an activated state, that is, DRB#b turns on integrity security protection after the modification. Further, the satellite base station can notify the UE through an RRC reconfiguration message to modify the integrity security protection state of DRB#b to an activated state, after which the UE and the satellite base station can transmit data through DRB#a and DRB#b, and the transmitted data is integrity security protected.
- the satellite base station can instruct the UE to modify the integrity security protection status of the DRB#b to an inactivated state.
- the specific implementation method can refer to steps S810 to S814 of method 800, and the relevant descriptions of steps S818 to S820. For the sake of brevity, they will not be repeated here.
- the solution provided by the present application is that in the scenario where the feeder link is disconnected, the satellite base station modifies the integrity security protection state of the session without integrity security protection and/or DRB to an activated state, so that the uplink data subsequently received by the satellite base station are all integrity-protected, and the satellite base station also avoids receiving uplink data without integrity security protection, alleviating the potential DoS risk.
- the satellite base station triggers the above-mentioned session and/or DRB that have been modified to enable integrity security protection to be restored to an inactivated state, ensuring the communication connection between the UE and the satellite base station.
- Figure 9 is a flow chart of a communication method 900 provided in an embodiment of the present application.
- the terminal device is a UE, and the core network elements AMF and SMF are the execution subjects of the interaction.
- This method can be regarded as a further refinement of the above-mentioned method 400 or 600, and mainly describes how the SMF determines the user plane integrity security policy according to the indication information and/or the subscription information.
- the embodiment shown in Figure 9 and the embodiments shown in Figures 4 to 8 can be coupled with each other and can be used as references to each other. Therefore, the relevant descriptions in the above-mentioned methods 400 to 800 are also applicable to this implementation method.
- the same or similar technical means may exist between the two, and the contents described in the embodiments shown in Figures 4 to 8 will not be repeated.
- the method includes the following multiple steps, and the parts that are not fully described can refer to the existing protocol.
- the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
- the session creation context request message carries indication information, where the indication information is used to indicate that the base station is deployed on a satellite (referred to as a satellite base station for short).
- the indication information is also used to indicate that the satellite base station supports a store-and-forward feature.
- the AMF obtains one or more of the capability information, configuration information or location information of the base station through local query or by sending a query message to the OAM or UDM.
- the AMF can determine that the base station is deployed on a satellite through the query.
- the AMF can also determine that the satellite base station supports the store-and-forward feature.
- the SMF determines the user plane integrity security policy of the session based on the indication information and/or the subscription information.
- the indication information may be obtained by the SMF from the AMF, or by the SMF from the OAM or UDM.
- the subscription information can be obtained by the SMF from the UDM or PCF.
- the SMF determines the user plane integrity security policy of the session based on the indication information.
- the SMF determines the user plane integrity security policy based on the subscription information.
- the UE's subscription information is used to indicate whether the UE has subscribed to the store-and-forward operation service.
- this application does not limit the order in which the SMF obtains the subscription information and the indication information.
- the SMF determines the user plane integrity security policy based on the indication information and the subscription information.
- for details, refer to the relevant description of step S401 of the above method 400.
- SMF sends a session creation context response message to AMF, and correspondingly, AMF receives a session creation context response message from SMF.
- AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
- the satellite base station sends an RRC reconfiguration message to the UE, and correspondingly, the UE receives the RRC reconfiguration message from the satellite base station.
- the satellite base station can further determine whether the integrity security policy is required or not needed based on the local policy.
- the specific implementation method can refer to the relevant description of the above method 300.
- the UE performs an integrity check on the RRC reconfiguration message.
- the UE sends an RRC reconfiguration completion message to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration completion message from the UE.
- the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
- the connection between the satellite base station and the ground core network is disconnected, such as the feeder link is disconnected, wherein the triggering condition of the feeder link disconnection can refer to the relevant description of step S511 of the above method 500.
- the UE sends uplink data to the satellite base station, and correspondingly, the satellite base station receives the uplink data from the UE.
- the satellite base station performs integrity check on the uplink data.
- the triggering conditions for the satellite base station to perform integrity check on the uplink data and the specific implementation method of the satellite base station to perform integrity check on the uplink data can refer to the relevant description of step S513 of the above method 500, which will not be repeated here.
- the satellite base station determines whether to store the uplink data according to the verification result.
- for details, refer to the relevant description of step S514 of the above method 500.
- the solution provided by this application sets an integrity security policy through indication information, so that the user plane data subsequently received by the satellite base station is protected by integrity security to the maximum extent, alleviating potential DoS risks and reducing the processing load of UE and base station.
- the satellite base station can only store data that has passed the integrity check to ensure network security.
- FIG 10 is a schematic diagram of a communication device provided by an embodiment of the present application.
- the communication device 1000 includes a processing module 1010 and a communication module 1020.
- the communication device 1000 can be a terminal device, or a communication device applied to a terminal device or used in combination with a terminal device, which can implement a method executed by the terminal device, such as a chip, a chip system or a circuit; or, the communication device 1000 can be a network device, or a communication device applied to a network device or used in combination with a network device, which can implement a method executed by the network device, such as a chip, a chip system or a circuit; or, the communication device 1000 can be a session management network element, or a communication device applied to a session management network element or used in combination with a session management network element, which can implement a method executed by the session management network element, such as a chip, a chip system or a circuit.
- the communication module may also be referred to as a transceiver module, a transceiver, or a transceiver device, etc.
- the processing module may also be referred to as a processor, a processing board, a processing unit, or a processing device, etc.
- the communication module is used to perform the sending operation and the receiving operation of the terminal device and the network device in the above method, and the device used to implement the receiving function in the communication module may be regarded as a receiving unit, and the device used to implement the sending function in the communication module may be regarded as a sending unit, that is, the communication module includes a receiving unit and a sending unit.
- the processing module 1010 can be used to implement the processing function of the terminal device in the above embodiments, and the communication module 1020 can be used to implement the transceiver function of the terminal device in the above embodiments.
- the processing module 1010 can be used to implement the processing function of the network device in the above embodiments, and the communication module 1020 can be used to implement the transceiver function of the network device in the above embodiments.
- "indicate" or "used to indicate" may include being used for direct indication and being used for indirect indication.
- when it is described that certain indication information is used to indicate A, this may mean that the indication information directly indicates A or indirectly indicates A, but it does not mean that the indication information must carry A.
- the disclosed systems, devices and methods can be implemented in other ways.
- the device embodiments described above are only schematic.
- the division of the units is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
- Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of devices or units, which can be electrical, mechanical or other forms.
Description
This application claims priority to a Chinese patent application filed with the State Intellectual Property Office of China on January 19, 2024, with application number 202410083047.2 and invention name "A secure communication method, device and communication system", the entire contents of which are incorporated by reference into this application.
The present application relates to the field of communications, and more specifically, to a secure communication method, device and communication system.
In a communication system, such as a fifth generation (5G) communication system or a satellite communication system, a terminal device can communicate with a base station over a new radio (NR) interface, and the base station can communicate with a core network through a ground gateway station.
Uplink and downlink messages between the terminal device and the core network can be transmitted through the base station and the ground gateway station. At certain moments, the communication link between the terminal device and the base station and the communication link between the base station and the core network may not both be connected at the same time. For example, when the link between the terminal device and the base station is connected but the link between the base station and the core network is disconnected, the base station can perform a store-and-forward operation: it stores the uplink messages from the terminal device and, after the link between the base station and the core network is restored, sends the stored uplink messages to the core network. In this case, if an attacker sends a large amount of malicious data or messages to the base station, network security may not be guaranteed, and there is a risk of a denial of service (DoS) attack on the base station. Therefore, additional measures are urgently needed to reduce potential security risks.
The present application provides a secure communication method, device and communication system, which can reduce potential security risks and improve the security of network communication.
In a first aspect, a secure communication method is provided. The method is applied on the network device side: for example, it may be executed by the network device, by a chip or circuit in the network device, by a functional module in the network device that can call and execute a program, or by a centralized unit (CU) or distributed unit (DU) in the network device. This application does not limit this. For ease of description, execution by a network device (such as a base station) is taken as an example below.
The method includes: during the session establishment process of the terminal device, the network device determines, based on first information, whether to activate integrity security protection of the session, where the first information is used to indicate whether the network device supports the store-and-forward operation, and the session is used to transmit data between the terminal device and the core network; the network device sends first integrity security protection indication information to the terminal device, where the first integrity security protection indication information is used to indicate the activation result.
Exemplarily, the activation result is used to indicate whether integrity security protection of the session is activated, or in other words, whether integrity security protection of one or more data radio bearers (DRBs) corresponding to the session is activated. For example, the activation result is either that integrity security protection of the session is activated or that it is not activated.
Exemplarily, the first information may also be used to indicate whether the network device is configured to enable the store-and-forward operation, and/or whether the network device is deployed on a satellite.
It should be understood that a network device being deployed on a satellite means that the network device (such as a base station) is physically located on the satellite, or that the network device (such as a base station) and the satellite are co-located. In this case, the satellite has the capabilities of the network device; for example, the satellite supports the store-and-forward operation of the network device.
According to the solution provided in the present application, the integrity security protection of the session is turned on or activated to the maximum extent possible in light of the first information, so that the data subsequently received by the network device is integrity protected as far as possible. In the scenario where the communication link between the network device and the core network (such as the feeder link) is disconnected, the network device then stores only user plane data that has passed the integrity check, which mitigates the risk of a potential denial of service (DoS) attack while ensuring the security of network communication.
In some implementations, the network device determining, based on the first information, whether to activate integrity security protection of the session includes: when the first information indicates that the network device supports the store-and-forward operation, the network device determines to activate integrity security protection of the session; and/or, when the first information indicates that the network device does not support the store-and-forward operation, the network device determines not to activate integrity security protection of the session.
That is to say, when the network device supports the store-and-forward operation, it activates integrity security protection of the session; when it does not support the store-and-forward operation, it does not activate integrity security protection of the session, or it may activate or not activate it according to the user plane integrity security policy.
In some implementations, before the network device determines, based on the first information, whether to activate integrity security protection of the session, the method includes: the network device obtains the user plane integrity security policy corresponding to the session, where the user plane integrity security policy is used to indicate whether integrity security protection of the session is to be activated; and the network device determining, based on the first information, whether to activate integrity security protection of the session includes: the network device determines whether to activate integrity security protection of the session based on the first information and the user plane integrity security policy.
Based on the above scheme, the network device determines whether to activate integrity security protection of the session according to the first information and may additionally consider the user plane integrity security policy, turning on or activating integrity security protection of the session as far as possible, so that the user plane data received by the network device is integrity protected to the greatest extent. In the scenario where the feeder link is disconnected, only user plane data that has passed the integrity check is stored, which not only mitigates the risk of a potential DoS attack but also ensures the security of network communication.
In some implementations, the network device determining, based on the first information and the user plane integrity security policy, whether to activate integrity security protection of the session includes: when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection of the session is activated or optionally activated, the network device determines to activate integrity security protection of the session; and/or, when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection of the session is not activated, the network device determines not to activate integrity security protection of the session.
Based on the above scheme, when the network device does not support the store-and-forward operation, its determination of whether to activate integrity security protection of the session may follow the user plane integrity security policy, or may follow whether the network device supports the store-and-forward operation, turning on or activating integrity security protection of the session to the maximum extent, so that the user plane data received by the network device is integrity protected to the greatest extent. In the scenario where the feeder link is disconnected, only user plane data that has passed the integrity check is stored, which not only mitigates the risk of a potential DoS attack but also ensures the security of network communication.
In some implementations, the network device determining, based on the first information and the user plane integrity security policy, whether to activate integrity security protection of the session includes: when the first information indicates that the network device supports the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection of the session is activated or optionally activated, the network device determines to activate integrity security protection of the session; and/or, when the first information indicates that the network device supports the store-and-forward operation and the user plane integrity security policy indicates that integrity security protection of the session is not activated, the network device still determines to activate integrity security protection of the session.
Based on the above scheme, when the network device supports the store-and-forward operation, the network device determines to activate integrity security protection of the session regardless of whether the user plane integrity security policy indicates that integrity security protection of the session is activated, optionally activated or not activated. That is, the network device determines whether to activate integrity security protection of the session on the basis of the first information, turning it on or activating it to the maximum extent, so that the user plane data received by the network device is integrity protected to the greatest extent. In the scenario where the feeder link is disconnected, only user plane data that passes the integrity check is stored, which not only mitigates the risk of a potential DoS attack but also ensures the security of network communication.
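Added worked example (not code from the patent or any 3GPP implementation) covering both the first-aspect activation rules above and the feeder-link handling of method 800 (steps S811 to S820 in the Definitions list): a small simulation of a satellite base station that decides activation from the store-and-forward information and the user plane policy, switches integrity protection on for the DRBs that lacked it when the feeder link drops, stores only uplink data whose MAC-I verifies, and reverts the recorded DRBs afterwards. The class and function names, the HMAC-SHA-256 stand-in for an NIA integrity algorithm, and the use of feeder-link restoration as the trigger for the revert are assumptions of this example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    """User plane integrity security policy of a session."""
    REQUIRED = "required"      # session activates integrity protection
    PREFERRED = "preferred"    # integrity protection optionally activated
    NOT_NEEDED = "not needed"  # session does not activate integrity protection


def decide_activation(supports_store_and_forward: bool, policy: Policy) -> bool:
    """First aspect: decide whether to activate integrity protection of a session
    from the 'first information' (store-and-forward support) and the policy.
    Store-and-forward support activates it regardless of policy; otherwise the
    policy decides (REQUIRED / PREFERRED activate, NOT_NEEDED does not)."""
    if supports_store_and_forward:
        return True
    return policy in (Policy.REQUIRED, Policy.PREFERRED)


MAC_I_LEN = 4  # PDCP MAC-I is 32 bits


def compute_mac_i(key: bytes, count: int, bearer: int, direction: int,
                  payload: bytes) -> bytes:
    """Stand-in for an NIA integrity algorithm (assumption: HMAC-SHA-256
    truncated to 32 bits). Inputs mirror NIA: KEY, COUNT, BEARER, DIRECTION
    (0 = uplink, 1 = downlink) and MESSAGE."""
    msg = count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_I_LEN]


@dataclass
class Drb:
    drb_id: int
    integrity_active: bool
    key: Optional[bytes] = None  # held by the PDCP entity only while active


@dataclass
class SatelliteBaseStation:
    k_up_int: bytes                      # user plane integrity key for this UE
    drbs: Dict[int, Drb]
    feeder_link_up: bool = True
    modified_drbs: List[int] = field(default_factory=list)  # record kept in S812
    stored_uplink: List[Tuple[int, bytes]] = field(default_factory=list)
    rejected: int = 0

    def feeder_link_lost(self) -> List[int]:
        """S811/S812: feeder link down. Activate integrity protection on every
        DRB that had it inactive, configure the key in its PDCP entity and
        record the IDs; these are what RRC reconfiguration #2 carries to the UE."""
        self.feeder_link_up = False
        self.modified_drbs = []
        for drb in self.drbs.values():
            if not drb.integrity_active:
                drb.integrity_active = True
                drb.key = self.k_up_int
                self.modified_drbs.append(drb.drb_id)
        return list(self.modified_drbs)

    def receive_uplink(self, drb_id: int, count: int, payload: bytes,
                       mac_i: Optional[bytes]) -> bool:
        """S816/S817: verify the MAC-I of uplink data on a protected DRB.
        While the feeder link is down only data that passes the check is
        stored for later forwarding; failed or unprotected data is dropped."""
        drb = self.drbs[drb_id]
        if drb.integrity_active:
            key = drb.key or self.k_up_int
            expected = compute_mac_i(key, count, drb_id, 0, payload)
            if mac_i is None or not hmac.compare_digest(expected, mac_i):
                self.rejected += 1
                return False
        if not self.feeder_link_up:
            self.stored_uplink.append((drb_id, payload))
        return True

    def restore_previous_state(self) -> List[int]:
        """S818-S820: when the base station triggers the restore (assumption
        here: the feeder link is back), the DRBs recorded in S812 go back to
        inactive and the key is deleted from their PDCP entity; the returned
        IDs are what RRC reconfiguration #3 carries."""
        self.feeder_link_up = True
        restored = list(self.modified_drbs)
        for drb_id in restored:
            self.drbs[drb_id].integrity_active = False
            self.drbs[drb_id].key = None
        self.modified_drbs = []
        return restored
```

The UE side would compute its MAC-I with the same function and direction 0, so a forged or unprotected uplink PDU arriving during the outage is counted in `rejected` and never enters `stored_uplink`.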
In a second aspect, a secure communication method is provided. The method is applied on the terminal device side; for example, it may be performed by the terminal device, by a chip or circuit in the terminal device, or by a functional module in the terminal device that can invoke and execute a program. This application does not limit this. For ease of description, the following takes execution by a terminal device (for example, a user equipment (UE)) as an example.
The method includes: during a session establishment procedure of the terminal device, the terminal device receives first integrity security protection indication information from the network device, where the first integrity security protection indication information indicates whether to activate integrity security protection for the session, the first integrity security protection indication information is determined according to first information, the first information indicates whether the network device supports the store-and-forward operation, and the session is used to transmit data between the terminal device and the core network; the terminal device performs an integrity check on the first integrity security protection indication information; and, when the integrity check passes, the terminal device determines, according to the first integrity security protection indication information, whether to activate integrity security protection for the session.
Optionally, before the terminal device determines, according to the first integrity security protection indication information, whether to activate integrity security protection for the session, the method further includes: the terminal device performs an integrity check on the first integrity security protection indication information. Further, when the integrity check passes, the terminal device determines, according to the first integrity security protection indication information, whether to activate integrity security protection for the session.
Optionally, the statement that the first integrity security protection indication information indicates whether to activate integrity security protection for the session may be understood as follows: the first integrity security protection indication information indicates an activation result, and the activation result indicates whether integrity security protection for the session is activated.
In some implementations, when the first information indicates that the network device supports the store-and-forward operation, the first integrity security protection indication information indicates that integrity security protection for the session is activated; and/or, when the first information indicates that the network device does not support the store-and-forward operation, the first integrity security protection indication information indicates that integrity security protection for the session is not activated.
In some implementations, the first integrity security protection indication information is determined according to the first information and a user plane integrity security policy, where the user plane integrity security policy indicates whether the session activates integrity security protection.
In some implementations, when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that the session activates or optionally activates integrity security protection, the first integrity security protection indication information indicates that integrity security protection for the session is activated; and/or, when the first information indicates that the network device does not support the store-and-forward operation and the user plane integrity security policy indicates that the session does not activate integrity security protection, the first integrity security protection indication information indicates that integrity security protection for the session is not activated.
In some implementations, when the first information indicates that the network device supports the store-and-forward operation and the user plane integrity security policy indicates that the session activates or optionally activates integrity security protection, the first integrity security protection indication information indicates that integrity security protection for the session is activated; and/or, when the first information indicates that the network device supports the store-and-forward operation and the user plane integrity security policy indicates that the session does not activate integrity security protection, the first integrity security protection indication information still indicates that integrity security protection for the session is activated.
For the beneficial effects of the second aspect and its implementations, refer to the corresponding description of the first aspect; details are not repeated here.
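The activation decision of the first aspect and the terminal-side verification of the second aspect, written out as an added example. This code is not part of the patent application: HMAC-SHA256 truncated to 16 bytes stands in for the RRC integrity algorithm and its key, the JSON body stands in for the RRC message carrying the first integrity security protection indication information, and the names UpIpPolicy, decide_activation, build_indication, ue_handle_indication and session_setup are assumptions made for illustration. The decision table covers both the policy-free rule (first information alone) and the combined rule (first information and user plane integrity security policy).

```python
import hashlib
import hmac
import json
from enum import Enum
from typing import Dict, Optional, Tuple

MAC_LEN = 16  # assumption: truncated HMAC-SHA256 stands in for the RRC integrity MAC-I


class UpIpPolicy(Enum):
    """User plane integrity security policy received from the core network."""
    REQUIRED = "required"        # session activates integrity protection
    PREFERRED = "preferred"      # optional activation
    NOT_NEEDED = "not_needed"    # session does not activate it


def decide_activation(supports_store_forward: bool,
                      policy: Optional[UpIpPolicy] = None) -> bool:
    """Network device side. A store-and-forward capable device activates
    regardless of the policy, so that it never has to buffer unverifiable
    data; otherwise the policy decides, and with no policy the first
    information alone decides."""
    if supports_store_forward:
        return True
    if policy is None:
        return False
    return policy in (UpIpPolicy.REQUIRED, UpIpPolicy.PREFERRED)


def decision_table() -> Dict[Tuple[bool, Optional[str]], bool]:
    """Outcome for every (first information, policy) combination."""
    policies = [None] + list(UpIpPolicy)
    return {(sf, p.value if p else None): decide_activation(sf, p)
            for sf in (True, False) for p in policies}


def build_indication(key: bytes, session_id: int, activate: bool) -> bytes:
    """Network device: encode the first indication and append a MAC so the UE
    can detect an indication that was altered or injected in transit."""
    body = json.dumps({"session": session_id, "up_ip_activate": activate},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def ue_handle_indication(key: bytes, message: bytes) -> Optional[bool]:
    """UE side: verify the MAC first and only then read the decision. Returns
    the activation decision, or None when the check fails, in which case the
    indication is ignored rather than acted on."""
    if len(message) <= MAC_LEN:
        return None
    body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bool(json.loads(body)["up_ip_activate"])


def session_setup(key: bytes, supports_store_forward: bool,
                  policy: Optional[UpIpPolicy], tamper: bool = False) -> Optional[bool]:
    """End to end: the network device decides and signals, the UE verifies and
    applies. With tamper=True the decision is rewritten in transit; the UE
    must then reject the message instead of following the forged value."""
    activate = decide_activation(supports_store_forward, policy)
    msg = build_indication(key, session_id=7, activate=activate)
    if tamper:
        body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        body = (body.replace(b"true", b"false") if b"true" in body
                else body.replace(b"false", b"true"))
        msg = body + tag
    return ue_handle_indication(key, msg)


if __name__ == "__main__":
    for (sf, pol), out in decision_table().items():
        print(f"store-and-forward={sf!s:5} policy={pol!s:10} -> activate={out}")
```

The point of the tampering path is the ordering the second aspect insists on: the terminal checks integrity before it acts on the indication, so an attacker who flips the decision in transit cannot talk a UE out of integrity protection on a bearer that a store-and-forward satellite will later buffer.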
In a third aspect, a secure communication method is provided. The method is applied on the network device side; for example, it may be performed by the network device, by a chip or circuit in the network device, by a functional module in the network device that can invoke and execute a program, or by a CU or DU of the network device. This application does not limit this. For ease of description, the following takes execution by a network device (for example, a base station) as an example.
The method includes: during a session establishment procedure of the terminal device, the network device obtains a user plane integrity security policy corresponding to the session, where the user plane integrity security policy indicates whether the session activates integrity security protection, and the session is used to transmit data between the terminal device and the core network; the network device determines first integrity security protection indication information according to the user plane integrity security policy, where the first integrity security protection indication information indicates whether to activate integrity security protection for a first DRB, the session corresponds to the first DRB, and the first DRB carries data between the terminal device and the network device; the network device activates or does not activate integrity security protection for the first DRB according to the first integrity security protection indication information; when a first link is disconnected, the network device determines whether to release the first DRB according to whether integrity security protection for the first DRB is activated, or determines whether to modify the integrity security protection state of the first DRB according to whether integrity security protection for the first DRB is activated, where the first link is the link between the network device and the core network; and the network device sends a first message to the terminal device, where the first message indicates the release result or the modification result for the first DRB.
For example, in a satellite communication scenario, the first link may be a feeder link.
Optionally, when the first link is disconnected, the network device may also determine whether to release the first DRB according to the first integrity security protection indication information, or determine whether to modify the integrity security protection state of the first DRB according to the first integrity security protection indication information.
According to the solution provided in this application, the network device determines, based on the user plane integrity security policy, whether to release the first DRB or to modify the integrity security protection state of the first DRB to the activated state, so that all user plane data subsequently received by the network device is integrity protected. When the feeder link is disconnected, the satellite base station therefore stores only user plane data that has passed the integrity check, which mitigates the potential DoS risk and safeguards network communication security.
In some implementations, the network device determining whether to release the first DRB according to whether integrity security protection for the first DRB is activated includes: when integrity security protection for the first DRB is not activated, the network device determines to release the first DRB.
In some implementations, the network device determining whether to modify the integrity security protection state of the first DRB according to whether integrity security protection for the first DRB is activated includes: when integrity security protection for the first DRB is not activated, the network device determines to modify the integrity security protection state of the first DRB to the activated state.
In some implementations, the method further includes: when the first link is reconnected, the network device sends a second message to the terminal device, where the second message instructs the terminal device to establish a second DRB, the second message includes second integrity security protection indication information, the second integrity security protection indication information indicates that the second DRB does not activate integrity security protection, and the second DRB carries data between the terminal device and the network device.
In some implementations, the second DRB is the first DRB, and before sending the second message to the terminal device and/or after sending the first message to the terminal device, the method further includes: the network device stores an identifier of the first DRB; and/or the network device records that the integrity security protection state of the first DRB before the modification was the inactive state; where the second message includes the identifier of the first DRB, and/or the second integrity security protection indication information carried in the second message is determined according to the recorded pre-modification inactive state of the first DRB.
Optionally, the second DRB may be a DRB re-established between the terminal device and the network device, or it may be the first DRB as identified by the stored identifier of the first DRB. In addition, this application does not limit when the network device stores the identifier of the first DRB and/or records that the pre-modification integrity security protection state of the first DRB was the inactive state; this implementation serves to facilitate normal subsequent communication between the terminal device and the network device.
In other words, the network device may determine, according to the recorded pre-modification inactive state of the first DRB, not to activate or enable integrity security protection for the second DRB. Optionally, the network device may instead determine not to activate or enable integrity security protection for the second DRB according to the user plane integrity security policy of the session; this application does not limit this.
Based on this implementation, after the first DRB is released or its integrity security protection state is modified to the activated state, recording the identifier of the first DRB and/or recording that its pre-modification integrity security protection state was the inactive state makes it possible, once the first link is restored, to re-establish the first DRB (that is, one example of the second DRB) based on the recorded identifier.
In some implementations, the method further includes: the network device receives first data from the terminal device over the first DRB; when the first integrity security protection indication information indicates that integrity security protection for the first DRB is activated, the network device performs an integrity check on the first data; when the integrity check passes and the first link is disconnected, the network device stores the first data; or, when the integrity check fails, the network device does not store the first data, or the network device discards the first data.
In some implementations, before storing the first data, the method further includes: when the integrity check passes, determining whether the first link is disconnected.
In some implementations, before performing the integrity check on the first data, the method further includes: determining whether the first link is disconnected.
In other words, this application does not limit the order in which the network device determines whether the first link is disconnected and determines whether an integrity check of the first data is required. For example, the network device may determine whether the first link is disconnected by checking whether it is communicating normally with the core network. For instance, the network device may have moved to the side facing away from the ground gateway station, so that the gateway station can no longer receive the signal it transmits; or the communication conditions between the network device and the core network may have deteriorated, for example because of severe weather or because the signal quality has fallen below a certain threshold.
In some implementations, the method further includes: the network device receives first data from the terminal device over the first DRB; when the first integrity security protection indication information indicates that the first DRB does not activate integrity security protection and the first link is disconnected, the network device does not perform an integrity check on the first data, or the network device discards the first data.
For the beneficial effects of the third aspect and its implementations, refer to the corresponding description of the first aspect; details are not repeated here.
In a fourth aspect, a secure communication method is provided. The method is applied on the terminal device side; for example, it may be performed by the terminal device, by a chip or circuit in the terminal device, or by a functional module in the terminal device that can invoke and execute a program. This application does not limit this. For ease of description, the following takes execution by a terminal device (for example, a UE) as an example.
The method includes: when a first link is disconnected, the terminal device receives a first message from the network device, where the first message indicates a release result or a modification result for a first DRB, the release result indicates whether to release the first DRB, the modification result indicates whether to modify the integrity security protection state of the first DRB, the release result or the modification result is determined according to whether integrity security protection for the first DRB is activated, the first DRB carries data between the terminal device and the network device, and the first link is the link between the network device and the core network; the terminal device determines whether to release the first DRB according to the release result, or the terminal device determines whether to modify the integrity security protection state of the first DRB according to the modification result.
For example, whether integrity security protection for the first DRB is activated is determined according to the user plane integrity security policy.
Optionally, before the terminal device determines whether to release the first DRB according to the release result, or before the terminal device determines whether to modify the integrity security protection state of the first DRB according to the modification result, the method further includes: the terminal device performs an integrity check on the first message. Further, when the integrity check passes, the terminal device determines whether to release the first DRB according to the release result, or determines whether to modify the integrity security protection state of the first DRB according to the modification result.
In some implementations, when the first integrity security protection indication information indicates that the first DRB does not activate integrity security protection, the release result indicates that the first DRB is released.
In some implementations, when the first integrity security protection indication information indicates that the first DRB does not activate integrity security protection, the modification result indicates that the integrity security protection state of the first DRB is modified to the activated state.
In some implementations, the method further includes: when the first link is reconnected, the terminal device receives a second message from the network device, where the second message instructs establishment of a second DRB, the second message includes second integrity security protection indication information, the second integrity security protection indication information indicates that the second DRB does not activate integrity security protection, the second DRB carries data between the terminal device and the network device, and the first link is the link between the network device and the core network.
For the beneficial effects of the fourth aspect and its implementations, refer to the corresponding description of the first aspect; details are not repeated here.
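The feeder-link handling of the third aspect (network device side) and its mirror in the fourth aspect (terminal side), written out as an added example; this is not code from the patent application. It models both options the third aspect gives a satellite base station when the feeder link drops, releasing each DRB whose integrity protection is not activated or switching it to the activated state, the bookkeeping that lets the DRB come back in its original inactive state once the link returns, and the uplink gate that stores only data which has passed the integrity check. Assumptions: HMAC-SHA256 truncated to 4 bytes stands in for the PDCP integrity algorithm and its key, Python dictionaries stand in for the RRC messages, the bearer identifiers, payloads and forged PDU are constructed sample input, and the names SatelliteGnb, Ue and run_scenario are hypothetical.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

MAC_LEN = 4  # assumption: truncated HMAC-SHA256 stands in for the 32-bit PDCP MAC-I


def mac_i(key: bytes, drb_id: int, body: bytes) -> bytes:
    """Integrity tag bound to the bearer identity as well as the payload."""
    return hmac.new(key, bytes([drb_id]) + body, hashlib.sha256).digest()[:MAC_LEN]


class SatelliteGnb:
    """Network device with a store-and-forward buffer for feeder-link outages."""

    def __init__(self, key: bytes, mode: str):
        self.key, self.mode = key, mode             # mode: "release" or "modify"
        self.feeder_link_up = True
        self.drbs: Dict[int, bool] = {}             # DRB id -> integrity protection active
        self.saved_state: Dict[int, bool] = {}      # DRB id -> state before the change
        self.buffer: List[bytes] = []               # verified data held while the link is down
        self.forwarded: List[bytes] = []            # data passed on towards the core network

    def setup_drb(self, drb_id: int, policy_activates: bool) -> dict:
        """First indication: the DRB follows the session's UP integrity policy."""
        self.drbs[drb_id] = policy_activates
        return {"type": "setup", "drb": drb_id, "ip": policy_activates}

    def on_feeder_link_down(self) -> List[dict]:
        """First message(s): release or re-protect each unprotected DRB, remembering its state."""
        self.feeder_link_up = False
        out = []
        for drb_id in [d for d, active in self.drbs.items() if not active]:
            self.saved_state[drb_id] = False
            if self.mode == "release":
                del self.drbs[drb_id]
                out.append({"type": "release", "drb": drb_id})
            else:
                self.drbs[drb_id] = True
                out.append({"type": "modify", "drb": drb_id, "ip": True})
        return out

    def on_feeder_link_up(self) -> List[dict]:
        """Second message(s): restore remembered DRBs as inactive and flush the buffer."""
        self.feeder_link_up = True
        out = [self.setup_drb(d, s) for d, s in self.saved_state.items()]
        self.saved_state.clear()
        self.forwarded, self.buffer = self.forwarded + self.buffer, []
        return out

    def receive(self, drb_id: int, pdu: bytes) -> str:
        """Uplink PDU handling; returns 'forwarded', 'stored' or 'discarded'."""
        if drb_id not in self.drbs:
            return "discarded"                      # bearer was released
        body = pdu
        if self.drbs[drb_id]:                       # protected: verify before anything else
            body, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
            if not hmac.compare_digest(tag, mac_i(self.key, drb_id, body)):
                return "discarded"                  # integrity check failed
        elif not self.feeder_link_up:
            return "discarded"                      # unverifiable data is never buffered
        if self.feeder_link_up:
            self.forwarded.append(body)
            return "forwarded"
        self.buffer.append(body)                    # link down: store verified data only
        return "stored"


class Ue:
    """Terminal side: mirrors bearer state from the network device's messages."""

    def __init__(self, key: bytes):
        self.key, self.ip_active = key, {}

    def apply(self, msg: dict) -> None:
        if msg["type"] == "release":
            self.ip_active.pop(msg["drb"], None)
        else:                                       # setup or modify
            self.ip_active[msg["drb"]] = msg["ip"]

    def send(self, drb_id: int, payload: bytes) -> bytes:
        if self.ip_active.get(drb_id):
            return payload + mac_i(self.key, drb_id, payload)
        return payload                              # unprotected, or stale after a release


def run_scenario(mode: str) -> Tuple[Dict[str, str], SatelliteGnb]:
    """Two bearers, an outage and one forged PDU (constructed); returns the gNB's verdicts."""
    key = b"constructed-demo-key"
    gnb, ue = SatelliteGnb(key, mode), Ue(key)
    for m in [gnb.setup_drb(1, True), gnb.setup_drb(2, False)]:
        ue.apply(m)
    for m in gnb.on_feeder_link_down():
        ue.apply(m)
    result = {"protected_drb": gnb.receive(1, ue.send(1, b"telemetry")),
              "forged_pdu": gnb.receive(1, b"junk" + b"\x00" * MAC_LEN),
              "unprotected_drb": gnb.receive(2, ue.send(2, b"bulk"))}
    for m in gnb.on_feeder_link_up():
        ue.apply(m)
    result["after_restore"] = gnb.receive(2, ue.send(2, b"bulk"))
    return result, gnb
```

Running run_scenario("modify") shows bearer 2 being re-protected for the duration of the outage, so its traffic is verified and buffered, while run_scenario("release") shows the same bearer being dropped and a PDU arriving on it discarded without ever touching the buffer; in both modes the forged PDU on the protected bearer is discarded, and after the link returns bearer 2 is re-established without integrity protection, as the second message in the third aspect prescribes. A practical check worth adding in a real implementation is that the first message itself is integrity protected before the UE applies it, as the fourth aspect requires; the earlier example on this page shows that check for the session-establishment indication.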
In a fifth aspect, a secure communication method is provided. The method may be performed by a session management network element, by a chip or circuit in the session management network element, or by a functional module in the session management network element that can invoke and execute a program. This application does not limit this. For ease of description, the following takes execution by the session management network element as an example.
The method includes: during a session establishment procedure of the terminal device, the session management network element obtains indication information, where the indication information indicates that the network device is deployed on a satellite; the session management network element determines, according to the indication information, a user plane integrity security policy corresponding to the session, where the user plane integrity security policy indicates that the session activates or optionally activates integrity security protection; and the session management network element sends the user plane integrity security policy to the network device.
In some implementations, the indication information further indicates that the network device supports the store-and-forward operation.
In some implementations, the method further includes: the session management network element obtains subscription information, where the subscription information indicates whether the terminal device has subscribed to a store-and-forward service; and the session management network element determining the user plane integrity security policy according to the indication information includes: the session management network element determines the user plane integrity security policy according to the indication information and the subscription information.
Optionally, the session management network element determines the user plane integrity security policy according to the subscription information.
In some implementations, the session management network element determining the user plane integrity security policy according to the indication information and the subscription information includes: when the subscription information indicates that the terminal device has subscribed to the store-and-forward service, the session management network element determines that the user plane integrity security policy indicates that the session activates integrity security protection.
For the beneficial effects of the fifth aspect and its implementations, refer to the corresponding description of the first aspect; details are not repeated here.
第六方面,提供了一种通信装置,例如网络设备。该通信装置包括:处理单元,用于在终端设备的会话建立过程中,根据第一信息确定是否激活会话的完整性安全保护,第一信息用于指示网络设备是否支持存储转发操作;收发单元,用于向终端设备发送第一完整性安全保护指示信息,第一完整性安全保护指示信息用于指示激活结果。In a sixth aspect, a communication device is provided, such as a network device. The communication device includes: a processing unit, used to determine whether to activate integrity security protection of a session according to first information during a session establishment process of a terminal device, the first information being used to indicate whether the network device supports a store-and-forward operation; and a transceiver unit, used to send first integrity security protection indication information to the terminal device, the first integrity security protection indication information being used to indicate an activation result.
该收发单元可以执行前述第一方面中的接收和发送的处理,处理单元可以执行前述第一方面中除了接收和发送之外的其他处理。The transceiver unit can perform the reception and transmission processing in the aforementioned first aspect, and the processing unit can perform other processing except reception and transmission in the aforementioned first aspect.
第七方面,提供了一种通信装置,例如终端设备。该通信装置包括:收发单元,用于在终端设备的会话建立过程中,接收来自网络设备的第一完整性安全保护指示信息,第一完整性安全保护指示信息用于指示是否激活会话的完整性安全保护,第一完整性安全保护指示信息根据第一信息确定,第一信息用于指示网络设备是否支持存储转发操作;处理单元,用于对第一完整性安全保护指示信息进行完整性检验;处理单元,还用于在完整性检验通过的情况下,根据第一完整性安全保护指示信息确定是否激活会话的完整性安全保护。In a seventh aspect, a communication device is provided, such as a terminal device. The communication device includes: a transceiver unit, configured to receive first integrity security protection indication information from a network device during a session establishment process of the terminal device, the first integrity security protection indication information being used to indicate whether to activate integrity security protection of the session, the first integrity security protection indication information being determined based on first information, the first information being used to indicate whether the network device supports a store-and-forward operation; a processing unit, configured to perform an integrity check on the first integrity security protection indication information; and the processing unit is further configured to determine whether to activate integrity security protection of the session based on the first integrity security protection indication information when the integrity check passes.
该收发单元可以执行前述第二方面中的接收和发送的处理,处理单元可以执行前述第二方面中除了接收和发送之外的其他处理。The transceiver unit can perform the reception and transmission processing in the aforementioned second aspect, and the processing unit can perform other processing except reception and transmission in the aforementioned second aspect.
第八方面,提供了一种通信装置,例如网络设备。该通信装置包括:收发单元,用于在终端设备的会话建立过程中,获取会话对应的用户面完整性安全策略,用户面完整性安全策略用于指示会话是否激活完整性安全保护;处理单元,用于根据用户面完整性安全策略确定第一完整性安全保护指示信息,第一完整性安全保护指示信息用于指示是否激活第一DRB的完整性安全保护,会话对应第一数据无线承载DRB;处理单元,还用于在第一链路断开的情况下,根据第一DRB的完整性安全保护是否激活确定是否释放第一DRB,或者,根据第一DRB的完整性安全保护是否激活确定是否修改第一DRB的完整性安全保护状态,第一链路是网络设备与核心网之间的链路;收发单元,还用于向终端设备发送第一消息,第一消息用于指示第一DRB的释放结果或修改结果。In an eighth aspect, a communication device is provided, such as a network device. The communication device includes: a transceiver unit, which is used to obtain a user plane integrity security policy corresponding to a session during a session establishment process of a terminal device, and the user plane integrity security policy is used to indicate whether integrity security protection is activated for the session; a processing unit, which is used to determine first integrity security protection indication information according to the user plane integrity security policy, and the first integrity security protection indication information is used to indicate whether to activate integrity security protection of a first DRB, and the session corresponds to a first data radio bearer DRB; the processing unit is also used to determine whether to release the first DRB according to whether the integrity security protection of the first DRB is activated when the first link is disconnected, or to determine whether to modify the integrity security protection state of the first DRB according to whether the integrity security protection of the first DRB is activated, and the first link is a link between the network device and the core network; the transceiver unit is also used to send a first message to the terminal device, and the first message is used to indicate a release result or a modification result of the first DRB.
The transceiver unit can perform the receiving and sending processing in the third aspect, and the processing unit can perform the processing in the third aspect other than receiving and sending.
In a ninth aspect, a communication device is provided, for example a terminal device. The communication device includes: a transceiver unit, configured to receive a first message from a network device when a first link is disconnected, where the first message indicates a release result or a modification result of a first DRB, the first DRB carries data between the terminal device and the network device, the release result indicates whether to activate the first DRB, the modification result indicates whether to modify the integrity security protection state of the first DRB, and the release result or the modification result is determined according to whether integrity security protection of the first DRB is activated; and a processing unit, configured to perform an integrity check on the first message, where the processing unit is further configured to, when the integrity check passes, determine according to the release result whether to release the first DRB, or determine according to the modification result whether to modify the integrity security protection state of the first DRB.
For example, whether integrity security protection of the first DRB is activated is determined according to a user plane integrity security policy.
The transceiver unit can perform the receiving and sending processing in the fourth aspect, and the processing unit can perform the processing in the fourth aspect other than receiving and sending.
In a tenth aspect, a communication device is provided, for example a session management network element. The communication device includes: a transceiver unit, configured to receive indication information during a session establishment procedure of a terminal device, where the indication information indicates that a network device is deployed on a satellite; and a processing unit, configured to determine a user plane integrity security policy according to the indication information, where the user plane integrity security policy indicates that the session activates, or optionally activates, integrity security protection; and the transceiver unit is further configured to send the user plane integrity security policy to the network device.
The transceiver unit can perform the receiving and sending processing in the fifth aspect, and the processing unit can perform the processing in the fifth aspect other than receiving and sending.
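The ninth and tenth aspects above, modelled as an added Python example (not code from the patent): the session management network element maps the "deployed on a satellite" indication to a user plane integrity policy, the network side builds the release/modify message for a DRB, and the terminal integrity-checks that message before it touches the DRB. HMAC-SHA256 truncated to 32 bits stands in for the NR MAC-I; the result-decision rule, the message layout, the COUNT handling and the key are constructed assumptions.

```python
"""Illustrative model of the DRB handling in the ninth and tenth aspects.
Added example, not the patent's code: HMAC-SHA256 truncated to 32 bits stands
in for the NR MAC-I, and the result-decision rule, the message layout, the
COUNT handling and the demo key are constructed assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

MAC_LEN = 4  # NR MAC-I is 32 bits; assumption: same length used here


@dataclass
class Drb:
    drb_id: int
    integrity_active: bool  # whether user-plane integrity protection is activated
    released: bool = False


def derive_up_integrity_policy(on_satellite: bool, operator_default: str) -> str:
    """Tenth aspect: the session management network element maps the indication
    'network device deployed on satellite' to a user plane integrity policy.
    Assumption: satellite deployment yields 'required' (activate); otherwise the
    operator default ('required', 'preferred' or 'not_needed') is kept."""
    if operator_default not in ("required", "preferred", "not_needed"):
        raise ValueError("unknown policy value")
    return "required" if on_satellite else operator_default


def decide_result(drb: Drb) -> dict:
    """Network side: the release/modify result depends on whether integrity
    protection of the DRB is activated. Constructed rule for illustration only:
    an unprotected DRB gets a release result, a protected one a 'no change'
    modification result."""
    if drb.integrity_active:
        return {"drb_id": drb.drb_id, "kind": "modify", "value": False}
    return {"drb_id": drb.drb_id, "kind": "release", "value": True}


def compute_mac(body: dict, count: int, key: bytes) -> bytes:
    """Stand-in for the integrity algorithm: MAC over COUNT and the canonical body."""
    data = str(count).encode() + b"|" + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_first_message(drb: Drb, count: int, key: bytes) -> dict:
    """First message sent while the first link is disconnected, integrity protected."""
    body = decide_result(drb)
    return {"count": count, "body": body, "mac": compute_mac(body, count, key)}


def ue_handle_first_message(drb: Drb, message: dict, key: bytes) -> str:
    """Ninth aspect, terminal side: verify the MAC first; only a message that
    passes the integrity check may release the DRB or change its protection state."""
    expected = compute_mac(message["body"], message["count"], key)
    if not hmac.compare_digest(expected, message["mac"]):
        return "discarded"  # forged or tampered message: DRB state is left untouched
    body = message["body"]
    if body["drb_id"] != drb.drb_id:
        return "ignored"
    if body["kind"] == "release":
        if body["value"]:
            drb.released = True
            return "released"
        return "kept"
    if body["kind"] == "modify":
        if body["value"]:
            drb.integrity_active = not drb.integrity_active
            return "modified"
        return "unchanged"
    return "ignored"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment derives K_RRCint
    print(derive_up_integrity_policy(True, "not_needed"))  # required
    drb = Drb(drb_id=1, integrity_active=False)
    msg = build_first_message(drb, count=7, key=key)
    print(ue_handle_first_message(drb, msg, key))  # released
    tampered = build_first_message(Drb(1, False), count=8, key=key)
    tampered["body"]["value"] = False  # attacker flips the release result
    print(ue_handle_first_message(Drb(1, False), tampered, key))  # discarded
```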
In an eleventh aspect, a communication device is provided. The communication device includes a transceiver, a processor and a memory, where the processor is configured to control the transceiver to send and receive signals, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the communication device performs the method in any possible implementation of the first to fifth aspects above.
Optionally, there are one or more processors and one or more memories.
Optionally, the memory may be integrated with the processor, or the memory and the processor may be provided separately.
Optionally, the communication device further includes a transmitter and a receiver.
In a twelfth aspect, a communication system is provided. The communication system includes a network device and a session management network element, where the network device is configured to perform the method in the first aspect or the third aspect and any possible implementation thereof, and the session management network element is configured to perform the method in any possible implementation of the fifth aspect.
Optionally, the communication system further includes a terminal device, where the terminal device is configured to perform the method in the second aspect or the fourth aspect and any possible implementation thereof.
In a thirteenth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores computer program code or instructions, and when the computer program code or instructions are run, the method in any possible implementation of the first to fifth aspects above is performed.
In a fourteenth aspect, a chip is provided. The chip includes at least one processor, the at least one processor is coupled to a memory, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that a communication device in which the chip system is installed performs the method in any possible implementation of the first to fifth aspects above.
The chip may include an input circuit or interface for sending information or data, and an output circuit or interface for receiving information or data.
In a fifteenth aspect, a computer program product is provided. The computer program product includes computer program code, and when the computer program code is run, the method in any possible implementation of the first to fifth aspects above is performed.
In a sixteenth aspect, a computer program is provided. When the computer program is run, the method in any possible implementation of the first to fifth aspects above is performed.
For the technical effects of the technical solutions of the sixth to sixteenth aspects, reference may be made to the description of the corresponding technical effects of the first to fifth aspects, which is not repeated here.
FIG. 1 is a schematic diagram of a communication system applicable to an embodiment of this application;
FIG. 2 is a schematic diagram of another communication system applicable to an embodiment of this application;
FIG. 3 is a schematic flowchart of a session establishment method of a terminal device;
FIG. 4 is a schematic flowchart of a communication method provided in an embodiment of this application;
FIG. 5 is a schematic flowchart of another communication method provided in an embodiment of this application;
FIG. 6 is a schematic flowchart of still another communication method provided in an embodiment of this application;
FIG. 7 is a schematic flowchart of still another communication method provided in an embodiment of this application;
FIG. 8 is a schematic flowchart of still another communication method provided in an embodiment of this application;
FIG. 9 is a schematic flowchart of still another communication method provided in an embodiment of this application;
FIG. 10 is a schematic block diagram of a communication device provided in an embodiment of this application;
FIG. 11 is a schematic block diagram of another communication device provided in an embodiment of this application.
The technical solutions in this application are described below with reference to the accompanying drawings.
The technical solutions of this application can be applied to non-terrestrial network (NTN) systems such as satellite communication systems and high altitude platform station (HAPS) communication, for example integrated communication and navigation (ICaN) systems and global navigation satellite systems (GNSS).
Satellite communication systems can be integrated with conventional mobile communication systems. The mobile communication system may be a 5G or NR system, a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), and so on. The technical solutions provided in this application can also be applied to future communication systems, such as a sixth generation (6G) mobile communication system. The technical solutions provided in this application can also be applied to device to device (D2D) communication, vehicle-to-everything (V2X) communication, machine to machine (M2M) communication, machine type communication (MTC), internet of things (IoT) communication systems, non-terrestrial network (NTN) communication systems, or other communication systems.
FIG. 1 is a schematic diagram of a communication system applicable to an embodiment of this application. As shown in FIG. 1, the architecture 100 may include a terminal device 110, a network device 120, a core network (CN) 130, an external network 140, and so on.
(1) The terminal device 110 may be referred to as user equipment (UE). The terminal device 110 in this application is a device with a wireless transceiver function, which can communicate with one or more CNs 130 through the network device 120. The terminal device 110 may also be referred to as an access terminal, a terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a user agent, a user apparatus, and so on. The terminal device 110 may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it may also be deployed on water (for example, on a ship); and it may also be deployed in the air (for example, on an aircraft, a balloon or a satellite). The terminal device 110 may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a smartphone, a mobile phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), and so on. Alternatively, the terminal device 110 may also be a handheld device with a wireless communication function, a computing device or another device connected to a wireless modem, a vehicle-mounted device, a wearable device, an unmanned aerial vehicle (UAV) device, a terminal in the internet of things or the internet of vehicles, a terminal of any form in a 5G network or a future network, a relay user equipment, a terminal in a future evolved 6G network, and so on. The relay user equipment may be, for example, a 5G residential gateway (RG). For example, the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. Alternatively, the terminal device 110 may also be a terminal device such as a logical entity, a smart device (such as a mobile phone) or a smart terminal; a communication device such as a server, a gateway, a base station or a controller; or an IoT device such as a sensor, an electricity meter or a water meter. The embodiments of this application do not limit the type or category of the terminal device.
In the embodiments of this application, the apparatus for implementing the functions of the terminal device may be the terminal device itself, or an apparatus that can support the terminal device in implementing those functions, such as a chip system or a chip, which may be installed in the terminal device. In the embodiments of this application, a chip system may consist of a chip, or may include a chip and other discrete components.
(2) The network device 120 may be any device with a wireless transceiver function that communicates with a terminal device; the network device may also be referred to as an access network device or a radio access network device, and may be, for example, a base station. The network device in the embodiments of this application may refer to a radio access network (RAN) node (or RAN device, or RAN entity) that connects the terminal device to a wireless network. The (R)AN may be regarded as a subnetwork of the operator network, an implementation system between the service nodes of the operator network and the terminal device 110. For example, to access the operator network, the terminal device 110 first passes through the network device 120, and can then connect to a service node of the operator network through the network device 120. The RAN may be a cellular system related to the 3rd generation partnership project (3GPP), such as a 5G mobile communication system, or a future-oriented evolved system (such as a 6G mobile communication system). The RAN may also be an open radio access network (open RAN, O-RAN or ORAN), a cloud radio access network (CRAN), or a wireless fidelity (WiFi) system. The RAN may also be a communication system that integrates two or more of the above systems. The network device 120 includes, but is not limited to: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in LTE, a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a pico base station, a mobile switching center, or a network device in a future network. In systems using different radio access technologies, the names of devices with access network device functions may differ. For ease of description, in all embodiments of this application, the apparatus providing the wireless communication function for the terminal device 110 is collectively referred to as an access network device, or RAN or AN for short. It should be understood that the specific type of access network device is not limited herein.
In some deployments, multiple RAN nodes cooperate to provide wireless access for the terminal, with different RAN nodes each implementing part of the functions of the base station. For example, a RAN node may be a CU, a DU, a central unit-control plane (CU-CP), a central unit-user plane (CU-UP), or a radio unit (RU). The CU and DU may be provided separately, or may be included in the same network element, such as a BBU. The functions of the RU may be implemented by the radio frequency equipment of the base station. For example, the radio frequency equipment of the base station may be a remote radio unit (RRU), a pico remote radio unit (pRRU), an active antenna unit (AAU), or another unit, module or device with a radio frequency processing function. The communication interface protocol between the BBU and the radio frequency equipment may be the common public radio interface (CPRI) protocol, the enhanced common public radio interface (eCPRI) protocol, the fronthaul interface protocol between the DU and RU in an O-RAN system, and so on, without limitation.
In different systems, the CU (or CU-CP and CU-UP), DU or RU may have different names, but those skilled in the art can understand their meanings. For example, in an ORAN system, the CU may also be called an O-CU (open CU), the DU an O-DU, the CU-CP an O-CU-CP, the CU-UP an O-CU-UP, and the RU an O-RU. Any of the CU (or CU-CP, CU-UP), DU and RU in this application may be implemented by a software module, a hardware module, or a combination of a software module and a hardware module. For ease of description, CU, CU-CP, CU-UP, DU and RU are used as examples in this application.
The network device 120 may be fixed or mobile. For example, a helicopter or drone may be configured to act as a mobile base station, and one or more cells may move with the location of that mobile base station. In other examples, a helicopter or drone may be configured to act as a device that communicates with another base station.
In the embodiments of this application, the apparatus for implementing the functions of the access network device may be the network device itself, or an apparatus that can support the access network device in implementing those functions, such as a chip system or a chip, which may be installed in the access network device. In the embodiments of this application, a chip system may consist of a chip, or may include a chip and other discrete components.
The network device and the terminal device may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they may also be deployed on water; and they may also be deployed on aircraft, balloons and satellites in the air. The embodiments of this application do not limit the scenarios in which the network device and the terminal device are located. In addition, the terminal device and the network device may be hardware devices, software functions running on dedicated hardware, software functions running on general-purpose hardware, for example virtualized functions instantiated on a platform (such as a cloud platform), or entities that include dedicated or general-purpose hardware devices together with software functions. This application does not limit the specific forms of the terminal device and the network device.
(3) The core network CN may include, but is not limited to, the following network functions (NF): user plane function (UPF), network exposure function (NEF), network function repository function (NRF), policy control function (PCF), unified data management (UDM), unified data repository (UDR), application function (AF), authentication server function (AUSF), access and mobility management function (AMF), and session management function (SMF).
The NFs included in the CN are briefly described below.
1. The UPF is a gateway provided by the operator, the gateway through which the operator network communicates with the DN. It is mainly responsible for packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection, downlink packet buffering, and so on. The UPF may also be called a user plane device; it can receive user data from the DN 240 and transmit it to the terminal device 110 through the network device 120, and it can also receive user data from the terminal device 110 through the network device 120 and forward it to the DN. The transmission resources and scheduling functions in the UPF that serve the terminal device 110 are managed and controlled by the SMF.
2. The NEF is a control plane function provided by the operator. It mainly enables third parties to use the services provided by the network, and supports the network in exposing its capabilities, events and data analytics, the secure provisioning of information from external applications to the PLMN, the translation of information exchanged between the inside and the outside of the PLMN, and so on. The NEF may also be called a network exposure device, and can provide Nnef services.
3. The NRF is a control plane function provided by the operator, which can be used to maintain real-time information about network functions and services in the network. For example, it supports network service discovery, maintains the NF profile of each NF instance and the services it supports, supports service discovery for the service communication proxy (SCP), maintains the SCP profile of each SCP instance, sends notifications about newly registered, deregistered and updated NFs and SCPs, maintains the health status of NF and SCP operation, and so on.
4. The PCF is a control plane function provided by the operator. It supports a unified policy framework to govern network behavior, provides policy rules to other control functions, provides subscription information relevant to policy decisions, and so on.
5. The UDM is a control plane function provided by the operator, responsible for storing the subscription permanent identifier (SUPI), the generic public subscription identifier (GPSI), credentials and other information of subscribers in the operator network. This information can be used for authentication and authorization of the terminal device 110 when it accesses the operator network. The SUPI is encrypted before transmission, and the encrypted SUPI is called the subscription concealed identifier (SUCI). The UDM may also be called a unified data management device, a unified data management network element, a data management device, a unified data management entity, and so on.
6. The UDR is a control plane function provided by the operator, which provides the UDM with storage and retrieval of subscription data, provides the PCF with storage and retrieval of policy data, stores and retrieves users' NF group ID information, and so on. The UDR may also be called a user database device, a user database entity, a user database network element, and so on, where the user database mainly provides storage and access for subscription data, policy data, application data and other types of data.
7. The AF is a control plane function provided by the operator. It mainly provides services by interacting with other NFs in the PLMN, for example providing visited network selection information for roaming UEs, steering the routing of data flows, accessing the NEF, and so on. The AF may be deployed by the operator inside the PLMN, or outside the operator network.
8. The AUSF is a control plane function provided by the operator, usually used for primary authentication, that is, authentication between the terminal device 110 (the subscriber) and the operator network. After receiving an authentication request initiated by a subscriber, the AUSF can authenticate and/or authorize the subscriber using the authentication and/or authorization information stored in the UDM, or generate the subscriber's authentication and/or authorization information through the UDM. The AUSF can return authentication and/or authorization information to the subscriber.
9. The AMF is a control plane network function provided by the operator network, responsible for access control and mobility management of the terminal device 110 accessing the operator network, including, for example, mobility state management, allocation of temporary user identities, and authentication and authorization of users. For example, the AMF may also be called an access and mobility management device, an access and mobility management function entity, an access and mobility management function network element, a mobility management device, a mobility management network element, a mobility management entity, and so on, and can provide Namf services.
10. The SMF is a control plane network function provided by the operator network, responsible for managing the protocol data unit (PDU) sessions of the terminal device 110; the terminal device and the DN exchange PDUs through a PDU session. The SMF is responsible for establishing, maintaining and deleting PDU sessions. The SMF covers session-related functions such as session management (for example session establishment, modification and release, including maintenance of the tunnel between the user plane function UPF and the network device 120), UPF selection and control, service and session continuity (SSC) mode selection, and roaming. The SMF may also be called a session management device, and can provide Nsmf services.
(4) The external network 140 may be a data network (DN), also called a packet data network (PDN), which is usually a network located outside the operator network, such as a third-party network. In some implementations, the DN may also be deployed by the operator, that is, the DN is part of the public land mobile network (PLMN). This application does not limit whether the DN belongs to the PLMN. A variety of services may be deployed on the DN, providing data and/or voice services to the terminal device 110.
It can be understood that the above network elements or functions may be physical entities in hardware devices, software instances running on dedicated hardware, or virtualized functions instantiated on a shared platform (for example, a cloud platform). In short, an NF may be implemented in hardware or in software.
It should be understood that the above names are defined only to distinguish different functions and should not constitute any limitation on this application. This application does not exclude the possibility of other names being used in 5G networks and other future networks. For example, in a 6G network, some or all of the above network elements may keep the 5G terminology, or may use other names.
NTN communication systems include integrated communication and navigation (IcaN) systems, global navigation satellite systems (GNSS) and ultra-dense low-earth-orbit satellite communication systems. For example, an NTN communication system includes nodes such as satellite networks, high-altitude platforms and drones; it offers global coverage, long-distance transmission, flexible networking, convenient deployment and independence from geographical conditions, and it is already widely used in maritime communication, positioning and navigation, disaster relief, scientific experiments, video broadcasting and earth observation. Terrestrial communication networks (for example LTE, 5G and future 6G networks) and satellite networks are being integrated into a single sea, land, air, space and ground communication network with seamless global coverage that can serve many kinds of user traffic. Current 5G networks support the regenerative satellite mode, in which the NTN communication system provides seamless coverage to terminal devices by deploying the access network device, or part of its functions, on a non-terrestrial node (for example a high-altitude platform or a satellite); this can also be described as the access network device providing satellite access to terminal devices over the NR air interface. For ease of description, the embodiments of this application refer to a satellite that hosts the access network function as a satellite access network device, and to a base station deployed on a satellite as a satellite base station.
FIG. 2 is a schematic diagram of a network architecture applicable to an embodiment of this application. The satellite communication system includes satellite base station 201 and satellite base station 202; each satellite base station can serve terminal devices through multiple beams, for example with communication, navigation and positioning services. The satellites in this scenario may be low earth orbit (LEO), medium earth orbit (MEO), high elliptical orbit (HEO) or geostationary earth orbit (GEO) satellites; the embodiments of this application do not limit this. Satellite base station 202 is connected to a ground gateway station (such as an NTN Gateway), which may also be called a gateway station, an earth station or a ground station device. A satellite covers its service area with multiple beams, and different beams can communicate using one or more of time division, frequency division and space division.
As shown in FIG. 2, taking a 5G network as an example, a terminal device on the ground can communicate with the satellite base station over the 5G NR air interface; for example, the satellite base station can communicate wirelessly with the terminal device by broadcasting communication signals and navigation signals. The connection between the terminal device and the satellite base station may be called the service link. The satellite base station communicates wirelessly with the ground station (also called gateway station, ground gateway station or earth station) over the NG interface (for example, to exchange NAS and other signaling with the core network and to carry the user's service data), and so reaches the core network through the ground gateway station. The ground station is mainly responsible for forwarding signaling and service data between the satellite base station and the core network, and the connection between the satellite base station and the ground station may be called the feeder link. Inter-satellite links (ISL) also exist between satellites to carry signaling and user data between 5G access network devices; for example, satellite base station 201 can communicate wirelessly with satellite base station 202 over the Xn interface (for example, for handover signaling).
Note that the communication system shown in FIG. 2 is described with the satellite communication system combined with a 5G system as an example. When the satellite communication system is combined with another terrestrial communication system, the network elements and interfaces involved may have other names; the embodiments of this application do not limit this.
Normally the service link between the terminal device and the satellite base station and the feeder link between the satellite base station and the ground station are both connected, that is, uplink and downlink messages between the terminal device and the core network can be transmitted through the satellite base station and the ground station. Session establishment between the terminal device and the core network is described below with reference to FIG. 3.
FIG. 3 is a flow chart of a session establishment method for a terminal device. Method 300 can be applied to the network architectures of FIG. 1 and FIG. 2; it mainly describes the user plane session establishment procedure in a satellite communication system and how, during that procedure, the user plane security protection policy between the terminal device and the satellite base station is indicated. As shown in FIG. 3, taking the terminal device as a UE, the access network device as a satellite base station and the core network elements as session management elements such as the AMF and SMF, the method includes the following steps; for details not described here, refer to the existing protocols.
S301: The UE registers with the network.
For example, the UE registers with the network, completes authentication and activates non-access stratum (NAS) and access stratum (AS) security.
For example, the UE sends a registration request message to the network, carrying the UE ID, to request registration. The UE and the network then authenticate each other, which includes the AMF triggering authentication of the UE. For example, the AMF sends authentication request #1 to the AUSF and the AUSF sends authentication request #2 to the UDM; both request authentication of the UE. The UDM generates an authentication vector and returns authentication response #1 to the AUSF, and the AUSF returns authentication response #2 to the AMF; both responses carry the authentication vector, for example a 5G-AKA or an EAP-AKA' authentication vector. The authentication methods include, but are not limited to, 5G Authentication and Key Agreement (5G-AKA) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA'). Taking an EAP-AKA' authentication vector as an example, the AMF sends an EAP-Request/AKA'-Challenge message to the UE in a NAS message. After the UE has authenticated the network, it sends an EAP-Response/AKA'-Challenge message to the AMF in a NAS message; the AMF then sends a Nausf_UEAuthentication_Authenticate Request message carrying the EAP-Response/AKA'-Challenge message to the AUSF. The AUSF verifies the EAP-Response/AKA'-Challenge message; if verification succeeds, authentication of the UE is complete and EAP-Success is sent to the UE via the AMF to indicate success. For the details of authentication, refer to the relevant description in TS 33.501.
It should be understood that after the above authentication procedure the UE and the AMF normally generate or obtain a new NAS key (for example KAMF), and the NAS keys derived from it are taken into use by triggering the NAS SMC procedure: the AMF sends a NAS SMC message to the UE and the UE replies with a NAS SMP message. The NAS SMC message includes, but is not limited to, the integrity protection algorithm identifier and/or confidentiality protection algorithm identifier, the ngKSI, the replayed UE security capabilities and MAC#1; the NAS SMP message includes MAC#2. The ngKSI identifies a particular NAS security context, which includes one or more of: key identifier, UE security capabilities, uplink and downlink NAS COUNT values, confidentiality protection key, integrity protection key, selected integrity protection algorithm identifier and selected confidentiality protection algorithm identifier.
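The NAS SMC exchange above is where the UE detects bidding-down: the AMF replays the UE security capabilities it received inside a message protected by MAC#1 under the new key, and the UE compares them with what it actually sent. The following Python is an added example, not code from the patent or from any 3GPP implementation. The string-set capability encoding, the message serialisation and the use of HMAC-SHA256 truncated to 32 bits in place of NIA1/NIA2/NIA3 are all assumptions made for illustration; the checks themselves (freshness, MAC#1, replayed capabilities, acceptable algorithm) are the ones the text describes.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed sample: the capabilities the UE put in its (unprotected) Registration Request.
# The string-set encoding is an assumption for illustration, not the 3GPP IE layout.
UE_CAPS: FrozenSet[str] = frozenset({"NIA1", "NIA2", "NIA3", "NEA0", "NEA1", "NEA2", "NEA3"})


def nas_mac(k_nas_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    """Keyed MAC over DIRECTION || COUNT || message.
    Assumption: HMAC-SHA256 truncated to 32 bits stands in for NIA1/NIA2/NIA3;
    the point is that the MAC binds the counter and direction as well as the body."""
    hdr = bytes([direction & 1]) + count.to_bytes(4, "big")
    return hmac.new(k_nas_int, hdr + message, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class NasSmc:
    ngksi: int
    int_alg: str
    enc_alg: str
    replayed_caps: FrozenSet[str]
    dl_count: int
    mac1: bytes


def smc_body(ngksi: int, int_alg: str, enc_alg: str, caps: FrozenSet[str]) -> bytes:
    # Canonical serialisation so both sides MAC the same bytes (assumed format).
    return f"SMC|ngKSI={ngksi}|int={int_alg}|enc={enc_alg}|caps={','.join(sorted(caps))}".encode()


def amf_build_smc(k_nas_int: bytes, ngksi: int, int_alg: str, enc_alg: str,
                  received_caps: FrozenSet[str], dl_count: int) -> NasSmc:
    """AMF side: select algorithms, replay the capabilities it received, and compute MAC#1
    with the integrity key derived from the new KAMF."""
    body = smc_body(ngksi, int_alg, enc_alg, received_caps)
    return NasSmc(ngksi, int_alg, enc_alg, frozenset(received_caps), dl_count,
                  nas_mac(k_nas_int, dl_count, 1, body))


def ue_check_smc(k_nas_int: bytes, smc: NasSmc, own_caps: FrozenSet[str],
                 min_dl_count: int) -> Tuple[bool, str]:
    """UE side: every check must pass before the new NAS security context is taken into use."""
    body = smc_body(smc.ngksi, smc.int_alg, smc.enc_alg, smc.replayed_caps)
    # 1. Freshness and MAC#1: an attacker without the new key cannot forge or replay the SMC.
    if smc.dl_count < min_dl_count:
        return False, "stale NAS COUNT"
    if not hmac.compare_digest(nas_mac(k_nas_int, smc.dl_count, 1, body), smc.mac1):
        return False, "MAC#1 verification failed"
    # 2. Bidding-down check: the replayed capabilities must equal what the UE really sent,
    #    otherwise something on the path altered the unprotected Registration Request.
    if smc.replayed_caps != own_caps:
        return False, "replayed UE security capabilities do not match"
    # 3. The selected algorithms must be ones the UE offered (NIA0 is not in UE_CAPS,
    #    so null integrity for NAS is rejected here as well).
    if smc.int_alg not in own_caps or smc.enc_alg not in own_caps:
        return False, "selected algorithm not supported by UE"
    return True, "ok"
```

Note the ordering: the MAC is checked before the capability comparison, so a mismatch that survives the MAC check means the AMF honestly replayed what it saw, which is exactly the evidence that the Registration Request was modified in transit.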
S302: The UE sends a session establishment request message to the AMF, and correspondingly the AMF receives the session establishment request message from the UE.
The session establishment request message carries a session identifier that identifies the UE's session and, optionally, information such as the session type and/or slice. For example, the UE initiates a PDU session establishment request message, such as a PDU Session Establishment Request message, to the AMF via the satellite base station. Note that this request is a NAS message that the satellite base station forwards transparently without parsing it.
S303: The AMF sends a session context creation request message to the SMF, and correspondingly the SMF receives the session context creation request message from the AMF.
The session context creation request message carries the session identifier and may be an Nsmf_PDUSession_CreateSMContext Request message. Using the session identifier, the SMF can look up the corresponding user plane security policy (also called the security protection policy or user plane security protection policy) from the UDM, the PCF or a network management function; the policy indicates whether the transport layer requires security protection.
For example, the user plane security policy includes a confidentiality security policy and/or an integrity security policy: the confidentiality security policy indicates whether the transport layer requires confidentiality protection, and the integrity security policy indicates whether it requires integrity protection.
In one implementation the security policy takes one of the values required, preferred and not needed. A value of required means the sender must protect the messages and/or data it sends; not needed means the sender does not protect them; preferred means protection is optional, that is, the sender may protect the messages and/or data or send them unprotected. Security protection here covers confidentiality protection and/or integrity protection. Thus an integrity security policy of required means integrity protection must be applied to the messages and/or data to be sent, not needed means it is not applied, and preferred means it may or may not be applied. Likewise, a confidentiality security policy of required means confidentiality protection must be applied to the messages and/or data to be sent, not needed means it is not applied, and preferred means it may or may not be applied.
It should be understood that integrity protection ensures, by physical or cryptographic means, that information and/or data is not tampered with or modified without authorization while it is generated, transmitted and stored, and afterwards. Cryptographic integrity protection can be done in several ways, for example by using a one-way function (such as a hash function) that takes a symmetric key (the integrity protection key) and the message as inputs and produces a message authentication code (MAC). Specifically, integrity protection here means protecting the message to be sent with the selected integrity protection algorithm and integrity protection key. For NAS messages the integrity protection key may be the NAS integrity key (Knasint); for RRC messages it may be the RRC integrity key (Krrcint); and for user plane messages and/or data it may be the UP integrity key (Kupint). In each case the key is used to integrity-protect the messages to be sent.
It should also be understood that confidentiality protection means encrypting the messages and/or data to be sent with a confidentiality protection algorithm and a confidentiality protection key.
Optionally, the security policy may be indicated explicitly, for example in a dedicated information element (IE). For example, a 2-bit indication may be used, with "00" meaning required, "01" meaning not needed and "10" meaning preferred; or "true" may mean required and "false" not needed. This application does not limit the encoding.
For example, the security algorithms include an integrity protection algorithm and/or a confidentiality protection algorithm. The integrity protection algorithm is one or more of the AES, SNOW or ZUC integrity protection algorithms or the null integrity protection algorithm; the confidentiality protection algorithm is one or more of the ZUC, AES or SNOW confidentiality protection algorithms or the null confidentiality protection algorithm.
S304: The SMF sends a session context creation response message to the AMF, and correspondingly the AMF receives the session context creation response message from the SMF.
The session context creation response message carries the session identifier, the user plane security policy and a session accept message; it may be an Nsmf_PDUSession_CreateSMContext Response message. The session accept message is carried in an N1 container.
S305: The AMF sends a session resource setup request message to the satellite base station, and correspondingly the satellite base station receives the session resource setup request message from the AMF.
The session resource setup request message carries the session identifier, the user plane security policy and the session accept message; it may be a PDU Session Resource Setup Request message.
S306: The satellite base station determines, according to the user plane security policy, whether to activate security protection for the DRB(s) corresponding to the session.
A session corresponds to one or more DRBs; in other words, the one or more data flows (data #1) transmitted in a session can each be carried by one of those DRBs, typically one data flow per DRB. The user plane security policy indicates whether security protection is to be enabled for the DRBs corresponding to the session.
For example, when the user plane security policy is required, the satellite base station determines that DRB security protection must be activated and configures it as on; when the policy is not needed, it determines that DRB security protection is not to be activated and configures it as off; when the policy is preferred, it decides according to local policy whether to activate DRB security protection. For example, the local policy may state that when the user plane security policy is preferred the satellite base station turns security protection on, or that it turns it on or off according to its own load.
In one implementation, when the integrity security policy is required, the satellite base station activates integrity protection for the DRBs corresponding to the session; when it is not needed, the satellite base station does not activate integrity protection for those DRBs; when it is preferred, the satellite base station activates or does not activate integrity protection for those DRBs according to local policy.
In another implementation, when the confidentiality security policy is required, the satellite base station activates confidentiality protection for the DRBs corresponding to the session; when it is not needed, the satellite base station does not activate confidentiality protection for those DRBs; when it is preferred, the satellite base station activates or does not activate confidentiality protection for those DRBs according to local policy.
Note that if the user plane security policy indicates that integrity protection is not to be activated (enabled) for a DRB, the satellite base station and the UE may set the MAC to all zeros, meaning that neither side integrity-protects the user plane messages and/or data carried on that DRB and neither side needs to verify their integrity. Optionally, the MAC may be omitted from the Packet Data Convergence Protocol (PDCP) packet altogether.
S307: The satellite base station sends an RRC reconfiguration message to the UE, and correspondingly the UE receives the RRC reconfiguration message from the satellite base station.
For example, the RRC reconfiguration message may be an RRC Reconfiguration message.
The RRC reconfiguration message carries the DRB identifier (for example the DRB ID) and the corresponding user plane security indication (UP sec indication), such as an integrity protection indication and/or a confidentiality protection indication. The integrity protection indication tells whether integrity protection is enabled for the DRB, that is, whether integrity protection of the DRB needs to be activated; the confidentiality protection indication likewise tells whether confidentiality protection is enabled for the DRB, that is, whether confidentiality protection of the DRB needs to be activated.
The RRC reconfiguration message also carries the session accept message.
Optionally, the integrity protection indication and/or the confidentiality protection indication may be one bit each. For example, a confidentiality indication of "1" means confidentiality protection is enabled for the DRB and "0" means it is not; likewise an integrity indication of "1" means integrity protection is enabled for the DRB and "0" means it is not.
Optionally, the values of the integrity protection indication and the confidentiality protection indication may be determined from the user plane security policy received by the satellite base station.
For example, if the UE's session corresponds to two DRBs (DRB#1 and DRB#2), the data transmitted in the session is carried on DRB#1 and DRB#2, say data #1 on DRB#1 and data #2 on DRB#2. If the user plane security policy indicates that integrity protection is activated and confidentiality protection is not, the satellite base station sets the integrity protection indication for DRB#1 and DRB#2 to "1" and the confidentiality protection indication to "0", and carries them in the RRC reconfiguration message of step S307.
Optionally, after deciding whether to activate DRB security protection, or after determining the user plane security protection policy, the satellite base station configures the PDCP entities of the DRBs corresponding to the session. For example, if the user plane security policy indicates that integrity protection is activated and confidentiality protection is not, the user plane security indication in the RRC reconfiguration message tells DRB#1 and DRB#2 to enable integrity protection and not confidentiality protection; correspondingly, the satellite base station configures the integrity protection key and integrity protection algorithm for DRB#1 and DRB#2 in their PDCP entities, activates integrity verification of uplink user plane messages and/or data on DRB#1 and DRB#2, and activates integrity protection of downlink user plane messages and/or data on them.
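Steps S306 and S307 above reduce to a small decision table: a per-session policy of required, not needed or preferred for each of integrity and confidentiality, resolved by the satellite base station into a 1-bit indication per DRB. The Python below is an added example, not code from the patent, that carries the whole procedure through: decoding the 2-bit policy encoding given earlier, resolving preferred against a local policy, emitting the per-DRB indications, and a consistency check a practitioner would want so that a required policy can never come out as "off". The bit packing of the policy IE and of the UP sec indication, the load-based local policy and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Policy(Enum):
    """Security policy values with the 2-bit encoding used in the text ("11" is reserved)."""
    REQUIRED = 0b00
    NOT_NEEDED = 0b01
    PREFERRED = 0b10


def decode_policy(bits: int) -> Policy:
    try:
        return Policy(bits)
    except ValueError:
        # Treat a reserved code as a protocol error rather than silently defaulting to "off".
        raise ValueError(f"reserved user plane security policy encoding {bits:02b}")


@dataclass(frozen=True)
class UpSecurityPolicy:
    integrity: Policy
    confidentiality: Policy

    @classmethod
    def from_ie(cls, ie: int) -> "UpSecurityPolicy":
        # Assumed packing for the example: integrity in bits 3..2, confidentiality in bits 1..0.
        return cls(decode_policy((ie >> 2) & 0b11), decode_policy(ie & 0b11))


@dataclass(frozen=True)
class DrbSecConfig:
    drb_id: int
    integrity_on: bool      # 1-bit integrity protection indication in RRC Reconfiguration
    ciphering_on: bool      # 1-bit confidentiality protection indication

    def up_sec_indication(self) -> int:
        # Assumed packing: bit 1 = integrity, bit 0 = confidentiality.
        return (int(self.integrity_on) << 1) | int(self.ciphering_on)


def resolve(policy: Policy, local_policy_on: bool) -> bool:
    """required -> on, not needed -> off, preferred -> whatever local policy says."""
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_NEEDED:
        return False
    return local_policy_on


def gnb_configure_drbs(policy: UpSecurityPolicy, drb_ids: List[int],
                       load_high: bool = False) -> List[DrbSecConfig]:
    """Satellite base station side (S306/S307). The local policy modelled here enables
    protection for 'preferred' unless the node is heavily loaded, an assumption that follows
    the text's 'according to its own load' example."""
    local_on = not load_high
    ip = resolve(policy.integrity, local_on)
    ciph = resolve(policy.confidentiality, local_on)
    return [DrbSecConfig(d, ip, ciph) for d in drb_ids]


def consistent_with_policy(policy: UpSecurityPolicy, cfgs: List[DrbSecConfig]) -> bool:
    """Sanity check on the base station's choice: 'required' must never come out off,
    'not needed' must never come out on, and every DRB of the session must agree."""
    for c in cfgs:
        for p, on in ((policy.integrity, c.integrity_on), (policy.confidentiality, c.ciphering_on)):
            if p is Policy.REQUIRED and not on:
                return False
            if p is Policy.NOT_NEEDED and on:
                return False
    return len({(c.integrity_on, c.ciphering_on) for c in cfgs}) <= 1


def ue_apply(cfgs: List[DrbSecConfig]) -> Dict[int, str]:
    """UE side (S308): what each DRB's PDCP entity must activate for its uplink traffic."""
    out: Dict[int, str] = {}
    for c in cfgs:
        parts = []
        if c.integrity_on:
            parts.append("integrity protection")
        if c.ciphering_on:
            parts.append("ciphering")
        out[c.drb_id] = ", ".join(parts) or "no protection (MAC all zeros or absent)"
    return out
```

The consistency check is the piece worth keeping in a real node: the policy comes from the SMF and the DRB configuration is produced locally, and an inconsistency between them (for example a required integrity policy with the indication bit cleared) is a configuration bug that the UE cannot detect, because the UE never sees the policy, only the indication.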
S308: The UE verifies the integrity of the RRC reconfiguration message.
For example, the UE verifies the integrity of the received RRC reconfiguration message by comparing the MAC#3 value carried in the message with the MAC#4 value it computes locally; if the two are equal, the integrity check passes, otherwise it fails.
Further, if the integrity check succeeds, the UE configures the PDCP entities of the DRBs. For example, if the RRC reconfiguration message indicates that integrity protection is activated for DRB#1, the UE configures the integrity protection key and integrity protection algorithm for DRB#1 in its PDCP entity, activates integrity protection of uplink user plane messages on DRB#1 and activates integrity verification of downlink user plane messages on DRB#1. If the message indicates that confidentiality protection is activated for DRB#2, the UE configures the confidentiality protection key and confidentiality protection algorithm for DRB#2 in its PDCP entity, activates encryption of uplink user plane messages on DRB#2 and activates decryption of downlink user plane messages on DRB#2.
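The MAC comparison in S308 (MAC#3 against a locally computed MAC#4) and the per-DRB PDCP behaviour just described, including the all-zero MAC when integrity is not activated, follow one pattern. The Python below is an added example, not code from the patent or from any PDCP implementation, showing the sender and receiver sides of a PDCP data PDU with a 32-bit MAC-I. It binds COUNT, BEARER and DIRECTION into the MAC input, which is the input set the 3GPP integrity algorithms use; HMAC-SHA256 truncated to 32 bits stands in for NIA2 (AES-CMAC), and the clear-text COUNT in the PDU and the constant names are assumptions for illustration. The receiver rejects replayed COUNTs, reflected or re-bearered PDUs, and, when integrity is on, an all-zero MAC field, so a peer cannot switch protection off per packet; the switch is the RRC indication.

```python
import hmac
import hashlib
from typing import Tuple

MAC_LEN = 4      # PDCP MAC-I is 32 bits
DL, UL = 0, 1    # DIRECTION bit values (assumed constants for the example)


class IntegrityFailure(Exception):
    pass


def mac_i(k_int: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """MAC over COUNT || BEARER || DIRECTION || data.
    Assumption: HMAC-SHA256 truncated to 32 bits stands in for NIA2 (AES-128-CMAC);
    the 5-bit BEARER and 1-bit DIRECTION are packed into one header byte."""
    hdr = count.to_bytes(4, "big") + bytes([((bearer & 0x1F) << 3) | ((direction & 1) << 2)])
    return hmac.new(k_int, hdr + data, hashlib.sha256).digest()[:MAC_LEN]


def pdcp_protect(k_int: bytes, count: int, bearer: int, direction: int,
                 sdu: bytes, integrity_on: bool) -> bytes:
    """Sender: append MAC-I, or an all-zero MAC field when the DRB's integrity indication is off."""
    mac = mac_i(k_int, count, bearer, direction, sdu) if integrity_on else bytes(MAC_LEN)
    return count.to_bytes(4, "big") + sdu + mac   # COUNT carried in clear for the example


def pdcp_verify(k_int: bytes, bearer: int, direction: int, pdu: bytes,
                integrity_on: bool, last_count: int) -> Tuple[int, bytes]:
    """Receiver: returns (count, sdu). With integrity on, COUNT must advance and the MAC must
    match; an all-zero MAC is just another wrong MAC. With integrity off, nothing is checked,
    matching the all-zero / absent MAC case in the text."""
    if len(pdu) < 4 + MAC_LEN:
        raise IntegrityFailure("truncated PDU")
    count = int.from_bytes(pdu[:4], "big")
    sdu, mac = pdu[4:-MAC_LEN], pdu[-MAC_LEN:]
    if not integrity_on:
        return count, sdu
    if count <= last_count:
        raise IntegrityFailure("replayed or stale COUNT")
    if not hmac.compare_digest(mac, mac_i(k_int, count, bearer, direction, sdu)):
        raise IntegrityFailure("MAC-I mismatch")
    return count, sdu


def verify_ok(k_int: bytes, bearer: int, direction: int, pdu: bytes,
              integrity_on: bool, last_count: int) -> bool:
    """Convenience wrapper: True if pdcp_verify accepts the PDU, False if it raises."""
    try:
        pdcp_verify(k_int, bearer, direction, pdu, integrity_on, last_count)
        return True
    except IntegrityFailure:
        return False
```

Two details matter in practice: the comparison is constant-time (hmac.compare_digest), and the COUNT check runs before the MAC check so a replayed PDU is dropped without spending a MAC computation on it. Applying the same mac_i over an RRC message with the RRC integrity key gives the MAC#3/MAC#4 comparison of step S308.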
S309: The UE sends an RRC reconfiguration complete message to the satellite base station, and correspondingly the satellite base station receives the RRC reconfiguration complete message from the UE.
For example, if the UE successfully verified the integrity of the RRC reconfiguration message in step S308, it sends the RRC reconfiguration complete message to the satellite base station; the message may be an RRC Reconfiguration Complete message. Optionally, if the UE fails to activate security protection for a DRB, or fails to configure the DRB's PDCP entity, it may send a failure cause value to the satellite base station; the failure cause value may indicate that the integrity check of the RRC reconfiguration message failed.
S310,卫星基站向AMF发送会话资源建立响应消息,对应的,AMF接收来自卫星基站的会话资源建立响应消息。S310, the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives a session resource establishment response message from the satellite base station.
其中,该会话资源建立响应消息用于告知会话资源建立结果,例如建立成功或失败。示例性地,该会话资源建立响应消息可以是PDU Session Resource Setup Response消息。应理解,本申请技术方案是基于会话资源建立成功进行的。The session resource establishment response message is used to inform the session resource establishment result, such as success or failure. Exemplarily, the session resource establishment response message can be a PDU Session Resource Setup Response message. It should be understood that the technical solution of the present application is based on the successful establishment of the session resource.
可选地,在LTE网络中,上述方法300中的核心网网元可以是移动管理实体(Mobility Management Entity,MME)、服务网关(Serving GateWays,S-GWs)、或公共数据网络(Public Data Network,PDN GWs或P-GWs),具体实现方式类似,这里不再说明。Optionally, in an LTE network, the core network element in the above method 300 may be a mobility management entity (Mobility Management Entity, MME), a serving gateway (Serving GateWays, S-GWs), or a public data network (Public Data Network, PDN GWs or P-GWs). The specific implementation method is similar and will not be described here.
Since the ground coverage of a satellite is limited, at certain moments the service link and the feeder link may not be connected at the same time. For example, when the satellite passes over geographical location A, it can establish a service link with a UE at geographical location B, but may at that time be unable to establish a feeder link with the ground gateway station at geographical location C. In this case the satellite base station can perform a store-and-forward operation (Store and Forward): it stores the received uplink messages, that is, buffers them on the satellite base station, and forwards the stored uplink information to the ground network once the feeder link is restored. It should be understood that the store-and-forward operation is mainly suited to delay-insensitive or non-real-time IoT satellite services. The object of the store-and-forward operation may be signaling plane data or user plane data. For ease of description and understanding, this application takes user plane data as an example.
In the store-and-forward scenario, if an attacker sends a large amount of malicious data or messages to the satellite base station, the storage area of the satellite base station may be filled up, so that it can no longer buffer the control plane data and/or user plane data of legitimate UEs. The satellite base station is thus at risk of malicious attack, and network security cannot be guaranteed. Additional measures are therefore urgently needed to reduce the potential security risk.
In view of this, the present application provides a secure communication method and communication apparatus that can reduce the risk of malicious attacks on satellite base stations and improve network communication security.
The communication method provided by the embodiments of the present application is described in detail below with reference to the accompanying drawings. The embodiments provided by the present application are applicable to communication scenarios in which a transmitting device and a receiving device communicate, for example the communication systems shown in Figures 1 and 2 above.
Figure 4 is a schematic flow chart of a communication method provided by an embodiment of the present application. The method 400 may be executed on the terminal device side, the network device side and the core network side: for example, by the terminal device, the network device and a core network element (such as a session management network element); or by a chip or circuit of the terminal device, the network device and the core network element (such as a session management network element); or by a logic module or software capable of realizing all or part of the functions of the communication apparatus. The present application does not limit this. The following description takes the terminal device, the network device and the session management network element as the executing entities. As shown in Figure 4, the method includes the following steps; for details not described here, refer to the above method 300 or existing protocols.
S410, during the session establishment procedure of the terminal device, the network device determines whether to activate integrity security protection of the session according to first information, where the first information is used to indicate whether the network device supports the store-and-forward operation (and may be referred to as capability information).
It should be understood that the session is used to transmit data between the terminal device and the core network. For example, if a session corresponds to one or more DRBs, the one or more items of data transmitted by the session can be carried by the one or more DRBs respectively; usually one DRB carries one item of data, and the DRB is used to carry data between the terminal device and the network device.
It should be noted that whether to activate integrity security protection of the session can be understood as whether to activate integrity security protection of the one or more DRBs corresponding to the session, or as whether integrity security protection is enabled for the data transmitted between the terminal device and the network device.
For the specific implementation of the session establishment procedure of the terminal device, and for the meaning of the store-and-forward operation (Store and Forward), refer to the relevant description of the above method 300; they are not repeated here.
Optionally, before step S410 is executed, the method further includes: the network device acquires the first information.
For example, the first information may be predefined, configured through signaling, or preconfigured. Predefined may mean defined in advance, for example defined by a protocol; preconfiguration may be implemented by storing in the network device in advance a corresponding code, table, character string or other means capable of indicating the first information. The present application does not limit the specific implementation.
Optionally, the first information may also be used to indicate whether the network device is configured to enable the store-and-forward operation (which may be referred to as configuration information), and/or whether the network device is deployed on a satellite (which may be referred to as location information). For ease of description, the present application may refer to a network device deployed on a satellite as a satellite base station, and to a network device not deployed on a satellite as a ground base station.
That is, the first information in the present application may include one or more of the capability information, the configuration information or the location information of the network device.
Below, the network device determining whether to activate integrity security protection of the session according to the first information (in other words, the satellite base station activating or not activating integrity security protection of the session according to the first information) is illustrated with one or more of the following examples.
(1) The network device determines whether to activate integrity security protection of the session according to the capability information; in other words, the network device activates or does not activate integrity security protection of the session according to the capability information.
For example, when the capability information indicates that the network device supports the store-and-forward operation, the network device determines to activate integrity security protection of the session; that is, it can activate integrity security protection of the session directly, without considering the integrity security policy. As another example, when the capability information indicates that the network device does not support the store-and-forward operation, the network device determines not to activate integrity security protection of the session. Optionally, the network device may determine whether to activate integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
That is, when the network device supports the store-and-forward operation, it activates integrity security protection of the session; when it does not support the store-and-forward operation, it does not activate integrity security protection of the session, or it may activate or not activate it according to the user plane integrity security policy.
(2) The network device determines whether to activate integrity security protection of the session according to the configuration information; in other words, the network device activates or does not activate integrity security protection of the session according to the configuration information.
For example, when the configuration information indicates that the network device is configured to enable the store-and-forward operation, the network device determines to activate integrity security protection of the session; that is, it can activate integrity security protection of the session directly, without considering the integrity security policy. As another example, when the configuration information indicates that the network device does not enable the store-and-forward operation, the network device determines not to activate integrity security protection of the session. Optionally, the network device may determine whether to activate integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
It can be understood that when the network device is configured to enable the store-and-forward operation, it activates integrity security protection of the session; when it is configured not to enable the store-and-forward operation, it does not activate integrity security protection of the session, or it may activate or not activate it according to the user plane integrity security policy.
(3) The network device determines whether to activate integrity security protection of the session according to the location information; in other words, the network device activates or does not activate integrity security protection of the session according to the location information.
For example, when the location information indicates that the network device is deployed on a satellite, that is, the network device is a satellite base station, the network device determines to activate integrity security protection of the session; that is, it can activate integrity security protection of the session directly, without considering the integrity security policy. As another example, when the location information indicates that the network device is not deployed on a satellite, for example the network device is a ground base station, the network device does not activate integrity security protection of the session, or it may determine whether to activate integrity security protection of the session according to the user plane integrity security policy obtained in step S403.
It can be understood that when the network device is deployed on a satellite, it activates integrity security protection of the session; when it is deployed on the ground, it does not activate integrity security protection of the session, or it may activate or not activate it according to the user plane integrity security policy.
It should be understood that in (1)-(3) above, the network device determines whether to activate integrity security protection of the session according to the first information; in other words, it activates or does not activate integrity security protection of the session according to the first information. The technical logic of (1)-(3) is the same: the network device may activate or not activate integrity security protection of the session according to the first information, without considering the user plane integrity security policy. This approach gives user plane data integrity security protection wherever possible, so that the network device can subsequently perform an integrity check on received uplink messages and/or data, which safeguards network communication security and reduces the risk of denial-of-service attacks.
Optionally, when determining whether to activate integrity security protection of the session, the network device may also consider the user plane integrity security policy corresponding to the session; that is, the network device may determine whether to activate integrity security protection of the session according to both the first information and the user plane integrity security policy. In that case the method further includes the following step S404.
S404, the network device determines whether to activate integrity security protection of the session according to the first information and the user plane integrity security policy.
The user plane integrity security policy is used to indicate whether to activate integrity security protection of the session; for its specific meaning, refer to the relevant description of step S410 above and of the above method 300.
Optionally, before step S404 is executed, the session management network element obtains the user plane integrity security policy of the session, for example as in the following step S403.
S403, the network device obtains the user plane integrity security policy corresponding to the session.
For example, the values of the user plane integrity security policy include required, preferred and not needed. When the value of the user plane integrity security policy is required, integrity security protection is enabled for the session; when the value is not needed, integrity security protection is not enabled for the session; when the value is preferred, integrity security protection may optionally be enabled for the session.
Optionally, the user plane integrity security policy may be indicated explicitly, for example using an independent information element (IE). For example, it may be indicated by 2-bit indication information, where "00" indicates that the value of the user plane integrity security policy is required, "01" indicates not needed and "10" indicates preferred; or "true" indicates that the value is required and "false" indicates that the value is not needed. The present application does not limit the form of expression.
In one implementation, the network device obtains the user plane integrity security policy corresponding to the session from the session management network element, for example as in the following step S402.
S402, the session management network element sends the user plane integrity security policy corresponding to the session to the network device; correspondingly, the network device receives the user plane integrity security policy corresponding to the session from the session management network element.
In one example, the session management network element sends the user plane integrity security policy to a mobile access management network element (for example, an AMF), which then sends the user plane integrity security policy to the network device.
Optionally, the session management network element may send the user plane integrity security policy corresponding to the session to the network device on its own initiative, or in response to a request from the network device. For example, the network device sends a request message to the session management network element to obtain the user plane integrity security policy corresponding to the session; correspondingly, after receiving the request message, the session management network element may send the user plane integrity security policy corresponding to the session to the network device.
Optionally, before step S402 is executed, the session management network element determines the user plane integrity security policy of the session; for example, the session management network element may determine the user plane integrity security policy of the session from acquired indication information, as in the following step S401.
S401, the session management network element obtains indication information.
The indication information is used to indicate that the network device is deployed on a satellite. Optionally, the indication information is also used to indicate that the network device supports the store-and-forward operation and/or that the network device is configured to enable the store-and-forward feature.
It should be understood that a network device being deployed on a satellite may mean that the network device (for example, a base station) is physically located on the satellite, or that the network device (for example, a base station) and the satellite are co-located. In this case the satellite has the capabilities of the network device; for example, the satellite supports the store-and-forward operation of the network device.
In one example, the session management network element receives the indication information from the mobile access management network element (for example, an AMF). For example, during the session establishment procedure of the terminal device, the mobile access management network element sends a session creation context request message to the session management network element, and that session creation context request message carries the indication information.
In another example, the session management network element obtains the indication information from Operation, Administration and Maintenance (OAM) or from the UDM. For example, the session management network element sends a query message to the OAM or UDM to obtain one or more of the capability information, location information or configuration information of the network device; correspondingly, the OAM or UDM sends the indication information to the session management network element. For the specific meaning of the capability information, location information and configuration information, refer to the relevant description above; it is not repeated here.
For example, the user plane integrity security policy corresponding to the session is determined according to the indication information; that is, the session management network element may determine the user plane integrity security policy corresponding to the session according to the indication information. For example, when the indication information indicates that the network device is deployed on a satellite, or supports the store-and-forward operation, or is configured to enable the store-and-forward feature, then, considering the limited storage resources of the network device and in order to avoid a potential DoS risk, the session management network element may set the value of the user plane integrity security policy to required. That is, the session management network element may determine, according to the indication information, to enable or activate integrity security protection, so that all data subsequently transmitted between the terminal device and the network device is integrity protected; in other words, all data transmitted between the terminal device and the network device must undergo an integrity check, and the data that passes the integrity check is then stored and forwarded.
Optionally, the user plane integrity security policy corresponding to the session may also be determined according to subscription information; that is, the session management network element may determine the user plane integrity security policy corresponding to the session according to the subscription information. The subscription information is used to indicate whether the terminal device has subscribed to the store-and-forward operation service. For example, if the subscription information indicates that the terminal device has subscribed to the store-and-forward operation service, the session management network element may set the value of the user plane integrity security policy corresponding to the session to required; that is, the session management network element may enable integrity security protection of the session according to the subscription information, so that all uplink and downlink data subsequently transmitted between the terminal device and the network device is integrity protected, meaning that the terminal device and the network device must perform an integrity check on received user plane data. As another example, if the subscription information indicates that the terminal device has not subscribed to the store-and-forward operation service, the session management network element may set the value of the user plane integrity security policy corresponding to the session to preferred; that is, the session management network element may determine, according to the subscription information, that integrity security protection of the session is optional, and the network device then determines, according to its local policy, whether to enable integrity security protection of the session.
Optionally, the user plane integrity security policy corresponding to the session may also be determined according to both the subscription information and the indication information; that is, the session management network element may determine the user plane integrity security policy corresponding to the session according to the indication information and the subscription information. For example, if the indication information indicates that the network device is deployed on a satellite, or supports the store-and-forward operation, or is configured to enable the store-and-forward feature, and at the same time the subscription information indicates that the terminal device has subscribed to the store-and-forward operation service, the session management network element may set the value of the user plane integrity security policy corresponding to the session to required, indicating that integrity security protection of the session is enabled. As another example, if the indication information indicates that the network device is not deployed on a satellite, or does not support the store-and-forward operation, or is configured not to enable the store-and-forward feature, and the subscription information indicates that the terminal device has not subscribed to the store-and-forward operation service, the session management network element may set the value of the user plane integrity security policy corresponding to the session to not needed, indicating that integrity security protection of the session is not enabled. As a further example, if the indication information indicates that the network device is not deployed on a satellite, or does not support the store-and-forward operation, or is configured not to enable the store-and-forward feature, or the subscription information indicates that the terminal device has not subscribed to the store-and-forward operation service, the session management network element may set the value of the user plane integrity security policy corresponding to the session to preferred, indicating that integrity security protection of the session is optional, and the network device then determines, according to its local policy, whether to enable integrity security protection of the session.
In one implementation, the session management network element may obtain the above subscription information from the UDM or PCF. For example, the session management network element sends a query message to the UDM or PCF to obtain the subscription information of the terminal device; correspondingly, the UDM or PCF sends the subscription information of the terminal device to the session management network element.
Optionally, the present application does not limit the order in which the session management network element obtains the above subscription information and indication information.
下面,针对上述步骤S404中网络设备根据第一信息和用户面完整性安全策略确定是否激活会话的完整性安全保护,或者说,卫星基站根据第一消息和用户面完整性安全策略激活或不激活会话的完整性安全保护进行示例说明,包括以下一项或多项。Below, an example is given of the network device determining whether to activate the integrity security protection of the session based on the first information and the user plane integrity security policy in the above step S404, or the satellite base station activating or not activating the integrity security protection of the session based on the first message and the user plane integrity security policy, including one or more of the following.
(1)网络设备根据能力信息和用户面完整性安全策略确定是否激活会话的完整性安全保护,或者说,网络设备根据能力信息和用户面完整性安全策略激活或不激活会话的完整性安全保护。(1) The network device determines whether to activate the integrity security protection of the session based on the capability information and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the capability information and the user plane integrity security policy.
For example, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is required or preferred, the network device determines to activate the integrity security protection of the session. For another example, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session; in this implementation, the network device's decision on whether to activate the integrity security protection of the session is governed mainly by the user plane integrity security policy. For yet another example, when the capability information indicates that the network device supports store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines to activate the integrity security protection of the session; in this implementation, the decision is governed mainly by whether the network device supports store-and-forward operations. For yet another example, when the capability information indicates that the network device does not support store-and-forward operations, the network device determines not to activate the integrity security protection of the session, regardless of whether the value of the user plane integrity security policy is required, preferred or not needed.
(2) The network device determines whether to activate the integrity security protection of the session based on the configuration information of the network device and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the configuration information of the network device and the user plane integrity security policy.
For example, when the configuration information indicates that the network device is configured to enable store-and-forward operations and the value of the user plane integrity security policy is required or preferred, the network device determines to activate the integrity security protection of the session. For another example, when the configuration information indicates that the network device is configured to enable store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session; in this implementation, the network device's decision on whether to activate the integrity security protection of the session is governed mainly by the user plane integrity security policy. For yet another example, when the configuration information indicates that the network device is configured to enable store-and-forward operations and the value of the user plane integrity security policy is not needed, the network device determines to activate the integrity security protection of the session; in this implementation, the decision is governed mainly by whether the network device is configured to enable store-and-forward operations. For yet another example, when the configuration information indicates that the network device is configured not to enable store-and-forward operations, the network device determines not to activate the integrity security protection of the session, regardless of whether the value of the user plane integrity security policy is required, preferred or not needed.
(3) The network device determines whether to activate the integrity security protection of the session based on the location information and the user plane integrity security policy. In other words, the network device activates or does not activate the integrity security protection of the session based on the location information and the user plane integrity security policy.
For example, when the location information indicates that the network device is deployed on a satellite (for example, the network device is a satellite base station) and the value of the user plane integrity security policy is required or preferred, the network device determines to activate the integrity security protection of the session. For another example, when the location information indicates that the network device is deployed on a satellite and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session; in this implementation, the network device's decision on whether to activate the integrity security protection of the session is governed mainly by the user plane integrity security policy. For yet another example, when the location information indicates that the network device is deployed on a satellite and the value of the user plane integrity security policy is not needed, the network device determines not to activate the integrity security protection of the session; in this implementation, the decision is governed mainly by the network device being a satellite base station. For yet another example, when the location information indicates that the network device is not deployed on a satellite (for example, the network device is a ground base station), the network device determines not to activate the integrity security protection of the session, regardless of whether the value of the user plane integrity security policy is required, preferred or not needed.
It should be understood that in the above (4)-(6), the network device determines whether to activate the integrity security protection of the session according to the first information and the user plane integrity security policy, or in other words, the network device activates or does not activate the integrity security protection of the session according to the first information and the user plane integrity security policy. The technical logic of the above (4)-(6) is the same: the network device activates the integrity security protection of the session to the greatest extent possible, which ensures that user plane data is integrity-protected to the greatest extent possible, so that the network device can subsequently perform integrity verification on received uplink messages and/or data, ensuring the security of network communication while reducing the risk of denial of service attacks.
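The decision logic of cases (1)-(3) above, followed by the 1-bit indication of step S420 and the per-DRB PDCP configuration, written out as an added example (not code from the patent). The `FirstInformation` model, the `override_not_needed` switch (selecting the variant in which store-and-forward capability takes precedence over a "not needed" policy, as in cases (1) and (2)) and the PDCP configuration dictionary are assumptions of this example.

```python
"""User plane integrity activation decision for a session, following the
step S404 cases (1)-(3). Added example; not code from the patent."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UpIpPolicy(Enum):
    """User plane integrity security policy values provided by the SMF."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class FirstInformation:
    """The 'first information' about the network device (constructed model).
    A field is None when that kind of information is not available."""
    supports_store_and_forward: Optional[bool] = None  # (1) capability information
    store_and_forward_enabled: Optional[bool] = None   # (2) configuration information
    deployed_on_satellite: Optional[bool] = None       # (3) location information


def decide_activation(info: FirstInformation, policy: UpIpPolicy,
                      override_not_needed: bool = False) -> bool:
    """Return True when the network device activates integrity protection.

    Rules common to cases (1)-(3):
      * a negative indication (no support, not configured, ground station)
        means no activation whatever the policy says;
      * a positive indication plus 'required' or 'preferred' activates;
      * a positive indication plus 'not needed' follows the policy, unless
        override_not_needed selects the variant in which the device's
        store-and-forward capability takes precedence over the policy.
    """
    indications = [v for v in (info.supports_store_and_forward,
                               info.store_and_forward_enabled,
                               info.deployed_on_satellite) if v is not None]
    if not indications:
        raise ValueError("no first information available for the decision")
    if not all(indications):
        return False
    if policy in (UpIpPolicy.REQUIRED, UpIpPolicy.PREFERRED):
        return True
    return override_not_needed


def first_indication_bit(activate: bool) -> int:
    """1-bit first integrity security protection indication (step S420)."""
    return 1 if activate else 0


def configure_pdcp(drb_ids, activate: bool, key: bytes, algorithm: str) -> dict:
    """Per-DRB PDCP configuration after the decision (assumed layout): with
    activation each DRB gets the integrity key and algorithm, uplink
    verification and downlink protection; without it nothing is configured."""
    cfg = {}
    for drb_id in drb_ids:
        if activate:
            cfg[drb_id] = {"integrity_key": key, "integrity_algorithm": algorithm,
                           "verify_uplink": True, "protect_downlink": True}
        else:
            cfg[drb_id] = {"integrity_key": None, "integrity_algorithm": None,
                           "verify_uplink": False, "protect_downlink": False}
    return cfg


if __name__ == "__main__":
    # Constructed sample devices: a store-and-forward satellite gNB and a ground gNB.
    sat = FirstInformation(supports_store_and_forward=True, deployed_on_satellite=True)
    ground = FirstInformation(deployed_on_satellite=False)
    for name, info in (("satellite", sat), ("ground", ground)):
        for policy in UpIpPolicy:
            for override in (False, True):
                act = decide_activation(info, policy, override)
                print(f"{name:9s} policy={policy.value:10s} override={override!s:5s} "
                      f"-> activate={act} indication_bit={first_indication_bit(act)}")
```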
It should be noted that the present application does not specifically limit the execution order of the above steps S401-S404. For example, steps S401-S404 may be executed before step S410, or steps S401-S404 may be executed after step S410, or steps S401-S403 may be executed before step S410 and step S404 completed after step S410, as long as steps S401-S404 are executed before the following step S420.
S420, the network device sends first integrity security protection indication information to the terminal device, and correspondingly, the terminal device receives the first integrity security protection indication information from the network device.
The first integrity security protection indication information is used to indicate an activation result. Exemplarily, the activation result indicates whether the integrity security protection of the session is activated, or in other words, whether the integrity security protection of the one or more DRBs corresponding to the session is activated. For example, the activation result is either that the integrity security protection of the session is activated or that it is not activated.
Optionally, the network device sends an RRC reconfiguration message to the terminal device, such as an RRC Reconfiguration message, and the RRC reconfiguration message carries the first integrity security protection indication information.
Optionally, the first integrity security protection indication information may be indicated explicitly, for example using a separate information element (IE). For example, it may be indicated by 1-bit indication information, where "1" indicates that the integrity security protection of the session is activated and "0" indicates that it is not activated; or "true" indicates that the integrity security protection of the session is activated and "false" indicates that it is not activated. The present application does not limit its form of representation.
In one implementation, the first integrity security protection indication information is determined based on the first information. For example, based on the above step S410, if the network device determines based on the first information to activate the integrity security protection of the session, the first integrity security protection indication information indicates activation of the integrity security protection of the session; if the network device determines based on the first information not to activate the integrity security protection of the session, the first integrity security protection indication information indicates that the integrity security protection of the session is not activated.
In another implementation, the first integrity security protection indication information is determined based on the first information and the user plane security protection policy. For example, based on the above step S404, if the network device determines based on the first information and the user plane security protection policy to activate the integrity security protection of the session, the first integrity security protection indication information indicates activation of the integrity security protection of the session; if the network device determines based on the first information and the user plane security protection policy not to activate the integrity security protection of the session, the first integrity security protection indication information indicates that the integrity security protection of the session is not activated.
Optionally, the size of the first integrity security protection indication information may be 1 bit. For example, a value of "1" indicates that the integrity security protection corresponding to the session is turned on, or in other words, that integrity security protection is turned on for the one or more DRBs corresponding to the session; that is, the one or more pieces of data carried on the one or more DRBs between the terminal device and the network device are integrity-protected, and the terminal device or the network device needs to perform an integrity check after receiving them. For another example, a value of "0" indicates that the integrity security protection corresponding to the session is not turned on, or in other words, that integrity security protection is not turned on for the one or more DRBs corresponding to the session; that is, the one or more pieces of data carried on the one or more DRBs between the terminal device and the network device are not integrity-protected, and the terminal device or the network device does not need to perform an integrity check after receiving them.
Optionally, after determining whether to activate the integrity security protection of the session, or after determining the first integrity security protection indication information, or after sending the first integrity security protection indication information to the terminal device, the network device may configure the PDCP entity of the one or more DRBs corresponding to the session. Exemplarily, if it is determined to activate the integrity security protection of the session, the network device configures the integrity security protection key and integrity security protection algorithm of the one or more DRBs in the PDCP entity, activates the integrity check of the uplink user plane messages and/or data carried by the one or more DRBs, and activates the integrity security protection of the downlink user plane messages and/or data carried by the one or more DRBs. If it is determined not to activate the integrity security protection of the session, the network device does not need to configure the integrity security protection key and integrity security protection algorithm of the one or more DRBs in the PDCP entity, and therefore does not need to activate the integrity check of the uplink user plane messages and/or data carried by the one or more DRBs, nor the integrity security protection of the downlink user plane messages and/or data carried by the one or more DRBs.
S430, the terminal device performs an integrity check on the first integrity security protection indication information.
Exemplarily, the terminal device may determine whether the integrity check passes by comparing MAC values. For the specific implementation, refer to the relevant description of the above method 300, which is not repeated here.
S440, when the integrity check passes, the terminal device determines whether to activate the integrity security protection of the session according to the first integrity security protection indication information.
That is, after the terminal device receives the first integrity security protection indication information, and once the integrity check of the first integrity security protection indication information passes, the terminal device can further determine whether to turn on the integrity security protection of the session. For example, if the first integrity security protection indication information indicates activation of the integrity security protection of the session, the terminal device turns on the integrity security protection of the session; that is, subsequent uplink messages and/or data sent by the terminal device to the network device are all integrity-protected, and subsequent uplink messages and/or data received by the terminal device from the network device are all integrity-checked. For another example, if the first integrity security protection indication information indicates that the integrity security protection of the session is not activated, the terminal device does not turn on the integrity security protection of the session; that is, subsequent uplink messages and/or data sent by the terminal device to the network device do not need to be integrity-protected, and subsequent uplink messages and/or data received by the terminal device from the network device do not need to be integrity-checked.
Optionally, when the integrity verification passes, after determining whether to activate the integrity security protection of the session, the terminal device may configure the PDCP entity of the one or more DRBs corresponding to the session. Exemplarily, if the first integrity security protection indication information indicates activation of the integrity security protection of the session, the terminal device configures the integrity security protection key and integrity security protection algorithm of the one or more DRBs corresponding to the session in the PDCP entity, activates the integrity security protection of the uplink user plane messages and/or data carried by the one or more DRBs, and activates the integrity check of the downlink user plane messages and/or data carried by the one or more DRBs. If the first integrity security protection indication information indicates that the integrity security protection of the session is not activated, the terminal device does not need to configure the integrity security protection key and integrity security protection algorithm of the one or more DRBs corresponding to the session in the PDCP entity, and therefore does not need to activate the integrity security protection of the uplink user plane messages and/or data carried by the one or more DRBs, nor the integrity check of the downlink user plane messages and/or data carried by the one or more DRBs.
Optionally, the terminal device may send a response message to the network device to indicate whether the terminal device has successfully activated the integrity security protection of the session. For example, if the terminal device successfully activates the integrity security protection of the session, the terminal device sends response message #1 to the network device to indicate that it has successfully activated the integrity security protection of the session. Optionally, if the first integrity security protection indication information of the above step S420 is carried in the RRC reconfiguration message, the terminal device may send an RRC reconfiguration complete message to the network device to indicate that it has successfully activated the integrity security protection of the session, or in other words, that it has successfully configured the PDCP entity of the one or more DRBs corresponding to the session. For another example, if the terminal device does not successfully activate the integrity security protection of the session, the terminal device sends response message #2 to the network device to indicate that it has not successfully activated the integrity security protection of the session. Optionally, response message #2 may carry a failure cause value; for example, the failure cause value may indicate that the verification of the first integrity security protection indication information has failed.
Optionally, in the scenario where the connection between the network device and the ground core network is disconnected, the network device performs an integrity check on the received uplink messages and/or data, stores the uplink data if the integrity check passes, and does not store or discards the uplink data if the integrity check fails. This ensures the security of network communications while reducing the risk of DoS attacks. For the specific implementation, refer to the relevant description of the following method 500; it is not explained here.
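The terminal-side handling of steps S430 and S440 (verify the indication first, act on it and answer with success or a failure cause only afterwards), together with the store-only-if-verified rule for uplink data described in the paragraph above, as an added example that is not code from the patent. It assumes an HMAC-SHA256 tag truncated to 32 bits in place of the NR MAC-I algorithms, and a constructed one-byte-per-DRB encoding of the indication inside the RRC reconfiguration message.

```python
"""UE handling of the first integrity security protection indication and
base-station store-and-forward gating on the uplink integrity check.
Added example; not code from the patent. The MAC is an HMAC-SHA256
stand-in (assumption) and all encodings are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MAC_LEN = 4          # 32-bit MAC, the size of a PDCP MAC-I
DOWNLINK, UPLINK = 1, 0


def compute_mac(key: bytes, count: int, bearer: int, direction: int, payload: bytes) -> bytes:
    """MAC over (COUNT, BEARER, DIRECTION, payload); HMAC stand-in (assumption)."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, count: int, bearer: int, direction: int, payload: bytes) -> bytes:
    """Sender side: append the MAC to the payload."""
    return payload + compute_mac(key, count, bearer, direction, payload)


def verify(key: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> Optional[bytes]:
    """Receiver side: return the payload if the MAC checks, otherwise None."""
    if len(pdu) < MAC_LEN:
        return None
    payload, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    expected = compute_mac(key, count, bearer, direction, payload)
    return payload if hmac.compare_digest(mac, expected) else None


def encode_indication(drb_flags: dict) -> bytes:
    """Constructed RRC reconfiguration body: one byte per DRB holding
    (DRB ID << 1) | integrity-protection bit ("1" = activate, "0" = not)."""
    return bytes((drb_id << 1) | (1 if on else 0) for drb_id, on in sorted(drb_flags.items()))


@dataclass
class UeResponse:
    success: bool                          # True -> RRC reconfiguration complete (response #1)
    failure_cause: Optional[str] = None    # set on response #2


def ue_handle_reconfiguration(rrc_key: bytes, count: int, srb: int, pdu: bytes,
                              pdcp: dict) -> UeResponse:
    """S430: check the message integrity first; S440: only if that passes,
    apply the indication and configure the PDCP entity of each DRB."""
    body = verify(rrc_key, count, srb, DOWNLINK, pdu)
    if body is None:
        # Nothing is configured; the failure cause reports the failed check.
        return UeResponse(False, "integrity check of first indication information failed")
    for byte in body:
        drb_id, activate = byte >> 1, bool(byte & 1)
        pdcp[drb_id] = {"integrity": activate,
                        "protect_uplink": activate, "verify_downlink": activate}
    return UeResponse(True)


def gnb_store_uplink(up_key: bytes, pdcp: dict, count: int, drb_id: int,
                     pdu: bytes, store: list) -> bool:
    """While the feeder link is down, store an uplink PDU only if its
    integrity check passes (DRBs without integrity protection are stored
    unchecked, as no check is configured for them); otherwise discard it.
    Returns True if the PDU was stored."""
    cfg = pdcp.get(drb_id)
    if cfg is None:
        return False                      # unknown DRB: discard
    if not cfg["integrity"]:
        store.append((drb_id, pdu))
        return True
    payload = verify(up_key, count, drb_id, UPLINK, pdu)
    if payload is None:
        return False                      # failed check: not stored
    store.append((drb_id, payload))
    return True


if __name__ == "__main__":
    rrc_key, up_key = b"constructed-rrc-key", b"constructed-up-key"
    ue_pdcp: dict = {}
    msg = protect(rrc_key, 7, 1, DOWNLINK, encode_indication({1: True, 2: False}))
    print("UE:", ue_handle_reconfiguration(rrc_key, 7, 1, msg, ue_pdcp), ue_pdcp)
    tampered = bytes([msg[0] ^ 0x01]) + msg[1:]   # flip DRB 1's indication bit
    print("UE (tampered):", ue_handle_reconfiguration(rrc_key, 7, 1, tampered, {}))
    store: list = []
    good = protect(up_key, 3, 1, UPLINK, b"payload")
    print("stored good:", gnb_store_uplink(up_key, ue_pdcp, 3, 1, good, store))
    bad = good[:-1] + bytes([good[-1] ^ 0xFF])
    print("stored bad:", gnb_store_uplink(up_key, ue_pdcp, 3, 1, bad, store), store)
```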
It should be noted that the above method 300 is described using user plane integrity security protection, the user plane integrity security policy, and integrity verification as examples; these are given only for ease of understanding and do not limit the technical solution of the present application. Optionally, the technical solution of the present application is equally applicable to user plane confidentiality security protection, a user plane confidentiality security policy, or decryption operations, etc. For the specific implementation, refer to the above related description, which is not repeated here.
In the solution provided above, the network device determines whether to activate the integrity security protection of the session based on the first information, and may additionally consider the user plane integrity security policy and/or the local policy of the network device, turning on or activating the integrity security protection of the session wherever possible. As a result, the user plane data received by the network device is integrity-protected to the greatest extent possible, so that in the scenario where the feeder link is disconnected, only user plane data that has passed the integrity check is stored. This not only mitigates the potential risk of denial of service (DoS) attacks but also ensures the security of network communications.
FIG. 5 is a schematic flowchart of a communication method 500 provided in an embodiment of the present application. As shown in FIG. 5, the interacting entities are the terminal device as a UE, the network device as a base station, and the core network element as an AMF or SMF. For convenience of description, the present application may refer to a base station deployed on a satellite as a satellite base station, and to a base station not deployed on a satellite, for example a base station deployed on the ground, as a ground base station. This method can be regarded as a further refinement of the above method 400. It should be understood that the embodiment shown in FIG. 5 and the embodiment shown in FIG. 4 can be coupled with each other and can be used as references for each other; therefore the relevant description in the above method 400 also applies to this implementation, the two may share the same or similar technical means, and content already described in the embodiment of FIG. 4 is not repeated. The method includes the following steps; for parts not described in detail, refer to the above method 400 or existing protocols.
S501, the UE registers with the network.
Optionally, the embodiment of the present application does not limit the number of UEs registered with the same network. It should be understood that in the scenario where multiple UEs are registered with the network, the process by which each UE establishes a session, and the specific implementation of activating or not activating the user plane integrity security protection of that session, are similar. For ease of description, this implementation is described using the example of one UE registering with the network, establishing a session, and determining whether to activate the user plane integrity security protection of the session.
S502, the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
One session may correspond to one or more DRBs. It should be understood that the session is used to transmit data between the UE and the core network; for example, one session is used to transmit one or more pieces of data, which may be carried respectively by the one or more DRBs, and usually one DRB carries one piece of data.
S503, the AMF sends a session create context request message to the SMF, and correspondingly, the SMF receives the session create context request message from the AMF.
S504, the SMF sends a session create context response message to the AMF, and correspondingly, the AMF receives the session create context response message from the SMF.
S505, the AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
For the specific implementation of the above steps S501 to S505, refer to the relevant description of the above method 300.
S506, the satellite base station determines whether to activate the integrity security protection of the session according to the first information. In other words, the satellite base station activates or does not activate the integrity security protection of the session according to the first information.
It should be understood that whether to activate the integrity security protection of the session can be understood as whether to activate the integrity security protection of the one or more DRBs corresponding to the session, or as whether integrity security protection is turned on for the data transmitted between the terminal device and the network device.
Optionally, before executing step S506, the satellite base station obtains the first information; for example, the first information includes one or more of the capability information, configuration information, or location information of the network device. For the specific implementation of obtaining the first information and the meaning of the first information, refer to the relevant description of step S410 of the above method 400.
Below, examples are given of how the satellite base station determines whether to activate the integrity security protection of the session according to the first information, or in other words, how the satellite base station activates or does not activate the integrity security protection of the session according to the first information. The examples include one or more of the following; for the specific implementation, refer to the relevant description of the above method 400.
(1) The satellite base station determines whether to activate the integrity security protection of the session according to the capability information. In other words, the satellite base station determines to activate or not activate the integrity security protection of the session according to the capability information.
(2) The satellite base station determines whether to activate the integrity security protection of the session according to the configuration information. In other words, the satellite base station activates or does not activate the integrity security protection of the session according to the configuration information.
(3) The base station determines whether to activate the integrity security protection of the session according to the location information. In other words, the base station activates or does not activate the integrity security protection of the session according to the location information.
Optionally, the satellite base station may determine whether to activate the integrity security protection of the session based on the first information and the user plane integrity security policy carried in the above step S505. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the first information and the user plane integrity security policy. Examples include one or more of the following; for the specific implementation, refer to the relevant description of step S404 of the above method 400.
(1)卫星基站根据能力信息和用户面完整性安全策略确定是否激活会话的完整性安全保护,或者说,卫星基站根据能力信息和用户面完整性安全策略激活或不激活会话的完整性安全保护。(1) The satellite base station determines whether to activate the integrity security protection of the session based on the capability information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the capability information and the user plane integrity security policy.
(2)卫星基站根据配置信息和用户面完整性安全策略确定是否激活会话的完整性安全保护,或者说,卫星基站根据基站的配置信息和用户面完整性安全策略激活或不激活会话的完整性安全保护。(2) The satellite base station determines whether to activate the integrity security protection of the session based on the configuration information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the configuration information of the base station and the user plane integrity security policy.
(3)基站根据位置信息和用户面完整性安全策略确定是否激活会话的完整性安全保护,或者说,卫星基站根据位置信息和用户面完整性安全策略激活或不激活会话的完整性安全保护。(3) The base station determines whether to activate the integrity security protection of the session based on the location information and the user plane integrity security policy. In other words, the satellite base station activates or does not activate the integrity security protection of the session based on the location information and the user plane integrity security policy.
S507: The satellite base station sends an RRC reconfiguration message to the UE; correspondingly, the UE receives the RRC reconfiguration message from the satellite base station.
Exemplarily, the RRC reconfiguration message may be an RRC Reconfiguration message.
The RRC reconfiguration message includes one or more DRB identifiers (for example, DRB IDs) corresponding to the session and an integrity security protection indication for those DRBs. The indication tells the UE whether integrity security protection is enabled on the one or more DRBs, that is, whether integrity security protection needs to be activated for them.
In addition, the RRC reconfiguration message may also carry the session accept message of step S505.
S508: The UE performs an integrity check on the RRC reconfiguration message.
Optionally, if the integrity check passes, the UE configures the PDCP entities of the one or more DRBs.
S509: The UE sends an RRC reconfiguration complete message to the satellite base station; correspondingly, the satellite base station receives the RRC reconfiguration complete message from the UE.
Exemplarily, the RRC reconfiguration complete message may be an RRC Reconfiguration Complete message.
S510: The satellite base station sends a session resource setup response message to the AMF; correspondingly, the AMF receives the session resource setup response message from the satellite base station.
For the specific implementation of steps S509 to S510, see the description of method 300 above.
Steps S511 to S514 below address the scenario in which the connection between the satellite base station and the ground core network is lost. The satellite base station performs an integrity check on the uplink data it receives in order to decide whether to store it; this keeps network communication secure while reducing the risk of a DoS attack, since an attacker cannot fill the on-board store-and-forward buffer with forged packets that the satellite would otherwise hold until the feeder link returns.
S511: The connection between the satellite base station and the ground core network is lost, for example the feeder link is disconnected.
Exemplarily, the triggering conditions for feeder link disconnection include one or more of the following:
(1) the satellite base station moves to the side facing away from the ground gateway station, so that the ground gateway station can no longer receive the signal transmitted by the satellite base station;
(2) the communication conditions between the satellite base station and the ground gateway station deteriorate, for example because of severe weather or because the signal quality falls below a threshold;
(3) other conditions.
S512: The UE sends uplink data to the satellite base station; correspondingly, the satellite base station receives the uplink data from the UE.
Note that if the integrity security protection indication carried in the RRC reconfiguration message of step S507 indicates that integrity security protection is enabled for the one or more DRBs of the session, the UE must apply integrity security protection to the uplink data before sending it; if the indication says that integrity security protection is not enabled for those DRBs, the UE sends the uplink data without applying integrity security protection.
S513: The satellite base station performs an integrity check on the uplink data.
Exemplarily, the triggering conditions for the satellite base station to perform the integrity check on uplink data include one or more of the following:
(1) the satellite base station supports store-and-forward operation and the feeder link is disconnected;
(2) the satellite base station has enabled store-and-forward operation and the feeder link is disconnected.
Optionally, the triggering conditions may also include:
(3) the load of the satellite base station exceeds a first threshold; the first threshold may be predefined (for example by a protocol), or configured or preconfigured, which the present application does not limit.
The integrity check may be implemented in any of the following ways:
(1) the satellite base station performs the integrity check on all received uplink data;
(2) the satellite base station decides per session whether to perform the integrity check on received uplink data.
Exemplarily, if the satellite base station determined in step S506 to activate user plane integrity security protection for the session, it must perform the integrity check on every unit of uplink data received on the one or more DRBs of that session; if it determined in step S506 not to activate user plane integrity security protection for the session, it does not perform the integrity check on uplink data received on those DRBs and may, optionally, discard that data directly.
(3) the satellite base station decides per DRB whether to perform the integrity check on received uplink data.
Exemplarily, if the satellite base station determined in step S506 that user plane integrity security protection for the session is optional, it may further decide according to local policy, such as its own load, whether to activate user plane integrity security protection on each of the one or more DRBs. Suppose the session corresponds to two DRBs, DRB#1 and DRB#2, and the first information and/or the user plane integrity security policy indicate that user plane integrity security protection for the session is optional. If the satellite base station decides, based on its load, to enable user plane integrity security protection on DRB#1 but not on DRB#2, then it must perform the integrity check on uplink data #1 received on DRB#1, while it does not perform the integrity check on uplink data #2 received on DRB#2; optionally, it may discard uplink data #2 directly.
For the MAC value calculation and comparison involved in the integrity check, see the description of method 300 above, not repeated here.
S514: The satellite base station determines, according to the check result, whether to store the uplink data.
The check result indicates whether the integrity check of the received uplink data in step S513 passed: either the check succeeded (passed) or the check failed (not passed).
Exemplarily, the satellite base station stores uplink data that passes the integrity check, and does not store (that is, discards) uplink data that carries no integrity security protection or that fails the integrity check.
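The store-and-forward filter of steps S511 to S514, as an added Python example that is not part of the patent text: a satellite gNB whose feeder link is down keeps only uplink PDUs whose MAC-I verifies and drops unprotected, tampered or replayed ones. The 32-bit MAC-I here is HMAC-SHA256 truncated to 4 bytes, a stand-in for the 3GPP NIA1/NIA2/NIA3 algorithms; the PDU layout (payload followed by MAC-I, no PDCP header), the keys, bearer ids and traffic are all constructed for the example.

```python
"""Added example, not from the patent: uplink store-and-forward filter for the
feeder-link-down case (S511-S514).

Assumptions (mine): MAC-I = HMAC-SHA256 truncated to 4 bytes as a stand-in for
the NIA algorithms; a PDU is simplified to payload || MAC-I; keys, bearer ids
and packets are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAC_LEN = 4      # NR user-plane MAC-I is 32 bits
DIR_UPLINK = 0   # 3GPP DIRECTION bit: 0 = uplink, 1 = downlink


def mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for NIA with the same input set (KEY, COUNT, BEARER, DIRECTION, MESSAGE)."""
    header = count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])
    return hmac.new(key, header + message, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class DrbConfig:
    drb_id: int
    integrity_active: bool          # decided at S506 / carried in the S507 indication
    key: Optional[bytes] = None


def ue_build_pdu(cfg: DrbConfig, count: int, payload: bytes) -> bytes:
    """UE side (S512): append a MAC-I only if the DRB has integrity protection on."""
    if not cfg.integrity_active:
        return payload
    return payload + mac_i(cfg.key, count, cfg.drb_id, DIR_UPLINK, payload)


@dataclass
class SatelliteGnb:
    drbs: Dict[int, DrbConfig]
    store_forward: bool = True
    feeder_link_up: bool = True
    load: float = 0.0
    load_threshold: float = 0.8
    stored: List[Tuple[int, int, bytes]] = field(default_factory=list)
    dropped: List[Tuple[int, int, str]] = field(default_factory=list)

    def verification_triggered(self) -> bool:
        # S513 trigger conditions: store-and-forward with the feeder link down,
        # or load above the first threshold.
        return (self.store_forward and not self.feeder_link_up) or self.load > self.load_threshold

    def receive_uplink(self, drb_id: int, count: int, pdu: bytes) -> bool:
        """True if the PDU is accepted (forwarded or stored), False if dropped."""
        cfg = self.drbs.get(drb_id)
        if cfg is None:
            self.dropped.append((drb_id, count, "unknown DRB"))
            return False
        if not self.verification_triggered():
            return True  # feeder link up: forwarded to the core network, nothing buffered
        if not cfg.integrity_active:
            # S514: data that carries no integrity protection cannot be verified, so it is not stored.
            self.dropped.append((drb_id, count, "no integrity protection"))
            return False
        if len(pdu) < MAC_LEN:
            self.dropped.append((drb_id, count, "truncated PDU"))
            return False
        payload, received = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        expected = mac_i(cfg.key, count, drb_id, DIR_UPLINK, payload)
        if not hmac.compare_digest(received, expected):
            self.dropped.append((drb_id, count, "MAC-I mismatch"))
            return False
        self.stored.append((drb_id, count, payload))
        return True


def demo() -> Tuple[int, List[str]]:
    """Constructed traffic while the feeder link is down; returns (#stored, drop reasons)."""
    drb1 = DrbConfig(1, True, b"\x11" * 16)   # integrity protection activated
    drb2 = DrbConfig(2, False)                 # integrity protection not activated
    gnb = SatelliteGnb({1: drb1, 2: drb2}, feeder_link_up=False)

    good = ue_build_pdu(drb1, 0, b"telemetry-0")
    gnb.receive_uplink(1, 0, good)                         # genuine: stored
    tampered = bytes([good[0] ^ 0x01]) + good[1:]
    gnb.receive_uplink(1, 1, tampered)                      # payload modified in flight
    gnb.receive_uplink(1, 7, good)                          # replay under a different COUNT
    gnb.receive_uplink(2, 0, ue_build_pdu(drb2, 0, b"x"))   # DRB without integrity protection
    return len(gnb.stored), [reason for _, _, reason in gnb.dropped]
```

Binding COUNT and BEARER into the MAC input is what makes the replayed PDU fail even though its bytes are authentic; a filter that only checked the MAC over the payload would happily buffer replays until the feeder link returned.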
Based on the above solution, the satellite base station determines whether to activate integrity security protection for the session from one or more of the user plane integrity security policy, the local policy, and the capability, configuration or location information of the satellite base station, enabling session integrity security protection wherever possible so that as much as possible of the user plane data it receives is integrity protected. When the feeder link is disconnected, the satellite base station then stores only data that passes the integrity check, which mitigates the potential DoS risk and keeps network communication secure.
It should be understood that in Figures 4 and 5 above, the satellite base station activates integrity security protection for the session to the greatest extent possible according to the first information during the terminal device's session establishment, mitigating the potential DoS risk while keeping network communication secure. In contrast, in the solutions of Figures 6 and 7 below, when the feeder link is disconnected the satellite base station and the UE either release the sessions and/or DRBs whose integrity security protection is not activated, or change the integrity security protection state of those sessions and/or DRBs to activated, which reduces the processing load on the UE and the satellite base station, avoids the potential DoS risk and keeps network communication secure.
FIG. 6 is a schematic flow chart of a communication method provided by an embodiment of the present application. Method 600 may be performed by a terminal device, a network device and a core network element (for example a session management network element), or by chips or circuits of those devices, or by a logic module or software capable of implementing all or part of the functions of the communication apparatus; the present application places no limit on this. The description below takes the terminal device, the network device and the session management network element as the executing entities. As shown in FIG. 6, the method includes the following steps; for details not described here, refer to methods 300 to 500 above or to existing protocols.
S610: The network device obtains the user plane integrity security policy corresponding to the session.
The user plane integrity security policy indicates whether integrity security protection is to be activated for the session, in other words whether the data transmitted over the session needs integrity security protection. For the values of the user plane integrity security policy, their meaning and their representation, see the description of method 300 or 400 above, not repeated here.
In one implementation, the network device obtains the session's user plane integrity security policy from the session management network element; see step S602 below.
S602: The session management network element sends the user plane integrity security policy corresponding to the session to the network device; correspondingly, the network device receives the user plane integrity security policy corresponding to the session from the session management network element.
For the specific implementation, see the description of step S402 of method 400 above, not repeated here.
Optionally, before performing step S602, the session management network element determines the user plane integrity security policy of the session, for example from indication information it has obtained; see step S601 below.
S601: The session management network element obtains the indication information.
For the meaning of the indication information and how it is obtained, see the description of step S402 of method 400 above, not repeated here.
In a first implementation, the session management network element determines the session's user plane integrity security policy according to the indication information.
In a second implementation, the session management network element enables integrity security protection for the session according to the subscription information of the terminal device.
In a third implementation, the session management network element determines the session's user plane integrity security policy according to both the indication information and the subscription information of the terminal device.
For the meaning of the subscription information, how it is obtained, and examples of the three implementations above, see the description of step S401 of method 400.
S620: The network device determines first integrity security protection indication information according to the user plane integrity security policy.
The first integrity security protection indication information indicates whether to activate integrity security protection for the first DRB, that is, whether to enable integrity security protection for the session. The first DRB corresponds to the session of step S610. It should be understood that the session carries data between the terminal device and the core network, while the first DRB carries data between the terminal device and the network device.
Exemplarily, the user plane integrity security policy takes one of the values required, preferred or not needed. When the value is required, the network device sets the first integrity security protection indication information to indicate that the session enables integrity security protection; when the value is not needed, to indicate that the session does not enable integrity security protection; and when the value is preferred, to indicate that the session may optionally enable integrity security protection. For the specific implementation, see the description of method 300 above.
Optionally, the present application does not limit the representation of the first integrity security protection indication information; see the description of step S420 of method 400 above.
S621: The network device activates or does not activate integrity security protection for the first DRB according to the first integrity security protection indication information.
Exemplarily, when the first integrity security protection indication information indicates that the session enables integrity security protection, the network device activates integrity security protection for the first DRB; when it indicates that the session does not enable integrity security protection, the network device does not activate integrity security protection for the first DRB; and when it indicates that the session may optionally enable integrity security protection, the network device may activate integrity security protection for the first DRB according to local policy. For the specific implementation, see the description of method 300 above.
Activating integrity security protection for the first DRB means that the network device configures the PDCP entity of the first DRB, configures the integrity security protection key and the integrity security protection algorithm of the first DRB in that PDCP entity, activates integrity verification of the uplink user plane messages and/or data carried by the first DRB, and activates integrity security protection of the downlink user plane messages and/or data carried by the first DRB. Not activating integrity security protection for the first DRB means that the network device configures the PDCP entity of the first DRB but does not configure an integrity security protection key or algorithm in it, does not activate integrity verification of the uplink user plane messages and/or data carried by the first DRB, and does not activate integrity security protection of the downlink user plane messages and/or data carried by the first DRB.
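The mapping from policy value to indication (S620), from indication to per-DRB activation and PDCP configuration (S621), and the per-DRB local-policy decision for the preferred case that method 500 illustrates with DRB#1 and DRB#2, as an added Python example that is not part of the patent text. The reduction of the first information to three booleans, the load-budget local policy (protect every DRB below the load threshold, only the first DRB above it), and the placeholder algorithm name NIA2 are assumptions of the example, not the patent's.

```python
"""Added example, not from the patent: policy -> indication -> per-DRB activation
-> PDCP entity configuration (S620/S621 and the method 500 DRB-granularity case).

Assumptions (mine): the 'first information' is three booleans; the local policy
for the 'preferred' case is a load budget; 'NIA2' is a placeholder algorithm name.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class UpIpPolicy(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


class IpIndication(Enum):
    ON = "on"              # session shall enable integrity protection
    OFF = "off"            # session shall not
    OPTIONAL = "optional"  # network device decides per local policy


@dataclass
class FirstInfo:
    """Assumed encoding of capability / configuration / location information."""
    supports_up_integrity: bool       # capability information
    config_enables_integrity: bool    # configuration information
    location_favours_integrity: bool  # location information, derived elsewhere (method 400)


@dataclass
class PdcpEntity:
    drb_id: int
    integrity_key: Optional[bytes] = None
    integrity_algorithm: Optional[str] = None
    ul_integrity_check: bool = False
    dl_integrity_protect: bool = False


def indication_from_policy(policy: UpIpPolicy) -> IpIndication:
    """S620: required -> on, not needed -> off, preferred -> optional."""
    return {
        UpIpPolicy.REQUIRED: IpIndication.ON,
        UpIpPolicy.NOT_NEEDED: IpIndication.OFF,
        UpIpPolicy.PREFERRED: IpIndication.OPTIONAL,
    }[policy]


def decide_drb_activation(indication: IpIndication, drb_ids: List[int], info: FirstInfo,
                          load: float, load_threshold: float = 0.8) -> Dict[int, bool]:
    """S621: per-DRB activation decision. Returns drb_id -> integrity activated."""
    if indication is IpIndication.ON:
        return {d: True for d in drb_ids}
    if indication is IpIndication.OFF:
        return {d: False for d in drb_ids}
    # OPTIONAL: the first information gates the decision, the local load budgets it.
    if not info.supports_up_integrity:
        return {d: False for d in drb_ids}
    if not (info.config_enables_integrity or info.location_favours_integrity):
        return {d: False for d in drb_ids}
    if load <= load_threshold:
        return {d: True for d in drb_ids}
    # Above the threshold: protect only the first DRB (assumed local policy),
    # the DRB#1-on / DRB#2-off split the text describes.
    return {d: (i == 0) for i, d in enumerate(drb_ids)}


def configure_pdcp(activation: Dict[int, bool],
                   key_for_drb: Callable[[int], bytes]) -> Dict[int, PdcpEntity]:
    """What 'activate' and 'not activate' mean for the PDCP entity of each DRB."""
    entities: Dict[int, PdcpEntity] = {}
    for drb_id, active in activation.items():
        ent = PdcpEntity(drb_id)
        if active:
            ent.integrity_key = key_for_drb(drb_id)
            ent.integrity_algorithm = "NIA2"   # placeholder for the negotiated algorithm
            ent.ul_integrity_check = True      # verify MAC-I on uplink PDUs
            ent.dl_integrity_protect = True    # attach MAC-I to downlink PDUs
        entities[drb_id] = ent
    return entities
```

The point of separating the indication from the activation is that only the OPTIONAL branch consults the first information and the load; a required policy must never be downgraded because the satellite is busy.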
S630: When the first link is disconnected, the network device determines, according to whether integrity security protection of the first DRB is activated, whether to release the first DRB, or alternatively whether to modify the integrity security protection state of the first DRB.
Exemplarily, when integrity security protection of the first DRB is activated (enabled), the network device determines that the session and/or the first DRB need not be released.
Exemplarily, when integrity security protection of the first DRB is not activated (not enabled), the network device determines to release the session and/or the first DRB.
Exemplarily, when integrity security protection of the first DRB is activated (enabled), the network device determines that the integrity security protection state of the session and/or the first DRB need not be modified, since it is already in the activated state.
Exemplarily, when integrity security protection of the first DRB is not activated (not enabled), the network device determines to modify the integrity security protection state of the session and/or the first DRB from the non-activated state to the activated state.
The first link is the link between the network device and the core network; for example, the first link may be a feeder link. For the triggering conditions of first link disconnection, see the description of step S511 of method 500 above, not repeated here.
Optionally, when the first link is disconnected, the network device may instead base the decision on the first integrity security protection indication information: it determines according to that indication whether to release the first DRB, or whether to modify the integrity security protection state of the first DRB.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is not to be activated (enabled), the network device determines to release the session and/or the first DRB.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is to be activated (enabled), the network device determines not to release the session and/or the first DRB.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is not to be activated (enabled), the network device determines to modify the integrity security protection state of the session and/or the first DRB to the activated state.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is to be activated (enabled), the network device determines to keep the integrity security protection state of the session and/or the first DRB in the activated state.
For the network device releasing a session and/or first DRB whose integrity security protection is not activated or only optionally activated, or modifying the integrity security protection state of the session and/or first DRB to the activated state, the corresponding triggering conditions may include one or more of the following:
(1) the network device supports store-and-forward operation and the feeder link is disconnected;
(2) the network device has enabled store-and-forward operation and the feeder link is disconnected;
(3) the load of the network device exceeds a first threshold; the first threshold may be predefined (for example by a protocol), or configured or preconfigured, which the present application does not limit;
(4) the user plane integrity security policy obtained by the network device (for example, the satellite base station) has the value preferred.
Optionally, the network device may store the identifier of the session and/or the first DRB, and/or record that the integrity security protection state of the session and/or the first DRB before modification was the non-activated state, so that the session and/or the first DRB and its pre-modification integrity security protection state can later be restored selectively.
Optionally, the present application does not limit when the network device stores the identifier of the session and/or the first DRB, and/or records that the pre-modification integrity security protection state of the session and/or the first DRB was non-activated. For example, the network device may do so after sending the first message to the terminal device, that is, after step S640, and/or before sending the second message to the terminal device; for the specific implementation, see the description of step S660 below, not described here.
S640: The network device sends a first message to the terminal device; correspondingly, the terminal device receives the first message from the network device.
The first message indicates the release result or the modification result for the session and/or the first DRB. Optionally, the first message may be an RRC reconfiguration message, for example an RRC Reconfiguration message.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is not activated, the release result indicates that the session and/or the first DRB is released.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is activated, the release result indicates that the session and/or the first DRB is not released.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is not activated, the modification result indicates that the integrity security protection state of the session and/or the first DRB is modified to the activated state.
Exemplarily, when the first integrity security protection indication information indicates that integrity security protection of the first DRB is activated, the modification result indicates that the integrity security protection state of the first DRB is kept in the activated state.
S650: The terminal device performs an integrity check on the first message.
Exemplarily, the terminal device determines whether the integrity check passes by comparing MAC values; for the specific implementation, see the description of method 300 above, not repeated here.
S660: If the integrity check passes, the terminal device determines according to the release result whether to release the first DRB, or according to the modification result whether to modify the integrity security protection state of the first DRB.
That is, after receiving the first message, and only once the integrity check of the first message passes, the terminal device goes on to determine whether to release the session and/or the first DRB, or whether to modify the integrity security protection state of the session and/or the first DRB. A first message that fails the check is not acted upon, since acting on an unverified release or reconfiguration instruction would let an attacker tear down or alter the bearer.
For example, if the first message indicates that the first DRB is released, the terminal device releases the session and/or the first DRB and can thereafter neither send uplink data nor receive downlink data over the session and/or the first DRB; if the first message indicates that the first DRB is not released, the terminal device keeps the session and/or the first DRB and can continue to send uplink data and receive downlink data over them. In that case, whether integrity security protection is enabled for the session and/or the first DRB still depends on the user plane integrity security policy; for the specific implementation, see the description of method 300 above.
For example, if the first message indicates that the integrity security protection state of the first DRB is modified to the activated state, the terminal device modifies the integrity security protection state of the session and/or the first DRB to the activated state; if the first message indicates that the integrity security protection state of the first DRB is kept activated, the terminal device need not modify the integrity security protection state of the session and/or the first DRB. The terminal device can thereafter send uplink data and receive downlink data over the session and/or the first DRB; note that all uplink and downlink data carried on the first DRB is then integrity protected and must pass the integrity check.
可选地,在完整性验证通过的情况下,终端设备可以重配置所述第一DRB的PDCP实体。示例性地,如果第一消息指示释放第一DRB,则终端设备删除所述第一DRB的PDCP实体,包括删除所述第一DRB的完整性安全保护密钥和完整性安全保护算法;如果第一消息指示修改第一DRB的完整性安全保护状态为激活态,则终端设备在所述第一DRB对应的PDCP实体中配置完整性安全保护密钥和完整性安全保护算法,也就意味着需要激活所述第一DRB承载的上行用户面消息和/或数据的完整性安全保护,以及激活所述第一DRB承载的下行用户面消息和/或数据的完整性校验。Optionally, if the integrity verification passes, the terminal device can reconfigure the PDCP entity of the first DRB. Exemplarily, if the first message indicates the release of the first DRB, the terminal device deletes the PDCP entity of the first DRB, including deleting the integrity security protection key and integrity security protection algorithm of the first DRB; if the first message indicates to modify the integrity security protection state of the first DRB to an activated state, the terminal device configures the integrity security protection key and integrity security protection algorithm in the PDCP entity corresponding to the first DRB, which means that it is necessary to activate the integrity security protection of the uplink user plane messages and/or data carried by the first DRB, and activate the integrity check of the downlink user plane messages and/or data carried by the first DRB.
可选地,终端设备可以向网络设备发送响应消息#1,用于指示终端设备成功释放第一DRB,或者,用于指示终端设备成功修改第一DRB的完整性安全保护状态为激活态。可选地,如果上述步骤S640的第一消息携带在RRC重配置消息,则终端设备可以向网络设备发送RRC重配置完成消息。如果终端设备未成功释放第一DRB,或者,终端设备未成功修改第一DRB的完整性安全保护状态为激活态,则终端设备可以向网络设备发送响应消息#2,可选地,该响应消息#2中可以携带失败原因值,例如失败原因值可以用于指示第一完整性安全保护指示信息校验失败等。Optionally, the terminal device may send a response message #1 to the network device, indicating that the terminal device has successfully released the first DRB, or indicating that the terminal device has successfully modified the integrity security protection state of the first DRB to an activated state. Optionally, if the first message of the above step S640 is carried in an RRC reconfiguration message, the terminal device may send an RRC reconfiguration completion message to the network device. If the terminal device fails to successfully release the first DRB, or the terminal device fails to successfully modify the integrity security protection state of the first DRB to an activated state, the terminal device may send a response message #2 to the network device. Optionally, the response message #2 may carry a failure cause value, for example, the failure cause value may be used to indicate that the verification of the first integrity security protection indication information has failed, etc.
可选地,针对网络设备和地面核心网之间的连接断开的场景,网络设备对接收的上行消息和/或数据进行完整性校验,并且在完整性校验通过的情况下存储该上行数据,在完整性检验不通过的情况下,不存储该上行数据或丢弃该上行数据,能够保证网络通信安全,同时降低被DoS攻击的风险,具体实现方式可参考下列方法700或800的相关描述,这里先不做说明。Optionally, in the scenario where the connection between the network device and the ground core network is disconnected, the network device performs an integrity check on the received uplink message and/or data, and stores the uplink data if the integrity check passes, and does not store the uplink data or discards the uplink data if the integrity check fails. This ensures the security of network communications while reducing the risk of DoS attacks. For the specific implementation method, please refer to the relevant description of the following method 700 or 800, which will not be explained here.
可选地,在一种实现方式中,在第一链路恢复连接的情况下,网络设备可以向终端设备发送第二消息,该第二消息用于指示建立第二DRB,第二消息包括第二完整性安全保护指示信息,第二完整性安全保护指示信息用于指示第二DRB不激活完整性安全保护,第二DRB用于承载终端设备与网络设备之间的数据。Optionally, in one implementation, when the first link resumes connection, the network device may send a second message to the terminal device, where the second message is used to indicate establishment of a second DRB, and the second message includes second integrity security protection indication information, where the second integrity security protection indication information is used to indicate that the second DRB does not activate integrity security protection, and the second DRB is used to carry data between the terminal device and the network device.
可选地,该第二DRB可以是终端设备与网络设备之间重新建立的DRB,也可以是上述步骤S630确定的被释放的第一DRB,或者完整性安全保护状态修改为激活态的第一DRB,本申请对此不作限定,该实现方式为便于后续终端设备与网络设备之间的正常通信。Optionally, the second DRB can be a DRB re-established between the terminal device and the network device, or it can be the first DRB released as determined in the above step S630, or the first DRB whose integrity security protection state is modified to an activated state. This application does not limit this. This implementation method is to facilitate subsequent normal communication between the terminal device and the network device.
可选地,所述第二消息包括第一DRB的标识,和/或,所述第二完整性安全保护指示信息根据所述第一DRB在修改前的完整性安全保护状态为未激活态确定。也就是说,网络设备可以根据上述步骤S630中记录的第一DRB在修改前的完整性安全保护状态为未激活态,进而确定重新建立的第二DRB的完整性安全保护不激活或不开启。可选地,网络设备也可以根据会话的用户面完整性安全策略确定不激活或不开启第二DRB的完整性安全保护,本申请对此不作限定。Optionally, the second message includes an identifier of the first DRB, and/or the second integrity security protection indication information is determined based on the fact that the integrity security protection state of the first DRB before modification is in an inactivated state. That is, the network device may determine that the integrity security protection of the re-established second DRB is inactivated or not enabled based on the fact that the integrity security protection state of the first DRB before modification recorded in the above step S630 is inactivated. Optionally, the network device may also determine not to activate or enable the integrity security protection of the second DRB based on the user plane integrity security policy of the session, which is not limited in the present application.
需要说明的是,以上方法600中以用户面完整性安全保护、用户面完整性安全策略、或完整性校验等为例进行说明,仅是为便于理解给出的示例,不构成对本申请技术方案的限定。可选地,本申请技术方案同样适用于用户面机密性安全保护、用户面机密性安全策略、或解密操作等,具体实现方式可参考上述相关描述,这里不再说明。It should be noted that the above method 600 is described by taking user plane integrity security protection, user plane integrity security policy, or integrity verification as an example, which is only an example given for ease of understanding and does not constitute a limitation on the technical solution of the present application. Optionally, the technical solution of the present application is also applicable to user plane confidentiality security protection, user plane confidentiality security policy, or decryption operation, etc. The specific implementation method can refer to the above related description, which will not be described here.
基于上述提供的方案,网络设备基于用户面完整性安全策略确定是否释放第一DRB,或者修改第一DRB的完整性安全保护状态为激活态,使得网络设备后续接收的用户面数据都是经过完整性安全保护的,便于在馈线链路断开的场景下,卫星基站只存储完整性校验通过的用户面数据,能够缓解潜在的DoS风险,保障网络通信安全。Based on the solution provided above, the network device determines whether to release the first DRB based on the user plane integrity security policy, or modifies the integrity security protection state of the first DRB to an activated state, so that the user plane data subsequently received by the network device is all protected by integrity security. In the scenario where the feeder link is disconnected, the satellite base station only stores user plane data that has passed the integrity check, which can alleviate potential DoS risks and ensure network communication security.
Figure 7 is a schematic flowchart of a communication method 700 provided in an embodiment of this application. As shown in Figure 7, the interaction is described with the terminal device being a UE and the core network elements being an AMF and an SMF as the executing entities. This method can be regarded as a further refinement of method 600 above and mainly describes how the satellite base station and the UE release sessions and/or DRBs for which integrity security protection is not activated. It should be understood that the embodiment shown in Figure 7 and the embodiment shown in Figure 6 can be coupled to each other and can refer to each other, so the related description in method 600 above also applies to this implementation; the two may share the same or similar technical means, and content already described for the embodiment of Figure 6 is not repeated. The method includes the following steps; for parts not described in detail, refer to method 600 above or the existing protocol.
S701: UE1 and UE2 register with the network.
Optionally, the embodiment of this application does not limit the number of UEs registered with the same network. For ease of description, this implementation is explained using two UEs (for example, UE1 and UE2) that register with the network, establish sessions, and determine whether to activate user plane integrity security protection for those sessions. The session establishment procedure and the specific way of activating or not activating user plane integrity security protection for the session are similar for UE1 and UE2, and the repeated parts are not described again below.
S702: UE1 sends a session establishment request message to the AMF; correspondingly, the AMF receives the session establishment request message from UE1.
S703: The AMF sends a session creation context request message to the SMF; correspondingly, the SMF receives the session creation context request message from the AMF.
S704: The SMF sends a session creation context response message to the AMF; correspondingly, the AMF receives the session creation context response message from the SMF.
S705: The AMF sends a session resource establishment request message to the satellite base station; correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
S706: The satellite base station sends RRC reconfiguration message #1 to UE1; correspondingly, UE1 receives RRC reconfiguration message #1 from the satellite base station.
S707: UE1 performs an integrity check on RRC reconfiguration message #1.
S708: UE1 sends RRC reconfiguration complete message #1 to the satellite base station; correspondingly, the satellite base station receives RRC reconfiguration complete message #1 from UE1.
S709: The satellite base station sends a session resource establishment response message to the AMF; correspondingly, the AMF receives the session resource establishment response message from the satellite base station.
For the specific implementation of steps S701 to S709 above, refer to the description of method 300 above.
The following steps address the case where, after the feeder link is disconnected, the satellite base station releases the session and/or DRB between itself and UE2 that has no integrity security protection, thereby mitigating the potential DoS risk and reducing the processing load of UE2 and the satellite base station. In addition, after the feeder link is restored, the satellite base station triggers re-adding the previously released session and/or DRB without integrity security protection, to ensure the communication connection between UE2 and the satellite base station.
S710: The connection between the satellite base station and the ground core network is disconnected, for example, the feeder link is disconnected. For the triggering condition of the feeder link disconnection, refer to the description of step S511 of method 500 above.
S711: The satellite base station releases the session and/or DRB for which integrity security protection is not activated.
It should be understood that a session and/or DRB for which integrity security protection is not activated means that integrity security protection is not enabled for the session and/or DRB, or in other words, the user plane data carried on the session and/or DRB is not security protected and no integrity check is required for it.
For the triggering conditions under which the satellite base station releases the session and/or DRB for which integrity security protection is not activated, refer to the description of method 600 above; they are not described here.
Exemplarily, the satellite base station may determine the session and/or DRB to be released based on the user plane integrity security policy received in step S705. For example, if the user plane integrity security policy indicates that integrity security protection is enabled for session #1 (or the one or more DRB #1 corresponding to the session) between UE1 and the satellite base station, the satellite base station does not release session #1 or the one or more DRB #1. For another example, if the user plane integrity security policy indicates that integrity security protection is not enabled, or is optionally enabled, for session #2 (or the one or more DRB #2 corresponding to the session) between UE2 and the satellite base station, the satellite base station releases session #2 or the one or more DRB #2.
Further, after determining the one or more DRB #2 to be released, the satellite base station may release the PDCP entities corresponding to the one or more DRB #2. That is, all uplink data subsequently received by the satellite base station, for example the uplink data received through the one or more DRB #1, is integrity protected, and therefore an integrity check must be performed on all received uplink data.
S712: The satellite base station sends RRC reconfiguration message #2 to UE2; correspondingly, UE2 receives RRC reconfiguration message #2 from the satellite base station.
In one example, RRC reconfiguration message #2 includes a session ID and/or DRB ID, for example, to identify session #2 or the one or more DRB #2 for which integrity security protection is not activated in step S711 above. For example, RRC reconfiguration message #2 may carry the drb-ToReleaseList information element, which includes the DRB ID(s) for which integrity security protection is not activated, for example DRB #2 ID.
It should be understood that before session #2 or the one or more DRB #2 are released, the integrity security protection activation state of session #2 or the one or more DRB #2 is the inactivated state, or in other words, integrity security protection is not enabled for them, which means that the user plane data carried on session #2 or the one or more DRB #2 is not integrity protected and no integrity check is required for it.
Optionally, the satellite base station stores the released session #2 ID and/or DRB #2 ID. Optionally, the stored session #2 ID and/or DRB #2 ID may be used to restore session #2 and/or DRB #2 in the subsequent step S720.
S713: UE2 releases the session and/or DRB for which integrity security protection is not activated.
In one example, the UE releases the corresponding session #2 and/or DRB #2 based on the session #2 ID and/or DRB #2 ID. For example, UE2 releases the PDCP entity corresponding to DRB #2. That is, UE2 can no longer transmit user plane data with the satellite base station through session #2 and/or DRB #2.
It should be noted that because user plane integrity security protection was not enabled for session #2 and/or DRB #2 before they were released, RRC reconfiguration message #2 in step S712 above does not need to be integrity protected; correspondingly, UE2 does not need to perform an integrity check on RRC reconfiguration message #2.
S714: UE2 sends RRC reconfiguration complete message #2 to the satellite base station; correspondingly, the satellite base station receives RRC reconfiguration complete message #2 from the UE.
Exemplarily, RRC reconfiguration complete message #2 indicates that UE2 has released session #2 and/or DRB #2.
S715: UE1 sends uplink data to the satellite base station; correspondingly, the satellite base station receives the uplink data from UE1.
It should be noted that because integrity security protection is enabled for session #1 or DRB #1 between UE1 and the satellite base station, UE1 must apply integrity security protection to the uplink data before sending it; for the specific implementation, refer to the description of method 300 above.
S716: The satellite base station performs an integrity check on the uplink data.
Exemplarily, the triggering conditions for the satellite base station to perform an integrity check on the uplink data include one or more of the following:
(1) the satellite base station supports store-and-forward operation, and the feeder link is disconnected;
(2) the satellite base station has enabled store-and-forward operation, and the feeder link is disconnected;
(3) the load of the satellite base station is greater than a first threshold, where the first threshold may be predefined, for example defined by the protocol, or may be configured or preconfigured; this application does not limit this;
(4) the value of the integrity security policy received by the satellite base station is "preferred".
It should be noted that, based on steps S711 and S713 above, the satellite base station and the UE have released the session and/or DRB for which integrity security protection is not activated, which means that the uplink data sent by the UE is integrity protected and that the satellite base station must perform an integrity check on all the uplink data received in step S715 above. For the specific implementation of the integrity check, refer to the description of method 300 above, which is not repeated here.
S717: The satellite base station determines, based on the check result, whether to store the uplink data.
The check result is either check success (pass) or check failure (fail). It should be understood that the satellite base station stores uplink data that passes the integrity check and discards uplink data that fails the integrity security protection check.
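The store-and-forward check of steps S715 to S717, as an added example that is not part of this application: a satellite base station buffer that verifies the MAC-I on each uplink PDCP PDU, stores only PDUs that pass, and discards failures as well as anything arriving on a DRB released at S711. The PDU layout and the use of HMAC-SHA256 truncated to 32 bits as a stand-in for a 3GPP NIA integrity algorithm are assumptions of this example, not the protocol's actual algorithm.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Optional

UPLINK = 0  # DIRECTION value used by this example (assumption)


def mac_i(key: bytes, bearer: int, direction: int, count: int, payload: bytes) -> bytes:
    """32-bit MAC-I over (COUNT, BEARER, DIRECTION, MESSAGE).

    Stand-in for an NIA algorithm: HMAC-SHA256 truncated to 4 bytes (assumption).
    """
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class PdcpPdu:
    """Constructed uplink PDU: DRB identity, PDCP COUNT, payload and MAC-I."""
    drb_id: int
    count: int
    payload: bytes
    mac: bytes


@dataclass
class DrbContext:
    """Per-DRB context kept at the satellite base station after S711."""
    drb_id: int
    integrity_key: Optional[bytes]  # None: integrity protection not activated


def protect_uplink(key: bytes, drb_id: int, count: int, payload: bytes) -> PdcpPdu:
    """UE side (S715): attach the MAC-I before sending on a protected DRB."""
    return PdcpPdu(drb_id, count, payload, mac_i(key, drb_id, UPLINK, count, payload))


@dataclass
class StoreAndForwardBuffer:
    """Satellite base station buffer used while the feeder link is down (S716/S717)."""
    drbs: dict
    stored: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def receive_uplink(self, pdu: PdcpPdu) -> str:
        """Returns 'stored' or the drop reason; only verified PDUs are buffered."""
        ctx = self.drbs.get(pdu.drb_id)
        if ctx is None:
            reason = "drb_released"          # released at S711: nothing to forward
        elif ctx.integrity_key is None:
            reason = "integrity_not_active"  # cannot happen after S711; never buffer unverified data
        else:
            expected = mac_i(ctx.integrity_key, pdu.drb_id, UPLINK, pdu.count, pdu.payload)
            if hmac.compare_digest(expected, pdu.mac):
                self.stored.append(pdu)
                return "stored"
            reason = "mac_failed"
        self.dropped.append((pdu, reason))
        return reason

    def forward_on_feeder_restore(self) -> list:
        """S718: hand the verified backlog to the core network and clear the buffer."""
        backlog, self.stored = self.stored, []
        return backlog


def run_demo() -> dict:
    """Constructed scenario: DRB#1 protected and kept, DRB#2 released at S711."""
    key1 = b"constructed-drb1-integrity-key"
    gnb = StoreAndForwardBuffer(drbs={1: DrbContext(1, key1)})
    good = protect_uplink(key1, 1, 7, b"uplink payload from UE1")
    forged = PdcpPdu(1, 8, b"tampered payload", bytes(4))
    replayed = PdcpPdu(good.drb_id, 9, good.payload, good.mac)  # old MAC-I under a new COUNT
    on_released = PdcpPdu(2, 1, b"data on released DRB#2", bytes(4))
    results = [gnb.receive_uplink(p) for p in (good, forged, replayed, on_released)]
    return {"results": results,
            "forwarded": len(gnb.forward_on_feeder_restore()),
            "dropped": len(gnb.dropped)}
```

Only the genuine PDU reaches the backlog that is forwarded at S718; the other three never consume storage, which is the DoS mitigation the step describes.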
S718: The connection between the satellite base station and the ground core network is restored, for example, the feeder link is restored.
The triggering conditions for feeder link recovery include one or more of the following:
(1) the satellite base station has flown to the side near the ground gateway station, that is, the ground gateway station can receive the signal transmitted by the satellite base station;
(2) the communication conditions between the satellite base station and the ground gateway station are good.
S719: The satellite base station sends RRC reconfiguration message #3 to UE2; correspondingly, UE2 receives RRC reconfiguration message #3 from the satellite base station.
Exemplarily, RRC reconfiguration message #3 instructs UE2 to add (or re-establish) session #3 and/or DRB #3, which are used to transmit data between UE2 and the satellite base station. Optionally, session #3 and/or DRB #3 may be the same as or different from the released session #2 and/or DRB #2 above; this application does not limit this. For example, RRC reconfiguration message #3 carries the drb-ToAddModList information element, which includes the session #3 ID and/or DRB #3 ID and the corresponding integrity security protection indication.
Optionally, DRB #3 ID may be the released DRB ID stored by the satellite base station in step S712 above (for example, DRB #2 ID). In that case, RRC reconfiguration message #3 instructs UE2 to re-establish the previously released session #2 and/or DRB #2, and, according to the integrity security protection indication carried in RRC reconfiguration message #3, integrity security protection is not enabled for session #2 and/or DRB #2.
Exemplarily, the triggering conditions for the satellite base station to send RRC reconfiguration message #3 include one or more of the following:
(1) the feeder link is restored;
(2) the satellite base station's own load is lower than a second threshold, where the second threshold may be predefined, for example defined by the protocol, or may be configured or preconfigured.
Optionally, the second threshold may be the same as or different from the first threshold in step S716 above; this application does not limit this.
S720: UE2 establishes the session and/or DRB based on the session ID and/or DRB ID.
Exemplarily, UE2 re-establishes session #3 based on the session #3 ID and determines, based on the integrity security protection indication corresponding to session #3, that integrity security protection is not enabled for session #3; or, in other words, UE2 re-establishes DRB #3 based on the DRB #3 ID and determines, based on the integrity security protection indication corresponding to DRB #3, that integrity security protection is not enabled for DRB #3. That is, UE2 configures the PDCP entity corresponding to DRB #3, and because integrity security protection is not activated for DRB #3, UE2 does not need to configure an integrity security protection key or integrity security protection algorithm in that PDCP entity.
It should be noted that, in steps S718 to S720 above, re-establishing the released session and/or DRB without activated integrity security protection after feeder link recovery is an optional operation for the UE and the satellite base station; whether the satellite base station and the UE rebuild the session and/or DRB depends on the satellite base station's policy, and this application does not limit this.
It should be noted that in the above examples, whether user plane integrity security protection is enabled is consistent across the one or more DRBs corresponding to a session. Optionally, it may differ between the multiple DRBs corresponding to a session. For example, if the integrity security policy corresponding to session #a established between the satellite base station and UE1 has the value "preferred", integrity security protection for session #a is optionally enabled, and therefore user plane integrity security protection for DRB #a and DRB #b corresponding to session #a is optionally enabled. Further, the satellite base station may determine, based on local policy or its own load, to enable user plane integrity security protection for DRB #a and not to enable it for DRB #b; that is, the satellite base station determines that DRB #b needs to be released. Further, the satellite base station may notify UE1 through an RRC reconfiguration message to release DRB #b; subsequently UE1 and the satellite base station can transmit data through DRB #a, that data being integrity protected, while DRB #b can no longer be used to transmit data between UE1 and the satellite base station. Further, when the feeder link is restored, the satellite base station may instruct UE1 to add (or re-establish) DRB #c, with user plane integrity security protection not enabled for DRB #c. Optionally, DRB #c may be the same as or different from DRB #b; for the specific implementation, refer to the description of steps S710 to S714 and steps S718 to S720 of method 700, which is not repeated here for brevity.
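The per-DRB decision described above for a "preferred" session, together with the release at S711/S712 and the re-add at S719/S720, as an added example that is not part of this application: a controller that, on feeder link loss, keeps DRBs whose integrity protection is already active, releases DRBs whose policy is "not needed", decides "preferred" DRBs by the base station's load against the first threshold (activating integrity protection where there is headroom, as in the modification result of method 600, and releasing the rest), remembers the released identities, and on recovery builds a drb-ToAddModList that re-adds them with integrity protection off. The policy names, the per-DRB load cost, and the dictionaries standing in for the RRC information elements are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class UpIpPolicy(Enum):
    """User plane integrity protection policy values (names as used by this example)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass
class Drb:
    drb_id: int
    session_id: int
    policy: UpIpPolicy
    integrity_active: bool
    integrity_cost: float = 0.1  # constructed: load added by checking this DRB's traffic


@dataclass
class SatelliteGnbController:
    drbs: Dict[int, Drb]
    load: float                 # current load, 0..1 (constructed units)
    first_threshold: float      # load ceiling for activating "preferred" DRBs (S716, condition 3)
    released: Dict[int, Drb] = field(default_factory=dict)  # identities remembered at S712

    def on_feeder_link_down(self) -> dict:
        """S711/S712: decide per DRB; the dict stands in for the RRC reconfiguration IEs."""
        to_release: List[int] = []
        activated: List[int] = []
        for drb in sorted(self.drbs.values(), key=lambda d: d.drb_id):
            if drb.integrity_active:
                continue  # already protected (e.g. policy "required"): keep as is
            if (drb.policy is UpIpPolicy.PREFERRED
                    and self.load + drb.integrity_cost <= self.first_threshold):
                drb.integrity_active = True  # modification result: activate (method 600)
                self.load += drb.integrity_cost
                activated.append(drb.drb_id)
                continue
            to_release.append(drb.drb_id)  # "not needed", or "preferred" without headroom
        for drb_id in to_release:
            self.released[drb_id] = self.drbs.pop(drb_id)
        return {"drb-ToReleaseList": to_release, "integrityActivated": activated}

    def on_feeder_link_up(self) -> Optional[dict]:
        """S719: re-add the released DRBs with integrity protection off (optional, S718-S720)."""
        if not self.released:
            return None
        add_mod = []
        for drb_id, drb in sorted(self.released.items()):
            drb.integrity_active = False  # state before modification was "not activated"
            self.drbs[drb_id] = drb
            add_mod.append({"drb-Identity": drb_id, "integrityProtection": False})
        self.released.clear()
        return {"drb-ToAddModList": add_mod}

    def unverified_drbs(self) -> List[int]:
        """Invariant while the feeder link is down: empty after on_feeder_link_down()."""
        return sorted(d.drb_id for d in self.drbs.values() if not d.integrity_active)


def run_demo() -> dict:
    """Constructed: session #1 'required' (DRB 1), session #a 'preferred' (DRB 2 and 3),
    session #2 'not needed' (DRB 4); load 0.75 against a first threshold of 0.9."""
    drbs = {
        1: Drb(1, 1, UpIpPolicy.REQUIRED, integrity_active=True),
        2: Drb(2, 10, UpIpPolicy.PREFERRED, integrity_active=False),
        3: Drb(3, 10, UpIpPolicy.PREFERRED, integrity_active=False),
        4: Drb(4, 2, UpIpPolicy.NOT_NEEDED, integrity_active=False),
    }
    gnb = SatelliteGnbController(drbs=drbs, load=0.75, first_threshold=0.9)
    down = gnb.on_feeder_link_down()
    unverified = gnb.unverified_drbs()
    up = gnb.on_feeder_link_up()
    return {"down": down, "unverified": unverified, "up": up}
```

With this input, DRB 2 is activated (the DRB #a case), DRB 3 and DRB 4 are released (the DRB #b case and the "not needed" session), and both come back unprotected when the feeder link recovers.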
本申请提供的方案,在馈线链路断开的场景下,卫星基站通过释放无完整性安全保护的会话和/或DRB,使得卫星基站后续接收的上行数据都是经过完整性安全保护的,卫星基站也就避免了接收无完整性安全保护的上行数据,缓解了潜在的DoS风险,并且降低UE和卫星基站的处理负载。另外,在馈线链路重新恢复连接后,卫星基站触发新增无完整性安全保护的会话和/或DRB,保证UE与卫星基站的之间的正常通信。The solution provided by the present application is that in the scenario where the feeder link is disconnected, the satellite base station releases the session and/or DRB without integrity security protection, so that the uplink data subsequently received by the satellite base station is all integrity security protected. The satellite base station also avoids receiving uplink data without integrity security protection, alleviates the potential DoS risk, and reduces the processing load of the UE and the satellite base station. In addition, after the feeder link is restored, the satellite base station triggers a new session and/or DRB without integrity security protection to ensure normal communication between the UE and the satellite base station.
相比于上述图7所示的方案,下面结合图8,针对卫星基站和UE在馈线链路断开的情况下,卫星基站和UE将未激活完整性安全保护的会话和/或DRB的完整性安全保护状态修改为激活态,使得UE与卫星基站之间传输的上行数据都是经过安全保护的,避免潜在的DoS风险,同时保证UE与卫星基站之间的正常通信。Compared with the scheme shown in Figure 7 above, in combination with Figure 8 below, when the feeder link between the satellite base station and the UE is disconnected, the satellite base station and the UE will modify the integrity security protection status of the inactivated integrity security-protected session and/or the DRB to an activated state, so that the uplink data transmitted between the UE and the satellite base station are all securely protected, avoiding potential DoS risks while ensuring normal communication between the UE and the satellite base station.
Figure 8 is a schematic flowchart of a communication method 800 provided in an embodiment of the present application. As shown in Figure 8, the interaction is described taking the terminal device as a UE and the session management network element as an SMF as the executing entities. This method can be regarded as a further refinement of the above method 400. It should be understood that the embodiment shown in Figure 8 and the embodiment shown in Figure 6 can be coupled with each other and can refer to each other; therefore, the relevant description in the above method 600 is also applicable to this implementation, the two may share the same or similar technical means, and content already described in the embodiments shown in Figure 6 or Figure 7 is not repeated. The method includes the following steps; for parts not described in detail, refer to the above methods 600 to 700 or to existing protocols.
S801, the UE registers with the network.
S802, the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
S803, the AMF sends a session creation context request message to the SMF, and correspondingly, the SMF receives the session creation context request message from the AMF.
S804, the SMF sends a session creation context response message to the AMF, and correspondingly, the AMF receives the session creation context response message from the SMF.
S805, the AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
S806, the satellite base station sends RRC reconfiguration message #1 to the UE, and correspondingly, the UE receives RRC reconfiguration message #1 from the satellite base station.
S807, the UE performs an integrity check on RRC reconfiguration message #1.
S808, the UE sends RRC reconfiguration complete message #1 to the satellite base station, and correspondingly, the satellite base station receives RRC reconfiguration complete message #1 from the UE.
S809, the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives the session resource establishment response message from the satellite base station.
For the specific implementation of the above steps S801 to S809, refer to the description of steps S701 to S709 of the above method 700.
The following steps concern the case after the feeder link is disconnected: the satellite base station modifies the sessions and/or DRBs without integrity security protection so that integrity security protection is activated, thereby mitigating the potential DoS risk and reducing the processing load of the UE and the satellite base station. In addition, after the feeder link is restored, the satellite base station triggers the DRBs for which integrity security protection was activated above to be restored to their previous state without integrity security protection, ensuring the communication connection between the UE and the satellite base station.
S810, the connection between the satellite base station and the ground core network is disconnected, for example the feeder link is disconnected; for the triggering condition of the feeder link disconnection, refer to the description of step S511 of the above method 500.
S811, the satellite base station modifies the integrity security protection state of the sessions and/or DRBs for which integrity security protection is not activated to the activated state.
It should be understood that a session and/or DRB for which integrity security protection is not activated means that the integrity security protection of the session and/or DRB is not enabled; in other words, the user plane data carried on the session and/or DRB is not security protected and no integrity check is required for it.
For the triggering conditions under which the satellite base station modifies the integrity security protection state of the sessions and/or DRBs for which integrity security protection is not activated to the activated state, refer to the relevant description of the above method 600; they are not explained again here.
Exemplarily, the satellite base station may determine the sessions and/or DRBs whose integrity security protection state needs to be modified based on the user plane integrity security policy received in step S805. For example, if the user plane integrity security policy indicates that integrity security protection is enabled for the session between the UE and the satellite base station (or for one or more DRBs corresponding to the session), the satellite base station does not need to modify the integrity security protection state of the session or of the one or more DRBs. As another example, if the user plane integrity security policy indicates that integrity security protection is not enabled, or is optionally enabled, for the session between the UE and the satellite base station (or for one or more DRBs corresponding to the session), the satellite base station may modify the integrity security protection state of the session or of the one or more DRBs to the activated state.
Further, after determining the sessions and/or DRBs whose integrity security protection state needs to be modified to the activated state, the satellite base station modifies the PDCP entity corresponding to each such DRB accordingly; for example, the satellite base station configures the integrity security protection key and the integrity security protection algorithm in the PDCP entity. At the same time, the satellite base station activates integrity security protection of the downlink data on the DRB and activates the integrity check of the uplink data on the DRB. In other words, all uplink data subsequently received by the satellite base station through the DRB is integrity security protected, and therefore the uplink data received through the DRB needs to be integrity checked.
S812, the satellite base station sends RRC reconfiguration message #2 to the UE, and correspondingly, the UE receives RRC reconfiguration message #2 from the satellite base station.
In one example, RRC reconfiguration message #2 includes a session ID and/or DRB ID, and the integrity security protection activation state of the session and/or DRB corresponding to the session ID and/or DRB ID is the inactive state. In addition, RRC reconfiguration message #2 also includes an integrity security protection indication corresponding to the session and/or DRB, and the integrity security protection indication is used to instruct the UE to activate (or enable) the integrity security protection of the session and/or DRB. In other words, RRC reconfiguration message #2 is used to instruct the UE to modify the integrity security protection state of the session and/or DRB, that is, from the inactive state to the activated state. For example, RRC reconfiguration message #2 carries a drb-ToAddModList information element, which includes the session ID and/or DRB ID for which integrity security protection is not activated.
Optionally, the satellite base station records the session ID and/or DRB ID whose integrity security protection state has been modified; or records that the integrity security protection state of the session and/or DRB before the modification was the inactive state; or records that the integrity security policy of the session and/or DRB before the modification indicated that integrity security protection is not enabled; and so on. Optionally, the recorded session ID and/or DRB ID is used in the subsequent step S820 to restore the integrity security protection state of the session and/or DRB to the inactive state.
S813, the UE modifies the integrity security protection state of the session and/or DRB to the activated state.
That is, the integrity security protection state of the session/DRB before the modification is the inactive state, and after the modification it is the activated state.
In one example, the UE modifies the integrity security protection state of the session and/or DRB corresponding to the session ID and/or DRB ID to the activated state. For example, the UE modifies the PDCP entity corresponding to the DRB, which includes configuring the integrity security protection key and the integrity security protection algorithm in the PDCP entity. At the same time, the UE activates integrity security protection of the uplink data on the DRB and activates the integrity check of the downlink data on the DRB. In other words, all uplink data subsequently sent by the UE through the session and/or DRB is integrity security protected, and therefore the satellite base station needs to perform an integrity check on the uplink data received through the session and/or DRB.
S814, the UE sends RRC reconfiguration complete message #2 to the satellite base station, and correspondingly, the satellite base station receives RRC reconfiguration complete message #2 from the UE.
Exemplarily, RRC reconfiguration complete message #2 is used to indicate that the UE has modified the integrity security protection state of the session and/or DRB to the activated state.
S815, the UE sends uplink data to the satellite base station, and correspondingly, the satellite base station receives the uplink data from the UE.
It should be noted that since the UE has modified the integrity security protection state of the sessions and/or DRBs for which integrity security protection was not activated to the activated state, the UE needs to apply integrity security protection to the uplink data before sending it; for the specific implementation, refer to the relevant description of the above method 300.
S816, the satellite base station performs an integrity check on the uplink data.
S817, the satellite base station determines, based on the check result, whether to store the uplink data.
S818, the connection between the satellite base station and the ground core network is restored, for example the feeder link is restored.
For the specific implementation of the above steps S816 to S818, the triggering condition of the integrity check, and the triggering condition of the feeder link restoration, refer to the description of steps S716 to S718 of the above method 700.
S819, the satellite base station sends RRC reconfiguration message #3 to the UE, and correspondingly, the UE receives RRC reconfiguration message #3 from the satellite base station.
For the triggering condition under which the satellite base station sends RRC reconfiguration message #3, refer to the description of step S719 of the above method 700.
Exemplarily, RRC reconfiguration message #3 is used to instruct the UE to add (or re-establish) a session and/or DRB, and the added or re-established session and/or DRB is used for subsequent data transmission between the UE and the satellite base station. Optionally, the added or re-established session and/or DRB may be the same as, or different from, the session and/or DRB whose user plane integrity security protection state was modified to the activated state above; this application does not limit this. For example, RRC reconfiguration message #3 carries a drb-ToAddModList information element, which includes a session ID and/or DRB ID and its corresponding integrity security protection indication.
Optionally, the session ID is the session ID recorded by the satellite base station in the above step S812 whose integrity security protection state has been modified. In this case, RRC reconfiguration message #3 is used to instruct the UE to modify the integrity security protection state of the session and/or DRB, that is, from the activated state to the inactive state, and the integrity security protection indication indicates that integrity security protection of the session and/or DRB is not enabled.
S820, the UE modifies the integrity security protection state of the session and/or DRB to the inactive state based on the session ID and/or DRB ID.
Exemplarily, the UE modifies the integrity security protection state of the session and/or DRB corresponding to the session ID and/or DRB ID to the inactive state, that is, integrity security protection of the session and/or DRB is not enabled. For example, the UE modifies the PDCP entity corresponding to the DRB: since integrity security protection of the DRB is not enabled, the UE does not need to configure an integrity security protection key and integrity security protection algorithm in the PDCP entity; for example, the satellite base station deletes the integrity security protection key and integrity security protection algorithm corresponding to the PDCP entity.
It should be noted that in the above steps S818 to S820, in the case where the feeder link is restored, the modification of the integrity security protection state of the session and/or DRB by the UE and the satellite base station is an optional operation. Whether the satellite base station and the UE modify the integrity security protection state of the session and/or DRB to the inactive state depends on the satellite base station's policy, which this application does not limit.
It should be noted that in the above examples, whether user plane integrity security protection is enabled is consistent across the one or more DRBs corresponding to a session. Optionally, whether user plane integrity security protection is enabled may differ between the multiple DRBs corresponding to a session. For example, if the value of the integrity security policy corresponding to session #a established between the satellite base station and the UE is preferred, this means that the integrity security protection of session #a is optionally enabled, and therefore that the integrity security protection of DRB#a and DRB#b corresponding to session #a is optionally enabled. Further, the satellite base station may, according to local policy or its own load, determine to activate the integrity security protection of DRB#a and not to activate the integrity security protection of DRB#b; that is, the satellite base station determines that the integrity security protection state of DRB#b needs to be modified to the activated state, so that the modified DRB#b has integrity security protection enabled. Further, the satellite base station may notify the UE through an RRC reconfiguration message to modify the integrity security protection state of DRB#b to the activated state; subsequently, the UE and the satellite base station may transmit data through DRB#a and DRB#b, and the transmitted data is integrity security protected.
Furthermore, when the feeder link is restored, the satellite base station may instruct the UE to modify the integrity security protection state of DRB#b to the inactive state. For the specific implementation, refer to steps S810 to S814 of method 800 and the description of steps S818 to S820. For the sake of brevity, they are not repeated here.
In the solution provided by the present application, in the scenario where the feeder link is disconnected, the satellite base station modifies the integrity security protection state of the sessions and/or DRBs without integrity security protection to the activated state, so that all uplink data subsequently received by the satellite base station is integrity security protected; the satellite base station thereby avoids receiving uplink data without integrity security protection, mitigating the potential DoS risk. In addition, after the feeder link is restored, the satellite base station triggers the sessions and/or DRBs that were modified above to enable integrity security protection to be restored to the inactive state, ensuring the communication connection between the UE and the satellite base station.
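The state change of steps S811 to S820, together with the integrity check and storage decision of steps S816 and S817, as an added Python model that is not part of this application: the policy values required, preferred and not needed come from the description above, while the MAC-I is stood in for by a truncated HMAC-SHA256 (the NIA algorithms and key derivation are assumed out of scope) and the DRB IDs, key and PDUs are constructed sample values.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field

MAC_LEN = 4  # the PDCP MAC-I is 32 bits


def compute_mac(key: bytes, drb_id: int, payload: bytes) -> bytes:
    """Stand-in for the NIA MAC-I: HMAC-SHA256 over (bearer id, payload), truncated to 32 bits."""
    return hmac.new(key, bytes([drb_id]) + payload, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class Drb:
    drb_id: int
    policy: str               # session UP integrity policy: "required" | "preferred" | "not needed"
    integrity_active: bool
    key: bytes | None = None  # configured in the PDCP entity only while integrity is active


def make_drbs(policies: dict[int, str], active: dict[int, bool]) -> dict[int, Drb]:
    return {i: Drb(i, policies[i], active[i]) for i in policies}


@dataclass
class Ue:
    drbs: dict[int, Drb]
    key: bytes

    def apply_reconfiguration(self, drb_ids: list[int], activate: bool) -> None:
        """S813 / S820: follow the integrity indication carried with each DRB ID in drb-ToAddModList."""
        for i in drb_ids:
            self.drbs[i].integrity_active = activate
            self.drbs[i].key = self.key if activate else None

    def send_uplink(self, drb_id: int, payload: bytes) -> bytes:
        """S815: append a MAC-I only when the DRB's integrity protection is active."""
        drb = self.drbs[drb_id]
        if not drb.integrity_active:
            return payload
        return payload + compute_mac(drb.key, drb_id, payload)


@dataclass
class SatelliteGnb:
    drbs: dict[int, Drb]
    key: bytes
    stored: list[tuple[int, bytes]] = field(default_factory=list)
    modified: dict[int, bool] = field(default_factory=dict)  # S812 record: DRB ID -> state before change

    def on_feeder_link_down(self) -> list[int]:
        """S811/S812: activate integrity on unprotected DRBs whose policy is not 'required'."""
        changed = []
        for drb in self.drbs.values():
            if drb.policy == "required" or drb.integrity_active:
                continue                       # already protected: nothing to modify
            self.modified[drb.drb_id] = drb.integrity_active
            drb.integrity_active = True
            drb.key = self.key                 # key/algorithm configured in the PDCP entity
            changed.append(drb.drb_id)         # IDs carried in RRC reconfiguration message #2
        return changed

    def on_feeder_link_up(self, revert: bool) -> list[int]:
        """S818/S819: restoring the recorded DRBs to the inactive state is optional (base station policy)."""
        if not revert:
            return []
        reverted = list(self.modified)
        for drb_id, prior in self.modified.items():
            self.drbs[drb_id].integrity_active = prior
            self.drbs[drb_id].key = None       # key/algorithm removed from the PDCP entity
        self.modified.clear()
        return reverted

    def receive_uplink(self, drb_id: int, pdu: bytes) -> bool:
        """S816/S817: verify the MAC-I on protected DRBs and store only PDUs that pass the check."""
        drb = self.drbs[drb_id]
        if not drb.integrity_active:
            self.stored.append((drb_id, pdu))  # unprotected DRB: nothing can be verified
            return True
        payload, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        if not hmac.compare_digest(mac, compute_mac(drb.key, drb_id, payload)):
            return False                       # check failed: PDU discarded, not stored for forwarding
        self.stored.append((drb_id, payload))
        return True


def run_scenario() -> dict:
    """Constructed walk-through of S810 to S820: DRB 1/2 under 'preferred' (DRB#a / DRB#b), DRB 3 'required'."""
    key = b"constructed K_UPint stand-in, not a real key"
    policies = {1: "preferred", 2: "preferred", 3: "required"}
    active = {1: True, 2: False, 3: True}
    ue = Ue(make_drbs(policies, active), key)
    gnb = SatelliteGnb(make_drbs(policies, active), key)
    to_activate = gnb.on_feeder_link_down()                   # S810-S812: only DRB 2 changes
    ue.apply_reconfiguration(to_activate, activate=True)      # S813-S814
    pdu = ue.send_uplink(2, b"telemetry")                     # S815: now carries a MAC-I
    ok_genuine = gnb.receive_uplink(2, pdu)                   # S816-S817: passes, stored
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]               # payload altered in transit
    ok_tampered = gnb.receive_uplink(2, tampered)             # fails the check, discarded
    reverted = gnb.on_feeder_link_up(revert=True)             # S818-S819: DRB 2 back to inactive
    ue.apply_reconfiguration(reverted, activate=False)        # S820
    ok_after = gnb.receive_uplink(2, ue.send_uplink(2, b"later"))
    return {"to_activate": to_activate, "ok_genuine": ok_genuine, "ok_tampered": ok_tampered,
            "reverted": reverted, "ok_after": ok_after, "stored": gnb.stored}
```

Calling `run_scenario()` shows that only the unprotected preferred-policy DRB is reconfigured, that a PDU altered after the MAC-I was computed is rejected rather than stored, and that the DRB returns to the unprotected state once the link is back.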
Figure 9 is a schematic flowchart of a communication method 900 provided in an embodiment of the present application. As shown in Figure 9, the interaction is described taking the terminal device as a UE and the core network elements as an AMF and an SMF as the executing entities. This method can be regarded as a further refinement of the above method 400 or 600 and mainly describes how the SMF determines the user plane integrity security policy based on the indication information and/or the subscription information. It should be understood that the embodiment shown in Figure 9 and the embodiments shown in Figures 4 to 8 can be coupled with each other and can refer to each other; therefore, the relevant descriptions in the above methods 400 to 800 are also applicable to this implementation, the two may share the same or similar technical means, and content already described in the embodiments shown in Figures 4 to 8 is not repeated. The method includes the following steps; for parts not described in detail, refer to existing protocols.
S901, the UE registers with the network.
S902, the UE sends a session establishment request message to the AMF, and correspondingly, the AMF receives the session establishment request message from the UE.
For the specific implementation of the above steps S901 and S902, refer to the relevant description of the above method 300.
S903, the AMF sends a session creation context request message to the SMF, and correspondingly, the SMF receives the session creation context request message from the AMF.
The session creation context request message carries indication information, which is used to indicate that the base station is deployed on a satellite (referred to as a satellite base station for short). Optionally, the indication information is also used to indicate that the satellite base station supports the store-and-forward feature.
Optionally, the AMF obtains one or more of the capability information, configuration information or location information of the base station through a local query or by sending a query message to the OAM or the UDM; for the specific meaning of these items, refer to the relevant description of the above method 500. Through the query, the AMF can determine that the base station is deployed on a satellite; optionally, the AMF can also determine that the satellite base station supports the store-and-forward feature.
S904, the SMF determines the user plane integrity security policy of the session based on the indication information and/or the subscription information.
Optionally, the indication information may be obtained by the SMF from the AMF, or from the OAM or the UDM.
Optionally, the subscription information may be obtained by the SMF from the UDM or the PCF.
In a first example, the SMF determines the user plane integrity security policy of the session based on the indication information.
In a second example, the SMF determines the user plane integrity security policy based on the subscription information.
The subscription information of the UE is used to indicate whether the UE has subscribed to the store-and-forward operation service.
Optionally, this application does not limit the order in which the SMF obtains the subscription information and the indication information.
In a third example, the SMF determines the user plane integrity security policy based on both the indication information and the subscription information.
For the specific implementation of the above examples, refer to the relevant description of step S401 of the above method 400.
S905, the SMF sends a session creation context response message to the AMF, and correspondingly, the AMF receives the session creation context response message from the SMF.
S906, the AMF sends a session resource establishment request message to the satellite base station, and correspondingly, the satellite base station receives the session resource establishment request message from the AMF.
S907, the satellite base station sends an RRC reconfiguration message to the UE, and correspondingly, the UE receives the RRC reconfiguration message from the satellite base station.
It should be noted that when the value of the integrity security policy determined in the above step S904 is preferred, the satellite base station may further determine, based on local policy, whether the integrity security policy is required or not needed; for the specific implementation, refer to the relevant description of the above method 300.
S908, the UE performs an integrity check on the RRC reconfiguration message.
S909, the UE sends an RRC reconfiguration complete message to the satellite base station, and correspondingly, the satellite base station receives the RRC reconfiguration complete message from the UE.
For the specific implementation of the above steps S905 to S909, refer to the relevant description of the above method 300.
S910, the satellite base station sends a session resource establishment response message to the AMF, and correspondingly, the AMF receives the session resource establishment response message from the satellite base station.
S911, the connection between the satellite base station and the ground core network is disconnected, for example the feeder link is disconnected; for the triggering condition of the feeder link disconnection, refer to the description of step S511 of the above method 500.
S912, the UE sends uplink data to the satellite base station, and correspondingly, the satellite base station receives the uplink data from the UE.
S913, the satellite base station performs an integrity check on the uplink data.
For the triggering condition under which the satellite base station performs the integrity check on the uplink data, and for the specific way in which the satellite base station performs that check, refer to the description of step S513 of the above method 500; they are not repeated here.
S914, the satellite base station determines, based on the check result, whether to store the uplink data.
For the specific implementation, refer to the description of step S514 of the above method 500.
In the solution provided by the present application, the integrity security policy is set based on the indication information, so that the user plane data subsequently received by the satellite base station is integrity security protected to the greatest possible extent, mitigating the potential DoS risk and reducing the processing load of the UE and the base station. In the scenario where the feeder link is disconnected, the satellite base station can store only the data that passes the integrity check, so as to ensure network security.
The method-side embodiments of the communication method of the present application have been described in detail above with reference to Figures 1 to 9; the apparatus-side embodiments of the present application are described in detail below with reference to Figures 10 and 11. It should be understood that the description of the apparatus embodiments corresponds to the description of the method embodiments; therefore, for parts not described in detail, refer to the preceding method embodiments.
Figure 10 is a schematic diagram of a communication apparatus provided by an embodiment of the present application. As shown in Figure 10, the communication apparatus 1000 includes a processing module 1010 and a communication module 1020. The communication apparatus 1000 may be a terminal device, or a communication apparatus that is applied to a terminal device or used together with a terminal device and is capable of implementing the method performed by the terminal device, for example a chip, a chip system or a circuit; or, the communication apparatus 1000 may be a network device, or a communication apparatus that is applied to a network device or used together with a network device and is capable of implementing the method performed by the network device, for example a chip, a chip system or a circuit; or, the communication apparatus 1000 may be a session management network element, or a communication apparatus that is applied to a session management network element or used together with a session management network element and is capable of implementing the method performed by the session management network element, for example a chip, a chip system or a circuit.
The communication module may also be referred to as a transceiver module, a transceiver, a transceiver unit, a transceiver apparatus, or the like. The processing module may also be referred to as a processor, a processing board, a processing unit, a processing apparatus, or the like. Optionally, the communication module is used to perform the sending and receiving operations of the terminal device and the network device in the above methods; the component of the communication module that implements the receiving function may be regarded as a receiving unit, and the component that implements the sending function may be regarded as a sending unit, that is, the communication module includes a receiving unit and a sending unit.
When the communication apparatus 1000 is applied to a terminal device, the processing module 1010 may be used to implement the processing functions of the terminal device in the above embodiments, and the communication module 1020 may be used to implement the transceiving functions of the terminal device in the above embodiments.
通信装置1000应用于网络设备时,处理模块1010可用于实现上述各实施例中网络设备的处理功能,通信模块1020可用于实现上述各实施例中网络设备的收发功能。When the communication device 1000 is applied to a network device, the processing module 1010 can be used to implement the processing function of the network device in the above embodiments, and the communication module 1020 can be used to implement the transceiver function of the network device in the above embodiments.
通信装置1000应用于会话管理网元时,处理模块1010可用于实现上述各实施例中会话管理网元的处理功能,通信模块1020可用于实现上述各实施例中会话管理网元的收发功能。When the communication device 1000 is applied to a session management network element, the processing module 1010 can be used to implement the processing function of the session management network element in the above embodiments, and the communication module 1020 can be used to implement the sending and receiving function of the session management network element in the above embodiments.
此外需要说明的是,前述通信模块和/或处理模块可通过虚拟模块实现,例如处理模块可通过软件功能单元或虚拟装置实现,通信模块可以通过软件功能或虚拟装置实现。或者,处理模块或通信模块也可以通过实体装置实现,例如若该装置采用芯片/电路(例如集成电路或者逻辑电路等)实现。所述通信模块可以是输入输出电路和/或通信接口,执行输入操作(对应前述接收操作)、输出操作(对应前述发送操作);处理模块为集成的处理器或者微处理器或者电路(例如集成电路或者逻辑电路等)。In addition, it should be noted that the aforementioned communication module and/or processing module can be implemented by a virtual module, for example, the processing module can be implemented by a software function unit or a virtual device, and the communication module can be implemented by a software function or a virtual device. Alternatively, the processing module or the communication module can also be implemented by a physical device, for example, if the device is implemented using a chip/circuit (such as an integrated circuit or a logic circuit, etc.). The communication module can be an input-output circuit and/or a communication interface, performing input operations (corresponding to the aforementioned receiving operations) and output operations (corresponding to the aforementioned sending operations); the processing module is an integrated processor or microprocessor or circuit (such as an integrated circuit or a logic circuit, etc.).
本申请中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,另外,在本申请各个示例中的各功能模块可以集成在一个处理器中,也可以是单独物理存在,也可以两个或两个以上模块集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。The division of modules in this application is schematic and is only a logical function division. There may be other division methods in actual implementation. In addition, each functional module in each example of this application may be integrated into one processor, or may exist physically separately, or two or more modules may be integrated into one module. The above-mentioned integrated modules may be implemented in the form of hardware or in the form of software functional modules.
Figure 11 is a schematic diagram of another communication apparatus provided by an embodiment of the present application. As shown in Figure 11, optionally, the communication apparatus 2000 may be the aforementioned terminal device, network device or session management network element, or a chip or chip system used in the aforementioned terminal device, network device or session management network element. Optionally, in this application a chip system may consist of a chip, or may include a chip and other discrete components.
The communication apparatus 2000 may be used to implement the functions of any device (for example, a terminal device, a network device or a session management network element) in the communication system described in the foregoing examples. The communication apparatus 2000 may include at least one processing circuit 2010. Optionally, the processing circuit 2010 is coupled to a memory; the memory may be located within the apparatus, may be integrated with the processor, or may be located outside the apparatus. For example, the communication apparatus 2000 may further include at least one memory 2020. The memory 2020 stores the computer programs, instructions and/or data necessary to implement any of the above examples; the processing circuit 2010 may execute the computer program stored in the memory 2020 to carry out the method of any of the above examples.
The communication apparatus 2000 may further include a transceiver circuit 2030, through which the communication apparatus 2000 may exchange information with other devices. By way of example, the transceiver circuit 2030 may be a transceiver, a circuit, a bus, a module, a pin or another type of communication interface. When the communication apparatus 2000 is a chip-type apparatus or a circuit, the transceiver circuit 2030 in the apparatus 2000 may also be an input/output circuit or an interface circuit capable of inputting information (that is, receiving information) and outputting information (that is, sending information). When the communication apparatus 2000 is a network device or a terminal device, the transceiver circuit 2030 may be a transmitter, a receiver, a transceiver or a communication interface, which is not limited here.
The processing circuit 2010 may be one or more processors, or all or part of the processing circuitry of one or more processors. The processing circuit 2010 is an integrated processor, a microprocessor, an integrated circuit, a logic circuit or the like; the processor may determine output information based on input information.
Coupling in this application means an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for exchanging information between the apparatuses, units or modules. The processing circuit 2010 may operate in cooperation with the memory 2020 and the transceiver circuit 2030. The specific connection medium between the processing circuit 2010, the memory 2020 and the transceiver circuit 2030 is not limited in this application.
Optionally, as shown in Figure 11, the processing circuit 2010, the memory 2020 and the transceiver circuit 2030 are interconnected via a bus 2040. Optionally, the bus may include an address bus, a data bus, a control bus and other types of buses. For ease of illustration, Figure 11 shows a single bus 2040, but this does not mean that there is only one bus or only one type of bus.
It should be understood that the processor mentioned in the embodiments of this application may be any of the following devices, or the part of the circuitry of such a device used for processing functions: a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be a volatile memory and/or a non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM); for example, RAM may be used as an external cache. By way of example and not limitation, RAM includes the following forms: static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (storage module) may be integrated into the processor.
It should also be noted that the memory described herein is intended to include, but is not limited to, these and any other suitable types of memory.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by at least one of the terminal device, the network device or the session management network element in the above method embodiments.
An embodiment of this application further provides a computer program product comprising code or instructions which, when executed by a computer, implement the method performed by at least one of the terminal device, the network device or the session management network element in the above method embodiments.
An embodiment of this application further provides a communication system including at least one of the core network element, the session management network element or the network device in the above embodiments.
Optionally, the communication system further includes the terminal device in the above embodiments.
For explanations of the relevant content and beneficial effects of any of the apparatuses provided above, reference may be made to the corresponding method embodiments provided above; they are not repeated here.
To facilitate understanding of the above embodiments of this application, the following points are explained:
1) In this application, unless otherwise specified or logically contradictory, the terms and/or descriptions of different embodiments are consistent and may be referenced by one another, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
2) In this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. In the text of this application, the character "/" generally indicates an "or" relationship between the associated objects before and after it. "At least one of the following" or a similar expression refers to any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b and c may mean: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where each of a, b and c may be a single item or multiple items.
3) In this application, "first", "second" and the various numerical labels (for example, #1, #2, etc.) indicate distinctions made for convenience of description (for example, to distinguish different messages) and are not used to limit the scope of the embodiments of this application, nor to describe a particular order or sequence. It should be understood that objects described in this way may be interchanged where appropriate, so that solutions other than the embodiments of this application can be described.
4) In this application, descriptions such as "when ...", "in the case of ..." and "if" all mean that a device performs the corresponding processing under some objective condition; they do not limit the timing, do not require the device to perform an act of judgement when implementing the processing, and do not imply any other limitation.
5) In this application, "indicate" or "used to indicate" may include both direct indication and indirect indication. When a piece of indication information is described as being used to indicate A, this may mean that the indication information indicates A directly or indirectly, and does not mean that the indication information necessarily carries A.
The indication methods involved in the embodiments of this application should be understood to cover any method that enables the party being indicated to learn the information to be indicated. The information to be indicated may be sent as a whole or divided into multiple pieces of sub-information sent separately, and the sending periods and/or sending occasions of these pieces of sub-information may be the same or different; this application does not limit the sending method.
The "indication information" in the embodiments of this application may be an explicit indication, that is, indicated directly by signaling, or obtained from parameters indicated by signaling in combination with other rules or parameters or by derivation. It may also be an implicit indication, that is, obtained according to a rule or relationship, according to other parameters, or by derivation. This application does not specifically limit this.
6) In this application, "protocol" may refer to a standard protocol in the communications field, which may include, for example, the 5G protocol, the NR protocol and related protocols applied in future communication systems; this application does not limit this. "Predefined" may include being defined in advance, for example, defined by a protocol. "Preconfigured" may be implemented by storing in the device in advance corresponding code, tables or other means that can indicate the relevant information; this application does not limit the implementation.
7) In this application, "communication" may also be described as "data transmission", "information transmission", "data processing", etc. "Transmission" includes "sending" and "receiving".
8) In this application, "sending information to XX (a device)" may be understood to mean that the destination of the information is that device, and may include sending the information to the device directly or indirectly. "Receiving information from XX (a device)" may be understood to mean that the source of the information is that device, and may include receiving the information from the device directly or indirectly. The information may undergo necessary processing between the source and the destination, such as a change of format, but the destination can understand the valid information from the source.
In the various embodiments of this application, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and inherent logic and should not constitute any limitation on the implementation of the embodiments of this application.
In this application, provided there is no logical contradiction, the examples may reference one another: for example, the methods and/or terms of different method embodiments may reference one another, the functions and/or terms of different apparatus embodiments may reference one another, and the functions and/or terms of apparatus examples and method examples may reference one another.
It should be understood that some of the above embodiments have mainly used devices in existing network architectures as examples for illustration; the embodiments of this application do not limit the specific form of the devices. For example, any device that can achieve the same functions in the future is applicable to the embodiments of this application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein may be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division of units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may exist physically separately, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
The above are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application, and these should all be covered by the protection scope of this application. Therefore, the protection scope of this application should be subject to the protection scope of the claims.
Claims (29)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410083047.2A CN120358501A (en) | 2024-01-19 | 2024-01-19 | Secure communication method, device and communication system |
| CN202410083047.2 | 2024-01-19 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025153074A1 true WO2025153074A1 (en) | 2025-07-24 |
Family
ID=96399266
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2025/073066 Pending WO2025153074A1 (en) | 2024-01-19 | 2025-01-17 | Secure communication method and apparatus, and communication system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN120358501A (en) |
| WO (1) | WO2025153074A1 (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110830993A (en) * | 2018-08-10 | 2020-02-21 | 华为技术有限公司 | Data processing method and device |
| CN111641582A (en) * | 2019-03-01 | 2020-09-08 | 华为技术有限公司 | A safety protection method and device |
| CN113271558A (en) * | 2021-05-08 | 2021-08-17 | 东方红卫星移动通信有限公司 | Internet of things information transmission method, terminal and system in low-orbit satellite Internet of things |
| CN115868188A (en) * | 2021-07-19 | 2023-03-28 | 北京小米移动软件有限公司 | Method, device, communication equipment and storage medium for transmitting certificate |
| CN116830627A (en) * | 2023-04-07 | 2023-09-29 | 北京小米移动软件有限公司 | Communication method, device, equipment and storage medium |
- 2024-01-19: CN application CN202410083047.2A, publication CN120358501A, pending
- 2025-01-17: WO application PCT/CN2025/073066, publication WO2025153074A1, pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN120358501A (en) | 2025-07-22 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 25741636; Country of ref document: EP; Kind code of ref document: A1 |