WO2026036328A1 - Information processing method, communication device and storage medium - Google Patents
- Publication number: WO2026036328A1 (PCT application PCT/CN2024/112409)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- node
- key
- message
- security
- instance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
Definitions
- This disclosure relates to the field of communication technology, and in particular to an information processing method, communication device and storage medium.
- NFs: Network Functions
- This disclosure provides an information processing method, a communication device, and a storage medium.
- an information processing method is provided, wherein the method is executed by a user equipment (UE), and includes: generating a second key based on a first key of a first node; generating a third key based on the second key; the third key being used to protect the communication security between the UE and a second node; wherein the first node is a security anchor point.
- UE: user equipment
- an information processing method is provided, wherein the method is executed by a third node, and includes: receiving a first message sent by a user equipment (UE), the first message being protected by a third key; the third key being generated based on a second key, and the second key being generated based on the first key of a first node; the receiving node of the first message being a second node; and sending the first message to the second node; wherein the first node is a security anchor point.
- an information processing method is provided, wherein the method is executed by a first node, and the method includes:
- a fifth key is generated based on the first key of the first node; the fifth key is sent to the second node, and the fifth key is used by the second node to generate a fourth key; the fourth key is used to protect the communication security between the second node and the UE; the first node is a security anchor point.
- an information processing method is provided, wherein the method is executed by a second node, and the method includes:
- receiving a fifth key sent by the first node, the fifth key being generated based on the first key of the first node; and generating a fourth key based on the fifth key, the fourth key being used to protect the communication security between the second node and the user equipment (UE); the first node being a security anchor point.
- a user equipment includes: a processing module configured to generate a second key based on a first key of a first node; and to generate a third key based on the second key; the third key is used to protect the communication security between the user equipment (UE) and a second node; wherein the first node is a security anchor point.
- a third node is provided according to a sixth aspect of the present disclosure, wherein the third node includes: a receiving module configured to receive a first message sent by a user equipment (UE), the first message being protected by a third key, the third key being generated based on a second key, and the second key being generated based on a first key of a first node; and a sending module configured to send the first message to the second node, the second node being the receiving node of the first message; wherein the first node is a security anchor point.
- a first node is provided according to a seventh aspect of the present disclosure, wherein the first node includes: a processing module configured to generate a fifth key based on a first key of the first node; a sending module configured to send the fifth key to a second node, the fifth key being used by the second node to generate a fourth key; the fourth key being used to protect the communication security between the second node and the UE; and the first node having a security anchor function.
- a second node includes: a receiving module configured to receive a fifth key sent by a first node; the fifth key is generated based on a first key of the first node; a processing module configured to generate a fourth key based on the fifth key, the fourth key being used to protect the communication security between the second node and a user equipment (UE); and the first node having a security anchor function.
- a communication system is provided according to a ninth aspect of the present disclosure, wherein the communication system includes a user equipment (UE), a first node, a second node, and a third node; the UE is used to execute a method of any technical solution of the first aspect; the third node is used to execute a method of any technical solution of the second aspect; the first node is used to execute a method of any technical solution of the third aspect; and the second node is used to execute a method of any technical solution of the fourth aspect.
- a communication device includes: one or more processors; wherein the processors are configured to invoke instructions to cause the communication device to execute the information processing method provided by any of the technical means described in the first to fifth aspects.
- a storage medium stores instructions that, when executed on a communication device, cause the communication device to perform the information processing method provided by any one of the first to fifth aspects.
- a program product includes a computer program, which, when executed by a communication device, enables the communication device to implement the information processing method provided by any of the technical means of the first to fifth aspects.
- the technical approach provided in this disclosure generates a second key based on the first key of the Security Anchor Function (SEAF), derives a third key from the second key, and protects the communication between the UE and the second node with the third key, so that the UE can communicate securely and directly with the second node.
- SEAF: Security Anchor Function
- Figure 1A is a schematic diagram of the architecture of a communication system according to an exemplary embodiment
- Figure 1B is a schematic diagram of the architecture of a communication system according to an exemplary embodiment
- Figure 1C is a schematic diagram illustrating the connection between a user equipment (UE), a radio access network (RAN), and a core network according to an exemplary embodiment.
- RAN: radio access network
- Figure 1D is a schematic diagram illustrating another connection between the UE and RAN and the core network according to an exemplary embodiment
- Figure 1E is a schematic diagram of a security architecture according to an exemplary embodiment
- Figure 1F is a schematic diagram of a security architecture according to an exemplary embodiment
- Figure 1G is a schematic diagram of a security architecture according to an exemplary embodiment
- Figure 2A is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 2B is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 3 is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 4A is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 4B is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 5A is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 5B is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 6A is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 6B is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 7A is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 7B is a flowchart illustrating an information processing method according to an exemplary embodiment
- Figure 8A is a schematic diagram of the structure of a user equipment (UE) according to an exemplary embodiment
- Figure 8B is a schematic diagram of the structure of a source node according to an exemplary embodiment
- Figure 8C is a schematic diagram of the structure of a target node according to an exemplary embodiment
- Figure 8D is a schematic diagram of the structure of a core network node according to an exemplary embodiment
- Figure 9A is a schematic diagram of the structure of a communication device according to an exemplary embodiment
- Figure 9B is a schematic diagram of the structure of a chip according to an exemplary embodiment.
- This disclosure provides an information processing method, a communication device, a communication system, and a storage medium.
- the first aspect provides an information processing method, which is executed by a user equipment (UE).
- the method includes: generating a second key based on a first key of a first node; generating a third key based on the second key; the third key being used to protect the communication security between the UE and the second node; wherein the first node is a security anchor point.
- a second key is generated according to the first key of the Security Anchor Function (SEAF).
- generating a second key based on a first key of a first node includes at least one of the following: generating the second key based on the first key and the type of the second node; generating the second key based on the first key and the instance identifier (ID) of the second node.
- by generating the second key from the type of the second node, the UE can derive the second key even when it does not know which specific second node it is actually accessing. By generating it from the instance ID of the second node (when the UE communicates with the second node for the first time, or when the instance ID of the second node is pre-configured), the UE holds different keys for different second nodes of the same type, which further improves communication security.
- generating a second key based on the first key and the type of the second node includes at least one of the following: generating the second key based on the first key, the type of the second node, and a first count value, the first count value being a count of uplink non-access stratum (NAS) messages sent by the UE to the second node; generating the second key based on the first key, the type of the second node, and first time information, the first time information indicating the time period in which the second key was generated.
- NAS: non-access stratum
- a specific implementation method for generating the second key is given.
- the key used by the UE to communicate with the second node at different times can be different, which further improves the security of communication between the UE and the second node.
- generating a second key based on the first key and the instance ID of the second node includes: the UE being pre-configured with the instance ID of the second node, and generating the second key based on the first key and that instance ID.
- the second key is generated based on the first key and the instance ID of the second node. If the UE is not configured with the instance ID of the second node, the second key can be generated in other ways, such as generating the second key based on the type of the second node and the first key. This allows the UE to generate the second key regardless of whether the instance ID of the second node is pre-configured.
- generating a second key based on the first key and the instance ID of the second node includes at least one of the following: generating the second key based on the first key, the instance ID of the second node, and a first count value, the first count value being a count of uplink NAS messages sent by the UE to the second node; generating the second key based on the first key, the instance ID of the second node, and first time information, the first time information indicating the time period in which the second key was generated.
- the method further includes: sending a first Radio Resource Control (RRC) message to a third node, the first RRC message including a first message; the first message being protected by the third key; and the second node being the receiving node of the first message.
- RRC: Radio Resource Control
- the first message is encapsulated in the first RRC message and sent to the third node so that the third node can correctly receive the first message by receiving the RRC message, thereby realizing the transparent transmission or forwarding of the first message.
- the first message includes at least one of the following: Non-Access Stratum (NAS) signaling; UE ID; and a first algorithm identifier, wherein the first algorithm identifier is used to identify a security algorithm protecting the first message.
- the first message includes one or more of the following: NAS signaling transmitted to the second node, the UE's ID, and a first algorithm identifier.
- the NAS signaling is the signaling transmitted to the second node.
- the UE's ID is used to identify the UE to the second node.
- the first algorithm identifier can be the identifier of the security algorithm used when the UE communicates with the first node, thus saving the process of specifically negotiating the security algorithm and improving the efficiency of key generation.
- the first RRC message is protected by the UE's access stratum (AS) security context.
- the first message is protected by the AS security context, thus ensuring the security of the first message over the air interface by borrowing the AS security context.
- the method further includes: receiving a second RRC message sent by the third node, the second RRC message including a second message; the second message originating from the second node and being protected using a fourth key; the fourth key being generated based on a fifth key, and the fifth key being generated based on the first key.
- the UE receives the second message, which is transparently transmitted or forwarded by the third node through the second RRC message.
- the UE thus receives the second message from the second node over its RRC connection with the third node.
- the second message is protected by a fourth key.
- the second RRC message may or may not use AS security context protection, depending on the communication requirements.
- the second RRC message is protected by the UE's access stratum AS security context.
- when the second RRC message is also protected by the UE's AS security context, the second message effectively has two layers of security protection, further enhancing its security.
- the second aspect provides an information processing method, wherein the method is executed by a third node, the method comprising: receiving a first message sent by a user equipment (UE), the first message being protected by a third key; the third key being generated based on a second key, the second key being generated based on the first key of a first node; the receiving node of the first message being the second node; the first node being a security anchor function; and sending the first message to the second node.
- before sending the first message to the second node, the method further includes: sending a third message to the first node, the third message being used to request the first node to generate a fifth key; the fifth key being used to generate a fourth key, and the fourth key being used by the second node to verify the security of the first message.
- the method further includes: receiving a fourth message sent by the first node; the fourth message is used to indicate whether a fifth key has been generated.
- sending the first message to the second node includes: receiving a fourth message indicating that the fifth key has been generated, and then sending the first message to the second node.
- sending a third message to the first node includes: determining that the first node has not yet been requested to generate a fifth key for the second node for this UE, and then sending the third message to the first node.
- receiving a first message sent by a user equipment includes: receiving a first radio resource control (RRC) message sent by the UE, wherein the first RRC message includes the first message.
- the first RRC message is protected by the access stratum (AS) security context.
- the first RRC message further includes at least one of the following: type information of the second node; instance ID of the second node; address information of the second node.
- the third aspect provides an information processing method, which is executed by a first node.
- the method includes: generating a fifth key based on a first key of the first node; sending the fifth key to a second node, wherein the fifth key is used by the second node to generate a fourth key; the fourth key is used to protect the communication security between the second node and the UE; and the first node functions as a security anchor point.
- generating a fifth key based on a first key of a first node includes: receiving a third message sent by a third node, and generating the fifth key based on the first key; the third message being used to request the first node to generate a fifth key for the second node.
- the method further includes: sending a fourth message to a third node; the fourth message is used to inform the third node whether a fifth key has been generated.
- the third message includes at least one of the following: type information of the second node; instance identifier ID of the second node; identifier of the UE.
- generating a fifth key based on a first key of a first node includes: receiving a fifth message from a second node and generating a fifth key based on the first key; the fifth message is used by the second node to request the generation of the fifth key.
- the fifth message includes at least one of the following: type information of the second node; instance ID of the second node; second count value; the second count value is the count of uplink non-access stratum (NAS) messages received by the second node from the UE; and the identifier of the UE.
- generating a fifth key based on a first key of a first node includes at least one of the following: generating the fifth key based on the first key and the type of the second node; generating the fifth key based on the first key and the instance identifier (ID) of the second node.
- generating a fifth key based on the first key and the type of the second node includes at least one of the following: generating the fifth key based on the first key, the type of the second node, and a second count value, the second count value being the count of uplink NAS messages received by the second node from the UE; generating the fifth key based on the first key, the type of the second node, and second time information, the second time information indicating the time period in which the fifth key was generated.
- generating a fifth key based on the first key and the instance ID of the second node includes: receiving a fifth message containing the instance ID of the second node, and generating the fifth key based on the first key and that instance ID.
- generating a fifth key based on a first key and an instance identifier ID of a second node includes at least one of the following: generating a fifth key based on a first key, an instance ID of a second node, and a second count value; the second count value being a count of uplink non-access stratum (NAS) messages received by the second node from the UE; generating a fifth key based on a first key, an instance ID of a second node, and second time information; the second time information indicating the time period in which the fifth key was generated.
- the fourth aspect provides an information processing method, wherein the method is executed by a second node, the method comprising: receiving a fifth key sent by a first node, the fifth key being generated based on a first key of the first node; and generating a fourth key based on the fifth key, the fourth key being used to protect the communication security between the second node and the user equipment (UE); the first node being a security anchor point.
- the method further includes: receiving a first message sent by a third node, and sending a fifth message to the first node to request the fifth key; the first message being protected by a third key, the third key being generated based on a second key, and the second key being generated based on the first key of the first node.
- the fifth message includes at least one of the following: type information of the second node; instance ID of the second node; second count value; the second count value being the count of uplink non-access stratum (NAS) messages received by the second node from the UE; and the identifier of the UE.
- the method further includes sending a second message to a third node, the second message being protected by a fourth key.
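- The key hierarchy described in the first and third aspects above (second key from the first key plus the second node's type or instance ID plus a NAS count or time information; third key from the second key; the matching fifth and fourth keys derived on the network side) and the message flow of the second to fourth aspects (first message forwarded by the third node, fifth message requesting the fifth key, second message back to the UE), as one worked model. This is an added example and not code from the patent or from any 3GPP implementation; the KDF construction, the FC values, the first key, node type and instance identifiers, algorithm identifier and NAS payloads are all assumptions, stated again in the code.

```python
"""Worked model of the key hierarchy in the claims (UE side and network side).

Added example; this is not code from the patent or from any 3GPP product.
Assumptions not in the source: the KDF is the HMAC-SHA-256 construction of
3GPP TS 33.220 Annex B (S = FC || P0 || L0 || P1 || L1 ...); the FC values
0x80/0x81, the 32-byte first key, the node type and instance IDs, the
algorithm identifier and the NAS payloads are all constructed here; message
protection is a 16-byte HMAC-SHA-256 tag (integrity only, no ciphering).
"""
import hashlib
import hmac
from typing import Optional, Tuple

FC_SECOND_KEY = 0x80   # assumed FC: second key (UE) / fifth key (first node)
FC_THIRD_KEY = 0x81    # assumed FC: third key (UE) / fourth key (second node)
TAG_LEN = 16


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_key(k_seaf: bytes, *, node_type: Optional[str] = None,
                      instance_id: Optional[str] = None, count: Optional[int] = None,
                      time_info: Optional[str] = None) -> bytes:
    """Second key on the UE, fifth key on the first node: same inputs give the same key.

    Bound to exactly one of {type of the second node, instance ID of the second node}
    and exactly one of {uplink NAS count, time period}, the variants the claims list."""
    if (node_type is None) == (instance_id is None):
        raise ValueError("bind to either the node type or the instance ID")
    if (count is None) == (time_info is None):
        raise ValueError("bind to either the NAS count or the time information")
    target = (instance_id if instance_id is not None else node_type).encode()
    fresh = count.to_bytes(4, "big") if count is not None else time_info.encode()
    return kdf(k_seaf, FC_SECOND_KEY, target, fresh)


def derive_third_key(k_second: bytes, alg_id: int) -> bytes:
    """Third key (UE) / fourth key (second node), bound to the first algorithm identifier."""
    return kdf(k_second, FC_THIRD_KEY, bytes([alg_id]))


def protect(key: bytes, payload: bytes) -> bytes:
    """Append an integrity tag; only a holder of the matching key can verify it."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def verify(key: bytes, msg: bytes) -> bytes:
    """Check the tag in constant time and return the payload, or raise ValueError."""
    payload, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: key mismatch or tampered message")
    return payload


def run_exchange(k_seaf: bytes, nas: bytes, ue_count: int, second_node_count: int,
                 node_type: str = "nf-type-a", instance_id: Optional[str] = None,
                 alg_id: int = 0x02) -> Tuple[bytes, bytes]:
    """UE -> third node -> second node -> first node -> second node -> third node -> UE.

    Returns (NAS payload recovered by the second node, reply recovered by the UE).
    Raises ValueError when the UE's first count value and the second node's second
    count value disagree, because the two sides then derive different keys."""
    use_type = None if instance_id is not None else node_type
    # UE: second key -> third key -> first message (NAS signalling, UE ID, algorithm ID).
    k2 = derive_second_key(k_seaf, node_type=use_type, instance_id=instance_id, count=ue_count)
    k3 = derive_third_key(k2, alg_id)
    first_message = {"ue_id": "ue-0001", "alg_id": alg_id, "nas": protect(k3, nas)}
    # First RRC message: the first message plus the second node's type / instance ID
    # (AS-protected on the air interface in the claims; modelled as a plain dict here).
    first_rrc = {"first_message": first_message, "node_type": node_type, "instance_id": instance_id}

    # Third node: transparently forwards the first message to the second node.
    forwarded = first_rrc["first_message"]

    # Second node: asks the first node for the fifth key with a fifth message carrying
    # its own count of uplink NAS messages from this UE (the second count value).
    fifth_message = {"node_type": first_rrc["node_type"], "instance_id": first_rrc["instance_id"],
                     "count": second_node_count, "ue_id": forwarded["ue_id"]}

    # First node (security anchor): derives the fifth key from the first key and the
    # parameters of the fifth message, then returns it to the second node.
    seaf_type = None if fifth_message["instance_id"] is not None else fifth_message["node_type"]
    k5 = derive_second_key(k_seaf, node_type=seaf_type, instance_id=fifth_message["instance_id"],
                           count=fifth_message["count"])

    # Second node: fourth key from the fifth key, verify the first message, answer.
    k4 = derive_third_key(k5, forwarded["alg_id"])
    recovered_nas = verify(k4, forwarded["nas"])
    second_message = protect(k4, b"NAS-ACCEPT")

    # Third node relays the second message in a second RRC message; UE checks it with the third key.
    recovered_reply = verify(k3, second_message)
    return recovered_nas, recovered_reply
```

Two properties are worth checking against this model. Binding the key to the instance ID rather than the type gives distinct keys for two second nodes of the same type, which is the separation the first aspect claims. Binding it to a NAS count couples the UE's first count value to the second node's second count value: a lost or reordered uplink NAS message makes the two sides derive different keys, and the only symptom is a failed integrity check on the first message, so an implementation needs a resynchronisation path (or the time-information variant, which trades the counter for an agreed time period).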
- the fifth aspect provides a user equipment (UE), wherein the UE includes: a processing module configured to generate a second key based on a first key of a first node; and to generate a third key based on the second key; the third key is used to protect the communication security between the user equipment (UE) and a second node; wherein the first node is a security anchor point.
- a sixth aspect provides a third node, wherein the third node includes: a receiving module configured to receive a first message sent by a user equipment (UE), the first message being protected by a third key; the third key is generated by the UE based on a second key, the second key being generated based on a first key of a first node; and the receiving node of the first message is the second node.
- a seventh aspect provides a first node, wherein the first node includes: a processing module configured to generate a fifth key based on a first key of the first node; a sending module configured to send the fifth key to a second node, the fifth key being used by the second node to generate a fourth key; the fourth key being used to protect the communication security between the second node and the UE; and the first node serving as a security anchor point.
- the eighth aspect provides a second node, wherein the second node includes: a receiving module configured to receive a fifth key sent by a first node, the fifth key being generated based on the first key of the first node; and a processing module configured to generate a fourth key based on the fifth key, the fourth key being used to protect the communication security between the second node and the user equipment (UE); the first node being a security anchor point.
- a ninth aspect provides a communication system, wherein the communication system includes a user equipment (UE), a first node, a second node, and a third node; the UE is used to execute the method provided by any technical solution of the first aspect; the third node is used to execute the method provided by any technical solution of the second aspect; the first node is used to execute the method provided by any technical solution of the third aspect; and the second node is used to execute the method provided by any technical solution of the fourth aspect.
- embodiments of this disclosure provide a program product, wherein the program product includes a computer program, which, when executed by a communication device, enables the communication device to perform the information processing method described in the optional implementations of the first to fifth aspects.
- embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the information processing method described in the optional implementations of the first to fifth aspects.
- the embodiments of this disclosure are not exhaustive, but merely illustrative of some embodiments, and are not intended to limit the specific scope of protection of this disclosure.
- each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged.
- the optional implementations in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with optional implementations of other embodiments.
- multiple refers to two or more.
- the terms “at least one of”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.
- the notation "at least one of A and B", "A and/or B", "A in one case, B in another", etc. may include the following technical methods depending on the situation: in some embodiments, A (A is executed regardless of B); in some embodiments, B (B is executed regardless of A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, A and B (both A and B are executed). The same applies when there are more branches such as A, B, C, etc.
- the notation "A or B” may include the following technical approaches, depending on the circumstances: in some embodiments, A (execution of A regardless of B); in some embodiments, B (execution of B regardless of A); in some embodiments, selective execution from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, C, etc.
- when the descriptive object is a "field", the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields". "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field".
- when the descriptive object is a "level", the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels".
- the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in “first device,” the number of "devices" can be one or more.
- the objects modified by different prefixes can be the same or different.
- first device and second device can be the same device or different devices, and their types can be the same or different.
- first type of information and second type of information can be the same information or different information, and their content can be the same or different.
- “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
- the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.
- devices, etc. can be interpreted as physical or virtual, and their names are not limited to the names recorded in the embodiments.
- Terms such as “device”, “equipment”, “circuit”, “network element”, “node”, “function”, “unit”, “section”, “system”, “network”, “chip”, “chip system”, “entity”, and “subject” can be used interchangeably.
- network can be interpreted as network-side devices or network functions such as access network devices and core network devices included in the network.
- the terms “access network device (AN device),” “radio access network device (RAN device),” “base station (BS),” “radio base station,” “fixed station,” “node,” “access point,” “transmission point (TP),” “reception point (RP),” “transmission/reception point (TRP),” “panel,” “antenna panel,” “antenna array,” “cell,” “macro cell,” “small cell,” “femto cell,” “pico cell,” “sector,” “cell group,” “serving node,” “carrier,” “component carrier,” and “bandwidth part (BWP)” can be used interchangeably.
- the terms “UE (terminal),” “UE device,” “user equipment (UE),” “user terminal,” “mobile station (MS),” “mobile terminal (MT),” “subscriber station,” “mobile unit,” “subscriber unit,” “wireless unit,” “remote unit,” “mobile device,” “wireless device,” “wireless communication device,” “remote device,” “mobile subscriber station,” “access terminal,” “mobile terminal,” “wireless terminal,” “remote terminal,” “handset,” “user agent,” “mobile client,” and “client” can be used interchangeably.
- the access network device, core network device, or network device can be replaced by a UE.
- embodiments of this disclosure can also be applied to structures where communication between the access network device, core network device, or network device and the UE is replaced by communication between multiple UEs (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.).
- the UE can also be configured to have all or some of the functions of the access network device.
- terms such as “uplink” and “downlink” can be replaced with terms corresponding to communication between UEs (e.g., “sidelink”).
- uplink channel, downlink channel, etc. can be replaced with sidelink channel
- uplink link, downlink, etc. can be replaced with sidelink link.
- the UE can be replaced by an access network device, a core network device, or a network device. In this case, it can also be configured such that the access network device, core network device, or network device has all or some of the functions of the UE.
- the acquisition of data, information, etc. may comply with the laws and regulations of the country where the location is situated.
- data, information, etc. may be obtained with the user's consent.
- each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.
- Figure 1A is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
- the communication system 100 includes a terminal 101 and a network device 102.
- the network device 102 may include access network equipment and/or core network equipment.
- the terminal may also be referred to as a UE.
- terminal 101 includes, for example, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) UE device, augmented reality (AR) UE device, wireless UE device in industrial control, wireless UE device in self-driving, wireless UE device in remote medical surgery, wireless UE device in smart grid, wireless UE device in transportation safety, wireless UE device in smart city, and wireless UE device in smart home, but is not limited thereto.
- VR virtual reality
- AR augmented reality
- the UE is also referred to as User Equipment (UE).
- UE User Equipment
- the access network device may be, for example, a node or device that enables a UE to access a wireless network.
- the term includes, but is not limited to, at least one of the following in 5G communication systems: evolved NodeB (eNB), next-generation eNB (ng-eNB), next-generation NodeB (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), radio backhaul equipment, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center; base station in 6G communication systems; open RAN; cloud RAN; base station in other communication systems; and access node in Wi-Fi systems.
- eNB evolved NodeB
- ng-eNB next-generation NodeB
- gNB next-generation NodeB
- NB node B
- HNB home node B
- HeNB home evolved node B
- RNC radio network controller
- BSC base station controller
- the technical methods of this disclosure can be applied to the Open RAN architecture.
- the interfaces between or within access network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN.
- the processes and information interactions between these internal interfaces can be implemented by software or programs.
- the access network device may be composed of a central unit (CU) and a distributed unit (DU).
- the CU may also be called a control unit.
- the CU-DU structure can split the protocol layers of the access network device: some protocol-layer functions are controlled centrally by the CU, while part or all of the remaining protocol-layer functions are distributed in the DU under the central control of the CU. However, this is not the only possibility.
- the core network equipment can be a single device, including a first network element, or it can be multiple devices or a group of devices, each including a first network element.
- the network element can be virtual or physical.
- the core network includes, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), and a Next Generation Core (NGC).
- EPC Evolved Packet Core
- 5GCN 5G Core Network
- NGC Next Generation Core
- the following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1A, or to some of the main bodies, but are not limited thereto.
- the main bodies shown in FIG1A are illustrative.
- the communication system may include all or some of the main bodies in FIG1A, or it may include other main bodies outside of FIG1A.
- the number and form of each main body are arbitrary.
- the connection relationship between the main bodies is illustrative.
- the main bodies may not be connected or may be connected.
- the connection can be made in any way: it can be a direct or an indirect connection, and it can be a wired or a wireless connection.
- LTE Long Term Evolution
- LTE-A LTE-Advanced
- LTE-B LTE-Beyond
- SUPER 3G IMT-Advanced
- 4G 4th generation mobile communication system
- 5G 5th generation mobile communication system
- NR New Radio
- New-RAT New Radio Access Technology
- NX New Radio Access
- FX Future Generation Radio Access
- GSM Global System for Mobile Communications
- UMB Ultra Mobile Broadband
- IEEE 802.11 Wi-Fi
- IEEE 802.16 WiMAX
- IEEE 802.20
- UWB Ultra-Wideband
- PLMN Public Land Mobile Network
- D2D Device-to-Device
- M2M Machine-to-Machine
- IoT Internet of Things
- V2X Vehicle-to-Everything
- systems utilizing configuration methods of other resources and next-generation systems extended from them.
- multiple systems can be combined (e.g., LTE and NR can be combined).
- NFs network functions
- 5GC 5th Generation Core
- AMF Access Management Function
- RAN nodes can be consumers or producers providing services for other network functions besides the AMF.
- Non-Access Stratum (NAS) signaling is only supported between the AMF and UE in the core network. Normally, NAS signaling is transparently transmitted through the RAN node.
- NAS Non-Access Stratum
- the RAN can evolve to communicate directly with other core NFs without going through the AMF; this means that, besides the AMF, other network functions can also serve users directly.
- UE User Equipment
- NF core network function
- K_AMF AMF root key
- SEAF Security Anchor Function
- K_AMF is used by the UE and the AMF to derive the NAS integrity key K_NASint and/or the NAS confidentiality key K_NASenc; no other core NF can derive a NAS security key. Since the current key hierarchy provides no NAS security keys for other core NFs, NAS signaling between the UE and those NFs cannot be protected.
- this embodiment of the present disclosure provides an information processing method, executed by the communication system shown in Figure 1A.
- the method may include:
- S2101 The UE generates a second key based on the first key of the first node.
- the communication system can be the one shown in Figure 1A.
- the UE is the terminal 101 shown in Figure 1A.
- the first node can be one of the network devices 102 shown in Figure 1A.
- the first node can be a core network node.
- the first node may include a Security Anchor Function (SEAF).
- SEAF Security Anchor Function
- the second key is an intermediate key used to generate the third key.
- both the first node and the second node may be core network nodes.
- a second key is generated based on the first key and the type of the second node.
- the UE can determine the type of the second node based on the requested network service or function. For instance, if the UE requests a user plane session, the type of the second node is a Session Management Function (SMF). If the UE requests location, the type of the second node can be a Location Management Function (LMF).
- the second node can be any node in the UE's serving network other than the first node.
- the second node can be any core network node in the UE's serving network other than the first node.
- the second node is not necessarily a core network node.
- the UE uses a Key Derivation Function (KDF) to derive a second key, taking the first key as input and the type of the second node as the derivation parameter.
- KDF Key Derivation Function
- a second key is generated based on a first key, the type of the second node, and a first count value.
- the first count value may be a count of uplink data messages sent by the UE to the second node; for example, it may be a count of uplink non-access stratum (NAS) messages sent by the UE to the second node.
- NAS non-access stratum
- the first count value can be the number of uplink NAS messages that the UE has sent to the second node. If the current UE has not yet sent any uplink NAS messages to the second node, the first count value can be 0.
- a second key is generated based on a first key, the type of the second node, and first time information; the first time information indicates the time period during which the second key was generated.
- the unit of the generation period may be milliseconds or seconds, so that the time difference between the UE generating the second key and the first node generating the fifth key can be ignored.
- the generation period may be longer than the time required for information to be transmitted from the UE to the first node.
- a second key is generated based on a first key and an instance identifier ID of a second node.
- the UE may be pre-configured with an instance identifier (ID) corresponding to the second node. In this case, the UE may also generate the second key based on the instance ID of the second node and the first key.
- ID instance identifier
- after the first node selects a second node (a service node) for the UE through information exchange with the UE, the first node returns the instance ID of the second node to the UE. At this point, the UE also knows the instance ID of the second node. Since the UE has obtained the instance ID of the second node before generating the second key, it can generate the second key based on that instance ID. For example, the UE is pre-configured with the instance ID of the second node, and generates the second key based on the first key and the instance ID of the second node.
- the UE ID can also be used as a parameter for generating the second key.
- the second key is generated based on the first key and one or more of the following: the type of the second node, the instance ID of the second node, the first count value, the first time information, and the UE ID. If the second key is generated based on the UE ID and the first key, different UEs will have different second keys, thereby achieving isolation of communication security between different UEs and the second node.
- the UE ID can be any information that can identify the UE.
- the UE's International Mobile Subscriber Identification Number (IMSI), International Mobile Equipment Identification (IMEI), 5G Globally Unique Temporary Identifier (GUTI), Network Access Identifier (NAI), etc. can be information that uniquely identifies the UE.
- S2102 The UE generates a third key based on the second key.
- a third key is used to protect the security of communication between the UE and the second node.
- the third key is used to protect the security of NAS communication between the UE and the second node.
- This NAS communication security may include the security of NAS messages.
- the third key may include at least one of the following: an integrity key; a confidentiality key; and a scrambling key.
- the integrity key can be used for integrity protection (or integrity verification).
- the confidentiality key can be used for confidentiality protection, such as encryption or decryption.
- the scrambling key can be used for scrambling or descrambling information.
- the security algorithms corresponding to the third key supported by different user terminal devices or core network devices may be different.
- the algorithm identifier needs to be used as the generation parameter of the third key.
- a second key is used as input to the KDF, and a third key is generated by combining one or more of the following parameters:
- P0 algorithm type distinguisher, for example, the type of security algorithm here includes, but is not limited to, integrity algorithms and/or confidentiality algorithms;
- L0 the length of P0
- P1 Security Algorithm ID; for example, the ID for Advanced Encryption Standard (AES), the ID for Zu Chongzhi Algorithm (ZUC), etc.
- AES Advanced Encryption Standard
- ZUC Zu Chongzhi Algorithm
- the third key can be used to protect NAS messages sent by the UE to the second node.
- S2103 The UE sends the first message to the third node.
- the third node may be an access network node, specifically a base station of various types.
- the first message is carried in the first RRC message using a message container.
- the first RRC message is protected using an AS security context.
- this AS context may include the key used for communication between the UE and the access network node.
- the first RRC message may be encrypted and/or protected for integrity.
- the first message includes at least one of the following: Non-Access Stratum (NAS) signaling; UE ID; and a first algorithm identifier, wherein the first algorithm identifier is used to identify a security algorithm protecting the first message.
- NAS Non-Access Stratum
- NAS signaling may be a NAS message that the UE needs to send to the second node. This NAS signaling may be carried in a first RRC message via a container.
- the encapsulation protocol of the NAS signaling may differ for different types of second nodes.
- the signaling content of the NAS signaling may differ for different types of second nodes.
- the NAS signaling may be NAS signaling encapsulated with the Long Term Evolution (LTE) Positioning Protocol (LPP), and/or, the NAS message may be related to the absolute and/or relative positioning of the UE.
- LTE Long Term Evolution
- LPP Long Term Evolution Positioning Protocol
- the NAS message may be related to the absolute and/or relative positioning of the UE.
- the signaling content of the NAS signaling may be related to the establishment, connection, or release of a Protocol Data Unit (PDU).
- PDU Protocol Data Unit
- the UE's ID may include, but is not limited to, various types of UE IDs, such as IMEI, IMSI, or NAI.
- the first algorithm identifier can be used to identify a specific algorithm, such as an integrity algorithm or a confidentiality algorithm.
- the first algorithm identifier may be an input parameter for the UE to generate a third key.
- the security algorithm indicated by the first algorithm identifier can be the same as the NAS security algorithm negotiated between the UE and the first node. This means that the UE and the second node do not need to negotiate the security algorithm again.
- the first node is the AMF or the SEAF.
- the first key is used to generate the NAS security key that protects the non-access stratum communication between the UE and the first node.
- the generation of the NAS security key between the UE and the first node may also require the algorithm identifier as an input parameter.
- the algorithm identifier used in the UE's generation of the third key based on the second key can default to the algorithm identifier used in the non-access stratum communication between the UE and the first node.
- the UE does not need to negotiate the algorithm with the second node separately, nor does it need to send the UE's supported algorithm capabilities to the network, simplifying the process and reducing signaling overhead.
- the first message may or may not carry the first algorithm identifier. For example, the first message is sent to the first node via the third node.
- the first node already knows the security algorithm identifier (i.e., the second algorithm identifier) negotiated between itself and the UE. This algorithm identifier can be provided to the second node by the first node. Of course, if the first message carries the first algorithm identifier, the first node does not need to provide the algorithm identifier to the second node separately. In short, the first algorithm identifier is an optional part of the first message.
- the security algorithm identifier i.e., the second algorithm identifier
- the first RRC message also includes at least one of the following: type information of the second node; instance ID of the second node; address information of the second node.
- the type information of the second node is carried in the first RRC message, which can enable the third node or the first node to know the type of the second node and select the second node for the UE based on the UE's location information and/or the second node that the third node can reach.
- the instance ID of the second node may be an identifier of the second node pre-configured on the UE. In some embodiments, the instance ID of the second node is obtained by the UE based on historical communications.
- the address information of the second node may include, but is not limited to, an Internet Protocol (IP) address.
- IP Internet Protocol
- the first RRC message is also protected using an AS security context.
- the AS security context may include: a confidentiality key and/or an integrity key for communication between the UE and the third node.
- S2104 The third node sends the first message to the second node.
- after the third node determines the receiving node of the first message, it sends the first message to the second node.
- the third node sends the first message to the second node via an SBI or tunnel.
- the first message is sent to the second node based on the instance ID of the second node contained in the first message.
- the third node sends the first message to a second node of the type indicated in the first message.
- S2105 The second node sends the fifth message to the first node.
- the fifth message is used by the second node to request the generation of a fifth key.
- the fifth message includes, but is not limited to, at least one of the following: the identifier of the UE; the type of the second node; the instance identifier of the second node; and the first count value.
- the fifth message may carry input parameters for the first node to generate the fifth key.
- the UE identifier is used to indicate the UE, and the UE identifier can be used by the first node to determine the second algorithm identifier.
- the fifth message is also used to request a second algorithm identifier.
- the fifth message includes an indicator requesting an algorithm identifier, so that when the first node receives the fifth message containing the indicator, it sends the second algorithm identifier together with the fifth key to the second node.
- the indicator requesting the algorithm identifier is optional content of the fifth message. For example, if the first node sends the second algorithm identifier to the second node by default, the fifth message does not need to include this indicator. Also, if the first message includes the first algorithm identifier, the second node does not need to obtain the second algorithm identifier from the first node. Furthermore, if the generation of the third and fourth keys does not use the algorithm identifier, there is obviously no need to transmit the first and second algorithm identifiers between the UE and the network, or between different nodes.
- S2106 The first node generates the fifth key.
- the first node generates a fifth key based on a first key. In some embodiments, the first node receives a fifth message sent by a second node and then generates the fifth key. In some embodiments, the first node may be the SEAF, in which case the first key of the first node may be K_SEAF. In some embodiments, generating a fifth key based on a first key includes at least one of the following: generating a fifth key based on the first key and the type of the second node; generating a fifth key based on the first key and the instance identifier (ID) of the second node.
- generating a fifth key based on the first key and the type of the second node includes at least one of the following: generating a fifth key based on the first key, the type of the second node, and a first count value, the first count value being the count of uplink non-access stratum (NAS) messages sent by the UE to the second node; generating a fifth key based on the first key, the type of the second node, and second time information, the second time information indicating the period in which the fifth key was generated.
- NAS non-access stratum
- when the second key and the fifth key are generated using the NAS message count or the time information, they will differ when the same UE communicates with the same second node in different time periods, thereby further improving the security of direct NAS communication between the UE and the second node.
- generating a fifth key based on a first key and an instance identifier ID of a second node includes at least one of the following: generating a fifth key based on a first key, an instance ID of a second node, and a first count value; the first count value being a count of uplink non-access stratum (NAS) messages sent by the UE to the second node; generating a fifth key based on a first key, an instance ID of a second node, and second time information; the second time information indicating the generation period of the fifth key.
- NAS non-access stratum
- P0 UE ID
- L0 length of P0
- L1 length of P1
- P2 UTC value or number of uplink NAS messages
- L2 length of P2.
- the above are just examples.
- the specific implementation is not limited to the examples mentioned above.
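A worked model of the key hierarchy from S2101/S2102 (second key and third key on the UE) and S2106 (fifth key on the first node, with the P0/L0/P1/L1/P2/L2 parameter layout), added here as an example; it is not code from the patent. It assumes an HMAC-SHA-256 KDF over a 3GPP TS 33.220 style string FC || P0 || L0 || P1 || L1 || P2 || L2, takes the second node's type or instance ID as the unlisted P1, and constructs the FC values, the 32-bit integrity tag, the K_SEAF value and the UE identifier purely for illustration.

```python
"""Key hierarchy of the disclosure, modelled for illustration (added example).

Assumed: KDF = HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), TS 33.220
style.  FC values, the 4-byte integrity tag, K_SEAF and the UE ID are constructed.
"""
import hashlib
import hmac
import struct

# Constructed function codes (a real allocation would come from 3GPP).
FC_NODE_KEY = 0x80          # first key -> second key (UE) / fifth key (first node)
FC_ALG_KEY = 0x81           # second/fifth key -> third/fourth key
ALG_TYPE_NAS_ENC = b"\x01"  # P0 algorithm type distinguisher: confidentiality
ALG_TYPE_NAS_INT = b"\x02"  # P0 algorithm type distinguisher: integrity


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF: each parameter Pi is followed by its 2-byte length Li."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_node_key(k_first: bytes, ue_id: str, node_ref: str, freshness: int) -> bytes:
    """Second key on the UE / fifth key on the first node.

    P0 = UE ID, P1 = type or instance ID of the second node (assumed),
    P2 = first count value (uplink NAS count) or the generation period.
    Using the UE ID as P0 gives each UE its own key towards the second node."""
    return kdf(k_first, FC_NODE_KEY,
               ue_id.encode(), node_ref.encode(), struct.pack(">I", freshness))


def derive_alg_key(node_key: bytes, alg_type: bytes, alg_id: int) -> bytes:
    """Third key on the UE / fourth key on the second node.

    P0 = algorithm type distinguisher, P1 = security algorithm ID; the 128
    least significant bits of the 256-bit output are kept, as in TS 33.501."""
    return kdf(node_key, FC_ALG_KEY, alg_type, bytes([alg_id]))[16:]


def nas_mac(k_int: bytes, count: int, nas_pdu: bytes) -> bytes:
    """Constructed 32-bit integrity tag over COUNT || NAS PDU (not a real NIA)."""
    return hmac.new(k_int, struct.pack(">I", count) + nas_pdu, hashlib.sha256).digest()[:4]


def ue_protect(k_seaf: bytes, ue_id: str, node_type: str, count: int,
               alg_id: int, nas_pdu: bytes) -> dict:
    """S2101-S2103: the UE derives the second and third keys and protects the
    first message (NAS signaling, UE ID, first algorithm identifier, count, MAC)."""
    k_second = derive_node_key(k_seaf, ue_id, node_type, count)
    k_third_int = derive_alg_key(k_second, ALG_TYPE_NAS_INT, alg_id)
    return {"nas": nas_pdu, "ue_id": ue_id, "alg_id": alg_id,
            "count": count, "mac": nas_mac(k_third_int, count, nas_pdu)}


def second_node_verify(k_seaf: bytes, node_type: str, first_message: dict,
                       first_node_count: int) -> bool:
    """S2105-S2108: the first node derives the fifth key from its own view of
    the freshness input; the second node derives the fourth key and verifies
    the first message.  A mismatched key leads to the rejection of S2109."""
    k_fifth = derive_node_key(k_seaf, first_message["ue_id"], node_type, first_node_count)
    k_fourth_int = derive_alg_key(k_fifth, ALG_TYPE_NAS_INT, first_message["alg_id"])
    expected = nas_mac(k_fourth_int, first_message["count"], first_message["nas"])
    return hmac.compare_digest(expected, first_message["mac"])


def run_exchange(ue_count: int, network_count: int) -> bool:
    """True when the second node accepts the UE's first message."""
    k_seaf = hashlib.sha256(b"constructed K_SEAF for this example").digest()
    msg = ue_protect(k_seaf, "imsi-001010123456789", "SMF", ue_count, 2,
                     b"PDU SESSION ESTABLISHMENT REQUEST")
    return second_node_verify(k_seaf, "SMF", msg, network_count)


if __name__ == "__main__":
    print(run_exchange(0, 0))  # True: UE and first node agree on all KDF inputs
    print(run_exchange(3, 2))  # False: count desync -> different keys -> rejection
```

The second call shows why the first count value (or the time period) must be known identically on both sides: a desynchronised input yields a different fifth key, the fourth key no longer matches the third key, and the second node rejects the message.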
- S2107 The first node sends the fifth key to the second node.
- the first node also sends a second algorithm identifier to the second node.
- the second algorithm identifier is used to identify a security algorithm protecting the first message.
- the second algorithm identifier is an input parameter for generating the fourth key.
- the second algorithm identifier may be sent to the second node together with the fifth key. Alternatively, the second algorithm identifier may be sent to the second node separately.
- the second algorithm identifier may be an identifier of the algorithm used by the first node and the UE to protect the communication between the UE and the first node, as agreed upon by the first node and the UE.
- the first message may include a first algorithm identifier. If the UE and the first node include the first algorithm identifier in the first message by default, the first node may not need to send a second algorithm identifier to the second node.
- the first algorithm identifier is used to identify the security algorithm negotiated by the UE and the first node to protect the communication between the UE and the first node.
- the second algorithm identifier is used to identify the security algorithm negotiated by the first node and the UE to protect the communication between the UE and the first node.
- the first algorithm identifier and the second algorithm identifier should be the same.
- S2108 The second node generates the fourth key based on the fifth key.
- S2109 The second node sends a second message to the third node.
- the second message is protected using a fourth key.
- the second message may be protected for integrity using the fourth key, or it may be protected for confidentiality using the fourth key.
- if the second node successfully verifies the first message using the fourth key, the second node sends a second message to the third node. In some embodiments, if the second node fails to verify the first message using the fourth key, the second node sends a rejection message to the third node. This rejection message can be used to indicate that UE access is denied. For example, the rejection message sent by the second node to the third node may also include a failure reason, which indicates why UE access to the second node is denied.
- the second node allows the UE to access the second node and sends a second message.
- This second message may be a response message to the first message.
- S2110 The third node sends a second message to the UE.
- the third node sends a second RRC message to the UE, the second RRC message including a second message.
- the second RRC message is protected using an AS security context.
- the UE may receive a second message from a third node. For example, after the UE receives the second message, it can be considered that a message exchange between the UE and the second node has been completed.
- the UE may send subsequent NAS messages to the second node if necessary.
- the third node will directly pass such messages through or forward them to the second node.
- the third node will also directly receive the NAS messages sent to the UE from the second node and forward or pass them through to the UE.
- this embodiment of the present disclosure provides an information processing method, executed by the communication system shown in Figure 1A.
- the method may include:
- S2201 The UE generates a second key based on the first key of the first node.
- the relevant descriptions of the first node, the first key, and the second key can be found in the relevant descriptions of the embodiment corresponding to Figure 2A.
- the optional implementation of the UE generating the second key based on the first node can be found in the optional implementation of S2101 of the embodiment corresponding to FIG2A.
- S2202 The UE generates a third key based on the second key.
- the relevant descriptions of the second key and/or the third key can be found in the embodiment corresponding to Figure 2A.
- the optional implementation of the UE generating a third key based on the second key can be found in the optional implementation of S2102 of the embodiment corresponding to FIG2A.
- S2203 The UE sends the first message to the third node.
- the relevant descriptions of the third node and the first message can be found in the embodiment corresponding to Figure 2A.
- an optional implementation of the UE sending a first message to a third node can be found in S2103 of the embodiment corresponding to FIG2A.
- S2204 The third node sends a third message to the first node.
- for example, the third message is sent to the first node when the first message is the first message sent by the UE since it accessed the third node this time, or the first message sent by the UE after its previous third key expired.
- if the third node determines that the first message is the first message sent by the UE to the second node, it sends the third message to the first node before sending the first message to the second node.
- if the third node determines that the first message is not the first message sent by the UE to the second node, it skips the step of sending the third message to the first node and directly proceeds to sending the first message to the second node.
- if the third node has no historical communication records between the UE and the second node, it sends a third message to the first node before sending the first message to the second node.
- the third message is used to request the first node to generate a fifth key for the second node.
- the fifth key is used to generate the fourth key.
- the fourth key may include, but is not limited to, an integrity key and/or a confidentiality key.
- the fourth key is used to protect the security of communication between the second node and the UE.
- the third message includes at least one of the following: the UE's ID; the type of the second node; and the instance ID of the second node.
- S2205 The first node sends the fourth message to the third node.
- the fourth message is used by the third node to determine whether the fifth key has been generated; or, the fourth message is used to indicate that the first node has sent the fifth key to the second node.
- the fourth message can be used by the third node to determine whether the first message can be sent to the second node.
- the first node may also send second information to the third node. In some embodiments, if the first node does not need to select a second node for the UE, the first node does not need to send second information to the third node. For example, if the third message carries the instance ID or address information of the second node, it indicates that the first node does not need to select a second node for the UE; otherwise, it needs to select a second node for the UE.
- even when it does not need to select a second node for the UE, the first node may, based on the load rate and/or abnormal conditions of different second nodes, update the second node determined by the third node for the UE or selected by the UE itself. In this case, if the first node reselects a second node for the UE, it needs to send the second information of that second node to the third node.
- the second information includes at least one of the instance ID of the second node and the address information of the second node. In some embodiments, the second information may or may not be included in the fourth message. The second information may be sent to the third node together with the fourth message, or it may be sent separately to the third node.
- S2206 The first node sends the fifth key to the second node.
- the first node sends the fifth key and the second algorithm identifier to the second node.
- it is optional for the first node to send the second algorithm identifier to the second node.
- the second node can obtain the first algorithm identifier from the first message and generate the fourth key based on the first algorithm identifier. In this case, the first node does not need to send the second algorithm identifier to the second node.
- after receiving the fourth message, the third node sends the first message to the second node.
- alternatively, the third node sends the third message to the first node while simultaneously sending the first message to the second node.
- the first message includes at least one of the following: Non-Access Stratum (NAS) signaling; UE ID; and a first algorithm identifier, wherein the first algorithm identifier is used to identify a security algorithm protecting the first message.
- NAS Non-Access Stratum
- the NAS signaling may include, but is not limited to, LPP signaling. If the second node is an SMF, the NAS signaling may include, but is not limited to, signaling for session establishment requests, updates, or releases.
- the first algorithm identifier may be an algorithm identifier provided by the UE to the second node, and the first algorithm identifier may be used by the second node to generate a fourth key.
- the second node generates a fourth key based on the fifth key.
- for the second node generating the fourth key, see any alternative implementation of S2108 of the embodiment corresponding to FIG2A.
- the optional implementation of the second node sending the second message to the third node can be found in any optional implementation of S2109 of the embodiment corresponding to FIG2A.
- S2210 The third node sends a second message to the UE.
- the optional implementation of the third node sending the second message to the UE can be found in any optional implementation of S2110 of the embodiment corresponding to FIG2A.
- this embodiment of the present disclosure provides an information processing method, executed by a UE, which may include:
- a second key is generated based on the first key of the first node.
- descriptions of the first node, second node, third node, first key and/or second key can be found in the relevant descriptions in the embodiment corresponding to Figure 2A.
- the optional implementation of the UE generating the second key based on the first key of the first node can be found in the relevant descriptions in embodiments S2101 or S2201 corresponding to Figures 2A and 2B.
- S3102 Generate a third key.
- a third key is generated based on the second key.
- the optional implementation of the UE generating a third key based on the second key can be found in the relevant descriptions in embodiments S2102 or S2202 corresponding to Figures 2A and 2B.
- S3103 Send the first message.
- the UE sends a first message to the third node.
- the optional implementations of the UE sending the first message to the third node can all be found in the relevant descriptions in embodiments S2103 or S2203 corresponding to Figures 2A and 2B.
- S3104 Receive the second message.
- the UE receives a second message from the second node that is forwarded or transparently transmitted by the third node.
- the relevant description of the second message can be found in the embodiments corresponding to FIG2A and/or FIG2B.
- this embodiment of the disclosure provides an information processing method, executed by a third node.
- the method may include:
- the third node receives the first message sent by the UE.
- the first message is protected using a third key.
- the third key is generated by the UE based on the second key.
- the second key is generated based on the first key of the first node.
- the receiving node of the first message is the second node.
- the relevant descriptions of the first node, second node, third node, first key, second key, and first message can be found in the relevant descriptions in the embodiment S2101 corresponding to FIG2A.
- S4102 Send the first message.
- the third node sends a first message to the second node.
- the optional method for the third node to send the first message to the second node can be found in S2104 of the embodiment corresponding to FIG2A.
- a second message sent by a second node is received.
- the relevant description of the second message can be found in the relevant description of the embodiment corresponding to FIG2A above.
- S4104 Send the second message.
- the third node sends a second message to the UE.
- an optional implementation of the third node sending a second message to the UE can be found in S2110 of the example corresponding to FIG2A.
- steps S4102 to S4104 are all optional. If the third node is the one that determines the second node for the UE and it fails to select a second node, or if security verification of the first RRC message using the AS security context fails, then the third node does not send the first message and will not receive a second message returned in response to it.
- steps S4103 and S4104 are optional.
- this embodiment of the present disclosure provides an information processing method, executed by a third node.
- the method may include:
- the third node receives a first message sent by the UE.
- the first message is protected using a third key.
- the third key is generated by the UE based on the second key.
- the second key is generated based on the first key of the first node.
- the receiving node of the first message is the second node.
- the relevant descriptions of the first node, second node, third node, first key, second key, and first message can be found in the relevant descriptions in the embodiment S2201 corresponding to Figure 2B.
- the third node sends a third message to the first node.
- the description of the third message can be found in the description in the embodiment corresponding to FIG2B.
- optional implementations of the third message may refer to S2204 of the embodiment corresponding to FIG2B.
- the third node receives a fourth message sent by the first node.
- the description of the fourth message can be found in the description in the embodiment corresponding to FIG2B.
- an alternative implementation of the fourth message may refer to S2204 of the embodiment corresponding to FIG2B.
- the third node sends a first message to the first node or the second node.
- the optional method by which the third node sends the first message to the first node or the second node can be found in S2104 of the embodiment corresponding to FIG2A.
- the third node receives a second message sent by the second node.
- the relevant description of the second message can be found in the relevant description of the embodiment corresponding to FIG2B above.
- S4205 Send a second message.
- an optional implementation of the third node sending a second message to the UE can be found in S2209 of the example corresponding to FIG2B.
- this embodiment of the present disclosure provides an information processing method, executed by a first node.
- the method may include:
- the first node may be SEAF.
- the first node receives a fifth message sent by the second node.
- the relevant descriptions of the first node, the second node, and the fifth message can be found in the relevant descriptions in the corresponding embodiment S2105 of Figure 2A.
- a fifth key is generated based on the first key of the first node.
- a fifth key is generated upon receiving a fifth message.
- the relevant description of the fifth key can be found in S2106 of the embodiment corresponding to FIG2A.
- the optional implementation of the first node generating the fifth key can be found in any optional implementation of embodiment S2106 corresponding to FIG2A.
- the first node sends a fifth key and a first message to the second node.
- the method further includes: the first node sending a second algorithm identifier and/or node information of the third node to the second node.
- the description of the second algorithm identifier can be found in any optional implementation of embodiment S2106 corresponding to Figure 2A.
- the node information of the third node may include: the node identifier of the third node, tunnel address, SBI interface, and other information that the second node can use to determine the third node.
- the fifth key can be used by the second node to generate the fourth key.
- the fourth key can be used to protect the communication security between the second node and the UE.
- this embodiment of the present disclosure provides an information processing method, executed by a first node.
- the method may include:
- the first node receives a third message sent by the third node.
- the third message is used to request the first node to generate a fifth key for the second node.
- the fifth key is used to generate a fourth key.
- the fourth key may include, but is not limited to, an integrity key and/or a confidentiality key.
- the fourth key is used to protect the security of communication between the second node and the UE.
- the fourth key is used by the second node to protect the security of communication with the UE.
- the relevant descriptions of the first node, second node, third node, first key, second key, and third message can be found in the relevant descriptions in S2204 of Figure 2B.
- a fifth key is generated based on the first key of the first node.
- a fifth key is generated upon receiving a third message.
- the optional implementation of the first node generating the fifth key can be found in any optional implementation of embodiment S2205 corresponding to FIG2B.
- the method further includes: the first node sending a second algorithm identifier and/or node information of the third node to the second node.
- a description of the second algorithm identifier can be found in any optional implementation of embodiment S2105 corresponding to Figure 2A.
- the first node sends a fifth key to the second node.
- the alternative implementation of sending the fifth key can be found in any alternative implementation of embodiment S2106 corresponding to FIG2A.
- the first node may also send a second algorithm identifier to the second node.
- the second algorithm identifier can be used to identify the security algorithm used to protect the second message.
- the second algorithm identifier can also be used as an input parameter for generating a fourth key.
- the relevant description of the fourth message can be found in the relevant description of the embodiment corresponding to FIG2B above.
- sending a fourth message may be an optional step.
- the third node and the first node trust each other by default, and the first node automatically generates a fifth key after receiving the third message, without a confirmation step.
- this embodiment of the present disclosure provides an information processing method, executed by a second node, which may include:
- the second node receives a first message from the UE forwarded by the third node.
- a description of the first message in some embodiments can be found in the embodiment corresponding to Figure 2A.
- S6102 Send the fifth message.
- the second node sends a fifth message to the first node.
- the fifth message may include parameters required to generate the fifth key, such as a first count value.
- the fifth message includes the UE's identifier, so that different UEs will have different fifth keys.
- the relevant description of the fifth message can be found in S2105 of the embodiment corresponding to FIG2A.
- the second node receives a fifth key sent by the first node.
- the fifth key is generated by the first node based on the first key.
- the fifth key is generated by the first node after receiving the fifth message sent by the second node.
- the method further includes receiving a second algorithm identifier.
- the second algorithm identifier may be one of the parameters used to generate the fourth key.
- the second node generates the fourth key based on the fifth key.
- an optional implementation of the second node generating the fourth key can be found in S2108 of the embodiment corresponding to FIG2A.
- S6105 Send the second message.
- the second node uses the fourth key to verify the first message. If the first message passes verification, the second node sends the second message; if verification fails, it does not send the second message but sends a rejection message instead.
- verifying the first message with the fourth key includes, but is not limited to, at least one of the following: verifying the integrity of the first message using the fourth key; decrypting the first message (verifying its confidentiality protection) using the fourth key; descrambling the first message using the fourth key.
- this embodiment of the present disclosure provides an information processing method, executed by a second node, which may include:
- the second node receives the fifth key sent by the first node.
- the relevant descriptions of the first node, the second node, and the fifth key can be found in the embodiment corresponding to Figure 2B.
- the second node receives the first message sent by the first node.
- S6201 may be executed first and then S6202, or S6202 may be executed first and then S6201, or S6201 and S6202 may be executed simultaneously.
- the relevant description of the first message can be found in the relevant description of the embodiment corresponding to FIG2B.
- the second node generates the fourth key based on the fifth key.
- an optional implementation of the second node generating the fourth key can be found in S2208 of the embodiment corresponding to FIG2B.
- the second node uses the fourth key to verify the first message. If the first message passes verification, the second node sends the second message; if verification fails, it does not send the second message but sends a rejection message instead.
- verifying the first message with the fourth key includes, but is not limited to, at least one of the following: verifying the integrity of the first message using the fourth key; decrypting the first message (verifying its confidentiality protection) using the fourth key; descrambling the first message using the fourth key.
- when the first message is received from the third node, the second node sends the second message to the third node.
- for the second message, please refer to the relevant description in the embodiment corresponding to Figure 2B.
- K AMF is a key derived from K SEAF by the UE and the SEAF.
- further keys are derived from K AMF by the UE and the AMF.
- K NASint is a key derived from K AMF by the UE and the AMF, and can only be used to protect NAS signaling with a specific integrity algorithm.
- K NASenc is a key derived from K AMF by the UE and the AMF, and can only be used to protect NAS signaling with a specific encryption algorithm.
- this disclosure proposes deriving a K NF as the security root for NAS or NF signaling between the UE and the NF.
- the K NF is derived from the K SEAF by both the UE and the SEAF.
- the UE and the target NF further derive the NAS security keys between the UE and the NF from the K NF, namely K NFint, which is used to protect the integrity of NAS or NF signaling between the UE and the NF, and K NFenc, which is used to protect the confidentiality of NAS or NF signaling between the UE and the NF. The resulting new key hierarchy is shown in Figure 1G.
- KDF: To Be Determined (TBD);
- P0: UE ID; for example, the UE ID can be an IMSI, NAI, GCI, or GLI;
- L0: length of P0;
- P1: NF type (such as LMF, SMF) or NF instance ID;
- L1: length of P1;
- P2: uplink NAS or NF count, or a UTC-based count;
- L2: length of P2;
- P3: ABBA parameter, which indicates the security features currently used by the network, so that an attacker cannot use lower-security features to mount a bidding-down attack against higher-security features.
- the ABBA parameter currently has only one value, 0x0000, indicating the initial security features of the 5G network.
- L3: length of P3.
- P0 can be any type of UE ID shared between the UE and the target NF.
- P1 can be the NF type (such as LMF, SMF) or the NF instance ID (if available on the UE or RAN node).
- P2 can be a UTC-based point in time for deriving the K NF , or an uplink NAS or NF count in the UE and the NF. It is assumed that the UE maintains a separate NAS count for each directly communicating NF, such as an uplink NAS/LMF count.
- the input key to the key derivation function can be a 256-bit K SEAF .
- FC: To Be Determined (TBD);
- P0: algorithm type distinguisher; for example, the value of the algorithm type distinguisher differs between integrity algorithms and encryption algorithms;
- L0: length of the algorithm type distinguisher;
- P1: algorithm identifier; typical algorithm identifiers may include, but are not limited to, an AES ID, a ZUC ID, etc.;
- L1: length of the algorithm identifier;
- the input key of the KDF can be the 256-bit K NF.
- an initial NAS procedure is performed between the UE and the AMF, involving primary authentication and initial mobility registration within the network.
- the UE negotiates the integrity and encryption algorithms for NAS/AMF security with the AMF through the NAS SMC procedure. Therefore, any initial NAS/NF messages sent by the UE to a target NF outside the AMF can be considered to be sent after the UE has established NAS/AMF security with the AMF.
- the AMF can negotiate the NAS/NF security algorithm with the UE on behalf of other NFs.
- the NAS/AMF security algorithm negotiated between the UE and the AMF through the NAS SMC procedure can be applied to NAS/NF security between the UE and NFs outside the AMF, while no security mode negotiation is required between the UE and other NFs.
- the SEAF is considered the anchor NF for all NFs within the same serving network in a 6G system.
- the NAS/SEAF algorithm is negotiated between the UE and the SEAF during initial registration.
- the NAS/SEAF security algorithm negotiated between the UE and SEAF can be applied to NAS/NF security between the UE and all other NFs; therefore, security mode negotiation is not required between the UE and other NFs.
- SEAF should be able to notify other NFs of the negotiated NAS/SEAF security algorithm.
- "/" can represent "or” or "and/or”.
- the K NF can be derived from the K SEAF by the SEAF, or from the K AMF by the AMF—when the NF receives the initial NAS/NF message from the UE through the RAN node, it can send a key generation request to the SEAF or the AMF.
- the method may include:
- Before the UE initiates a NAS message (such as a NAS or LPP message) to the LMF through the RAN node, the UE first derives a K NF (such as a K LMF) from the K SEAF.
- the input parameters for generating the K NF include the UE's ID, the type or instance ID of the target NF (LMF in this example), and the uplink NAS/LMF COUNT. Note: the K SEAF was previously derived by the UE during the authentication process.
- the UE further derives the NAS/LMF keys from K LMF, exemplarily K LMFint for NAS/LMF integrity and K LMFenc for NAS/LMF encryption.
- the security algorithm identifiers derived for K LMFint and K LMFenc are the same as the security algorithm identifiers negotiated between the UE and AMF for NAS/AMF signaling through the NAS/AMF SMC process.
- the UE protects the NAS/LPP message using the derived NAS/LMF key and encapsulates the NAS/LPP message within an RRC message. If the K NF is derived from the K SEAF , the applied algorithm is included in the protected NAS/LPP message.
- the applied algorithm is the one negotiated between the UE and the AMF or SEAF.
- the UE may also include the type or instance ID of the target NF (i.e., LMF) in the RRC message.
- the RRC message is protected using existing AS security.
- the RAN node forwards the protected NAS/LPP message to the LMF based on the type of the received NAS/LPP message or the target NF type specified by the UE.
- Upon receiving a protected NAS/LPP message, if the LMF does not have an available NAS/LMF security context (exemplarily, a NAS/LMF security key) with which to verify the received NAS/LPP message, the LMF sends a key generation request message to the SEAF or AMF.
- This request message may include the UE ID (e.g., IMSI, SUPI, etc.) and the uplink NAS/LMF message count. If the LMF already has a NAS/LMF security context for the UE, the LMF skips step 5 and proceeds to step 9.
- the LMF can obtain the UE ID from the UE via NAS/LPP messages, or from the RAN node via IP mapping.
- the LMF obtains the uplink NAS/LMF COUNT from the NAS/LPP messages.
- SEAF or AMF derives K LMF from K SEAF using the received UE ID and NAS/LMF count, as well as the type or instance ID of the requested NF (LMF).
- the SEAF returns a key generation response containing the derived K LMF to the LMF.
- the AMF returns a key generation response to the LMF containing the NAS/AMF message protection algorithm and the derived K LMF. If a NAS/SEAF message protection algorithm was negotiated between the UE and the SEAF during the UE's initial registration, the SEAF may also send the negotiated NAS/SEAF message protection algorithm to the LMF.
- the LMF derives the NAS/LMF key (i.e., K LMFint for NAS/LMF integrity and K LMFenc for NAS/LMF encryption) from the K LMF based on the algorithm identifier contained in the NAS/LPP message by the UE or sent by the SEAF/AMF.
- the LMF uses the obtained NAS/LMF key to verify the received NAS/LPP message.
- the LMF uses the NAS/LMF key to protect the NAS/LPP response message and sends it to the RAN node.
- the RAN node encapsulates the protected NAS/LPP message response in an RRC message and sends it to the UE.
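The following Python is an added example written for this page; it is not code from the patent and not any 3GPP implementation. It carries the two KDF definitions above and the FIG. 7A exchange through end to end: K SEAF to K NF to K NFint/K NFenc on the UE, the LMF's key generation request to the SEAF on first contact, and verification of the protected NAS/LPP message with rejection of a tampered copy and of a replay. In the patent's own terms the same flow is the first key (K SEAF), the second key (K NF at the UE), the third key (K NFint/K NFenc at the UE), the fifth key (K NF returned by the first node) and the fourth key (K NFint/K NFenc derived by the second node). Everything the page leaves open is an assumption here: the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), the FC values 0x80 and 0x81, the algorithm type distinguisher values 0x01 and 0x02, a 32-bit truncated HMAC standing in for the negotiated integrity algorithm, and a constructed K SEAF, UE ID and LPP payloads. K NFenc is derived but not applied.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed values: the page leaves both FC values "TBD"; the distinguishers and the 32-bit MAC are stand-ins.
FC_KNF, FC_NF_ALG = 0x80, 0x81
ALG_TYPE_INT, ALG_TYPE_ENC = b"\x01", b"\x02"
ABBA = b"\x00\x00"  # the only ABBA value defined today

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (assumed): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 16-bit big-endian length of Pi; 256-bit output."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_knf(k_seaf: bytes, ue_id: bytes, nf_id: bytes, count: int) -> bytes:
    """K_NF: P0 = UE ID, P1 = NF type/instance ID, P2 = uplink NAS/NF count, P3 = ABBA."""
    return kdf(k_seaf, FC_KNF, ue_id, nf_id, struct.pack(">I", count), ABBA)

def derive_nf_keys(k_nf: bytes, alg_id: int) -> tuple[bytes, bytes]:
    """K_NFint / K_NFenc: P0 = algorithm type distinguisher, P1 = algorithm id; low 128 bits used."""
    k_int = kdf(k_nf, FC_NF_ALG, ALG_TYPE_INT, bytes([alg_id]))[16:]
    k_enc = kdf(k_nf, FC_NF_ALG, ALG_TYPE_ENC, bytes([alg_id]))[16:]
    return k_int, k_enc

def mac32(k_int: bytes, count: int, payload: bytes) -> bytes:
    """Stand-in integrity algorithm: 32-bit truncated HMAC over COUNT || payload."""
    return hmac.new(k_int, struct.pack(">I", count) + payload, hashlib.sha256).digest()[:4]

@dataclass
class ProtectedNas:          # the protected NAS/LPP message, i.e. the "first message"
    ue_id: bytes
    nf_id: bytes             # target NF type or instance ID, used by the RAN node to route
    count: int               # uplink NAS/LMF count
    alg_id: int              # algorithm identifier negotiated earlier with the AMF/SEAF
    payload: bytes
    mac: bytes

class SEAF:
    def __init__(self, k_seaf_by_ue: dict[bytes, bytes]) -> None:
        self.k_seaf = k_seaf_by_ue   # per-UE K_SEAF from primary authentication
        self.requests = 0            # key generation requests served

    def key_generation_request(self, ue_id: bytes, nf_id: bytes, count: int) -> bytes:
        self.requests += 1
        return derive_knf(self.k_seaf[ue_id], ue_id, nf_id, count)

class UE:
    def __init__(self, ue_id: bytes, k_seaf: bytes, alg_id: int) -> None:
        self.ue_id, self.k_seaf, self.alg_id = ue_id, k_seaf, alg_id
        self.ctx = {}  # target NF -> (K_NFint, K_NFenc, next uplink count)

    def send_nas(self, nf_id: bytes, payload: bytes) -> ProtectedNas:
        """Steps 1-3 of FIG. 7A: derive K_LMF once per NF (count 0), protect each message with K_LMFint."""
        if nf_id not in self.ctx:
            k_int, k_enc = derive_nf_keys(derive_knf(self.k_seaf, self.ue_id, nf_id, 0), self.alg_id)
            self.ctx[nf_id] = (k_int, k_enc, 0)
        k_int, k_enc, count = self.ctx[nf_id]
        self.ctx[nf_id] = (k_int, k_enc, count + 1)
        return ProtectedNas(self.ue_id, nf_id, count, self.alg_id, payload, mac32(k_int, count, payload))

class LMF:
    def __init__(self, nf_id: bytes, seaf: SEAF) -> None:
        self.nf_id, self.seaf = nf_id, seaf
        self.ctx = {}  # UE ID -> (K_NFint, K_NFenc, last accepted uplink count)

    def receive(self, msg: ProtectedNas) -> bytes | None:
        """Steps 5-9 of FIG. 7A: ask the SEAF for K_LMF only when no context exists; reject replays and bad MACs."""
        if msg.ue_id not in self.ctx:
            k_nf = self.seaf.key_generation_request(msg.ue_id, self.nf_id, msg.count)
            self.ctx[msg.ue_id] = (*derive_nf_keys(k_nf, msg.alg_id), -1)
        k_int, k_enc, last = self.ctx[msg.ue_id]
        if msg.count <= last:
            return None  # replayed or reordered count
        if not hmac.compare_digest(mac32(k_int, msg.count, msg.payload), msg.mac):
            return None  # integrity failure: rejected, no NAS/LPP response
        self.ctx[msg.ue_id] = (k_int, k_enc, msg.count)
        return msg.payload

def run_fig7a_exchange() -> dict[str, object]:
    """Constructed values: one UE, the SEAF holding its K_SEAF, and one LMF."""
    k_seaf = hashlib.sha256(b"constructed K_SEAF for this example").digest()
    ue_id, lmf_id = b"imsi-001010123456789", b"LMF"
    seaf = SEAF({ue_id: k_seaf})
    ue, lmf = UE(ue_id, k_seaf, alg_id=2), LMF(lmf_id, seaf)
    m1 = ue.send_nas(lmf_id, b"LPP RequestLocationInformation")
    m2 = ue.send_nas(lmf_id, b"LPP ProvideCapabilities")
    forged = ProtectedNas(m2.ue_id, m2.nf_id, m2.count, m2.alg_id, b"LPP Abort", m2.mac)
    return {
        "first": lmf.receive(m1),       # one SEAF request creates the LMF's context
        "forged": lmf.receive(forged),  # same count, altered payload: MAC check fails
        "second": lmf.receive(m2),      # served from the cached context
        "replay": lmf.receive(m1),      # count 0 <= last count 1: rejected
        "seaf_requests": seaf.requests,
    }
```

The FIG. 7B variant below differs only in who issues the key generation request (the RAN node rather than the LMF) and in P2 being a UTC-based count instead of the uplink NAS/LMF count; the derivation functions are unchanged. One caveat the count-based P2 creates and the page does not resolve: the LMF derives K LMF with the count carried in the first message it sees, so if the LMF later drops its context while the UE keeps its K LMF, the two sides would derive different keys until the UE re-derives; a deployment has to define when the UE refreshes K NF.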
- this disclosure provides a method that may include:
- Before the UE initiates a NAS message (such as an LPP/SLPP message) to the LMF through the RAN node, the UE derives a K NF (such as a K LMF) from the K SEAF or K AMF.
- the input parameters for generating the K NF include the UE ID, the type or instance ID of the target NF (LMF in this example), and a UTC-based counter.
- Steps 2 and 3 are the same as steps 2 and 3 in the embodiment corresponding to Figure 7A.
- When the RAN node receives a protected NAS/LPP message contained in an RRC message, if it has not previously requested the generation of a NAS/LMF key for the same UE and the same target NF, it sends a key generation request message to the SEAF or AMF containing the UE ID and the type or instance ID of the target NF (LMF). If the RAN node has already requested NAS/LMF key generation for a previous NAS/LPP message for the same UE and the same target NF, the RAN node skips step 4 and continues to step 7.
- the input parameters for generating K LMF include the received UE ID and the type or instance ID of the target NF (LMF), as well as a UTC-based counter.
- the SEAF sends the derived K LMF to the target NF (LMF).
- the AMF sends the NAS/AMF message protection algorithm along with the derived K LMF to the target NF (LMF).
- the SEAF can also send the negotiated NAS/SEAF message protection algorithm to the LMF.
- the LMF then responds to the SEAF or AMF with an acknowledgment.
- SEAF or AMF returns a key generation confirmation to the RAN node.
- After receiving the key generation confirmation from the SEAF or AMF, the RAN node forwards the protected NAS/LPP message to the LMF.
- Steps 9 to 11 are the same as steps 8 to 10 in Figure 7A.
- the UE may perform at least one of the following operations:
- the UE should be able to derive K NF from K SEAF as the root key to protect NAS/NF signaling between the UE and NF.
- the UE should be able to derive KNFint and KNFenc from KNF as a NAS/NF security context to protect NAS/NF signaling between the UE and the NF.
- the UE should be able to include the NAS/AMF security algorithm negotiated between the UE and the AMF in the NAS/NF message sent to the target NF.
- the UE should be able to include the type or instance ID of the target NF in the RRC message containing NAS/NF messages sent to the RAN node.
- the RAN may perform at least one of the following operations:
- the RAN node should be able to send protected NAS/NF messages directly to the NF without going through the AMF. After receiving the protected NAS/NF message from the UE, the RAN node should be able to send a NAS/NF key generation request to the SEAF.
- the RAN node should be able to receive a NAS/NF key generation confirmation from the SEAF. After receiving the NAS/NF key generation confirmation from the SEAF, the RAN node should be able to forward the protected NAS/NF message from the UE to the NF.
- the SEAF should be able to receive and understand key generation requests sent by the NF or the RAN node.
- the SEAF should be able to derive a K NF from the K SEAF after receiving the key generation request.
- the SEAF should be able to send the NAS/SEAF security algorithm negotiated between the UE and the SEAF to the target NF.
- the AMF should be able to receive and understand key generation requests sent by the NF or the RAN node. After receiving the key generation request, the AMF should be able to derive a K NF from the K AMF .
- the AMF should be able to send the NAS/AMF security algorithm along with the K NF to the target NF.
- the NF may perform at least one of the following operations: After receiving a protected NAS/NF message from the RAN node, the NF should be able to send a NAS/NF key generation request to the SEAF or AMF. The NF should be able to receive a derived K NF from the SEAF or AMF. The NF should be able to receive the applied NAS security algorithm from the SEAF or AMF. After receiving the derived K NF , the NF should be able to send an acknowledgment to the SEAF or AMF. The NF should be able to derive K NFint and K NFenc from the K NF as a NAS/NF security context for protecting NAS/NF signaling between the UE and the NF.
- This disclosure also provides apparatus for implementing any of the above methods.
- an apparatus is provided that includes units or modules for implementing the steps performed by the UE in any of the above methods.
- another apparatus is provided that includes units or modules for implementing the steps performed by a network device (e.g., an access network device, or a core network device) in any of the above methods.
- the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated.
- the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device.
- the processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device.
- the units or modules in the device can be implemented in the form of hardware circuits.
- the functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors.
- the hardware circuit is an application-specific integrated circuit (ASIC).
- the functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit.
- the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.
- the processor is a circuit with signal processing capabilities.
- the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a type of microprocessor), or a digital signal processor (DSP).
- the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable.
- the processor may be a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA.
- the process of a processor loading a configuration document to configure the hardware circuit can be understood as the processor loading instructions to implement the functions of some or all of the above units or modules.
- it can also be a hardware circuit designed for artificial intelligence, which can be understood as a type of ASIC, such as a Neural Network Processing Unit (NPU), a Tensor Processing Unit (TPU), or a Deep Learning Processing Unit (DPU).
- this embodiment of the present disclosure provides a UE, wherein the UE includes:
- Processing module 7101 is configured to generate a second key based on the first key of the first node; and to generate a third key based on the second key.
- the third key is used to protect the communication security between the user equipment (UE) and the second node.
- the first node is a security anchor point.
- the UE further includes a transmitting module and/or a receiving module.
- the transmitting module may correspond to the UE's network interface and/or transceiver antenna.
- the processing module can be used by the UE to perform information processing-related steps in any information processing method.
- the transmitting module can be used by the UE to perform information transmission-related steps in any information processing method.
- the receiving module can be used by the UE to perform information reception-related steps in any information processing method.
- the processing module is configured to perform at least one of the following: generating a second key based on the first key and the type of the second node; generating a second key based on the first key and the instance identifier (ID) of the second node.
- the processing module is configured to perform at least one of the following: generating a second key based on a first key, the type of the second node, and a first count value; the first count value being the count of uplink non-access stratum (NAS) messages sent by the UE to the second node; generating the second key based on the first key, the type of the second node, and first time information; the first time information indicating the time period in which the second key was generated.
- the UE is pre-configured with the instance ID of the second node, and the processing module is configured to generate a second key based on the first key and the instance ID of the second node.
- the processing module is configured to generate a second key based on a first key, an instance ID of a second node, and a first count value; the first count value is the count of uplink non-access stratum (NAS) messages sent by the UE to the second node; the second key is generated based on the first key, the instance ID of the second node, and first time information; the first time information indicates the generation period of the second key.
- the sending module is configured to send a first Radio Resource Control (RRC) message to a third node, the first RRC message being a first message; the first message is protected by a third key; and the second node is the receiving node of the first message.
- the first message includes at least one of the following: Non-Access Stratum (NAS) signaling; the UE's ID; and a first algorithm identifier, wherein the first algorithm identifier is used to identify the security algorithm protecting the first message.
- the receiving module is configured to receive a second RRC message sent by a third node, the second RRC message including a second message; the second message originates from the second node; the second message is protected by a fourth key; the fourth key is generated by a fifth key, and the fifth key is generated based on the first key.
- the second RRC message is protected by the UE's access stratum AS security context.
- the first RRC message further includes at least one of the following: type information of the second node; instance ID of the second node; address information of the second node.
- this embodiment of the present disclosure provides a third node, wherein the third node includes: a receiving module 7201 configured to generate a second key based on a first key of a first node; and a sending module 7202 configured to generate a third key based on the second key; the third key is used to protect the communication security between the user equipment (UE) and the second node; wherein the first node is a security anchor point.
- the third node further includes a processing module.
- the transmitting module and/or receiving module may correspond to the network interface and/or transceiver antenna of the third node.
- the processing module may be used by the third node to perform information processing-related steps in any information processing method.
- the transmitting module may be used by the third node to perform information transmission-related steps in any information processing method.
- the receiving module may be used by the third node to perform information transmission-related steps in any information processing method.
- the sending module before sending the first message to the second node, is configured to send a third message to the first node.
- the third message is used to request the first node to generate a fifth key
- the fifth key is used to generate a fourth key.
- the fourth key is used by the second node to verify the security of the first message.
- the receiving module is configured to receive a fourth message sent by a first node; the fourth message indicates whether a fifth key has been generated.
- the sending module is configured to send a first message to a second node after the fourth message indicates that the fifth key has been generated.
- the sending module is configured to determine that the UE has not yet requested the first node to generate a fifth key for the second node, and send a third message to the first node.
- the receiving module is configured to receive a first Radio Resource Control (RRC) message sent by the UE, the first RRC message including the first message.
- the first RRC message is protected by the access stratum (AS) security context.
- the first RRC message may further include at least one of the following: type information of the second node; instance ID of the second node; address information of the second node.
- this embodiment of the present disclosure provides a first node, wherein the first node includes: a processing module 7301 configured to generate a fifth key based on a first key of the first node; and a sending module 7302 configured to send the fifth key to a second node, wherein the fifth key is used by the second node to generate a fourth key; the fourth key is used to protect the communication security between the second node and the UE; and the first node serves as a security anchor point.
- the first node may further include a receiving module.
- the transmitting module and/or receiving module may correspond to the network interface and/or transceiver antenna of the first node.
- the processing module may be used by the first node to perform information processing-related steps in any information processing method.
- the transmitting module may be used by the first node to perform information transmission-related steps in any information processing method.
- the receiving module may be used by the first node to perform information transmission-related steps in any information processing method.
- the processing module is configured to receive a third message sent by a third node and generate a fifth key based on a first key; the third message is used to request the first node to generate a fifth key for the first node.
- the sending module is configured to send a fourth message to the third node; the fourth message is used to inform the third node whether a fifth key has been generated.
- the third message includes at least one of the following: type information of the second node; instance identifier ID of the second node; identifier of the UE.
- the processing module is configured to receive a fifth message from the second node and generate a fifth key based on the first key; the fifth message is used by the second node to request the generation of the fifth key.
- the fifth message includes at least one of the following: type information of the second node; instance ID of the second node; second count value; the second count value is the count of uplink non-access stratum (NAS) messages received by the second node from the UE; and the identifier of the UE.
- the processing module is configured to generate a fifth key based on the first key and the type of the second node; and to generate the fifth key based on the first key and the instance identifier (ID) of the second node.
- the processing module is configured to perform at least one of the following: generating a fifth key based on a first key, the type of a second node, and a second count value; the second count value being a count of uplink non-access stratum (NAS) messages received by the second node from the UE; generating the fifth key based on the first key, the type of the second node, and second time information; the second time information indicating the period in which the fifth key was generated.
- the processing module is configured to generate a fifth key based on the first key and the instance identifier ID of the second node, where the fifth message contains the instance ID of the second node.
- the processing module is configured to generate a fifth key based on a first key, an instance ID of a second node, and a second count value; the second count value is the count of uplink non-access stratum (NAS) messages received by the second node from the UE; the fifth key is generated based on the first key, the instance ID of the second node, and second time information; the second time information indicates the generation period of the fifth key.
- this embodiment of the present disclosure provides a second node, wherein the second node includes: a receiving module 7401, configured to receive a fifth key sent by a first node; the fifth key is generated based on a first key of the first node; a processing module 7402, configured to generate a fourth key based on the fifth key, the fourth key being used to protect the communication security between the second node and the user equipment UE; and the first node having a security anchor function.
- the second node may further include a receiving module and a processing module.
- the transmitting module and/or receiving module may correspond to the network interface and/or transceiver antenna of the second node.
- the processing module may be used by the second node to perform information processing-related steps in any information processing method.
- the transmitting module may be used by the second node to perform information transmission-related steps in any information processing method.
- the receiving module may be used by the second node to perform information transmission-related steps in any information processing method.
- the receiving module is configured to receive a first message sent by a third node, and send a fifth message to the first node, the fifth message being used to request a fifth key; the first message is protected by a third key, the third key being generated based on a second key; the second key being generated based on the first node's first key.
- the fifth message includes at least one of the following: type information of the second node; instance ID of the second node; second count value; the second count value is the count of uplink non-access stratum (NAS) messages received by the second node from the UE; and the identifier of the UE.
- the sending module is configured to send a second message to a third node, the second message being protected by a fourth key.
- This disclosure also provides a communication device, which may include one or more processors; wherein the processors are configured to invoke instructions to cause the communication device to execute the information processing method that can be implemented in any of the foregoing embodiments.
- the communication device 8100 further includes one or more memories 8102 for storing instructions.
- the memories 8102 may also be located outside the communication device 8100.
- the communication device may be the aforementioned UE or network device.
- the network device may be a primary node and/or a secondary node.
- the communication device 8100 further includes one or more transceivers 8103.
- the communication steps such as sending and receiving in the above method are performed by the transceivers 8103, and other steps are performed by the processor 8101.
- a transceiver may include a receiver and a transmitter, which may be separate or integrated.
- the terms transceiver, transceiver unit, transceiver circuit, etc., may be used interchangeably; the terms transmitter, transmitting unit, transmitting circuit, etc., may be used interchangeably; and the terms receiver, receiving unit, receiving circuit, etc., may be used interchangeably.
- the communication device 8100 further includes one or more interface circuits 8104, which are connected to the memory 8102.
- the interface circuits 8104 can be used to receive signals from the memory 8102 or other devices, and can be used to send signals to the memory 8102 or other devices.
- the interface circuits 8104 can read instructions stored in the memory 8102 and send the instructions to the processor 8101.
- the communication device 8100 described in the above embodiments may be a network device or a UE, but the scope of the communication device 8100 described in this disclosure is not limited thereto, and the structure of the communication device 8100 may not be limited by FIG. 9A.
- the communication device may be a standalone device or may be part of a larger device.
- the communication device may be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, UE device, smart UE device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.
- Figure 9B is a schematic diagram of the structure of chip 8200 provided in an embodiment of this disclosure.
- the communication device 8100 can be a chip or a chip system, please refer to the schematic diagram of chip 8200 shown in Figure 9B, but it is not limited thereto.
- Chip 8200 includes one or more processors 8201, which are used to invoke instructions to cause chip 8200 to execute any of the above information processing methods.
- chip 8200 further includes one or more interface circuits 8202 connected to memory 8203.
- Interface circuits 8202 can be used to receive signals from memory 8203 or other devices, and can also be used to send signals to memory 8203 or other devices.
- interface circuit 8202 can read instructions stored in memory 8203 and send those instructions to processor 8201.
- terms such as interface circuit, interface, transceiver pin, and transceiver can be used interchangeably.
- chip 8200 further includes one or more memories 8203 for storing instructions.
- all or part of the memories 8203 may be located outside of chip 8200.
- This disclosure also provides a storage medium storing instructions that, when executed on a communication device 8100, cause the communication device 8100 to perform any of the methods described above.
- the storage medium is an electronic storage medium.
- the storage medium is a computer-readable storage medium, but it can also be a storage medium readable by other devices.
- the storage medium can be a non-transitory storage medium, but it can also be a temporary storage medium.
- This disclosure also provides a program product, which, when executed by a communication device 8100, causes the communication device 8100 to perform any of the above information processing methods.
- the program product is a computer program product.
- This disclosure also provides a computer program that, when run on a computer, causes the computer to perform any of the above information processing methods.
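The key hierarchy described in the module definitions above (a second key derived by the UE from the first key of the security anchor, a third key derived from it to protect the first message; a fifth key derived by the first node from the same first key, a fourth key derived from it by the second node to verify that message) is illustrated below as an added example. This is not code from the disclosure: the disclosure fixes neither the key derivation function nor the message encoding, so the HMAC-SHA256 construction, the labels `node-key` and `message-key`, the 4-byte count encoding, and all sample values (`FIRST_KEY`, the node type `AMF`, the UE ID, the algorithm identifier) are assumptions of this example. The count value is the uplink NAS message count (first count value at the UE, second count value at the second node); the example shows that the third and fourth keys agree only while both sides hold the same count and the same binding to the second node, which is why the fifth message carries the second count value and the node type or instance ID.

```python
import hashlib
import hmac

# Constructed sample value for the security anchor's first key; not from the disclosure.
FIRST_KEY = hashlib.sha256(b"example first key of the security anchor").digest()


def _encode(*fields: bytes) -> bytes:
    """Length-prefix and concatenate byte fields so that two different field
    splits can never produce the same byte string (avoids KDF/MAC input ambiguity)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 based key derivation. The disclosure does not fix a KDF;
    this construction and its labels are assumptions of this example."""
    return hmac.new(key, _encode(label, *params), hashlib.sha256).digest()


def derive_node_key(first_key: bytes, node_binding: bytes, nas_uplink_count: int) -> bytes:
    """Second key (computed by the UE) and fifth key (computed by the first node).
    node_binding is the type information or instance ID of the second node;
    nas_uplink_count is the first/second count value (uplink NAS messages)."""
    return kdf(first_key, b"node-key", node_binding, nas_uplink_count.to_bytes(4, "big"))


def derive_message_key(node_key: bytes) -> bytes:
    """Third key (UE side, from the second key) and fourth key
    (second node side, from the fifth key)."""
    return kdf(node_key, b"message-key")


def protect_first_message(third_key: bytes, nas_signaling: bytes, ue_id: bytes, algorithm_id: int) -> dict:
    """Build the first message (NAS signalling, UE ID, algorithm identifier)
    and attach an integrity tag computed with the third key."""
    body = _encode(nas_signaling, ue_id, bytes([algorithm_id]))
    tag = hmac.new(third_key, body, hashlib.sha256).digest()
    return {"nas": nas_signaling, "ue_id": ue_id, "alg_id": algorithm_id, "tag": tag}


def verify_first_message(fourth_key: bytes, message: dict) -> bool:
    """Second node side: recompute the tag with the fourth key and compare in constant time."""
    body = _encode(message["nas"], message["ue_id"], bytes([message["alg_id"]]))
    expected = hmac.new(fourth_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, message["tag"])


def run_exchange(first_key: bytes, ue_binding: bytes, ue_count: int,
                 node_binding: bytes, node_count: int, tamper: bool = False) -> bool:
    """Run both sides of the derivation and report whether the second node
    accepts the first message. ue_* are the UE's view of the second node,
    node_* the values the first node / second node use."""
    # UE side: first key -> second key -> third key, then protect the first message.
    second_key = derive_node_key(first_key, ue_binding, ue_count)
    third_key = derive_message_key(second_key)
    message = protect_first_message(third_key, b"REGISTRATION REQUEST", b"ue-0001", 2)
    if tamper:  # simulate modification of the message in transit
        message["nas"] = b"REGISTRATION REQUEST (modified)"
    # Network side: first node derives the fifth key, second node derives the fourth key.
    fifth_key = derive_node_key(first_key, node_binding, node_count)
    fourth_key = derive_message_key(fifth_key)
    return verify_first_message(fourth_key, message)


if __name__ == "__main__":
    print("counts and binding agree:", run_exchange(FIRST_KEY, b"AMF", 7, b"AMF", 7))
    print("count out of sync       :", run_exchange(FIRST_KEY, b"AMF", 7, b"AMF", 6))
    print("different node binding  :", run_exchange(FIRST_KEY, b"AMF", 7, b"SMF", 7))
    print("tampered message        :", run_exchange(FIRST_KEY, b"AMF", 7, b"AMF", 7, tamper=True))
```

The example deliberately uses one function for the second/fifth key and one for the third/fourth key: the disclosure's two key pairs are the same derivation evaluated at the UE and at the network, and the first message verifies exactly when both evaluations use identical inputs.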
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present disclosure relate to an information processing method, a communication device and a storage medium. The information processing method executed by a user equipment (UE) may include: generating a second key based on a first key of a first node; and generating a third key based on the second key, the third key being used to protect the communication security between the UE and a second node, and the first node being a security anchor function.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202480042271.5A CN121890127A (zh) | 2024-08-15 | 2024-08-15 | 信息处理方法、通信设备及存储介质 |
| PCT/CN2024/112409 WO2026036328A1 (fr) | 2024-08-15 | 2024-08-15 | Procédé de traitement d'informations, dispositif de communication et support de stockage |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2024/112409 WO2026036328A1 (fr) | 2024-08-15 | 2024-08-15 | Procédé de traitement d'informations, dispositif de communication et support de stockage |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2026036328A1 true WO2026036328A1 (fr) | 2026-02-19 |
Family
ID=98780392
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/112409 Pending WO2026036328A1 (fr) | 2024-08-15 | 2024-08-15 | Procédé de traitement d'informations, dispositif de communication et support de stockage |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN121890127A (fr) |
| WO (1) | WO2026036328A1 (fr) |
2024
- 2024-08-15 CN CN202480042271.5A patent/CN121890127A/zh active Pending
- 2024-08-15 WO PCT/CN2024/112409 patent/WO2026036328A1/fr active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN121890127A (zh) | 2026-04-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2025010741A1 (fr) | | Procédé de traitement d'informations, dispositif, système de communication et support de stockage |
| WO2024234313A1 (fr) | | Procédé et appareil de traitement d'informations, dispositif de communication, système de communication et support de stockage |
| WO2025035417A1 (fr) | | Procédé de traitement d'informations, appareil et support de stockage |
| WO2026036328A1 (fr) | | Procédé de traitement d'informations, dispositif de communication et support de stockage |
| WO2025015513A1 (fr) | | Procédé de traitement d'informations, terminal, système de communication et support de stockage |
| WO2025030300A1 (fr) | | Procédé d'indication d'informations, premier invocateur d'api, première fonction de réseau et support de stockage |
| WO2026036326A1 (fr) | | Procédé de traitement d'informations, dispositif de communication et support d'enregistrement |
| WO2026055945A1 (fr) | | Procédé de traitement de sécurité de données, dispositif de communication, système de communication, support de stockage et produit-programme |
| WO2026065134A1 (fr) | | Procédés de communication, élément de réseau, terminal, dispositif et support de stockage |
| WO2026060719A1 (fr) | | Procédé de traitement de clé, dispositif de communication et support de stockage |
| WO2026055947A1 (fr) | | Procédé de traitement de sécurité de données, dispositif de communication, système de communication, support de stockage et produit-programme |
| WO2025217856A1 (fr) | | Procédé d'établissement de canal de transmission de données, dispositif de réseau, terminal, système de communication et support |
| WO2025010609A1 (fr) | | Procédé de traitement de communication et équipement utilisateur |
| WO2026036338A1 (fr) | | Procédé de traitement de sécurité de données, dispositif de communication, système de communication et support de stockage |
| WO2026007146A1 (fr) | | Procédé de traitement d'informations, système de communication et support de stockage |
| WO2025217858A1 (fr) | | Procédé de transmission de données, dispositif de réseau, terminal, système de communication, support de stockage et produit programme d'ordinateur |
| WO2026065522A1 (fr) | | Procédé de traitement d'informations de sécurité, dispositif de communication et support de stockage |
| WO2025241154A1 (fr) | | Procédé de communication, premier dispositif de réseau, second dispositif de réseau, terminal, système de communication et support de stockage |
| WO2026065156A1 (fr) | | Procédé de communication, terminal, élément de réseau, système et support |
| WO2026007409A1 (fr) | | Procédé de communication, premier dispositif réseau, terminal, système de communication et support de stockage |
| WO2025065348A1 (fr) | | Procédés de protection de sécurité de communication, dispositif de communication et support de stockage |
| WO2025152183A1 (fr) | | Procédé de traitement de la sécurité de données, dispositif de communication, système de communication et support de stockage |
| WO2025091186A1 (fr) | | Procédés de traitement de clé, dispositif de communication et support de stockage |
| WO2026011396A1 (fr) | | Procédé de traitement de clé, dispositif de communication et support de stockage |
| WO2025152184A1 (fr) | | Procédés de traitement de clé, dispositif de communication et support de stockage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24951012 Country of ref document: EP Kind code of ref document: A1 |