CN108366369A - Method for secure data transmission, and access network device, terminal device and core network device - Google Patents
- Publication number: CN108366369A (application number CN201710064248.8A)
- Authority: CN (China)
- Prior art keywords
- equipment
- access network
- network equipment
- terminal device
- user plane
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Granted
Classifications
All classifications fall under H (Electricity), H04 (Electric communication technique), H04W (Wireless communication networks).
- H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
- H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/03: Protecting confidentiality, e.g. by encryption
- H04W12/033: Protecting confidentiality, e.g. by encryption of the user plane (user's traffic)
- H04W12/037: Protecting confidentiality, e.g. by encryption of the control plane (signalling traffic)
- H04W12/08: Access security
- H04W48/00: Access restriction; network selection; access point selection
- H04W48/08: Access restriction or access information delivery, e.g. discovery data delivery
- H04W48/16: Discovering, processing access restriction or access information
Abstract
A method for secure data transmission, together with an access network device, a terminal device and a core network device. In the method, a first access network device receives a request message sent by a terminal device, sends one or more pieces of network slice selection information to a first core network device, receives a response message sent by the first core network device, sends user plane security information to the terminal device, receives encrypted data transmitted by the terminal device, and forwards the encrypted data to the first core network device. The user plane security information that the first core network device configures for the terminal device is delivered to the terminal device by the first access network device, so that the terminal device encrypts according to that information when it transmits data; this improves the security and reliability of data transmission under a network slicing architecture. Because the first core network device configures the user plane security information according to the one or more pieces of network slice selection information, the flexibility and security of data encryption are also improved.
Description
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a method for secure data transmission and to an access network device, a terminal device and a core network device.
Background art
To cope with differing user demands, the fifth generation mobile communication system (5G) proposes a network architecture based on network slices (NS). Software defined networking (SDN) and network function virtualization (NFV) are the core technologies of the network slicing architecture: NFV virtualizes the underlying physical resources and loads virtual network functions (NF) onto a general-purpose platform such as a virtual machine, while SDN realizes the logical connections between the virtual machines and builds the signalling and data flow paths that carry the traffic. A network slice is built by dynamically linking NFs in the radio access network (RAN) and the core network (CN) and configuring an end-to-end service chain. According to each user's requirements on key performance indicators (KPI) such as capacity, coverage, rate, latency and reliability, an operator can compose a particular set of network functions, together with the network resources needed to run them, so as to provide the required telecommunication services and network capability services and meet the needs of specialised market scenarios.
As shown in Figure 1, the third generation partnership project (3GPP) divides the main types of 5G network slice into three categories: enhanced mobile broadband (eMBB), massive machine type communication (mMTC) and ultra-reliable and low latency communications (URLLC). eMBB mainly targets terminals with high requirements on rate and mobility, such as mobile phones and multimedia equipment; mMTC mainly targets internet of things devices, which are numerous, have low mobility and have lower rate requirements; URLLC mainly refers to services and device types with strict requirements on latency and reliability, such as vehicle networking and safety information. For example, a mobile phone user may access an eMBB slice to download at high speed or watch 4K high definition video, while a sensor device may access an mMTC slice to transmit small data packets and update its system configuration. A user may access one, several or all network slices at the same time in order to satisfy its service demand and obtain a better user experience.
The current 3GPP discussion of the network slicing architecture concentrates mainly on network slice selection. Its purpose is to select a suitable network slice for the user equipment (UE) and to associate the UE with that specific slice, so as to establish the corresponding control plane (CP) and/or user plane (UP) connection with the slice.
To ensure secure communication, the UE needs to use a secure channel while communicating with a network slice. The existing security mechanism maintains one master key on the RAN device side, for example in the eNB, and derives three sub-keys from it that apply to all radio bearers the UE has established; the influence of other network slices is not considered. Because different network slices have different security levels, for a slice with a high security level the enciphering/deciphering function may be moved from the RAN device side to the CN device side in order to improve communication security. If the existing mechanism, with one master key maintained by the eNB, continues to be used in that case, then when a RAN-side network element is attacked, the master key maintained by the eNB may be recovered, which threatens the security of the other network slices.
Summary of the invention
Embodiments of the present invention provide a method for secure data transmission, and an access network device, a terminal device and a core network device, so as to improve the security and reliability of data transmission under a network slicing architecture and to improve the compatibility of data encryption.
In a first aspect, a method for secure data transmission is provided.
The method includes: a first access network device receives a request message sent by a terminal device, the request message including one or more pieces of network slice selection information; the first access network device sends the one or more pieces of network slice selection information to a first core network device; the first access network device receives a response message sent by the first core network device; the first access network device sends the response message to the terminal device; and the first access network device receives encrypted data transmitted by the terminal device and forwards the encrypted data to the first core network device.
With reference to the first aspect, in a first possible implementation of the first aspect, the response message includes user plane security information configured by the first core network device for the terminal device, and the first access network device sending the response message to the terminal device includes: the first access network device sends the user plane security information to the terminal device.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the user plane security information includes user plane enciphering/deciphering position indication information, used for enciphering/deciphering the user plane data packets of the service associated with the network slice selected by the terminal device.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, the encrypted data is data that the terminal device has processed according to the user plane security information.
Because the first access network device receives the user plane security information sent by the first core network device, it learns the user plane security information associated with the service of the network slice, for example whether the first access network device itself needs to encipher/decipher the user plane data packets of that service. Because the first access network device forwards to the terminal device the user plane security information that the first core network device configured for it, the terminal device can encipher/decipher according to that information when transmitting data, which achieves secure and reliable data transmission under a network slicing architecture. Since the first core network device configures the user plane security information according to the one or more pieces of network slice selection information, the different requirements of different network slices on user plane security can be met, improving the flexibility and differentiation of data enciphering/deciphering.
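The exchange of the first aspect, as an added example that is not code from the patent: a terminal device sends its network slice selection information through a first access network device to a first core network device, receives back user plane security information carrying an enciphering/deciphering position indication per slice, and then sends enciphered user plane data that the access network device either deciphers itself (position = RAN) or forwards without reading (position = CN). The slice names, the derivation of per-slice keys from a secret shared between terminal and core network, and the HMAC-based stream cipher standing in for a real NEA algorithm are all assumptions of this example. What it shows is the point made in the background section: a node that holds only the RAN-side keys cannot recover the traffic of a slice whose cipher sits in the core network.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed slice catalogue (assumption): where the user plane cipher sits for
# each slice. "CN" = the core network device enciphers/deciphers, "RAN" = the
# access network device does. This models the enciphering/deciphering position
# indication of the user plane security information.
SLICE_POLICY = {"eMBB": "RAN", "URLLC": "CN"}


def derive_key(root: bytes, slice_name: str) -> bytes:
    """Assumed per-slice key derivation: HMAC-SHA256 of a slice label under a
    root secret shared by terminal and core network (as a USIM key would be)."""
    return hmac.new(root, b"UP-key/" + slice_name.encode(), hashlib.sha256).digest()


def stream_xor(key: bytes, sn: int, data: bytes) -> bytes:
    """Illustrative stream cipher, the same call enciphers and deciphers:
    keystream = HMAC-SHA256 in counter mode over (SN, block index). A stand-in
    for a real NEA algorithm so the example runs with the standard library."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        ctr = sn.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class CoreNetworkDevice:
    root_key: bytes
    delivered: list = field(default_factory=list)  # (slice, plaintext) seen at CN

    def configure_up_security(self, nssai: list) -> dict:
        """Response message: user plane security information per selected slice."""
        return {s: {"cipher_position": SLICE_POLICY[s]} for s in nssai}

    def ran_keys(self, up_info: dict) -> dict:
        """Only slices ciphered at the RAN get a key pushed to the RAN node."""
        return {s: derive_key(self.root_key, s)
                for s, info in up_info.items() if info["cipher_position"] == "RAN"}

    def receive_uplink(self, slice_name: str, sn: int, data: bytes, up_info: dict) -> bytes:
        if up_info[slice_name]["cipher_position"] == "CN":
            data = stream_xor(derive_key(self.root_key, slice_name), sn, data)
        self.delivered.append((slice_name, data))
        return data


@dataclass
class AccessNetworkDevice:
    cn: CoreNetworkDevice
    up_info: dict = field(default_factory=dict)
    keys: dict = field(default_factory=dict)

    def handle_request(self, nssai: list) -> dict:
        """Request message in; slice selection info to CN; response relayed to UE."""
        self.up_info = self.cn.configure_up_security(nssai)
        self.keys = self.cn.ran_keys(self.up_info)
        return self.up_info

    def forward_uplink(self, slice_name: str, sn: int, data: bytes) -> bytes:
        if self.up_info[slice_name]["cipher_position"] == "RAN":
            data = stream_xor(self.keys[slice_name], sn, data)  # decipher here
        return self.cn.receive_uplink(slice_name, sn, data, self.up_info)

    def attacker_view(self, slice_name: str, sn: int, ciphertext: bytes):
        """What an attacker who has taken over this RAN node can recover."""
        key = self.keys.get(slice_name)
        return stream_xor(key, sn, ciphertext) if key else None


@dataclass
class TerminalDevice:
    root_key: bytes
    up_info: dict = field(default_factory=dict)

    def attach(self, ran: AccessNetworkDevice, nssai: list) -> None:
        self.up_info = ran.handle_request(nssai)

    def encrypt(self, slice_name: str, sn: int, plaintext: bytes) -> bytes:
        # The UE-side step is the same whichever peer holds the matching key.
        return stream_xor(derive_key(self.root_key, slice_name), sn, plaintext)


def run_exchange() -> dict:
    """Drives both slices through one RAN node and reports who could read what."""
    root = b"constructed-shared-secret"  # constructed sample secret
    cn = CoreNetworkDevice(root)
    ran = AccessNetworkDevice(cn)
    ue = TerminalDevice(root)
    ue.attach(ran, ["eMBB", "URLLC"])
    result = {}
    for sn, (s, msg) in enumerate([("eMBB", b"video chunk"), ("URLLC", b"brake now")]):
        ct = ue.encrypt(s, sn, msg)
        result[s] = {"cn_plaintext": ran.forward_uplink(s, sn, ct),
                     "ran_plaintext": ran.attacker_view(s, sn, ct)}
    return result
```

Running `run_exchange()` shows the core network device reading both slices' plaintext, while the RAN node (and anyone who compromises it) reads only the eMBB traffic it was given a key for; the URLLC ciphertext passes through it opaquely.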
With reference to the first aspect or any one of its first to third possible implementations, in a fourth possible implementation of the first aspect, after the first access network device forwards the encrypted data to the first core network device, the method further includes: the first access network device sends a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over; the first access network device receives a handover request acknowledgement message sent by the second access network device; the first access network device sends a handover command to the terminal device and buffers the encrypted data that is to be forwarded to the second access network device, that data being data which the first core network device encrypted and transmitted toward the terminal device, and the handover command instructing the terminal device to switch from the first access network device to the second access network device; the first access network device sends a sequence number (SN) status transfer message to the second access network device, indicating the next one or more uplink and downlink SN states of the radio link control (RLC) mode; and the first access network device sends the buffered encrypted data to the second access network device.
By having the first access network device send the buffered encrypted data to the second access network device, packet loss during the handover procedure can be avoided; and because what the first access network device forwards is already-encrypted data, the buffered data that the second access network device delivers to the terminal device can still be decrypted on the terminal device side, which preserves the security of the data transmission.
With reference to the first aspect or its fourth possible implementation, in a fifth possible implementation of the first aspect, the second access network device communicates with a second core network device, and the first access network device sending the buffered encrypted data to the second access network device includes: the first access network device sends the buffered encrypted data to the first core network device.
By having the first access network device send the encrypted data to the first core network device, so that the encrypted data buffered at the first access network device reaches the second access network device via the first core network device and the second core network device, data loss during handover can be avoided. In addition, the first core network device can pass unencrypted data to the second core network device, so that the second core network device can encrypt it with the new security mechanism applicable to that device; the data packets that the second access network device delivers to the terminal device can then use the security mechanism applicable to the second core network device. This ensures both the security of the data transmission and a smooth replacement of the security mechanism after the handover.
With reference to the first aspect or its fifth possible implementation, in a sixth possible implementation of the first aspect, before the first access network device sends the buffered encrypted data to the first core network device, the method further includes: the first access network device sends the SN status transfer message to the first core network device.
With reference to the first aspect or any one of its first to sixth possible implementations, in a seventh possible implementation of the first aspect, the buffered encrypted data includes data buffered by the first access network device that is still to be sent to the terminal device, and data that has already been sent to the terminal device but for which no feedback from the terminal device has been received.
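The handover forwarding of the fourth and seventh possible implementations, as an added example that is not code from the patent: the source access network device holds already-enciphered downlink PDUs it has not yet sent plus those it sent without receiving feedback, passes the target an SN status transfer with the next downlink SN, forwards the buffered ciphertext in SN order without deciphering it, and the target, once the RRC connection is up, sends the terminal an SN indication and flushes the forwarded PDUs before continuing with fresh SNs. The message contents, the meaning given to the SN boundary, and de-duplication by SN at the terminal are assumptions of this example; the direct forwarding between the two access network devices is modelled rather than the route through the two core network devices of the fifth implementation.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pdu:
    sn: int
    ciphertext: bytes  # enciphered by the first core network device; opaque to both RAN nodes


@dataclass
class TerminalDevice:
    received: dict = field(default_factory=dict)  # SN -> ciphertext, de-duplicated
    dropped_duplicates: int = 0
    sn_boundary: Optional[int] = None

    def receive(self, pdu: Pdu) -> bool:
        if pdu.sn in self.received:       # retransmitted by the target after handover
            self.dropped_duplicates += 1
            return False
        self.received[pdu.sn] = pdu.ciphertext
        return True

    def receive_sn_indication(self, boundary: int) -> None:
        """Assumed meaning: SNs below the boundary may arrive again from the
        target as forwarded copies; SNs at or above it are new data."""
        self.sn_boundary = boundary


@dataclass
class TargetRan:
    next_dl_sn: Optional[int] = None
    forwarded: list = field(default_factory=list)
    rrc_connected: bool = False

    def receive_sn_status(self, status: dict) -> None:
        self.next_dl_sn = status["next_dl_sn"]

    def receive_forwarded(self, pdu: Pdu) -> None:
        self.forwarded.append(pdu)          # stored as ciphertext; never deciphered here

    def complete_handover(self, ue: TerminalDevice) -> None:
        """RRC connection, handover complete, then SN indication and flush."""
        self.rrc_connected = True
        ue.receive_sn_indication(self.next_dl_sn)
        for pdu in sorted(self.forwarded, key=lambda p: p.sn):
            ue.receive(pdu)
        self.forwarded.clear()

    def deliver_new(self, ue: TerminalDevice, ciphertext: bytes) -> int:
        pdu = Pdu(self.next_dl_sn, ciphertext)  # numbering continues from the status
        self.next_dl_sn += 1
        ue.receive(pdu)
        return pdu.sn


@dataclass
class SourceRan:
    next_dl_sn: int = 0
    pending: list = field(default_factory=list)   # not yet sent to the UE
    unacked: dict = field(default_factory=dict)   # sent, no UE feedback yet

    def enqueue_from_cn(self, ciphertext: bytes) -> None:
        self.pending.append(Pdu(self.next_dl_sn, ciphertext))
        self.next_dl_sn += 1

    def transmit(self, ue: TerminalDevice, count: int, lose: frozenset = frozenset()) -> None:
        """Send up to `count` pending PDUs; SNs in `lose` are lost on the air interface."""
        for _ in range(min(count, len(self.pending))):
            pdu = self.pending.pop(0)
            self.unacked[pdu.sn] = pdu
            if pdu.sn not in lose:
                ue.receive(pdu)

    def ack(self, sns) -> None:
        for sn in sns:
            self.unacked.pop(sn, None)

    def handover(self, target: TargetRan, ue: TerminalDevice) -> dict:
        # Handover request / acknowledgement are modelled as the direct calls below.
        target.receive_sn_status({"next_dl_sn": self.next_dl_sn})
        # Forward every buffered ciphertext the UE is not known to hold, in SN
        # order: unacknowledged first, then never-sent. Nothing is deciphered.
        for pdu in sorted(list(self.unacked.values()) + self.pending, key=lambda p: p.sn):
            target.receive_forwarded(pdu)
        self.unacked.clear()
        self.pending.clear()
        return {"next_dl_sn": target.next_dl_sn}


def simulate_handover() -> dict:
    """Constructed scenario: 6 PDUs from the CN, 4 sent with SN 2 lost over the
    air, SNs 0 and 1 acknowledged, then handover and two fresh PDUs via the target."""
    ue, src, tgt = TerminalDevice(), SourceRan(), TargetRan()
    for i in range(6):
        src.enqueue_from_cn(b"ct%d" % i)
    src.transmit(ue, 4, lose=frozenset({2}))
    src.ack([0, 1])
    src.handover(tgt, ue)
    tgt.complete_handover(ue)
    tgt.deliver_new(ue, b"ct6")
    tgt.deliver_new(ue, b"ct7")
    return {"ue_sns": sorted(ue.received), "duplicates_dropped": ue.dropped_duplicates,
            "sn_boundary": ue.sn_boundary, "target_next_dl_sn": tgt.next_dl_sn}
```

In the constructed run the terminal ends up with SNs 0 through 7 with no gap: the lost SN 2 is recovered from the forwarded buffer, SN 3 (sent but unacknowledged) arrives a second time and is dropped by SN, and the target continues numbering from the SN it learned in the status transfer, so the terminal's deciphering state stays aligned without either RAN node holding the user plane key.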
With reference to the first aspect or any one of its first to seventh possible implementations, in an eighth possible implementation of the first aspect, the user plane security information further includes compression function position indication information and integrity protection function position indication information.
With reference to the first aspect or any one of its first to eighth possible implementations, in a ninth possible implementation of the first aspect, before the first access network device receives the encrypted data transmitted by the terminal device, the method further includes: the first access network device receives a network slice management message sent by an operation and management device, the network slice management message including the user plane security information of a basic network slice; and the first access network device stores the user plane security information of the basic network slice.
In a second aspect, a method for secure data transmission is provided.
The method includes: a terminal device sends a request message to a first access network device, the request message including one or more pieces of network slice selection information; the terminal device receives, from the first access network device, user plane security information that a first core network device has configured for the terminal device, the user plane security information including user plane enciphering/deciphering position indication information; the terminal device processes the data to be transmitted according to the user plane security information to generate encrypted data, and transmits the encrypted data to the first access network device.
The terminal device uses the user plane security information, configured for it by the first core network device and delivered by the first access network device, to encrypt the data it needs to transmit to the first core network device, which improves the security and reliability of the data transmission process under a network slicing architecture.
With reference to the second aspect, in a first possible implementation of the second aspect, after the terminal device transmits the encrypted data to the first access network device, the method further includes: the terminal device receives a handover command sent by the first access network device; the terminal device establishes an RRC connection with a second access network device and sends a handover complete message to the second access network device.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, after the terminal device sends the handover complete message to the second access network device, the method further includes: the terminal device receives an SN indication message sent by the second access network device, indicating the SN boundary value of the data that the terminal device receives or sends.
In a third aspect, a method for secure data transmission is provided.
The method includes: a first core network device receives one or more pieces of network slice selection information sent by a first access network device; the first core network device configures user plane security information for the terminal device according to the one or more pieces of network slice selection information; and the first core network device sends the user plane security information to the first access network device.
With reference to the third aspect, in a first possible implementation of the third aspect, after the first core network device sends the user plane security information to the first access network device, the method further includes: the first core network device receives, from the first access network device, an SN status transfer message and the buffered encrypted data that is to be forwarded to a second access network device.
In a fourth aspect, a method for secure data transmission is provided.
The method includes: a second access network device receives a handover request message sent by a first access network device; the second access network device sends a handover request acknowledgement message to the first access network device and receives a sequence number (SN) status transfer message sent by the first access network device; and the second access network device receives encrypted data sent by the first access network device.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first access network device communicates with a first core network device and the second access network device communicates with a second core network device, and the second access network device receiving the encrypted data sent by the first access network device includes: the second access network device receives the data sent by the second core network device.
With reference to the fourth aspect or its first possible implementation, in a second possible implementation of the fourth aspect, the first access network device communicates with a first core network device and the second access network device communicates with a second core network device, and after the second access network device receives the encrypted data sent by the first access network device, the method further includes: the second access network device establishes an RRC connection with the terminal device; the second access network device sends SN indication information to the terminal device, indicating the SN boundary value of the data that the terminal device receives or sends.
In a fifth aspect, an access network device is provided.
The access network device includes a receiver, a processor and a transmitter. The processor is configured to control the receiver to receive a request message sent by a terminal device, the request message including one or more pieces of network slice selection information, and to control the transmitter to send the one or more pieces of network slice selection information to a first core network device. The processor is further configured to control the receiver to receive a response message sent by the first core network device, the response message including user plane security information configured by the first core network device for the terminal device, and the user plane security information including user plane enciphering/deciphering position indication information used for enciphering/deciphering the user plane data packets of the service associated with the network slice selected by the terminal device. The processor is further configured to control the transmitter to send the user plane security information to the terminal device, to control the receiver to receive encrypted data transmitted by the terminal device, and to control the transmitter to forward the encrypted data to the first core network device, the encrypted data being data that the terminal device has processed according to the user plane security information.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the access network device further includes a memory, and the processor is further configured to: after the encrypted data has been forwarded to the first core network device, control the transmitter to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over; control the receiver to receive a handover request acknowledgement message sent by the second access network device; control the transmitter to send a handover command to the terminal device and control the memory to buffer the encrypted data to be forwarded to the second access network device, that data being data which the first core network device encrypted and transmitted toward the terminal device, and the handover command instructing the terminal device to switch from the first access network device to the second access network device; control the transmitter to send an SN status transfer message to the second access network device, indicating the next one or more uplink and downlink SN states of the RLC mode; and control the transmitter to send the buffered encrypted data to the second access network device.
With reference to the fifth aspect or its first possible implementation, in a second possible implementation of the fifth aspect, the second access network device communicates with a second core network device, and the processor is specifically configured to control the transmitter to send the buffered encrypted data to the first core network device.
With reference to the fifth aspect or its second possible implementation, in a third possible implementation of the fifth aspect, the processor is further configured to control the transmitter to send the SN status transfer message to the first core network device before controlling the transmitter to send the buffered encrypted data to the first core network device.
With reference to the fifth aspect or any one of its first to third possible implementations, in a fourth possible implementation of the fifth aspect, the buffered encrypted data includes data buffered by the access network device that is still to be sent to the terminal device, and data that has already been sent to the terminal device but for which no feedback from the terminal device has been received.
With reference to the fifth aspect or any one of its first to fourth possible implementations, in a fifth possible implementation of the fifth aspect, the user plane security information further includes compression function position indication information and integrity protection function position indication information.
With reference to the fifth aspect or any one of its first to fifth possible implementations, in a sixth possible implementation of the fifth aspect, the processor is further configured to: before controlling the receiver to receive the encrypted data transmitted by the terminal device, control the receiver to receive a network slice management message sent by an operation and management device, the network slice management message including the user plane security information of a basic network slice; and control the memory to store the user plane security information of the basic network slice.
In a sixth aspect, a terminal device is provided.
The terminal device includes a receiver, a processor and a transmitter. The transmitter is configured to send a request message to a first access network device, the request message including one or more pieces of network slice selection information. The receiver is configured to receive, from the first access network device, user plane security information that a first core network device has configured for the terminal device, the user plane security information including user plane enciphering/deciphering position indication information. The processor is configured to process the data to be transmitted according to the user plane security information to generate encrypted data, and to control the transmitter to transmit the encrypted data to the first access network device.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the processor is further configured to: after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover command sent by the first access network device; establish an RRC connection with a second access network device; and control the transmitter to send a handover complete message to the second access network device.
With reference to the sixth aspect or its first possible implementation, in a second possible implementation of the sixth aspect, the processor is further configured to: after controlling the transmitter to send the handover complete message to the second access network device, control the receiver to receive a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data that the terminal device receives or sends.
In a seventh aspect, a core network device is provided.
The core network device includes a receiver, a processor and a transmitter. The receiver is configured to receive one or more pieces of network slice selection information sent by a first access network device. The processor is configured to configure user plane security information for a terminal device according to the one or more pieces of network slice selection information. The transmitter is configured to send the user plane security information to the first access network device.
With reference to the seventh aspect, in a first possible implementation of the seventh aspect, the processor is further configured to: after controlling the transmitter to send the user plane security information to the first access network device, control the receiver to receive, from the first access network device, an SN status transfer message and the buffered encrypted data that is to be forwarded to a second access network device.
In an eighth aspect, an access network device is provided.
The access network device includes a receiver, a processor and a transmitter. The processor is configured to control the receiver to receive a handover request message sent by a first access network device. The processor is further configured to control the transmitter to send a handover request acknowledgement message to the first access network device, to receive an SN status transfer message sent by the first access network device, and to control the receiver to receive encrypted data sent by the first access network device.
With reference to the eighth aspect, in a first possible implementation of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device, and the processor is specifically configured to control the receiver to receive the data sent by the second core network device.
With reference to the eighth aspect or its first possible implementation, in a second possible implementation of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device, and the processor is further configured to: after controlling the receiver to receive the encrypted data sent by the first access network device, establish an RRC connection with the terminal device, and control the transmitter to send SN indication information to the terminal device, indicating the SN boundary value of the data that the terminal device receives or sends.
A ninth aspect provides an access network device. The access network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the fifth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the fifth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the fifth aspect or any implementation thereof.
A tenth aspect provides a terminal device. The terminal device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the sixth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the sixth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the sixth aspect or any implementation thereof.
An eleventh aspect provides a core network device. The core network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the seventh aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the seventh aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the seventh aspect or any implementation thereof.
A twelfth aspect provides an access network device. The access network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the eighth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the eighth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the eighth aspect or any implementation thereof.
In a thirteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor, where the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the access network device performs the method of the first aspect or any possible implementation of the first aspect.
In a fourteenth aspect, an embodiment of the present application provides a terminal device that includes a memory, a transceiver and a processor, where the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the terminal device performs the method of the second aspect or any possible implementation of the second aspect.
In a fifteenth aspect, an embodiment of the present application provides a core network device that includes a memory, a transceiver and a processor, where the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the core network device performs the method of the third aspect or any possible implementation of the third aspect.
In a sixteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor, where the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the access network device performs the method of the fourth aspect or any possible implementation of the fourth aspect.
A seventeenth aspect provides a computer storage medium storing program code, the program code including instructions for implementing the method of any possible implementation of the first aspect, the second aspect, the third aspect or the fourth aspect.
Description of the drawings
Fig. 1 is a schematic diagram of a network slice classification;
Fig. 2 is a schematic diagram of a system architecture provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a method of data security transmission provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of a terminal device handover provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of a method of data transmission provided by an embodiment of the present invention;
Fig. 6 is a flow diagram of a method of data transmission provided by an embodiment of the present invention;
Fig. 7 is a flow diagram of user plane security information transmission provided by an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a data security transmission apparatus provided by an embodiment of the present invention.
Description of embodiments
Fig. 2 shows, by way of example, a system architecture to which embodiments of the present invention are applicable; the flow of data security transmission can be implemented on this architecture. The system architecture for data security transmission provided by an embodiment of the present invention may include a network device 110 and a terminal device 120.
The network device 110 may include a radio access network (Radio Access Network, RAN) device and a core network (Core Network, CN) device that communicate with the terminal device 120. The RAN device may be an access point (ACCESS POINT, AP) in a WLAN, a base transceiver station (Base Transceiver Station, BTS) in GSM or CDMA, a base station (NodeB, NB) in WCDMA, an evolved base station (Evolutional Node B, eNB or eNodeB) in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN, for example a 5G base station that can connect to a core network device, a transmission and reception point (Transmission and Reception Point, TRP), a centralized unit (Centralized Unit, CU), a distributed unit (Distributed Unit, DU), and so on. The CN device may be a mobility management entity (Mobility Management Entity, MME) or a gateway (Gateway) in LTE, or a control plane (Control Plane, CP) network function (Network Function, NF) and a user plane (User Plane, UP) network function in a 5G network, such as a common control plane network function (Common CP NF, CCNF) or a session management network function (Session Management NF, SMF).
Each network slice includes a RAN device and a CN device, and multiple network slices can share the network functions of one RAN device. The CN device may contain two parts: network functions shared between network slices and network functions dedicated to a single network slice. Some network slices may share the shared network functions in the CN device, and some network slices may use the slice-dedicated network functions in the CN device alone. For example, Slice A and Slice B share network functions in the CN device, whereas a network slice such as Slice C may share no network functions with other network slices and has the network functions of the CN device to itself.
In embodiments of the present invention, the terminal device 120 may be a device with a wireless fidelity (wireless Fidelity, WiFi) module, for example a mobile phone, a wristband, a tablet computer, a laptop, an ultra-mobile personal computer (Ultra-Mobile Personal Computer, UMPC), a personal digital assistant (Personal Digital Assistant, PDA) device, a vehicle-mounted device, a wearable device, a sensor with network access capability, and so on; it is not limited to communication terminals.
In a 5G system, because network slices have different security level requirements, the encryption/decryption function of a network slice with a high security level is moved from the RAN device side to the CN device side. Data that the CN device sends to the terminal device 120 must then be encrypted on the CN device and only afterwards sent to the terminal device 120 via the RAN device. When receiving or sending data, the terminal device 120 therefore needs to know the encryption/decryption key and the location of the encryption/decryption function.
Therefore, before the terminal device 120 initiates the transmission of user plane data packets for a service to the CN device, the key for encrypting and decrypting the data to be received or sent must be determined, so that the data is transmitted securely.
Based on the foregoing, Fig. 3 shows by way of example the flow of a method of data security transmission provided by an embodiment of the present invention; this flow can realise secure data transmission in a 5G system. The method of data security transmission is described below with reference to Fig. 2 and Fig. 3.
As shown in Fig. 3, the flow includes the following specific steps:
Step 301: the terminal device sends a request message to the first RAN device.
The request message sent to the first RAN device includes one or more pieces of network slice selection information, indicating the network slice(s) to which the terminal device wants to initiate a connection. The request message may carry a non-access stratum (Non-access Stratum, NAS) message in which the one or more pieces of network slice selection information are included, so that after receiving the request message the first RAN device forwards the one or more pieces of network slice selection information in the request message to the first CN device, in order to initiate network slice selection or protocol data unit (Protocol Data Unit, PDU) session establishment. Further, the request message may be an RRC message, a MAC message or a physical layer message.
The network slice selection information includes, but is not limited to, the following related information. Network slice type: information indicating the type of network slice, such as enhanced mobile broadband (enhanced Mobile Broadband, eMBB), ultra-reliable low latency communications (Ultra-Reliable Low Latency Communications, URLLC) or massive machine type communication (Massive Machine Type Communication, mMTC); further, the network slice type may refer to the end-to-end network slice type, covering both the RAN side and the CN side, or to the RAN side network slice type or the CN side network slice type alone. Service type: information related to a specific service, such as video service, vehicle networking service or voice service, indicating service characteristics or the specific service. Tenant (Tenant) information: the customer that creates or rents the network slice, such as Tencent or State Grid. User group information: a grouping of users according to some characteristic, such as grouping by user rank. Slice group information: a grouping, according to some characteristic, of the network slices that a user may access. Network slice instance information: the instance identifier and characteristic information created for a network slice; for example, an identifier is assigned to a network slice instance to indicate that instance, or a new identifier associated with the network slice instance is mapped onto the instance identifier, so that the recipient can identify the specific network slice instance that the identifier represents. Dedicated core network (Dedicated Core Network, DCN) identifier: an identifier that uniquely indicates a dedicated core network, such as a core network dedicated to the Internet of Things; optionally, the DCN identifier may be mapped to a network slice identifier, so that a network slice identifier can be derived from the DCN identifier and a DCN identifier from the network slice identifier.
Step 302: the first RAN device receives the request message sent by the terminal device and sends the one or more pieces of network slice selection information to the first CN device.
After receiving the request message sent by the terminal device, the first RAN device may send the NAS message carried in the received request message to the first CN device through an interface message between the first RAN device and the first CN device, so that the first CN device configures user plane security information for the terminal device according to the one or more pieces of network slice selection information in the request message.
Step 303: the first CN device receives the one or more pieces of network slice selection information sent by the first RAN device and configures the user plane security information of the terminal device according to them.
After receiving the one or more pieces of network slice selection information sent by the first RAN device, the first CN device may optionally send the network slice selection information to the CN device responsible for network slice security, which configures the user plane security information according to the one or more pieces of network slice selection information; for example, network slices of different security levels may be configured with different user plane security information, or different user plane security information may be configured according to the different services that may be associated with a network slice. The user plane security information configured for the terminal device includes at least user plane encryption/decryption location indication information, which the terminal device uses to decrypt received data or to encrypt data to be sent, improving the security of data transmission.
Specifically, the user plane security information may further include, but is not limited to, the following related information. Encryption/decryption function location information, i.e. the anchor point of the encryption/decryption function, such as located at the RAN side, at the CN side, or at both the RAN side and the CN side; further, if the encryption/decryption function is located at the RAN side, the RAN side needs to encrypt/decrypt user plane data packets; if it is located at the CN side, the RAN side may not encrypt/decrypt user plane data packets; and if it is located at both the RAN side and the CN side, the RAN side also needs to encrypt/decrypt user plane data packets. Further, "located at the RAN side" may mean located at the Packet Data Convergence Protocol (Packet Data Convergence Protocol, PDCP) layer or at the radio resource control (Radio Resource Control, RRC) layer, and "located at the CN side" may mean located at the control plane or user plane network function responsible for the security function, such as the session management network function or the network management network function. Encryption/decryption function enable switch information, such as enabling or disabling the encryption/decryption function on the RAN side, the CN side, or both the RAN and CN sides. Encryption/decryption key, for example the encryption/decryption key to be used by the RAN side and the UE side, or the encryption/decryption key to be used by the UE side and the CN side. Encryption/decryption function algorithm, such as the algorithm used by the encryption/decryption function on the RAN side, the CN side, or both the RAN and CN sides. Header compression (Robust Header Compression, ROHC) function location information, such as located at the RAN side, at the CN side, or at both the RAN and CN sides; further, if the header compression function is located at the RAN side, the RAN side needs to perform header compression on user plane data packets; if the encryption/decryption function is located at the CN side, the RAN side may not perform header compression on user plane data packets; and if the encryption/decryption function is located at both the RAN and CN sides, the RAN side also needs to perform header compression on user plane data packets. Further, "located at the RAN side" may mean located at the PDCP layer or at the RRC layer, and "located at the CN side" may mean located at the control plane or user plane network function responsible for the security function, such as the session management network function or network management. Header compression function enable switch information, such as enabling or disabling the header compression function on the RAN side, the CN side, or both the RAN and CN sides. Header compression function algorithm, such as the algorithm used by the header compression function on the RAN side, the CN side, or both the RAN and CN sides. Header compression type, such as compressing the headers of real-time transport protocol (Real-time Transport Protocol, RTP) data packets, User Datagram Protocol (User Datagram Protocol, UDP) data packets and Internet Protocol (Internet Protocol, IP) data packets, compressing only UDP/IP data packet headers, or compressing only IP data packet headers.
Further, the user plane security information may also include, but is not limited to, the following related information. Integrity protection function location information, such as located at the RAN side, at the CN side, or at both the RAN and CN sides; further, if the integrity protection function is located at the RAN side, the RAN side needs to perform integrity protection on user plane data packets; if the integrity protection function is located at the CN side, the RAN side may not perform integrity protection on user plane data packets; and if the encryption/decryption function is located at both the RAN side and the CN side, the RAN side also needs to perform integrity protection on user plane data packets. Further, "located at the RAN side" may mean located at the PDCP layer or at the RRC layer, and "located at the CN side" may mean located at the control plane or user plane network function responsible for the security function, such as the session management network function or network management. Integrity protection function enable switch information, such as enabling or disabling the integrity function on the RAN side, the CN side, or both the RAN and CN sides. Integrity protection function algorithm information, such as the algorithm used by the integrity protection function on the RAN side, the CN side, or both the RAN and CN sides. Key update function information, such as the algorithm used for key update when the terminal device performs a handover or an RRC connection re-establishment (RRC Connection Re-establishment); further, the algorithm may indicate whether the UE uses or derives a new key during the handover or RRC connection re-establishment procedure, or may indicate whether the UE does not need to use or derive a new key during the handover or RRC connection re-establishment procedure.
Step 304: the first CN device sends the user plane security information to the first RAN device.
The first CN device notifies the first RAN device, through an interface message, of the user plane security information that the first CN device has configured for the terminal device, so that the first RAN device obtains the user plane security information. The user plane security information may be carried explicitly or implicitly in the interface message, and may specifically apply to the following service-related configuration information:
the user plane security information corresponding to at least one network slice selected by the CN side for the UE, used for the user plane data transmitted by that network slice; the user plane security information corresponding to at least one radio bearer (radio bearer) that the RAN side needs to establish for the UE, used for the user plane data transmitted by that radio bearer; the user plane security information corresponding to at least one PDU session established by the CN side for the UE, used for the user plane data transmitted by that PDU session; and the user plane security information corresponding to at least one stream (flow) included in a PDU session established by the CN side for the UE, used for the user plane data transmitted by that stream.
Through this message the first RAN device learns the user plane security information of the network slice, the radio bearer, the PDU session or the streams included in the PDU session, for example whether the first RAN device needs to perform the encryption and/or header compression functions. Optionally, the interface message may also carry the identifier of the network slice that the first CN device has selected for the terminal device, and the PDU session information that the first CN device has established for the terminal device.
Step 305: the first RAN device receives the response message sent by the first CN device and sends the user plane information to the terminal device.
The response message includes the user plane security information configured by the first CN device for the terminal device, which includes at least user plane encryption/decryption location indication information. The first RAN device then sends the user plane security information to the terminal device, so that the terminal device processes the data to be transmitted according to the user plane security information and generates encrypted data, for example decrypting received data or encrypting data to be sent, improving the security of data transmission.
The first CN device may send the user plane security information to the terminal device through an air interface configuration message, which may be an RRC message, a MAC message or a physical layer message. The user plane security key may be carried explicitly or implicitly in the configuration message and may apply to one or more radio bearers, one or more PDU sessions, one or more streams included in the PDU session, or the network slice corresponding to the PDU session. Through this message the terminal device learns the security information of the radio bearer, the PDU session, the streams included in the PDU session or the network slice corresponding to the PDU session, for example whether the UE side needs to perform the encryption/decryption and/or header compression functions at the PDCP layer.
Step 306: the terminal device receives the user plane security information, configured by the first CN device for the terminal device, that the first RAN device sends. The terminal device can process the data to be transmitted according to the received user plane security information, generate encrypted data and transmit the encrypted data to the first RAN device; it can also use the user plane security information to decrypt the data it receives from the first RAN device.
After receiving from the first RAN device the user plane security information that the first CN device configured for it, the terminal device stores the user plane security information. When initiating the transmission of user plane data packets for a service, the terminal device encrypts those user plane data packets with the stored user plane security information and then transmits the encrypted data to the first RAN device.
Step 307: the first RAN device receives the encrypted data transmitted by the terminal device and transmits the encrypted data to the first CN device.
The first RAN device receives the encrypted data transmitted by the terminal device and then forwards it to the first CN device. The encrypted data is produced by the terminal device using the user plane security information that the first CN device configured for it. Encrypting the data with the user plane security information configured by the first CN device further increases security during data transmission and avoids the situation in which the main key is compromised after the first RAN device is attacked, threatening the security of other network slices.
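The following Python model walks through steps 303 to 307 for one network slice and makes the anchor choice concrete: when the encryption/decryption function is anchored at the CN, the first RAN device never receives the slice key and forwards the encrypted PDU unchanged; when it is anchored at the RAN, the RAN decrypts at PDCP and the CN receives plaintext. This is an added illustration, not code from the patent: the class and function names (UserPlaneSecurityInfo, Anchor, protect, unprotect, run_uplink), the per-slice key, and the HMAC-based toy cipher are constructed here and stand in for whatever algorithm the user plane security information would name.

```python
# Added illustration of steps 303-307 of Fig. 3. Not the patent's code: the class
# and function names, the per-slice key and the toy cipher are constructed here.
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Anchor(Enum):
    """Encryption/decryption function location carried in the user plane security information."""
    RAN = "RAN"
    CN = "CN"


@dataclass(frozen=True)
class UserPlaneSecurityInfo:
    """Subset of the user plane security information the first CN device configures (step 303)."""
    slice_id: str
    cipher_anchor: Anchor   # encryption/decryption location indication
    cipher_enabled: bool    # encryption/decryption enable switch
    algorithm: str          # algorithm label; here always the toy cipher below


def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def protect(master: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC with an HMAC-CTR keystream and a 16-byte HMAC tag.
    Stands in for the configured algorithm so the model runs offline; not a 3GPP cipher."""
    nonce = nonce if nonce is not None else os.urandom(12)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(master: bytes, pdu: bytes) -> bytes:
    """Verifies the tag before decrypting; a modified PDU is rejected, not decrypted."""
    nonce, ct, tag = pdu[:12], pdu[12:-16], pdu[-16:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("user plane integrity check failed")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CoreNetwork:
    """First CN device: chooses the anchor per slice and holds the per-slice key."""

    def __init__(self):
        self.keys = {}

    def configure(self, slice_id: str, anchor: Anchor) -> UserPlaneSecurityInfo:
        # Step 303: a constructed 256-bit key per slice; a high-security slice gets the CN anchor.
        self.keys[slice_id] = os.urandom(32)
        return UserPlaneSecurityInfo(slice_id, anchor, True, "toy-hmac-ctr")

    def receive_uplink(self, info: UserPlaneSecurityInfo, pdu: bytes) -> bytes:
        # Step 307: with a CN anchor the CN is the first node able to decrypt.
        if info.cipher_anchor is Anchor.CN:
            return unprotect(self.keys[info.slice_id], pdu)
        return pdu  # the RAN already removed the protection


class RanNode:
    """First RAN device: receives a key only for slices anchored at the RAN."""

    def __init__(self):
        self.keys = {}

    def install(self, info: UserPlaneSecurityInfo, cn: CoreNetwork) -> None:
        # Step 304: the interface message tells the RAN where the cipher sits.
        if info.cipher_anchor is Anchor.RAN:
            self.keys[info.slice_id] = cn.keys[info.slice_id]

    def forward_uplink(self, info: UserPlaneSecurityInfo, pdu: bytes) -> bytes:
        # Step 307: decrypt at PDCP if anchored here, otherwise forward the bytes untouched.
        if info.cipher_anchor is Anchor.RAN:
            return unprotect(self.keys[info.slice_id], pdu)
        return pdu


def run_uplink(anchor: Anchor, plaintext: bytes = b"user plane payload") -> dict:
    """Runs steps 303-307 for one slice and reports what each node held or could read."""
    cn, ran = CoreNetwork(), RanNode()
    info = cn.configure("slice-c", anchor)
    ran.install(info, cn)
    ue_key = cn.keys[info.slice_id]   # steps 305/306: key reaches the UE (delivery assumed protected)
    pdu = protect(ue_key, plaintext)  # step 306: the UE encrypts before sending
    at_ran = ran.forward_uplink(info, pdu)
    at_cn = cn.receive_uplink(info, at_ran)
    return {"ran_holds_key": info.slice_id in ran.keys,
            "ran_sees_plaintext": at_ran == plaintext,
            "cn_plaintext": at_cn}
```

Running run_uplink(Anchor.CN) and run_uplink(Anchor.RAN) side by side shows the property the paragraph above relies on: with the CN anchor, the state held by the first RAN device contains no key for the slice, so compromising that node yields neither the slice's plaintext nor material for other slices.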
When the user plane encryption/decryption function is moved from the RAN device side to the CN device side, the terminal device may need to be handed over from the first RAN device to a second RAN device, or a second RAN device may be added for multi-connectivity operation so that the two jointly provide network connection service to the terminal device; in this case the first RAN device and the second RAN device are connected to the same CN device. If the terminal device needs to be handed over from the first RAN device to the second RAN device, the first RAN device needs to forward the encrypted data to the second RAN device. The first RAN device is the source RAN node and the second RAN device is the target RAN node.
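The handover just described, together with the SN status transfer and SN indication of the eighth aspect, can be modelled without any key material at either RAN node, because the forwarded data stays encrypted under the CN-anchored key. The Python below is an added illustration, not the patent's code or a 3GPP implementation: the classes (SourceRan, TargetRan, Terminal, SnStatus, EncryptedPdu), the 12-bit SN space, the constructed ciphertext payloads, and the assumption that no key update happens at handover are all choices made here. It shows the source node handing the target the next SN to use and the still-undelivered PDUs, the target deriving the SN boundary it indicates to the terminal, and the terminal using that boundary to tell forwarded PDUs from newly numbered ones and to drop duplicates.

```python
# Added illustration of handover data forwarding (SN status transfer, forwarded encrypted
# data, SN indication). Not the patent's code: names, SN space and payloads are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SN_MODULUS = 4096  # constructed 12-bit sequence number space


@dataclass(frozen=True)
class EncryptedPdu:
    sn: int
    payload: bytes  # ciphertext under the CN-anchored key; opaque to both RAN nodes


@dataclass(frozen=True)
class SnStatus:
    """SN status transfer: where the target continues numbering and which SNs the
    source still held buffered for the terminal."""
    next_dl_sn: int
    undelivered: Tuple[int, ...]


def sn_before(a: int, boundary: int) -> bool:
    """True if SN a precedes boundary in the wrapping SN space."""
    return 0 < (boundary - a) % SN_MODULUS <= SN_MODULUS // 2


class SourceRan:
    """First RAN device (source node): numbers CN data and buffers it until delivered."""

    def __init__(self) -> None:
        self.next_sn = 0
        self.buffer: Dict[int, EncryptedPdu] = {}

    def receive_from_cn(self, payload: bytes) -> EncryptedPdu:
        pdu = EncryptedPdu(self.next_sn, payload)
        self.buffer[pdu.sn] = pdu
        self.next_sn = (self.next_sn + 1) % SN_MODULUS
        return pdu

    def confirm_delivered(self, sn: int) -> None:
        self.buffer.pop(sn, None)

    def hand_over(self, target: "TargetRan") -> SnStatus:
        target.accept_handover_request()               # handover request / acknowledgement
        status = SnStatus(self.next_sn, tuple(sorted(self.buffer)))
        target.receive_sn_status(status)               # SN status transfer
        for sn in status.undelivered:                  # forward encrypted data unchanged
            target.receive_forwarded(self.buffer.pop(sn))
        return status


class TargetRan:
    """Second RAN device (target node): needs no key, only the SN status and the bytes."""

    def __init__(self) -> None:
        self.prepared = False
        self.next_sn: Optional[int] = None
        self.forwarded: Dict[int, EncryptedPdu] = {}

    def accept_handover_request(self) -> None:
        self.prepared = True

    def receive_sn_status(self, status: SnStatus) -> None:
        if not self.prepared:
            raise RuntimeError("SN status before handover request acknowledgement")
        self.next_sn = status.next_dl_sn

    def receive_forwarded(self, pdu: EncryptedPdu) -> None:
        self.forwarded[pdu.sn] = pdu

    def sn_indication(self) -> int:
        """SN boundary sent to the terminal once the RRC connection is up: SNs before it
        were numbered by the source node, SNs from it onwards by this node."""
        if self.next_sn is None:
            raise RuntimeError("no SN status received")
        return self.next_sn

    def drain_forwarded(self) -> List[EncryptedPdu]:
        return [self.forwarded.pop(sn) for sn in sorted(self.forwarded)]

    def receive_from_cn(self, payload: bytes) -> EncryptedPdu:
        pdu = EncryptedPdu(self.sn_indication(), payload)
        self.next_sn = (pdu.sn + 1) % SN_MODULUS
        return pdu


class Terminal:
    """Decrypts with the unchanged CN-anchored key (not modelled) and uses the SN
    boundary to classify PDUs and discard duplicates."""

    def __init__(self) -> None:
        self.boundary: Optional[int] = None
        self.seen = set()
        self.delivered: List[int] = []

    def receive_sn_indication(self, boundary: int) -> None:
        self.boundary = boundary

    def receive(self, pdu: EncryptedPdu) -> str:
        if pdu.sn in self.seen:
            return "duplicate"   # e.g. delivered by the source and forwarded again
        self.seen.add(pdu.sn)
        self.delivered.append(pdu.sn)
        if self.boundary is None or sn_before(pdu.sn, self.boundary):
            return "source"      # numbered by the first RAN device
        return "target"          # numbered by the second RAN device


def run_handover() -> dict:
    """Five encrypted PDUs reach the source; two are delivered, three are forwarded."""
    source, target, ue = SourceRan(), TargetRan(), Terminal()
    pdus = [source.receive_from_cn(b"ciphertext-%d" % i) for i in range(5)]
    for pdu in pdus[:2]:
        ue.receive(pdu)
        source.confirm_delivered(pdu.sn)
    status = source.hand_over(target)
    ue.receive_sn_indication(target.sn_indication())
    kinds = [ue.receive(p) for p in target.drain_forwarded()]
    kinds.append(ue.receive(target.receive_from_cn(b"ciphertext-5")))
    return {"status": status, "boundary": ue.boundary, "kinds": kinds,
            "delivered": ue.delivered, "source_buffer_empty": not source.buffer,
            "terminal": ue}
```

In run_handover() the source hands over next SN 5 and buffered SNs 2 to 4; the target indicates boundary 5, the terminal classifies the forwarded PDUs as source-numbered and the first PDU the target numbers itself as target-numbered, and the source buffer is empty afterwards. Neither RAN class holds a key, which is the point of anchoring the cipher at the CN for a high-security slice.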
The handover/multi-connectivity flow shown in Fig. 4 includes the following specific steps:
Step 401: the first RAN device sends a handover request message to the second RAN device.
The handover request message instructs the second RAN device to start handover preparation. Further, the handover request message includes, but is not limited to, the following information. Handover cause, indicating the reason for this handover, such as a radio network layer cause (handover triggered by signal conditions, resource-based optimisation, etc.). Target cell identifier, uniquely identifying the target cell. Handover restriction list, including the serving PLMN, equivalent PLMNs, forbidden service areas, etc. The temporary identifier of the terminal device, used by the CN device to look up the stored context of the terminal device. The identifier of the core network control function entity associated with the terminal device. The network slice identifiers corresponding to one, several or all of the network slices selected by the terminal device. The radio bearer information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer; for the specific message content, refer to the interface message of step 304. The session information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session; for the specific message content, refer to the interface message of step 304. The stream information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the stream identifier, the stream-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the stream; for the specific message content, refer to the interface message of step 304. Radio bearer information, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer; for the specific message content, refer to the interface message of step 304. Other session information that needs to be established, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session; for the specific message content, refer to the interface message of step 304. Other stream information that needs to be established, such as the stream identifier, the stream-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the stream; for the specific message content, refer to the interface message of step 304. The context information of the terminal device, such as the network slice identifiers corresponding to one, several or all of the network slices to which the terminal device subscribes.
Optionally, the first RAN device may send a RAN device addition request to the second RAN device, requesting the second RAN device to set up multi-connectivity operation and thereby allocate radio resources to the terminal device. Further, the RAN device addition request includes, but is not limited to, the following information. The radio bearer information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer; for the specific message content, refer to the interface message of step 304. The session information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session; for the specific message content, refer to the interface message of step 304. The stream information that needs to be established for one, several or all of the network slices selected by the terminal device, such as the stream identifier, the stream-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the stream; for the specific message content, refer to the interface message of step 304. Other radio bearer information that needs to be established, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer; for the specific message content, refer to the interface message of step 304. Other session information that needs to be established, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session; for the specific message content, refer to the interface message of step 304. Other stream information that needs to be established, such as the stream identifier, the stream-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the stream; for the specific message content, refer to the interface message of step 304.
Optionally, the first RAN device may send a RAN device modification request to the second RAN device, requesting the second RAN device to modify the context information it currently holds for the terminal device and the radio resources it has prepared for the terminal device, so that radio resources are allocated to the terminal device. Further, the RAN device modification request includes, but is not limited to, the following information: the radio bearer information that needs to be established, modified or released for the one or more or all network slices selected by the terminal device, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. The session information that needs to be established, modified or released for the one or more or all network slices selected by the terminal device, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. The flow information that needs to be established, modified or released for the one or more or all network slices selected by the terminal device, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. Other radio bearer information that needs to be established, modified or released, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. Other session information that needs to be established, modified or released, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. Other flow information that needs to be established, modified or released, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. For each of these items, the specific message content may refer to the interface message of step 304.
Optionally, the first RAN device may send a RAN device modification required message to the second RAN device, to trigger the release of radio resources, a change of the primary serving cell, or a PDCP SN wrap-around. Further, the RAN device modification required message includes, but is not limited to, the following information: the radio bearer information that needs to be released for the one or more or all network slices selected by the terminal device, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. The session information that needs to be released for the one or more or all network slices selected by the terminal device, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. The flow information that needs to be released for the one or more or all network slices selected by the terminal device, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. Other radio bearer information that needs to be released, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. Other session information that needs to be released, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. Other flow information that needs to be released, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. For each of these items, the specific message content may refer to the interface message of step 304.
Step 402: the second RAN device receives the handover request message sent by the first RAN device and sends a handover request acknowledge message to the first RAN device.
By sending the handover request acknowledge message to the first RAN device, the second RAN device indicates that it has prepared the resources and completed the handover preparation. The handover request acknowledge message includes, but is not limited to, the following information: the identifier of the first RAN device. The identifier of the second RAN device. A transparent container from the second RAN device to the first RAN device, which includes the RRC handover command. The radio bearer information that was not accepted for the one or more or all network slices selected by the terminal device, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. The session information that was not accepted for the one or more or all network slices selected by the terminal device, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. The flow information that was not accepted for the one or more or all network slices selected by the terminal device, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. Other radio bearer information that was not accepted, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. Other session information that was not accepted, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. Other flow information that was not accepted, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. For each of these items, the specific message content may refer to the interface message of step 304.
Optionally, the second RAN device may send a RAN device addition request acknowledge to the first RAN device, indicating that the second RAN device has prepared the resources, so that radio resources are allocated to the terminal device. Further, the RAN device addition request acknowledge includes, but is not limited to, the following information: the radio bearer information that was not accepted and that was accepted, respectively, for the one or more or all network slices selected by the terminal device, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. The session information that was not accepted and that was accepted for the one or more or all network slices selected by the terminal device, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. The flow information that was not accepted and that was accepted for the one or more or all network slices selected by the terminal device, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. Other radio bearer information that was not accepted and that was accepted, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. Other session information that was not accepted and that was accepted, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. Other flow information that was not accepted and that was accepted, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. For each of these items, the specific message content may refer to the interface message of step 304.
Optionally, the second RAN device may send a RAN device modification request acknowledge to the first RAN device, in response to the modification request of the first RAN device. Further, the RAN device modification request acknowledge includes, but is not limited to, the following information: the radio bearer information that was not accepted and that was accepted for the one or more or all network slices selected by the terminal device, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. The session information that was not accepted and that was accepted for the one or more or all network slices selected by the terminal device, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. The flow information that was not accepted and that was accepted for the one or more or all network slices selected by the terminal device, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. Other radio bearer information that was not accepted and that was accepted, such as a radio bearer identifier, radio-bearer-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the radio bearer. Other session information that was not accepted and that was accepted, such as a session identifier, session-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the session. Other flow information that was not accepted and that was accepted, such as a flow identifier, flow-level QoS parameters, the tunnel destination node and the user plane security information corresponding to the flow. For each of these items, the specific message content may refer to the interface message of step 304.
Step 403: the first RAN device receives the handover request acknowledge message sent by the second RAN device, sends a handover command to the terminal device, and caches the encrypted data to be transmitted to the second RAN device.
After receiving the handover request acknowledge message, the first RAN device sends the handover command to the terminal device to instruct the terminal device to hand over; the handover command can be carried in an RRC message. The RRC message may also include, but is not limited to, the following information: the target cell identifier, the new temporary identifier of the terminal device, and the bearer configuration, such as the PDCP, Radio Link Control (RLC), Media Access Control (MAC) and physical layer configuration.
The first RAN device also needs to cache the encrypted data to be transmitted to the second RAN device. This encrypted data may be the data cached at the first RAN device that is still to be sent to the terminal device, as well as data that has already been sent to the terminal device but for which no feedback from the terminal device has been received yet.
Step 404: the first RAN device sends a sequence number (SN) status transfer message to the second RAN device, and sends the cached encrypted data to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink service data unit (SDU), and may also contain a receive status bitmap of out-of-order uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to allocate.
By sending the cached encrypted data to the second RAN device, the first RAN device avoids packet loss during the handover procedure. Because the data forwarded by the first RAN device is already encrypted, the cached data that the second RAN device sends to the UE can still be decrypted at the UE side, which guarantees the security of the data transmission.
Step 405: the terminal device receives the handover command sent by the first RAN device, establishes an RRC connection with the second RAN device, and sends a handover complete message to the second RAN device.
After receiving the handover command, the terminal device establishes an RRC connection with the second RAN device and then sends a handover complete message to the second RAN device, such as an RRC connection reconfiguration complete message, indicating that the handover has been completed.
Optionally, when the user plane enciphering/deciphering function is moved from the RAN device side to the CN device side, if the terminal device needs to hand over from the first RAN device to the second RAN device while the first RAN device and the second RAN device are connected to different CN devices, the first RAN device needs to transmit the encrypted data to the second RAN device. The first RAN device is the source RAN node and the second RAN device is the target RAN node.
Optionally, when the handover procedure over the interface between the RAN device and the CN device needs to be triggered, for example when there is no direct terrestrial interface or wireless backhaul link between the first RAN device and the second RAN device, the handover request message of step 401 can be forwarded. For example, the first RAN device sends the handover request message to the first core network device (the specific content may refer to the handover request message of step 401), and the first core network device then sends the handover request message on to the second RAN device, thereby realizing the sending of the handover request message from the first RAN device to the second RAN device. The second RAN device sends the handover request acknowledge message to the first core network device (the specific content may refer to the handover request acknowledge message of step 402), and the first core network device then sends the handover request acknowledge message to the second RAN device, thereby realizing the sending of the handover request acknowledge message from the second RAN device to the first RAN device. The first RAN device receives the handover request acknowledge message sent by the second RAN device, sends the handover command to the terminal device, and caches the encrypted data to be transmitted to the second RAN device. The first RAN device sends the sequence number (SN) status transfer message to the second RAN device and sends the cached encrypted data to the first core network device; the first core network device then sends the received data on to the second RAN device, thereby realizing the sending of the cached encrypted data from the first RAN device to the second RAN device.
The specific steps of the data transmission flow are shown in Figure 5. The flow includes:
Step 501: the first RAN device sends an SN status transfer message to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink SDU, and may also contain a receive status bitmap of out-of-order uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to allocate.
Step 502: the first RAN device sends the cached encrypted data to the first CN device.
Optionally, the first RAN device sends an SN status transfer message to the second CN device.
Step 503: the first CN device receives the encrypted data sent by the first RAN device, decrypts the encrypted data, and sends the unencrypted data to the second CN device.
The data may be the data cached at the first RAN device that is still to be sent to the terminal device, as well as data that has already been sent to the terminal device but for which no feedback from the terminal device has been received yet.
Step 504: the second CN device receives the unencrypted data sent by the first CN device and sends the unencrypted data to the second RAN device.
Transferring the encrypted data cached at the first RAN device to the second RAN device through the first CN device and the second CN device avoids data loss during the handover procedure. Since the first CN device can deliver the unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to that device, so that the packets the second RAN device delivers to the UE use the security mechanism applicable to the second CN device. This guarantees the security of the data transmission and a smooth change of security mechanism after the handover.
Optionally, when the user plane enciphering/deciphering function is moved from the RAN device side to the CN device side, if the terminal device needs to hand over from the first RAN device to the second RAN device while the first RAN device and the second RAN device are connected to different CN devices, the first RAN device needs to transmit the encrypted data to the second RAN device. The first RAN device is the source RAN node and the second RAN device is the target RAN node.
The specific steps of the data transmission flow are shown in Figure 6. The flow includes:
Step 601: the first RAN device sends an SN status transfer message to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status at least includes the SN of the first missing uplink SDU, and may also contain a receive status bitmap of out-of-order uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to allocate.
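The SN status transfer message described for steps 404, 501 and 601 is a small data structure: the first missing uplink SN, a bitmap of out-of-order uplink SDUs received after it, and the next downlink SN the target must allocate. The following Python is an added example and not code from the patent: it builds that structure at the source RAN from the set of uplink SNs received so far and shows what the target RAN derives from it (the uplink SDUs the UE must retransmit, and continued downlink numbering). The field names, the sample SN values and the absence of SN wrap-around are assumptions made for illustration; the patent does not specify the message encoding.

```python
"""PDCP SN status transfer at handover (added example; not the patent's own code)."""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class SnStatus:
    """One entry of the SN status transfer message (field names are assumptions)."""
    first_missing_ul_sn: int      # SN of the first uplink SDU the source never received
    ul_receive_bitmap: List[int]  # bit i describes SN first_missing_ul_sn + 1 + i; 1 = received
    next_dl_sn: int               # next new downlink PDCP SN the target has to allocate


def build_sn_status(received_ul_sns: Iterable[int], ul_window_start: int,
                    next_dl_sn: int) -> SnStatus:
    """Source RAN side: derive the status from the uplink SNs received so far.

    ul_window_start is the lowest SN not yet delivered in sequence. SNs are treated
    as plain integers here (no wrap-around), which is an assumption of the example.
    """
    received: Set[int] = set(received_ul_sns)
    # walk up from the window start until the first gap
    fms = ul_window_start
    while fms in received:
        fms += 1
    highest = max(received, default=fms - 1)
    # one bit for every SN above the first missing one, up to the highest received
    bitmap = [1 if sn in received else 0 for sn in range(fms + 1, highest + 1)]
    return SnStatus(fms, bitmap, next_dl_sn)


def ul_sns_to_retransmit(status: SnStatus) -> List[int]:
    """Target RAN side: uplink SDUs the UE must send again at RAN node 2,
    i.e. the first missing SN plus every zero bit of the bitmap."""
    missing = [status.first_missing_ul_sn]
    for i, bit in enumerate(status.ul_receive_bitmap):
        if bit == 0:
            missing.append(status.first_missing_ul_sn + 1 + i)
    return missing


def allocate_dl_sns(status: SnStatus, count: int) -> List[int]:
    """Target RAN side: continue downlink numbering where the source stopped, so the
    forwarded cached packets and fresh downlink data keep one consistent SN sequence."""
    return list(range(status.next_dl_sn, status.next_dl_sn + count))


if __name__ == "__main__":
    # constructed sample: SN 13 and 16 were lost in the uplink, source's next DL SN is 200
    status = build_sn_status({10, 11, 12, 14, 15, 17}, ul_window_start=10, next_dl_sn=200)
    print(status)                          # SnStatus(13, [1, 1, 0, 1], 200)
    print(ul_sns_to_retransmit(status))    # [13, 16]
    print(allocate_dl_sns(status, 3))      # [200, 201, 202]
```

The bitmap only covers SNs above the first missing one, so a fully in-sequence receiver produces an empty bitmap and a retransmission list containing just the first missing SN; that case and an empty receive window are both handled without special-casing.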
Step 602: the first RAN device sends an SN status transfer message to the second CN device.
Optionally, the first RAN device sends the cached encrypted data to the first CN device. The data may be the data cached at the first RAN device that is still to be sent to the terminal device, as well as data that has already been sent to the terminal device but for which no feedback from the terminal device has been received yet.
Step 603: the first CN device receives the encrypted data sent by the first RAN device, decrypts the encrypted data, and sends the unencrypted data to the second CN device.
Step 604: the second CN device receives the unencrypted data sent by the first CN device and sends the unencrypted data to the second RAN device.
Transferring the encrypted data cached at the first RAN device to the second RAN device through the first CN device and the second CN device avoids data loss during the handover procedure. Since the first CN device can deliver the unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to that device, so that the packets the second RAN device delivers to the UE use the security mechanism applicable to the second CN device. This guarantees the security of the data transmission and a smooth change of security mechanism after the handover.
Further, when the terminal device hands over from the first RAN device to the second RAN device and the first RAN device and the second RAN device are connected to different CN devices, in the flow shown in Figure 4 the second RAN device sends an SN indication message to the terminal device after receiving the handover complete message sent by the terminal device. The SN indication message may be an RRC message, a MAC message or a physical layer message, and includes, but is not limited to, the following related information: an SN boundary value, which indicates to the UE which received and transmitted packets need to use the original encryption/decryption key and which need to use the new encryption/decryption key. For example, packets whose corresponding PDCP SDU has an SN before the SN boundary value need to use the original encryption/decryption key, and the packets after it need to use the new encryption/decryption key.
Optionally, the second RAN device may also add a key indication in the packet, to notify the terminal device that the key used for encrypting/decrypting the packet has changed and that the new key needs to be used.
Optionally, the second RAN device may also generate an end-marker packet and send this end-marker packet, to indicate that the encryption/decryption key previously stored at the UE side is invalidated and the new key is used from then on.
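The two ways the cached data can reach the UE after a handover between RAN devices on different CN devices, and the three ways the UE learns which key to apply, fit together in one runnable model. The following Python is an added example and not code from the patent. It covers the Figure 4 path (old-key packets forwarded unchanged, the target signals an SN boundary) and the Figure 5/6 path of steps 503 and 504 (the first CN device deciphers, the second CN device re-ciphers with its own mechanism, modelled here as a new key, and an end-marker tells the UE to drop the old key), plus the in-packet key indication. The ciphering routine is a constructed HMAC-based keystream standing in for a real user plane algorithm, and the packet field names, key indicator values and SN values are assumptions.

```python
"""Key selection at the UE across a handover (added example; not the patent's own code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


def toy_cipher(key: bytes, sn: int, data: bytes) -> bytes:
    """Constructed stand-in for the user plane ciphering algorithm: XOR with a
    counter-mode keystream derived by HMAC-SHA256 from (key, PDCP SN). Not a real
    NEA/EEA algorithm; it only models that ciphering depends on key and SN, so
    deciphering with the wrong key yields garbage. Applying it twice undoes it."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        msg = sn.to_bytes(4, "big") + block.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass(frozen=True)
class Packet:
    sn: int
    payload: bytes                       # ciphertext, or b"" for an end-marker packet
    key_indicator: Optional[int] = None  # optional in-packet key indication (assumed: 0 = old, 1 = new)
    end_marker: bool = False             # optional end-marker: old key is invalid from here on


def cipher_packets(key: bytes, sns: List[int], plaintexts: List[bytes]) -> List[Packet]:
    """Cipher plaintexts with the given key (used for the source RAN with the old key
    and for the target RAN with the new key)."""
    return [Packet(sn, toy_cipher(key, sn, pt)) for sn, pt in zip(sns, plaintexts)]


def re_encrypt_via_core(forwarded: List[Packet], old_key: bytes, new_key: bytes) -> List[Packet]:
    """Steps 503/504: the first CN device deciphers the forwarded data with the
    source-side mechanism; the second CN device re-ciphers it with its own (new key).
    The plaintext only exists between the two CN devices, never on the air interface."""
    plain = [toy_cipher(old_key, p.sn, p.payload) for p in forwarded]                        # first CN device
    return [Packet(p.sn, toy_cipher(new_key, p.sn, pt)) for p, pt in zip(forwarded, plain)]  # second CN device


class UeReceiver:
    """UE side: picks the old or new key per packet from the SN boundary of the SN
    indication message, from an in-packet key indicator, or after an end-marker."""

    def __init__(self, old_key: bytes, new_key: bytes) -> None:
        self.keys = {0: old_key, 1: new_key}
        self.sn_boundary: Optional[int] = None
        self.old_key_valid = True

    def apply_sn_indication(self, sn_boundary: int) -> None:
        """SN indication (RRC/MAC/PHY): packets with SN below the boundary use the old key."""
        self.sn_boundary = sn_boundary

    def receive(self, p: Packet) -> Optional[bytes]:
        if p.end_marker:
            self.old_key_valid = False  # previously stored key fails; only the new key from now on
            return None
        if p.key_indicator is not None:            # explicit per-packet indication wins
            key = self.keys[p.key_indicator]
        elif self.old_key_valid and self.sn_boundary is not None and p.sn < self.sn_boundary:
            key = self.keys[0]                      # before the boundary: original key
        elif self.old_key_valid and self.sn_boundary is None:
            key = self.keys[0]                      # no change signalled yet
        else:
            key = self.keys[1]                      # at/after the boundary or after end-marker
        return toy_cipher(key, p.sn, p.payload)


OLD_KEY, NEW_KEY = b"old-key-constructed", b"new-key-constructed"  # constructed sample keys


def demo_figure4_path() -> List[bytes]:
    """Constructed scenario: SNs 3 and 4 were cached at the source (old key) and forwarded
    unchanged; the target ciphers SNs 5 and 6 with the new key and signals boundary 5."""
    cached = cipher_packets(OLD_KEY, [3, 4], [b"pkt3", b"pkt4"])   # source RAN, old key
    fresh = cipher_packets(NEW_KEY, [5, 6], [b"pkt5", b"pkt6"])    # target RAN, new key
    ue = UeReceiver(OLD_KEY, NEW_KEY)
    ue.apply_sn_indication(5)
    return [ue.receive(p) for p in cached + fresh]


def demo_core_path() -> List[bytes]:
    """Constructed scenario for Figures 5/6: the cached packets are re-ciphered by the CN
    devices, so everything from the target uses the new key; an end-marker retires the old key."""
    cached = cipher_packets(OLD_KEY, [3, 4], [b"pkt3", b"pkt4"])
    rekeyed = re_encrypt_via_core(cached, OLD_KEY, NEW_KEY)
    fresh = cipher_packets(NEW_KEY, [5], [b"pkt5"])
    ue = UeReceiver(OLD_KEY, NEW_KEY)
    out = [ue.receive(Packet(0, b"", end_marker=True))]
    out += [ue.receive(p) for p in rekeyed + fresh]
    return [x for x in out if x is not None]
```

Running `demo_figure4_path()` and `demo_core_path()` returns the original plaintexts in both scenarios; deciphering a forwarded old-key packet with the new key (for instance by signalling the boundary too low) returns garbage, which is the mismatch the SN boundary, key indicator and end-marker exist to prevent.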
In order for the first RAN device to determine whether the user plane security information of a network slice resides on the first RAN device side or on the first CN device side, the first RAN device may also receive a network slice management message sent by an operation and management (OAM) device.
Specifically, the flow shown in Figure 7 includes the following steps:
Step 701: the OAM device sends a network slice management message to the first RAN device.
The network slice management message includes the basic user plane security information of the network slice. The OAM may be a slice manager device, and/or a slice management device in the RAN domain, and/or an element management system (EMS) on the RAN side, etc. The other content the message may include is as described for the user plane security information in the above embodiments and is not repeated here.
The specific form of the message is not limited: depending on the information content to be encoded, different user plane security information may be represented by different fields, or it may be encoded by means of an index.
Step 702: the first RAN device receives the network slice management message sent by the OAM device and sends a confirmation message to the OAM device.
After receiving the network slice management message, the first RAN device may send a confirmation message to the OAM device, or may send none. The confirmation message may include one or more of the following pieces of information: a confirm success message, indicating that the RAN device agrees to the network slice instance generation and/or configuration change sent by the OAM device in message 1; a confirm failure message, indicating that the RAN device refuses the network slice instance generation and/or configuration change sent by the OAM device through the network slice management message. Further, the confirm failure message may also indicate the reason for the failure, for example that one or more configuration requirements of the network slice management message cannot be completed, such as the configuration of the enciphering/deciphering algorithm.
Step 703: the first RAN device stores the basic user plane security information of the network slice. Optionally, the first RAN device may send the user plane security information of the network slice to the UE through an air interface message.
The air interface message may be an RRC message, such as an RRC connection setup message or an RRC connection reconfiguration message.
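Steps 701 to 703 amount to a configuration check at the RAN: each slice entry says where user plane ciphering sits and what the slice requires, and the RAN either stores it and confirms success, or refuses with a reason such as the enciphering/deciphering algorithm configuration that cannot be completed. The following Python is an added example, not code from the patent or any product. The field names of the user plane security information, the capability model of the RAN device, the algorithm names and the all-or-nothing acceptance are assumptions made for illustration; the patent leaves the message form open.

```python
"""RAN-side handling of the network slice management message (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CONFIRM_SUCCESS = "confirm_success"
CONFIRM_FAILURE = "confirm_failure"


@dataclass(frozen=True)
class UserPlaneSecurityInfo:
    """Per-slice user plane security information from the network slice management
    message. The field names are assumptions for this example."""
    slice_id: str
    ciphering_position: str   # "RAN" or "CN": where user plane enciphering/deciphering sits
    ciphering_algorithm: str  # algorithm the slice requires (constructed names in the demo)


@dataclass(frozen=True)
class RanCapabilities:
    """What the first RAN device can actually configure (assumed capability model)."""
    supported_algorithms: Set[str]
    ciphering_at_ran_supported: bool


def handle_slice_management(msg: List[UserPlaneSecurityInfo],
                            caps: RanCapabilities,
                            store: Dict[str, UserPlaneSecurityInfo]) -> Tuple[str, List[str]]:
    """Steps 702/703 at the RAN: validate every slice entry; only if all of them can be
    configured, store them (step 703) and answer confirm success. Otherwise answer
    confirm failure with one reason per requirement that cannot be completed, and
    store nothing (all-or-nothing is a design choice of this example)."""
    reasons: List[str] = []
    for info in msg:
        if info.ciphering_position not in ("RAN", "CN"):
            reasons.append(f"{info.slice_id}: unknown enciphering/deciphering position "
                           f"{info.ciphering_position!r}")
            continue
        if info.ciphering_position == "RAN":
            # only when the RAN does the ciphering must it support the slice's algorithm
            if not caps.ciphering_at_ran_supported:
                reasons.append(f"{info.slice_id}: user plane enciphering/deciphering "
                               f"at the RAN is not supported")
            elif info.ciphering_algorithm not in caps.supported_algorithms:
                # the failure reason named in step 702: algorithm configuration cannot be completed
                reasons.append(f"{info.slice_id}: cannot complete enciphering/deciphering "
                               f"algorithm configuration for {info.ciphering_algorithm}")
    if reasons:
        return CONFIRM_FAILURE, reasons
    for info in msg:
        store[info.slice_id] = info
    return CONFIRM_SUCCESS, []


def ciphering_at_ran(slice_id: str, store: Dict[str, UserPlaneSecurityInfo]) -> bool:
    """The question the OAM message answers for the RAN: is this slice's user plane
    ciphering on the RAN side (True) or the CN side (False)? Unknown slice raises KeyError."""
    return store[slice_id].ciphering_position == "RAN"


if __name__ == "__main__":
    caps = RanCapabilities(supported_algorithms={"ALG-A", "ALG-B"}, ciphering_at_ran_supported=True)
    store: Dict[str, UserPlaneSecurityInfo] = {}
    ok = [UserPlaneSecurityInfo("slice-1", "RAN", "ALG-A"),
          UserPlaneSecurityInfo("slice-2", "CN", "ALG-Z")]   # CN-side slice: RAN need not support ALG-Z
    print(handle_slice_management(ok, caps, store))          # ('confirm_success', [])
    print(ciphering_at_ran("slice-1", store), ciphering_at_ran("slice-2", store))  # True False
    bad = [UserPlaneSecurityInfo("slice-3", "RAN", "ALG-Z")]
    print(handle_slice_management(bad, caps, store))         # ('confirm_failure', ['slice-3: ...'])
```

A slice whose ciphering is on the CN side is accepted even if the RAN does not implement the algorithm it names, because the RAN never applies it; that distinction is exactly what the position indication gives the RAN.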
The above embodiments show that the first access network device receives the request message sent by the terminal device; the first access network device sends one or more network slice selection information items to the first core network device; the first access network device receives the response message sent by the first core network device, where the user plane security information includes user plane enciphering/deciphering position indication information used for enciphering/deciphering the user plane data packets of the services associated with the network slices selected by the terminal device; the first access network device sends the user plane security information to the terminal device; and the first access network device receives the encrypted data sent by the terminal device and transmits the encrypted data to the first core network device, where the encrypted data is data processed by the terminal device according to the user plane security information. Because the first access network device receives the user plane security information sent by the first core network device, the first access network device can learn the user plane security information associated with the services of the network slice, for example whether the first access network device needs to encipher/decipher the user plane data packets of the services. The first access network device sends the user plane security information that the first core network device configured for the terminal device to the terminal device, so that the terminal device enciphers/deciphers in data transmission according to that user plane security information. This achieves security and reliability of the data transmission procedure under the network slicing architecture. Since the first core network device configures the user plane security information according to the one or more network slice selection information items, the different requirements of different network slices for user plane security can be met, which improves the flexibility and differentiation of data enciphering/deciphering.
The terminal device mentioned in the embodiments of the present invention may be a wireless terminal device or a wired terminal device. A wireless terminal device may refer to a device that provides voice and/or other service data connectivity to a user, a handheld device with a wireless connection function, or another processing device connected to a wireless modem. A wireless terminal device may communicate with one or more core networks via a Radio Access Network (RAN). The wireless terminal device may be a mobile terminal, such as a mobile phone (also called a "cellular" phone) or a computer with a mobile terminal; for example, it may be a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile device that exchanges voice and/or data with the radio access network. Examples include a Personal Communication Service (PCS) phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station and a Personal Digital Assistant (PDA). A wireless terminal device may also be called a system, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, an access terminal, a user terminal, a user agent, or a user device or user equipment.
In addition, the term "and/or" in the embodiments of the present invention only describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist at the same time, or B exists alone. In addition, the character "/" in the embodiments of the present invention generally indicates an "or" relationship between the associated objects before and after it.
Some English abbreviations in the embodiments of the present invention describe the embodiments using an LTE system as an example; they may change as the network evolves, and the specific evolution may refer to the descriptions in the corresponding standards.
Referring next to Figure 8, Figure 8 is a possible structural diagram of a data security transmission apparatus provided in an embodiment of the present invention. The apparatus is, for example, a possible structure of the above first access network device, second access network device, first core network device, second core network device or terminal device. As shown in Figure 8, the apparatus includes: a processor 10, a transmitter 20, a receiver 30, a memory 40 and an antenna 50. The memory 40, the transmitter 20, the receiver 30 and the processor 10 may be connected through a bus. Of course, in practice, the memory 40, the transmitter 20, the receiver 30 and the processor 10 need not be connected in a bus structure and may use other structures, such as a star structure; this application does not specifically limit this.
Optionally, the processor 10 may specifically be a general-purpose central processing unit or an Application Specific Integrated Circuit (ASIC), may be one or more integrated circuits for controlling program execution, may be a hardware circuit developed using a Field Programmable Gate Array (FPGA), or may be a baseband processor.
Optionally, the processor 10 may include at least one processing core.
Optionally, the memory 40 may include one or more of a Read Only Memory (ROM), a Random Access Memory (RAM) and a disk storage. The memory 40 is used to store the data and/or instructions required when the processor 10 runs. There may be one or more memories 40. Part of the memory 40 may be integrated with the processor, or may be arranged independently of the processor.
Optionally, the transmitter 20 and the receiver 30 may be physically independent of each other, or may be integrated. The transmitter 20 may transmit data through the antenna 50. The receiver 30 may receive data through the antenna 50.
Based on the same inventive concept, an embodiment of the present invention further provides a data security transmission apparatus (as shown in Fig. 8), which is used to implement any one of the preceding methods.
When the apparatus is an access network device, such as the aforementioned first access network device, the processor 10 is configured to control the receiver 30 to receive a request message sent by a terminal device, the request message including one or more pieces of network slice selection information, and to control the transmitter 20 to send the one or more pieces of network slice selection information to a first core network device;
the processor 10 is further configured to control the receiver 30 to receive a response message sent by the first core network device, the response message including user plane security information configured by the first core network device for the terminal device; the user plane security information includes user plane encryption/decryption location indication information, used for encrypting/decrypting the user plane data packets of the services transmitted in association with the network slice selected by the terminal device;
the processor 10 is further configured to control the transmitter 20 to send the user plane security information to the terminal device, to control the receiver 30 to receive encrypted data transmitted by the terminal device, and to control the transmitter 20 to transmit the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
Optionally, the access network device further includes a memory 40;
the processor 10 is further configured to:
after transmitting the encrypted data to the first core network device, control the transmitter 20 to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver 30 to receive a handover request acknowledge message sent by the second access network device;
control the transmitter 20 to send a handover command to the terminal device, and control the memory 40 to buffer the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device are data encrypted by the first core network device and sent to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
control the transmitter 20 to send an SN status transfer message to the second access network device, indicating one or more uplink and downlink SN states in RLC mode;
control the transmitter 20 to send the buffered encrypted data to the second access network device.
Optionally, the second access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the transmitter 20 to send the buffered encrypted data to the first core network device.
Optionally, the processor 10 is further configured to:
before controlling the transmitter 20 to send the buffered encrypted data to the first core network device, control the transmitter 20 to send the SN status transfer message to the first core network device.
Optionally, the buffered encrypted data include data buffered by the access network device that are to be sent to the terminal device, and data that have already been sent to the terminal device but for which feedback from the terminal device has not yet been received.
Optionally, the user plane security information further includes header compression function location indication information and integrity protection function location indication information.
Optionally, the processor 10 is further configured to:
before controlling the receiver 30 to receive the encrypted data transmitted by the terminal device, control the receiver 30 to receive a network slice management message sent by an operation and management device, the network slice management message including user plane security information of a basic network slice;
control the memory 40 to store the user plane security information of the basic network slice.
When the apparatus is a terminal device, the transmitter 20 is configured to send a request message to a first access network device, the request message including one or more pieces of network slice selection information;
the receiver 30 is configured to receive user plane security information, sent by the first access network device, that a first core network device configured for the terminal device, the user plane security information including user plane encryption/decryption location indication information;
the processor 10 is configured to process data to be transmitted according to the user plane security information to generate encrypted data, and to control the transmitter 20 to transmit the encrypted data to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to transmit the encrypted data to the first access network device, control the receiver 30 to receive a handover command sent by the first access network device;
establish an RRC connection with a second access network device, and control the transmitter 20 to send a handover complete message to the second access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to send the handover complete message to the second access network device, control the receiver 30 to receive an SN indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
When the apparatus is a core network device, the receiver 30 is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor 10 is configured to configure user plane security information for a terminal device according to the one or more pieces of network slice selection information;
the transmitter 20 is configured to send the user plane security information to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to send the user plane security information to the first access network device, control the receiver 30 to receive an SN status transfer message sent by the first access network device and buffered encrypted data to be transmitted to a second access network device.
When the apparatus is a second access network device, the processor 10 is configured to control the receiver 30 to receive a handover request message sent by a first access network device;
the processor 10 is further configured to control the transmitter 20 to send a handover request acknowledge message to the first access network device, to receive an SN status transfer message sent by the first access network device, and to control the receiver 30 to receive encrypted data sent by the first access network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the receiver 30 to receive data sent by the second core network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is further configured to:
after controlling the receiver 30 to receive the encrypted data sent by the first access network device, establish an RRC connection with the terminal device, and control the transmitter 20 to send SN indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
Based on the same inventive concept, an embodiment of the present invention further provides a data security transmission apparatus, which includes functional modules for executing the steps of the foregoing methods.
The various variations and specific examples of the data transmission method in the foregoing embodiments apply equally to the data transmission apparatus of this embodiment and to the apparatus in Fig. 8. From the foregoing detailed description of the data transmission method, a person skilled in the art can clearly understand how the data transmission apparatus of this embodiment and the apparatus in Fig. 8 are implemented, so for brevity of the description they are not detailed here.
A person skilled in the art should understand that the embodiments of this application may be provided as a method or a computer program product. Therefore, this application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
Although preferred embodiments of this application have been described, a person skilled in the art, once aware of the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of this application.
Obviously, a person skilled in the art can make various modifications and variations to this application without departing from its scope. Thus, if these modifications and variations fall within the scope of the claims of this application and their technical equivalents, this application is also intended to include them.
Claims (30)
1. A method of data security transmission, characterized in that the method comprises:
a first access network device receiving a request message sent by a terminal device, the request message including one or more pieces of network slice selection information;
the first access network device sending the one or more pieces of network slice selection information to a first core network device;
the first access network device receiving a response message sent by the first core network device, the response message including user plane security information configured by the first core network device for the terminal device, the user plane security information including user plane encryption/decryption location indication information used for encrypting/decrypting the user plane data packets of the services transmitted in association with the network slice selected by the terminal device;
the first access network device sending the user plane security information to the terminal device;
the first access network device receiving encrypted data transmitted by the terminal device and transmitting the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
2. The method according to claim 1, characterized in that after the first access network device transmits the encrypted data to the first core network device, the method further comprises:
the first access network device sending a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
the first access network device receiving a handover request acknowledge message sent by the second access network device;
the first access network device sending a handover command to the terminal device and buffering the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device are data encrypted by the first core network device and sent to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
the first access network device sending a sequence number (SN) status transfer message to the second access network device, indicating one or more uplink and downlink SN states in radio link control (RLC) mode;
the first access network device sending the buffered encrypted data to the second access network device.
3. The method according to claim 2, characterized in that the second access network device communicates with a second core network device; and
the first access network device sending the buffered encrypted data to the second access network device comprises:
the first access network device sending the buffered encrypted data to the first core network device.
4. The method according to claim 3, characterized in that before the first access network device sends the buffered encrypted data to the first core network device, the method further comprises:
the first access network device sending the SN status transfer message to the first core network device.
5. The method according to any one of claims 2 to 4, characterized in that the buffered encrypted data include data buffered by the first access network device that are to be sent to the terminal device, and data that have already been sent to the terminal device but for which feedback from the terminal device has not yet been received.
6. The method according to any one of claims 1 to 5, characterized in that the user plane security information further includes header compression function location indication information and integrity protection function location indication information.
7. The method according to any one of claims 1 to 6, characterized in that before the first access network device receives the encrypted data transmitted by the terminal device, the method further comprises:
the first access network device receiving a network slice management message sent by an operation and management device, the network slice management message including user plane security information of a basic network slice;
the first access network device storing the user plane security information of the basic network slice.
8. A method of data security transmission, characterized in that the method comprises:
a terminal device sending a request message to a first access network device, the request message including one or more pieces of network slice selection information;
the terminal device receiving user plane security information, sent by the first access network device, that a first core network device configured for the terminal device, the user plane security information including user plane encryption/decryption location indication information;
the terminal device processing data to be transmitted according to the user plane security information to generate encrypted data, and transmitting the encrypted data to the first access network device.
9. The method according to claim 8, characterized in that after the terminal device transmits the encrypted data to the first access network device, the method further comprises:
the terminal device receiving a handover command sent by the first access network device;
the terminal device establishing a radio resource control (RRC) connection with a second access network device and sending a handover complete message to the second access network device.
10. The method according to claim 9, characterized in that after the terminal device sends the handover complete message to the second access network device, the method further comprises:
the terminal device receiving a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
11. A method of data security transmission, characterized in that the method comprises:
a first core network device receiving one or more pieces of network slice selection information sent by a first access network device;
the first core network device configuring user plane security information for a terminal device according to the one or more pieces of network slice selection information;
the first core network device sending the user plane security information to the first access network device.
12. The method according to claim 11, characterized in that after the first core network device sends the user plane security information to the first access network device, the method further comprises:
the first core network device receiving a sequence number (SN) status transfer message sent by the first access network device and buffered encrypted data to be transmitted to a second access network device.
13. A method of data security transmission, characterized in that the method comprises:
a second access network device receiving a handover request message sent by a first access network device;
the second access network device sending a handover request acknowledge message to the first access network device and receiving a sequence number (SN) status transfer message sent by the first access network device;
the second access network device receiving encrypted data sent by the first access network device.
14. The method according to claim 13, characterized in that the first access network device communicates with a first core network device and the second access network device communicates with a second core network device; and
the second access network device receiving the encrypted data sent by the first access network device comprises:
the second access network device receiving data sent by the second core network device.
15. The method according to claim 13 or 14, characterized in that the first access network device communicates with a first core network device and the second access network device communicates with a second core network device; and
after the second access network device receives the encrypted data sent by the first access network device, the method further comprises:
the second access network device establishing a radio resource control (RRC) connection with the terminal device;
the second access network device sending sequence number (SN) indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
16. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein:
the processor is configured to control the receiver to receive a request message sent by a terminal device, the request message including one or more pieces of network slice selection information, and to control the transmitter to send the one or more pieces of network slice selection information to a first core network device;
the processor is further configured to control the receiver to receive a response message sent by the first core network device, the response message including user plane security information configured by the first core network device for the terminal device, the user plane security information including user plane encryption/decryption location indication information used for encrypting/decrypting the user plane data packets of the services transmitted in association with the network slice selected by the terminal device;
the processor is further configured to control the transmitter to send the user plane security information to the terminal device, to control the receiver to receive encrypted data transmitted by the terminal device, and to control the transmitter to transmit the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
17. The access network device according to claim 16, characterized in that the access network device further comprises a memory; and
the processor is further configured to:
after transmitting the encrypted data to the first core network device, control the transmitter to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver to receive a handover request acknowledge message sent by the second access network device;
control the transmitter to send a handover command to the terminal device and control the memory to buffer the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device are data encrypted by the first core network device and sent to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
control the transmitter to send a sequence number (SN) status transfer message to the second access network device, indicating one or more uplink and downlink SN states in radio link control (RLC) mode;
control the transmitter to send the buffered encrypted data to the second access network device.
18. The access network device according to claim 17, characterized in that the second access network device communicates with a second core network device; and
the processor is specifically configured to:
control the transmitter to send the buffered encrypted data to the first core network device.
19. The access network device according to claim 18, characterized in that the processor is further configured to:
before controlling the transmitter to send the buffered encrypted data to the first core network device, control the transmitter to send the SN status transfer message to the first core network device.
20. The access network device according to any one of claims 17 to 19, characterized in that the buffered encrypted data include data buffered by the access network device that are to be sent to the terminal device, and data that have already been sent to the terminal device but for which feedback from the terminal device has not yet been received.
21. The access network device according to any one of claims 16 to 20, characterized in that the user plane security information further includes header compression function location indication information and integrity protection function location indication information.
22. The access network device according to any one of claims 16 to 21, characterized in that the processor is further configured to:
before controlling the receiver to receive the encrypted data transmitted by the terminal device, control the receiver to receive a network slice management message sent by an operation and management device, the network slice management message including user plane security information of a basic network slice;
control the memory to store the user plane security information of the basic network slice.
23. A terminal device, characterized in that the terminal device comprises a receiver, a processor and a transmitter, wherein:
the transmitter is configured to send a request message to a first access network device, the request message including one or more pieces of network slice selection information;
the receiver is configured to receive user plane security information, sent by the first access network device, that a first core network device configured for the terminal device, the user plane security information including user plane encryption/decryption location indication information;
the processor is configured to process data to be transmitted according to the user plane security information to generate encrypted data, and to control the transmitter to transmit the encrypted data to the first access network device.
24. The terminal device according to claim 23, characterized in that the processor is further configured to:
after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover command sent by the first access network device;
establish a radio resource control (RRC) connection with a second access network device, and control the transmitter to send a handover complete message to the second access network device.
25. The terminal device according to claim 24, characterized in that the processor is further configured to:
after controlling the transmitter to send the handover complete message to the second access network device, control the receiver to receive a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
26. A core network device, characterized in that the core network device comprises a receiver, a processor and a transmitter, wherein:
the receiver is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor is configured to configure user plane security information for a terminal device according to the one or more pieces of network slice selection information;
the transmitter is configured to send the user plane security information to the first access network device.
27. The core network device according to claim 26, characterized in that the processor is further configured to:
after controlling the transmitter to send the user plane security information to the first access network device, control the receiver to receive a sequence number (SN) status transfer message sent by the first access network device and buffered encrypted data to be transmitted to a second access network device.
28. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein:
the processor is configured to control the receiver to receive a handover request message sent by a first access network device;
the processor is further configured to control the transmitter to send a handover request acknowledge message to the first access network device, to receive a sequence number (SN) status transfer message sent by the first access network device, and to control the receiver to receive encrypted data sent by the first access network device.
29. The access network device according to claim 28, characterized in that the first access network device communicates with a first core network device and the access network device communicates with a second core network device; and
the processor is specifically configured to:
control the receiver to receive data sent by the second core network device.
30. The access network device according to claim 28 or 29, characterized in that the first access network device communicates with a first core network device and the access network device communicates with a second core network device; and
the processor is further configured to:
after controlling the receiver to receive the encrypted data sent by the first access network device, establish a radio resource control (RRC) connection with the terminal device, and control the transmitter to send sequence number (SN) indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
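The configuration and handover flow of the apparatus description and of claims 1 to 15, as an added simulation that is not part of the patent: the core network device selects user plane security information by network slice, the terminal device encrypts toward the endpoint named by the encryption/decryption location indication, the first access network device passes core-terminated ciphertext through unread, and at handover it forwards the buffered downlink data together with an SN status transfer to the second access network device. Device names, keys, slice identifiers and the XOR keystream are constructed for this example; the text names no cipher.

```python
"""Constructed simulation of the flow described above (apparatus description, claims 1-15):
the core configures user-plane (UP) security info per slice, the terminal encrypts toward the
endpoint that info names, and the source base station forwards buffered ciphertext plus an SN
status transfer at handover. Names, keys, packets and the toy XOR keystream are constructed."""
import hashlib

ACCESS_NETWORK = "access_network"   # UP encryption/decryption terminates at the base station
CORE_NETWORK = "core_network"       # UP encryption/decryption terminates in the core


def keystream_xor(key: bytes, sn: int, data: bytes) -> bytes:
    """Toy SN-bound stream cipher: XOR with SHA-256(key || SN || counter) blocks."""
    stream = b"".join(hashlib.sha256(key + sn.to_bytes(4, "big") + i.to_bytes(4, "big"))
                      .digest() for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


class CoreNetworkDevice:
    def __init__(self, policy: dict, key: bytes):
        self.policy, self.key = policy, key   # slice id -> UP security info; terminal key
        self.received = []                    # uplink data after core-side processing

    def configure(self, slice_selection: list) -> dict:
        """UP security info for the first requested slice this core serves."""
        for slice_id in slice_selection:
            if slice_id in self.policy:
                return dict(self.policy[slice_id], slice=slice_id)
        raise LookupError("no requested slice is served by this core")

    def receive_uplink(self, pkt: dict, info: dict) -> None:
        body = pkt["body"]
        if info["encryption_location"] == CORE_NETWORK:
            body = keystream_xor(self.key, pkt["sn"], body)     # decrypt in the core
        self.received.append(body)

    def send_downlink(self, an, data: list) -> None:   # core-encrypted downlink, buffered at AN
        for sn, plain in enumerate(data):
            an.unacked.append({"sn": sn, "body": keystream_xor(self.key, sn, plain)})
            an.dl_next = sn + 1


class AccessNetworkDevice:
    def __init__(self, name: str, core: CoreNetworkDevice, key: bytes):
        self.name, self.core, self.key = name, core, key
        self.info, self.sn_status, self.seen_plaintext = None, None, False
        self.unacked, self.dl_next = [], 0     # downlink awaiting terminal feedback; next SN

    def attach(self, slice_selection: list) -> None:
        self.info = self.core.configure(slice_selection)   # forward request, keep response

    def receive_uplink(self, pkt: dict) -> None:
        if self.info["encryption_location"] == ACCESS_NETWORK:   # decrypt at base station
            pkt = {"sn": pkt["sn"], "body": keystream_xor(self.key, pkt["sn"], pkt["body"])}
            self.seen_plaintext = True
        self.core.receive_uplink(pkt, self.info)   # otherwise ciphertext passes through

    def handover_to(self, target, terminal) -> None:   # request/ack, command, SN status, forward
        target.info = self.info                    # handover request ... acknowledge, simplified
        terminal.an = target                       # handover command; RRC with the target
        terminal.sn_boundary = target.sn_status = {"dl_next": self.dl_next, "ul_next": terminal.ul_sn}
        forwarded, self.unacked = self.unacked, []
        for pkt in forwarded:                      # target relays ciphertext it cannot read
            terminal.downlink.append(
                keystream_xor(terminal.keys[CORE_NETWORK], pkt["sn"], pkt["body"]))


class TerminalDevice:
    def __init__(self, keys: dict):
        self.keys = keys                           # endpoint name -> key shared with it
        self.an, self.info, self.ul_sn = None, None, 0
        self.downlink, self.sn_boundary = [], None

    def attach(self, an: AccessNetworkDevice, slice_selection: list) -> None:
        an.attach(slice_selection)                 # request message with slice selection info
        self.an, self.info = an, an.info

    def send(self, data: bytes) -> None:
        """Encrypt toward the endpoint named by the UP encryption location indication."""
        loc = self.info["encryption_location"]
        key = self.keys[CORE_NETWORK if loc == CORE_NETWORK else self.an.name]
        self.an.receive_uplink({"sn": self.ul_sn, "body": keystream_xor(key, self.ul_sn, data)})
        self.ul_sn += 1


def run_demo(slice_selection: list) -> dict:
    policy = {  # constructed per-slice policy; the integrity location is carried, not acted on
        "eMBB": {"encryption_location": ACCESS_NETWORK, "integrity_location": ACCESS_NETWORK},
        "URLLC-secure": {"encryption_location": CORE_NETWORK, "integrity_location": CORE_NETWORK}}
    core = CoreNetworkDevice(policy, key=b"k-core")
    an1 = AccessNetworkDevice("gnb-1", core, key=b"k-gnb-1")
    an2 = AccessNetworkDevice("gnb-2", core, key=b"k-gnb-2")
    ue = TerminalDevice({CORE_NETWORK: b"k-core", "gnb-1": b"k-gnb-1", "gnb-2": b"k-gnb-2"})
    ue.attach(an1, slice_selection)
    ue.send(b"sensor reading 42")
    core.send_downlink(an1, [b"ack-0", b"ack-1"])
    an1.handover_to(an2, ue)
    ue.send(b"after handover")
    return {"slice": ue.info["slice"], "core_received": core.received,
            "an1_saw_plaintext": an1.seen_plaintext, "sn_status": an2.sn_status,
            "terminal_downlink": ue.downlink}
```

Because the downlink here is always encrypted by the core (the case claim 2 describes), the target base station can relay the buffered packets without any re-keying; an access-network-terminated downlink would need new keys at handover, which the text does not cover.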
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710064248.8A CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
PCT/CN2018/074201 WO2018137689A1 (en) | 2017-01-26 | 2018-01-25 | Method for secure data transmission, access network, terminal and core network device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710064248.8A CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108366369A true CN108366369A (en) | 2018-08-03 |
CN108366369B CN108366369B (en) | 2021-02-12 |
Family ID: 62977804
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710064248.8A Active CN108366369B (en) | 2017-01-26 | 2017-01-26 | Method for data secure transmission, access network, terminal and core network equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108366369B (en) |
WO (1) | WO2018137689A1 (en) |
CN106210042A (en) * | 2016-07-11 | 2016-12-07 | 清华大学 | A kind of user based on end to end network section services request selection method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3281434B1 (en) * | 2015-04-08 | 2020-02-12 | Telefonaktiebolaget LM Ericsson (publ) | Method, apparatus, and system for providing encryption or integrity protection in a wireless network |
US20160352578A1 (en) * | 2015-05-26 | 2016-12-01 | Dell Products L.P. | System and method for adaptive paths locator for virtual network function links |
US9973578B2 (en) * | 2015-06-01 | 2018-05-15 | Telefonaktiebolaget Lm Ericsson (Publ) | Real time caching efficient check in a content centric networking (CCN) |
- 2017-01-26 CN CN201710064248.8A patent/CN108366369B/en active Active
- 2018-01-25 WO PCT/CN2018/074201 patent/WO2018137689A1/en active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101047500A (en) * | 2006-03-28 | 2007-10-03 | 华为技术有限公司 | Method for transmitting ciphered data pack in gradual network |
CN101047998A (en) * | 2006-06-27 | 2007-10-03 | 华为技术有限公司 | Data transmission method in switchover procedure between base station |
US20080076386A1 (en) * | 2006-09-22 | 2008-03-27 | Amit Khetawat | Method and apparatus for preventing theft of service in a communication system |
CN102056226A (en) * | 2009-11-10 | 2011-05-11 | 中兴通讯股份有限公司 | Method for acquiring PDCP (packet data convergence protocol) status report and PDCP entity |
CN106060900A (en) * | 2016-05-13 | 2016-10-26 | 宇龙计算机通信科技(深圳)有限公司 | Method and apparatus for controlling access to network slicing, terminal small cell and SDN controller |
CN106210042A (en) * | 2016-07-11 | 2016-12-07 | 清华大学 | A kind of user based on end to end network section services request selection method |
Non-Patent Citations (1)
Title |
---|
NOKIA: "《3GPP SA WG2 Meeting #114,Solution to Key Issue 8: Functional allocation in UE/ CN / RAN》", 11 April 2016 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108966217B (en) * | 2018-08-29 | 2022-05-17 | 焦作市数据安全工程研究中心 | Secret communication method, mobile terminal and secret gateway |
CN108966217A (en) * | 2018-08-29 | 2018-12-07 | 冯志杰 | A kind of secret communication method, mobile terminal and secrecy gateway |
CN111479335A (en) * | 2019-01-24 | 2020-07-31 | 华为技术有限公司 | Data transmission method and communication device |
CN111585721A (en) * | 2019-02-15 | 2020-08-25 | 华为技术有限公司 | Entity establishment processing method and device |
WO2020192050A1 (en) * | 2019-03-22 | 2020-10-01 | 长安大学 | V2r communication test system and test method based on 5g technology |
CN111770498A (en) * | 2019-04-01 | 2020-10-13 | 华为技术有限公司 | Method for determining security protection mode, access network equipment and terminal |
CN113348682B (en) * | 2019-06-28 | 2023-01-10 | Oppo广东移动通信有限公司 | Wireless communication method, terminal equipment, access network equipment and core network equipment |
CN113348682A (en) * | 2019-06-28 | 2021-09-03 | Oppo广东移动通信有限公司 | Wireless communication method, terminal equipment, access network equipment and core network equipment |
CN113766607A (en) * | 2020-06-03 | 2021-12-07 | 华为技术有限公司 | Access control method and related equipment |
WO2022125200A3 (en) * | 2020-10-23 | 2022-08-18 | Dish Wireless L.L.C. | Secondary operator integration with a cellular network |
US11622282B2 (en) | 2020-10-23 | 2023-04-04 | Dish Wireless L.L.C. | Secondary operator integration with a cellular network |
US11665549B2 (en) | 2020-10-23 | 2023-05-30 | Dish Wireless L.L.C. | Dynamic cellular network spectrum sharing |
US11930374B2 (en) | 2020-10-23 | 2024-03-12 | Dish Wireless L.L.C. | Dynamic cellular network spectrum sharing |
Also Published As
Publication number | Publication date |
---|---|
CN108366369B (en) | 2021-02-12 |
WO2018137689A1 (en) | 2018-08-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108366369A (en) | | A kind of method and access net, terminal, equipment of the core network of data security transmission |
US11950314B2 (en) | | Configuration method and apparatus, and system |
US11665579B2 (en) | | Apparatus and method for controlling data flow in wireless communication system |
CN109640324B (en) | | A kind of communication means and relevant apparatus |
CN103517356B (en) | | A kind of method for switching over, system and equipment |
CN110463270A (en) | | System and method for dynamic data relaying |
CN110505160A (en) | | A kind of communication means and device |
CN110475267A (en) | | A kind of configuration method, data transmission method and device |
US10348703B2 (en) | | Method and device for generating access stratum key in communications system |
CN109586900A (en) | | Data safety processing method and device |
CN108347410A (en) | | Safety implementation method, equipment and system |
CN104349309B (en) | | Using NH, NCC to the method for solving safety problem in a kind of mobile communication system |
CN106941733A (en) | | Method for realizing reconfiguration in dual connection, main service base station and auxiliary service base station |
CN105530681B (en) | | Method for processing business and device |
CN106233774A (en) | | Radio resource for integrated WLAN/3GPP radio access technologies controls (RRC) agreement |
CN109479336A (en) | | System and method for connection management |
CN108259362A (en) | | flow control method, device, CU and DU |
CN110166273A (en) | | A kind of transmission method and the network equipment |
CN110519807A (en) | | A kind of communication means and device |
KR20210094955A (en) | | The method of data forwarding when Conditional Handover or Dual Stack Protocol Handover is applied |
CN109246696B (en) | | Key processing method and related device |
CN108432338A (en) | | A kind of data transmission system, method and apparatus |
CN114828117A (en) | | Switching method, access network equipment and terminal equipment |
CN108307516A (en) | | Data transmission method and relevant device |
CN107734571A (en) | | The processing method and equipment of a kind of data transmission channel |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |