
WO2025167843A1 - Communication method and apparatus - Google Patents

Communication method and apparatus

Info

Publication number
WO2025167843A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
security algorithm
key length
security
supported
Prior art date
Legal status
Pending
Application number
PCT/CN2025/075515
Other languages
French (fr)
Chinese (zh)
Inventor
郭燕飞
吴义壮
郭龙华
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2025167843A1
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • the embodiments of the present application relate to the field of wireless communications, and in particular to a communication method and apparatus.
  • symmetric security algorithms are commonly used to protect data transmitted between terminal devices and the network. These algorithms use a 128-bit key length (collectively, these algorithms are referred to as 128-bit algorithms).
  • 128-bit algorithms face the risk of being cracked by quantum computers. Therefore, industry experts recommend upgrading symmetric security algorithms from 128-bit to 256-bit, that is, protecting data with a symmetric security algorithm whose key length is 256 bits.
  • the present application provides a communication method and apparatus for achieving the security of a communication system in a scenario where the communication system needs to support both 128-bit algorithms and 256-bit algorithms.
  • the present application provides a communication method that can be performed by a first communication device, which can serve as a master node of a terminal device in dual connectivity (DC) mode.
  • the first communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • for ease of description, the following description uses execution by the master node as an example.
  • the method includes: a primary node determining a secondary node based on a key length of a security algorithm supported by the primary node and a key length of a security algorithm supported by a candidate node, or the primary node determining a secondary node based on a key length of a first security algorithm and a key length of a security algorithm supported by the candidate node, wherein the first security algorithm is a security algorithm used to protect data transmitted between the primary node and a terminal device.
  • the candidate node includes the secondary node.
  • the primary node sends a node request to the secondary node, wherein the node request is used to request the addition of the secondary node.
  • when the primary node selects a secondary node from the candidate nodes, it considers the key length of the first security algorithm (or the key length of the security algorithm supported by the primary node) together with the key length of the security algorithm supported by each candidate node, and then requests the addition of the selected secondary node. This makes the selection of the secondary node more reasonable and makes it easier for the secondary node to subsequently select a suitable security algorithm.
  • the selected secondary node can meet the following conditions: the main node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the main node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, so as to meet the requirements of secure communication.
  • the secondary node selected according to the solution of the present application can make the key lengths of the security algorithms selected by the main node and the secondary node the same.
  • in the scenario where the terminal device uses a data redundant transmission service (such as ultra reliable and low latency communications (URLLC)) in dual connectivity mode:
  • the terminal device's two redundant protocol data unit (PDU) sessions are used to transmit service data.
  • the data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms.
  • the key lengths of the two security algorithms are the same, which meets the security assumption of data redundant transmission.
  • the key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm.
  • the maximum key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm.
  • the key length of the security algorithm supported by the secondary node is not less than the maximum key length of the security algorithm supported by the primary node.
  • the maximum key length of the security algorithm supported by the secondary node is not less than the maximum key length of the security algorithm supported by the primary node.
  • the key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm or the key length of the security algorithm supported by the primary node, so that the secondary node is able to select an appropriate security algorithm to protect the data transmitted between the secondary node and the terminal device. In other words, this avoids a secondary node being chosen arbitrarily by the primary node and then being unable to select an appropriate security algorithm. For example, if the primary node selects a 256-bit algorithm to protect the data transmitted between the primary node and the terminal device, and the secondary node does not support the 256-bit algorithm but only the 128-bit algorithm, the secondary node cannot select a 256-bit algorithm and the security requirements are not met.
  • the node request includes information about the key length of the first security algorithm. Specifically, the information about the key length of the first security algorithm is used to determine the security algorithm for data transmitted between the secondary node and the terminal device.
  • the secondary node can obtain information about the key length of the first security algorithm from the node request and select a security algorithm based on this information.
  • the primary and secondary nodes can each select an appropriate security algorithm and, based on their respective selected security algorithms, protect data transmitted between them and the terminal device, thereby achieving security for the communication system. For example, if the security algorithms selected by the primary and secondary nodes each have the same key length, this meets the security assumptions of data redundancy transmission in scenarios where the terminal device uses data redundancy transmission services.
  • when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm.
  • the preset key length is, for example, 256 bits.
  • a triggering condition is provided where the node request includes information about the key length of the first security algorithm, namely, the key length of the first security algorithm is a preset key length. It will be appreciated that when the key length of the first security algorithm is less than the preset key length, it is not necessary to include the key length information of the first security algorithm in the node request, thereby reducing the number of bits occupied during signaling exchanges.
  • the master node is preconfigured with information about the key length of the security algorithm supported by the candidate node; or the master node obtains information about the key length of the security algorithm supported by the candidate node from the candidate node.
  • the information on the key length of the security algorithm supported by the alternative node can be an identifier of multiple key lengths of multiple security algorithms supported by the alternative node, or an identifier of the maximum key length among multiple key lengths supported by the alternative node, or an indication of whether the alternative node supports a preset key length, and the preset key length can be 256 bits.
  • a method is provided for the master node to obtain information about the key length of the security algorithm supported by the candidate node, so that the master node can select a secondary node from the candidate node based on the key length of the security algorithm supported by the candidate node.
  • upon determining that a redundancy condition is met, the primary node determines a secondary node based on the key length of the first security algorithm and the key length of the security algorithm supported by the candidate node; or, the primary node determines the secondary node based on the key length of the security algorithm supported by the primary node and the key length of the security algorithm supported by the candidate node.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a data redundancy transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.
  • a trigger condition is provided for the primary node to consider the key length of the first security algorithm (or the key length of the security algorithm supported by the primary node) and the key length of the security algorithm supported by the candidate node when determining the secondary node. That is, the above method is executed only when the redundancy condition is determined to be met, which avoids unnecessary actions by the primary node.
  • the present application provides a communication method that can be performed by a first communication device, which can serve as a master node of a terminal device in dual connectivity mode.
  • the first communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • for ease of description, the following description uses execution by the master node as an example.
  • the method includes: a primary node obtaining information about security algorithms supported by a secondary node.
  • the primary node determines a first security algorithm based on the information about the security algorithms supported by the secondary node.
  • the first security algorithm is a security algorithm used to protect data transmitted between the primary node and a terminal device.
  • the primary node may first select a secondary node from candidate nodes, and then obtain information about the security algorithms supported by the secondary node.
  • when determining the first security algorithm, the master node considers information about the security algorithms supported by the secondary node. In this way, the master node and the secondary node can each determine an appropriate security algorithm, so that the security strength of data transmitted between the master node and the terminal device is consistent with the security strength of data transmitted between the secondary node and the terminal device, thereby meeting the requirements of secure communication. For example, according to the solution of this application, the key length of the first security algorithm selected by the master node and the key length of the security algorithm selected by the secondary node can be made the same.
  • the information about security algorithms supported by the secondary node includes information about key lengths of the security algorithms supported by the secondary node and/or identifiers of the security algorithms supported by the secondary node.
  • the information about key lengths of the security algorithms supported by the secondary node may specifically include identifiers of multiple key lengths supported by the secondary node, or identifiers of the maximum key length supported by the secondary node, or an indication of whether the secondary node supports a preset key length, where the preset key length is, for example, 256 bits.
  • the primary node further sends a node request to the secondary node, requesting the addition of the secondary node.
  • the node request includes information about the key length of the first security algorithm.
  • the key length information of the first security algorithm is used to determine the security algorithm for data transmitted between the secondary node and the terminal device.
  • the key length information of the first security algorithm is used by the secondary node to determine the security algorithm for data transmitted between the secondary node and the terminal device.
  • the secondary node can obtain information about the key length of the first security algorithm from the node request and select a security algorithm based on that information. In this way, the secondary node can select a security algorithm whose key length matches (or is consistent with) the key length of the first security algorithm. When the primary node and the secondary node then protect the data transmitted between themselves and the terminal device based on their respective selected security algorithms, the security of the communication system is achieved. Furthermore, the key length of the security algorithm selected by the secondary node can be the same as the key length of the first security algorithm; in the scenario where the terminal device uses a data redundancy transmission service, this meets the security assumption of data redundancy transmission.
  • when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm.
  • a triggering condition is provided where the node request includes information about the key length of the first security algorithm, namely, the key length of the first security algorithm is a preset key length. It will be appreciated that when the key length of the first security algorithm is less than the preset key length, it is not necessary to include the key length information of the first security algorithm in the node request, thereby reducing the number of bits occupied during signaling exchanges.
  • when the primary node obtains information about security algorithms supported by the secondary node, the primary node may be pre-configured with that information, or the primary node may obtain it from the secondary node.
  • a method is provided for the primary node to obtain information about security algorithms supported by the secondary nodes, so that the primary node can determine the first security algorithm based on the information about security algorithms supported by the secondary nodes.
  • the primary node determines a first security algorithm based on information about security algorithms supported by the secondary node when determining that a redundancy condition is met.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a data redundancy transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.
  • a trigger condition is provided for the master node to consider the information about the security algorithms supported by the secondary node when determining the first security algorithm. That is, the above method is executed only when the redundancy condition is determined to be met, which avoids unnecessary actions by the master node.
  • the security algorithm information includes information about the key length of the security algorithm.
  • the primary node may specifically determine the first security algorithm based on the information about the key length of the security algorithm supported by the secondary node and the information about the security algorithms supported by the primary node.
  • the primary node determines the maximum key length supported by the secondary node based on information about the key length of the security algorithm supported by the secondary node, and determines the first security algorithm based on information about the maximum key length supported by the secondary node and the security algorithm supported by the primary node.
  • when determining the first security algorithm, the primary node considers the key length of the security algorithm supported by the secondary node. This allows the primary and secondary nodes to each determine an appropriate security algorithm, ensuring that the security strength of data transmitted between the primary node and the terminal device matches that of data transmitted between the secondary node and the terminal device, thus meeting the requirements for secure communication. Furthermore, in scenarios where the terminal device uses data redundancy transmission services, the security assumption of data redundancy transmission is met.
  • the security algorithm information includes a security algorithm identifier.
  • the primary node may specifically determine the first security algorithm and the second security algorithm based on the security algorithm identifier supported by the secondary node and the security algorithm information supported by the primary node, where the second security algorithm is a security algorithm used to protect data transmitted between the secondary node and the terminal device. Furthermore, the primary node sends the identifier of the second security algorithm to the secondary node.
  • the master node not only independently determines the first security algorithm but also selects the second security algorithm for the secondary node. This ensures that the security strength of data transmitted between the master node and the terminal device is consistent with the security strength of data transmitted between the secondary node and the terminal device.
  • the master node can ensure that the key length of the first security algorithm is the same as the key length of the second security algorithm, thereby ensuring the security of the communication system. In scenarios where the terminal device uses data redundancy transmission services, this meets the security assumptions of data redundancy transmission.
  • the present application provides a communication method that can be performed by a first communication device, which can serve as a master node of a terminal device in dual connectivity mode.
  • the first communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • for ease of description, the following description uses execution by the master node as an example.
  • the method includes: the master node determines a first security algorithm, wherein the first security algorithm is a security algorithm for protecting data transmitted between the master node and the terminal device.
  • the master node sends a node request to the secondary node; the node request is used to request the addition of the secondary node and includes information on the key length of the first security algorithm.
  • the information on the key length of the first security algorithm may have one or more of the following functions: used by the secondary node to determine whether it supports the key length of the first security algorithm, used by the secondary node to determine the second security algorithm, used by the secondary node to determine whether the key length of the second security algorithm matches the key length of the first security algorithm, or used by the secondary node to determine which type of node response to send to the master node.
  • the second security algorithm is a security algorithm determined by the secondary node to protect data transmitted between the secondary node and the terminal device; the node response is used to indicate either that adding the secondary node failed or that adding the secondary node succeeded.
  • the primary node may also receive a node response from the secondary node, where the node response indicates that adding the secondary node failed. Furthermore, the primary node reselects a secondary node and sends a node request to the reselected secondary node. Optionally, the primary node also receives a node response from the reselected secondary node, where the node response indicates that adding the secondary node was successful.
  • the primary node determines a secondary node that can be successfully added by sending a node request to the secondary node and receiving a node response from the secondary node.
  • the successfully added secondary node can meet the following conditions: the primary node and the secondary node can each determine an appropriate security algorithm, so that the security strength of the data transmitted between the primary node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, thereby meeting the requirements of secure communication.
  • the secondary node added according to the solution of this application can ensure that the key length of the security algorithm selected by the primary node and the secondary node is the same.
  • the two redundant PDU sessions of the terminal device are used to transmit the service data.
  • the data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms.
  • the key lengths of the two security algorithms are the same, which meets the security assumption of data redundant transmission.
  • the primary node sends a node request including information about the key length of the first security algorithm to the secondary node when determining that a redundancy condition is met.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a data redundancy transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.
  • a trigger condition is provided in which the node request includes information on the key length of the first security algorithm. That is, the above method is executed when it is determined that the redundancy condition is met, thereby avoiding unnecessary actions of the master node.
  • when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm.
  • the preset key length is, for example, 256 bits.
  • a further triggering condition for providing the node request with information about the key length of the first security algorithm is that the key length of the first security algorithm is a preset key length. It will be appreciated that when the key length of the first security algorithm is less than the preset key length, it is not necessary to include the key length information of the first security algorithm in the node request, thereby reducing the number of bits occupied during signaling exchanges.
  • the present application provides a communication method that can be performed by a second communication device, which can serve as a secondary node of a terminal device in dual connectivity mode.
  • the second communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • the following description uses the secondary node as an example.
  • the method includes: a secondary node receiving a node request from a primary node, the node request being used to request adding the secondary node, the node request including information about a key length of a first security algorithm, the first security algorithm being a security algorithm used to protect data transmitted between the primary node and a terminal device.
  • the secondary node determining, based on the information about the key length of the first security algorithm, a second security algorithm, the second security algorithm being a security algorithm used to protect data transmitted between the secondary node and the terminal device.
  • the key length of the second security algorithm is the same as the key length of the first security algorithm.
  • the present application provides a communication method that can be performed by a second communication device, which can serve as a secondary node of a terminal device in dual connectivity mode.
  • the second communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • the following description uses the secondary node as an example.
  • the secondary node may further determine whether the secondary node and/or the terminal device supports the second security algorithm. Exemplarily, the secondary node further obtains the security algorithms supported by the terminal device from the node request, and further determines that the security algorithms supported by the terminal device include the second security algorithm.
  • the secondary node may further send a node response to the primary node.
  • the node response is used to indicate that the secondary node is successfully added.
  • the node response does not carry an identifier of the second security algorithm.
  • the present application provides a communication method that can be performed by a second communication device, which can serve as a secondary node of a terminal device in dual connectivity mode.
  • the second communication device can be a wireless access node or a component (such as a chip) in a wireless access node.
  • the following description uses execution by the secondary node as an example.
  • the method includes: the secondary node receives a node request, the node request is used to request to add a secondary node, the node request includes information on the key length of a first security algorithm, and the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • when the secondary node determines that it does not support the key length of the first security algorithm, it sends a node response to the primary node, where the node response is used to indicate that adding the secondary node fails; or
  • the secondary node selects the second security algorithm, and when the key length of the first security algorithm is different from the key length of the second security algorithm, sends a node response to the primary node, where the node response is used to indicate that adding the secondary node has failed; or
  • the secondary node selects the second security algorithm, and when the key length of the first security algorithm is the same as the key length of the second security algorithm, sends a node response to the primary node, where the node response is used to indicate that the secondary node is successfully added; or,
  • the secondary node selects a second security algorithm based on the key length of the first security algorithm and sends a node response to the primary node.
  • the node response is used to indicate that the secondary node is added successfully, wherein the key length of the first security algorithm is the same as the key length of the second security algorithm.
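The selection logic of the primary node (filtering candidates by supported key length, carrying the key length in the node request only when it equals the preset 256 bits, and reselecting after a failed response) and the secondary node's handling of the node request described just above, modelled together in one added Python example. This is illustrative code written for this page, not the patent's or any vendor's implementation; the node names, algorithm identifiers, message fields and the use of a dictionary for the redundancy conditions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the primary/secondary node procedure described above.
# Node names, algorithm identifiers and message field names are assumptions.

PRESET_KEY_LENGTH = 256  # the "preset key length" the text gives as 256 bits


@dataclass(frozen=True)
class Algorithm:
    ident: str       # constructed identifier, e.g. "ALG256-A"
    key_length: int  # key length in bits (128 or 256)


@dataclass
class Node:
    name: str
    algorithms: tuple  # security algorithms this node supports

    def max_key_length(self) -> int:
        return max(a.key_length for a in self.algorithms)

    def supports_key_length(self, key_length: int) -> bool:
        return any(a.key_length == key_length for a in self.algorithms)


def redundancy_condition_met(ue_state: dict) -> bool:
    """Conditions 1 to 4 from the text: any one of them triggers the procedure."""
    return any(ue_state.get(k, False) for k in (
        "urllc_service", "redundant_user_plane_path",
        "redundant_pdu_session", "redundant_transmission"))


def select_candidates(first_alg: Algorithm, candidates: list) -> list:
    """Primary-node selection: keep the candidates whose maximum supported key
    length is not less than the key length of the first security algorithm."""
    return [c for c in candidates if c.max_key_length() >= first_alg.key_length]


def build_node_request(first_alg: Algorithm, ue_algorithms: tuple,
                       redundancy: bool) -> dict:
    """The key length is carried only when the redundancy condition holds and the
    key length equals the preset one; a shorter key length is left out."""
    request = {"ue_algorithms": ue_algorithms}
    if redundancy and first_alg.key_length == PRESET_KEY_LENGTH:
        request["first_key_length"] = first_alg.key_length
    return request


def handle_node_request(secondary: Node, request: dict) -> dict:
    """Secondary-node side: refuse if the requested key length is unsupported,
    otherwise pick a second algorithm of that key length that the UE also
    supports. Without the field the secondary is unconstrained (assumption)."""
    wanted = request.get("first_key_length")
    if wanted is not None and not secondary.supports_key_length(wanted):
        return {"result": "failure", "reason": "key length not supported"}
    ue_idents = {a.ident for a in request["ue_algorithms"]}
    for alg in secondary.algorithms:
        if (wanted is None or alg.key_length == wanted) and alg.ident in ue_idents:
            # A success response carries no algorithm identifier, as the text states.
            return {"result": "success"}
    return {"result": "failure", "reason": "no matching algorithm"}


def add_secondary(first_alg: Algorithm, candidates: list, ue_algorithms: tuple,
                  ue_state: dict) -> Optional[str]:
    """Whole exchange: filter (only when the redundancy condition is met), send the
    node request, reselect on a failure response. Returns the added node's name."""
    redundancy = redundancy_condition_met(ue_state)
    pool = select_candidates(first_alg, candidates) if redundancy else list(candidates)
    request = build_node_request(first_alg, ue_algorithms, redundancy)
    for node in pool:
        if handle_node_request(node, request)["result"] == "success":
            return node.name
    return None


# Constructed sample data: one 128-bit and two 256-bit algorithms, three candidates.
ALG128_A = Algorithm("ALG128-A", 128)
ALG256_A = Algorithm("ALG256-A", 256)
ALG256_B = Algorithm("ALG256-B", 256)
CANDIDATES = [
    Node("cand-legacy", (ALG128_A,)),                 # 128-bit only
    Node("cand-256-other", (ALG128_A, ALG256_B)),     # 256-bit, but not the UE's
    Node("cand-256-match", (ALG128_A, ALG256_A)),     # 256-bit shared with the UE
]
UE_ALGORITHMS = (ALG128_A, ALG256_A)
UE_URLLC = {"urllc_service": True}

if __name__ == "__main__":
    print(add_secondary(ALG256_A, CANDIDATES, UE_ALGORITHMS, UE_URLLC))
    print(add_secondary(ALG128_A, CANDIDATES, UE_ALGORITHMS, UE_URLLC))
```

With a 256-bit first algorithm and the URLLC condition set, the 128-bit-only candidate is filtered out and the first 256-bit candidate answers with a failure response because its 256-bit algorithm is not one the UE supports, so the primary reselects and adds the third candidate.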
  • an embodiment of the present application provides a communication device, which has the function of implementing the first aspect or any possible implementation of the first aspect, or the function of the first communication device in the second aspect or any possible implementation of the second aspect, or the function of the first communication device in the third aspect or any possible implementation of the third aspect, or the function of the second communication device in the fourth aspect or any possible implementation of the fourth aspect, or the function of the second communication device in the fifth aspect or any possible implementation of the fifth aspect, or the function of the second communication device in the sixth aspect or any possible implementation of the sixth aspect.
  • the first communication device may serve as a primary node for a terminal device in dual connectivity mode.
  • the first communication device may be a wireless access node or a component (such as a chip) in a wireless access node.
  • the second communication device may serve as a secondary node for a terminal device in dual connectivity mode.
  • the second communication device may be a wireless access node or a component (such as a chip) in a wireless access node.
  • the functions of the above-mentioned communication device can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules, units or means corresponding to the above-mentioned functions.
  • the structure of the device includes a processing module and a transceiver module.
  • the processing module is configured to support the device to implement the method of the first communication device in the above-mentioned first aspect or any possible implementation of the first aspect, or the method of the first communication device in the above-mentioned second aspect or any possible implementation of the second aspect, or the method of the first communication device in the above-mentioned third aspect or any possible implementation of the third aspect, or the method of the second communication device in the above-mentioned fourth aspect or any possible implementation of the fourth aspect, or the method of the second communication device in the above-mentioned fifth aspect or any possible implementation of the fifth aspect, or the method of the second communication device in the above-mentioned sixth aspect or any possible implementation of the sixth aspect.
  • the device structure includes a processor and may also include a memory.
  • the processor is coupled to the memory and is configured to execute computer program instructions stored in the memory to cause the device to implement the method of the first communication device described in the first aspect or any possible implementation of the first aspect, or the method of the first communication device described in the second aspect or any possible implementation of the second aspect, or the method of the first communication device described in the third aspect or any possible implementation of the third aspect, or the method of the second communication device described in the fourth aspect or any possible implementation of the fourth aspect, or the method of the second communication device described in the fifth aspect or any possible implementation of the fifth aspect, or the method of the second communication device described in the sixth aspect or any possible implementation of the sixth aspect.
  • the device also includes a communication interface, and the processor is coupled to the communication interface.
  • the communication interface may be a transceiver or an input/output interface; when the device is a chip included in the wireless access node, the communication interface may be the chip's input/output interface.
  • the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
  • an embodiment of the present application provides a chip system, including:
  • a processor and a memory; the processor is coupled to the memory, the memory is used to store programs or instructions, and when the programs or instructions are executed by the processor, the chip system implements the method of the first communication device in the above-mentioned first aspect or any possible implementation of the first aspect, or the method of the first communication device in the above-mentioned second aspect or any possible implementation of the second aspect, or the method of the first communication device in the above-mentioned third aspect or any possible implementation of the third aspect, or the method of the second communication device in the above-mentioned fourth aspect or any possible implementation of the fourth aspect, or the method of the second communication device in the above-mentioned fifth aspect or any possible implementation of the fifth aspect, or the method of the second communication device in the above-mentioned sixth aspect or any possible implementation of the sixth aspect.
  • the chip system further includes an interface circuit for transmitting interactive code instructions to the processor.
  • the chip system may include one or more memories.
  • the memory may be integrated with the processor or provided separately from the processor.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or provided on separate chips.
  • the present application provides a computer-readable storage medium, which stores a computer program or instruction.
  • when the computer program or instruction is executed by a communication device, the communication device implements the method of the first communication device in the above-mentioned first aspect or any possible implementation of the first aspect, or the method of the first communication device in the above-mentioned second aspect or any possible implementation of the second aspect, or the method of the first communication device in the above-mentioned third aspect or any possible implementation of the third aspect, or the method of the second communication device in the above-mentioned fourth aspect or any possible implementation of the fourth aspect, or the method of the second communication device in the above-mentioned fifth aspect or any possible implementation of the fifth aspect, or the method of the second communication device in the above-mentioned sixth aspect or any possible implementation of the sixth aspect.
  • the present application provides a computer program product, which includes a computer program or instructions.
  • when the computer program or instructions are executed by a communication device, the communication device implements the method of the first communication device in the above-mentioned first aspect or any possible implementation of the first aspect, or the method of the first communication device in the above-mentioned second aspect or any possible implementation of the second aspect, or the method of the first communication device in the above-mentioned third aspect or any possible implementation of the third aspect, or the method of the second communication device in the above-mentioned fourth aspect or any possible implementation of the fourth aspect, or the method of the second communication device in the above-mentioned fifth aspect or any possible implementation of the fifth aspect, or the method of the second communication device in the above-mentioned sixth aspect or any possible implementation of the sixth aspect.
  • an embodiment of the present application provides a communication system, the communication system comprising:
  • the first communication device in the second aspect or any possible implementation of the second aspect and the second communication device in the fourth aspect or any possible implementation of the fourth aspect; or
  • the first communication device in the second aspect or any possible implementation of the second aspect and the second communication device in the fifth aspect or any possible implementation of the fifth aspect; or
  • the first communication device in the third aspect or any possible implementation of the third aspect and the second communication device in the sixth aspect or any possible implementation of the sixth aspect.
  • FIG2 is a schematic diagram of a key derivation architecture in a 5G system.
  • FIG3 is a schematic diagram of a user plane path of a URLLC service.
  • FIG4 is a flow chart of the first communication method provided by this application.
  • FIG5 is a flow chart of a second communication method provided in this application.
  • FIG6 is a flow chart of a third communication method provided by the present application.
  • FIG7 is a flow chart of a fourth communication method provided by the present application.
  • FIG8 is a schematic flow chart of a fifth communication method provided in this application.
  • FIG9 is a schematic flow chart of a first method for determining a secondary node in the fifth communication method provided by this application.
  • FIG11 is a schematic flow chart of a third method for determining a secondary node in the fifth communication method provided by this application.
  • FIG12 is a schematic diagram of a process for a master node to determine whether a redundancy condition is satisfied, provided by the present application.
  • FIG13 is a schematic structural diagram of a communication device provided by the present application.
  • FIG14 is a schematic structural diagram of another communication device provided in this application.
  • Figure 1 shows a schematic diagram of a 5G network architecture.
  • the 5G network architecture shown in Figure 1 can be divided into three parts: the terminal device part, the data network (DN), and the operator network part. The following briefly describes the functions of some of these network elements.
  • the operator network may include one or more of the following network elements (or equipment, functions, nodes): radio access node (RAN), authentication server function (AUSF), network exposure function (NEF), policy control function (PCF), unified data management (UDM), unified data repository (UDR), network repository function (NRF), access and mobility management function (AMF), session management function (SMF), user plane function (UPF), application function (AF), etc.
  • a terminal device, also known as user equipment (UE), is a device with wireless transceiver capabilities. It can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (such as on ships); or in the air (such as on airplanes, balloons, and satellites). Terminal devices can be mobile phones, tablets, computers with wireless transceiver capabilities, virtual reality (VR) terminals, augmented reality (AR) terminals, wireless terminals used in industrial control, wireless terminals used in self-driving, wireless terminals used in remote medicine, wireless terminals used in smart grids, wireless terminals used in transportation safety, wireless terminals used in smart cities, and wireless terminals used in smart homes.
  • the above-mentioned terminal device can establish a connection with the operator network through the interface provided by the operator network (such as N1, etc.), and use the data and/or voice services provided by the operator network.
  • the terminal device can also access the DN through the operator network, use the operator services deployed on the DN, and/or services provided by a third party.
  • the above-mentioned third party may be a service provider other than the operator network and the terminal device, and can provide data and/or voice services to the terminal device.
  • the specific form of the above-mentioned third party can be determined according to the actual application scenario and is not limited here.
  • a wireless access node provides network access for authorized terminal devices in a specific area and can utilize transmission tunnels with varying qualities of service (QoS) based on the terminal device's level and service requirements.
  • a wireless access node manages wireless resources, provides access services to terminal devices, and forwards control signals and data between the terminal device and the core network.
  • a wireless access node can also be understood as a base station in a traditional network.
  • a wireless access node can be any communication device with wireless transceiver capabilities used to communicate with terminal devices.
  • Such a wireless access node includes, but is not limited to, an evolved Node B (eNB), a gNB in a 5G system, a transmission point (TRP or TP), or one or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system. It can also be a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU). It can also be a pole site, micro base station, macro base station, integrated access and backhaul (IAB) node, etc.
  • the core network part includes user plane functions and control plane functions.
  • User plane functions include the UPF. As the interface with the data network, the UPF performs functions such as user plane data forwarding (such as packet data), quality of service (QoS) control, session/flow-level billing and statistics, and bandwidth limiting.
  • the control plane functions mainly carry out user registration and authentication, mobility management, and delivery of data packet forwarding policies and QoS control policies to the user plane functions.
  • the control plane functions can be further refined to include other network elements besides the UPF, such as the AMF and SMF.
  • the AMF primarily handles user registration, location management, and access authentication/authorization during user mobility. It is also responsible for communicating user policies between terminal devices and the PCF.
  • SMF is mainly responsible for establishing corresponding session connections when users initiate services and providing specific services to users, such as sending data packet forwarding strategies and QoS strategies to UPF based on the NG4 interface between SMF and UPF.
  • AUSF is mainly responsible for authenticating users and determining the legitimacy of terminal devices to determine whether the terminal devices are allowed to access the network.
  • UDM is mainly responsible for storing the contract data of terminal devices, user access authorization and other functions.
  • UDR is mainly responsible for the storage and access of contract data, policy data, application data and other types of data.
  • PCF is mainly responsible for issuing business-related policies to AMF or SMF.
  • NEF is mainly used to support the opening of capabilities and events.
  • the AF primarily communicates application-side requirements for the network to the PCF, enabling the PCF to generate corresponding policies.
  • the AF can be a third-party functional entity or an application service deployed by an operator, such as the Internet Protocol (IP) Multimedia Subsystem (IMS) voice call service.
  • NRF can be used to provide network element discovery capabilities, providing network element information corresponding to the network element type based on requests from other network elements. NRF also provides network element management services such as network element registration, update, and deregistration, as well as network element status subscription and push.
  • a DN is a network located outside of a carrier network.
  • a carrier network can connect to multiple DNs, and a variety of services can be deployed on the DN, providing data and/or voice services to terminal devices.
  • For example, a DN may be the private network of a smart factory.
  • Sensors installed in the workshop can be terminal devices, and the DN contains a control server for the sensors, which can provide services to the sensors.
  • the sensors can communicate with the control server, receive instructions from the control server, and transmit collected sensor data to the control server according to the instructions.
  • Another example is a DN that is a company's internal office network.
  • An employee's mobile phone or computer can be a terminal device, allowing them to access information and data resources on the company's internal office network.
  • Nnssf, Nausf, Nnef, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface sequence numbers. The meanings of these interface sequence numbers are defined in the 3rd Generation Partnership Project (3GPP) protocol and are not limited here.
  • the above-mentioned network element can be a network component in a hardware device, a software function running on dedicated hardware, or a virtualized function instantiated on a platform (e.g., a cloud platform).
  • the above-mentioned network element can be implemented by a single device, or by multiple devices, or can be a functional module within a single device, and this embodiment of the present application does not specifically limit this.
  • the network elements involved in the embodiments of the present application may be the AMF, AUSF, UDM, etc. in Figure 1, or they may be network elements having the functions of the above-mentioned AMF, AUSF, UDM, etc. in future communications such as the sixth generation (6G) network, and the embodiments of the present application are not limited to this.
  • Security algorithms, also known as cryptographic algorithms, are the security foundation of communication systems and are widely used in mobile communication network systems.
  • Security algorithms are generally divided into symmetric security algorithms and asymmetric security algorithms.
  • symmetric security algorithms may include symmetric encryption algorithms, hash algorithms, integrity protection algorithms (such as message authentication code (MAC) and hash-based message authentication code (hash MAC, HMAC)), etc.
  • Asymmetric security algorithms may include asymmetric encryption algorithms, digital signature algorithms, key exchange algorithms, etc.
  • asymmetric security algorithms are mainly used for identity authentication, key negotiation, and key establishment of two or more interacting parties in the early stages of system establishment. After the key is established, the two or more interacting parties can use the symmetric security algorithm to securely protect the information exchanged between the two or more parties based on the established key.
  • symmetric security algorithms used for signaling and data protection between terminal devices and networks include the Advanced Encryption Standard (AES), SNOW3G, and the Zu Chongzhi algorithm (ZUC). These symmetric security algorithms currently use a 128-bit key length (collectively referred to as 128-bit algorithms).
  • 128-bit algorithms are at risk of being cracked by quantum computers.
  • Grover's algorithm can reduce the difficulty of brute-force cracking from N attempts to N^(1/2) attempts, thus reducing the security of 128-bit encryption (a 128-bit key space) to 64 bits.
  • industry cryptography experts recommend upgrading symmetric security algorithms from 128-bit to 256-bit algorithms. In other words, using symmetric security algorithms with a 256-bit key length to protect data.
  • the key derivation architecture in the 5G system is shown in Figure 2.
  • the universal subscriber identity module (USIM) card and UDM (or authentication credential repository and processing function, ARPF) side of the terminal device store the long-term key K of the terminal device.
  • the terminal device derives the CK and IK based on the terminal device's long-term key K.
  • the AUSF key (K_AUSF) and SEAF key (K_SEAF) are then derived from the concatenation of the CK and IK.
  • the terminal device then derives the AMF key (K_AMF) from the SEAF key.
  • the terminal device further derives the non-access stratum (NAS) key (K_NAS) and gNB key (K_gNB) based on the AMF key.
  • the gNB key is used by the terminal device to generate access stratum (AS) keys.
  • the AS keys include the radio resource control (RRC) key (K_RRC) and the user plane (UP) key (K_UP).
  • the UDM derives the AUSF key based on the concatenation of the CK and the IK and provides it to the AUSF.
  • the AUSF derives the SEAF key based on the AUSF key and provides it to the SEAF.
  • the SEAF derives the AMF key based on the SEAF key and provides it to the AMF.
  • the AMF derives the NAS key, the non-3GPP interworking function (N3IWF) key, and the gNB key based on the AMF key.
  • the AMF provides the N3IWF key to the N3IWF.
  • the N3IWF key is used to protect subsequent non-3GPP access data traffic.
  • the AMF also provides the gNB key and next hop (NH) parameters to the gNB.
  • the gNB generates RRC keys and user plane keys based on the gNB key and NH parameters.
  • RRC keys include an RRC encryption key (K_RRCenc) and an RRC integrity protection key (K_RRCint).
  • User plane keys include a user plane encryption key (K_UPenc) and a user plane integrity protection key (K_UPint).
  • the user plane encryption key is used by the terminal device and gNB to encrypt and protect the user data.
  • the user plane integrity protection key is used by the terminal device and gNB to protect the integrity of the user data.
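The key chain just described, walked in code as an added example (this is not code from the application, and the application defines no such code). The KDF shape, HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., follows the general 3GPP TS 33.220 construction; the FC values, the algorithm type distinguishers, the serving network name, the SUPI and the CK/IK values are assumptions constructed for this illustration, not normative values. The point to notice is the last step: the KDF always yields 256 bits, and a 128-bit algorithm keeps only the least significant 128 bits, which is the 128-bit versus 256-bit key length distinction the rest of the text turns on.

```python
"""Simplified walk through the 5G key hierarchy CK||IK -> K_AUSF -> K_SEAF -> K_AMF -> K_gNB -> AS keys.

Added illustration; FC values, distinguishers and sample inputs are assumptions.
"""
import hashlib
import hmac

# Constructed sample inputs (not real subscriber material).
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))
SERVING_NETWORK = b"5G:mnc000.mcc000.3gppnetwork.org"   # assumed format
SUPI = b"imsi-000000000000000"                           # constructed value


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF: S = FC || (P_i || L_i)..., where L_i is the 2-octet length of P_i."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_hierarchy(ck: bytes, ik: bytes, serving_network: bytes, supi: bytes,
                     uplink_nas_count: int) -> dict:
    """CK||IK -> K_AUSF -> K_SEAF -> K_AMF -> K_gNB / K_N3IWF (FC values are assumed)."""
    k = {}
    k["K_AUSF"] = kdf(ck + ik, 0x6A, serving_network)        # derived on UDM/ARPF side and UE side
    k["K_SEAF"] = kdf(k["K_AUSF"], 0x6C, serving_network)    # AUSF derives and provides to SEAF
    k["K_AMF"] = kdf(k["K_SEAF"], 0x6D, supi)                # SEAF derives and provides to AMF
    count = uplink_nas_count.to_bytes(4, "big")
    k["K_gNB"] = kdf(k["K_AMF"], 0x6E, count, b"\x01")       # 3GPP access type distinguisher (assumed)
    k["K_N3IWF"] = kdf(k["K_AMF"], 0x6E, count, b"\x02")     # non-3GPP access (assumed)
    return k


# Algorithm type distinguishers for the per-algorithm keys (assumed values).
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02,
            "RRC-enc": 0x03, "RRC-int": 0x04,
            "UP-enc": 0x05, "UP-int": 0x06}


def derive_algorithm_key(parent: bytes, alg_type: str, alg_id: int,
                         key_length_bits: int) -> bytes:
    """Derive one algorithm key (K_NASenc, K_RRCint, K_UPenc, ...) from K_AMF or K_gNB.

    The KDF output is 256 bits; a 128-bit algorithm uses the least significant
    128 bits of it, so the negotiated key length decides how much of the
    derived material actually protects traffic.
    """
    if key_length_bits not in (128, 256):
        raise ValueError("key length must be 128 or 256 bits")
    full = kdf(parent, 0x69, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return full[-(key_length_bits // 8):]


def derive_as_keys(k_gnb: bytes, enc_alg_id: int, int_alg_id: int,
                   key_length_bits: int) -> dict:
    """RRC and user plane keys that both the gNB and the terminal device compute from K_gNB."""
    return {
        "K_RRCenc": derive_algorithm_key(k_gnb, "RRC-enc", enc_alg_id, key_length_bits),
        "K_RRCint": derive_algorithm_key(k_gnb, "RRC-int", int_alg_id, key_length_bits),
        "K_UPenc": derive_algorithm_key(k_gnb, "UP-enc", enc_alg_id, key_length_bits),
        "K_UPint": derive_algorithm_key(k_gnb, "UP-int", int_alg_id, key_length_bits),
    }


if __name__ == "__main__":
    hierarchy = derive_hierarchy(SAMPLE_CK, SAMPLE_IK, SERVING_NETWORK, SUPI, 0)
    as_keys = derive_as_keys(hierarchy["K_gNB"], enc_alg_id=2, int_alg_id=2, key_length_bits=256)
    for name, value in {**hierarchy, **as_keys}.items():
        print(f"{name:10s} {len(value) * 8:3d} bits {value.hex()}")
```

Running the script prints every key in the chain with its length; swapping `key_length_bits=256` for `128` shows the AS keys shrink to the trailing 16 bytes of the same derived material.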
  • the security capabilities of a terminal device include the security algorithms supported by the terminal device.
  • the security algorithms supported by the terminal device are used in the algorithm negotiation of the mobile communication network: the terminal device reports the security algorithms supported by the terminal device to the network side, and the network side selects a security algorithm supported by both the network side and the terminal device and with a higher priority based on the priority of the local security algorithm and the security algorithms supported by the terminal device.
  • the AMF on the network side determines the NAS security algorithm to protect the NAS messages between the terminal device and the AMF;
  • the wireless access node on the network side determines the AS security algorithm to protect the AS messages between the terminal device and the wireless access node.
  • the key length of the security algorithm supported by the terminal device can be 128 bits, and in future communications, it may support security algorithms with a key length of 256 bits or even 512 bits.
  • Dual connectivity is an operating mode for a terminal device in the RRC connected state.
  • the terminal device is simultaneously connected to two different radio access nodes.
  • These two radio access nodes can be of the same or different communication standards.
  • the radio access node whose control plane is connected to the core network is called the master node (MN), while the radio access node whose control plane is not connected to the core network is called the secondary node (SN), which is also called a slave node.
  • the advantages of dual connectivity are: (1) The wireless resources provided by a single wireless access node are relatively limited. If a terminal device can connect to two wireless access nodes at the same time, it can utilize the wireless resources of both wireless access nodes, effectively improving throughput. (2) There may be wireless access nodes of different communication standards in the network (such as a 4G wireless access node and a 5G wireless access node). If a terminal device can connect to two wireless access nodes of different communication standards, it can flexibly adapt to the networking environment.
  • the primary node can obtain the security algorithms supported by the terminal device and, based on the security algorithms supported by the terminal device, the security algorithms supported by the primary node, and the priority of the security algorithms supported by the primary node, select a security algorithm (denoted as security algorithm A) and send the identifier of security algorithm A to the terminal device. Furthermore, the primary node can also send the security algorithms supported by the terminal device to the secondary node. Correspondingly, the secondary node selects a security algorithm (denoted as security algorithm B) based on the security algorithms supported by the terminal device, the security algorithms supported by the secondary node, and the priority of the security algorithms supported by the secondary node.
  • the secondary node sends the identifier of security algorithm B to the primary node, which then sends the identifier of security algorithm B to the terminal device.
  • the terminal device can establish two protocol data unit (PDU) sessions on the 5G network.
  • the user plane paths corresponding to these two PDU sessions are separated.
  • Figure 3 shows a schematic diagram of the user plane path for a URLLC service.
  • the user plane corresponding to one PDU session passes through the primary node and UPF1, while the user plane corresponding to the other PDU session passes through the secondary node and UPF2.
  • UPF1 and UPF2 are connected to the same DN.
  • the data transmitted in these two PDU sessions meets the security assumption of data redundancy transmission, that is, the transmitted data is identical and the key length of the security algorithm used for data transmission is the same.
  • the primary node may choose to use a security algorithm with a key length of 256 bits (i.e., a 256-bit algorithm) to transmit data with the terminal device, while the secondary node may choose to use a security algorithm with a key length of 128 bits (i.e., a 128-bit algorithm) to transmit data with the terminal device, which results in the key lengths of the security algorithms corresponding to the two sessions being different, which does not meet the security assumptions of data redundancy transmission (such as URLLC) services in the dual-connection mode.
  • this application provides five communication methods for achieving communication system security in scenarios where the communication system needs to support both 128-bit and 256-bit algorithms. Furthermore, when a terminal device uses the data redundancy transmission service in dual-connection mode, the key lengths of the security algorithms corresponding to the two PDU sessions of the terminal device are the same, meeting the security assumption of data redundancy transmission.
  • the five communication methods can all be executed by the first communication device and the second communication device.
  • the first communication device and the second communication device may serve as the primary node and secondary node, respectively, of a terminal device in dual-connectivity mode.
  • the first communication device may be a wireless access node or a component (e.g., a chip) within a wireless access node
  • the second communication device may be a wireless access node or a component (e.g., a chip) within a wireless access node.
  • the following descriptions use the terms primary node and secondary node.
  • a security algorithm may also be referred to as a cryptographic algorithm, a security protection algorithm, a protection algorithm, etc.
  • the security algorithm may be a symmetric cryptographic algorithm.
  • the security algorithm may be an integrity protection algorithm, or an encryption algorithm, or the security algorithm may include an integrity protection algorithm and an encryption algorithm, or the security algorithm may be an authenticated encryption with associated data (AEAD) algorithm, which corresponds to an AEAD mode, that is, when a primary node (or secondary node) and a terminal device transmit data, the AEAD algorithm is used for both integrity protection and encryption protection of the data.
  • AEAD authenticated encryption with associated data
  • the key length of a security algorithm can be used to indicate the protection strength of the security algorithm for data, wherein the longer the key length of the security algorithm, the stronger the protection strength of the security algorithm for data. For example, if the key length of security algorithm 1 is 256 bits and the key length of security algorithm 2 is 128 bits, then the protection strength of security algorithm 1 for data is higher (or stronger) than the protection strength of security algorithm 2 for data.
  • the key length of a security algorithm can also be used to indicate the algorithm strength of a security algorithm, wherein the longer the key length of a security algorithm, the stronger the algorithm strength of the security algorithm.
  • the algorithm strength of security algorithm 1 is higher (or stronger) than the algorithm strength of security algorithm 2.
  • the key length of a security algorithm can be referred to as the protection strength of a security algorithm or the algorithm strength of a security algorithm.
  • the key length of a security algorithm can be, for example, 512 bits, 256 bits, or 128 bits.
  • Security algorithms can also be classified according to their key length, i.e., security algorithms corresponding to a 512-bit key length are classified into one category, security algorithms corresponding to a 256-bit key length are classified into another category, and security algorithms corresponding to a 128-bit key length are classified into another category.
  • the key length of a security algorithm can also be referred to as the category or classification of the security algorithm.
  • the key length of a security algorithm can also be referred to as the key length used by the security algorithm, the key length input to the security algorithm, or the key length corresponding to (or associated with) the security algorithm.
  • a primary node selects a secondary node that supports a first security algorithm key length based on the key length of the first security algorithm, and then requests to add the secondary node.
  • the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • the secondary node determines a second security algorithm used to protect data transmitted between the secondary node and the terminal device.
  • the primary node selects a secondary node based on a security algorithm supported by the primary node and then requests to add the secondary node.
  • the key length of the security algorithm supported by the secondary node must be no less than the maximum key length of the security algorithm supported by the primary node.
  • the secondary node determines a second security algorithm for protecting data transmitted between the secondary node and the terminal device.
  • the primary node first identifies a secondary node and, based on information about security algorithms supported by the secondary node, determines a first security algorithm for protecting data transmitted between the primary node and the terminal device.
  • the information about security algorithms supported by the secondary node includes information about key lengths and/or identifiers of security algorithms supported by the secondary node.
  • the primary node requests that the secondary node be added.
  • the secondary node determines a second security algorithm for protecting data transmitted between the secondary node and the terminal device.
  • the primary node first identifies the secondary node and, based on the security algorithm information supported by the secondary node, determines a first security algorithm and a second security algorithm.
  • the first security algorithm is used to protect data transmitted between the primary node and the terminal device
  • the second security algorithm is used to protect data transmitted between the secondary node and the terminal device.
  • the information about the security algorithms supported by the secondary node includes the identifiers of the security algorithms supported by the secondary node (or the identifiers of the security algorithms supported by the secondary node and the key lengths of the security algorithms supported by the secondary node).
  • the primary node then requests to add the secondary node and sends the identifier of the second security algorithm to the secondary node.
  • the master node first determines the first security algorithm, which is used to protect data transmitted between the master node and the terminal device.
  • the master node selects a secondary node (denoted as secondary node 1) and requests to add secondary node 1.
  • Secondary node 1 may determine that it does not support the use of a security algorithm with the same key length as the first security algorithm and sends an indication to the master node that the addition of secondary node 1 failed.
  • the master node selects a new secondary node (denoted as secondary node 2) and requests to add secondary node 2.
  • Secondary node 2 may determine that it supports the use of a security algorithm with the same length as the first security algorithm and sends an indication to the master node that the addition of secondary node 2 succeeded.
  • FIG4 is a flow chart of the first communication method exemplarily provided in this application.
  • Step 401 The primary node determines a secondary node based on the key length of the first security algorithm and the key length of the security algorithm supported by the candidate node.
  • The secondary node is chosen from among the candidate nodes. When there is only one candidate node, the primary node determines whether that node can serve as the secondary node. When there are multiple candidate nodes, the primary node selects the secondary node from among them. For ease of description, the following uses the latter case as an example.
  • the key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm.
  • the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • the primary node may select as the secondary node a candidate node whose supported security algorithms meet the following condition 1 or condition 2; equivalently, the security algorithms supported by the secondary node meet condition 1 or condition 2.
  • Condition 1: The second key length is not less than the key length of the first security algorithm, where the second key length is the maximum key length of the security algorithms supported by the secondary node. For example, the second key length is equal to the key length of the first security algorithm.
  • In this application, when the key lengths of the security algorithms supported by a node (primary node or secondary node) include key length 1, they also include key length 2, where key length 1 is greater than key length 2. For example, if a node supports a security algorithm with a 256-bit key, it also supports a security algorithm with a 128-bit key.
  • For example, the security algorithms supported by the master node include security algorithms 1 to 3, where the key length of security algorithm 1 is 256 bits and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • The candidate nodes are candidate nodes 1 to 3, where the maximum key length of the security algorithms supported by candidate node 1 is 256 bits and the maximum key length of the security algorithms supported by candidate nodes 2 and 3 is 128 bits. If the first security algorithm is security algorithm 1 (256 bits), only candidate node 1 satisfies condition 1; if the first security algorithm is security algorithm 2 or 3 (128 bits), all three candidate nodes satisfy it.
  • Condition 2: The key lengths of the security algorithms supported by the secondary node include the key length of the first security algorithm.
  • For example, the security algorithms supported by the master node include security algorithms 1 to 3, where the key length of security algorithm 1 is 256 bits and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • The candidate nodes are candidate nodes 1 to 3, where the key length of the security algorithms supported by candidate node 1 is 256 bits, the key length of the security algorithms supported by candidate node 2 is 128 bits, and the key lengths of the security algorithms supported by candidate node 3 are 256 bits and 128 bits.
  • If the first security algorithm is security algorithm 1 (256 bits), the master node may select candidate node 1 or candidate node 3 as the secondary node.
  • If the first security algorithm is security algorithm 2 or 3 (128 bits), the master node may select candidate node 2 or candidate node 3 as the secondary node.
  • Under condition 1, the logic by which the primary node selects the secondary node is similar. The following description takes condition 1 as an example.
  • the master node may obtain information about the key length of the security algorithm supported by the candidate node.
  • the candidate node may support multiple security algorithms, which may correspond to multiple key lengths, wherein a key length may correspond to one or more security algorithms.
  • the candidate node may support the multiple key lengths.
  • the information about the key lengths of the security algorithms supported by the candidate node may be identifiers of multiple key lengths of multiple security algorithms supported by the candidate node (which may be referred to as identifiers of multiple key lengths supported by the candidate node).
  • For example, the key length of security algorithm 1 is 256 bits and the key lengths of security algorithms 2 and 3 are both 128 bits. If the candidate node supports security algorithms 1 to 3, then the information about the key lengths of the security algorithms supported by the candidate node is 256 bits and 128 bits.
  • the key length information of the security algorithm supported by the candidate node may be an identifier of the maximum key length among multiple key lengths supported by the candidate node (which may be simply referred to as the identifier of the maximum key length supported by the candidate node).
  • For example, the key length of security algorithm 1 is 256 bits and the key lengths of security algorithms 2 and 3 are both 128 bits. If the candidate node supports security algorithms 1 to 3, then the key-length information of the security algorithms supported by the candidate node is 256 bits.
  • the information about the key lengths of the security algorithms supported by the candidate node may be an indication of whether the candidate node supports a preset key length.
  • the indication may occupy one bit. When the value of the indication is 1, it indicates that the candidate node supports the preset key length. When the value of the indication is 0, it indicates that the candidate node does not support the preset key length.
  • the preset key length may be 256 bits or 128 bits. For example, the preset key length is 256 bits, the key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • If the candidate node supports security algorithms 1 to 3, the information about the key lengths of the security algorithms supported by the candidate node is an indication with the value 1; if the candidate node supports only security algorithm 3, the information is an indication with the value 0.
  • Because a node that supports a longer key length also supports the shorter ones, the "identifier of the key lengths supported by the candidate node" is equivalent to the "identifier of the maximum key length supported by the candidate node."
  • The following takes the identifier of the maximum key length supported by the candidate node as an example. This description also applies to the other embodiments.
  • the information about the key lengths of the security algorithms supported by the candidate node may also be the identifiers of the multiple security algorithms supported by the candidate node, where the identifier of each security algorithm includes an identifier of that algorithm's key length.
  • For example, the identifier of a security algorithm is "128-NEA2", where the key length is 128 bits and NEA2 denotes the AES-based NR encryption algorithm (the SNOW 3G-based algorithm is NEA1 and the ZUC-based one is NEA3).
  • the identifier of the key length can be not only a specific value of the key length (such as 256 bits or 128 bits), but also other pre-agreed identifiers used to indicate the key length.
  • the identifier of the key length is identifier A or identifier B, identifier A is used to indicate 256 bits, and identifier B is used to indicate 128 bits.
  • the identifier of the key length is the value of a preset bit. When the preset bit value is 1, it is used to indicate 256 bits, and when the preset bit value is 0, it is used to indicate 128 bits. The following examples are all given with specific values of the key length.
  • the master node can obtain information about the key length of the security algorithm supported by the candidate node through the following acquisition method 1 or acquisition method 2.
  • Acquisition method 1: The information about the key lengths of the security algorithms supported by the candidate nodes is pre-configured in the master node.
  • The master node holds pre-configuration information that includes, for each candidate node, the identifier of the candidate node and the information about the key lengths of the security algorithms it supports.
  • For example, the key-length information is the identifier of the maximum key length supported by the candidate node, the candidate nodes are candidate nodes 1 to 3, the maximum key length supported by candidate node 1 is 256 bits, the maximum key length supported by candidate node 2 is 256 bits, and the maximum key length supported by candidate node 3 is 128 bits.
  • The pre-configuration information may then include the following correspondences: (identifier of candidate node 1, 256 bits), (identifier of candidate node 2, 256 bits), (identifier of candidate node 3, 128 bits).
  • the pre-configured information is configured by a management device (such as an AMF, an operation administration and maintenance (OAM), or an equipment management system (EMS)) or manually.
  • the candidate node may meet one or more of the following conditions: the primary node and the candidate node belong to the same public land mobile network (PLMN), the primary node and the candidate node are located in the same physical area, the signal coverage of the primary node and the candidate node overlap, or the frequency of the primary node and the frequency of the candidate node do not interfere with each other.
  • Acquisition method 2: The master node obtains the information about the key lengths of the security algorithms supported by the candidate node from the candidate node itself.
  • The master node holds pre-configuration information that includes the identifiers of the candidate nodes.
  • The identifiers of the candidate nodes are configured by a management device (such as an AMF, OAM or EMS) or manually.
  • The definition of a candidate node is as given under acquisition method 1.
  • the master node sends a security capability request to each candidate node based on the identifier of the candidate node.
  • the security capability request is used to request information about the key lengths of security algorithms supported by the candidate node.
  • the candidate node sends information about the key lengths of security algorithms supported by the candidate node to the master node.
  • the master node may also obtain node information of the candidate node (such as one or more of the candidate node's product serial number, communication standard, and deployment date) through acquisition method 1 or acquisition method 2, and then derive the information about the key lengths of the security algorithms supported by the candidate node from that node information according to a preset rule.
  • For example, the node information of the candidate node is its deployment date.
  • The preset rule in the master node is "the maximum key length supported by candidate nodes deployed on or before January 1, 2024 is 128 bits; the maximum key length supported by candidate nodes deployed after January 1, 2024 is 256 bits." If the deployment date of a candidate node is March 1, 2024, the master node determines that the maximum key length supported by that candidate node is 256 bits.
  • As another example, the node information of the candidate node is its communication standard.
  • The preset rule in the master node is "the maximum key length supported by candidate nodes of a communication standard earlier than 5G is 128 bits; the maximum key length supported by candidate nodes of 5G or later communication standards is 256 bits." If the communication standard of a candidate node is 5.5G, the master node determines that the maximum key length supported by that candidate node is 256 bits.
  • When the master node selects a secondary node from the candidate nodes, in addition to the key lengths of the security algorithms supported by the candidate nodes it may also consider one or more of the following: the signal strength of the candidate node as received by the terminal device, the air-interface resource usage of the candidate node, or the priority of the candidate node.
  • the master node may also send a measurement instruction to the terminal device based on the identifier of the candidate node.
  • the measurement instruction includes the identifier of the candidate node and is used to instruct the terminal device to measure the signal strength of the candidate node.
  • the terminal device receives the measurement instruction, measures the signal strength of the candidate node based on the identifier of the candidate node in the measurement instruction, and sends the measurement result to the master node.
  • the measurement result includes the signal strength of the candidate node.
  • the master node selects a secondary node from the candidate nodes based on the signal strength of the candidate node, the usage of air interface resources, and information about the key length of the security algorithm supported by the candidate node.
  • the pre-configuration information of the master node also includes the priority of the candidate node.
  • the master node selects a secondary node from the candidate nodes, it selects the secondary node from the candidate nodes based on the priority of the candidate node and the key length of the security algorithm supported by the candidate node.
  • step 400 may be further included, in which the primary node determines (or selects) the first security algorithm.
  • the master node selects a first security algorithm from the security algorithms supported by the master node based on the priorities of the security algorithms supported by the master node and the security algorithms supported by the terminal device.
  • the master node selects a security algorithm that is supported by both the master node and the terminal device and has a higher priority as the first security algorithm.
  • the master node supports security algorithms 1 to 3, where the priority order of security algorithms 1 to 3 is: security algorithm 1, security algorithm 2, security algorithm 3. If the terminal device supports security algorithms 1 to 2, the master node may determine that the first security algorithm is security algorithm 1.
  • the master node may also first obtain the security algorithms supported by the terminal device.
  • the terminal device sends a registration request to the AMF
  • the registration request carries the security algorithms supported by the terminal device.
  • the AMF sends the security algorithms supported by the terminal device to the master node.
  • the master node is the target node in an Xn handover, and the master node receives the security algorithms supported by the terminal device from the source node.
  • the master node is the target node in an N2 handover, and the master node receives the security algorithms supported by the terminal device from the target AMF.
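The master-node side of steps 400 and 401, as an added example that is not part of the patent: it normalises the four forms of key-length information described above (list of key lengths, maximum key length, one-bit preset indication, algorithm identifiers with a key-length prefix such as "128-NEA2") into the set of key lengths a candidate supports, picks the first security algorithm by master-node priority among algorithms the terminal also supports, and applies condition 1 or condition 2 with priority and signal strength as tie-breakers. It also implements, as a generalisation, the FIG5 variant described later on the page in which the candidate must support every key length the master node supports. The names (SecAlg, Candidate, the tuple encoding of the information forms, the algorithms SA1 to SA4, the RSRP field and its unit) are assumptions of this example, and the candidate data is constructed from the page's worked examples.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Key lengths the page defines; a node that supports the longer key also supports the shorter one.
DEFINED_KEY_LENS = (256, 128)


@dataclass(frozen=True)
class SecAlg:
    ident: str    # illustrative name; an air-interface identifier would carry the length, e.g. "128-NEA2"
    key_len: int  # key length in bits


@dataclass(frozen=True)
class Candidate:
    node_id: str
    key_len_info: tuple          # one of the four information forms, see supported_key_lens()
    priority: int = 0            # configured priority of the candidate, higher preferred (assumed encoding)
    rsrp_dbm: float = -120.0     # signal strength reported by the terminal device (assumed unit)


def select_first_algorithm(mn_algs_by_priority: Sequence[SecAlg], ue_alg_ids) -> Optional[SecAlg]:
    """Step 400: highest-priority master-node algorithm that the terminal device also supports."""
    ue = set(ue_alg_ids)
    for alg in mn_algs_by_priority:
        if alg.ident in ue:
            return alg
    return None


def supported_key_lens(info: tuple, preset_key_len: int = 256) -> frozenset:
    """Normalise a candidate's key-length information to the set of key lengths it supports.

    ("lengths", [256, 128])          all supported lengths
    ("max", 256)                     the maximum supported length (shorter ones implied)
    ("preset_bit", 1)                one-bit indication of support for preset_key_len
    ("alg_ids", ["128-NEA2", ...])   algorithm identifiers whose prefix is the key length
    """
    kind, value = info
    if kind == "lengths":
        return frozenset(int(v) for v in value)
    if kind == "max":
        return frozenset(l for l in DEFINED_KEY_LENS if l <= int(value))
    if kind == "preset_bit":
        # bit 0 means the preset length is not supported, so only shorter lengths can be
        bound = preset_key_len if value == 1 else preset_key_len - 1
        return frozenset(l for l in DEFINED_KEY_LENS if l <= bound)
    if kind == "alg_ids":
        return frozenset(int(ident.split("-", 1)[0]) for ident in value)
    raise ValueError(f"unknown key-length information form: {kind}")


def eligible_secondary_nodes(first_key_len: int, candidates, condition: int):
    """Step 401: candidates whose supported key lengths satisfy condition 1 or condition 2."""
    out = []
    for cand in candidates:
        lens = supported_key_lens(cand.key_len_info)
        if condition == 1:      # maximum supported key length not less than the first algorithm's
            ok = bool(lens) and max(lens) >= first_key_len
        elif condition == 2:    # supported key lengths include the first algorithm's key length
            ok = first_key_len in lens
        else:
            raise ValueError(f"unknown condition {condition}")
        if ok:
            out.append(cand)
    return out


def select_secondary_node(first_alg: SecAlg, candidates, condition: int = 1) -> Optional[Candidate]:
    """Pick one eligible candidate, breaking ties by configured priority, then by signal strength."""
    eligible = eligible_secondary_nodes(first_alg.key_len, candidates, condition)
    if not eligible:
        return None
    return max(eligible, key=lambda c: (c.priority, c.rsrp_dbm))


def eligible_by_mn_capability(mn_algs: Sequence[SecAlg], candidates):
    """FIG5 variant: the candidate must support every key length the master node supports."""
    mn_lens = {alg.key_len for alg in mn_algs}
    return [c for c in candidates if mn_lens <= supported_key_lens(c.key_len_info)]


def node_ids(candidates):
    return [c.node_id for c in candidates]


# Constructed data following the page's examples: the master node supports SA1 (256 bits), SA2 and
# SA3 (128 bits) in that priority order; candidate nodes 1 to 3 as in the condition 2 example, plus
# two candidates that report their capability in the other information forms.
MN_ALGS = [SecAlg("SA1", 256), SecAlg("SA2", 128), SecAlg("SA3", 128)]
CANDIDATES = [
    Candidate("node1", ("lengths", [256]), priority=1, rsrp_dbm=-90.0),
    Candidate("node2", ("lengths", [128]), priority=3, rsrp_dbm=-85.0),
    Candidate("node3", ("lengths", [256, 128]), priority=2, rsrp_dbm=-95.0),
    Candidate("node4", ("preset_bit", 0), priority=4),          # does not support 256-bit keys
    Candidate("node5", ("alg_ids", ["128-NEA1", "128-NEA2"])),  # identifiers carry the key length
]

if __name__ == "__main__":
    first = select_first_algorithm(MN_ALGS, ["SA1", "SA2"])
    if first is None:
        raise SystemExit("no common security algorithm with the terminal device")
    print("first algorithm:", first)
    for cond in (1, 2):
        chosen = select_secondary_node(first, CANDIDATES, cond)
        print(f"condition {cond}: eligible {node_ids(eligible_secondary_nodes(first.key_len, CANDIDATES, cond))},"
              f" chosen {chosen.node_id if chosen else None}")
    print("FIG5 superset condition:", node_ids(eligible_by_mn_capability(MN_ALGS, CANDIDATES)))
```

With a 256-bit first algorithm only node1 and node3 qualify under either condition; with a 128-bit first algorithm condition 1 admits every candidate while condition 2 excludes node1, which reports 256 bits only. The one-bit form is lossy by design: a 0 only tells the master node that the preset length is unsupported, so the example treats such a node as supporting only the shorter length.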
  • Step 402 The primary node sends a node request to the secondary node.
  • the secondary node receives the node request from the primary node.
  • the node request is used to request the addition of a secondary node.
  • the node request is used to request the node that receives the node request to serve as a secondary node corresponding to the primary node.
  • node 1 receives a node request, and the node request is used to request node 1 to serve as a secondary node corresponding to the primary node.
  • the node request is used to request the node that receives the node request to serve as a secondary node for the URLLC service of the terminal device.
  • node 1 receives a node request, and the node request is used to request node 1 to serve as a secondary node for the URLLC service of the terminal device.
  • the node request includes information about the key length of the first security algorithm.
  • the information about the key length of the first security algorithm is used by the secondary node to determine (or select) a second security algorithm, where the second security algorithm is the security algorithm that protects data transmitted between the secondary node and the terminal device.
  • the information of the key length of the first security algorithm may be an identifier of the key length of the first security algorithm. For example, if the key length of the first security algorithm is 256 bits, then the information of the key length of the first security algorithm is 256 bits.
  • the information about the key length of the first security algorithm may be an indication of whether the key length of the first security algorithm is a preset key length, where the indication may occupy one bit. When the value of the indication is 1, it indicates that the key length of the first security algorithm is the preset key length; when the value of the indication is 0, it indicates that the key length of the first security algorithm is not the preset key length. For example, if the preset key length is 256 bits and the key length of the first security algorithm is 256 bits, then the information about the key length of the first security algorithm is an indication with a value of 1; if the key length of the first security algorithm is 128 bits, then the information about the key length of the first security algorithm is an indication with a value of 0.
  • the node request may further include a security algorithm supported by the terminal device.
  • the security algorithm supported by the terminal device is used by the secondary node to select a second security algorithm.
  • the node request may further include a node key of the secondary node (e.g., a gNB key).
  • the node key of the secondary node is used by the secondary node to derive the user plane key of the secondary node.
  • the primary node derives the node key of the secondary node based on the node key of the primary node and carries the node key of the secondary node in the node request.
  • the implementation related to FIG4 further includes the following steps 403 and 404.
  • Step 403 The secondary node determines a second security algorithm.
  • the second security algorithm is a security algorithm used to protect data transmitted between the secondary node and the terminal device.
  • the node request includes information about the key length of the first security algorithm.
  • After receiving the node request, the secondary node obtains the key-length information of the first security algorithm from it and, based on that information, selects the second security algorithm from among the security algorithms supported by the secondary node.
  • the key length of the second security algorithm is equal to the key length of the first security algorithm; the identifier of the second security algorithm may be the same as or different from the identifier of the first security algorithm.
  • the secondary node may also obtain the security algorithms supported by the terminal device from the node request, and determine the second security algorithm from among the security algorithms supported by the secondary node based on the key length of the first security algorithm, the security algorithms supported by the terminal device, and the priorities of the security algorithms supported by the secondary node. That is, the second security algorithm must not only have the same key length as the first security algorithm but must also be supported by the terminal device, and among the security algorithms supported by the secondary node that satisfy both requirements it is the one with the highest priority.
  • the terminal device supports security algorithms 1 to 3.
  • the key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • the primary node determines that the first security algorithm is security algorithm 1, and the node request sent to the secondary node includes the key length of the first security algorithm (i.e., 256 bits) and the identifiers of security algorithms 1 to 3 supported by the terminal device.
  • the secondary node supports security algorithm 1 and security algorithm 4, and the priority order of the security algorithms set in the secondary node is: security algorithm 1, security algorithm 4, security algorithm 2, security algorithm 3.
  • the key length of security algorithm 4 is 256 bits.
  • the secondary node obtains the key length of the first security algorithm (i.e., 256 bits) and the identifiers of security algorithms 1 to 3 supported by the terminal device from the node request, and determines that the second security algorithm is security algorithm 1.
  • the node request may not need to carry information about the key length of the first security algorithm.
  • the primary node supports security algorithms 1 to 3
  • the secondary node supports security algorithms 1 and 2
  • the terminal device supports security algorithms 1 and 2, where the key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • the primary node may determine the security algorithm corresponding to the maximum key length supported by the primary node, that is, security algorithm 1, as the first security algorithm, and send a node request to the secondary node, without needing to carry information about the key length of the first security algorithm.
  • the secondary node may determine the security algorithm corresponding to the maximum key length supported by the secondary node, that is, security algorithm 1, as the second security algorithm.
  • Other cases in which the node request does not need to carry information about the key length of the first security algorithm are not enumerated in this application.
  • Step 404 The secondary node transmits data with the terminal device according to the second security algorithm.
  • the secondary node may also send a node response to the primary node, and the node response is used to indicate that the secondary node has been successfully added.
  • the node response includes a success indication (e.g., an acknowledgment (ACK)), which is used to indicate that the secondary node has been successfully added.
  • the node response also includes an identifier of the second security algorithm. After the primary node receives the node response, it obtains the identifier of the second security algorithm from the node response and sends the identifier of the second security algorithm to the terminal device. In this way, the terminal device obtains the identifier of the second security algorithm.
  • the identifier of the second security algorithm is carried in the RRC connection reconfiguration message sent by the primary node to the terminal device.
  • the secondary node may obtain its node key from the node request and derive its user plane key from that node key.
  • the user plane key of the secondary node may be a user plane encryption key, a user plane integrity protection key, both a user plane encryption key and a user plane integrity protection key, or the key of an AEAD algorithm used for user plane protection, where the AEAD algorithm provides both integrity protection and encryption of the data.
  • the secondary node transmits data with the terminal device according to the second security algorithm and the user plane key of the secondary node:
  • When the secondary node needs to send first data to the terminal device, it inputs its user plane key and the first data into the second security algorithm to obtain second data, and sends the second data to the terminal device.
  • The terminal device receives the second data from the secondary node, inputs the second data and its own user plane key into the second security algorithm, and obtains the first data.
  • When the terminal device needs to send first data to the secondary node, it inputs its user plane key and the first data into the second security algorithm to obtain second data, and sends the second data to the secondary node.
  • The secondary node receives the second data from the terminal device, inputs the second data and its own user plane key into the second security algorithm, and obtains the first data.
  • the user plane key of the terminal device and the user plane key of the secondary node are the same symmetric key, held by both sides.
  • For a node (master node or secondary node) and the terminal device: if the key length of the security algorithm negotiated by the two is 256 bits, they use the 256-bit user plane key for transmission protection; if the key length of the negotiated security algorithm is 128 bits, each side truncates the 256-bit user plane key to a 128-bit user plane key and uses that for transmission protection. Both sides must apply the same truncation rule (the same 128 bits of the 256-bit key), otherwise they end up with different keys.
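The secondary-node side of steps 402 to 404, together with the master node's fallback to another secondary node when the first one reports a failed addition, as an added example that is not part of the patent. It decodes the key-length information in the node request (explicit length or one-bit preset indication), selects the second security algorithm with the same key length as the first one, filtered by terminal support and secondary-node priority, builds the node response, and shows the 256-bit user plane key being used as is or truncated to 128 bits. The names (SecAlg, the request and response dictionaries, SA1 to SA4, SN1 and SN2) are assumptions of this example, the data is constructed from the page's worked example, and the truncation rule (keep the least significant 128 bits) is an assumption, since the page only says "truncate".

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SecAlg:
    ident: str
    key_len: int  # key length in bits


def decode_first_key_len(info: tuple, preset_key_len: int = 256, other_key_len: int = 128) -> int:
    """Key-length information in the node request: explicit length or one-bit preset indication.
    With only the two key lengths the page defines, indication 0 means the other length."""
    kind, value = info
    if kind == "length":
        return int(value)
    if kind == "preset_bit":
        return preset_key_len if value == 1 else other_key_len
    raise ValueError(f"unknown key-length information form: {kind}")


def select_second_algorithm(first_key_len: int, ue_alg_ids,
                            sn_algs_by_priority: Sequence[SecAlg]) -> Optional[SecAlg]:
    """Step 403: highest-priority secondary-node algorithm with the first algorithm's key length
    that the terminal device also supports; None if no such algorithm exists."""
    ue = set(ue_alg_ids)
    for alg in sn_algs_by_priority:
        if alg.key_len == first_key_len and alg.ident in ue:
            return alg
    return None


def handle_node_request(sn_algs_by_priority: Sequence[SecAlg], request: dict) -> dict:
    """Secondary-node processing of a node request: a success response carrying the identifier of
    the second security algorithm, or a failure indication when no key length matches."""
    first_key_len = decode_first_key_len(request["first_key_len_info"])
    alg = select_second_algorithm(first_key_len, request["ue_alg_ids"], sn_algs_by_priority)
    if alg is None:
        return {"ack": False}
    return {"ack": True, "second_alg_id": alg.ident, "key_len": alg.key_len}


def add_secondary_node(first_alg: SecAlg, ue_alg_ids, candidates):
    """Master-node side: send the node request to candidates in order until one accepts.
    candidates: list of (node_id, priority-ordered algorithms supported by that node)."""
    request = {"first_key_len_info": ("length", first_alg.key_len), "ue_alg_ids": list(ue_alg_ids)}
    for node_id, sn_algs in candidates:
        resp = handle_node_request(sn_algs, request)
        if resp["ack"]:
            # both legs must now use the same key length; the identifier is forwarded to the UE by RRC
            if resp["key_len"] != first_alg.key_len:
                raise RuntimeError("secondary node accepted with a different key length")
            return node_id, resp["second_alg_id"]
    return None


def user_plane_key(key256: bytes, key_len: int) -> bytes:
    """A 256-bit user plane key is used as is with a 256-bit algorithm and truncated for a 128-bit
    one. Assumption: truncation keeps the least significant (trailing) 128 bits; the terminal device
    must apply exactly the same rule or the two ends hold different keys."""
    if len(key256) != 32:
        raise ValueError("expected a 256-bit key")
    if key_len == 256:
        return key256
    if key_len == 128:
        return key256[16:]
    raise ValueError(f"unsupported key length {key_len}")


# Constructed data following the page's example: the terminal supports SA1 to SA3; SA1 is a 256-bit
# algorithm, SA2 and SA3 are 128-bit, and SA4 is a 256-bit algorithm the terminal does not support.
SA1, SA2, SA3, SA4 = SecAlg("SA1", 256), SecAlg("SA2", 128), SecAlg("SA3", 128), SecAlg("SA4", 256)
UE_ALG_IDS = ["SA1", "SA2", "SA3"]
SECONDARY_CANDIDATES = [
    ("SN1", [SA2, SA3]),   # only 128-bit algorithms: cannot match a 256-bit first algorithm
    ("SN2", [SA4, SA1]),   # SA4 is preferred but not supported by the terminal, so SA1 is chosen
]

if __name__ == "__main__":
    print("added secondary node:", add_secondary_node(SA1, UE_ALG_IDS, SECONDARY_CANDIDATES))
    print("128-bit user plane key:", user_plane_key(bytes(range(32)), 128).hex())
```

SN1 answers the 256-bit request with a failure indication and the master node moves on to SN2, which skips SA4 because the terminal does not support it and settles on SA1, so both legs end up with 256-bit keys. If the terminal supported only 128-bit algorithms while the first algorithm were 256-bit, no candidate could accept, which is the situation step 400 avoids by choosing the first algorithm from the terminal's capabilities in the first place.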
  • the master node first determines a first security algorithm, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device. The master node then selects a secondary node based on the key length of the first security algorithm and requests to add that secondary node. This makes the selection of the secondary node better founded and allows the secondary node to select a suitable security algorithm afterwards.
  • the selected secondary node can meet the following conditions: the master node and the secondary node can each determine an appropriate security algorithm, so that the security strength of the data transmitted between the master node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, so as to meet the requirements of secure communication.
  • the secondary node selected according to the solution of the present application can ensure that the key length of the security algorithm selected by the master node and the secondary node is the same.
  • For example, when the terminal device uses a data-redundancy transmission service, two redundant PDU sessions of the terminal device carry the same data of the service.
  • the data corresponding to the two PDU sessions are protected by the master node and the secondary node respectively using the selected security algorithm.
  • the key length of the two security algorithms is the same, which meets the security assumption of data redundancy transmission.
  • FIG5 is a flow chart of the second communication method exemplarily provided in this application.
  • Step 501 The primary node determines a secondary node based on the key lengths of the security algorithms supported by the primary node and the key lengths of the security algorithms supported by the candidate nodes.
  • The secondary node is chosen from among the candidate nodes. When there is only one candidate node, the primary node determines whether that node can serve as the secondary node. When there are multiple candidate nodes, the primary node selects the secondary node from among them. For ease of description, the following uses the latter case as an example.
  • the primary node may select as the secondary node a candidate node whose supported security algorithms meet the following condition (1) or condition (2); equivalently, the security algorithms supported by the secondary node meet condition (1) or condition (2).
  • the maximum key length of the security algorithm supported by the primary node may be referred to as the first key length
  • the maximum key length of the security algorithm supported by the secondary node may be referred to as the second key length
  • In this application, when the key lengths of the security algorithms supported by a node (primary node or secondary node) include key length 1, they also include key length 2, where key length 1 is greater than key length 2. For example, if a node supports a security algorithm with a 256-bit key, it also supports a security algorithm with a 128-bit key.
  • Condition (2): The key lengths of the security algorithms supported by the secondary node include the key lengths of the security algorithms supported by the primary node.
  • the security algorithms supported by the master node include security algorithms 1 through 3.
  • the key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits.
  • the multiple candidate nodes include candidate nodes 1 through 3.
  • the key length of the security algorithm supported by candidate node 1 is 256 bits
  • the key length of the security algorithm supported by candidate node 2 is 128 bits
  • the key lengths of the security algorithms supported by candidate node 3 are 256 bits and 128 bits.
  • the master node may select candidate node 3 as a secondary node from among candidate nodes 1 through 3 based on the key lengths of security algorithms 1 through 3.
  • Under condition (1), the logic by which the primary node selects the secondary node is similar. The following description takes condition (1) as an example.
  • the master node may obtain information about the key lengths of the security algorithms supported by the candidate nodes. For the form of this information and how the master node obtains it, refer to the description of step 401.
  • Step 502 The primary node sends a node request to the secondary node.
  • the secondary node receives the node request from the primary node.
  • the node request is used to request adding a secondary node. For details, please refer to the description in step 402.
  • the node request includes information about the key length of the first security algorithm.
  • the function and form of the key length information of the first security algorithm can be found in the description of step 402 .
  • the master node may first select a first security algorithm from among the security algorithms supported by the master node. Specifically, the master node selects the first security algorithm from among the security algorithms supported by the master node based on the priority of the security algorithms supported by the master node and the security algorithms supported by the terminal device. For details, see the description in step 400.
  • For details not described in step 502, please refer to the description in step 402.
  • the implementation related to FIG5 further includes the following steps 503 and 504.
  • Step 503 The secondary node determines a second security algorithm.
  • the second security algorithm is a security algorithm for protecting data transmitted between the secondary node and the terminal device. For details, see the description in step 403.
  • Step 504 The secondary node transmits data to the terminal device according to the second security algorithm. For details, please refer to the description in step 404.
  • the primary node selects a secondary node based on the security algorithm supported by the primary node and then requests to add the secondary node. This makes the selection of the secondary node more reasonable, making it easier for the subsequent secondary node to select an appropriate security algorithm.
  • the selected secondary node can meet the following conditions: the primary node and the secondary node can each determine an appropriate security algorithm, so that the security strength of the data transmitted between the primary node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, so as to meet the requirements of secure communication.
  • the secondary node selected according to the solution of the present application can ensure that the key length of the security algorithm selected by the primary node and the secondary node is the same.
  • the two redundant PDU sessions of the terminal device are used to transmit the same data of the service.
  • the data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms.
  • the key lengths of the two security algorithms are the same, which meets the security assumption of data redundancy transmission.
  • FIG6 is a flow chart of the third communication method exemplarily provided in this application.
  • Step 601 The primary node obtains information about security algorithms supported by the secondary node.
  • the security algorithm information includes information about the key length of the security algorithm and/or the identifier of the security algorithm. That is, the primary node obtains information about the key length of the security algorithm supported by the secondary node and/or obtains the identifier of the security algorithm supported by the secondary node.
  • the information about the key lengths of the security algorithms supported by the secondary node may include identifiers of multiple key lengths supported by the secondary node, an identifier of a maximum key length supported by the secondary node, or an indication of whether the secondary node supports a preset key length.
  • the secondary node is one of the candidate nodes.
  • the information about the key lengths of the security algorithms supported by the secondary node may be found in the description of step 401 above.
  • the identifiers of the security algorithms supported by the secondary node may specifically be the identifiers of one or more security algorithms supported by the secondary node. For example, if the secondary node supports security algorithms 1 through 3, and the identifiers of security algorithms 1 through 3 are identifiers 1 through 3, respectively, then the identifiers of the security algorithms supported by the secondary node include identifiers 1 through 3.
  • Before step 601, step 600 may be further included:
  • Step 600 The primary node selects a secondary node from the candidate nodes.
  • the definition of candidate nodes may refer to the description of acquisition method 1 in step 401.
  • the master node is pre-configured with the identifier of the candidate node.
  • the master node sends a measurement instruction to the terminal device, which includes the identifier of the candidate node.
  • the measurement instruction is used to instruct the terminal device to measure the signal strength of the candidate node.
  • the terminal device receives the measurement instruction, measures the signal strength of the candidate node based on the identifier of the candidate node in the measurement instruction, and sends the measurement result to the master node, which includes the signal strength of the candidate node.
  • the master node selects a secondary node from the candidate nodes based on the signal strength of the candidate node and the usage of air interface resources.
  • the primary node is pre-configured with the identifiers and priorities of the candidate nodes.
  • the primary node can select a secondary node from the candidate nodes based on the priorities of the candidate nodes and the usage of air interface resources.
  • Acquisition method (1): the information about the security algorithms supported by the secondary node is pre-configured in the primary node.
  • the pre-configuration information also includes information about security algorithms supported by the candidate nodes (that is, the pre-configuration information includes information about security algorithms supported by the secondary nodes).
  • the master node obtains information about security algorithms supported by the secondary nodes from the pre-configuration information based on the identifier of the secondary node.
  • For example, the candidate nodes are candidate nodes 1 to 5, and the pre-configuration information includes the identifiers of candidate nodes 1 to 5 as well as security algorithm information 1 to security algorithm information 5, which describe the security algorithms supported by candidate nodes 1 to 5, respectively.
  • If the master node selects candidate node 2 as the secondary node, it further determines that the information about the security algorithms supported by the secondary node is security algorithm information 2.
  • Step 602 The primary node determines a first security algorithm based on information about security algorithms supported by the secondary node, wherein the first security algorithm is a security algorithm for protecting data transmitted between the primary node and the terminal device.
  • the master node selects a first security algorithm from the security algorithms supported by the master node based on information about security algorithms supported by the secondary node and information about security algorithms supported by the master node.
  • the information of the security algorithms supported by the master node includes one or more of the following: identification of multiple key lengths supported by the master node, identification of the maximum key length supported by the master node (i.e., identification of the first key length), an indication of whether the master node supports a preset key length, identification of the security algorithms supported by the master node, or the priority of the security algorithms supported by the master node.
  • the information about security algorithms supported by the master node is a priority list of security algorithms supported by the master node, which includes identifiers and priorities of multiple security algorithms supported by the master node.
  • the identifiers of the security algorithms supported by the master node include the key lengths of the security algorithms. For example, if the identifier of the security algorithm is "128-NEA2," the key length is 128, where NEA2 refers to the SNOW3G encryption algorithm.
  • the primary node determines the first security algorithm based on the information of the key length of the security algorithm supported by the secondary node and the information of the security algorithm supported by the primary node.
  • the master node determines the second key length based on the information about the key lengths of the security algorithms supported by the secondary node, and then determines the smaller of the first and second key lengths. Based on the smaller key length, the security algorithms supported by the terminal device, and the priorities of the security algorithms supported by the master node, the master node selects, from the security algorithms it supports, a security algorithm whose key length is less than or equal to the smaller key length, and uses the selected security algorithm as the first security algorithm.
  • the first key length is the maximum key length of the security algorithm supported by the master node
  • the second key length is the maximum key length of the security algorithm supported by the secondary node.
  • the master node may select a security algorithm with a key length lower than or equal to the second key length from the security algorithms supported by the master node based on the security algorithms supported by the terminal device and the priority of the security algorithms supported by the master node, and use the selected security algorithm as the first security algorithm.
  • the second key length is 128 bits
  • the master node supports security algorithms 1 through 3
  • the priority of security algorithms 1 through 3 is: security algorithm 1, security algorithm 2, security algorithm 3.
  • the terminal device supports security algorithms 1 through 3.
  • the key length of security algorithm 1 is 256 bits
  • the key lengths of security algorithms 2 and 3 are both 128 bits.
  • the master node determines that the first key length is 256 bits and that the first key length is longer than the second key length. Based on the second key length (i.e., 128 bits), the support of security algorithms 1 through 3 by the terminal device, and the priority of security algorithms 1 through 3, the master node selects security algorithm 2 as the first security algorithm.
  • the master node may select a security algorithm with a key length less than or equal to the first key length from the security algorithms supported by the master node based on the security algorithms supported by the terminal device and the priority of the security algorithms supported by the master node, and use the selected security algorithm as the first security algorithm.
  • the second key length is 256 bits.
  • the master node determines that the first key length is 256 bits, and the first key length is less than or equal to the second key length. Therefore, based on the first key length (i.e., 256 bits), security algorithms 1 to 3 supported by the terminal device, and the priority of security algorithms 1 to 3, security algorithm 1 is selected as the first security algorithm.
  • Example (2) The master node preliminarily selects a security algorithm based on the security algorithms and priorities supported by the master node and the security algorithms supported by the terminal device. If the key length of the preliminarily selected security algorithm is less than or equal to the second key length, the preliminarily selected security algorithm is determined as the first security algorithm; if the key length of the preliminarily selected security algorithm is greater than the second key length, the security algorithm is reselected based on the security algorithms and priorities supported by the master node and the security algorithms supported by the terminal device, and it is determined whether the key length of the reselected security algorithm is less than or equal to the second key length, and so on, until the first security algorithm is determined.
  • the second key length is 128 bits
  • the master node supports security algorithms 1 to 3
  • the priority order of security algorithms 1 to 3 is: security algorithm 1, security algorithm 2, security algorithm 3.
  • the terminal device supports security algorithms 1 to 3.
  • the key length of security algorithm 1 is 256 bits
  • the key lengths of security algorithms 2 and 3 are both 128 bits.
  • the master node selects security algorithm 1 based on the security algorithms and priorities supported by the master node and the security algorithms supported by the terminal device, and determines that the key length of security algorithm 1 is greater than the second key length.
  • the master node reselects security algorithm 2 based on the security algorithms and priorities supported by the master node and the security algorithms supported by the terminal device, and determines that the key length of security algorithm 2 is equal to the second key length, then determines that security algorithm 2 is the first security algorithm.
  • the master node supports security algorithms 1 to 3, and the priority order of security algorithms 1 to 3 is: security algorithm 1, security algorithm 2, security algorithm 3.
  • the terminal device supports security algorithms 1 to 3.
  • the secondary node supports security algorithm 1 and security algorithm 4.
  • the key length of security algorithms 1 and 4 is 256 bits, and the key length of security algorithms 2 and 3 is 128 bits. Then, based on the key lengths of the security algorithms supported by the master node, by the secondary node, and by the terminal device, the master node determines that the key length supported by all three is 256 bits.
  • the master node determines that the first security algorithm is security algorithm 1 based on the key length supported by all three (i.e., 256 bits), the security algorithms 1 to 3 supported by the terminal device, and the priority order of the security algorithms supported by the master node.
  • the primary node determines the information of the key length of the security algorithm supported by the secondary node based on the identifier of the security algorithm supported by the secondary node, and then determines the first security algorithm based on the information of the key length of the security algorithm supported by the secondary node and the information of the security algorithm supported by the primary node (for details, please refer to the description in the above case 1).
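The selection rule of step 602 and its worked cases, carried out as an added Python example rather than code from the patent: the key-length catalogue `KEY_LENGTH_BITS`, the `MasterInfo` type and the function names are assumptions for illustration, and the values mirror the page's running example (algorithms 1 to 4, 256-bit and 128-bit keys). It covers case 1 (bound by the smaller of the first and second key lengths), example (2) (which the walk down the priority list reproduces, since each reselection is the next priority entry), the variant that first finds the key length supported by all three parties, and the case 2 derivation of the second key length from identifiers alone.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed catalogue (assumption, not 3GPP values): algorithm identifiers
# 1..4 and their key lengths in bits, as in the page's example.
KEY_LENGTH_BITS = {1: 256, 2: 128, 3: 128, 4: 256}


@dataclass(frozen=True)
class MasterInfo:
    """Information about the security algorithms supported by the master node
    (step 602): a priority list of identifiers, highest priority first."""
    priority: tuple

    def supported_key_lengths(self):
        return {KEY_LENGTH_BITS[a] for a in self.priority}

    @property
    def first_key_length(self) -> int:
        """The first key length: the maximum key length the master supports."""
        return max(self.supported_key_lengths())


def second_key_length_from_ids(secondary_ids: Iterable[int]) -> int:
    """Case 2 of step 602: the secondary advertised only algorithm identifiers,
    so the second (maximum) key length is derived from them."""
    return max(KEY_LENGTH_BITS[a] for a in secondary_ids)


def select_first_algorithm(master: MasterInfo, terminal_ids: Iterable[int],
                           second_key_length: int) -> Optional[int]:
    """Case 1 of step 602: bound = min(first key length, second key length);
    walk the master's priority list and return the first algorithm the
    terminal also supports whose key length does not exceed the bound.
    Walking in priority order is exactly the select/reselect loop of example (2)."""
    bound = min(master.first_key_length, second_key_length)
    terminal = set(terminal_ids)
    for alg in master.priority:
        if alg in terminal and KEY_LENGTH_BITS[alg] <= bound:
            return alg
    return None  # nothing fits: no first algorithm can be agreed with this secondary


def select_first_algorithm_common(master: MasterInfo, secondary_ids: Iterable[int],
                                  terminal_ids: Iterable[int]) -> Optional[int]:
    """Variant on the page: first determine the key length supported by the
    master, the secondary and the terminal alike, then pick by priority among
    the master's algorithms of exactly that length."""
    terminal = set(terminal_ids)
    common = (master.supported_key_lengths()
              & {KEY_LENGTH_BITS[a] for a in secondary_ids}
              & {KEY_LENGTH_BITS[a] for a in terminal})
    if not common:
        return None
    target = max(common)
    for alg in master.priority:
        if alg in terminal and KEY_LENGTH_BITS[alg] == target:
            return alg
    return None


if __name__ == "__main__":
    master = MasterInfo(priority=(1, 2, 3))
    print(select_first_algorithm(master, [1, 2, 3], 128))            # 2
    print(select_first_algorithm(master, [1, 2, 3], 256))            # 1
    print(select_first_algorithm_common(master, [1, 4], [1, 2, 3]))  # 1
```

The `None` returns are the part the patent leaves implicit: if no algorithm satisfies the bound, the master has no first algorithm whose key length the secondary can match, and the secondary should not be added with this first algorithm.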
  • implementation related to FIG6 further includes the following steps 603 to 605:
  • Step 603 The primary node sends a node request to the secondary node.
  • the secondary node receives the node request from the primary node.
  • the node request includes information about the key length of the first security algorithm. This information can be an identifier of the key length of the first security algorithm or an indication of whether the key length of the first security algorithm is a preset key length.
  • the node request is used to request the addition of a secondary node. For details, see the description in step 402.
  • the node request also includes the security algorithm supported by the terminal device.
  • the node request may also include the node key of the secondary node, which is used by the secondary node to derive the user plane key of the secondary node. For details, see the description in step 402.
  • Step 604 The secondary node determines a second security algorithm based on the key length information of the first security algorithm.
  • After receiving the node request, the secondary node obtains information about the key length of the first security algorithm from the node request. Based on this information, the secondary node determines a second security algorithm from among the security algorithms supported by the secondary node, where the key length of the first security algorithm is the same as the key length of the second security algorithm. For specific implementation, see the description of Case 1 in Step 403.
  • the secondary node may also send a node response to the primary node, where the node response is used to indicate that the secondary node has been successfully added.
  • the primary node first identifies the secondary node, then determines a first security algorithm based on information about the security algorithms supported by the secondary node, and then requests the addition of the secondary node based on information about the key length of the first security algorithm.
  • the primary and secondary nodes can each determine an appropriate security algorithm, thereby ensuring that the security strength of data transmitted between the primary node and the terminal device matches the security strength of data transmitted between the secondary node and the terminal device, thereby meeting the requirements for secure communication. For example, according to the present application scheme, it is possible to achieve that the key length of the first security algorithm selected by the primary node and the second security algorithm selected by the secondary node are the same.
  • the two redundant PDU sessions of the terminal device are used to transmit the same data of the service.
  • the data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms.
  • the key lengths of the two security algorithms are the same, which meets the security assumption of data redundancy transmission.
  • FIG7 is a flow chart of the fourth communication method exemplarily provided in this application.
  • Step 701 The primary node obtains information about security algorithms supported by the secondary node. For details, please refer to the description of step 601.
  • Before step 701, step 700 may be further included: Step 700 The primary node selects a secondary node from the candidate nodes. For details, please refer to the description in step 600.
  • Step 702 The primary node determines a first security algorithm and a second security algorithm based on information about security algorithms supported by the secondary node.
  • the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • the second security algorithm is a security algorithm used to protect data transmitted between the secondary node and the terminal device.
  • the key length of the first security algorithm is equal to the key length of the second security algorithm.
  • the information about the security algorithms supported by the secondary node includes an identifier of the security algorithms supported by the secondary node.
  • the primary node determines the key length information of the security algorithms supported by the secondary node based on the identifier of the security algorithms supported by the secondary node, and then determines the first security algorithm based on the key length information of the security algorithms supported by the secondary node and the information about the security algorithms supported by the primary node (for details, see the description in step 602).
  • the primary node determines the second security algorithm based on the key length of the first security algorithm and the identifier of the security algorithm supported by the secondary node.
  • the information about security algorithms supported by the secondary node also includes information about the key lengths of the security algorithms supported by the secondary node.
  • the primary node may determine the first security algorithm based on the information about the key lengths of the security algorithms supported by the secondary node and the information about the security algorithms supported by the primary node.
  • the primary node may then determine the second security algorithm based on the key length of the first security algorithm and the identifier of the security algorithm supported by the secondary node.
  • the information of the security algorithms supported by the secondary node includes the identifiers of the security algorithms supported by the secondary node, and the primary node determines the first security algorithm and the second security algorithm based on the identifiers of the security algorithms supported by the secondary node and the information of the security algorithms supported by the primary node.
  • the first security algorithm and the second security algorithm are the same, that is, the master node selects security algorithms with the same identifier as the first security algorithm and the second security algorithm based on the identifiers of the security algorithms supported by the slave node and the identifiers of the security algorithms supported by the master node.
  • the secondary node supports security algorithms 1 to 4
  • the information about the security algorithms supported by the secondary node includes the identifiers of security algorithms 1 to 4
  • the primary node supports security algorithms 1 to 3
  • the information about the security algorithms supported by the primary node includes the identifiers of security algorithms 1 to 3.
  • the primary node can determine, based on the identifiers of the security algorithms supported by the secondary node and the identifiers of the security algorithms supported by the primary node, that both the first security algorithm and the second security algorithm are security algorithm 1, or that both the first security algorithm and the second security algorithm are security algorithm 2, and so on.
  • the primary node may also send the identifier of the second security algorithm to the secondary node.
  • the identifier of the second security algorithm is included in the node request.
  • the identifier of the second security algorithm is included in another message. For example, the primary node first sends a node request to the secondary node, requesting the addition of the secondary node. The primary node then sends the other message to the secondary node, which includes the identifier of the second security algorithm.
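The two ways step 702 lets the primary node fix both algorithms at once, plus the step 703/704 exchange, as an added Python example that is not the patent's own code: the catalogue `KEY_LENGTH_BITS`, the function names and the dictionary layout of the node request are assumptions for illustration, and the secondary's advertised list order is taken as its preference (the page does not say how the primary breaks ties among the secondary's algorithms). The first function picks one identifier common to primary, secondary and terminal; the second derives the first algorithm from key lengths as in step 602 and then picks a secondary algorithm of equal key length; the last two show the node request carrying the identifier of the second algorithm and the secondary's check that it and the terminal both support it.

```python
from typing import Iterable, Optional, Sequence, Tuple

# Constructed catalogue (assumption, not 3GPP values): identifiers 1..4 and key lengths in bits.
KEY_LENGTH_BITS = {1: 256, 2: 128, 3: 128, 4: 256}


def select_pair_same_identifier(primary_priority: Sequence[int], secondary_ids: Iterable[int],
                                terminal_ids: Iterable[int]) -> Optional[Tuple[int, int]]:
    """Variant where the first and second security algorithms are the same
    algorithm: walk the primary's priority list and return the first identifier
    that the secondary node and the terminal device both advertise."""
    common = set(secondary_ids) & set(terminal_ids)
    for alg in primary_priority:
        if alg in common:
            return alg, alg
    return None


def select_pair_by_key_length(primary_priority: Sequence[int], secondary_ids: Sequence[int],
                              terminal_ids: Iterable[int]) -> Optional[Tuple[int, int]]:
    """Variant where the first algorithm follows the step 602 rule and the
    second is an algorithm the secondary advertises with the same key length
    (secondary list order used as its preference; assumption)."""
    terminal = set(terminal_ids)
    second_key_length = max(KEY_LENGTH_BITS[a] for a in secondary_ids)
    first_key_length = max(KEY_LENGTH_BITS[a] for a in primary_priority)
    bound = min(first_key_length, second_key_length)
    first = next((a for a in primary_priority
                  if a in terminal and KEY_LENGTH_BITS[a] <= bound), None)
    if first is None:
        return None
    second = next((a for a in secondary_ids
                   if a in terminal and KEY_LENGTH_BITS[a] == KEY_LENGTH_BITS[first]), None)
    if second is None:
        return None
    return first, second


def build_node_request(second_algorithm: int, terminal_ids: Iterable[int]) -> dict:
    """Step 703: the node request carries the identifier of the second algorithm
    and the identifiers of the algorithms the terminal supports (layout constructed here)."""
    return {"second_algorithm": second_algorithm,
            "terminal_algorithms": sorted(set(terminal_ids))}


def secondary_accepts(request: dict, secondary_ids: Iterable[int]) -> bool:
    """Step 704: before using the identifier directly, the secondary verifies that
    both it and the terminal device support the indicated second algorithm."""
    alg = request["second_algorithm"]
    return alg in set(secondary_ids) and alg in request["terminal_algorithms"]


if __name__ == "__main__":
    print(select_pair_same_identifier((1, 2, 3), [1, 2, 3, 4], [1, 2, 3]))  # (1, 1)
    print(select_pair_by_key_length((1, 2, 3), [4, 2], [1, 2, 3, 4]))       # (1, 4)
    print(secondary_accepts(build_node_request(1, [1, 2, 3]), [1, 4]))      # True
```

Because both selection functions only ever return a pair whose two key lengths are equal, the node response of step 704 need not carry the second identifier back, which is the data saving the page mentions.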
  • Step 703 The primary node sends a node request to the secondary node.
  • the secondary node receives the node request from the primary node.
  • the node request is used to request adding a secondary node. For details, please refer to the description in step 402.
  • the node request includes an identifier of the second security algorithm.
  • the node request is further used to instruct the secondary node to transmit data with the terminal device according to the identifier of the second security algorithm included in the node request.
  • Step 704 The secondary node transmits data with the terminal device according to the second security algorithm.
  • After the secondary node obtains the identifier of the second security algorithm from the node request, it directly determines the second security algorithm based on that identifier. For example, if the node request includes the identifier of security algorithm 1, the secondary node may determine that the second security algorithm is security algorithm 1.
  • the secondary node may verify that the secondary node and/or the terminal device supports the second security algorithm, and then transmit data to the terminal device based on the second security algorithm.
  • the secondary node obtains from the node request an identifier of the security algorithm supported by the terminal device and an identifier of the second security algorithm, and determines that the security algorithms supported by the terminal device include the second security algorithm.
  • the secondary node may also send a node response to the primary node, which indicates that the secondary node has been successfully added. Since the primary node already knows the second security algorithm, the node response may not carry the identifier of the second security algorithm, which helps reduce the amount of transmitted data.
  • two redundant PDU sessions of the terminal device are used to transmit the same data of the service.
  • the data corresponding to the two PDU sessions are protected by a first security algorithm and a second security algorithm, respectively.
  • the key lengths of the two security algorithms are the same, which meets the security assumption of data redundancy transmission.
  • FIG8 is a flow chart of the fifth communication method exemplified in the present application.
  • the secondary node selected first by the primary node may be referred to as secondary node 1
  • the node request sent by the primary node to secondary node 1 may be referred to as node request 1.
  • the secondary node selected later by the primary node may be referred to as secondary node 2
  • the node request sent by the primary node to secondary node 2 may be referred to as node request 2.
  • the first security algorithm is a security algorithm for protecting data transmitted between the master node and the terminal device.
  • the master node selects the first security algorithm from the security algorithms supported by the master node based on the priority of the security algorithms supported by the master node and the security algorithms supported by the terminal device. Specific examples can be found in the description of step 400.
  • Step 802 The primary node sends node request 1 to the secondary node (i.e., secondary node 1).
  • secondary node 1 receives the node request 1 from the primary node.
  • Node request 1 is used to request the addition of secondary node 1 and includes information about the key length of the first security algorithm.
  • the key length of the first security algorithm is a preset key length.
  • If the master node determines that the key length of the first security algorithm is the preset key length, it may include information about the key length of the first security algorithm (i.e., the preset key length) in node request 1. For example, if the preset key length is 256 bits and the master node determines that the key length of the first security algorithm is 256 bits, node request 1 sent to secondary node 1 may include 256 bits; if the master node determines that the key length of the first security algorithm is 128 bits, node request 1 sent to secondary node 1 may not include 128 bits.
  • the primary node may select the secondary node 1 from the candidate nodes.
  • the implementation related to FIG8 further includes the following steps 803 to 804.
  • Step 803 The secondary node 1 sends a node response 1 to the primary node.
  • the primary node receives the node response 1 from the secondary node 1 .
  • node response 1 is the response corresponding to node request 1.
  • Node response 1 is used to indicate that adding secondary node 1 has failed.
  • node response 1 includes a failure indication (e.g., a negative acknowledgment (NACK)), which is used to indicate that adding secondary node 1 has failed.
  • secondary node 1 obtains information about the key length of the first security algorithm from node request 1. Based on the information about the key length of the first security algorithm, if secondary node 1 determines that it does not support the key length of the first security algorithm, secondary node 1 sends node response 1 to the primary node. For example, if the key length supported by secondary node 1 is 128 bits, and the information about the key length of the first security algorithm included in node request 1 is 256 bits, secondary node 1 may determine that it does not support the key length of the first security algorithm and send node response 1 to the primary node.
  • secondary node 1 obtains information about the key length of a first security algorithm from node request 1. Based on the information about the key length of the first security algorithm, if secondary node 1 determines that the key length of the first security algorithm is supported, secondary node 1 then determines a second security algorithm. Furthermore, upon determining that the key lengths of the first security algorithm and the second security algorithm are different, secondary node 1 sends node response 1 to the primary node. For example, if secondary node 1 supports key lengths of 128 bits and 256 bits, and the information about the key length of the first security algorithm included in node request 1 is 256 bits, secondary node 1 may determine that it supports the key length of the first security algorithm.
  • secondary node 1 determines that the key length of the second security algorithm is 128 bits (for example, secondary node 1 determines the second security algorithm based on the priority of the security algorithms supported by secondary node 1, and the key length of the second security algorithm is 128 bits). Secondary node 1 determines that the key length of the first security algorithm (i.e., 256 bits) is different from the key length of the second security algorithm (i.e., 128 bits), and sends node response 1 to the primary node.
  • secondary node 1 determines the second security algorithm. Further, secondary node 1 determines that the key length of the first security algorithm differs from the key length of the second security algorithm and sends node response 1 to the primary node.
  • the key length information of the first security algorithm included in node request 1 is 256 bits.
  • the key length of the second security algorithm is 128 bits. Secondary node 1 determines that the key length of the first security algorithm (i.e., 256 bits) differs from the key length of the second security algorithm (i.e., 128 bits) and sends node response 1 to the primary node.
  • the node response 1 may further include a reason value corresponding to the failure indication, which is used to indicate the reason why the secondary node 1 returns the failure indication to the primary node.
  • For example, when the reason value is 1, the reason is that secondary node 1 does not support the key length of the first security algorithm; when the reason value is 2, the reason is that although secondary node 1 supports the key length of the first security algorithm, the key length of the second security algorithm determined by secondary node 1 is different from the key length of the first security algorithm; when the reason value is 3, the reason is that the key length of the second security algorithm determined by secondary node 1 is different from the key length of the first security algorithm, without indicating whether secondary node 1 supports the key length of the first security algorithm.
  • Step 804 The primary node reselects a secondary node (i.e., secondary node 2).
  • the master node selects secondary node 2 from the candidate nodes.
  • secondary node 2 is different from secondary node 1, and the master node specifically selects secondary node 2 from the candidate nodes other than secondary node 1.
  • the master node prioritizes secondary node 1 over secondary node 2.
  • the signal strength of secondary node 1 is higher than the signal strength of secondary node 2.
  • Step 806 The secondary node 2 sends a node response 2 to the primary node.
  • the primary node receives the node response 2 from the secondary node 2 .
  • Node response 2 is a response corresponding to node request 2.
  • Node response 2 is used to indicate that the secondary node 2 is successfully added.
  • node response 2 includes a success indication, which is used to indicate that the secondary node 2 is successfully added.
  • secondary node 2 obtains information about the key length of the first security algorithm from node request 2. Based on the information about the key length of the first security algorithm, secondary node 2 determines that secondary node 2 supports the key length of the first security algorithm. Then, based on the key length of the first security algorithm, secondary node 2 determines a second security algorithm, where the key length of the first security algorithm is equal to the key length of the second security algorithm. Secondary node 2 sends node response 2 to the primary node. For example, the secondary node supports security algorithm 1, and the key length of security algorithm 1 is 256 bits. The information about the key length of the first security algorithm included in node request 2 is 256 bits. The secondary node determines that it supports the key length of the first security algorithm, and then, based on the key length of the first security algorithm, determines that the second security algorithm is security algorithm 1, and sends node response 2 to the primary node.
  • secondary node 2 obtains the information about the key length of the first security algorithm from node request 2 and determines the second security algorithm based on that information. Further, secondary node 2 determines that the key length of the first security algorithm is the same as the key length of the second security algorithm, and sends node response 2 to the primary node.
  • the secondary node supports security algorithm 1, the key length of security algorithm 1 is 256 bits, and the information about the key length of the first security algorithm included in node request 2 is 256 bits. The secondary node can then determine that it supports the key length of the first security algorithm. Further, the secondary node determines that the second security algorithm is security algorithm 1. The secondary node determines that the key length of the first security algorithm (i.e., 256 bits) is the same as the key length of the second security algorithm (i.e., 256 bits), and sends node response 2 to the primary node.
  • secondary node 2 determines the second security algorithm. Further, secondary node 2 determines that the key length of the first security algorithm is the same as the key length of the second security algorithm, and sends node response 2 to the primary node.
  • the secondary node supports security algorithm 1
  • the key length of security algorithm 1 is 256 bits
  • the information about the key length of the first security algorithm included in node request 2 is 256 bits.
  • the secondary node determines that the second security algorithm is security algorithm 1
  • the secondary node determines that the key length of the first security algorithm (i.e., 256 bits) is the same as the key length of the second security algorithm (i.e., 256 bits), and sends node response 2 to the primary node.
  • Node Response 2 includes an identifier of the second security algorithm.
  • the master node may obtain the identifier of the second security algorithm from Node Response 2 and send the identifier of the second security algorithm to the terminal device.
  • the terminal device obtains the identifier of the second security algorithm.
  • the identifier of the second security algorithm is carried in an RRC connection reconfiguration message sent by the master node to the terminal device.
  • Step 807 The secondary node 2 transmits data with the terminal device according to the second security algorithm.
  • For details not described in step 807, please refer to the description of step 404.
  • the present application provides, by way of example, three judgment methods by which the secondary node (i.e., secondary node 1 or secondary node 2) decides which node response to send to the master node after receiving the node request.
  • content not described in detail in the following three judgment methods can be found in the description of the relevant embodiment of Figure 8.
  • the information about the key length of the first security algorithm may serve one or more of the following purposes: for the secondary node to determine whether it supports the key length of the first security algorithm, to determine the second security algorithm, to determine whether the key length of the second security algorithm matches the key length of the first security algorithm, or to determine which node response to send to the master node.
  • the node response either indicates that adding the secondary node failed or indicates that adding the secondary node succeeded.
  • Method A corresponds to the above examples a1 and a2.
  • For the specific process, please refer to the first judgment method of the secondary node shown in FIG. 9.
  • step A1 the secondary node determines whether it supports a key length of a first security algorithm.
  • Step A2 The secondary node sends a node response to the primary node, where the node response indicates that adding the secondary node has failed.
  • step A3 the secondary node determines a second security algorithm according to the key length of the first security algorithm.
  • Step A4 The secondary node sends a node response to the primary node.
  • the node response is used to indicate that the secondary node is added successfully.
  • step B1 the secondary node determines whether it supports the key length of the first security algorithm.
  • step B2 the secondary node sends a node response to the primary node, where the node response is used to indicate that adding the secondary node has failed.
  • Step B3 The secondary node determines a second security algorithm.
  • Step B5 The secondary node sends a node response to the primary node.
  • the node response is used to indicate that adding the secondary node fails.
  • Step B6 The secondary node sends a node response to the primary node.
  • the node response is used to indicate that the secondary node is added successfully.
  • step C2 the secondary node determines whether the key length of the first security algorithm is the same as the key length of the second security algorithm.
  • step C3 the secondary node sends a node response to the primary node, where the node response is used to indicate that adding the secondary node has failed.
  • the master node determines which secondary node can be successfully added by sending a node request to the secondary node and receiving a node response from the secondary node.
  • a successfully added secondary node satisfies the following condition: the master node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, as secure communication requires.
  • a secondary node added according to the solution of the present application allows the security algorithms selected by the master node and the secondary node to have the same key length.
  • the master node may determine that a redundancy condition is satisfied.
  • the redundancy condition may include one or more of the following conditions 1 to 4:
  • Condition 1 The terminal device uses a data redundancy transmission service (such as URLLC).
  • Condition 2 The network establishes a redundant user plane path for the terminal device.
  • Condition 3 The network establishes a redundant PDU session for the terminal device.
  • Condition 4 The network implements redundant transmission for the terminal device.
  • the master node may determine that the redundancy condition is satisfied in the process as shown in FIG. 12 .
  • Step 1201 The terminal device sends PDU session request 1 and PDU session request 2 to the AMF.
  • PDU session request 1 carries data network name (DNN) 1 and single network slice selection assistance information (S-NSSAI) 1
  • PDU session request 2 carries DNN2 and S-NSSAI2.
  • DNN1 and DNN2 are the same, and S-NSSAI1 and S-NSSAI2 are different.
  • AMF selects SMF1 according to DNN1 and S-NSSAI1 in PDU session request 1, and forwards PDU session request 1 to SMF1; selects SMF2 according to DNN2 and S-NSSAI2 in PDU session request 2, and forwards PDU session request 2 to SMF2.
  • step 1203 SMF1 determines that PDU session 1 corresponding to PDU session request 1 is a redundant session based on PDU session policy 1 corresponding to the terminal device. It then generates a redundancy sequence number (RSN) 1 and a PDU session pair ID 1. SMF1 sends a redundant session indication 1 to the master node, which carries RSN 1 and PDU session pair ID 1. The PDU session policy 1 corresponding to the terminal device comes from the PCF.
  • SMF2 determines that PDU Session 2 corresponding to PDU Session Request 2 is a redundant session and generates RSN2 and PDU Session Pair ID2. SMF2 sends Redundant Session Indication 2 to the master node, which carries RSN2 and PDU Session Pair ID2.
  • the PDU Session Policy 2 corresponding to the terminal device comes from the PCF.
  • step 1204 the master node determines that the RSNs carried in the redundant session indication 1 and the redundant session indication 2 are different, and the PDU session pair IDs carried are the same, and then determines that the two PDU sessions corresponding to the redundant session indication 1 and the redundant session indication 2 are redundant sessions of each other, that is, the master node determines that the redundancy condition is met.
  • when the terminal device determines that the data redundancy transmission service is required, it may determine RSN1 and PDU session pair ID1, and RSN2 and PDU session pair ID2, where RSN1 and RSN2 are different and PDU session pair ID1 and PDU session pair ID2 are the same.
  • the terminal device sends PDU session request 1 and PDU session request 2 to the AMF.
  • PDU session request 1 carries not only DNN1 and S-NSSAI1, but also RSN1 and PDU session pair ID1.
  • PDU session request 2 carries not only DNN2 and S-NSSAI2, but also RSN2 and PDU session pair ID2.
  • SMF1 sends redundant session indication 1 to the master node, carrying RSN1 and PDU session pair ID1.
  • SMF2 sends redundant session indication 2 to the master node, carrying RSN2 and PDU session pair ID2.
  • the master node determines that the two PDU sessions corresponding to redundant session indication 1 and redundant session indication 2 are redundant sessions, that is, determines that the redundancy condition is met.
  • the terminal device may not have established a PDU session with the network. Subsequently, when the terminal device determines that the data redundancy transmission service is required, it sends PDU session request 1 and PDU session request 2 to the AMF, and then establishes redundant PDU session 1 and PDU session 2 based on the embodiment of Figure 12.
  • the terminal device has already established PDU session 0 with the network, and the master node and the terminal device have negotiated a security algorithm (denoted as the third security algorithm).
  • when the terminal device determines that the data redundancy transmission service is required, it sends PDU session request 1 and PDU session request 2 to the AMF, and then establishes redundant PDU session 1 and PDU session 2 according to the embodiment of Figure 12.
  • the master node can reuse the previous third security algorithm, that is, the first security algorithm is the third security algorithm.
  • the master node can determine the secondary node based on the third security algorithm. For details, please refer to the description of the first communication method and the fifth communication method above.
  • step numbers in any of the flowcharts in Figures 4 to 12 are merely examples of the execution process and do not constitute a limitation on the order in which the steps are executed. In the embodiments of the present application, there is no strict execution order between steps that have no temporal dependencies. Not all of the steps shown in the flowcharts are required to be executed. Some steps can be deleted from each flowchart based on actual needs, or other possible steps can be added to each flowchart based on actual needs.
  • when the master node selects the first security algorithm from the security algorithms supported by the master node, it must consider the security algorithms supported by the terminal device and the priority of the security algorithms supported by the master node. That is, the first security algorithm selected by the master node is a security algorithm supported by both the master node and the terminal device and has a higher priority.
  • when the secondary node selects the second security algorithm from the security algorithms supported by the secondary node, it must consider the security algorithms supported by the terminal device and the priority of the security algorithms supported by the secondary node.
  • this application focuses on how to ensure that the key length of the first security algorithm equals the key length of the second security algorithm, so that the master node protects the data transmitted between itself and the terminal device using the first security algorithm and the secondary node protects the data transmitted between itself and the terminal device using the second security algorithm, thereby achieving the security of the communication system.
  • this application only describes the differences among the five communication methods. Except for the differences, the five communication methods can refer to each other. In addition, different implementations or different examples in the same communication method can also refer to each other.
  • the communication device 1300 also includes a storage module 1303 (not shown in Figure 13), and the storage module 1303 is used to pre-configure information about the key length of the security algorithm supported by the candidate node.
  • the processing module 1301 is also used to obtain the key length of the security algorithm supported by the candidate node from the storage module 1303; or, the processing module 1301 controls the transceiver module 1302 to obtain information about the key length of the security algorithm supported by the candidate node from the candidate node.
  • the processing module 1301 is specifically configured to: determine a secondary node based on the key length of the first security algorithm and the key length of the security algorithm supported by the candidate node when determining that a redundancy condition is satisfied; or determine a secondary node based on the key length of the security algorithm supported by the primary node and the key length of the security algorithm supported by the candidate node.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses URLLC service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.
  • the communication device 1300 further includes a storage module 1303, which is used to pre-configure information about the security algorithms supported by the secondary node.
  • when the processing module 1301 obtains the information about the security algorithms supported by the secondary node, it is specifically configured to obtain that information from the storage module 1303.
  • when the processing module 1301 obtains the information about the security algorithms supported by the secondary node, it is specifically configured to control the transceiver module 1302 to obtain that information from the secondary node.
  • the processing module 1301 is specifically configured to: determine a first security algorithm based on information about security algorithms supported by the secondary node when a redundancy condition is determined to be met.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1: the terminal device uses URLLC services; condition 2: a redundant user plane path is established for the terminal device; condition 3: a redundant PDU session is established for the terminal device; or condition 4: redundant transmission is implemented for the terminal device.
  • the information of the security algorithm includes information about the key length of the security algorithm.
  • when the processing module 1301 determines the first security algorithm based on the information about the security algorithms supported by the secondary node, it is specifically configured to determine the first security algorithm based on the information about the key length of the security algorithms supported by the secondary node and the information about the security algorithms supported by the primary node.
  • the security algorithm information includes an identifier of the security algorithm.
  • the processing module 1301 is specifically configured to: determine the first security algorithm and a second security algorithm based on the identifier of the security algorithm supported by the secondary node and the information about the security algorithms supported by the primary node, where the second security algorithm is a security algorithm used to protect data transmitted between the secondary node and the terminal device.
  • the transceiver module 1302 is further configured to send the identifier of the second security algorithm to the secondary node.
  • Processing module 1301 is configured to determine a first security algorithm, where the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • Transceiver module 1302 is configured to send a node request to a secondary node, requesting the addition of the secondary node.
  • the node request includes information about the key length of the first security algorithm.
  • the transceiver module 1302 is specifically configured to: send a node request including information about the key length of the first security algorithm to the secondary node if the processing module 1301 determines that a redundancy condition is met.
  • the redundancy condition includes one or more of the following conditions 1 to 4: condition 1: the terminal device uses URLLC services; condition 2: a redundant user plane path is established for the terminal device; condition 3: a redundant PDU session is established for the terminal device; or condition 4: redundant transmission is implemented for the terminal device.
  • when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm.
  • the transceiver module 1302 is further configured to receive a node response from the secondary node, the node response being used to indicate a failure to add the secondary node.
  • the processing module 1301 is further configured to reselect a secondary node, and the transceiver module 1302 is further configured to send a node request to the reselected secondary node.
  • Transceiver module 1302 is configured to receive a node request from a primary node, requesting the addition of a secondary node.
  • the node request includes information about the key length of a first security algorithm used to protect data transmitted between the primary node and a terminal device.
  • Processing module 1301 is configured to determine a second security algorithm based on the key length of the first security algorithm. The second security algorithm is used to protect data transmitted between the secondary node and the terminal device.
  • the processing module 1301 is further configured to control the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm.
  • the transceiver module 1302 is used to receive a node request from the master node, the node request is used to request the addition of a secondary node, and the node request includes an identifier of the second security algorithm; the processing module 1301 is used to control the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm.
  • the processing module 1301 is configured to control the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm, and is further configured to determine whether the secondary node and/or the terminal device supports the second security algorithm.
  • the transceiver module 1302 is further configured to send a node response to the primary node, where the node response is used to indicate that the secondary node is successfully added, and the node response does not carry an identifier of the second security algorithm.
  • the transceiver module 1302 is used to receive a node request, which is used to request the addition of a secondary node.
  • the node request includes information on the key length of the first security algorithm, which is a security algorithm used to protect data transmitted between the primary node and the terminal device.
  • the processing module 1301 is used to determine that the key length of the first security algorithm is not supported; the transceiver module 1302 is further used to send a node response to the primary node, where the node response is used to indicate that adding the secondary node fails; or,
  • the processing module 1301 is configured to select a second security algorithm; when the key length of the first security algorithm is different from the key length of the second security algorithm, the transceiver module 1302 is further configured to send a node response to the primary node, where the node response is used to indicate that the addition of the secondary node has failed; or
  • the processing module 1301 is used to select a second security algorithm based on the key length of the first security algorithm; the transceiver module 1302 is also used to send a node response to the master node, and the node response is used to indicate that the secondary node is successfully added, wherein the key length of the first security algorithm is the same as the key length of the second security algorithm.
  • further details of the processing module 1301 and the transceiver module 1302 can be obtained by referring to the relevant description in the method embodiments above, and are not repeated here.
  • communication device 1400 includes a processor 1410 and an interface circuit 1420.
  • Processor 1410 and interface circuit 1420 are coupled to each other.
  • interface circuit 1420 can be a transceiver or an input/output interface.
  • communication device 1400 may also include a memory 1430 for storing instructions executed by processor 1410, input data required by processor 1410 to execute instructions, or data generated after processor 1410 executes instructions.
  • the processor 1410 is used to implement the functions of the above-mentioned processing module 1301, and the interface circuit 1420 is used to implement the functions of the above-mentioned transceiver module 1302.
  • the module of the wireless access node implements the functions of the wireless access node in the above-mentioned method embodiment.
  • the wireless access node is a master node, and the module of the wireless access node receives information from other modules in the wireless access node (such as a radio frequency module or an antenna), where the information is sent by the secondary node to the wireless access node; or, the module of the wireless access node sends information to other modules in the wireless access node (such as a radio frequency module or an antenna), where the information is sent by the wireless access node to the secondary node.
  • the module of the wireless access node here can be the baseband chip of the wireless access node, or it can be a distributed unit (DU) or other module.
  • the DU here can be a DU under the open radio access network (O-RAN) architecture.
  • processors in the embodiments of the present application may be a central processing unit (CPU), or may be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application can be implemented by hardware or by a processor executing software instructions.
  • the software instructions can be composed of corresponding software modules, which can be stored in random access memory, flash memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, registers, hard disk, removable hard disk, CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor so that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage medium can be located in an ASIC.
  • the ASIC can be located in a wireless access node.
  • the processor and storage medium can also exist as discrete components in the wireless access node.
  • all or part of the embodiments may be implemented using software, hardware, firmware, or any combination thereof.
  • all or part of the embodiments may be implemented in the form of a computer program product.
  • a computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions of the embodiments of the present application are performed in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a user device, or other programmable device.
  • the computer program or instructions may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another.
  • the computer program or instructions may be transferred from one website, computer, server, or data center to another website, computer, server, or data center via wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center that integrates one or more available media.
  • the available media may be magnetic media, such as floppy disks, hard disks, or magnetic tapes; optical media, such as digital video disks; or semiconductor media, such as solid-state drives.
  • the computer-readable storage medium may be a volatile or nonvolatile storage medium, or may include both volatile and nonvolatile types of storage media.
  • “At least one” means one or more, and “plural” means two or more.
  • “And/or” describes an association relationship between associated objects, indicating that three relationships may exist.
  • “A and/or B” can mean: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural.
  • the character “/” generally indicates that the previous and next associated objects are in an “or” relationship; in the formula of this application, the character “/” indicates that the previous and next associated objects are in a “division” relationship.
  • “Including at least one of A, B and C” can mean: including A; including B; including C; including A and B; including A and C; including B and C; including A, B and C.
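As an added example (not code from the patent or from Huawei), the following Python model plays out the node request / node response exchange described above for the three secondary-node judgment methods A, B and C, including the master node's reselection after a failure response (steps 804 and 806). Algorithm identifiers, node names and the candidate ordering are constructed; the selection step preceding C2 is not listed on the page and is modelled on the example in which secondary node 2 first determines its second security algorithm.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityAlgorithm:
    ident: str      # algorithm identifier (constructed names, not standard ones)
    key_len: int    # key length in bits


@dataclass(frozen=True)
class NodeResponse:
    success: bool                       # True: "secondary node successfully added"
    algorithm_id: Optional[str] = None  # identifier of the second security algorithm, if carried


class SecondaryNode:
    def __init__(self, name: str, supported: list):
        self.name = name
        self.supported = list(supported)  # supported algorithms, in this node's own priority order

    def _supports_key_length(self, key_len: int) -> bool:
        return any(a.key_len == key_len for a in self.supported)

    def handle_node_request(self, method: str, first_key_len: int) -> NodeResponse:
        """Build the node response to a node request carrying the key length of
        the first security algorithm, using judgment method A, B or C."""
        if method == "A":
            # A1/A2: reject if the key length itself is unsupported.
            if not self._supports_key_length(first_key_len):
                return NodeResponse(False)
            # A3/A4: choose the second algorithm *by* that key length, so lengths always match.
            second = next(a for a in self.supported if a.key_len == first_key_len)
            return NodeResponse(True, second.ident)
        if method == "B":
            # B1/B2: same support check as in A.
            if not self._supports_key_length(first_key_len):
                return NodeResponse(False)
            # B3: choose the second algorithm by the node's own priority, then
            # B5/B6: fail unless its key length equals the first algorithm's.
            second = self.supported[0]
            if second.key_len != first_key_len:
                return NodeResponse(False)
            return NodeResponse(True, second.ident)
        if method == "C":
            # C2/C3: no support check; pick by own priority (assumed selection step)
            # and compare key lengths only.
            second = self.supported[0]
            if second.key_len != first_key_len:
                return NodeResponse(False)
            return NodeResponse(True, second.ident)
        raise ValueError(f"unknown judgment method {method!r}")


class MasterNode:
    def __init__(self, first_algorithm: SecurityAlgorithm, candidates: list):
        self.first = first_algorithm        # protects master <-> terminal data
        self.candidates = list(candidates)  # candidate nodes in the master's preference order

    def add_secondary(self, method: str):
        """Send a node request (carrying the first algorithm's key length) to each
        candidate in turn and reselect on a failure response.
        Returns (secondary node name, second algorithm identifier) or None."""
        for cand in self.candidates:
            resp = cand.handle_node_request(method, self.first.key_len)
            if resp.success:
                # The master would now forward resp.algorithm_id to the terminal
                # device in an RRC connection reconfiguration message.
                return cand.name, resp.algorithm_id
        return None  # every candidate refused; no secondary node added


# Constructed scenario: the master uses a 256-bit algorithm. Secondary node 1 only
# has 128-bit algorithms, node 2 has both but prefers 128-bit, node 3 has 256-bit only.
ALG_128 = SecurityAlgorithm("ALG-128-1", 128)
ALG_256_A = SecurityAlgorithm("ALG-256-1", 256)
ALG_256_B = SecurityAlgorithm("ALG-256-2", 256)
SN1 = SecondaryNode("secondary node 1", [ALG_128])
SN2 = SecondaryNode("secondary node 2", [ALG_128, ALG_256_A])
SN3 = SecondaryNode("secondary node 3", [ALG_256_B])
MASTER = MasterNode(ALG_256_A, [SN1, SN2, SN3])


def run_all_methods() -> dict:
    """Outcome per judgment method: A succeeds at node 2 because it selects by key
    length; B and C reject node 2 (its preferred algorithm is 128-bit) and the
    master falls through to node 3."""
    return {m: MASTER.add_secondary(m) for m in ("A", "B", "C")}


if __name__ == "__main__":
    for method, outcome in run_all_methods().items():
        print(f"method {method}: {outcome}")
```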
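Added example, not from the patent: the master node's redundancy-condition check of step 1204 (same PDU session pair ID, different RSNs) and the rule that the node request carries the first security algorithm's key length only when that condition is met. Terminal names, PDU session identifiers, RSN values and pair ID values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RedundantSessionIndication:
    """What an SMF sends the master node for one PDU session (step 1203)."""
    terminal: str         # terminal device the PDU session belongs to (constructed id)
    pdu_session_id: int   # constructed identifier of the PDU session
    rsn: int              # redundancy sequence number
    pair_id: int          # PDU session pair ID


class MasterNode:
    def __init__(self) -> None:
        self._indications = defaultdict(list)  # terminal -> indications received

    def receive(self, ind: RedundantSessionIndication) -> None:
        self._indications[ind.terminal].append(ind)

    def redundant_pairs(self, terminal: str) -> list:
        """Step 1204: two indications with the same PDU session pair ID but
        different RSNs mark their PDU sessions as redundant sessions of each other."""
        pairs = []
        inds = self._indications.get(terminal, [])
        for i, a in enumerate(inds):
            for b in inds[i + 1:]:
                if a.pair_id == b.pair_id and a.rsn != b.rsn:
                    pairs.append((a.pdu_session_id, b.pdu_session_id))
        return pairs

    def redundancy_condition_met(self, terminal: str) -> bool:
        """Condition 3 above: a redundant PDU session is established for the terminal."""
        return bool(self.redundant_pairs(terminal))

    def build_node_request(self, terminal: str, first_key_len: int) -> dict:
        """Node request for adding a secondary node. The key length of the first
        security algorithm is carried only when the redundancy condition holds,
        the variant described for transceiver module 1302 above."""
        request = {"terminal": terminal, "request": "add secondary node"}
        if self.redundancy_condition_met(terminal):
            request["first_key_len"] = first_key_len
        return request


def master_demo() -> MasterNode:
    """Constructed traffic: UE-1 gets a proper redundant pair (same pair ID, RSN 1 vs 2);
    UE-2's two sessions share a pair ID but also share the RSN; UE-3's sessions have
    different RSNs but different pair IDs. Only UE-1 meets the condition."""
    m = MasterNode()
    m.receive(RedundantSessionIndication("UE-1", 1, rsn=1, pair_id=7))  # from SMF1
    m.receive(RedundantSessionIndication("UE-1", 2, rsn=2, pair_id=7))  # from SMF2
    m.receive(RedundantSessionIndication("UE-2", 3, rsn=1, pair_id=9))
    m.receive(RedundantSessionIndication("UE-2", 4, rsn=1, pair_id=9))
    m.receive(RedundantSessionIndication("UE-3", 5, rsn=1, pair_id=5))
    m.receive(RedundantSessionIndication("UE-3", 6, rsn=2, pair_id=6))
    return m


if __name__ == "__main__":
    m = master_demo()
    for ue in ("UE-1", "UE-2", "UE-3"):
        print(ue, m.redundant_pairs(ue), m.build_node_request(ue, 256))
```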

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A communication method and apparatus, which are used for realizing the security of a communication system in a scenario where the communication system needs to simultaneously support a 128-bit algorithm and a 256-bit algorithm. The method in the present application comprises: a primary node determining a secondary node on the basis of a key length of a first security algorithm (or a key length of a security algorithm supported by the primary node) and key lengths of security algorithms supported by alternative nodes, wherein the first security algorithm is a security algorithm for protecting data transmitted between the primary node and a terminal device, and the alternative nodes comprise the secondary node; the primary node sending a node request to the secondary node, wherein the node request is used for requesting the addition of the secondary node; furthermore, the secondary node determining a second security algorithm, wherein the second security algorithm is used for protecting data transmitted between the secondary node and the terminal device, for example, the key length of the second security algorithm is equal to the key length of the first security algorithm.

Description

Communication method and device

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of the People's Republic of China on February 8, 2024, with application number 202410178204.8 and invention name "A Communication Method and Device", the entire contents of which are incorporated by reference into this application.

Technical Field

The embodiments of the present application relate to the field of wireless communications, and in particular to a communication method and apparatus.

Background Art

In communication systems, symmetric security algorithms are commonly used to protect data transmitted between terminal devices and the network side. These algorithms use a 128-bit key length (collectively, they are referred to as 128-bit algorithms). However, with the increasing computing power of computers, and especially the threat of quantum computers, 128-bit algorithms face the risk of being broken by quantum computers. Therefore, industry experts recommend upgrading symmetric security algorithms from 128-bit algorithms to 256-bit algorithms, that is, protecting data with a symmetric security algorithm whose key length is 256 bits.

When 256-bit algorithms are introduced, the communication system needs to support both 128-bit and 256-bit algorithms. In this scenario, how to ensure the security of the communication system is a technical problem that urgently needs to be solved.

Summary of the Invention

The present application provides a communication method and apparatus for achieving the security of a communication system in a scenario where the communication system needs to support both 128-bit algorithms and 256-bit algorithms.

In a first aspect, the present application provides a communication method that can be performed by a first communication device, which can serve as the master node of a terminal device in dual connectivity (DC) mode. The first communication device can be a wireless access node or a component (such as a chip) of a wireless access node. For ease of description, the following uses execution by the master node as an example.

The method includes: a primary node determining a secondary node based on the key length of a security algorithm supported by the primary node and the key length of a security algorithm supported by a candidate node, or the primary node determining a secondary node based on the key length of a first security algorithm and the key length of a security algorithm supported by the candidate node, wherein the first security algorithm is a security algorithm used to protect data transmitted between the primary node and a terminal device. The candidate nodes include the secondary node. The primary node sends a node request to the secondary node, wherein the node request is used to request the addition of the secondary node.

上述技术方案中,主节点在从备选节点中选择辅节点时,考虑第一安全算法的密钥长度(或考虑主节点支持的安全算法的密钥长度)和备选节点支持的安全算法的密钥长度,并请求添加该选择出的辅节点。从而能够使得辅节点的选择更加合理,便于后续辅节点能够选择出合适的安全算法。具体的,选择出的辅节点能够满足如下条件:主节点和辅节点各自能确定出合适的安全算法,从而使得主节点与终端设备之间的传输数据的安全强度,和辅节点与终端设备之间的传输数据的安全强度相契合,以符合安全通信的要求。比如,按照本申请方案选出的辅节点能够使得主节点和辅节点各自选择出的安全算法的密钥长度相同。In the above technical solution, when the main node selects a secondary node from the alternative nodes, it considers the key length of the first security algorithm (or the key length of the security algorithm supported by the main node) and the key length of the security algorithm supported by the alternative node, and requests to add the selected secondary node. This can make the selection of the secondary node more reasonable, and facilitates the subsequent secondary nodes to select a suitable security algorithm. Specifically, the selected secondary node can meet the following conditions: the main node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the main node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, so as to meet the requirements of secure communication. For example, the secondary node selected according to the solution of the present application can make the key lengths of the security algorithms selected by the main node and the secondary node the same.

进一步的,在终端设备使用双连接模式下的数据冗余传输(如超高可靠低时延通信(ultra reliable and low latency communications,URLLC))业务时,终端设备的两个互为冗余的协议数据单元(protocol data unit,PDU)会话用于传输业务的数据,该两个PDU会话对应的数据分别由主节点和辅节点各自使用选择出的安全算法进行保护,两个安全算法的密钥长度相同,符合数据冗余传输的安全假设。Furthermore, when the terminal device uses data redundant transmission (such as ultra reliable and low latency communications (URLLC)) services in dual connection mode, the terminal device's two redundant protocol data unit (PDU) sessions are used to transmit service data. The data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms. The key lengths of the two security algorithms are the same, which meets the security assumption of data redundant transmission.

在一种可能的实现方式中,辅节点支持的安全算法的密钥长度不低于第一安全算法的密钥长度,示例性的,辅节点支持的安全算法的最大密钥长度不低于第一安全算法的密钥长度。或,辅节点支持的安全算法的密钥长度不低于主节点支持的安全算法的最大密钥长度,示例性的,辅节点支持的安全算法的最大密钥长度不低于主节点支持的安全算法的最大密钥长度。In one possible implementation, the key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm. Exemplarily, the maximum key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm. Alternatively, the key length of the security algorithm supported by the secondary node is not less than the maximum key length of the security algorithm supported by the primary node. Exemplarily, the maximum key length of the security algorithm supported by the secondary node is not less than the maximum key length of the security algorithm supported by the primary node.

上述技术方案中,辅节点支持的安全算法的密钥长度不低于第一安全算法的密钥长度或者主节点支持的安全算法的密钥长度,从而使得该辅节点有能力选择出合适的安全算法用于保护辅节点与终端设备之间的传输数据。也即是,避免主节点随意确定的辅节点无法选择合适的安全算法。比如,主节点确定了256位算法用于保护主节点与终端设备之间的传输数据,该情况下,若辅节点不支持256位算法而只支持128位算法,则该辅节点无法选择256位算法来达到安全要求。In the above technical solution, the key length of the security algorithm supported by the secondary node is not less than the key length of the first security algorithm or the key length of the security algorithm supported by the primary node, so that the secondary node is able to select an appropriate security algorithm to protect the data transmitted between the secondary node and the terminal device. In other words, it avoids the secondary node being arbitrarily determined by the primary node and unable to select an appropriate security algorithm. For example, if the primary node determines a 256-bit algorithm to protect the data transmitted between the primary node and the terminal device, in this case, if the secondary node does not support the 256-bit algorithm and only supports the 128-bit algorithm, the secondary node cannot select the 256-bit algorithm to meet the security requirements.

在一种可能的实现方式中,节点请求中包括第一安全算法的密钥长度的信息。具体的,第一安全算法的密钥长度的信息用于确定辅节点与终端设备之间传输的数据的安全算法。In a possible implementation, the node request includes information about the key length of the first security algorithm. Specifically, the information about the key length of the first security algorithm is used to determine the security algorithm for data transmitted between the secondary node and the terminal device.

上述技术方案中,辅节点能够从节点请求中获得第一安全算法的密钥长度的信息,根据第一安全算法的密钥长度的信息,选择安全算法。主节点和辅节点可各自选择出合适的安全算法,并基于各自选择出的安全算法保护与终端设备之间传输的数据,实现通信系统的安全性。例如,主节点和辅节点各自选择出的安全算法的密钥长度相同,在终端设备使用数据冗余传输业务的场景中,符合数据冗余传输的安全假设。In the above technical solution, the secondary node can obtain information about the key length of the first security algorithm from the node request and select a security algorithm based on this information. The primary and secondary nodes can each select an appropriate security algorithm and, based on their respective selected security algorithms, protect data transmitted between them and the terminal device, thereby achieving security for the communication system. For example, if the security algorithms selected by the primary and secondary nodes each have the same key length, this meets the security assumptions of data redundancy transmission in scenarios where the terminal device uses data redundancy transmission services.

在一种可能的实现方式中,在第一安全算法的密钥长度是预设密钥长度的情况下,节点请求中包括第一安全算法的密钥长度的信息,预设密钥长度例如是256位。In a possible implementation, when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm. The preset key length is, for example, 256 bits.

上述技术方案中,提供节点请求中包括第一安全算法的密钥长度的信息的一个触发条件,即第一安全算法的密钥长度是预设密钥长度。可以理解,当第一安全算法的密钥长度低于预设密钥长度时,可无需在节点请求中携带第一安全算法的密钥长度的信息,减少信令交互时占用的比特数。In the above technical solution, a triggering condition is provided where the node request includes information about the key length of the first security algorithm, namely, the key length of the first security algorithm is a preset key length. It will be appreciated that when the key length of the first security algorithm is less than the preset key length, it is not necessary to include the key length information of the first security algorithm in the node request, thereby reducing the number of bits occupied during signaling exchanges.

在一种可能的实现方式中,主节点中预配置有备选节点支持的安全算法的密钥长度的信息;或,主节点从备选节点中获得备选节点支持的安全算法的密钥长度的信息。In a possible implementation, the master node is preconfigured with information about the key length of the security algorithm supported by the candidate node; or the master node obtains information about the key length of the security algorithm supported by the candidate node from the candidate node.

其中,备选节点支持的安全算法的密钥长度的信息,可以是,备选节点支持的多个安全算法的多个密钥长度的标识,或是,备选节点支持的多个密钥长度中的最大密钥长度的标识,或是,备选节点是否支持预设密钥长度的指示,预设密钥长度可以是256位。Among them, the information on the key length of the security algorithm supported by the alternative node can be an identifier of multiple key lengths of multiple security algorithms supported by the alternative node, or an identifier of the maximum key length among multiple key lengths supported by the alternative node, or an indication of whether the alternative node supports a preset key length, and the preset key length can be 256 bits.

上述技术方案中,提供主节点获得备选节点支持的安全算法的密钥长度的信息的方式,从而主节点能够根据备选节点支持的安全算法的密钥长度,从备选节点中选择辅节点。In the above technical solution, a method is provided for the master node to obtain information about the key length of the security algorithm supported by the candidate node, so that the master node can select a secondary node from the candidate node based on the key length of the security algorithm supported by the candidate node.

在一种可能的实现方式中,主节点在确定满足冗余条件的情况下,根据第一安全算法的密钥长度和备选节点支持的安全算法的密钥长度,确定辅节点;或,主节点根据主节点支持的安全算法的密钥长度和备选节点支持的安全算法的密钥长度,确定辅节点。其中,冗余条件包括如下条件1至条件4中一项或多项:条件1,终端设备使用数据冗余传输(如URLLC)业务;条件2,为终端设备建立冗余用户面路径;条件3,为终端设备建立冗余PDU会话;或,条件4,为终端设备实现冗余传输。In one possible implementation, upon determining that a redundancy condition is met, the primary node determines a secondary node based on the key length of the first security algorithm and the key length of the security algorithm supported by the backup node; or, the primary node determines the secondary node based on the key length of the security algorithm supported by the primary node and the key length of the security algorithm supported by the backup node. The redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a data redundancy transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

上述技术方案中,提供主节点在确定辅节点时,考虑第一安全算法的密钥长度(或主节点支持的安全算法的密钥长度)和备选节点支持的安全算法的密钥长度的触发条件,也即是,在确定满足冗余条件时执行上述方法,避免主节点不必要的动作。In the above technical solution, the main node considers the trigger conditions of the key length of the first security algorithm (or the key length of the security algorithm supported by the main node) and the key length of the security algorithm supported by the alternative node when determining the secondary node. That is, the above method is executed when it is determined that the redundancy condition is met to avoid unnecessary actions of the main node.
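Added example (not from the patent, and not Huawei's code): a toy Python model of the first aspect's secondary-node selection. It normalises the three forms of candidate key-length information listed above, gates the key-length check on the redundancy conditions, and carries the first algorithm's key length in the node request only when it equals the preset 256 bits. Class, field and message names, the candidate set, and the treatment of a node that does not flag 256-bit support as 128-bit-only are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The "preset key length" the text gives as an example.
PRESET_KEY_LENGTH = 256


@dataclass(frozen=True)
class SecurityAlgorithm:
    """A security algorithm as the nodes see it: an identifier and a key length in bits."""
    ident: str
    key_length: int


@dataclass
class CandidateInfo:
    """Key-length capability of one candidate node, in any of the three forms the
    text lists: explicit key lengths, a maximum key length, or a preset-length flag.
    Field names are assumptions of this example."""
    node_id: str
    key_lengths: Optional[frozenset] = None
    max_key_length: Optional[int] = None
    supports_preset: Optional[bool] = None

    def max_supported(self) -> int:
        """Normalise the three information forms to a single maximum key length."""
        if self.key_lengths:
            return max(self.key_lengths)
        if self.max_key_length is not None:
            return self.max_key_length
        if self.supports_preset is not None:
            # Assumption: a node that does not flag preset (256-bit) support
            # is treated as supporting only the 128-bit algorithms.
            return PRESET_KEY_LENGTH if self.supports_preset else 128
        raise ValueError(f"no key-length information for {self.node_id}")


# Conditions 1 to 4 of the redundancy condition, as flags in a UE context dict.
REDUNDANCY_FLAGS = (
    "urllc_service",           # condition 1
    "redundant_up_path",       # condition 2
    "redundant_pdu_session",   # condition 3
    "redundant_transmission",  # condition 4
)


def redundancy_condition_met(ue_context: dict) -> bool:
    """Any one of the four conditions triggers key-length-aware selection."""
    return any(ue_context.get(flag, False) for flag in REDUNDANCY_FLAGS)


def select_secondary_node(first_alg: SecurityAlgorithm,
                          candidates: list,
                          ue_context: dict) -> Optional[CandidateInfo]:
    """Master node side: pick the first candidate whose maximum key length is not
    less than the first security algorithm's key length. When no redundancy
    condition holds the text does not constrain the choice, so the first
    candidate is taken (an assumption of this example)."""
    if not candidates:
        return None
    if not redundancy_condition_met(ue_context):
        return candidates[0]
    for cand in candidates:
        if cand.max_supported() >= first_alg.key_length:
            return cand
    return None  # no candidate can match the first algorithm's strength


def build_node_request(first_alg: SecurityAlgorithm) -> dict:
    """Build the SN addition request; the key length is carried only when it
    equals the preset length, saving signalling bits otherwise."""
    request = {"type": "SN_ADDITION_REQUEST"}
    if first_alg.key_length == PRESET_KEY_LENGTH:
        request["first_alg_key_length"] = first_alg.key_length
    return request


if __name__ == "__main__":
    # Constructed candidate set: two 128-bit-only nodes, each advertising its
    # capability in a different form, plus one node with a 256-bit maximum.
    cands = [
        CandidateInfo("gnb-A", key_lengths=frozenset({128})),
        CandidateInfo("gnb-B", supports_preset=False),
        CandidateInfo("gnb-C", max_key_length=256),
    ]
    alg256 = SecurityAlgorithm("ALG-256-ENC", 256)  # constructed identifier
    chosen = select_secondary_node(alg256, cands, {"urllc_service": True})
    print(chosen.node_id, build_node_request(alg256))
```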

In a second aspect, the present application provides a communication method that can be performed by a first communication apparatus, which can serve as the master node of a terminal device in dual connectivity mode. The first communication apparatus can be a wireless access node or a component (such as a chip) in a wireless access node. For ease of description, the following takes execution by the master node as an example.

The method includes: the master node obtains information about the security algorithms supported by a secondary node. The master node determines a first security algorithm based on the information about the security algorithms supported by the secondary node, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and a terminal device. For example, the master node may first select the secondary node from candidate nodes and then obtain the information about the security algorithms supported by the secondary node.

In the above technical solution, when determining the first security algorithm, the master node considers the information about the security algorithms supported by the secondary node. In this way, the master node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, meeting the requirements of secure communication. For example, the solution of the present application allows the first security algorithm selected by the master node and the security algorithm selected by the secondary node to have the same key length.

Furthermore, when the terminal device uses a redundant data transmission service in dual connectivity mode, two mutually redundant PDU sessions of the terminal device are used to transmit the service data. The data of the two PDU sessions is protected by the master node and the secondary node respectively, each using its selected security algorithm; the two security algorithms have the same key length, which meets the security assumption of redundant data transmission.

In a possible implementation, the information about the security algorithms supported by the secondary node includes information about the key lengths of the security algorithms supported by the secondary node and/or identifiers of the security algorithms supported by the secondary node. The information about the key lengths may specifically be identifiers of the multiple key lengths supported by the secondary node, or an identifier of the maximum key length supported by the secondary node, or an indication of whether the secondary node supports a preset key length, where the preset key length is, for example, 256 bits.

In a possible implementation, the master node further sends a node request to the secondary node, the node request being used to request addition of the secondary node. For example, the node request includes information about the key length of the first security algorithm. Specifically, the information about the key length of the first security algorithm is used to determine the security algorithm for the data transmitted between the secondary node and the terminal device; for example, it is used by the secondary node to determine the security algorithm for the data transmitted between the secondary node and the terminal device.

In the above technical solution, the secondary node can obtain the information about the key length of the first security algorithm from the node request and select a security algorithm based on it. In this way, the secondary node can select a security algorithm whose key length matches the key length of the first security algorithm, so that when the master node and the secondary node protect the data transmitted between themselves and the terminal device using their respectively selected security algorithms, security of the communication system is achieved. Furthermore, the key length of the security algorithm selected by the secondary node can be the same as the key length of the first security algorithm, which, in a scenario where the terminal device uses a redundant data transmission service, meets the security assumption of redundant data transmission.

In a possible implementation, when the key length of the first security algorithm is a preset key length, the node request includes the information about the key length of the first security algorithm.

The above technical solution provides a trigger condition for including the information about the key length of the first security algorithm in the node request, namely that the key length of the first security algorithm is the preset key length. It can be understood that when the key length of the first security algorithm is lower than the preset key length, the node request need not carry the information about the key length of the first security algorithm, reducing the number of bits used in signaling exchanges.

In a possible implementation, the master node obtains the information about the security algorithms supported by the secondary node in one of the following ways: the master node is preconfigured with the information about the security algorithms supported by the secondary node; or, the master node obtains the information about the security algorithms supported by the secondary node from the secondary node.

The above technical solution provides ways for the master node to obtain the information about the security algorithms supported by the secondary node, so that the master node can determine the first security algorithm based on that information.

In a possible implementation, when the master node determines that a redundancy condition is met, it determines the first security algorithm based on the information about the security algorithms supported by the secondary node. The redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a redundant data transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

The above technical solution provides a trigger condition for the master node to consider the information about the security algorithms supported by the secondary node when determining the first security algorithm; that is, the above method is performed when the redundancy condition is determined to be met, avoiding unnecessary actions by the master node.

In a possible implementation, the information about the security algorithms includes information about the key lengths of the security algorithms. When determining the first security algorithm based on the information about the security algorithms supported by the secondary node, the master node may specifically determine the first security algorithm based on the information about the key lengths of the security algorithms supported by the secondary node and the information about the security algorithms supported by the master node.

For example, the master node determines the maximum key length supported by the secondary node based on the information about the key lengths of the security algorithms supported by the secondary node, and determines the first security algorithm based on that maximum key length and the information about the security algorithms supported by the master node.

The key lengths of the security algorithms supported by the secondary node include the key length of the first security algorithm.

In the above technical solution, when determining the first security algorithm, the master node considers the key lengths of the security algorithms supported by the secondary node. In this way, the master node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, meeting the requirements of secure communication. Furthermore, in a scenario where the terminal device uses a redundant data transmission service, the security assumption of redundant data transmission is met.

In a possible implementation, the information about the security algorithms includes identifiers of the security algorithms. When determining the first security algorithm based on the information about the security algorithms supported by the secondary node, the master node may specifically determine the first security algorithm and a second security algorithm based on the identifiers of the security algorithms supported by the secondary node and the information about the security algorithms supported by the master node, where the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device. Furthermore, the master node sends the identifier of the second security algorithm to the secondary node.

In the above technical solution, the master node not only determines the first security algorithm itself but also selects the second security algorithm for the secondary node. The master node can thereby ensure that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device; for example, the master node can ensure that the key length of the first security algorithm and the key length of the second security algorithm are the same, achieving security of the communication system. In a scenario where the terminal device uses a redundant data transmission service, this meets the security assumption of redundant data transmission.

In a third aspect, the present application provides a communication method that can be performed by a first communication apparatus, which can serve as the master node of a terminal device in dual connectivity mode. The first communication apparatus can be a wireless access node or a component (such as a chip) in a wireless access node. For ease of description, the following takes execution by the master node as an example.

The method includes: the master node determines a first security algorithm, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and a terminal device. The master node sends a node request to a secondary node, the node request being used to request addition of the secondary node and including information about the key length of the first security algorithm. For example, the information about the key length of the first security algorithm may serve one or more of the following functions: used by the secondary node to determine whether it supports the key length of the first security algorithm; used by the secondary node to determine a second security algorithm; used by the secondary node to determine whether the key length of the second security algorithm matches the key length of the first security algorithm; or used by the secondary node to determine which node response to send to the master node. The second security algorithm is the security algorithm determined by the secondary node for protecting data transmitted between the secondary node and the terminal device; the node response indicates either that adding the secondary node failed or that adding the secondary node succeeded.

In a possible implementation, the master node may further receive a node response from the secondary node, the node response indicating that adding the secondary node failed. The master node then reselects a secondary node and sends a node request to the reselected secondary node. Optionally, the master node further receives a node response from the reselected secondary node, that node response indicating that adding the secondary node succeeded.

In the above technical solution, by sending node requests to secondary nodes and receiving node responses from them, the master node determines a secondary node that can be successfully added. The successfully added secondary node satisfies the following condition: the master node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, meeting the requirements of secure communication. For example, a secondary node added according to the solution of the present application allows the security algorithms selected by the master node and the secondary node to have the same key length.

Furthermore, when the terminal device uses a redundant data transmission service in dual connectivity mode, two mutually redundant PDU sessions of the terminal device are used to transmit the service data. The data of the two PDU sessions is protected by the master node and the secondary node respectively, each using its selected security algorithm; the two security algorithms have the same key length, which meets the security assumption of redundant data transmission.

In a possible implementation, when the master node determines that a redundancy condition is met, it sends the node request including the information about the key length of the first security algorithm to the secondary node. The redundancy condition includes one or more of the following conditions 1 to 4: condition 1, the terminal device uses a redundant data transmission (such as URLLC) service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

The above technical solution provides a trigger condition for including the information about the key length of the first security algorithm in the node request; that is, the above method is performed when the redundancy condition is determined to be met, avoiding unnecessary actions by the master node.

In a possible implementation, when the key length of the first security algorithm is a preset key length, the node request includes the information about the key length of the first security algorithm. The preset key length is, for example, 256 bits.

The above technical solution provides a further trigger condition for including the information about the key length of the first security algorithm in the node request, namely that the key length of the first security algorithm is the preset key length. It can be understood that when the key length of the first security algorithm is lower than the preset key length, the node request need not carry the information about the key length of the first security algorithm, reducing the number of bits used in signaling exchanges.

In a fourth aspect, the present application provides a communication method that can be performed by a second communication apparatus, which can serve as a secondary node of a terminal device in dual connectivity mode. The second communication apparatus can be a wireless access node or a component (such as a chip) in a wireless access node. For ease of description, the following takes execution by the secondary node as an example.

The method includes: the secondary node receives a node request from a master node, the node request being used to request addition of the secondary node and including information about the key length of a first security algorithm, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and a terminal device. The secondary node determines a second security algorithm based on the information about the key length of the first security algorithm, where the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device.

In a possible implementation, the key length of the second security algorithm is the same as the key length of the first security algorithm.

In a fifth aspect, the present application provides a communication method that can be performed by a second communication apparatus, which can serve as a secondary node of a terminal device in dual connectivity mode. The second communication apparatus can be a wireless access node or a component (such as a chip) in a wireless access node. For ease of description, the following takes execution by the secondary node as an example.

The method includes: the secondary node receives a node request from a master node, the node request being used to request addition of the secondary node and including an identifier of a second security algorithm; and the secondary node transmits data with a terminal device according to the second security algorithm.

In a possible implementation, before transmitting data with the terminal device according to the second security algorithm, the secondary node may further determine that the secondary node and/or the terminal device supports the second security algorithm. For example, the secondary node further obtains the security algorithms supported by the terminal device from the node request and determines that the security algorithms supported by the terminal device include the second security algorithm.

In a possible implementation, the secondary node may further send a node response to the master node, the node response indicating that adding the secondary node succeeded; the node response does not carry the identifier of the second security algorithm.
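Added example (not from the patent, and not Huawei's code): a Python model of the secondary-node side of the fourth and fifth aspects, together with the master node's reselection on a failure response from the third aspect. It handles both request forms, a carried first-algorithm key length (the SN must answer with a same-length algorithm or report failure) and a second-algorithm identifier chosen by the MN (the SN checks its own and the terminal device's support). Message field names, the response format, the algorithm identifiers and the use of direct function calls in place of the MN-SN interface are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The preset key length the text gives as an example; below it the key length
# is not carried in the node request.
PRESET_KEY_LENGTH = 256


@dataclass(frozen=True)
class SecurityAlgorithm:
    """An algorithm identifier plus its key length in bits."""
    ident: str
    key_length: int


def sn_handle_node_request(request: dict, sn_supported: list, ue_supported: set) -> dict:
    """Secondary node side.

    - With "second_alg_id" (fifth aspect): accept only if both the SN and the
      terminal device support that algorithm; the success response does not
      echo the identifier.
    - With "first_alg_key_length" (fourth aspect): pick a second algorithm with
      the same key length that both the SN and the terminal device support,
      otherwise report failure.
    - With neither: any commonly supported algorithm will do.
    Response dicts are an assumption of this example."""
    sn_by_id = {alg.ident: alg for alg in sn_supported}
    usable = [alg for alg in sn_supported if alg.ident in ue_supported]

    if "second_alg_id" in request:
        ident = request["second_alg_id"]
        if ident in sn_by_id and ident in ue_supported:
            return {"result": "SUCCESS"}
        return {"result": "FAILURE", "reason": "second algorithm unsupported"}

    first_len = request.get("first_alg_key_length")
    if first_len is not None:
        if first_len not in {alg.key_length for alg in sn_supported}:
            # SN does not support the first algorithm's key length at all.
            return {"result": "FAILURE", "reason": "key length unsupported"}
        # Keep only candidates whose key length matches the first algorithm.
        usable = [alg for alg in usable if alg.key_length == first_len]
    if not usable:
        return {"result": "FAILURE", "reason": "no common algorithm"}
    chosen = usable[0]  # assumption: the SN's own preference order
    return {"result": "SUCCESS", "second_alg_id": chosen.ident}


def mn_add_secondary(first_alg: SecurityAlgorithm,
                     ordered_candidates: list,
                     ue_supported: set) -> Optional[tuple]:
    """Master node side: send the node request to the preferred candidate and,
    on a failure response, reselect the next one. Candidates are modelled as
    (node_id, supported algorithms) pairs and invoked directly, a constructed
    stand-in for the MN-SN interface."""
    request = {"type": "SN_ADDITION_REQUEST"}
    if first_alg.key_length == PRESET_KEY_LENGTH:
        request["first_alg_key_length"] = first_alg.key_length
    for node_id, sn_algs in ordered_candidates:
        response = sn_handle_node_request(request, sn_algs, ue_supported)
        if response["result"] == "SUCCESS":
            return node_id, response.get("second_alg_id")
    return None  # every candidate refused the addition


if __name__ == "__main__":
    # Constructed capability sets: an older SN with 128-bit only and a newer
    # SN that also offers two 256-bit algorithms, one of which the UE lacks.
    a128 = SecurityAlgorithm("ALG-128-A", 128)
    a256 = SecurityAlgorithm("ALG-256-A", 256)
    b256 = SecurityAlgorithm("ALG-256-B", 256)
    ue = {"ALG-128-A", "ALG-256-A"}
    print(mn_add_secondary(a256, [("gnb-old", [a128]), ("gnb-new", [a128, b256, a256])], ue))
```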

第六方面,本申请提供一种通信方法,该通信方法可以由第二通信装置执行,第二通信装置可作为双连接模式下的终端设备的辅节点。第二通信装置可以是无线接入节点或无线接入节点中的部件(如芯片)。为方便描述,如下以辅节点执行为例说明。In a sixth aspect, the present application provides a communication method that can be performed by a second communication device, which can serve as a secondary node of a terminal device in dual connectivity mode. The second communication device can be a wireless access node or a component (such as a chip) in a wireless access node. For ease of description, the following description uses the secondary node execution as an example.

方法包括:辅节点接收节点请求,节点请求用于请求添加辅节点,节点请求中包括第一安全算法的密钥长度的信息,第一安全算法是用于保护主节点与终端设备之间传输的数据的安全算法。The method includes: the secondary node receives a node request, the node request is used to request to add a secondary node, the node request includes information on the key length of a first security algorithm, and the first security algorithm is a security algorithm used to protect data transmitted between the primary node and the terminal device.

辅节点在确定不支持第一安全算法的密钥长度的情况下,向主节点发送节点响应,节点响应用于指示添加辅节点失败;或,When the secondary node determines that it does not support the key length of the first security algorithm, it sends a node response to the primary node, where the node response is used to indicate that adding the secondary node fails; or

辅节点选择第二安全算法,当第一安全算法的密钥长度与第二安全算法的密钥长度不同的情况下,向主节点发送节点响应,节点响应用于指示添加辅节点失败;或,The secondary node selects the second security algorithm, and when the key length of the first security algorithm is different from the key length of the second security algorithm, sends a node response to the primary node, where the node response is used to indicate that adding the secondary node has failed; or

辅节点选择第二安全算法,当第一安全算法的密钥长度与第二安全算法的密钥长度相同的情况下,向主节点发送节点响应,节点响应用于指示添加辅节点成功;或,The secondary node selects the second security algorithm, and when the key length of the first security algorithm is the same as the key length of the second security algorithm, sends a node response to the primary node, where the node response is used to indicate that the secondary node is successfully added; or,

辅节点根据第一安全算法的密钥长度,选择第二安全算法,向主节点发送节点响应,节点响应用于指示添加辅节点成功,其中,第一安全算法的密钥长度与第二安全算法的密钥长度相同。The secondary node selects a second security algorithm based on the key length of the first security algorithm and sends a node response to the primary node. The node response is used to indicate that the secondary node is added successfully, wherein the key length of the first security algorithm is the same as the key length of the second security algorithm.

In a seventh aspect, an embodiment of the present application provides a communication apparatus that has the function of the first communication device in the first aspect or any possible implementation of the first aspect, or the function of the first communication device in the second aspect or any possible implementation of the second aspect, or the function of the first communication device in the third aspect or any possible implementation of the third aspect, or the function of the second communication device in the fourth aspect or any possible implementation of the fourth aspect, or the function of the second communication device in the fifth aspect or any possible implementation of the fifth aspect, or the function of the second communication device in the sixth aspect or any possible implementation of the sixth aspect.

Here, the first communication device may serve as the primary node of a terminal device in dual connectivity mode, and may be a wireless access node or a component (such as a chip) of a wireless access node. The second communication device may serve as the secondary node of a terminal device in dual connectivity mode, and may likewise be a wireless access node or a component (such as a chip) of a wireless access node.

The functions of the above communication apparatus may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules, units or means corresponding to the above functions.

In a possible implementation, the structure of the apparatus includes a processing module and a transceiver module.

The processing module is configured to support the apparatus in performing the method of the first communication device in the first, second or third aspect or any possible implementation thereof, or the method of the second communication device in the fourth, fifth or sixth aspect or any possible implementation thereof.

The transceiver module is configured to support communication between the apparatus and other communication devices; for example, when the apparatus is the first communication device, it can send a node request to the second communication device. The communication apparatus may further include a storage module coupled to the processing module, which stores the program instructions and data the apparatus needs. As an example, the processing module may be a processor, the transceiver module a transceiver, and the storage module a memory; the memory may be integrated with the processor or provided separately from it.

In another possible implementation, the structure of the apparatus includes a processor and may further include a memory. The processor is coupled to the memory and may execute the computer program instructions stored in the memory so that the apparatus performs the method of the first communication device in the first, second or third aspect or any possible implementation thereof, or the method of the second communication device in the fourth, fifth or sixth aspect or any possible implementation thereof. Optionally, the apparatus further includes a communication interface coupled to the processor. When the apparatus is a wireless access node, the communication interface may be a transceiver or an input/output interface; when the apparatus is a chip contained in a wireless access node, the communication interface may be the input/output interface of the chip. Optionally, the transceiver may be a transceiver circuit and the input/output interface may be an input/output circuit.

In an eighth aspect, an embodiment of the present application provides a chip system, including:

a processor and a memory, where the processor is coupled to the memory, the memory is configured to store a program or instructions, and when the program or instructions are executed by the processor, the chip system performs the method of the first communication device in the first, second or third aspect or any possible implementation thereof, or the method of the second communication device in the fourth, fifth or sixth aspect or any possible implementation thereof.

Optionally, the chip system further includes an interface circuit for passing code instructions to the processor.

Optionally, there may be one or more processors in the chip system, and a processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that operates by reading software code stored in a memory.

Optionally, there may also be one or more memories in the chip system. A memory may be integrated with the processor or provided separately from it. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a separate chip.

In a ninth aspect, the present application provides a computer-readable storage medium storing a computer program or instructions. When the computer program or instructions are executed by a communication apparatus, the communication apparatus performs the method of the first communication device in the first, second or third aspect or any possible implementation thereof, or the method of the second communication device in the fourth, fifth or sixth aspect or any possible implementation thereof.

In a tenth aspect, the present application provides a computer program product including a computer program or instructions. When the computer program or instructions are executed by a communication apparatus, they implement the method of the first communication device in the first, second or third aspect or any possible implementation thereof, or the method of the second communication device in the fourth, fifth or sixth aspect or any possible implementation thereof.

In an eleventh aspect, an embodiment of the present application provides a communication system, including:

the first communication device of the first aspect or any possible implementation thereof, and the second communication device of the fourth aspect or any possible implementation thereof; or,

the first communication device of the second aspect or any possible implementation thereof, and the second communication device of the fourth aspect or any possible implementation thereof; or,

the first communication device of the second aspect or any possible implementation thereof, and the second communication device of the fifth aspect or any possible implementation thereof; or,

the first communication device of the third aspect or any possible implementation thereof, and the second communication device of the sixth aspect or any possible implementation thereof.

For the technical effects achievable by any of the fourth to eleventh aspects, refer to the description of the beneficial effects of the first to third aspects, which is not repeated here.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a 5G network architecture;

FIG. 2 is a schematic diagram of a key derivation architecture in a 5G system;

FIG. 3 is a schematic diagram of the user plane path of a URLLC service;

FIG. 4 is a schematic flow chart of a first communication method provided by the present application;

FIG. 5 is a schematic flow chart of a second communication method provided by the present application;

FIG. 6 is a schematic flow chart of a third communication method provided by the present application;

FIG. 7 is a schematic flow chart of a fourth communication method provided by the present application;

FIG. 8 is a schematic flow chart of a fifth communication method provided by the present application;

FIG. 9 is a schematic flow chart of a first determination method performed by the secondary node in the fifth communication method provided by the present application;

FIG. 10 is a schematic flow chart of a second determination method performed by the secondary node in the fifth communication method provided by the present application;

FIG. 11 is a schematic flow chart of a third determination method performed by the secondary node in the fifth communication method provided by the present application;

FIG. 12 is a schematic flow chart of the primary node determining that a redundancy condition is satisfied, provided by the present application;

FIG. 13 is a schematic structural diagram of a communication apparatus provided by the present application;

FIG. 14 is a schematic structural diagram of another communication apparatus provided by the present application.

DETAILED DESCRIPTION

The relevant technical features involved in the embodiments of the present application are explained first. It should be noted that these explanations are intended to make the embodiments easier to understand and should not be regarded as limiting the scope of protection claimed by the present application.

1. 5G Network Architecture

FIG. 1 is a schematic diagram of a 5G network architecture. The architecture shown in FIG. 1 can be divided into three parts: the terminal device part, the data network (DN), and the operator network part. The functions of some of these network elements are briefly described below.

The operator network may include one or more of the following network elements (or devices, functions, nodes): radio access node (RAN), authentication server function (AUSF), network exposure function (NEF), policy control function (PCF), unified data management (UDM), unified data repository (UDR), network repository function (NRF), access and mobility management function (AMF), session management function (SMF), user plane function (UPF), application function (AF), and so on.

A terminal device, also called user equipment (UE), is a device with wireless transceiver capability. It can be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (such as on ships), or in the air (such as on aircraft, balloons and satellites). A terminal device may be a mobile phone, a tablet, a computer with wireless transceiver capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a wireless terminal in industrial control, self-driving, remote medicine, a smart grid, transportation safety, a smart city, a smart home, and so on.

The terminal device can establish a connection with the operator network through an interface provided by the operator network (such as N1) and use the data and/or voice services the operator network provides. The terminal device can also access a DN through the operator network and use operator services deployed on the DN and/or services provided by a third party. The third party may be a service provider other than the operator network and the terminal device, and may provide data and/or voice services to the terminal device. The specific form of the third party depends on the actual application scenario and is not limited here.

A wireless access node provides network access for authorized terminal devices in a specific area and can use transmission tunnels with different quality of service according to the terminal device's level and service requirements. A wireless access node manages radio resources, provides access services to terminal devices, and forwards control signalling and data between the terminal device and the core network; it can also be understood as the base station of a traditional network. For example, a wireless access node can be any communication device with wireless transceiver capability used to communicate with terminal devices, including but not limited to an evolved Node B (eNB), a gNB in a 5G system, a transmission point (TRP or TP), or one or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system. It can also be a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU), or a pole site, micro base station, macro base station, integrated access and backhaul (IAB) node, and so on.

The core network part includes user plane functions and control plane functions.

The user plane functions include the UPF. As the interface to the data network, the UPF performs user plane data forwarding (such as forwarding of packet data), quality of service (QoS) control, session/flow-level charging statistics, bandwidth limiting, and so on.

The control plane functions mainly carry out user registration and authentication, mobility management, and delivery of packet forwarding policies and QoS control policies to the user plane functions. The control plane functions can be further refined into network elements other than the UPF, such as the AMF and SMF.

The AMF mainly performs the registration procedure when a user accesses the network, as well as location management and access authentication/authorization while the user moves. It is also responsible for relaying user policies between the terminal device and the PCF.

The SMF mainly establishes the corresponding session connection when a user initiates a service and provides the specific service to the user, for example by delivering packet forwarding policies and QoS policies to the UPF over the NG4 interface between the SMF and the UPF.

The AUSF is mainly responsible for authenticating users and determining the legitimacy of a terminal device, so as to decide whether the terminal device is allowed to access the network.

The UDM is mainly responsible for storing subscription data of terminal devices, user access authorization, and similar functions.

The UDR is mainly responsible for storing and retrieving subscription data, policy data, application data and other types of data.

The PCF is mainly responsible for delivering service-related policies to the AMF or SMF.

The NEF is mainly used to support exposure of capabilities and events.

The AF mainly communicates the application side's requirements on the network side to the PCF, so that the PCF can generate the corresponding policies. The AF can be a third-party functional entity or an application service deployed by the operator, such as the Internet Protocol (IP) multimedia subsystem (IMS) voice call service.

The NRF can provide network element discovery, returning the network element information corresponding to a requested network element type at the request of other network elements. The NRF also provides network element management services such as registration, update and deregistration of network elements, and subscription to and push of network element status.

A DN is a network located outside the operator network. An operator network can connect to multiple DNs, and a variety of services can be deployed on a DN to provide data and/or voice services to terminal devices. For example, a DN may be the private network of a smart factory: the sensors installed in its workshops can be terminal devices, and the DN hosts a control server for the sensors, which provides services to them. The sensors can communicate with the control server, receive its instructions, and transmit the collected sensor data to it according to those instructions. As another example, a DN may be a company's internal office network: employees' mobile phones or computers can be terminal devices, through which they access information and data resources on the internal office network.

In FIG. 1, Nnssf, Nausf, Nnef, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4 and N6 are interface identifiers. Their meanings are defined in the 3rd Generation Partnership Project (3GPP) specifications and are not limited here.

It is understood that the above network elements can be network components in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). Optionally, a network element can be implemented by a single device, jointly by multiple devices, or as a functional module within a single device; the embodiments of the present application do not specifically limit this.

The network elements involved in the embodiments of the present application may be the AMF, AUSF, UDM and so on in FIG. 1, or network elements having the functions of the above AMF, AUSF, UDM and so on in future communication systems such as the sixth generation (6G) network; the embodiments of the present application are not limited in this respect.

2. 256-bit Algorithms

Security algorithms (also called cryptographic algorithms) are the security foundation of communication systems and are widely used in mobile communication networks.

Security algorithms are generally divided into symmetric security algorithms and asymmetric security algorithms. Symmetric security algorithms may include symmetric encryption algorithms, hash algorithms, and integrity protection algorithms (such as message authentication codes (MAC) and hash-based message authentication codes (HMAC)). Asymmetric security algorithms may include asymmetric encryption algorithms, digital signature algorithms, key exchange algorithms, and so on. Asymmetric security algorithms are mainly used for identity authentication, key negotiation and key establishment between two or more interacting parties in the early stage of establishing a system. Once the key is established, the interacting parties can use symmetric security algorithms with the established key to protect the information they exchange.

Currently, the symmetric security algorithms used to protect signalling and data exchanged between terminal devices and the network side (for example, the AMF or a wireless access node) include the Advanced Encryption Standard (AES), SNOW 3G and the Zu Chongzhi algorithm (ZUC). These symmetric security algorithms currently use a key length of 128 bits (collectively referred to as 128-bit algorithms). However, as computing power grows, and especially in view of the threat posed by quantum computers, 128-bit algorithms face the risk of being broken by a quantum computer. For example, with a quantum computer, Grover's algorithm can reduce the difficulty of a brute-force search from N attempts to N^(1/2) attempts, so that the security of a 128-bit key space drops to 64 bits. To resist the threat of quantum computers, cryptographers in the industry recommend upgrading symmetric security algorithms from 128-bit to 256-bit algorithms, that is, protecting data with symmetric security algorithms whose key length is 256 bits.

三、5G密钥推演架构3. 5G Key Derivation Architecture

5G系统中的密钥推演架构如图2所示,终端设备的全球用户识别卡(universal subscriber identity module,USIM)卡和UDM(或鉴权信任状存储处理功能实体(authentication credential repository and processing function,ARPF))侧保存了终端设备的长期密钥K。The key derivation architecture in the 5G system is shown in Figure 2. The universal subscriber identity module (USIM) card and UDM (or authentication credential repository and processing function, ARPF) side of the terminal device store the long-term key K of the terminal device.

终端设备向网络注册时会触发主认证流程。在主认证流程中:When a terminal device registers with the network, the main authentication process is triggered. In the main authentication process:

在终端设备侧,终端设备根据终端设备的长期密钥K,推导出CK和IK,根据CK和IK的拼接结果依次推导出AUSF密钥(KAUSF)和SEAF密钥(KSEAF)。进而终端设备通过SEAF密钥推导出AMF密钥(KAMF)。终端设备又基于AMF密钥推导出非接入层(non-access stratum,NAS)密钥(KNAS)和gNB密钥(KgNB),gNB密钥用于终端设备生成接入层(access stratum,AS)密钥,其中,AS密钥包括无线资源控制(radio resource control,RRC)密钥(KRRC)和用户面(user plane,UP)密钥(KUP)。On the terminal device side, the terminal device derives the CK and IK based on the terminal device's long-term key K. The AUSF key (K AUSF ) and SEAF key (K SEAF ) are then derived from the concatenation of the CK and IK. The terminal device then derives the AMF key (K AMF ) from the SEAF key. The terminal device further derives the non-access stratum (NAS) key (K NAS ) and gNB key (K gNB ) based on the AMF key. The gNB key is used by the terminal device to generate access stratum (AS) keys. The AS keys include the radio resource control (RRC) key (K RRC ) and the user plane (UP) key (K UP ).

On the network side, the UDM derives the AUSF key from the concatenation of CK and IK and provides it to the AUSF. The AUSF derives the SEAF key from the AUSF key and provides it to the SEAF. The SEAF derives the AMF key from the SEAF key and provides it to the AMF. The AMF derives the NAS key, the non-3GPP interworking function (N3IWF) key and the gNB key from the AMF key. The AMF provides the N3IWF key to the N3IWF, where it is used to protect the subsequent data traffic of non-3GPP access, and provides the gNB key and the next hop (NH) parameter to the gNB. The gNB generates the RRC key and the user plane key from the gNB key and the NH parameter.

Further, the RRC key includes an RRC encryption key (K_RRCenc) and an RRC integrity protection key (K_RRCint). The user plane key includes a user plane encryption key (K_UPenc) and a user plane integrity protection key (K_UPint). When user data is transmitted, the terminal device and the gNB use the user plane encryption key to encrypt the user data and the user plane integrity protection key to protect its integrity.
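The hierarchy above, worked through in code as an added example. This is not code from the patent: the KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), the FC values, the algorithm type distinguishers and the CK/IK, serving network name, SUPI and ABBA inputs are the author's assumptions drawn from 3GPP TS 33.220 and TS 33.501, not values stated on the page. The point it demonstrates is why the key length of the selected algorithm matters at the last step of the chain: every KDF output is 256 bits, and a 128-bit algorithm keeps only the least significant 128 bits, while a 256-bit algorithm uses the whole output.

```python
import hashlib
import hmac

# FC values and type distinguishers: assumed (author's reading of TS 33.501 Annex A).
FC_KAUSF, FC_KSEAF, FC_KAMF, FC_ALG, FC_KGNB = 0x6A, 0x6C, 0x6D, 0x69, 0x6E
ALG_TYPE = {"NASenc": 0x01, "NASint": 0x02, "RRCenc": 0x03, "RRCint": 0x04,
            "UPenc": 0x05, "UPint": 0x06}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def algorithm_key(parent: bytes, alg_type: str, alg_id: int, key_len_bits: int) -> bytes:
    """Per-algorithm key from K_AMF (NAS keys) or K_gNB (AS keys).

    The KDF always yields 256 bits. A 128-bit algorithm uses the 128 least
    significant bits (the truncation rule assumed here), a 256-bit algorithm
    keeps the full output."""
    if key_len_bits not in (128, 256):
        raise ValueError("unsupported key length")
    full = kdf(parent, FC_ALG, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return full[-key_len_bits // 8:]


def derive_hierarchy(ck: bytes, ik: bytes, snn: bytes, sqn_xor_ak: bytes,
                     supi: bytes, abba: bytes, ul_nas_count: int,
                     alg_id: int, key_len_bits: int) -> dict:
    """Walk from CK||IK down to the AS keys on one side of the link; the UE and
    the network side perform the same steps on their own copies of the inputs."""
    k_ausf = kdf(ck + ik, FC_KAUSF, snn, sqn_xor_ak)
    k_seaf = kdf(k_ausf, FC_KSEAF, snn)
    k_amf = kdf(k_seaf, FC_KAMF, supi, abba)
    # 0x01 = 3GPP access type distinguisher (assumed value).
    k_gnb = kdf(k_amf, FC_KGNB, ul_nas_count.to_bytes(4, "big"), b"\x01")
    keys = {"K_AUSF": k_ausf, "K_SEAF": k_seaf, "K_AMF": k_amf, "K_gNB": k_gnb}
    for name in ("NASenc", "NASint"):
        keys["K_" + name] = algorithm_key(k_amf, name, alg_id, key_len_bits)
    for name in ("RRCenc", "RRCint", "UPenc", "UPint"):
        keys["K_" + name] = algorithm_key(k_gnb, name, alg_id, key_len_bits)
    return keys


# Constructed sample inputs (not real subscriber material).
SAMPLE = dict(ck=bytes(range(16)), ik=bytes(range(16, 32)),
              snn=b"5G:mnc001.mcc001.3gppnetwork.org", sqn_xor_ak=b"\x00" * 6,
              supi=b"imsi-001010123456789", abba=b"\x00\x00",
              ul_nas_count=0, alg_id=2)


def demo(key_len_bits: int) -> dict:
    """Derive the whole hierarchy for a 128-bit or 256-bit algorithm."""
    return derive_hierarchy(**SAMPLE, key_len_bits=key_len_bits)


if __name__ == "__main__":
    for name, k in demo(128).items():
        print(f"{name:10s} {len(k) * 8:3d} bits  {k.hex()}")
```

Running the block prints the chain for a 128-bit algorithm; calling `demo(256)` shows that the intermediate keys (K_AUSF, K_SEAF, K_AMF, K_gNB) are 256 bits in both cases and only the final algorithm keys differ in length.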

4. Security Capabilities of the Terminal Device

The security capabilities of the terminal device include the security algorithms it supports. These are used in the algorithm negotiation of the mobile communication network: the terminal device reports the security algorithms it supports to the network side, and the network side selects, based on the local priority of its security algorithms and the security algorithms supported by the terminal device, a security algorithm that both sides support and that has a high priority. For example, the AMF on the network side determines the NAS security algorithm used to protect NAS messages between the terminal device and the AMF, and the radio access node on the network side determines the AS security algorithm used to protect AS messages between the terminal device and the radio access node. Currently, the key length of the security algorithms supported by a terminal device can be 128 bits; in future communication systems, security algorithms with a key length of 256 bits or even 512 bits may be supported.

5. Dual Connectivity (DC) Mode and Security Algorithm Selection in Dual Connectivity Mode

Dual connectivity is an operating mode of a terminal device in the RRC connected state. In this mode, the terminal device is connected to two different radio access nodes at the same time. The two radio access nodes may use the same or different communication standards. The radio access node whose control plane is connected to the core network is called the master node (MN); the radio access node whose control plane is not connected to the core network is called the secondary node (SN), which may also be called a slave node.

The advantages of dual connectivity are: (1) the radio resources provided by a single radio access node are limited; if the terminal device can connect to two radio access nodes at the same time, it can use the radio resources of both, which effectively raises throughput; (2) a network may contain radio access nodes of different communication standards (for example, a 4G radio access node and a 5G radio access node); if the terminal device can connect to two radio access nodes of different standards, it can adapt flexibly to the network deployment.

In dual connectivity mode, the master node can obtain the security algorithms supported by the terminal device and, based on those algorithms, the security algorithms supported by the master node and their priorities, select a security algorithm (denoted security algorithm A) and send the identifier of security algorithm A to the terminal device. Further, the master node can also send the security algorithms supported by the terminal device to the secondary node; correspondingly, the secondary node selects a security algorithm (denoted security algorithm B) based on the security algorithms supported by the terminal device, the security algorithms supported by the secondary node and their priorities. The secondary node sends the identifier of security algorithm B to the master node, which forwards it to the terminal device. In this way, the master node and the terminal device can protect the data they exchange with security algorithm A, and the secondary node and the terminal device can protect the data they exchange with security algorithm B.

6. Ultra-Reliable and Low-Latency Communications (URLLC) and Security Algorithm Selection in URLLC

To provide a URLLC service to the terminal device, the terminal device can establish two protocol data unit (PDU) sessions in the 5G network whose user plane paths are separated; see Figure 3 for a schematic diagram of the user plane paths of a URLLC service. The user plane of one PDU session passes through the master node and UPF1, and the user plane of the other PDU session passes through the secondary node and UPF2; UPF1 and UPF2 are connected to the same DN. The data transmitted in the two PDU sessions satisfies the security assumption of redundant data transmission, namely that the transmitted data is identical and that the security algorithms used for the transmission have the same key length.

Once 256-bit algorithms are introduced, the communication system needs to support both 128-bit and 256-bit algorithms. How to ensure the security of the communication system in this scenario is a technical problem that urgently needs to be solved.

Further, with the security algorithm selection of dual connectivity mode described above, when the key lengths of the security algorithms supported by the master node and the secondary node differ, for example, the master node supports security algorithms with key lengths of 256 bits and 128 bits, the secondary node supports security algorithms with a key length of 128 bits, and the terminal device supports security algorithms with key lengths of 256 bits and 128 bits, the master node may select a security algorithm with a 256-bit key length (a 256-bit algorithm) for data transmission with the terminal device while the secondary node selects a security algorithm with a 128-bit key length (a 128-bit algorithm) for data transmission with the terminal device. The security algorithms of the two sessions then have different key lengths, which violates the security assumption of redundant data transmission services (such as URLLC) in dual connectivity mode.

To this end, this application provides five communication methods for ensuring the security of a communication system in a scenario in which it needs to support both 128-bit and 256-bit algorithms. Further, when the terminal device uses a redundant data transmission service in dual connectivity mode, the security algorithms of its two PDU sessions have the same key length, which satisfies the security assumption of redundant data transmission.

Each of the five communication methods can be performed by a first communication apparatus and a second communication apparatus.

The first communication apparatus and the second communication apparatus may act as the master node and the secondary node, respectively, of a terminal device in dual connectivity mode. Further, the first communication apparatus may be a radio access node or a component (such as a chip) of a radio access node, and the second communication apparatus may likewise be a radio access node or a component (such as a chip) of a radio access node. For ease of description, the following refers to them as the master node and the secondary node.

In this application, a security algorithm may also be called a cryptographic algorithm, a security protection algorithm, a protection algorithm, and so on. By way of example, the security algorithm may be a symmetric cryptographic algorithm. By way of example, the security algorithm is an integrity protection algorithm, or an encryption algorithm, or comprises both an integrity protection algorithm and an encryption algorithm, or is an authenticated encryption with associated data (AEAD) algorithm. An AEAD algorithm corresponds to an AEAD mode, that is, when the master node (or the secondary node) and the terminal device transmit data, the AEAD algorithm provides both integrity protection and encryption of the data.

In this application, the key length of a security algorithm can be used to indicate the protection strength of the security algorithm for data: the longer the key length, the stronger the protection. For example, if security algorithm 1 has a 256-bit key length and security algorithm 2 has a 128-bit key length, the protection strength of security algorithm 1 is higher (or stronger) than that of security algorithm 2. The key length of a security algorithm can also be used to indicate its algorithm strength: the longer the key length, the stronger the algorithm. For example, if security algorithm 1 has a 256-bit key length and security algorithm 2 has a 128-bit key length, the algorithm strength of security algorithm 1 is higher (or stronger) than that of security algorithm 2. In this application, the key length of a security algorithm may therefore be called the protection strength or the algorithm strength of the security algorithm. Further, the key length of a security algorithm is, for example, 512 bits, 256 bits or 128 bits, and security algorithms can be classified by key length: those with a 512-bit key length form one class, those with a 256-bit key length another, and those with a 128-bit key length a third, so the key length of a security algorithm may also be called the class or category of the security algorithm. Further, the key length of a security algorithm may also be called the key length used by the security algorithm, the key length input to the security algorithm, or the key length corresponding to (or associated with) the security algorithm.

In the first communication method, the master node selects, based on the key length of a first security algorithm, a secondary node that supports that key length, and then requests that the secondary node be added; the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device. The secondary node determines a second security algorithm, used to protect data transmitted between the secondary node and the terminal device.

In the second communication method, the master node selects a secondary node based on the security algorithms supported by the master node and then requests that the secondary node be added; the key length of the security algorithms supported by the secondary node is not lower than the maximum key length of the security algorithms supported by the master node. The secondary node determines a second security algorithm, used to protect data transmitted between the secondary node and the terminal device.

In the third communication method, the master node first determines a secondary node and, based on information about the security algorithms supported by that secondary node, determines a first security algorithm used to protect data transmitted between the master node and the terminal device; the information about the security algorithms supported by the secondary node includes information about their key lengths and/or their identifiers. The master node then requests that the secondary node be added. The secondary node determines a second security algorithm, used to protect data transmitted between the secondary node and the terminal device.

In the fourth communication method, the master node first determines a secondary node and, based on information about the security algorithms supported by that secondary node, determines a first security algorithm and a second security algorithm. The first security algorithm is used to protect data transmitted between the master node and the terminal device, and the second security algorithm is used to protect data transmitted between the secondary node and the terminal device; the information about the security algorithms supported by the secondary node includes their identifiers (or their identifiers together with their key lengths). The master node then requests that the secondary node be added and sends the identifier of the second security algorithm to the secondary node.

In the fifth communication method, the master node first determines a first security algorithm, used to protect data transmitted between the master node and the terminal device. The master node selects a secondary node (denoted secondary node 1) and requests that it be added; secondary node 1 may determine that it does not support a security algorithm with the same key length as the first security algorithm, and then sends the master node an indication that adding secondary node 1 failed. The master node then selects another secondary node (denoted secondary node 2) and requests that it be added; secondary node 2 may determine that it supports a security algorithm with the same key length as the first security algorithm, and sends the master node an indication that adding secondary node 2 succeeded.

The five communication methods are described in detail below.

Figure 4 is a schematic flowchart of the first communication method provided by way of example in this application.

Step 401: the master node determines the secondary node based on the key length of the first security algorithm and the key lengths of the security algorithms supported by the candidate nodes.

The secondary node is one of the candidate nodes. When there is a single candidate node, the master node can determine whether that candidate node can serve as the secondary node; when there are several candidate nodes, the master node can select the secondary node from among them. For ease of description, the following takes the latter case as an example.

The key length of the security algorithms supported by the secondary node is not lower than the key length of the first security algorithm, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device.

When determining the secondary node, the master node can take as the secondary node a candidate node whose supported security algorithms satisfy condition 1 or condition 2 below; in other words, the security algorithms supported by the secondary node satisfy condition 1 or condition 2.

Condition 1: the second key length is not lower than the key length of the first security algorithm, where the second key length is the maximum key length of the security algorithms supported by the secondary node. By way of example, the second key length is equal to the key length of the first security algorithm.

Here it can be assumed that when the key lengths of the security algorithms supported by a node (master node or secondary node) include key length 1, they also include key length 2, where key length 1 is higher than (greater than) key length 2. For example, if the key lengths supported by a node include 256 bits, they also include 128 bits.

For example, the security algorithms supported by the master node are security algorithms 1 to 3, where security algorithm 1 has a 256-bit key length and security algorithms 2 and 3 both have a 128-bit key length. The candidate nodes are candidate nodes 1 to 3, where the maximum key length supported by candidate node 1 is 256 bits and the maximum key length supported by candidate nodes 2 and 3 is 128 bits. When the master node determines that the first security algorithm is security algorithm 1, it can select candidate node 1 as the secondary node. When the master node determines that the first security algorithm is security algorithm 2, it can select any of candidate nodes 1 to 3 as the secondary node.

Condition 2: the key lengths of the security algorithms supported by the secondary node include the key length of the first security algorithm.

For example, the security algorithms supported by the master node are security algorithms 1 to 3, where security algorithm 1 has a 256-bit key length and security algorithms 2 and 3 both have a 128-bit key length. The candidate nodes are candidate nodes 1 to 3, where candidate node 1 supports security algorithms with a 256-bit key length, candidate node 2 supports security algorithms with a 128-bit key length, and candidate node 3 supports security algorithms with 256-bit and 128-bit key lengths. When the master node determines that the first security algorithm is security algorithm 1, it can select candidate node 1 or candidate node 3 as the secondary node. When the master node determines that the first security algorithm is security algorithm 2, it can select candidate node 2 or candidate node 3 as the secondary node.

The master node's selection logic is similar under condition 1 and condition 2; the following takes condition 1 as an example.
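As an added example (not code from the patent), the following Python puts together the priority-based negotiation of section 5, the key-length mismatch described in the background, and the candidate filtering of conditions 1 and 2 in step 401, using the two worked examples above as test data. The algorithm identifiers ("256-NEA2" and so on, in the "key length-algorithm" form the page mentions later), the priority lists and the candidate capabilities are constructed sample data. The restriction that the chosen secondary node picks a second algorithm with the same key length as the first is this example's own choice, following the redundancy assumption stated above rather than a step the page spells out here.

```python
from typing import Dict, List, Optional, Set, Tuple


def key_len(alg: str) -> int:
    """'256-NEA2' -> 256 (constructed identifier format, see the page's '128-NEA2')."""
    return int(alg.split("-", 1)[0])


def negotiate(node_prio: List[str], ue_algs: Set[str],
              required_len: Optional[int] = None) -> Optional[str]:
    """Highest-priority algorithm of the node that the UE also supports.

    node_prio is the node's local priority list (first entry = highest priority);
    required_len, when given, restricts the choice to one key length."""
    for alg in node_prio:
        if alg in ue_algs and (required_len is None or key_len(alg) == required_len):
            return alg
    return None


def eligible_secondaries(candidates: Dict[str, List[str]], first_alg: str,
                         condition: int) -> List[str]:
    """Candidate nodes that may serve as SN once the MN has chosen first_alg.

    condition 1: the candidate's maximum supported key length is not lower than
                 the key length of first_alg.
    condition 2: the candidate's supported key lengths include that of first_alg."""
    need = key_len(first_alg)
    chosen = []
    for name, prio in candidates.items():
        lengths = {key_len(a) for a in prio}
        if condition == 1 and max(lengths) >= need:
            chosen.append(name)
        elif condition == 2 and need in lengths:
            chosen.append(name)
    return chosen


def legacy_setup(mn_prio: List[str], sn_prio: List[str],
                 ue_algs: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Background behaviour: MN and SN each negotiate on their own, so the two
    sessions can end up with different key lengths."""
    return negotiate(mn_prio, ue_algs), negotiate(sn_prio, ue_algs)


def dc_setup(mn_prio: List[str], candidates: Dict[str, List[str]],
             ue_algs: Set[str], condition: int = 1):
    """First method: MN picks first_alg, filters the candidates by key length,
    then the chosen SN picks a second algorithm of the same key length
    (equal-length restriction is this example's assumption)."""
    first = negotiate(mn_prio, ue_algs)
    if first is None:
        raise ValueError("no common algorithm between MN and UE")
    eligible = eligible_secondaries(candidates, first, condition)
    if not eligible:
        return first, None, None
    sn = eligible[0]   # any eligible node would do; take the first
    return first, sn, negotiate(candidates[sn], ue_algs, required_len=key_len(first))


# Constructed data mirroring the page's examples (security algorithms 1..3).
MN_PRIO = ["256-NEA2", "128-NEA2", "128-NEA1"]
UE_ALGS = {"256-NEA2", "128-NEA2", "128-NEA1"}
CANDIDATES_C1 = {"node1": ["256-NEA2", "128-NEA2"],   # max key length 256
                 "node2": ["128-NEA2"],                # max key length 128
                 "node3": ["128-NEA1"]}                # max key length 128
CANDIDATES_C2 = {"node1": ["256-NEA2"],                # 256 only
                 "node2": ["128-NEA2"],                # 128 only
                 "node3": ["256-NEA2", "128-NEA2"]}    # 256 and 128

if __name__ == "__main__":
    print("legacy:", legacy_setup(MN_PRIO, ["128-NEA2"], UE_ALGS))
    print("method 1:", dc_setup(MN_PRIO, CANDIDATES_C1, UE_ALGS, condition=1))
```

`legacy_setup` reproduces the mismatch from the background (MN at 256 bits, SN at 128 bits); `dc_setup` never returns a secondary node whose second algorithm has a different key length from the first, and returns `None` for the SN when no candidate qualifies, which is the case the fifth method handles with an explicit failure indication.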

Further, before step 401, the master node can obtain information about the key lengths of the security algorithms supported by the candidate nodes.

By way of example, a candidate node may support several security algorithms, which may correspond to several key lengths, where one key length may in turn correspond to one or more security algorithms; in other words, the candidate node supports those key lengths.

The information about the key lengths of the security algorithms supported by a candidate node may be the identifiers of the key lengths of the several security algorithms the candidate node supports (or, for short, the identifiers of the key lengths supported by the candidate node). For example, security algorithm 1 has a 256-bit key length and security algorithms 2 and 3 both have a 128-bit key length; if the candidate node supports security algorithms 1 to 3, the key length information for the candidate node is 256 bits and 128 bits.

Alternatively, the information may be the identifier of the maximum key length among the key lengths supported by the candidate node (or, for short, the identifier of the maximum key length supported by the candidate node). For example, security algorithm 1 has a 256-bit key length and security algorithms 2 and 3 both have a 128-bit key length; if the candidate node supports security algorithms 1 to 3, the key length information for the candidate node is 256 bits.

Alternatively, the information may be an indication of whether the candidate node supports a preset key length. By way of example, the indication occupies one bit: the value 1 indicates that the candidate node supports the preset key length, and the value 0 indicates that it does not. The preset key length may be 256 bits or 128 bits. For example, the preset key length is 256 bits, security algorithm 1 has a 256-bit key length, and security algorithms 2 and 3 both have a 128-bit key length; if the candidate node supports security algorithms 1 to 3, the key length information for the candidate node is an indication with the value 1, and if the candidate node supports only security algorithm 3, the key length information is an indication with the value 0.

It should be added that when a candidate node supports only one security algorithm, or when all the security algorithms it supports have the same key length, the "identifier of the key length supported by the candidate node" is equivalent to the "identifier of the maximum key length supported by the candidate node". In that case, the identifier of the maximum key length supported by the candidate node is used as the example. This remark also applies to the other embodiments.

In addition, in this application the information about the key lengths of the security algorithms supported by a candidate node may also be the identifiers of the several security algorithms the candidate node supports, where the identifier of each security algorithm includes an identifier of its key length; for example, the security algorithm identifier is "128-NEA2", the key length is 128, and NEA2 refers to the SNOW3G encryption algorithm.

In this application, the identifier of a key length may be not only the specific value of the key length (such as 256 bits or 128 bits) but also another pre-agreed identifier representing the key length. For example, the identifier of the key length is identifier A or identifier B, where identifier A indicates 256 bits and identifier B indicates 128 bits. As another example, the identifier of the key length is the value of a preset bit: the value 1 indicates 256 bits and the value 0 indicates 128 bits. The following examples all use the specific value of the key length.

The master node can obtain the information about the key lengths of the security algorithms supported by the candidate nodes through acquisition method 1 or acquisition method 2 below.

Acquisition method 1: the information about the key lengths of the security algorithms supported by the candidate nodes is preconfigured in the master node.

In other words, the master node holds preconfiguration information that contains the identifier of each candidate node and the information about the key lengths of the security algorithms that candidate node supports. For example, the key length information is the identifier of the maximum key length supported by the candidate node, the candidate nodes are candidate nodes 1 to 3, the maximum key length supported by candidate node 1 is 256 bits, the maximum key length supported by candidate node 2 is 256 bits, and the maximum key length supported by candidate node 3 is 128 bits; the preconfiguration information may then contain the following correspondences: (identifier of candidate node 1, 256 bits), (identifier of candidate node 2, 256 bits), (identifier of candidate node 3, 128 bits).

By way of example, the preconfiguration information is configured by a management device (such as the AMF, operation, administration and maintenance (OAM), or an equipment management system (EMS)) or manually. A candidate node may satisfy one or more of the following conditions: the master node and the candidate node belong to the same public land mobile network (PLMN); the master node and the candidate node are located in the same physical area; the signal coverage of the master node and the candidate node overlaps; or the frequencies of the master node and the candidate node do not interfere with each other.
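The encodings of key-length information listed above (a list of supported lengths, only the maximum length, a one-bit preset-length indication, and algorithm identifiers of the "128-NEA2" form, with lengths given either as values or as the pre-agreed labels A and B), together with the preconfigured table of acquisition method 1, as an added example in Python that is not code from the patent. It normalises every encoding into one set of supported key lengths so that the master node can compare candidates uniformly. The 128/256/512-bit lengths, the A/B labels and the table contents come from the page's examples; the "downward closure" rule is the page's own assumption that a node supporting a longer key length also supports the shorter ones; treating a 0-valued preset bit as "shorter lengths still supported" is this example's assumption.

```python
from typing import Dict, List, Set, Tuple, Union

KNOWN_LENGTHS = (128, 256, 512)        # key lengths the page names
LABELS = {"A": 256, "B": 128}          # pre-agreed labels from the page's example

Token = Union[int, str]


def decode_length(token: Token) -> int:
    """A key length may be carried as its value (256) or as a pre-agreed label ('A')."""
    if isinstance(token, int):
        if token not in KNOWN_LENGTHS:
            raise ValueError(f"unknown key length {token}")
        return token
    return LABELS[token]


def close_downwards(top: int) -> Set[int]:
    """Page rule: supporting key length 1 implies supporting every shorter key length 2."""
    return {n for n in KNOWN_LENGTHS if n <= top}


def supported_key_lengths(info: Tuple) -> Set[int]:
    """Normalise one encoding of key-length information. info is one of:
       ("lengths", [256, 128])          all supported lengths (values or labels)
       ("max", 256)                     only the maximum supported length
       ("preset_bit", 256, 1)           one bit: is the preset length supported?
       ("alg_ids", ["128-NEA2", ...])   algorithm identifiers carrying the length"""
    kind = info[0]
    if kind == "lengths":
        return {decode_length(t) for t in info[1]}
    if kind == "max":
        return close_downwards(decode_length(info[1]))
    if kind == "preset_bit":
        preset, bit = decode_length(info[1]), info[2]
        if bit == 1:
            return close_downwards(preset)
        # Bit 0 only says the preset length is unsupported; this example assumes
        # the shorter lengths remain supported (not stated on the page).
        return {n for n in KNOWN_LENGTHS if n < preset}
    if kind == "alg_ids":
        return {decode_length(int(a.split("-", 1)[0])) for a in info[1]}
    raise ValueError(f"unknown encoding {kind!r}")


def max_supported(info: Tuple) -> int:
    """Second key length in the sense of condition 1: the candidate's maximum."""
    return max(supported_key_lengths(info))


def nodes_supporting(preconfig: Dict[str, Tuple], required: int) -> List[str]:
    """Acquisition method 1: look a required key length up in the preconfigured table."""
    return [n for n, info in preconfig.items() if required in supported_key_lengths(info)]


# Constructed preconfiguration table mirroring the page's example:
# candidate node identifier -> identifier of its maximum supported key length.
PRECONFIG = {"node1": ("max", 256), "node2": ("max", 256), "node3": ("max", 128)}

if __name__ == "__main__":
    for node, info in PRECONFIG.items():
        print(node, sorted(supported_key_lengths(info)))
    print("candidates for 256-bit:", nodes_supporting(PRECONFIG, 256))
```

Because the forms differ in how much they reveal (a list is exact, a maximum or a preset bit only bounds the set), a practical implementation should keep track of which encoding a value came from before relying on the closure rule; here that rule is applied only to the "max" and "preset_bit" forms.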

Acquisition method 2: the primary node obtains the information about the key lengths of the security algorithms supported by a candidate node from the candidate node itself.

Exemplarily, the primary node holds pre-configuration information that includes the identifiers of the candidate nodes; these identifiers are configured by a management device (such as an AMF, OAM or EMS) or manually. For the definition of a candidate node, see the description of acquisition method 1.

The identifier of a candidate node is, for example, the device identifier of the candidate node, its Internet protocol (IP) address, its port number, or the like.

Exemplarily, the primary node sends a security capability request to each candidate node according to that candidate node's identifier; the security capability request requests information about the key lengths of the security algorithms supported by the candidate node. In response to the security capability request, the candidate node sends the information about the key lengths of its supported security algorithms to the primary node.

It should also be noted that, in the embodiments of this application, the primary node may also obtain node information of a candidate node (such as one or more of the candidate node's product serial number, communication standard, and deployment date) through acquisition method 1 or acquisition method 2 above. The primary node then determines the information about the key length of the security algorithms supported by the candidate node from that node information.

For example, the node information is the deployment date of the candidate node, and the primary node holds the preset rule "candidate nodes deployed on or before January 1, 2024 support a maximum key length of 128 bits; candidate nodes deployed after January 1, 2024 support a maximum key length of 256 bits". If a candidate node's deployment date is March 1, 2024, the primary node can determine that the maximum key length supported by that candidate node is 256 bits.

For another example, the node information is the communication standard of the candidate node, and the primary node holds the preset rule "candidate nodes using a communication standard below 5G support a maximum key length of 128 bits; candidate nodes using 5G or a later communication standard support a maximum key length of 256 bits". If a candidate node's communication standard is 5.5G, the primary node can determine that the maximum key length supported by that candidate node is 256 bits.

It should also be noted that, when selecting a secondary node from the candidate nodes, the primary node may consider not only the key lengths of the security algorithms supported by each candidate node but also one or more of the following: the signal strength of the candidate node as received by the terminal device, the usage of the candidate node's air interface resources, or the priority of the candidate node.

Exemplarily, the primary node may also send a measurement instruction to the terminal device according to the candidate node identifiers. The measurement instruction carries the candidate node identifiers and instructs the terminal device to measure the signal strength of those candidate nodes. Accordingly, the terminal device receives the measurement instruction, measures the signal strength of the candidate nodes identified in it, and sends a measurement result containing those signal strengths to the primary node. The primary node selects the secondary node from the candidate nodes based on the candidate nodes' signal strength and air interface resource usage, together with the information about the key lengths of the security algorithms they support.

In another example, the pre-configuration information of the primary node also includes the priority of each candidate node. When selecting a secondary node, the primary node selects it from the candidate nodes based on the candidate nodes' priorities together with the information about the key lengths of the security algorithms they support.
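The following is an added example, not code from the application, that puts the two acquisition paths and the selection criteria above into one selection routine for the FIG. 4 method: a candidate's maximum key length is taken from pre-configuration when present and otherwise inferred from its node information with the two preset rules stated in the text (deployment date, communication standard), and the eligible candidates are then ranked by priority, air interface load and the signal strength reported by the terminal device. The data class fields, the signal-strength floor and the eligibility rule (a candidate's maximum key length must be at least the first algorithm's key length, which under the page's rule that supporting 256 bits implies supporting 128 bits lets the secondary node pick an algorithm of equal key length) are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed example (not code from the application). Field names, the
# signal-strength floor and the ranking order are assumptions.

DEPLOYMENT_CUTOFF = date(2024, 1, 1)      # rule: deployed on/before -> 128-bit maximum
RAT_GENERATION = {"4G": 4.0, "5G": 5.0, "5.5G": 5.5, "6G": 6.0}


@dataclass
class CandidateNode:
    node_id: str
    max_key_length: Optional[int] = None      # bits, from pre-configuration when known
    deployment_date: Optional[date] = None    # node information (acquisition method 1 or 2)
    rat: Optional[str] = None                 # communication standard, e.g. "5.5G"
    priority: int = 0                         # pre-configured; larger is preferred
    rsrp_dbm: Optional[float] = None          # signal strength measured by the terminal device
    air_interface_load: float = 0.0           # 0.0 idle .. 1.0 saturated


def infer_max_key_length(node: CandidateNode) -> int:
    """Maximum key length (bits) of the algorithms the node supports.

    A pre-configured value wins; otherwise the deployment-date rule is applied,
    then the communication-standard rule, exactly as the text states them."""
    if node.max_key_length is not None:
        return node.max_key_length
    if node.deployment_date is not None:
        return 128 if node.deployment_date <= DEPLOYMENT_CUTOFF else 256
    if node.rat is not None:
        return 256 if RAT_GENERATION[node.rat] >= 5.0 else 128
    raise ValueError(f"no key-length information available for {node.node_id}")


def select_secondary_node(first_alg_key_length: int,
                          candidates: List[CandidateNode],
                          min_rsrp_dbm: float = -110.0) -> Optional[str]:
    """Return the chosen secondary node's identifier, or None if nothing qualifies.

    Eligibility (assumption): maximum key length >= the first algorithm's key
    length, and the reported signal strength, when present, is above the floor.
    Ranking: higher priority, then lower load, then stronger signal."""
    eligible = [
        c for c in candidates
        if infer_max_key_length(c) >= first_alg_key_length
        and (c.rsrp_dbm is None or c.rsrp_dbm >= min_rsrp_dbm)
    ]
    if not eligible:
        return None
    eligible.sort(key=lambda c: (-c.priority,
                                 c.air_interface_load,
                                 -(c.rsrp_dbm if c.rsrp_dbm is not None else float("-inf"))))
    return eligible[0].node_id


def sample_candidates() -> List[CandidateNode]:
    """Constructed candidate set: nodes 1-3 mirror the pre-configured table in the
    text; nodes 4 and 5 carry only node information and need the preset rules."""
    return [
        CandidateNode("node-1", max_key_length=256, priority=1, rsrp_dbm=-95.0, air_interface_load=0.4),
        CandidateNode("node-2", max_key_length=256, priority=2, rsrp_dbm=-118.0, air_interface_load=0.1),
        CandidateNode("node-3", max_key_length=128, priority=3, rsrp_dbm=-80.0, air_interface_load=0.0),
        CandidateNode("node-4", deployment_date=date(2024, 3, 1), priority=1, rsrp_dbm=-97.0, air_interface_load=0.2),
        CandidateNode("node-5", rat="4G", priority=5, rsrp_dbm=-85.0, air_interface_load=0.0),
    ]


def demo() -> Optional[str]:
    """First algorithm uses a 256-bit key: node-2 is too weak, node-3 and node-5
    only reach 128 bits, and node-4 beats node-1 on load at equal priority."""
    return select_secondary_node(256, sample_candidates())


if __name__ == "__main__":
    print(demo())
```

With a 128-bit first algorithm the same candidate set yields node-5, the highest-priority node, which shows why the key-length screening has to run before the priority ranking rather than after it.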

Optionally, before the primary node determines the secondary node based on the key length of the first security algorithm and the key lengths of the security algorithms supported by the candidate nodes, step 400 may be performed, in which the primary node determines (or selects) the first security algorithm.

Specifically, the primary node selects the first security algorithm from the security algorithms it supports, based on the priorities of its supported security algorithms and on the security algorithms supported by the terminal device. Exemplarily, the primary node selects as the first security algorithm a higher-priority security algorithm that is supported by both the primary node and the terminal device. For example, the primary node supports security algorithm 1 to security algorithm 3, in the priority order: security algorithm 1, security algorithm 2, security algorithm 3. If the terminal device supports security algorithm 1 and security algorithm 2, the primary node may determine that the first security algorithm is security algorithm 1.

Exemplarily, the primary node may first obtain the security algorithms supported by the terminal device. For example, when the terminal device sends a registration request to the AMF, the registration request carries the security algorithms supported by the terminal device, and the AMF then sends them to the primary node. In another example, the primary node is the target node in an Xn handover and receives the terminal device's supported security algorithms from the source node. In yet another example, the primary node is the target node in an N2 handover and receives the terminal device's supported security algorithms from the target AMF.

Step 402: the primary node sends a node request to the secondary node; correspondingly, the secondary node receives the node request from the primary node.

The node request is used to request the addition of a secondary node. In other words, the node request asks the node that receives it to act as a secondary node corresponding to the primary node. For example, node 1 receives a node request that asks node 1 to act as the secondary node corresponding to the primary node. It can also be understood that the node request asks the receiving node to act as the secondary node for the terminal device's URLLC service; for example, node 1 receives a node request that asks node 1 to act as the secondary node for the terminal device's URLLC service.

In one possible approach, the node request includes information about the key length of the first security algorithm. The secondary node may use this information to determine (or select) the second security algorithm, where the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device; see the descriptions of steps 403 and 404.

Exemplarily, the information about the key length of the first security algorithm may be an identifier of that key length. For example, if the key length of the first security algorithm is 256 bits, the key length information is 256 bits.

In another example, the information about the key length of the first security algorithm may be an indication of whether that key length is a preset key length. The indication may occupy one bit: a value of 1 indicates that the key length of the first security algorithm is the preset key length, and a value of 0 indicates that it is not. For example, if the preset key length is 256 bits and the key length of the first security algorithm is 256 bits, the key length information is an indication with the value 1; if the key length of the first security algorithm is 128 bits, the key length information is an indication with the value 0.

Optionally, the node request may also include the security algorithms supported by the terminal device, which the secondary node uses to select the second security algorithm; see the description of step 403. Optionally, the node request may also include the node key of the secondary node (for example, a gNB key), which the secondary node uses to derive its user plane key; see the description of step 404. Exemplarily, the primary node derives the node key of the secondary node from its own node key and carries the secondary node's node key in the node request.

Optionally, the implementation related to FIG. 4 further includes the following steps 403 and 404.

Step 403: the secondary node determines the second security algorithm.

The second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device.

In one possible approach, the node request includes information about the key length of the first security algorithm. After receiving the node request, the secondary node obtains this information from it and, based on it, selects the second security algorithm from among the security algorithms the secondary node supports. The key length of the second security algorithm equals the key length of the first security algorithm; the identifier of the second security algorithm may be the same as or different from that of the first security algorithm.

In one possible example, after receiving the node request, the secondary node may also obtain the security algorithms supported by the terminal device from the node request, and then determine the second security algorithm from among its supported security algorithms based on the key length information of the first security algorithm, the security algorithms supported by the terminal device, and the priorities of the security algorithms supported by the secondary node. That is, not only must the key length of the second security algorithm equal that of the first security algorithm, but the second security algorithm must also be supported by the terminal device (the terminal device's supported security algorithms include the second security algorithm), and it is a higher-priority one among the security algorithms supported by the secondary node.

For example, the terminal device supports security algorithm 1 to security algorithm 3. The key length of security algorithm 1 is 256 bits, and the key lengths of security algorithm 2 and security algorithm 3 are both 128 bits. The primary node determines that the first security algorithm is security algorithm 1, and the node request it sends to the secondary node includes the key length of the first security algorithm (256 bits) and the identifiers of security algorithm 1 to security algorithm 3 supported by the terminal device. The secondary node supports security algorithm 1 and security algorithm 4, and its configured priority order is: security algorithm 1, security algorithm 4, security algorithm 2, security algorithm 3. The key length of security algorithm 4 is 256 bits. The secondary node obtains the key length of the first security algorithm (256 bits) and the identifiers of security algorithm 1 to security algorithm 3 from the node request, and determines that the second security algorithm is security algorithm 1.

It should be noted that when the primary node and the secondary node support the same maximum key length, and the two have agreed in advance to select the security algorithm corresponding to that maximum key length as the security algorithm for communicating with the terminal device, the node request need not carry the key length information of the first security algorithm. For example, the primary node supports security algorithm 1 to security algorithm 3, the secondary node supports security algorithm 1 and security algorithm 2, and the terminal device supports security algorithm 1 and security algorithm 2, where the key length of security algorithm 1 is 256 bits and the key lengths of security algorithm 2 and security algorithm 3 are both 128 bits. The primary node may select the security algorithm corresponding to its maximum supported key length, namely security algorithm 1, as the first security algorithm, and send the node request to the secondary node without the key length information of the first security algorithm. Correspondingly, the secondary node may select the security algorithm corresponding to its maximum supported key length, namely security algorithm 1, as the second security algorithm. There may be other situations in which the node request need not carry the key length information of the first security algorithm; they are not enumerated in this application.

Step 404: the secondary node transmits data with the terminal device according to the second security algorithm.

Before step 404, the secondary node may also send a node response to the primary node indicating that the secondary node was added successfully. Exemplarily, the node response includes a success indication (for example, an acknowledgement (ACK)) indicating that the addition succeeded. Exemplarily, the node response also includes the identifier of the second security algorithm; after receiving the node response, the primary node obtains that identifier from it and sends it to the terminal device, so that the terminal device learns the identifier of the second security algorithm. Exemplarily, the identifier of the second security algorithm is carried in the RRC connection reconfiguration message that the primary node sends to the terminal device.

Exemplarily, the node request is a secondary node addition request (SN addition request) and the node response is a secondary node addition acknowledge (SN addition acknowledge); or the node request is a secondary node modification request (SN modification request) and the node response is a secondary node modification acknowledge (SN modification acknowledge).
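The following is an added example, not code from the application, that walks through steps 400, 402 and 403 and the node response as one exchange between the primary node (MN) and the secondary node (SN): the MN picks the first security algorithm by priority and terminal support, places that algorithm's key length (the explicit-length form, not the one-bit form) and the terminal device's supported algorithms into an SN addition request, the SN picks a second algorithm of equal key length by its own priority order, and replies with an acknowledge carrying the chosen identifier. The algorithm identifiers and key lengths reproduce the worked example in the text; the message field names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed example (not code from the application). Message field names are
# assumptions; the algorithm catalogue mirrors the worked example in the text:
# algorithms 1 and 4 use 256-bit keys, algorithms 2 and 3 use 128-bit keys.
ALG_KEY_LENGTH = {1: 256, 2: 128, 3: 128, 4: 256}   # identifier -> key length in bits


@dataclass(frozen=True)
class SNAdditionRequest:
    first_alg_key_length: int          # key length information of the first algorithm
    ue_supported: FrozenSet[int]       # identifiers of the algorithms the terminal device supports


@dataclass(frozen=True)
class SNAdditionAcknowledge:
    ack: bool                          # success indication
    second_algorithm: Optional[int]    # identifier the MN forwards to the terminal device


def select_first_algorithm(mn_priority: List[int], ue_supported: Set[int]) -> int:
    """Step 400: the highest-priority MN algorithm that the terminal device also supports."""
    for alg in mn_priority:                      # ordered, most preferred first
        if alg in ue_supported:
            return alg
    raise LookupError("no security algorithm is supported by both MN and terminal device")


def build_sn_addition_request(first_alg: int, ue_supported: Set[int]) -> SNAdditionRequest:
    """Step 402: the MN sends the first algorithm's key length, not its identifier."""
    return SNAdditionRequest(ALG_KEY_LENGTH[first_alg], frozenset(ue_supported))


def select_second_algorithm(req: SNAdditionRequest, sn_priority: List[int],
                            sn_supported: Set[int]) -> Optional[int]:
    """Step 403: highest-priority algorithm that the SN supports, the terminal device
    supports, and whose key length equals the first algorithm's key length."""
    for alg in sn_priority:
        if (alg in sn_supported and alg in req.ue_supported
                and ALG_KEY_LENGTH[alg] == req.first_alg_key_length):
            return alg
    return None


def sn_handle_request(req: SNAdditionRequest, sn_priority: List[int],
                      sn_supported: Set[int]) -> SNAdditionAcknowledge:
    """SN side: answer with ACK and the chosen identifier, or a negative response."""
    alg = select_second_algorithm(req, sn_priority, sn_supported)
    return SNAdditionAcknowledge(ack=alg is not None, second_algorithm=alg)


def run_exchange(mn_priority: List[int], ue_supported: Set[int],
                 sn_priority: List[int], sn_supported: Set[int]
                 ) -> Tuple[int, bool, Optional[int]]:
    """Whole MN <-> SN exchange; returns (first algorithm, ACK, second algorithm or None)."""
    first = select_first_algorithm(mn_priority, ue_supported)
    req = build_sn_addition_request(first, ue_supported)
    ack = sn_handle_request(req, sn_priority, sn_supported)
    # On success the MN would carry ack.second_algorithm to the terminal device in
    # the RRC connection reconfiguration message; here it is simply returned.
    return first, ack.ack, ack.second_algorithm


if __name__ == "__main__":
    # Worked example from the text: UE supports 1-3, SN supports 1 and 4 with
    # priority order 1, 4, 2, 3; the second algorithm comes out as algorithm 1.
    print(run_exchange([1, 2, 3], {1, 2, 3}, [1, 4, 2, 3], {1, 4}))
```

The negative path is the reason the key-length screening of step 401 exists: if the terminal device supports only the 128-bit algorithms 2 and 3, the MN picks algorithm 2, and an SN that only offers 256-bit algorithms has nothing of equal key length to answer with, so the addition fails rather than silently pairing a 256-bit leg with a 128-bit one.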

Before step 404, the secondary node may obtain its node key from the node request and derive its user plane key from that node key. The user plane key of the secondary node may be a user plane encryption key, or a user plane integrity protection key, or both a user plane encryption key and a user plane integrity protection key, or the key of the AEAD algorithm used for user plane protection, where an AEAD algorithm provides both data integrity protection and data encryption.

When the secondary node transmits data with the terminal device according to the second security algorithm, it specifically does so using the second security algorithm together with the secondary node's user plane key:

When the secondary node needs to send first data to the terminal device, the secondary node inputs its user plane key and the first data into the second security algorithm to obtain second data, and sends the second data to the terminal device. Correspondingly, the terminal device receives the second data from the secondary node and inputs the second data and the terminal device's user plane key into the second security algorithm to recover the first data.

When the terminal device needs to send first data to the secondary node, the terminal device inputs its user plane key and the first data into the second security algorithm to obtain second data, and sends the second data to the secondary node. Correspondingly, the secondary node receives the second data from the terminal device and inputs the second data and the secondary node's user plane key into the second security algorithm to recover the first data.

The user plane key of the terminal device and the user plane key of the secondary node are mutually symmetric keys, that is, the two sides hold the same key.

It should be added that, in the 5G key derivation architecture shown in FIG. 2, CK and IK are each usually 128 bits long, and their concatenation is 256 bits. The AUSF key, SEAF key, AMF key, NAS key, gNB key, RRC key and user plane key that the terminal device (or the network side) derives in turn are all 256 bits. When a node (such as the primary node or the secondary node) transmits data with the terminal device, if the key length of the security algorithm negotiated between them is 256 bits, both can use the 256-bit user plane key for transmission protection; if the negotiated key length is 128 bits, each side truncates the 256-bit user plane key to a 128-bit user plane key and uses that 128-bit key for transmission protection.
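The following is an added example, not code from the application, that models the part of the key hierarchy the text relies on: the primary node derives the secondary node's 256-bit node key from its own (the value carried in the node request of step 402), the secondary node derives 256-bit user plane encryption and integrity keys from it, and each key is truncated to 128 bits when the negotiated second security algorithm uses 128-bit keys. The KDF is HMAC-SHA-256 over a 3GPP-style FC || P_i || L_i input; the FC value 0x79 (secondary node key) and 0x69 with the distinguishers 0x05/0x06 (user plane encryption / integrity) are modelled on TS 33.501 Annex A, but the exact input encoding here is a simplification, and keeping the least significant 128 bits on truncation is an assumption of this example, both to be checked against the specification before any real use.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed example (not code from the application). FC values and algorithm
# distinguishers are modelled on TS 33.501 Annex A; the input encoding is
# simplified and the truncation rule (keep the low 128 bits) is an assumption.
KEY_LENGTH_BYTES = 32            # every key in the hierarchy is 256 bits
FC_SECONDARY_NODE_KEY = 0x79     # secondary node key derived from the primary node key
FC_ALGORITHM_KEY = 0x69          # algorithm-specific key derivation
UP_ENC_DISTINGUISHER = 0x05      # user plane encryption
UP_INT_DISTINGUISHER = 0x06      # user plane integrity


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...; always returns 256 bits."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_secondary_node_key(k_primary: bytes, sn_counter: int) -> bytes:
    """Primary node derives the secondary node's node key and ships it in the node request.

    The counter makes every secondary-node addition yield a fresh key."""
    if len(k_primary) != KEY_LENGTH_BYTES:
        raise ValueError("primary node key must be 256 bits")
    return kdf(k_primary, FC_SECONDARY_NODE_KEY, sn_counter.to_bytes(2, "big"))


def truncate_for_algorithm(k256: bytes, alg_key_length: int) -> bytes:
    """256-bit algorithms use the key as is; 128-bit algorithms use its low 128 bits.

    Anything else is refused: a short key is never padded up to a longer one."""
    if len(k256) != KEY_LENGTH_BYTES:
        raise ValueError("expected a 256-bit key")
    if alg_key_length == 256:
        return k256
    if alg_key_length == 128:
        return k256[-16:]
    raise ValueError(f"unsupported algorithm key length {alg_key_length}")


def derive_user_plane_keys(k_node: bytes, alg_id: int, alg_key_length: int) -> Tuple[bytes, bytes]:
    """Secondary node side: (UP encryption key, UP integrity key) sized for the chosen algorithm.

    Both the algorithm identifier and the type distinguisher enter the derivation,
    so choosing a different second algorithm also changes the keys."""
    k_up_enc = kdf(k_node, FC_ALGORITHM_KEY, bytes([UP_ENC_DISTINGUISHER]), bytes([alg_id]))
    k_up_int = kdf(k_node, FC_ALGORITHM_KEY, bytes([UP_INT_DISTINGUISHER]), bytes([alg_id]))
    return (truncate_for_algorithm(k_up_enc, alg_key_length),
            truncate_for_algorithm(k_up_int, alg_key_length))


if __name__ == "__main__":
    k_sn = derive_secondary_node_key(b"\x11" * KEY_LENGTH_BYTES, sn_counter=0)  # constructed key
    enc, integ = derive_user_plane_keys(k_sn, alg_id=2, alg_key_length=128)
    print(len(enc) * 8, enc.hex(), len(integ) * 8, integ.hex())
```

The terminal device runs the same derivation from its own copy of the node key, which is what makes the two user plane keys in the text "mutually symmetric"; the truncation step is the one place where a 128-bit leg and a 256-bit leg of the same session would diverge, and it is applied identically on both sides.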

In the embodiment related to FIG. 4 above, the primary node first determines the first security algorithm, the security algorithm used to protect data transmitted between the primary node and the terminal device. The primary node then selects a secondary node based on the key length of the first security algorithm and requests the addition of that secondary node. This makes the selection of the secondary node more reasonable and makes it easier for the secondary node to subsequently select a suitable security algorithm. Specifically, the selected secondary node satisfies the following condition: the primary node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the primary node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, as secure communication requires. For example, a secondary node selected according to the solution of this application ensures that the security algorithms selected by the primary node and by the secondary node have the same key length. In a scenario where the terminal device uses a redundant data transmission service, two mutually redundant PDU sessions of the terminal device carry the same data of the service; the data of the two PDU sessions is protected by the primary node and the secondary node respectively, each using its selected security algorithm, and the two security algorithms have the same key length, which meets the security assumption of redundant data transmission.

FIG. 5 is a schematic flowchart of a second communication method provided as an example in this application.

Step 501: the primary node determines the secondary node based on the key lengths of the security algorithms supported by the primary node and the key lengths of the security algorithms supported by the candidate nodes.

The candidate nodes include the secondary node. When there is a single candidate node, the primary node may determine whether that candidate node can serve as the secondary node; when there are multiple candidate nodes, the primary node may select the secondary node from among them. For ease of description, the latter case is used as the example below.

When determining the secondary node, the primary node may take as the secondary node a candidate node whose supported security algorithms satisfy condition (1) or condition (2) below; in other words, the security algorithms supported by the secondary node satisfy condition (1) or condition (2).

Condition (1): the maximum key length of the security algorithms supported by the secondary node is not less than the maximum key length of the security algorithms supported by the primary node.

Exemplarily, the maximum key length of the security algorithms supported by the secondary node is equal to the maximum key length of the security algorithms supported by the primary node.

In this application, the maximum key length of the security algorithms supported by the primary node may be called the first key length, and the maximum key length of the security algorithms supported by the secondary node may be called the second key length.

Here it may be assumed that when the key lengths of the security algorithms supported by a node (primary node or secondary node) include key length 1, they also include key length 2, where key length 1 is greater than key length 2. For example, if the key lengths of the security algorithms supported by a node include 256 bits, they also include 128 bits.

For example, the primary node supports security algorithm 1 to security algorithm 3, where the key length of security algorithm 1 is 256 bits and the key lengths of security algorithm 2 and security algorithm 3 are both 128 bits. The candidate nodes are candidate node 1 to candidate node 3, where the maximum key length of the security algorithms supported by candidate node 1 is 256 bits and the maximum key length of the security algorithms supported by candidate node 2 and candidate node 3 is 128 bits. From the key lengths of security algorithm 1 to security algorithm 3, the primary node determines that the first key length is 256 bits, and it therefore selects candidate node 1 from candidate node 1 to candidate node 3 as the secondary node.

Condition (2): the key lengths of the security algorithms supported by the secondary node include the key lengths of the security algorithms supported by the primary node.

For example, the primary node supports security algorithm 1 to security algorithm 3, where the key length of security algorithm 1 is 256 bits and the key lengths of security algorithm 2 and security algorithm 3 are both 128 bits. The candidate nodes are candidate node 1 to candidate node 3, where the key length of the security algorithms supported by candidate node 1 is 256 bits, the key length of the security algorithms supported by candidate node 2 is 128 bits, and the key lengths of the security algorithms supported by candidate node 3 are 256 bits and 128 bits. Based on the key lengths of security algorithm 1 to security algorithm 3, the primary node may select candidate node 3 from candidate node 1 to candidate node 3 as the secondary node.

The primary node's logic for selecting the secondary node is similar under condition (1) and condition (2); condition (1) is used as the example below.
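The following is an added example, not code from the application, that implements the two selection conditions of step 501 over the candidate sets of the two worked examples above. Condition (1) compares only maxima, which is sound under the page's assumption that supporting 256-bit keys implies supporting 128-bit keys; condition (2) is applied literally to the key lengths each candidate lists, which is what makes the second example pick candidate node 3 rather than candidate node 1. The candidate representation (identifier to list of key lengths) is an assumption of this example.

```python
from typing import Callable, Dict, Iterable, Optional

# Constructed example (not code from the application). Candidates are represented
# as identifier -> key lengths (bits) their supported algorithms use; the primary
# node's algorithms as identifier -> key length.

MN_ALGORITHMS = {1: 256, 2: 128, 3: 128}
# First worked example: only each candidate's maximum key length is known.
CANDIDATES_EXAMPLE_ONE = {"candidate-1": [256], "candidate-2": [128], "candidate-3": [128]}
# Second worked example: candidate 3 lists both key lengths explicitly.
CANDIDATES_EXAMPLE_TWO = {"candidate-1": [256], "candidate-2": [128], "candidate-3": [256, 128]}


def first_key_length(mn_algorithms: Dict[int, int]) -> int:
    """The first key length: maximum over the primary node's supported algorithms."""
    return max(mn_algorithms.values())


def meets_condition_one(mn_algorithms: Dict[int, int], candidate_lengths: Iterable[int]) -> bool:
    """Condition (1): candidate's maximum key length (second key length) is not
    less than the first key length."""
    return max(candidate_lengths) >= first_key_length(mn_algorithms)


def meets_condition_two(mn_algorithms: Dict[int, int], candidate_lengths: Iterable[int]) -> bool:
    """Condition (2): the candidate's listed key lengths include every key length
    used by the primary node's algorithms (applied literally, no implied lengths)."""
    return set(mn_algorithms.values()) <= set(candidate_lengths)


def select_secondary_node(mn_algorithms: Dict[int, int],
                          candidates: Dict[str, Iterable[int]],
                          condition: Callable[[Dict[int, int], Iterable[int]], bool]
                          ) -> Optional[str]:
    """First candidate, in configured order, whose key lengths satisfy the condition."""
    for node_id, lengths in candidates.items():
        if condition(mn_algorithms, lengths):
            return node_id
    return None


if __name__ == "__main__":
    print(select_secondary_node(MN_ALGORITHMS, CANDIDATES_EXAMPLE_ONE, meets_condition_one))
    print(select_secondary_node(MN_ALGORITHMS, CANDIDATES_EXAMPLE_TWO, meets_condition_two))
```

Running condition (2) over the first candidate set returns no node at all, because no candidate there lists both 256 and 128 bits; whether that is the intended outcome or whether the implied-length rule should be applied first is exactly the point a deployment has to settle before mixing the two conditions.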

Further, before step 501, the primary node may obtain information about the key lengths of the security algorithms supported by the candidate nodes. For a description of that information and of how the primary node obtains it, see the description of step 401.

Step 502: the primary node sends a node request to the secondary node; correspondingly, the secondary node receives the node request from the primary node.

The node request is used to request the addition of a secondary node; see the description of step 402.

In one possible approach, the node request includes information about the key length of the first security algorithm; for the purpose and form of that information, see the description of step 402.

Optionally, before sending the node request to the secondary node, the primary node may first select the first security algorithm from among its supported security algorithms. Specifically, the primary node selects it based on the priorities of its supported security algorithms and the security algorithms supported by the terminal device; see the description of step 400.

步骤502中未详尽描述的内容,还可参见上述步骤402中的描述。For details not described in step 502 , please refer to the description in step 402 .

可选的,图5相关实施中还包括如下步骤503和步骤504。Optionally, the implementation related to FIG5 further includes the following steps 503 and 504.

步骤503,辅节点确定第二安全算法。其中,第二安全算法是用于保护辅节点与终端设备之间传输的数据的安全算法。具体可参见步骤403中的描述。In step 503, the secondary node determines a second security algorithm. The second security algorithm is a security algorithm for protecting data transmitted between the secondary node and the terminal device. For details, see the description in step 403.

步骤504,辅节点根据第二安全算法,与终端设备传输数据。具体可参见步骤404中的描述。In step 504, the secondary node transmits data to the terminal device according to the second security algorithm. For details, please refer to the description in step 404.

在上述图5相关实施例中,主节点根据主节点支持的安全算法,选择辅节点,进而请求添加该辅节点。从而能够使得辅节点的选择更加合理,便于后续辅节点能够选择出合适的安全算法。具体的,选择出的辅节点能够满足如下条件:主节点和辅节点各自能确定出合适的安全算法,从而使得主节点与终端设备之间的传输数据的安全强度,和辅节点与终端设备之间的传输数据的安全强度相契合,以符合安全通信的要求。比如,按照本申请方案选出的辅节点能够使得主节点和辅节点各自选择出的安全算法的密钥长度相同。In the embodiment related to FIG. 5 above, the primary node selects a secondary node based on the security algorithm supported by the primary node and then requests to add the secondary node. This makes the selection of the secondary node more reasonable, making it easier for the subsequent secondary node to select an appropriate security algorithm. Specifically, the selected secondary node can meet the following conditions: the primary node and the secondary node can each determine an appropriate security algorithm, so that the security strength of the data transmitted between the primary node and the terminal device is consistent with the security strength of the data transmitted between the secondary node and the terminal device, so as to meet the requirements of secure communication. For example, the secondary node selected according to the solution of the present application can ensure that the key length of the security algorithm selected by the primary node and the secondary node is the same.

进一步的,在终端设备使用数据冗余传输业务的场景中,终端设备的两个互为冗余的PDU会话用于传输业务的相同数据,该两个PDU会话对应的数据分别由主节点和辅节点各自使用选择出的安全算法进行保护,两个安全算法的密钥长度相同,符合数据冗余传输的安全假设。Furthermore, in a scenario where the terminal device uses data redundancy transmission services, the two redundant PDU sessions of the terminal device are used to transmit the same data of the service. The data corresponding to the two PDU sessions are protected by the primary node and the secondary node respectively using the selected security algorithms. The key lengths of the two security algorithms are the same, which meets the security assumption of data redundancy transmission.

FIG. 6 is a schematic flowchart of a third communication method provided as an example in this application.

Step 601: The primary node obtains information about the security algorithms supported by the secondary node.

The security algorithm information includes key length information of the security algorithms and/or identifiers of the security algorithms. That is, the primary node obtains information about the key lengths of the security algorithms supported by the secondary node, and/or the primary node obtains the identifiers of the security algorithms supported by the secondary node.

The information about the key lengths of the security algorithms supported by the secondary node may be identifiers of multiple key lengths supported by the secondary node, an identifier of the maximum key length supported by the secondary node, or an indication of whether the secondary node supports a preset key length. The secondary node is one of the candidate nodes; for the key length information of the security algorithms supported by the secondary node, see the description of step 401 above.

The identifiers of the security algorithms supported by the secondary node may specifically be the identifiers of one or more security algorithms supported by the secondary node. For example, if the secondary node supports security algorithms 1 to 3, whose identifiers are identifier 1 to identifier 3 respectively, then the identifiers of the security algorithms supported by the secondary node include identifier 1 to identifier 3.

Optionally, before the primary node obtains the information about the security algorithms supported by the secondary node, the following step 600 may also be included:

Step 600: The primary node selects the secondary node from the candidate nodes.

For the definition of candidate nodes, see the description of acquisition method 1 in step 401.

Specifically, the primary node may select the secondary node from the candidate nodes based on at least one or more of the following: the signal strength at which the terminal device receives a candidate node, the air interface resource usage of a candidate node, or the priority of a candidate node.

Two examples of the primary node selecting the secondary node from the candidate nodes are given below:

Example (1): The identifiers of the candidate nodes are preconfigured in the primary node. The primary node sends a measurement indication to the terminal device; the measurement indication includes the identifiers of the candidate nodes and instructs the terminal device to measure the signal strength of the candidate nodes. Correspondingly, the terminal device receives the measurement indication, measures the signal strength of the candidate nodes based on the identifiers in the indication, and sends a measurement result including the signal strength of the candidate nodes to the primary node. The primary node selects the secondary node from the candidate nodes based on their signal strength and air interface resource usage.

Example (2): The identifiers and priorities of the candidate nodes are preconfigured in the primary node. The primary node may select the secondary node from the candidate nodes based on their priorities and air interface resource usage.

By way of example, the primary node holds preconfiguration information that includes the identifiers of the candidate nodes, or their identifiers and priorities. This preconfiguration information may be configured by a management device (such as an AMF, OAM or EMS) or manually. The air interface resource usage of a candidate node may be requested from the candidate node by the primary node.

Further, the primary node may obtain the information about the security algorithms supported by the secondary node through acquisition method (1) or acquisition method (2) below.

Acquisition method (1): The information about the security algorithms supported by the secondary node is preconfigured in the primary node.

By way of example, the preconfiguration information further includes information about the security algorithms supported by the candidate nodes (that is, it includes the information about the security algorithms supported by the secondary node). The primary node obtains the information about the security algorithms supported by the secondary node from the preconfiguration information based on the identifier of the secondary node. For example, the candidate nodes are candidate node 1 to candidate node 5; the preconfiguration information includes the identifiers of candidate node 1 to candidate node 5 and the security algorithm information 1 to security algorithm information 5 supported by candidate node 1 to candidate node 5 respectively. When the primary node selects candidate node 2 as the secondary node, it further determines that the information about the security algorithms supported by the secondary node is security algorithm information 2.

Acquisition method (2): The primary node obtains the information about the security algorithms supported by the secondary node from the secondary node itself. By way of example, the primary node sends a security capability request to the secondary node based on the identifier of the secondary node; the security capability request requests the information about the security algorithms supported by the secondary node. Correspondingly, in response to the security capability request, the secondary node sends the information about the security algorithms it supports to the primary node.

Step 602: The primary node determines a first security algorithm based on the information about the security algorithms supported by the secondary node, where the first security algorithm is the security algorithm used to protect data transmitted between the primary node and the terminal device.

In one specific implementation, the primary node selects the first security algorithm from the security algorithms supported by the primary node based on the information about the security algorithms supported by the secondary node and the information about the security algorithms supported by the primary node.

The information about the security algorithms supported by the primary node includes one or more of the following: identifiers of multiple key lengths supported by the primary node, an identifier of the maximum key length supported by the primary node (that is, an identifier of the first key length), an indication of whether the primary node supports a preset key length, identifiers of the security algorithms supported by the primary node, or priorities of the security algorithms supported by the primary node.

By way of example, the information about the security algorithms supported by the primary node is specifically a priority list of the security algorithms supported by the primary node, which includes the identifiers and priorities of multiple security algorithms supported by the primary node. The identifier of a security algorithm supported by the primary node includes the key length of that algorithm; for example, if the identifier of the security algorithm is "128-NEA2", the key length is 128, where NEA2 refers to the SNOW3G encryption algorithm.

Further, the following cases are described according to what the information about the security algorithms supported by the secondary node contains:

Case 1: When the information about the security algorithms supported by the secondary node includes information about the key lengths of those algorithms, the primary node determines the first security algorithm based on the key length information of the security algorithms supported by the secondary node and the information about the security algorithms supported by the primary node.

Example (1): The primary node determines a second key length based on the key length information of the security algorithms supported by the secondary node. It then determines the smaller of the first key length and the second key length and, based on that smaller key length, the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the primary node, selects from the security algorithms supported by the primary node a security algorithm whose key length is lower than (or less than) or equal to that smaller key length, and uses the selected security algorithm as the first security algorithm. The first key length is the maximum key length of the security algorithms supported by the primary node, and the second key length is the maximum key length of the security algorithms supported by the secondary node.

Specifically, when the primary node determines that the first key length is higher than the second key length, the primary node may select, from the security algorithms it supports and based on the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the primary node, a security algorithm whose key length is lower than or equal to the second key length, and use the selected security algorithm as the first security algorithm.

For example, the second key length is 128 bits; the primary node supports security algorithms 1 to 3, in the priority order security algorithm 1, security algorithm 2, security algorithm 3. The terminal device supports security algorithms 1 to 3. The key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits. The primary node determines that the first key length is 256 bits and that the first key length is higher than the second key length, and therefore, based on the second key length (128 bits), the security algorithms 1 to 3 supported by the terminal device and the priorities of security algorithms 1 to 3, selects security algorithm 2 as the first security algorithm.

When the primary node determines that the first key length is lower than or equal to the second key length, the primary node may select, from the security algorithms it supports and based on the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the primary node, a security algorithm whose key length is lower than or equal to the first key length, and use the selected security algorithm as the first security algorithm.

Continuing the above example, the second key length is 256 bits. The primary node determines that the first key length is 256 bits and that the first key length is lower than or equal to the second key length, and therefore, based on the first key length (256 bits), the security algorithms 1 to 3 supported by the terminal device and the priorities of security algorithms 1 to 3, selects security algorithm 1 as the first security algorithm.

Example (2): The primary node preliminarily selects a security algorithm based on the security algorithms and priorities supported by the primary node and the security algorithms supported by the terminal device. If the key length of the preliminarily selected security algorithm is less than or equal to the second key length, the preliminarily selected algorithm is determined to be the first security algorithm; if its key length is greater than the second key length, the primary node reselects a security algorithm based on the security algorithms and priorities supported by the primary node and the security algorithms supported by the terminal device, and determines whether the key length of the reselected algorithm is less than or equal to the second key length, and so on, until the first security algorithm is determined.

For example, the second key length is 128 bits; the primary node supports security algorithms 1 to 3, in the priority order security algorithm 1, security algorithm 2, security algorithm 3. The terminal device supports security algorithms 1 to 3. The key length of security algorithm 1 is 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits. Based on the security algorithms and priorities supported by the primary node and the security algorithms supported by the terminal device, the primary node selects security algorithm 1 and determines that its key length is greater than the second key length. Further, on the same basis, the primary node reselects security algorithm 2, determines that its key length is equal to the second key length, and therefore determines that security algorithm 2 is the first security algorithm.

Example (3): Based on the key length information of the security algorithms supported by the secondary node, by the primary node and by the terminal device, the primary node determines a key length supported by all three. Then, based on that commonly supported key length, the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the primary node, the primary node selects the first security algorithm from the security algorithms it supports, where the key length of the first security algorithm is equal to the key length supported by all three.

For example, the primary node supports security algorithms 1 to 3, in the priority order security algorithm 1, security algorithm 2, security algorithm 3. The terminal device supports security algorithms 1 to 3. The secondary node supports security algorithm 1 and security algorithm 4. The key lengths of security algorithms 1 and 4 are 256 bits, and the key lengths of security algorithms 2 and 3 are both 128 bits. Based on the key lengths of the security algorithms supported by the primary node, by the secondary node and by the terminal device, the primary node determines that the key length supported by all three is 256 bits. Further, based on that commonly supported key length (256 bits), the security algorithms 1 to 3 supported by the terminal device and the priority order of the security algorithms supported by the primary node, the primary node determines that the first security algorithm is security algorithm 1.

Case 2: When the information about the security algorithms supported by the secondary node includes the identifiers of those algorithms, the primary node determines the key length information of the security algorithms supported by the secondary node from those identifiers, and then determines the first security algorithm based on that key length information and the information about the security algorithms supported by the primary node (see the description of case 1 above).

Optionally, the implementation related to FIG. 6 further includes the following steps 603 to 605:

Step 603: The primary node sends a node request to the secondary node; correspondingly, the secondary node receives the node request from the primary node.

The node request includes information about the key length of the first security algorithm; this may be an identifier of the key length of the first security algorithm, or an indication of whether the key length of the first security algorithm is the preset key length. The node request is used to request addition of the secondary node; for details, see the description of step 402.

In one possible manner, the node request further includes the security algorithms supported by the terminal device. Optionally, the node request may further include the node key of the secondary node, which the secondary node uses to derive its user plane key; for details, see the description of step 402.

Step 604: The secondary node determines the second security algorithm based on the information about the key length of the first security algorithm.

Specifically, after receiving the node request, the secondary node obtains the information about the key length of the first security algorithm from the node request and, based on it, determines the second security algorithm from the security algorithms supported by the secondary node, such that the key length of the first security algorithm is the same as the key length of the second security algorithm. For the specific implementation, see the description of case 1 in step 403.

Step 605: The secondary node transmits data with the terminal device according to the second security algorithm.

Before step 605, the secondary node may further send a node response to the primary node, indicating that the secondary node was added successfully. For content not described in detail in step 605, see the description of step 404.

In the embodiment related to FIG. 6 above, the primary node first determines the secondary node, determines the first security algorithm based on the information about the security algorithms supported by that secondary node, and then requests addition of the secondary node based on the information about the key length of the first security algorithm. The primary node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the primary node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, meeting the requirements of secure communication. For example, with the solution of this application, the first security algorithm selected by the primary node and the second security algorithm selected by the secondary node have the same key length.

Further, in a scenario where the terminal device uses a redundant data transmission service, two mutually redundant PDU sessions of the terminal device carry the same data of the service. The data of the two PDU sessions are protected by the primary node and the secondary node respectively, each using its selected security algorithm, and the two security algorithms have the same key length, which conforms to the security assumption of redundant data transmission.

FIG. 7 is a schematic flowchart of a fourth communication method provided as an example in this application.

Step 701: The primary node obtains information about the security algorithms supported by the secondary node. For details, see the description of step 601.

Optionally, before the primary node obtains the information about the security algorithms supported by the secondary node, the following may further be included: Step 700: The primary node selects the secondary node from the candidate nodes. For details, see the description of step 600.

Step 702: The primary node determines a first security algorithm and a second security algorithm based on the information about the security algorithms supported by the secondary node.

The first security algorithm is the security algorithm used to protect data transmitted between the primary node and the terminal device. The second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device. The key length of the first security algorithm is equal to the key length of the second security algorithm.

In one example, the information about the security algorithms supported by the secondary node includes the identifiers of those algorithms. The primary node determines the key length information of the security algorithms supported by the secondary node from those identifiers, then determines the first security algorithm based on that key length information and the information about the security algorithms supported by the primary node (see the description of step 602). The primary node then determines the second security algorithm based on the key length of the first security algorithm and the identifiers of the security algorithms supported by the secondary node.

Optionally, the information about the security algorithms supported by the secondary node further includes the key length information of those algorithms, and the primary node may determine the first security algorithm based on that key length information and the information about the security algorithms supported by the primary node. The primary node then determines the second security algorithm based on the key length of the first security algorithm and the identifiers of the security algorithms supported by the secondary node.

In another example, the information about the security algorithms supported by the secondary node includes the identifiers of those algorithms, and the primary node determines the first security algorithm and the second security algorithm based on those identifiers and the information about the security algorithms supported by the primary node.

By way of example, the first security algorithm and the second security algorithm are the same; that is, based on the identifiers of the security algorithms supported by the secondary node and those supported by the primary node, the primary node selects a security algorithm whose identifier is common to both as the first security algorithm and the second security algorithm.

For example, the secondary node supports security algorithms 1 to 4, and the information about the security algorithms supported by the secondary node includes the identifiers of security algorithms 1 to 4; the primary node supports security algorithms 1 to 3, and the information about the security algorithms supported by the primary node includes the identifiers of security algorithms 1 to 3. Based on the two sets of identifiers, the primary node may determine that the first security algorithm and the second security algorithm are both security algorithm 1, or both security algorithm 2, and so on.

When the secondary node supports multiple security algorithms, the information about the security algorithms supported by the secondary node may further include the priorities of those algorithms. Further, the primary node may determine the first security algorithm and the second security algorithm based on the identifiers of the multiple security algorithms supported by the secondary node, their priorities, and the information about the security algorithms supported by the primary node.

Continuing the above example, the information about the security algorithms supported by the secondary node further includes their priorities, in the order security algorithm 1 to security algorithm 4. Based on the identifiers of the security algorithms supported by the secondary node, the identifiers of the security algorithms supported by the primary node and the priorities of the security algorithms supported by the secondary node, the primary node may determine that the first security algorithm and the second security algorithm are both security algorithm 1.

In this manner, the primary node may further send the identifier of the second security algorithm to the secondary node. Optionally, the identifier of the second security algorithm is included in the node request. Alternatively, it is included in another message: for example, the primary node first sends the node request, which requests addition of the secondary node, and then sends the other message, containing the identifier of the second security algorithm, to the secondary node.

Optionally, the implementation related to FIG. 7 further includes the following step 703 and step 704.

Step 703: The master node sends a node request to the secondary node; correspondingly, the secondary node receives the node request from the master node.

The node request is used to request adding the secondary node; for details, refer to the description in step 402.

Optionally, the node request includes the identifier of the second security algorithm. Exemplarily, the node request is further used to instruct the secondary node to transmit data with the terminal device according to the identifier of the second security algorithm included in the node request.

Step 704: The secondary node transmits data with the terminal device according to the second security algorithm.

Specifically, after obtaining the identifier of the second security algorithm from the node request, the secondary node directly determines the second security algorithm from that identifier. For example, if the node request includes the identifier of security algorithm 1, the secondary node may determine that the second security algorithm is security algorithm 1.

Further, after determining the second security algorithm, the secondary node may also verify that the secondary node and/or the terminal device supports the second security algorithm, and then transmit data with the terminal device according to the second security algorithm. Exemplarily, the secondary node obtains from the node request the identifiers of the security algorithms supported by the terminal device and the identifier of the second security algorithm, and determines that the security algorithms supported by the terminal device include the second security algorithm.

Before step 704, the secondary node may also send a node response to the master node, the node response indicating that the secondary node has been added successfully. Because the master node already knows the second security algorithm, the node response need not carry the identifier of the second security algorithm, which helps reduce the amount of data transmitted.

In the embodiment related to FIG. 7, the master node determines the first security algorithm and the second security algorithm based on the information about the security algorithms supported by the secondary node, and sends the identifier of the second security algorithm to the secondary node. The master node can thereby ensure that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device; for example, the master node can ensure that the key length of the first security algorithm and the key length of the second security algorithm are the same, achieving security of the communication system.

Further, in a scenario where the terminal device uses a data redundancy transmission service, two mutually redundant PDU sessions of the terminal device are used to transmit the same data of the service. The data corresponding to the two PDU sessions are protected by the first security algorithm and the second security algorithm respectively, and the key lengths of the two security algorithms are the same, which meets the security assumption of data redundancy transmission.
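The following Python example is added here as an illustration and is not code from the patent application. It implements the master-node selection of the FIG. 7 embodiment (one algorithm identifier chosen as both the first and the second security algorithm, walking the secondary node's supported list in its priority order) and the secondary-side check of step 704 (resolving the identifier carried in the node request and verifying that both the secondary node and the terminal device support it). The `SecurityAlgorithm` type, the dictionary layout of the node request, and the extra key-length consistency check are assumptions of this example, not formats defined by the application.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SecurityAlgorithm:
    """One entry of a node's supported-algorithm information (constructed type)."""
    ident: int        # algorithm identifier, as carried in node request / node response
    key_length: int   # key length in bits


def select_common_algorithm(
    secondary_supported: Sequence[SecurityAlgorithm],
    master_supported: Sequence[SecurityAlgorithm],
) -> Optional[SecurityAlgorithm]:
    """Master-node selection: the same algorithm serves as first and second security
    algorithm.  secondary_supported is ordered by the secondary node's priority
    (highest first), so the first identifier also present on the master side wins."""
    master_by_id = {alg.ident: alg for alg in master_supported}
    for candidate in secondary_supported:
        match = master_by_id.get(candidate.ident)
        if match is None:
            continue
        # Assumed defensive check: an identifier must denote the same key length on
        # both sides, otherwise "same identifier" does not guarantee equal strength.
        if match.key_length != candidate.key_length:
            continue
        return candidate
    return None   # nothing in common: this secondary node cannot be added


def build_node_request(selected: SecurityAlgorithm) -> dict:
    """Hypothetical node-request payload carrying the second algorithm's identifier."""
    return {"request": "add-secondary-node", "second_algorithm_id": selected.ident}


def secondary_accepts(
    request: dict,
    secondary_supported: Sequence[SecurityAlgorithm],
    terminal_supported_ids: Sequence[int],
) -> Optional[SecurityAlgorithm]:
    """Step 704 on the secondary node: resolve the identifier from the node request and
    verify that both the secondary node and the terminal device support it.
    Returns the resolved second security algorithm, or None if either side lacks it."""
    ident = request["second_algorithm_id"]
    if ident not in terminal_supported_ids:
        return None
    for alg in secondary_supported:
        if alg.ident == ident:
            return alg
    return None


if __name__ == "__main__":
    # Constructed sample: secondary supports 1..4 (priority order), master supports 1..3.
    A = SecurityAlgorithm
    secondary = [A(1, 256), A(2, 256), A(3, 128), A(4, 128)]
    master = [A(1, 256), A(2, 256), A(3, 128)]
    chosen = select_common_algorithm(secondary, master)
    print("selected algorithm:", chosen)
    print("secondary accepts:", secondary_accepts(build_node_request(chosen), secondary, [1, 2]))
```

With the constructed lists above the master picks security algorithm 1, matching the worked example in the text; reversing the secondary node's priority order makes it pick security algorithm 3, and a secondary node that shares no identifier with the master yields `None`, which is the case the master must treat as "cannot add".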

FIG. 8 is a schematic flowchart of a fifth communication method exemplarily provided in this application. For ease of description, the secondary node selected first by the master node may be referred to as secondary node 1 and the node request sent by the master node to secondary node 1 as node request 1; the secondary node selected later by the master node may be referred to as secondary node 2 and the node request sent by the master node to secondary node 2 as node request 2.

Step 801: The master node determines a first security algorithm.

The first security algorithm is a security algorithm used to protect data transmitted between the master node and the terminal device.

Specifically, the master node selects the first security algorithm from the security algorithms supported by the master node based on the priorities of the security algorithms supported by the master node and the security algorithms supported by the terminal device. For a specific example, refer to the description in step 400.

Step 802: The master node sends node request 1 to the secondary node (that is, secondary node 1); correspondingly, secondary node 1 receives node request 1 from the master node. Node request 1 is used to request adding secondary node 1, and node request 1 includes information about the key length of the first security algorithm.

Exemplarily, the information about the key length of the first security algorithm may be an identifier of the key length of the first security algorithm, or an indication of whether the key length of the first security algorithm is a preset key length; for details, refer to the description in step 402.

In one possible approach, the key length of the first security algorithm is the preset key length. In other words, when the master node determines that the key length of the first security algorithm is the preset key length, it may carry the information about the key length of the first security algorithm (that is, the preset key length) in node request 1. For example, if the preset key length is 256 bits and the master node determines that the key length of the first security algorithm is 256 bits, node request 1 sent to secondary node 1 includes 256 bits; if the master node determines that the key length of the first security algorithm is 128 bits, node request 1 sent to secondary node 1 need not include 128 bits. This may also be understood as follows: the master node and the secondary node both support key lengths shorter than the preset key length by default, but do not necessarily both support the preset key length. When the master node determines that the key length of the first security algorithm is the preset key length, it needs to carry the information about the key length of the first security algorithm in node request 1, whereas when the master node determines that the key length of the first security algorithm is shorter than the preset key length, it need not carry that information in node request 1. This explanation also applies to the other solutions in which the node request carries information about the key length of the first security algorithm, such as step 402, step 603, and step 805.

Optionally, the master node may select secondary node 1 from the candidate nodes; for a specific implementation, refer to the description of step 600 above.

Optionally, the implementation related to FIG. 8 further includes the following step 803 and step 804.

Step 803: Secondary node 1 sends node response 1 to the master node; correspondingly, the master node receives node response 1 from secondary node 1.

Node response 1 is the response corresponding to node request 1.

Node response 1 is used to indicate that adding secondary node 1 has failed. Exemplarily, node response 1 includes a failure indication (for example, a negative acknowledgement (NACK)), which indicates that adding secondary node 1 has failed.

Three examples of how secondary node 1 determines to send node response 1 to the master node are provided below:

Example a1: Secondary node 1 obtains the information about the key length of the first security algorithm from node request 1 and, when it determines from that information that it does not support the key length of the first security algorithm, sends node response 1 to the master node. For example, if the key length supported by secondary node 1 is 128 bits and the key length of the first security algorithm indicated in node request 1 is 256 bits, secondary node 1 may determine that it does not support the key length of the first security algorithm and send node response 1 to the master node.

Example b1: Secondary node 1 obtains the information about the key length of the first security algorithm from node request 1 and, when it determines from that information that it supports the key length of the first security algorithm, determines a second security algorithm. Further, when secondary node 1 determines that the key length of the first security algorithm and the key length of the second security algorithm differ, it sends node response 1 to the master node. For example, if the key lengths supported by secondary node 1 are 128 bits and 256 bits and the key length of the first security algorithm indicated in node request 1 is 256 bits, secondary node 1 may determine that it supports the key length of the first security algorithm. Secondary node 1 further determines that the key length of the second security algorithm is 128 bits (for example, secondary node 1 determines the second security algorithm according to the priorities of the security algorithms it supports, and the key length of that second security algorithm is 128 bits). Secondary node 1 determines that the key length of the first security algorithm (256 bits) and the key length of the second security algorithm (128 bits) differ, and sends node response 1 to the master node.

Example c1: Secondary node 1 determines a second security algorithm. Further, secondary node 1 determines that the key length of the first security algorithm and the key length of the second security algorithm differ, and sends node response 1 to the master node. For example, the key length of the first security algorithm indicated in node request 1 is 256 bits and the key length of the second security algorithm is 128 bits; secondary node 1 determines that the key length of the first security algorithm (256 bits) and the key length of the second security algorithm (128 bits) differ, and sends node response 1 to the master node.

Exemplarily, node response 1 may further include a cause value corresponding to the failure indication, the cause value indicating the reason why secondary node 1 returns the failure indication to the master node. For example, a cause value of 1 indicates that secondary node 1 does not support the key length of the first security algorithm; a cause value of 2 indicates that secondary node 1 supports the key length of the first security algorithm but the key length of the second security algorithm it determined on its own differs from the key length of the first security algorithm; and a cause value of 3 indicates that the key length of the second security algorithm determined by secondary node 1 on its own differs from the key length of the first security algorithm, without indicating whether secondary node 1 supports the key length of the first security algorithm.

Step 804: The master node reselects a secondary node (that is, secondary node 2).

Optionally, the master node selects secondary node 2 from the candidate nodes; for a specific implementation, refer to the description of step 600 above. It can be understood that secondary node 2 differs from secondary node 1: the master node selects secondary node 2 from the candidate nodes other than secondary node 1. Further, when selecting a secondary node from the candidate nodes, the master node selects secondary node 1 first and secondary node 2 afterwards. Exemplarily, in the measurement report that the terminal device reports to the master node, the signal strength of secondary node 1 is higher than the signal strength of secondary node 2.

Step 805: The master node sends node request 2 to secondary node 2; correspondingly, secondary node 2 receives node request 2 from the master node. Node request 2 is used to request adding secondary node 2, and node request 2 includes information about the key length of the first security algorithm.

Step 806: Secondary node 2 sends node response 2 to the master node; correspondingly, the master node receives node response 2 from secondary node 2.

Node response 2 is the response corresponding to node request 2. Node response 2 is used to indicate that secondary node 2 has been added successfully. Exemplarily, node response 2 includes a success indication, which indicates that secondary node 2 has been added successfully.

Three examples of how secondary node 2 determines to send node response 2 to the master node are provided below:

Example a2: Secondary node 2 obtains the information about the key length of the first security algorithm from node request 2 and, when it determines from that information that it supports the key length of the first security algorithm, determines a second security algorithm according to the key length of the first security algorithm, where the key length of the first security algorithm equals the key length of the second security algorithm. Secondary node 2 sends node response 2 to the master node. For example, secondary node 2 supports security algorithm 1, whose key length is 256 bits, and the key length of the first security algorithm indicated in node request 2 is 256 bits. Secondary node 2 determines that it supports the key length of the first security algorithm, then determines according to that key length that the second security algorithm is security algorithm 1, and sends node response 2 to the master node.

Example b2: Secondary node 2 obtains the information about the key length of the first security algorithm from node request 2 and, when it determines from that information that it supports the key length of the first security algorithm, determines a second security algorithm. Further, secondary node 2 determines that the key length of the first security algorithm and the key length of the second security algorithm are the same, and sends node response 2 to the master node. For example, secondary node 2 supports security algorithm 1, whose key length is 256 bits, and the key length of the first security algorithm indicated in node request 2 is 256 bits; secondary node 2 may determine that it supports the key length of the first security algorithm. Secondary node 2 further determines that the second security algorithm is security algorithm 1, determines that the key length of the first security algorithm (256 bits) and the key length of the second security algorithm (256 bits) are the same, and sends node response 2 to the master node.

Example c2: Secondary node 2 determines a second security algorithm. Further, secondary node 2 determines that the key length of the first security algorithm and the key length of the second security algorithm are the same, and sends node response 2 to the master node. For example, secondary node 2 supports security algorithm 1, whose key length is 256 bits, and the key length of the first security algorithm indicated in node request 2 is 256 bits. Secondary node 2 determines that the second security algorithm is security algorithm 1, determines that the key length of the first security algorithm (256 bits) and the key length of the second security algorithm (256 bits) are the same, and sends node response 2 to the master node.

Optionally, node response 2 includes the identifier of the second security algorithm. Optionally, the master node may obtain the identifier of the second security algorithm from node response 2 and send it to the terminal device, so that the terminal device obtains the identifier of the second security algorithm. Exemplarily, the identifier of the second security algorithm is carried in an RRC connection reconfiguration message sent by the master node to the terminal device.

Step 807: Secondary node 2 transmits data with the terminal device according to the second security algorithm.

For content not described in detail in step 807, refer to the description in step 404.

Based on the embodiment related to FIG. 8, this application exemplarily provides three judgment methods by which a secondary node (that is, secondary node 1 or secondary node 2), after receiving a node request, sends a node response to the master node. For content not described in detail in the following three judgment methods, refer to the description of the embodiment related to FIG. 8. It can be understood that the information about the key length of the first security algorithm may serve one or more of the following functions: for the secondary node to determine whether it supports the key length of the first security algorithm, for the secondary node to determine the second security algorithm, for the secondary node to determine whether the key length of the second security algorithm matches the key length of the first security algorithm, or for the secondary node to determine which node response to send to the master node. The node response is used to indicate that adding the secondary node has failed, or to indicate that the secondary node has been added successfully.

Method A corresponds to examples a1 and a2 above; for the specific procedure, refer to the first judgment method of the secondary node shown in FIG. 9.

Step A1: The secondary node determines whether it supports the key length of the first security algorithm.

When the secondary node determines that it does not support the key length of the first security algorithm:

Step A2: The secondary node sends a node response to the master node, the node response indicating that adding the secondary node has failed.

When the secondary node determines that it supports the key length of the first security algorithm:

Step A3: The secondary node determines a second security algorithm according to the key length of the first security algorithm.

Step A4: The secondary node sends a node response to the master node, the node response indicating that the secondary node has been added successfully.

Method B corresponds to examples b1 and b2 above; for the specific procedure, refer to the second judgment method of the secondary node shown in FIG. 10.

Step B1: The secondary node determines whether it supports the key length of the first security algorithm.

When the secondary node determines that it does not support the key length of the first security algorithm:

Step B2: The secondary node sends a node response to the master node, the node response indicating that adding the secondary node has failed.

When the secondary node determines that it supports the key length of the first security algorithm:

Step B3: The secondary node determines a second security algorithm.

Step B4: The secondary node determines whether the key length of the first security algorithm and the key length of the second security algorithm are the same.

When the secondary node determines that the key length of the first security algorithm and the key length of the second security algorithm differ:

Step B5: The secondary node sends a node response to the master node, the node response indicating that adding the secondary node has failed.

When the secondary node determines that the key length of the first security algorithm and the key length of the second security algorithm are the same:

Step B6: The secondary node sends a node response to the master node, the node response indicating that the secondary node has been added successfully.

Method C corresponds to examples c1 and c2 above; for the specific procedure, refer to the third judgment method of the secondary node shown in FIG. 11.

Step C1: The secondary node determines a second security algorithm.

Step C2: The secondary node determines whether the key length of the first security algorithm and the key length of the second security algorithm are the same.

When the secondary node determines that the key length of the first security algorithm and the key length of the second security algorithm differ:

Step C3: The secondary node sends a node response to the master node, the node response indicating that adding the secondary node has failed.

When the secondary node determines that the key length of the first security algorithm and the key length of the second security algorithm are the same:

Step C4: The secondary node sends a node response to the master node, the node response indicating that the secondary node has been added successfully.
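The following Python example is added here as an illustration and is not code from the patent application. It models the FIG. 8 exchange (steps 801 to 806) together with the three secondary-node judgment methods A, B and C of FIG. 9 to FIG. 11, including the cause values 1, 2 and 3 of the failure indication and the master node's reselection of the next candidate after a failure response. The class and field names, the assumption that a secondary node picks its own second algorithm as the highest-priority entry of its list, and the master-side key-length check after a success response are constructions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SecurityAlgorithm:
    ident: int
    key_length: int   # bits


@dataclass(frozen=True)
class NodeRequest:
    """Node request of steps 802 / 805: carries the first algorithm's key length."""
    first_key_length: int


@dataclass(frozen=True)
class NodeResponse:
    success: bool
    cause: Optional[int] = None                       # 1, 2 or 3 on failure, as in the text
    second_algorithm: Optional[SecurityAlgorithm] = None


class SecondaryNode:
    def __init__(self, name: str, algorithms_by_priority: Sequence[SecurityAlgorithm]):
        self.name = name
        self.algorithms = list(algorithms_by_priority)   # highest priority first (assumed)

    def supports_key_length(self, bits: int) -> bool:
        return any(a.key_length == bits for a in self.algorithms)

    def method_a(self, req: NodeRequest) -> NodeResponse:
        if not self.supports_key_length(req.first_key_length):
            return NodeResponse(False, cause=1)            # A1 -> A2
        # A3: the second algorithm is chosen *from* the first algorithm's key length
        alg = next(a for a in self.algorithms if a.key_length == req.first_key_length)
        return NodeResponse(True, second_algorithm=alg)   # A4

    def method_b(self, req: NodeRequest) -> NodeResponse:
        if not self.supports_key_length(req.first_key_length):
            return NodeResponse(False, cause=1)            # B1 -> B2
        alg = self.algorithms[0]                           # B3: own priority order
        if alg.key_length != req.first_key_length:
            return NodeResponse(False, cause=2)            # B4 -> B5
        return NodeResponse(True, second_algorithm=alg)   # B6

    def method_c(self, req: NodeRequest) -> NodeResponse:
        alg = self.algorithms[0]                           # C1: no support check first
        if alg.key_length != req.first_key_length:
            return NodeResponse(False, cause=3)            # C2 -> C3
        return NodeResponse(True, second_algorithm=alg)   # C4


Method = Callable[[SecondaryNode, NodeRequest], NodeResponse]


def master_add_secondary(
    first: SecurityAlgorithm,
    candidates: Sequence[SecondaryNode],
    method: Method,
) -> Tuple[Optional[SecondaryNode], List[Tuple[str, NodeResponse]]]:
    """Steps 802-806: send the node request to candidates in order (step 804 reselects
    the next candidate on a failure response) and stop at the first success response.
    Returns the added node (or None) and the log of (node name, response) pairs."""
    req = NodeRequest(first_key_length=first.key_length)
    log: List[Tuple[str, NodeResponse]] = []
    for node in candidates:
        resp = method(node, req)
        log.append((node.name, resp))
        if resp.success:
            # Master-side sanity check (assumed): the accepted second algorithm really
            # has the first algorithm's key length, the property the procedure exists for.
            if resp.second_algorithm is None or resp.second_algorithm.key_length != first.key_length:
                raise ValueError(f"{node.name} accepted with a mismatched key length")
            return node, log
    return None, log


if __name__ == "__main__":
    A = SecurityAlgorithm
    first = A(1, 256)                                   # first security algorithm, 256-bit key
    sn1 = SecondaryNode("SN1", [A(2, 128), A(1, 256)])   # constructed: prefers its 128-bit algorithm
    sn2 = SecondaryNode("SN2", [A(1, 256)])              # constructed: only the 256-bit algorithm
    for method in (SecondaryNode.method_a, SecondaryNode.method_b, SecondaryNode.method_c):
        added, log = master_add_secondary(first, [sn1, sn2], method)
        print(method.__name__, "->", added.name if added else None, log)
```

Running the sample shows the difference between the methods on the same secondary node 1: method A accepts it because it selects the 256-bit algorithm from the first algorithm's key length, whereas methods B and C reject it with cause values 2 and 3 respectively because its own priority order yields a 128-bit algorithm, so the master node falls back to secondary node 2.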

In the embodiments related to FIG. 8 to FIG. 11 above, the master node determines a secondary node that can be added successfully by sending a node request to the secondary node and receiving a node response from the secondary node. A secondary node added successfully in this way satisfies the following condition: the master node and the secondary node can each determine a suitable security algorithm, so that the security strength of the data transmitted between the master node and the terminal device matches the security strength of the data transmitted between the secondary node and the terminal device, meeting the requirements of secure communication. For example, a secondary node added according to the solution of this application enables the security algorithms selected by the master node and by the secondary node to have the same key length. Further, in a scenario where the terminal device uses a data redundancy transmission service, two mutually redundant PDU sessions of the terminal device are used to transmit the same data of the service; the data corresponding to the two PDU sessions are protected by the first security algorithm and the second security algorithm respectively, and the key length of the first security algorithm is the same as the key length of the second security algorithm. That is, the data corresponding to the two PDU sessions are protected with the same strength, which meets the security assumption of data redundancy transmission.

It should be added that, before the embodiments related to FIG. 4 to FIG. 8, the master node may determine that a redundancy condition is satisfied. The redundancy condition includes one or more of the following condition 1 to condition 4:

Condition 1: The terminal device uses a data redundancy transmission (for example, URLLC) service;

Condition 2: The network establishes redundant user plane paths for the terminal device;

Condition 3: The network establishes redundant PDU sessions for the terminal device; or

Condition 4: The network implements redundant transmission for the terminal device.

In one possible approach, the master node may determine that the redundancy condition is satisfied in the procedure shown in FIG. 12.

Step 1201: The terminal device sends PDU session request 1 and PDU session request 2 to the AMF.

Exemplarily, when the terminal device determines that it needs to use a data redundancy transmission service, it sends PDU session request 1 and PDU session request 2 to the AMF. PDU session request 1 carries data network name (DNN) 1 and single network slice selection assistance information (S-NSSAI) 1, and PDU session request 2 carries DNN2 and S-NSSAI2, where DNN1 and DNN2 are the same and S-NSSAI1 and S-NSSAI2 differ.

Step 1202: The AMF selects SMF1 according to DNN1 and S-NSSAI1 in PDU session request 1 and forwards PDU session request 1 to SMF1; the AMF selects SMF2 according to DNN2 and S-NSSAI2 in PDU session request 2 and forwards PDU session request 2 to SMF2.

Step 1203: SMF1 determines, according to PDU session request 1 and PDU session policy 1 corresponding to the terminal device, that PDU session 1 corresponding to PDU session request 1 is a redundant session, and generates redundancy sequence number (RSN) 1 and PDU session pair ID 1. SMF1 sends redundant session indication 1 to the master node, carrying RSN1 and PDU session pair ID1. PDU session policy 1 corresponding to the terminal device comes from the PCF.

Similarly, SMF2 determines, according to PDU session request 2 and PDU session policy 2 corresponding to the terminal device, that PDU session 2 corresponding to PDU session request 2 is a redundant session, and generates RSN2 and PDU session pair ID2. SMF2 sends redundant session indication 2 to the master node, carrying RSN2 and PDU session pair ID2. PDU session policy 2 corresponding to the terminal device comes from the PCF.

Step 1204: The master node determines that the RSNs carried in redundant session indication 1 and redundant session indication 2 differ and that the PDU session pair IDs carried in them are the same, and thereby determines that the two PDU sessions corresponding to redundant session indication 1 and redundant session indication 2 are redundant to each other; that is, the master node determines that the redundancy condition is satisfied.

In addition, in the embodiment related to FIG. 12, it may also be the terminal device that, upon determining that it needs to use a data redundancy transmission service, determines RSN1 and PDU session pair ID1 as well as RSN2 and PDU session pair ID2, where RSN1 and RSN2 differ and PDU session pair ID1 and PDU session pair ID2 are the same. The terminal device sends PDU session request 1 and PDU session request 2 to the AMF, where PDU session request 1 carries not only DNN1 and S-NSSAI1 but also RSN1 and PDU session pair ID1, and PDU session request 2 carries not only DNN2 and S-NSSAI2 but also RSN2 and PDU session pair ID2. Correspondingly, upon receiving PDU session request 1, SMF1 sends redundant session indication 1 carrying RSN1 and PDU session pair ID1 to the master node; upon receiving PDU session request 2, SMF2 sends redundant session indication 2 carrying RSN2 and PDU session pair ID2 to the master node. The master node then determines that the two PDU sessions corresponding to redundant session indication 1 and redundant session indication 2 are redundant to each other, that is, determines that the redundancy condition is satisfied. For content not described in detail in this solution, refer to the description of the embodiment related to FIG. 12.

还需要指出的是,在图12相关实施例之前,终端设备可能与网络尚未建立PDU会话,随后,终端设备在确定需要使用数据冗余传输业务时,向AMF发送PDU会话请求1和PDU会话请求2,随后基于图12相关实施例建立互为冗余的PDU会话1和PDU会话2。或还可以是,在图12相关实施例之前,终端设备已经与网络建立了PDU会话0,且主节点与终端设备之间已经协商了安全算法(记为第三安全算法),终端设备在确定需要使用数据冗余传输业务时,向AMF发送PDU会话请求1和PDU会话请求2,随后基于图12相关实施例建立互为冗余的PDU会话1和PDU会话2。可以理解,在后一种可能方式中,主节点能够复用之前的第三安全算法,也即是,第一安全算法是第三安全算法,在该场景中,主节点可根据第三安全算法确定辅节点,具体可参见上述第一种通信方法和第五种通信方法中的描述。It should also be noted that before the embodiment of Figure 12, the terminal device may not have established a PDU session with the network. Subsequently, when the terminal device determines that the data redundancy transmission service is required, it sends PDU session request 1 and PDU session request 2 to the AMF, and then establishes redundant PDU session 1 and PDU session 2 based on the embodiment of Figure 12. Alternatively, before the embodiment of Figure 12, the terminal device has already established PDU session 0 with the network, and the master node and the terminal device have negotiated a security algorithm (denoted as the third security algorithm). When the terminal device determines that the data redundancy transmission service is required, it sends PDU session request 1 and PDU session request 2 to the AMF, and then establishes redundant PDU session 1 and PDU session 2 based on the embodiment of Figure 12. It can be understood that in the latter possible approach, the master node can reuse the previous third security algorithm, that is, the first security algorithm is the third security algorithm. In this scenario, the master node can determine the secondary node based on the third security algorithm. For details, please refer to the description of the first communication method and the fifth communication method above.
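The step 1201 to step 1204 exchange above, together with the variant in which the terminal device itself supplies the RSN and PDU session pair ID, as an added Python example that is not part of the patent. The SMF policy contents, the AMF routing table, the session identifiers, the DNN and S-NSSAI labels and the RSN and pair ID values are all constructed assumptions; in particular, both SMFs are assumed to hold the same PCF-derived policy so that they emit the same PDU session pair ID and different RSNs.

```python
"""Added example (not the patent's own code): the FIG. 12 procedure in which
SMF1 and SMF2 send redundant session indications and the master node decides
the redundancy condition from RSN and PDU session pair ID (step 1204).
All names, policy contents and identifier values are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PduSessionRequest:
    session_id: int
    dnn: str
    s_nssai: str
    rsn: Optional[int] = None       # present only in the variant where the UE
    pair_id: Optional[int] = None   # itself chooses RSN and PDU session pair ID


@dataclass(frozen=True)
class RedundantSessionIndication:
    session_id: int
    rsn: int
    pair_id: int


class Smf:
    """Hypothetical SMF. The PDU session policy (assumed to come from the PCF)
    maps (DNN, S-NSSAI) to the (RSN, PDU session pair ID) of a redundant session."""

    def __init__(self, name: str, policy: Dict[Tuple[str, str], Tuple[int, int]]):
        self.name = name
        self.policy = policy

    def handle(self, req: PduSessionRequest) -> Optional[RedundantSessionIndication]:
        if req.rsn is not None and req.pair_id is not None:
            # UE-provided values: forward them to the master node unchanged
            return RedundantSessionIndication(req.session_id, req.rsn, req.pair_id)
        entry = self.policy.get((req.dnn, req.s_nssai))
        if entry is None:
            return None                     # ordinary session: no indication sent
        rsn, pair_id = entry
        return RedundantSessionIndication(req.session_id, rsn, pair_id)


class Amf:
    """Hypothetical AMF: routes a request to the SMF serving its (DNN, S-NSSAI)."""

    def __init__(self, routing: Dict[Tuple[str, str], Smf]):
        self.routing = routing

    def forward(self, req: PduSessionRequest) -> Optional[RedundantSessionIndication]:
        return self.routing[(req.dnn, req.s_nssai)].handle(req)


class MasterNode:
    """Collects indications; the redundancy condition holds once two sessions
    share a PDU session pair ID but carry different RSNs (step 1204)."""

    def __init__(self) -> None:
        self.by_pair: Dict[int, Dict[int, int]] = {}   # pair_id -> {rsn: session_id}

    def receive(self, ind: RedundantSessionIndication) -> Optional[Tuple[int, int]]:
        sessions = self.by_pair.setdefault(ind.pair_id, {})
        if ind.rsn in sessions and sessions[ind.rsn] != ind.session_id:
            return None   # same RSN on the same pair ID is not a redundant peer
        sessions[ind.rsn] = ind.session_id
        if len(sessions) >= 2:
            ids = sorted(sessions.values())
            return ids[0], ids[1]            # redundancy condition satisfied
        return None


def run_fig12(ue_chooses: bool = False) -> Optional[Tuple[int, int]]:
    """Constructed scenario: same DNN, different S-NSSAI, one redundant pair.
    Returns the pair of session ids once the master node declares redundancy."""
    # (RSN, pair ID) per slice: RSNs differ, pair ID is equal (assumed PCF policy)
    policy = {("dnn1", "slice-a"): (0, 7), ("dnn1", "slice-b"): (1, 7)}
    smf1, smf2 = Smf("SMF1", policy), Smf("SMF2", policy)
    amf = Amf({("dnn1", "slice-a"): smf1, ("dnn1", "slice-b"): smf2})
    mn = MasterNode()
    ue_rsn_pair = [(0, 7), (1, 7)] if ue_chooses else [(None, None), (None, None)]
    reqs = [PduSessionRequest(1, "dnn1", "slice-a", *ue_rsn_pair[0]),
            PduSessionRequest(2, "dnn1", "slice-b", *ue_rsn_pair[1])]
    result = None
    for req in reqs:
        ind = amf.forward(req)
        if ind is not None:
            result = mn.receive(ind) or result
    return result
```

The master node keys its state on the PDU session pair ID and only pairs sessions whose RSNs differ; an indication repeating an RSN already seen for that pair ID is discarded rather than paired, and a session for which the SMF has no redundancy policy never produces an indication at all.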

The step numbers in any of the flowcharts of FIG. 4 to FIG. 12 are only one example of the execution procedure and do not limit the order in which the steps are executed; in the embodiments of this application there is no strict execution order between steps that have no temporal dependency on each other. Not all steps shown in the flowcharts are mandatory: some steps may be removed from a flowchart according to actual needs, and other possible steps may be added to a flowchart according to actual needs.

It should be added that, in the embodiments related to FIG. 4 to FIG. 8, when the master node selects the first security algorithm from the security algorithms it supports, it must take into account the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the master node; that is, the first security algorithm selected by the master node is a security algorithm supported by both the master node and the terminal device and having a relatively high priority. For the specific implementation, refer to the prior-art description of how a node selects a security algorithm. Similarly, when the secondary node selects the second security algorithm from the security algorithms it supports, it must take into account the security algorithms supported by the terminal device and the priorities of the security algorithms supported by the secondary node. Further, this application focuses on how to ensure that the key length of the first security algorithm equals the key length of the second security algorithm, so that the master node protects the data transmitted between itself and the terminal device with the first security algorithm and the secondary node protects the data transmitted between itself and the terminal device with the second security algorithm, thereby achieving security of the communication system. Further, in the scenario in which the terminal device uses the data redundancy transmission service, the terminal device establishes two mutually redundant PDU sessions whose data are protected by the first security algorithm and the second security algorithm respectively; because the key length of the first security algorithm and the key length of the second security algorithm are the same, the protection strength of the data of the two PDU sessions is the same, which satisfies the security assumption of data redundancy transmission.

In addition, this application describes only the differences among the five communication methods; apart from those differences, the five communication methods may refer to one another. Likewise, within one communication method, different implementations or different examples may refer to one another.

It can be understood that, to implement the functions in the above embodiments, the wireless access node includes the hardware structures and/or software modules that perform the respective functions. A person skilled in the art will readily appreciate that, for the units and method steps of the examples described in connection with the embodiments disclosed in this application, the application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application scenario and design constraints of the technical solution.

FIG. 13 and FIG. 14 are schematic structural diagrams of possible communication apparatuses provided in embodiments of this application. These communication apparatuses can implement the functions of the wireless access node (master node or secondary node) in the above method embodiments and therefore also achieve the beneficial effects of those method embodiments. The communication apparatus may be the wireless access node shown in FIG. 1, or a module (such as a chip) applied to a wireless access node.

As shown in FIG. 13, the communication apparatus 1300 includes a processing module 1301 and a transceiver module 1302. The communication apparatus 1300 is configured to implement the functions of the wireless access node in the method embodiments related to any one of FIG. 4 to FIG. 12.

When the communication apparatus 1300 implements the functions of the master node in the method embodiments related to FIG. 4, FIG. 5 or FIG. 12:

The processing module 1301 is configured to determine the secondary node according to the key length of the first security algorithm and the key lengths of the security algorithms supported by the candidate nodes, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device; or, it is configured to determine the secondary node according to the key lengths of the security algorithms supported by the master node and the key lengths of the security algorithms supported by the candidate nodes. The candidate nodes include the secondary node. The transceiver module 1302 is configured to send a node request to the secondary node, the node request requesting that the secondary node be added.

In one possible implementation, the key length of a security algorithm supported by the secondary node is not lower than the key length of the first security algorithm, or the key length of a security algorithm supported by the secondary node is not lower than the maximum key length among the security algorithms supported by the master node.

In one possible implementation, the node request includes information about the key length of the first security algorithm.

In one possible implementation, the communication apparatus 1300 further includes a storage module 1303 (not shown in FIG. 13). The storage module 1303 is configured to pre-configure information about the key lengths of the security algorithms supported by the candidate nodes, and the processing module 1301 is further configured to obtain the key lengths of the security algorithms supported by the candidate nodes from the storage module 1303; or, it controls the transceiver module 1302 to obtain, from the candidate nodes, information about the key lengths of the security algorithms supported by the candidate nodes.

In one possible implementation, the processing module 1301 is specifically configured to: when it determines that the redundancy condition is satisfied, determine the secondary node according to the key length of the first security algorithm and the key lengths of the security algorithms supported by the candidate nodes; or, determine the secondary node according to the key lengths of the security algorithms supported by the master node and the key lengths of the security algorithms supported by the candidate nodes. The redundancy condition includes one or more of the following condition 1 to condition 4: condition 1, the terminal device uses a URLLC service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

When the communication apparatus 1300 implements the functions of the master node in the method embodiments related to FIG. 6, FIG. 7 or FIG. 12:

The processing module 1301 is configured to obtain information about the security algorithms supported by the secondary node and to determine the first security algorithm according to that information, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device. For example, the processing module 1301 is further configured to select the secondary node from the candidate nodes.

In one possible implementation, the information about the security algorithms supported by the secondary node includes information about the key lengths of the security algorithms supported by the secondary node and/or identifiers of the security algorithms supported by the secondary node.

In one possible implementation, the transceiver module 1302 is configured to send a node request to the secondary node, where the node request requests that the secondary node be added and includes information about the key length of the first security algorithm.

In one possible implementation, the communication apparatus 1300 further includes a storage module 1303 configured to pre-configure information about the security algorithms supported by the secondary node; when obtaining that information, the processing module 1301 is specifically configured to obtain it from the storage module 1303. In another possible implementation, when obtaining the information about the security algorithms supported by the secondary node, the processing module 1301 is specifically configured to control the transceiver module 1302 to obtain that information from the secondary node.

In one possible implementation, the processing module 1301 is specifically configured to: when it determines that the redundancy condition is satisfied, determine the first security algorithm according to the information about the security algorithms supported by the secondary node. The redundancy condition includes one or more of the following condition 1 to condition 4: condition 1, the terminal device uses a URLLC service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

In one possible implementation, the information about a security algorithm includes information about its key length, and when determining the first security algorithm according to the information about the security algorithms supported by the secondary node, the processing module 1301 is specifically configured to determine the first security algorithm according to the information about the key lengths of the security algorithms supported by the secondary node and the information about the security algorithms supported by the master node.

In one possible implementation, the information about a security algorithm includes its identifier, and when determining the first security algorithm according to the information about the security algorithms supported by the secondary node, the processing module 1301 is specifically configured to determine the first security algorithm and a second security algorithm according to the identifiers of the security algorithms supported by the secondary node and the information about the security algorithms supported by the master node, where the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device. The transceiver module 1302 is further configured to send the identifier of the second security algorithm to the secondary node.

When the communication apparatus 1300 implements the functions of the master node in the method embodiments related to FIG. 8 or FIG. 12:

The processing module 1301 is configured to determine the first security algorithm, where the first security algorithm is the security algorithm used to protect data transmitted between the master node and the terminal device. The transceiver module 1302 is configured to send a node request to the secondary node, where the node request requests that the secondary node be added and includes information about the key length of the first security algorithm.

In one possible implementation, the transceiver module 1302 is specifically configured to send the node request containing the information about the key length of the first security algorithm to the secondary node when the processing module 1301 determines that the redundancy condition is satisfied. The redundancy condition includes one or more of the following condition 1 to condition 4: condition 1, the terminal device uses a URLLC service; condition 2, a redundant user plane path is established for the terminal device; condition 3, a redundant PDU session is established for the terminal device; or condition 4, redundant transmission is implemented for the terminal device.

In one possible implementation, when the key length of the first security algorithm is a preset key length, the node request includes information about the key length of the first security algorithm.

In one possible implementation, the transceiver module 1302 is further configured to receive a node response from the secondary node, the node response indicating that adding the secondary node failed. The processing module 1301 is further configured to reselect a secondary node, and the transceiver module 1302 is further configured to send a node request to the reselected secondary node.

When the communication apparatus 1300 implements the functions of the secondary node in the method embodiments related to FIG. 4 or FIG. 6:

The transceiver module 1302 is configured to receive a node request from the master node, where the node request requests that the secondary node be added and includes information about the key length of the first security algorithm, the first security algorithm being the security algorithm used to protect data transmitted between the master node and the terminal device. The processing module 1301 is configured to determine the second security algorithm according to the information about the key length of the first security algorithm, where the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device.

In one possible implementation, the key length of the second security algorithm is the same as the key length of the first security algorithm.

In one possible implementation, the processing module 1301 is further configured to control the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm.

When the communication apparatus 1300 implements the functions of the secondary node in the method embodiment related to FIG. 7:

The transceiver module 1302 is configured to receive a node request from the master node, where the node request requests that the secondary node be added and includes the identifier of the second security algorithm; the processing module 1301 is configured to control the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm.

In one possible implementation, before controlling the transceiver module 1302 to transmit data with the terminal device according to the second security algorithm, the processing module 1301 is further configured to determine that the secondary node and/or the terminal device supports the second security algorithm.

In one possible implementation, the transceiver module 1302 is further configured to send a node response to the master node, where the node response indicates that the secondary node was added successfully and does not carry the identifier of the second security algorithm.

When the communication apparatus 1300 implements the functions of the secondary node in the method embodiments related to any one of FIG. 8 to FIG. 11:

The transceiver module 1302 is configured to receive a node request, where the node request requests that the secondary node be added and includes information about the key length of the first security algorithm, the first security algorithm being the security algorithm used to protect data transmitted between the master node and the terminal device.

The processing module 1301 is configured to determine that the key length of the first security algorithm is not supported; the transceiver module 1302 is further configured to send a node response to the master node, the node response indicating that adding the secondary node failed; or,

the processing module 1301 is configured to select a second security algorithm; when the key length of the first security algorithm differs from the key length of the second security algorithm, the transceiver module 1302 is further configured to send a node response to the master node, the node response indicating that adding the secondary node failed; or,

the processing module 1301 is configured to select the second security algorithm according to the key length of the first security algorithm; the transceiver module 1302 is further configured to send a node response to the master node, the node response indicating that the secondary node was added successfully, where the key length of the first security algorithm is the same as the key length of the second security algorithm.

A more detailed description of the processing module 1301 and the transceiver module 1302 can be obtained directly from the relevant description in the above method embodiments and is not repeated here.
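The master node's key-length-based choice of a secondary node (the processing module 1301 description for FIG. 4, FIG. 5 and FIG. 12, including the storage-module variant with preconfigured candidate key lengths) and the secondary node's handling of a node request that carries the first security algorithm's key length, with the failure response and the master node's reselection (the FIG. 8 to FIG. 11 description), as one added Python example that is not code from the patent. The algorithm labels, key lengths, node names, priority orders and the preconfigured key-length table are constructed assumptions, and the labels are deliberately not 3GPP algorithm identifiers.

```python
"""Added example (not the patent's own code): secondary node selection by key
length on the master node side, and node request handling on the secondary
node side. Algorithm labels, key lengths and node names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityAlgorithm:
    ident: str      # constructed label, not a 3GPP algorithm identifier
    key_bits: int   # key length of the algorithm


def select_by_priority(own: List[SecurityAlgorithm], peer_ids: Set[str],
                       key_bits: Optional[int] = None) -> Optional[SecurityAlgorithm]:
    """Highest-priority algorithm (list order is priority order) supported by
    both sides, optionally restricted to a required key length."""
    for alg in own:
        if alg.ident in peer_ids and (key_bits is None or alg.key_bits == key_bits):
            return alg
    return None


class SecondaryNode:
    def __init__(self, name: str, supported: List[SecurityAlgorithm]):
        self.name = name
        self.supported = supported

    def handle_node_request(self, ue_ids: Set[str],
                            first_key_bits: int) -> Tuple[bool, Optional[SecurityAlgorithm]]:
        """Node request carrying the first algorithm's key length.
        Returns (add succeeded, second algorithm)."""
        if first_key_bits not in {a.key_bits for a in self.supported}:
            return False, None      # key length not supported: report failure
        second = select_by_priority(self.supported, ue_ids, first_key_bits)
        if second is None:
            return False, None      # no UE-shared algorithm at that key length
        return True, second         # key lengths of first and second are equal


class MasterNode:
    def __init__(self, supported: List[SecurityAlgorithm], ue_ids: Set[str],
                 preconfigured_key_bits: Dict[str, Set[int]]):
        self.supported = supported
        self.ue_ids = ue_ids
        # analogue of storage module 1303: candidate -> supported key lengths
        self.preconfigured = preconfigured_key_bits

    def select_first_algorithm(self, reuse: Optional[SecurityAlgorithm] = None):
        # reuse a previously negotiated (third) algorithm where one exists
        return reuse or select_by_priority(self.supported, self.ue_ids)

    def candidate_order(self, candidates: List[SecondaryNode],
                        required_bits: int) -> List[SecondaryNode]:
        """Keep candidates whose preconfigured key lengths include one that is
        not lower than the required length."""
        return [c for c in candidates
                if any(b >= required_bits for b in self.preconfigured.get(c.name, set()))]

    def add_secondary_node(self, candidates: List[SecondaryNode],
                           first_alg: Optional[SecurityAlgorithm] = None):
        # required length: the first algorithm's, or the master's maximum length
        required = first_alg.key_bits if first_alg else max(a.key_bits for a in self.supported)
        for sn in self.candidate_order(candidates, required):
            ok, second = sn.handle_node_request(self.ue_ids, required)
            if ok:
                return sn.name, second
            # node response reported failure: reselect the next candidate
        return None, None


def run_scenario(reuse_ident: Optional[str] = None) -> Tuple[Optional[str], Optional[str], int]:
    """Constructed scenario. Returns (secondary node name, second algorithm
    label, required key length). One candidate has a stale preconfigured entry
    claiming 256-bit support, so the master must fall through on its failure."""
    alg = {i: SecurityAlgorithm(i, b) for i, b in
           [("A-128", 128), ("B-256", 256), ("C-128", 128), ("D-256", 256)]}
    mn = MasterNode([alg["B-256"], alg["A-128"]],
                    {"A-128", "B-256", "C-128", "D-256"},
                    {"sn_low": {128}, "sn_stale": {128, 256}, "sn_good": {128, 256}})
    candidates = [SecondaryNode("sn_low", [alg["A-128"], alg["C-128"]]),
                  SecondaryNode("sn_stale", [alg["A-128"]]),
                  SecondaryNode("sn_good", [alg["D-256"], alg["A-128"]])]
    first = mn.select_first_algorithm(alg[reuse_ident] if reuse_ident else None)
    name, second = mn.add_secondary_node(candidates, first)
    return name, (second.ident if second else None), first.key_bits
```

The preconfigured table is only a pre-filter: a candidate whose stored entry is stale still answers the node request with a failure because it cannot pick a second algorithm of the requested key length, and the master node moves to the next candidate instead of accepting a weaker protection on the secondary leg. Passing a previously negotiated (third) algorithm to `select_first_algorithm` shows the reuse case, where a 128-bit first algorithm lets a 128-bit-only candidate qualify.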

如图14所示,通信装置1400包括处理器1410和接口电路1420。处理器1410和接口电路1420之间相互耦合。可以理解的是,接口电路1420可以为收发器或输入输出接口。可选的,通信装置1400还可以包括存储器1430,用于存储处理器1410执行的指令或存储处理器1410运行指令所需要的输入数据或存储处理器1410运行指令后产生的数据。As shown in Figure 14, communication device 1400 includes a processor 1410 and an interface circuit 1420. Processor 1410 and interface circuit 1420 are coupled to each other. It is understood that interface circuit 1420 can be a transceiver or an input/output interface. Optionally, communication device 1400 may also include a memory 1430 for storing instructions executed by processor 1410, input data required by processor 1410 to execute instructions, or data generated after processor 1410 executes instructions.

当通信装置1400用于实现图4至图12任一个图的相关方法实施例所示的方法时,处理器1410用于实现上述处理模块1301的功能,接口电路1420用于实现上述收发模块1302的功能。When the communication device 1400 is used to implement the method shown in the relevant method embodiment of any one of Figures 4 to 12, the processor 1410 is used to implement the functions of the above-mentioned processing module 1301, and the interface circuit 1420 is used to implement the functions of the above-mentioned transceiver module 1302.

当上述通信装置为应用于无线接入节点的模块时,该无线接入节点的模块实现上述方法实施例中无线接入节点的功能。例如,无线接入节点是主节点,该无线接入节点的模块从无线接入节点中的其它模块(如射频模块或天线)接收信息,该信息是辅节点发送给无线接入节点的;或,该无线接入节点模块向无线接入节点中的其它模块(如射频模块或天线)发送信息,该信息是无线接入节点发送给辅节点的。这里的无线接入节点的模块可以是无线接入节点的基带芯片,也可以是分布式单元(distributed unit,DU)或其他模块,这里的DU可以是开放式无线接入网(open radio access network,O-RAN)架构下的DU。When the above-mentioned communication device is a module applied to a wireless access node, the module of the wireless access node implements the functions of the wireless access node in the above-mentioned method embodiment. For example, the wireless access node is a master node, and the module of the wireless access node receives information from other modules in the wireless access node (such as a radio frequency module or an antenna), and the information is sent by the auxiliary node to the wireless access node; or, the module of the wireless access node sends information to other modules in the wireless access node (such as a radio frequency module or an antenna), and the information is sent by the wireless access node to the auxiliary node. The module of the wireless access node here can be the baseband chip of the wireless access node, or it can be a distributed unit (DU) or other module. The DU here can be a DU under the open radio access network (O-RAN) architecture.

可以理解的是,本申请的实施例中的处理器可以是中央处理模块(central processing unit,CPU),还可以是其它通用处理器、数字信号处理器(digital signal processor,DSP)、专用集成电路(application specific integrated circuit,ASIC)、现场可编程门阵列(field programmable gate array,FPGA)或其它可编程逻辑器件、晶体管逻辑器件,硬件部件或其任意组合。通用处理器可以是微处理器,也可以是任何常规的处理器。It is understood that the processor in the embodiments of the present application may be a central processing unit (CPU), or may be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. The general-purpose processor may be a microprocessor or any conventional processor.

本申请的实施例中的方法步骤可以通过硬件的方式来实现,也可以由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于随机存取存储器、闪存、只读存储器、可编程只读存储器、可擦除可编程只读存储器、电可擦除可编程只读存储器、寄存器、硬盘、移动硬盘、CD-ROM或本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于ASIC中。另外,该ASIC可以位于无线接入节点中。当然,处理器和存储介质也可以作为分立组件存在于无线接入节点中。The method steps in the embodiments of the present application can be implemented by hardware or by a processor executing software instructions. The software instructions can be composed of corresponding software modules, which can be stored in random access memory, flash memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, registers, hard disk, removable hard disk, CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium can also be an integral part of the processor. The processor and storage medium can be located in an ASIC. In addition, the ASIC can be located in a wireless access node. Of course, the processor and storage medium can also exist as discrete components in the wireless access node.

The above embodiments may be implemented, in whole or in part, in software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented, in whole or in part, in the form of a computer program product. A computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions of the embodiments of this application are performed in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a user device, or another programmable apparatus. The computer program or instructions may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another; for example, they may be transferred from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (for example, a floppy disk, hard disk, or magnetic tape), optical media (for example, a digital video disc), or semiconductor media (for example, a solid-state drive). The computer-readable storage medium may be a volatile or a non-volatile storage medium, or may include both volatile and non-volatile storage media.

In the various embodiments of this application, unless otherwise specified or unless a logical conflict arises, the terms and descriptions used in different embodiments are consistent and may be cross-referenced, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.

In this application, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, that both A and B exist, or that only B exists, where A and B may be singular or plural. In the textual description of this application, the character "/" generally indicates that the objects before and after it are in an "or" relationship; in the formulas of this application, the character "/" indicates that the objects before and after it are in a "division" relationship. "Including at least one of A, B and C" may mean: including A; including B; including C; including A and B; including A and C; including B and C; or including A, B and C.

It should be understood that the various numerals used in the embodiments of this application serve only to distinguish items for ease of description and do not limit the scope of the embodiments. The sequence numbers of the processes described above do not imply an order of execution; the order in which the processes are executed should be determined by their functions and inherent logic.

Claims (27)

1. A communication method, comprising:
determining a secondary node based on the key length of a first security algorithm and the key length of the security algorithm supported by a candidate node, wherein the first security algorithm is the security algorithm used to protect data transmitted between a primary node and a terminal device; or determining the secondary node based on the key length of the security algorithm supported by the primary node and the key length of the security algorithm supported by the candidate node, wherein the candidate node includes the secondary node; and
sending a node request to the secondary node, the node request being used to request addition of the secondary node.

2. The method according to claim 1, wherein the key length of the security algorithm supported by the secondary node is not lower than the key length of the first security algorithm; or the key length of the security algorithm supported by the secondary node is not lower than the maximum key length of the security algorithms supported by the primary node.

3. The method according to claim 1 or 2, wherein the node request includes information on the key length of the first security algorithm.

4. The method according to any one of claims 1 to 3, further comprising: pre-configuring information on the key length of the security algorithm supported by the candidate node; or obtaining, from the candidate node, information on the key length of the security algorithm supported by the candidate node.

5. The method according to any one of claims 1 to 4, wherein determining the secondary node based on the key length of the first security algorithm and the key length of the security algorithm supported by the candidate node, or based on the key length of the security algorithm supported by the primary node and the key length of the security algorithm supported by the candidate node, comprises: performing that determination when one or more of the following conditions are met:
the terminal device uses an ultra-reliable low-latency communication (URLLC) service;
a redundant user plane path is established for the terminal device;
a redundant protocol data unit (PDU) session is established for the terminal device; or
redundant transmission is implemented for the terminal device.

6. A communication method, comprising:
obtaining information on the security algorithms supported by a secondary node; and
determining a first security algorithm based on the information on the security algorithms supported by the secondary node, wherein the first security algorithm is the security algorithm used to protect data transmitted between a primary node and a terminal device.

7. The method according to claim 6, wherein the information on the security algorithm includes information on the key length of the security algorithm and/or an identifier of the security algorithm.

8. The method according to claim 6 or 7, further comprising: sending a node request to the secondary node, the node request being used to request addition of the secondary node and including information on the key length of the first security algorithm.

9. The method according to any one of claims 6 to 8, wherein obtaining the information on the security algorithms supported by the secondary node comprises: pre-configuring the information on the security algorithms supported by the secondary node; or obtaining, from the secondary node, the information on the security algorithms supported by the secondary node.

10. The method according to any one of claims 6 to 9, wherein determining the first security algorithm based on the information on the security algorithms supported by the secondary node comprises: performing that determination when one or more of the following conditions are met:
the terminal device uses an ultra-reliable low-latency communication (URLLC) service;
a redundant user plane path is established for the terminal device;
a redundant protocol data unit (PDU) session is established for the terminal device; or
redundant transmission is implemented for the terminal device.

11. The method according to any one of claims 6 to 10, wherein the information on the security algorithm includes information on the key length of the security algorithm, and determining the first security algorithm based on the information on the security algorithms supported by the secondary node comprises: determining the first security algorithm based on the information on the key length of the security algorithm supported by the secondary node and information on the security algorithms supported by the primary node.

12. The method according to any one of claims 6 to 11, wherein the information on the security algorithm includes an identifier of the security algorithm, and determining the first security algorithm based on the information on the security algorithms supported by the secondary node comprises: determining the first security algorithm and a second security algorithm based on the identifier of the security algorithm supported by the secondary node and information on the security algorithms supported by the primary node, wherein the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device; and the method further comprises sending the identifier of the second security algorithm to the secondary node.

13. A communication method, comprising:
determining a first security algorithm, wherein the first security algorithm is the security algorithm used to protect data transmitted between a primary node and a terminal device; and
sending a node request to a secondary node, the node request being used to request addition of the secondary node and including information on the key length of the first security algorithm.

14. The method according to claim 13, further comprising: sending the node request to the secondary node when one or more of the following conditions are met:
the terminal device uses an ultra-reliable low-latency communication (URLLC) service;
a redundant user plane path is established for the terminal device;
a redundant protocol data unit (PDU) session is established for the terminal device; or
redundant transmission is implemented for the terminal device.

15. The method according to claim 13 or 14, wherein the node request includes the information on the key length of the first security algorithm when the key length of the first security algorithm is a preset key length.

16. The method according to any one of claims 13 to 15, further comprising: receiving a node response from the secondary node, the node response indicating that adding the secondary node failed; and reselecting a secondary node and sending the node request to the reselected secondary node.

17. A communication method, comprising:
receiving a node request from a primary node, the node request being used to request addition of a secondary node and including information on the key length of a first security algorithm, wherein the first security algorithm is the security algorithm used to protect data transmitted between the primary node and a terminal device; and
determining a second security algorithm based on the information on the key length of the first security algorithm, wherein the second security algorithm is the security algorithm used to protect data transmitted between the secondary node and the terminal device.

18. The method according to claim 17, wherein the key length of the second security algorithm is the same as the key length of the first security algorithm.

19. A communication method, comprising:
receiving a node request from a primary node, the node request being used to request addition of a secondary node and including an identifier of a second security algorithm; and
transmitting data with a terminal device according to the second security algorithm.

20. The method according to claim 19, further comprising, before transmitting data with the terminal device according to the second security algorithm: determining that the secondary node and/or the terminal device supports the second security algorithm.

21. The method according to claim 19 or 20, further comprising: sending a node response to the primary node, the node response indicating that the secondary node was added successfully, wherein the node response does not carry the identifier of the second security algorithm.

22. A communication method, comprising:
receiving a node request, the node request being used to request addition of a secondary node and including information on the key length of a first security algorithm, wherein the first security algorithm is the security algorithm used to protect data transmitted between a primary node and a terminal device; and
when it is determined that the key length of the first security algorithm is not supported, sending a node response to the primary node, the node response indicating that adding the secondary node failed; or
selecting a second security algorithm and, when the key length of the first security algorithm differs from the key length of the second security algorithm, sending a node response to the primary node, the node response indicating that adding the secondary node failed; or
selecting a second security algorithm based on the key length of the first security algorithm and sending a node response to the primary node, the node response indicating that the secondary node was added successfully, wherein the key length of the first security algorithm is the same as the key length of the second security algorithm.

23. A communication apparatus, comprising: a module for performing the method according to any one of claims 1 to 5; or a module for performing the method according to any one of claims 6 to 12; or a module for performing the method according to any one of claims 13 to 16; or a module for performing the method according to claim 17 or 18; or a module for performing the method according to any one of claims 19 to 21; or a module for performing the method according to claim 22.

24. A communication apparatus, comprising a processor and an interface circuit, wherein the interface circuit is configured to receive signals from communication apparatuses other than the communication apparatus and pass them to the processor, or to send signals from the processor to communication apparatuses other than the communication apparatus, and the processor, by means of a logic circuit or by executing code instructions, is configured to implement the method according to any one of claims 1 to 5; or the method according to any one of claims 6 to 12; or the method according to any one of claims 13 to 16; or the method according to claim 17 or 18; or the method according to any one of claims 19 to 21; or the method according to claim 22.

25. A computer-readable storage medium storing a computer program or instructions which, when executed by a communication apparatus, implement the method according to any one of claims 1 to 5; or the method according to any one of claims 6 to 12; or the method according to any one of claims 13 to 16; or the method according to claim 17 or 18; or the method according to any one of claims 19 to 21; or the method according to claim 22.

26. A computer program product comprising a computer program or instructions which, when executed by a communication apparatus, implement the method according to any one of claims 1 to 5; or the method according to any one of claims 6 to 12; or the method according to any one of claims 13 to 16; or the method according to claim 17 or 18; or the method according to any one of claims 19 to 21; or the method according to claim 22.

27. A communication system, comprising a first communication apparatus and a second communication apparatus, wherein:
the first communication apparatus is configured to perform the method according to any one of claims 1 to 5, and the second communication apparatus is configured to perform the method according to claim 17 or 18; or
the first communication apparatus is configured to perform the method according to any one of claims 6 to 12, and the second communication apparatus is configured to perform the method according to claim 17 or 18; or
the first communication apparatus is configured to perform the method according to any one of claims 6 to 12, and the second communication apparatus is configured to perform the method according to any one of claims 19 to 21; or
the first communication apparatus is configured to perform the method according to any one of claims 13 to 16, and the second communication apparatus is configured to perform the method according to claim 22.
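The following is an added illustration and not text or code from the patent: a Python model of the key-length checks that the claims above describe, covering the primary node side of claims 1, 2, 13 and 16 (selecting a candidate whose supported key length is not lower than that of the first security algorithm, then sending a node request carrying that key length and reselecting on failure) and the secondary node side of claims 17, 18 and 22 (choosing a second security algorithm with the same key length, or reporting that the addition failed). The security point being modelled is that a redundant user-plane leg should not end up protected by a shorter key than the primary leg, since the weakest leg would then set the effective strength of the whole session. The algorithm identifiers, key lengths and node names are constructed sample values; the patent names no specific algorithms.

```python
"""Added example, not part of the patent: a model of the key-length-aware
secondary node (SN) selection and SN addition handshake described in the
claims. Algorithm identifiers and key lengths are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityAlgorithm:
    ident: str        # algorithm identifier (constructed sample name)
    key_length: int   # key length in bits


# Constructed sample algorithms: 128-bit and 256-bit variants.
ALG_A_128 = SecurityAlgorithm("alg-a-128", 128)
ALG_A_256 = SecurityAlgorithm("alg-a-256", 256)
ALG_B_256 = SecurityAlgorithm("alg-b-256", 256)


@dataclass
class Node:
    name: str
    supported: Tuple[SecurityAlgorithm, ...]   # in the node's preference order


@dataclass
class NodeRequest:
    key_length: int   # claim 13: key length of the first (MN-UE) security algorithm


@dataclass
class NodeResponse:
    success: bool
    second_alg: Optional[SecurityAlgorithm] = None


def max_key_length(node: Node) -> int:
    return max(alg.key_length for alg in node.supported)


def select_secondary_node(first_alg: SecurityAlgorithm,
                          candidates: List[Node]) -> Optional[Node]:
    """Claims 1 and 2: choose the first candidate whose supported key length is
    not lower than the key length of the first security algorithm. Candidate
    key lengths are assumed pre-configured or reported by the candidate (claim 4)."""
    for cand in candidates:
        if max_key_length(cand) >= first_alg.key_length:
            return cand
    return None


def select_secondary_node_by_master(master: Node,
                                    candidates: List[Node]) -> Optional[Node]:
    """Claims 1 and 2, second alternative: compare each candidate against the
    maximum key length that the primary node itself supports."""
    needed = max_key_length(master)
    for cand in candidates:
        if max_key_length(cand) >= needed:
            return cand
    return None


def handle_node_request(sn: Node, req: NodeRequest) -> NodeResponse:
    """Claims 17, 18 and 22 (SN side): pick a second security algorithm whose key
    length equals the key length carried in the node request, or report that
    adding the SN failed when no supported algorithm has that key length."""
    for alg in sn.supported:
        if alg.key_length == req.key_length:
            return NodeResponse(True, alg)
    return NodeResponse(False)


def add_secondary_node(first_alg: SecurityAlgorithm, candidates: List[Node]
                       ) -> Tuple[Optional[Node], Optional[SecurityAlgorithm], int]:
    """Claims 13 and 16 (MN side): send the node request, carrying the key length
    of the first security algorithm, to candidates in order; on a failure
    response, reselect the next candidate. Returns (sn, second_alg, requests_sent)."""
    sent = 0
    req = NodeRequest(first_alg.key_length)
    for sn in candidates:
        sent += 1
        resp = handle_node_request(sn, req)
        if resp.success:
            return sn, resp.second_alg, sent
    return None, None, sent


if __name__ == "__main__":
    # Constructed scenario: an older SN with only 128-bit algorithms and a newer
    # SN that also offers a 256-bit algorithm; the MN-UE leg uses 256 bits.
    sn_old = Node("SN-old", (ALG_A_128,))
    sn_new = Node("SN-new", (ALG_B_256, ALG_A_128))
    sn, alg, sent = add_secondary_node(ALG_A_256, [sn_old, sn_new])
    print(f"selected {sn.name if sn else None} with {alg} after {sent} request(s)")
```

In the scenario at the bottom of the block, the 128-bit-only node answers the request with a failure response and the primary node reselects the 256-bit-capable node, so the redundant leg ends up with the same key length as the primary leg.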
PCT/CN2025/075515 2024-02-08 2025-01-27 Communication method and apparatus Pending WO2025167843A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202410178204.8 2024-02-08
CN202410178204.8A CN120456001A (en) 2024-02-08 2024-02-08 Communication method and device

Publications (1)

Publication Number Publication Date
WO2025167843A1 true WO2025167843A1 (en) 2025-08-14

Family

ID=96613181

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2025/075515 Pending WO2025167843A1 (en) 2024-02-08 2025-01-27 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN120456001A (en)
WO (1) WO2025167843A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2015139434A1 (en) * | 2014-03-21 | 2015-09-24 | ZTE Corporation | Method and apparatus for determining a security algorithm
WO2018201506A1 (en) * | 2017-05-05 | 2018-11-08 | Huawei Technologies Co., Ltd. | Communication method and related device
CN110224982A (en) * | 2014-03-21 | 2019-09-10 | Sun Patent Trust | Security key derivation in dual connectivity
CN111132157A (en) * | 2019-12-31 | 2020-05-08 | Comba Telecom Technology (Guangzhou) Co., Ltd. | Key processing method, device, base station and storage medium
CN111194032A (en) * | 2018-11-14 | 2020-05-22 | Huawei Technologies Co., Ltd. | Communication method and device thereof
CN113068180A (en) * | 2018-08-10 | 2021-07-02 | Huawei Technologies Co., Ltd. | Dual-connection communication method, device and system therefor
US20230319554A1 (en) * | 2020-11-06 | 2023-10-05 | Huawei Technologies Co., Ltd. | Key generation method and apparatus
CN118488435A (en) * | 2023-02-10 | 2024-08-13 | Huawei Technologies Co., Ltd. | A cryptographic algorithm negotiation method and device

Also Published As

Publication number Publication date
CN120456001A (en) 2025-08-08

Similar Documents

Publication Publication Date Title
US11895157B2 (en) Network security management method, and apparatus
US11533610B2 (en) Key generation method and related apparatus
US8595485B2 (en) Security management method and system for WAPI terminal accessing IMS network
JP2022502908A (en) Systems and methods for securing NAS messages
WO2019019736A1 (en) Security implementation method, and related apparatus and system
WO2022147803A1 (en) Secure communication method and device
WO2013185735A2 (en) Encryption realization method and system
US20220303763A1 (en) Communication method, apparatus, and system
WO2011091771A1 (en) Relay node authentication method, device and system
KR20230008697A (en) Prepare for non-3GPP handovers
CN113676904A (en) Slice authentication method and device
CN112995993A (en) Wireless network switching method and device
WO2021195816A1 (en) Communication method, apparatus and system
WO2010069202A1 (en) Authentication negotiation method and the system thereof, security gateway, home node b
WO2023016160A1 (en) Session establishment method and related apparatus
JP4687788B2 (en) Wireless access system and wireless access method
WO2022247812A1 (en) Authentication method, communication device, and system
CN113784351B (en) Slice service verification method, entity and equipment
CN103858485A (en) Radio resource control connection reestablishment method, device and network system
CN115226052B (en) Data processing method, blockchain functional device and storage medium
WO2025167843A1 (en) Communication method and apparatus
US20250126476A1 (en) Security decision negotiation method and network element
WO2025066797A1 (en) Communication method and apparatus
WO2025113396A1 (en) Communication method and apparatus
TW202416740A (en) Method and communication apparatus for authenticating and authorizating

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 25751443

Country of ref document: EP

Kind code of ref document: A1