CN108366369A - A kind of method and access net, terminal, equipment of the core network of data security transmission - Google Patents


Info

Publication number
CN108366369A
Authority
CN
China
Prior art keywords
equipment
access network
network equipment
terminal device
user plane
Prior art date
Legal status
Granted
Application number
CN201710064248.8A
Other languages
Chinese (zh)
Other versions
CN108366369B (en)
Inventor
娄崇
刘星
黄曲芳
曾清海
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201710064248.8A (CN108366369B)
Priority to PCT/CN2018/074201 (WO2018137689A1)
Publication of CN108366369A
Application granted
Publication of CN108366369B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS
        • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
            • H04W12/03 Protecting confidentiality, e.g. by encryption
                • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
                • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
            • H04W12/08 Access security
        • H04W48/00 Access restriction; Network selection; Access point selection
            • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
            • H04W48/16 Discovering, processing access restriction or access information

Abstract

A method for secure data transmission, together with an access network device, a terminal device and a core network device. The method includes: a first access network device receives a request message sent by a terminal device; sends one or more items of network slice selection information to a first core network device; receives a response message sent by the first core network device; sends user plane security information to the terminal device; receives encrypted data transmitted by the terminal device; and transmits the encrypted data to the first core network device. The user plane security information that the first core network device configures for the terminal device is delivered to the terminal device through the first access network device, so that the terminal device encrypts its data transmissions according to that information, which improves the security and reliability of data transmission under a network slicing architecture. Because the first core network device configures the user plane security information according to the one or more items of network slice selection information, the flexibility and security of data encryption are also improved.

Description

A kind of method and access net, terminal, equipment of the core network of data security transmission
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a method for secure data transmission and to an access network device, a terminal device and a core network device.
Background technology
To cope with differing user demands, the fifth generation mobile communication system (5G) proposes a network architecture based on network slices (network slice, NS). Software defined networking (software defined network, SDN) and network function virtualization (network function virtualization, NFV) are the core technologies of the network slicing architecture. NFV virtualizes the underlying physical resources and loads virtual network functions (network function, NF) onto general-purpose platforms such as virtual machines; SDN establishes the logical connections between virtual machines and builds the paths that carry signaling and data flows. Dynamic links between the NFs of the radio access network (RAN) and the core network (CN) configure an end-to-end service chain and thereby build a network slice. According to each user's requirements for key performance indicators (KPI) such as capacity, coverage, rate, latency and reliability, an operator can form a particular set of network functions together with the network resources needed to run them, and so provide the required telecommunication services and network capability services to meet the scenarios and demands of specialized markets.
As shown in Figure 1, the Third Generation Partnership Project (3GPP) divides the main types of 5G network slice into the following three categories: enhanced mobile broadband (eMBB), massive machine type communication (mMTC) and ultra-reliable and low latency communications (URLLC). eMBB mainly targets terminals with high requirements on rate and mobility, such as mobile phones and multimedia devices; mMTC mainly targets Internet of Things devices, which are large in number and have low mobility and low rate requirements; URLLC mainly refers to services and device types with strict requirements on latency and reliability, such as vehicle networking and security information. For example, a mobile phone user can access an eMBB network slice for high-speed downloads or 4K HD video, while a sensor device can access an mMTC network slice for small packet transmission and system configuration updates. A user can access one or several network slices, or the whole network, at the same time, so as to meet service demands and obtain a good user experience.
The current 3GPP discussion of the network slicing architecture concentrates mainly on network slice selection. Its purpose is to select a suitable network slice for a user equipment (UE) and to associate the UE with a specific network slice, so as to establish the corresponding control plane (CP) and/or user plane (UP) connection with that network slice.
To ensure communication security, a UE needs to use a secure channel while communicating with a network slice. In the existing security mechanism, a master key is maintained on the RAN device side, for example in the eNB, and three sub-keys are derived from it; these apply to all radio bearers established by the UE, without considering the influence of other network slices. Because different network slices have different security grades, for a network slice with a high security grade the encryption/decryption function can be moved from the RAN device side to the CN device side to improve communication security. If the existing security mechanism continues to be used in this case, with a single master key maintained by the eNB, then an attack on a RAN-side network element may lead to the master key maintained by the eNB being cracked, which threatens the security of the other network slices.
Invention content
Embodiments of the present invention provide a method for secure data transmission, together with an access network device, a terminal device and a core network device, so as to improve the security and reliability of data transmission under a network slicing architecture and to improve the compatibility of data encryption.
In a first aspect, a method for secure data transmission is provided.
It includes: a first access network device receives a request message sent by a terminal device, the request message including one or more items of network slice selection information; the first access network device sends the one or more items of network slice selection information to a first core network device; the first access network device receives a response message sent by the first core network device; the first access network device sends the response message to the terminal device; and the first access network device receives encrypted data transmitted by the terminal device and transmits the encrypted data to the first core network device.
With reference to the first aspect, in a first possible implementation of the first aspect, the response message includes user plane security information configured by the first core network device for the terminal device, and the first access network device sending the response message to the terminal device includes: the first access network device sends the user plane security information to the terminal device.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the user plane security information includes user plane encryption/decryption position indication information, used for encrypting/decrypting the user plane data packets of the services associated with the network slice selected by the terminal device.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, the encrypted data is data that the terminal device has processed according to the user plane security information.
Because the first access network device receives the user plane security information sent by the first core network device, it can learn the user plane security information associated with the services of the network slice, for example whether the first access network device needs to encrypt/decrypt the user plane data packets transmitted by a service. The first access network device delivers the user plane security information that the first core network device configured for the terminal device to the terminal device, so that the terminal device encrypts/decrypts according to that information during data transmission, which achieves secure and reliable data transmission under the network slicing architecture. Because the first core network device configures the user plane security information according to the one or more items of network slice selection information, the different demands of different network slices on user plane security can be met, which improves the flexibility and differentiation of data encryption/decryption.
With reference to the first aspect or any one of its first to third possible implementations, in a fourth possible implementation of the first aspect, after the first access network device transmits the encrypted data to the first core network device, the method further includes: the first access network device sends a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over; the first access network device receives a handover request acknowledgement message sent by the second access network device; the first access network device sends a handover command to the terminal device and buffers the encrypted data to be forwarded to the second access network device, that data being data encrypted by the first core network device and transmitted to the terminal device, and the handover command instructing the terminal device to hand over from the first access network device to the second access network device; the first access network device sends a sequence number (Sequence Number, SN) status transfer message to the second access network device, indicating the next one or more uplink and downlink SN states of the radio link control (Radio Link Control, RLC) protocol mode; and the first access network device sends the buffered encrypted data to the second access network device.
Sending the buffered encrypted data described above to the second core network device through the first access network device solves the problem of packet loss during handover. At the same time, because what the first access network device forwards is encrypted data, the buffered data that the second access network device sends to the terminal device can still be decrypted on the terminal device side, which ensures the security of data transmission.
With reference to the first aspect or its fourth possible implementation, in a fifth possible implementation of the first aspect, the second access network device communicates with a second core network device, and the first access network device sending the buffered encrypted data to the second access network device includes: the first access network device sends the buffered encrypted data to the first core network device.
By having the first access network device send the encrypted data to the first core network device, so that the encrypted data buffered by the first access network device is transferred to the second access network device through the first core network device and the second core network device, data loss during handover can be resolved. Moreover, the first core network device can transmit the unencrypted data to the second core network device, so that the second core network device can encrypt it with the new security mechanism applicable to that device, and the data packets that the second access network device transfers to the terminal device can then use the security mechanism applicable to the second core network device. This ensures both the security of data transmission and a smooth change of security mechanism after the handover.
With reference to the first aspect or its fifth possible implementation, in a sixth possible implementation of the first aspect, before the first access network device sends the buffered encrypted data to the first core network device, the method further includes: the first access network device sends the SN status transfer message to the first core network device.
With reference to the first aspect or any one of its first to sixth possible implementations, in a seventh possible implementation of the first aspect, the buffered encrypted data includes data buffered by the first access network device that has not yet been sent to the terminal device, and data that has been sent to the terminal device but for which feedback from the terminal device has not yet been received.
With reference to the first aspect or any one of its first to seventh possible implementations, in an eighth possible implementation of the first aspect, the user plane security information further includes compression function position indication information and integrity protection function position indication information.
With reference to the first aspect or any one of its first to eighth possible implementations, in a ninth possible implementation of the first aspect, before the first access network device receives the encrypted data transmitted by the terminal device, the method further includes: the first access network device receives a network slice management message sent by an operation and management device, the network slice management message including the user plane security information of a basic network slice; and the first access network device stores the user plane security information of that basic network slice.
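The following is an added example, not part of the patent: a toy Python model of the first aspect and its handover implementations, in which the core network configures user plane security information from the slice selection items, ciphers downlink data on the CN side for a high-security slice, and the source access network forwards still-encrypted buffered data plus an SN status transfer at handover. The class names, the slice policy table, the shared root key and the HMAC-based stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class UpSecurityInfo:
    slice_id: str
    cipher_position: str       # "CN" or "RAN": where user-plane enciphering/deciphering sits
    integrity_position: str    # where integrity protection sits
    compression_position: str  # where header compression sits


@dataclass(frozen=True)
class SnStatusTransfer:
    next_dl_sn: int  # next downlink SN the target RAN should expect (RLC state)
    next_ul_sn: int  # next uplink SN


def derive_slice_key(root: bytes, slice_id: str) -> bytes:
    # Toy KDF: one user-plane key per slice, so no single RAN-held master key covers every slice.
    return hmac.new(root, b"up-key|" + slice_id.encode(), hashlib.sha256).digest()


def toy_cipher(key: bytes, sn: int, data: bytes) -> bytes:
    # Stand-in stream cipher keyed by (key, SN); XOR, so the same call decrypts.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        nonce = sn.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        stream += hmac.new(key, nonce, hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CoreNetwork:
    CN_CIPHER_SLICES = {"URLLC"}  # assumed policy: slice types whose security grade puts ciphering in the CN

    def __init__(self, root: bytes):
        self.root, self.next_dl_sn = root, 0

    def configure(self, slice_selection: list) -> UpSecurityInfo:
        # Third aspect: derive the terminal's UP security info from its slice selection items.
        slice_id = next((s for s in slice_selection if s in self.CN_CIPHER_SLICES), slice_selection[0])
        pos = "CN" if slice_id in self.CN_CIPHER_SLICES else "RAN"
        return UpSecurityInfo(slice_id, pos, pos, "RAN")

    def downlink(self, info: UpSecurityInfo, payload: bytes):
        # CN-side enciphering: the access network only ever handles ciphertext.
        sn, self.next_dl_sn = self.next_dl_sn, self.next_dl_sn + 1
        return sn, toy_cipher(derive_slice_key(self.root, info.slice_id), sn, payload)


class Terminal:
    def __init__(self, root: bytes):
        self.root, self.received = root, {}  # root stands in for the real key agreement

    def deliver(self, info: UpSecurityInfo, sn: int, ciphertext: bytes) -> None:
        self.received[sn] = toy_cipher(derive_slice_key(self.root, info.slice_id), sn, ciphertext)

    def missing_below(self, sn_boundary: int) -> list:
        # SN indication from the target RAN: every SN below the boundary should have arrived.
        return [sn for sn in range(sn_boundary) if sn not in self.received]


class AccessNetwork:
    def __init__(self):
        self.buffer = {}  # SN -> ciphertext: sent without terminal feedback, or not yet sent

    def send_downlink(self, terminal, info, sn, ct, delivered: bool) -> None:
        self.buffer[sn] = ct
        if delivered:  # terminal feedback received: drop from the buffer
            terminal.deliver(info, sn, ct)
            del self.buffer[sn]

    def handover(self, target, terminal, info, cn) -> SnStatusTransfer:
        # Handover request/ack, SN status transfer, then forwarding of the buffered
        # still-encrypted data; the source never decrypts because it holds no slice key.
        status = SnStatusTransfer(next_dl_sn=cn.next_dl_sn, next_ul_sn=0)
        target.buffer.update(self.buffer)
        self.buffer.clear()
        for sn, ct in sorted(target.buffer.items()):  # target delivers after the RRC connection
            terminal.deliver(info, sn, ct)
        target.buffer.clear()
        return status


def run_handover_scenario() -> dict:
    root = b"\x11" * 32  # constructed shared root for the toy model
    cn, ue, source, target = CoreNetwork(root), Terminal(root), AccessNetwork(), AccessNetwork()
    info = cn.configure(["eMBB", "URLLC"])  # the request message carried two slice selections
    pdus = [cn.downlink(info, p) for p in (b"pdu-0", b"pdu-1", b"pdu-2")]
    source.send_downlink(ue, info, *pdus[0], delivered=True)   # acknowledged by the terminal
    source.send_downlink(ue, info, *pdus[1], delivered=False)  # sent, no feedback yet
    source.buffer[pdus[2][0]] = pdus[2][1]                      # received from the CN, not yet sent
    status = source.handover(target, ue, info, cn)
    return {"cipher_position": info.cipher_position,
            "ciphertexts": [ct for _, ct in pdus],
            "plaintexts": [ue.received[sn] for sn in range(3)],
            "missing": ue.missing_below(status.next_dl_sn)}
```

The scenario exercises the seventh implementation's two buffer cases (sent without feedback, and not yet sent) and shows that the forwarded ciphertext decrypts at the terminal with no SN gap below the boundary.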
In a second aspect, a method for secure data transmission is provided.
The method includes: a terminal device sends a request message to a first access network device, the request message including one or more items of network slice selection information; the terminal device receives, from the first access network device, user plane security information configured for the terminal device by a first core network device, the user plane security information including user plane encryption/decryption position indication information; and the terminal device processes the data to be transmitted according to the user plane security information, generates encrypted data, and transmits the encrypted data to the first access network device.
The terminal device uses the user plane security information that the first core network device configured for it, delivered by the first access network device, to encrypt the data it needs to transmit to the first core network device, which improves the security and reliability of data transmission under the network slicing architecture.
With reference to the second aspect, in a first possible implementation of the second aspect, after the terminal device transmits the encrypted data to the first access network device, the method further includes: the terminal device receives a handover command sent by the first access network device; the terminal device establishes an RRC connection with a second access network device and sends a handover complete message to the second access network device.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, after the terminal device sends the handover complete message to the second access network device, the method further includes: the terminal device receives an SN indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
In a third aspect, a method for secure data transmission is provided.
The method includes: a first core network device receives one or more items of network slice selection information sent by a first access network device;
the first core network device configures user plane security information for a terminal device according to the one or more items of network slice selection information; and the first core network device sends the user plane security information to the first access network device.
With reference to the third aspect, in a first possible implementation of the third aspect, after the first core network device sends the user plane security information to the first access network device, the method further includes: the first core network device receives an SN status transfer message sent by the first access network device and the buffered encrypted data to be forwarded to a second access network device.
In a fourth aspect, a method for secure data transmission is provided.
The method includes: a second access network device receives a handover request message sent by a first access network device; the second access network device sends a handover request acknowledgement message to the first access network device and receives a sequence number (SN) status transfer message sent by the first access network device; and the second access network device receives the encrypted data sent by the first access network device.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first access network device communicates with a first core network device and the second access network device communicates with a second core network device, and the second access network device receiving the encrypted data sent by the first access network device includes: the second access network device receives the data sent by the second core network device.
With reference to the fourth aspect or its first possible implementation, in a second possible implementation of the fourth aspect, the first access network device communicates with a first core network device and the second access network device communicates with a second core network device, and after the second access network device receives the encrypted data sent by the first access network device, the method further includes: the second access network device establishes an RRC connection with the terminal device; and the second access network device sends SN indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
In a fifth aspect, an access network device is provided.
The access network device includes a receiver, a processor and a transmitter. The processor is configured to control the receiver to receive a request message sent by a terminal device, the request message including one or more items of network slice selection information, and to control the transmitter to send the one or more items of network slice selection information to a first core network device. The processor is further configured to control the receiver to receive a response message sent by the first core network device; the response message includes user plane security information configured by the first core network device for the terminal device, and the user plane security information includes user plane encryption/decryption position indication information for encrypting/decrypting the user plane data packets of the services associated with the network slice selected by the terminal device. The processor is further configured to control the transmitter to send the user plane security information to the terminal device, to control the receiver to receive the encrypted data transmitted by the terminal device, and to control the transmitter to transmit the encrypted data to the first core network device, the encrypted data being data that the terminal device has processed according to the user plane security information.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the access network device further includes a memory.
The processor is further configured to: after the encrypted data is transmitted to the first core network device, control the transmitter to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over; control the receiver to receive the handover request acknowledgement message sent by the second access network device; control the transmitter to send a handover command to the terminal device and control the memory to buffer the encrypted data to be forwarded to the second access network device, that data being data encrypted by the first core network device and transmitted to the terminal device, and the handover command instructing the terminal device to hand over from the first access network device to the second access network device; control the transmitter to send an SN status transfer message to the second access network device, indicating the next one or more uplink and downlink SN states of the RLC mode; and
control the transmitter to send the buffered encrypted data to the second access network device.
With reference to the fifth aspect or its first possible implementation, in a second possible implementation of the fifth aspect, the second access network device communicates with a second core network device, and the processor is specifically configured to control the transmitter to send the buffered encrypted data to the first core network device.
With reference to the fifth aspect or its second possible implementation, in a third possible implementation of the fifth aspect, the processor is further configured to: before controlling the transmitter to send the buffered encrypted data to the first core network device, control the transmitter to send the SN status transfer message to the first core network device.
With reference to the fifth aspect or any one of its first to third possible implementations, in a fourth possible implementation of the fifth aspect, the buffered encrypted data includes data buffered by the access network device that has not yet been sent to the terminal device, and data that has been sent to the terminal device but for which feedback from the terminal device has not yet been received.
With reference to the fifth aspect or any one of its first to fourth possible implementations, in a fifth possible implementation of the fifth aspect, the user plane security information further includes compression function position indication information and integrity protection function position indication information.
With reference to the fifth aspect or any one of its first to fifth possible implementations, in a sixth possible implementation of the fifth aspect, the processor is further configured to: before controlling the receiver to receive the encrypted data transmitted by the terminal device, control the receiver to receive a network slice management message sent by an operation and management device, the network slice management message including the user plane security information of a basic network slice; and control the memory to store the user plane security information of that basic network slice.
In a sixth aspect, a terminal device is provided.
The terminal device includes a receiver, a processor and a transmitter. The transmitter is configured to send a request message to a first access network device, the request message including one or more items of network slice selection information. The receiver is configured to receive, from the first access network device, user plane security information configured for the terminal device by a first core network device, the user plane security information including user plane encryption/decryption position indication information. The processor is configured to process the data to be transmitted according to the user plane security information, generate encrypted data, and control the transmitter to transmit the encrypted data to the first access network device.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the processor is further configured to: after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover command sent by the first access network device; establish an RRC connection with a second access network device; and control the transmitter to send a handover complete message to the second access network device.
With reference to the sixth aspect or its first possible implementation, in a second possible implementation of the sixth aspect, the processor is further configured to: after controlling the transmitter to send the handover complete message to the second access network device, control the receiver to receive a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
In a seventh aspect, a core network device is provided.
The core network device includes a receiver, a processor and a transmitter. The receiver is configured to receive one or more items of network slice selection information sent by a first access network device. The processor is configured to configure user plane security information for a terminal device according to the one or more items of network slice selection information. The transmitter is configured to send the user plane security information to the first access network device.
With reference to the seventh aspect, in a first possible implementation of the seventh aspect, the processor is further configured to: after controlling the transmitter to send the user plane security information to the first access network device, control the receiver to receive an SN status transfer message sent by the first access network device and the buffered encrypted data to be forwarded to a second access network device.
Eighth aspect provides a kind of access network equipment.
The access network equipment includes:Receiver, processor and transmitter and the processor, it is described for controlling Receiver receives the switching request message that the first access network equipment is sent;The processor, be additionally operable to control the transmitter to First access network equipment sends switching request acknowledgement message, and receives the SN states that first access network equipment is sent and pass Defeated message;And the control receiver receives the encrypted data that the first access network equipment is sent.
In combination with the eighth aspect, in a first possible implementation of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device; the processor is specifically configured to control the receiver to receive data sent by the second core network device.
In combination with the eighth aspect or the first possible implementation of the eighth aspect, in a second possible implementation of the eighth aspect, the first access network device communicates with a first core network device and the access network device communicates with a second core network device; the processor is further configured to: after controlling the receiver to receive the encrypted data sent by the first access network device, establish an RRC connection with the terminal device, and control the transmitter to send SN indication information to the terminal device, the SN indication information indicating the SN boundary value of the data received or sent by the terminal device.
In a ninth aspect, an access network device is provided. The access network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the fifth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the fifth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the fifth aspect or any implementation thereof.
In a tenth aspect, a terminal device is provided. The terminal device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the sixth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the sixth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the sixth aspect or any implementation thereof.
In an eleventh aspect, a core network device is provided. The core network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the seventh aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the seventh aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the seventh aspect or any implementation thereof.
In a twelfth aspect, an access network device is provided. The access network device includes a receiving unit, a processing unit and a sending unit. The receiving unit performs the steps performed by the receiver in the eighth aspect or any implementation thereof, the processing unit performs the steps performed by the processor in the eighth aspect or any implementation thereof, and the sending unit performs the steps performed by the transmitter in the eighth aspect or any implementation thereof.
In a thirteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the access network device performs the method of the first aspect or any possible implementation of the first aspect.
In a fourteenth aspect, an embodiment of the present application provides a terminal device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the terminal device performs the method of the second aspect or any possible implementation of the second aspect.
In a fifteenth aspect, an embodiment of the present application provides a core network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the core network device performs the method of the third aspect or any possible implementation of the third aspect.
In a sixteenth aspect, an embodiment of the present application provides an access network device that includes a memory, a transceiver and a processor. The memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive and send signals; and when the processor executes the instructions stored in the memory, the access network device performs the method of the fourth aspect or any possible implementation of the fourth aspect.
In a seventeenth aspect, a computer storage medium is provided. The computer storage medium stores program code, and the program code includes instructions for performing the method of any possible implementation of the first aspect, the second aspect, the third aspect or the fourth aspect.
Description of the drawings
Fig. 1 is a schematic diagram of a network slice classification;
Fig. 2 is a schematic diagram of a system architecture provided in an embodiment of the present invention;
Fig. 3 is a flow diagram of a data security transmission method provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a terminal device handover provided in an embodiment of the present invention;
Fig. 5 is a flow diagram of a data transmission method provided in an embodiment of the present invention;
Fig. 6 is a flow diagram of a data transmission method provided in an embodiment of the present invention;
Fig. 7 is a flow diagram of a user plane security information transmission provided in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a data security transmission apparatus provided in an embodiment of the present invention.
Detailed description
Fig. 2 shows an example of a system architecture to which an embodiment of the present invention is applicable; a data security transmission flow can be implemented on this architecture. The data security transmission system architecture provided in the embodiment may include a network device 110 and a terminal device 120.
The network device 110 may include a radio access network (RAN) device and a core network (CN) device that communicate with the terminal device 120. The RAN device may be an access point (AP) in a WLAN, a base transceiver station (BTS) in GSM or CDMA, a NodeB (NB) in WCDMA, an evolved NodeB (eNB or eNodeB) in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, or a network device in a future 5G network or a future evolved PLMN, such as a base station that can connect to a 5G core network device, a transmission and reception point (TRP), a centralized unit (CU) or a distributed unit (DU). The CN device may be a mobility management entity (MME) or a gateway in LTE, or a control plane (CP) network function (NF) or user plane (UP) network function in a 5G network, such as a common control plane network function (CCNF) or a session management function (SMF). Each network slice includes RAN devices and CN devices, and multiple network slices may share the network functions of one RAN device. The CN device may contain both network functions shared between network slices and network functions dedicated to a single slice: some slices share the shared network functions in the CN device, while others use dedicated network functions in the CN device on their own. For example, Slice A and Slice B share network functions in the CN device, whereas Slice C shares no network function with other slices and has CN network functions of its own.
In the embodiment of the present invention, the terminal device 120 may be a device with a wireless fidelity (WiFi) module, for example a mobile phone, a wristband, a tablet computer, a laptop, an ultra-mobile personal computer (UMPC), a personal digital assistant (PDA), a vehicle-mounted device, a wearable device or a sensor with network access capability; it is not limited to a communication terminal.
In a 5G system, network slices have different security requirements, so the encryption/decryption function of a slice with a high security level is moved from the RAN device side to the CN device side. Data that the CN device sends to the terminal device 120 then has to be encrypted on the CN device before it is sent to the terminal device 120 through the RAN device. When receiving or sending data, the terminal device 120 therefore needs to know the encryption/decryption key and the location of the encryption/decryption function.
Therefore, before the terminal device 120 initiates a service and transmits user plane data packets to the CN device, the key used to encrypt and decrypt the data it receives or sends must be determined, so that the data can be transmitted securely.
Based on the above, Fig. 3 shows an example of the flow of a data security transmission method provided in an embodiment of the present invention; this flow achieves secure transmission of data in a 5G system. The method is described below with reference to Fig. 2 and Fig. 3.
As shown in Fig. 3, the flow includes the following steps:
Step 301: the terminal device sends a request message to the first RAN device.
The request message sent to the first RAN device contains one or more pieces of network slice selection information, which indicate the network slice or slices to which the terminal device wants to connect. The request message may carry a non-access stratum (NAS) message that contains the one or more pieces of network slice selection information, so that after receiving the request message the first RAN device forwards the network slice selection information in it to the first CN device, in order to initiate network slice selection or protocol data unit (PDU) session establishment. Further, the request message may be an RRC message, a MAC message or a physical layer message.
The network slice selection information includes, but is not limited to, the following. A network slice type, such as enhanced mobile broadband (eMBB), ultra-reliable low latency communications (URLLC) or massive machine type communication (mMTC), indicating the type of the slice; the slice type may refer to the end-to-end slice type, covering both the RAN side and the CN side, or only to the RAN-side or the CN-side slice type. A service type, tied to a specific service such as video, vehicle networking or voice, indicating a service characteristic or a specific service. Tenant information, indicating the customer that created or rents the network slice, for example Tencent or State Grid. User group information, indicating a grouping of users by some characteristic, for example by user level. Slice group information, indicating a grouping, by some characteristic, of the network slices the user accesses. Network slice instance information, indicating the instance identifier and characteristics created for the slice: for example an identifier allocated to the slice instance, or a new identifier mapped on top of the instance identifier and associated with it, from which the receiver can tell which slice instance is meant. A dedicated core network (DCN) identifier, which uniquely identifies a dedicated core network such as a core network dedicated to the Internet of Things; optionally, the DCN identifier and the network slice identifier may be mapped to each other, so that a slice identifier can be derived from a DCN identifier and a DCN identifier from a slice identifier.
Step 302: the first RAN device receives the request message sent by the terminal device and sends the one or more pieces of network slice selection information to the first CN device.
After receiving the request message from the terminal device, the first RAN device can send the NAS message carried in the request message to the first CN device through an interface message between the first RAN device and the first CN device, so that the first CN device configures user plane security information for the terminal device according to the network slice selection information in the request message.
Step 303: the first CN device receives the one or more pieces of network slice selection information sent by the first RAN device and configures user plane security information for the terminal device according to them.
After receiving the network slice selection information from the first RAN device, the first CN device may optionally pass it to the CN device responsible for network slice security. That CN device can configure user plane security information according to the network slice selection information: for example, slices of different security levels can be given different user plane security information, or different services associated with a slice can be given different user plane security information. The user plane security information configured for the terminal device includes at least user plane encryption/decryption position indication information, which the terminal device uses to decrypt received data or encrypt data to be sent, improving the security of data transmission.
Specifically, the user plane security information may also include, but is not limited to, the following. Encryption/decryption function position information, that is, the anchor point of the encryption/decryption function: on the RAN side, on the CN side, or on both the RAN side and the CN side. If the function is on the RAN side, the RAN side must encrypt/decrypt user plane data packets; if it is on the CN side, the RAN side need not encrypt/decrypt them; if it is on both sides, the RAN side must also encrypt/decrypt them. On the RAN side the function may sit in the Packet Data Convergence Protocol (PDCP) layer or in the radio resource control (RRC) layer; on the CN side it may sit in the control plane or user plane network function responsible for security, such as the session management function or the network management function. Encryption/decryption enable switch information, for example turning the encryption/decryption function of the RAN side, the CN side, or both on or off. Encryption/decryption keys, for example the key used by the RAN side and the UE side, or the key used by the UE side and the CN side. The encryption/decryption algorithm, that is, the algorithm used by the encryption/decryption function of the RAN side, the CN side, or both. Robust header compression (ROHC) function position information, such as on the RAN side, on the CN side, or on both: if the header compression function is on the RAN side, the RAN side must compress the headers of user plane data packets; if it is on the CN side, the RAN side need not; if it is on both sides, the RAN side must also compress them. On the RAN side the function may sit in the PDCP layer or the RRC layer; on the CN side, in the control plane or user plane network function responsible for security, such as the session management function or the network management function. Header compression enable switch information, for example turning the header compression function of the RAN side, the CN side, or both on or off. The header compression algorithm, that is, the algorithm used by the header compression function of the RAN side, the CN side, or both. The header compression type, for example compressing the Real-time Transport Protocol (RTP), User Datagram Protocol (UDP) and Internet Protocol (IP) packet headers, only the UDP/IP headers, or only the IP header.
Further, the user plane security information may also include, but is not limited to, the following. Integrity protection function position information, such as on the RAN side, on the CN side, or on both: if the integrity protection function is on the RAN side, the RAN side must apply integrity protection to user plane data packets; if it is on the CN side, the RAN side need not; if it is on both sides, the RAN side must also apply it. On the RAN side the function may sit in the PDCP layer or the RRC layer; on the CN side, in the control plane or user plane network function responsible for security, such as the session management function or the network management function. Integrity protection enable switch information, for example turning the integrity protection function of the RAN side, the CN side, or both on or off. Integrity protection algorithm information, that is, the algorithm used by the integrity protection function of the RAN side, the CN side, or both. Key update function information, for example the algorithm used for key update when the terminal device performs a handover or an RRC connection re-establishment; further, this information may indicate whether the UE uses or derives a new key during the handover or RRC connection re-establishment procedure, or that it does not need to.
Step 304: the first CN device sends the user plane security information to the first RAN device.
The first CN device notifies the first RAN device, through an interface message, of the user plane security information it has configured for the terminal device, so that the first RAN device obtains it. The user plane security information may be carried explicitly or implicitly in the interface message and may apply to the following service-related configurations:
user plane security information corresponding to at least one network slice selected by the CN side for the UE, used for the user plane data transmitted over that slice; user plane security information corresponding to at least one radio bearer the RAN side needs to establish for the UE, used for the user plane data transmitted over that radio bearer; user plane security information corresponding to at least one PDU session established by the CN side for the UE, used for the user plane data of that PDU session; and user plane security information corresponding to at least one flow in a PDU session established by the CN side for the UE, used for the user plane data of that flow.
From the message, the first RAN device learns the user plane security information of the network slice, radio bearer, PDU session or flow within the PDU session, for example whether the first RAN device needs to perform encryption and/or header compression.
Optionally, the interface message may also carry the identifier of the network slice selected by the first CN device for the terminal device, and the information of the PDU session established by the first CN device for the terminal device.
Step 305: the first RAN device receives the response message sent by the first CN device and sends the user plane security information to the terminal device.
The response message contains the user plane security information configured by the first CN device for the terminal device, which includes at least the user plane encryption/decryption position indication information. The first RAN device then sends the user plane security information to the terminal device, so that the terminal device processes data to be transmitted according to it and produces encrypted data, for example decrypting received data or encrypting data to be sent, improving the security of data transmission.
The user plane security information configured by the first CN device can be sent to the terminal device in an air interface configuration message, which may be an RRC message, a MAC message or a physical layer message. The configuration message may carry the user plane security key explicitly or implicitly; the key may apply to one or more radio bearers, one or more PDU sessions, one or more flows within a PDU session, or the network slice corresponding to the PDU session. From the message the terminal device learns the security information of that radio bearer, PDU session, flow or network slice, for example whether the UE side needs to perform encryption/decryption and/or header compression at the PDCP layer.
Step 306: the terminal device receives, from the first RAN device, the user plane security information configured for it by the first CN device. The terminal device can process data to be transmitted according to the received user plane security information, produce encrypted data and send it to the first RAN device, and can likewise use the user plane security information to decrypt data received from the first RAN device.
After receiving from the first RAN device the user plane security information configured by the first CN device, the terminal device stores it. When it initiates a service, the terminal device encrypts the user plane data packets of the service with the stored user plane security information and then sends the encrypted data to the first RAN device.
Step 307: the first RAN device receives the encrypted data sent by the terminal device and forwards it to the first CN device.
The first RAN device receives the encrypted data sent by the terminal device and forwards it to the first CN device. The encrypted data is produced by the terminal device with the user plane security information that the first CN device configured for it. Encrypting the data with user plane security information configured by the first CN device further improves security during transmission, and avoids the situation in which an attack on the first RAN device leads to the failure of a master key and thereby threatens the security of other network slices.
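The following Python model of steps 301 to 307 is an added example; it is not part of the patent and not Huawei's code. It assumes a slice-type-to-anchor policy (URLLC slices anchored on the CN side, others on the RAN side), invented message field names, and an HMAC-SHA256 counter-mode keystream labelled "TOY-CTR" as a stand-in for a real NEA ciphering algorithm. It shows the property the paragraph above relies on: with the anchor on the CN side the first RAN device never receives the key, so it relays ciphertext it cannot read, whereas with a RAN-side anchor the RAN decrypts and the CN receives plaintext.

```python
# Added example (not from the patent): a toy model of steps 301-307.  The
# slice-to-anchor policy, the message field names and the HMAC-based keystream
# ("TOY-CTR", standing in for a real NEA algorithm) are assumptions for illustration.
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class SliceSelectionInfo:
    """Slice selection information carried in the UE's NAS message (step 301)."""
    slice_type: str               # "eMBB", "URLLC" or "mMTC"
    service_type: str = ""
    tenant: str = ""

@dataclass(frozen=True)
class UserPlaneSecurityInfo:
    """User plane security information configured by the CN (step 303)."""
    slice_id: str
    enc_anchor: str               # "RAN" or "CN": where user plane ciphering terminates
    enc_enabled: bool
    algorithm: str
    key: bytes                    # empty for a node that is not an endpoint of the ciphering

def keystream(key: bytes, count: int, bearer: int, direction: int, n: int) -> bytes:
    """Counter-mode keystream over (COUNT, BEARER, DIRECTION); stand-in for NEA."""
    out, block = b"", 0
    while len(out) < n:
        msg = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, count, bearer, direction, len(data))))

class CoreNetwork:
    """First CN device: chooses the anchor per slice and terminates CN-anchored ciphering."""
    CN_ANCHORED = {"URLLC"}       # assumption: slice types treated as high security level

    def __init__(self):
        self.configs = {}

    def configure(self, info: SliceSelectionInfo) -> UserPlaneSecurityInfo:
        key = hashlib.sha256(b"K_UP|" + info.slice_type.encode()).digest()  # constructed key
        anchor = "CN" if info.slice_type in self.CN_ANCHORED else "RAN"
        self.configs[info.slice_type] = UserPlaneSecurityInfo(info.slice_type, anchor, True, "TOY-CTR", key)
        return self.configs[info.slice_type]

    def receive_uplink(self, slice_id: str, count: int, bearer: int, data: bytes) -> bytes:
        cfg = self.configs[slice_id]
        if cfg.enc_anchor == "CN":
            return cipher(cfg.key, count, bearer, 0, data)   # decrypt here, not in the RAN
        return data                                           # RAN already decrypted it

class AccessNetwork:
    """First RAN device: relays the configuration (steps 302-305) and uplink data (step 307)."""
    def __init__(self, cn: CoreNetwork):
        self.cn, self.view, self.observed = cn, {}, {}

    def attach(self, info: SliceSelectionInfo) -> UserPlaneSecurityInfo:
        cfg = self.cn.configure(info)                         # interface message of step 304
        ran_key = cfg.key if cfg.enc_anchor == "RAN" else b""  # CN keeps its key to itself
        self.view[cfg.slice_id] = UserPlaneSecurityInfo(cfg.slice_id, cfg.enc_anchor,
                                                        cfg.enc_enabled, cfg.algorithm, ran_key)
        return cfg                                            # air interface configuration (step 305)

    def forward_uplink(self, slice_id: str, count: int, bearer: int, pdu: bytes) -> bytes:
        v = self.view[slice_id]
        if v.enc_anchor == "RAN":
            pdu = cipher(v.key, count, bearer, 0, pdu)        # RAN-side PDCP decrypts
        self.observed[slice_id] = pdu                         # the most the RAN can see
        return self.cn.receive_uplink(slice_id, count, bearer, pdu)

class Terminal:
    """Terminal device: stores the configuration (step 306) and ciphers uplink data."""
    def __init__(self):
        self.cfg, self.count = {}, {}

    def store(self, cfg: UserPlaneSecurityInfo) -> None:
        self.cfg[cfg.slice_id], self.count[cfg.slice_id] = cfg, 0

    def send(self, slice_id: str, bearer: int, payload: bytes) -> tuple:
        cfg, count = self.cfg[slice_id], self.count[slice_id]
        self.count[slice_id] = count + 1                      # COUNT must never repeat under one key
        return count, (cipher(cfg.key, count, bearer, 0, payload) if cfg.enc_enabled else payload)

def run_flow(slice_type: str, payload: bytes) -> dict:
    """Run steps 301-307 for one slice type and report what each node ended up with."""
    cn, ue = CoreNetwork(), Terminal()
    ran = AccessNetwork(cn)
    cfg = ran.attach(SliceSelectionInfo(slice_type))
    ue.store(cfg)
    count, pdu = ue.send(slice_type, 1, payload)
    recovered = ran.forward_uplink(slice_type, count, 1, pdu)
    return {"anchor": cfg.enc_anchor, "ran_holds_key": bool(ran.view[slice_type].key),
            "ran_saw": ran.observed[slice_type], "cn_recovered": recovered}
```

Calling `run_flow("URLLC", b"...")` returns `anchor == "CN"`, `ran_holds_key == False` and a `ran_saw` value that differs from the payload while `cn_recovered` equals it; `run_flow("eMBB", b"...")` returns the RAN-anchored case, in which the RAN holds the key and sees plaintext. The per-slice COUNT kept by `Terminal` is what makes a counter-mode keystream safe to reuse the key for: the same COUNT under one key would leak the XOR of two packets.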
When the user plane encryption/decryption function has been moved from the RAN device side to the CN device side, the terminal device may need to be handed over from the first RAN device to a second RAN device, or a second RAN device may be added for multi-connectivity operation so that both RAN devices jointly provide network connection service to the terminal device; in either case the first RAN device and the second RAN device connect to the same CN device. If the terminal device needs to be handed over from the first RAN device to the second RAN device, the first RAN device needs to forward the encrypted data to the second RAN device. The first RAN device is the source RAN node and the second RAN device is the target RAN node.
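The following Python model of the handover data path is an added example; it is not part of the patent and not Huawei's code. It assumes invented field names for the SN status transfer and SN indication messages, PDCP-style sequence numbers assigned at the CN-side ciphering point, and a constructed scenario in which the last acknowledgement from the UE is lost before the handover. Because the anchor is on the CN side, neither RAN node holds the key: the source forwards its buffered ciphertext unchanged, the target merges forwarded and freshly received PDUs, and the SN boundary it indicates to the UE lets the UE discard the duplicate without leaving a gap.

```python
# Added example (not from the patent): a toy model of the Fig. 4 data path when
# ciphering is anchored in the CN.  Field names, the SN bookkeeping and the
# constructed scenario (a lost acknowledgement) are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserPlanePdu:
    sn: int                       # PDCP-style sequence number assigned at the ciphering point
    ciphertext: bytes             # opaque to both RAN nodes: neither holds the key

@dataclass(frozen=True)
class SnStatusTransfer:
    """Sent from source to target RAN after the handover request acknowledgement."""
    ul_next_expected: int         # first uplink SN the source has not received
    dl_next_to_send: int          # first downlink SN the source has not seen acknowledged

@dataclass(frozen=True)
class SnIndication:
    """Sent by the target RAN to the UE once the RRC connection is established."""
    dl_boundary: int              # downlink SNs from here on come via the target
    ul_boundary: int              # uplink SN from which the UE resumes sending

class SourceRan:
    def __init__(self):
        self.dl_buffer, self.dl_acked, self.ul_received = [], 0, set()

    def receive_downlink(self, pdu: UserPlanePdu) -> None:
        self.dl_buffer.append(pdu)           # buffered as received: never decrypted here

    def deliver(self, n: int, acks_lost: int = 0) -> list:
        """Deliver the next n PDUs to the UE; the last acks_lost acknowledgements never arrive."""
        sent = self.dl_buffer[:n]
        self.dl_acked += n - acks_lost
        self.dl_buffer = self.dl_buffer[n - acks_lost:]   # unacknowledged PDUs stay buffered
        return sent

    def prepare_handover(self) -> tuple:
        """Return (SN status transfer, forwarded encrypted data) for the target RAN."""
        ul_next = 0
        while ul_next in self.ul_received:
            ul_next += 1
        return SnStatusTransfer(ul_next, self.dl_acked), list(self.dl_buffer)

class TargetRan:
    def __init__(self):
        self.status, self.forwarded, self.from_cn = None, [], []

    def receive_status_and_data(self, status: SnStatusTransfer, pdus: list) -> None:
        self.status, self.forwarded = status, pdus

    def receive_downlink(self, pdu: UserPlanePdu) -> None:
        self.from_cn.append(pdu)             # after the path switch the CN sends here directly

    def rrc_connected(self) -> SnIndication:
        return SnIndication(self.status.dl_next_to_send, self.status.ul_next_expected)

    def downlink_to_ue(self) -> list:
        """Forwarded and fresh PDUs, deduplicated and ordered, from the boundary onward."""
        merged = {p.sn: p for p in self.forwarded + self.from_cn}
        return [merged[sn] for sn in sorted(merged) if sn >= self.status.dl_next_to_send]

class Ue:
    def __init__(self):
        self.rx_next, self.received = 0, []

    def apply_sn_indication(self, ind: SnIndication) -> None:
        if ind.dl_boundary > self.rx_next:   # target would start past data the UE never got
            raise ValueError(f"SN boundary {ind.dl_boundary} leaves a gap before {self.rx_next}")

    def receive(self, pdus: list) -> None:
        for p in pdus:
            if p.sn < self.rx_next:
                continue                     # duplicate of a PDU the source already delivered
            if p.sn != self.rx_next:
                raise ValueError(f"gap at SN {p.sn}")
            self.received.append(p.sn)
            self.rx_next += 1

def simulate_handover(total_dl: int, delivered: int, acks_lost: int, ul_received: set) -> dict:
    """Constructed scenario: total_dl ciphered PDUs, the last two arriving after the path switch."""
    src, tgt, ue = SourceRan(), TargetRan(), Ue()
    pdus = [UserPlanePdu(sn, bytes([0xA0 ^ sn]) * 4) for sn in range(total_dl)]  # stand-in ciphertext
    for p in pdus[:-2]:
        src.receive_downlink(p)
    src.ul_received = set(ul_received)
    ue.receive(src.deliver(delivered, acks_lost))
    status, forwarded = src.prepare_handover()
    tgt.receive_status_and_data(status, forwarded)
    for p in pdus[-2:]:
        tgt.receive_downlink(p)
    ind = tgt.rrc_connected()
    ue.apply_sn_indication(ind)
    ue.receive(tgt.downlink_to_ue())
    return {"dl_boundary": ind.dl_boundary, "ul_boundary": ind.ul_boundary,
            "forwarded_sns": [p.sn for p in forwarded], "ue_received": ue.received}
```

With `simulate_handover(10, 4, 1, {0, 1, 2, 4})` the source has delivered SNs 0 to 3 but only seen acknowledgements for 0 to 2, so it forwards SNs 3 to 7 and reports a downlink boundary of 3 and an uplink boundary of 3 (the first uplink SN it is missing); the UE drops the duplicate SN 3 and ends up with 0 to 9 in order. Because the key lives on the CN side, nothing in this path needs a key change or a re-encryption at the target, which is the point of moving the anchor for high-security slices.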
The handover/multi-connectivity flow shown in Fig. 4 includes the following steps:
Step 401: the first RAN device sends a handover request message to the second RAN device.
The handover request message instructs the second RAN device to start handover preparation. Further, the handover request message includes, but is not limited to, the following information. A handover cause, indicating the reason for this handover, such as a radio network layer cause (a handover triggered by signal conditions, resource-based optimization, and so on). A target cell identifier, uniquely identifying the target cell. A handover restriction list, including the serving PLMN, equivalent PLMNs, forbidden service areas, and so on. A temporary identifier of the terminal device, used by the CN device to look up the stored context of the terminal device. The identifier of the core network control function entity associated with the terminal device. The network slice identifiers corresponding to one, several or all of the network slices selected by the terminal device. The information of the radio bearers that need to be established for one, several or all of the network slices selected by the terminal device, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information of the radio bearer; the specific contents may refer to the interface message of step 304. The information of the sessions that need to be established for one, several or all of the network slices selected by the terminal device, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information of the session; the specific contents may refer to the interface message of step 304. The information of the flows that need to be established for one, several or all of the network slices selected by the terminal device, such as the flow identifier, the flow-level QoS parameters, the tunnel destination node and the user plane security information of the flow; the specific contents may refer to the interface message of step 304. Radio bearer information, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information of the radio bearer; the specific contents may refer to the interface message of step 304. Other session information to be established, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information of the session; the specific contents may refer to the interface message of step 304. Other flow information to be established, such as the flow identifier, the flow-level QoS parameters, the tunnel destination node and the user plane security information of the flow; the specific contents may refer to the interface message of step 304. The context information of the terminal device, such as the network slice identifiers corresponding to one, several or all of the network slices to which the terminal device has subscribed.
Optionally, the first RAN device may send a RAN device addition request to the second RAN device, requesting the second RAN device to set up multi-connectivity operation and thereby allocate radio resources to the terminal device. Further, the RAN device addition request includes, but is not limited to, the following information. The information of the radio bearers that need to be established for one, several or all of the network slices selected by the terminal device, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information of the radio bearer; the specific contents may refer to the interface message of step 304. The information of the sessions that need to be established for one, several or all of the network slices selected by the terminal device, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information of the session; the specific contents may refer to the interface message of step 304. The information of the flows that need to be established for one, several or all of the network slices selected by the terminal device, such as the flow identifier, the flow-level QoS parameters, the tunnel destination node and the user plane security information of the flow; the specific contents may refer to the interface message of step 304. Other radio bearer information to be established, such as the radio bearer identifier, the bearer-level QoS parameters, the tunnel destination node and the user plane security information of the radio bearer; the specific contents may refer to the interface message of step 304. Other session information to be established, such as the session identifier, the session-level QoS parameters, the tunnel destination node and the user plane security information of the session; the specific contents may refer to the interface message of step 304. Other flow information to be established, such as the flow identifier, the flow-level QoS parameters, the tunnel destination node and the user plane security information of the flow; the specific contents may refer to the interface message of step 304.
Optionally, the first RAN device may send a RAN device modification request to the second RAN device, requesting modification of the context information of the terminal device held by the second RAN device and of the radio resource allocation that the second RAN device has prepared for the terminal device, so that radio resources are allocated to the terminal device. Further, the RAN device modification request includes, but is not limited to, the following information: the radio bearer information to be established, modified and released for one, more or all of the network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameters at radio bearer level, the tunnel destination node and the user plane security information corresponding to the radio bearer; the session information to be established, modified and released for one, more or all of the network slices selected by the terminal device, such as the session identifier, the QoS parameters at session level, the tunnel destination node and the user plane security information corresponding to the session; the flow information to be established, modified and released for one, more or all of the network slices selected by the terminal device, such as the flow identifier, the QoS parameters at flow level, the tunnel destination node and the user plane security information corresponding to the flow; and other radio bearer information, session information and flow information to be established, modified and released, carrying the same kinds of elements. For each of these, the specific message content may refer to the interface message of step 304.
Optionally, the first RAN device may send a RAN device modification required message to the second RAN device, to trigger the release of radio resources, a change of the primary serving cell, or a PDCP SN wrap-around. Further, the RAN device modification required message includes, but is not limited to, the following information: the radio bearer information to be released for one, more or all of the network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameters at radio bearer level, the tunnel destination node and the user plane security information corresponding to the radio bearer; the session information to be released for one, more or all of the network slices selected by the terminal device, such as the session identifier, the QoS parameters at session level, the tunnel destination node and the user plane security information corresponding to the session; the flow information to be released for one, more or all of the network slices selected by the terminal device, such as the flow identifier, the QoS parameters at flow level, the tunnel destination node and the user plane security information corresponding to the flow; and other radio bearer information, session information and flow information to be released, carrying the same kinds of elements. For each of these, the specific message content may refer to the interface message of step 304.
Step 402: the second RAN device receives the handover request message sent by the first RAN device and sends a handover request acknowledge message to the first RAN device.
The second RAN device sending the handover request acknowledge message to the first RAN device indicates that the second RAN device has prepared the resources and is ready for the handover. The handover request acknowledge message includes, but is not limited to, the following information: the identifier of the first RAN device; the identifier of the second RAN device; a transparent container from the second RAN device to the first RAN device, including the RRC handover command; the radio bearer information not admitted for one, more or all of the network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameters at radio bearer level, the tunnel destination node and the user plane security information corresponding to the radio bearer; the session information not admitted for one, more or all of the network slices selected by the terminal device, such as the session identifier, the QoS parameters at session level, the tunnel destination node and the user plane security information corresponding to the session; the flow information not admitted for one, more or all of the network slices selected by the terminal device, such as the flow identifier, the QoS parameters at flow level, the tunnel destination node and the user plane security information corresponding to the flow; and other radio bearer information, session information and flow information not admitted, carrying the same kinds of elements. For each of these, the specific message content may refer to the interface message of step 304.
Optionally, the second RAN device may send a RAN device addition request acknowledge to the first RAN device, indicating that the second RAN device has prepared the resources and has allocated radio resources to the terminal device. Further, the RAN device addition request acknowledge includes, but is not limited to, the following information: the radio bearer information not admitted and admitted, respectively, for one, more or all of the network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameters at radio bearer level, the tunnel destination node and the user plane security information corresponding to the radio bearer; the session information not admitted and admitted for one, more or all of the network slices selected by the terminal device, such as the session identifier, the QoS parameters at session level, the tunnel destination node and the user plane security information corresponding to the session; the flow information not admitted and admitted for one, more or all of the network slices selected by the terminal device, such as the flow identifier, the QoS parameters at flow level, the tunnel destination node and the user plane security information corresponding to the flow; and other radio bearer information, session information and flow information not admitted and admitted, carrying the same kinds of elements. For each of these, the specific message content may refer to the interface message of step 304.
Optionally, the second RAN device may send a RAN device modification request acknowledge to the first RAN device, in response to the modification request of the first RAN device. Further, the RAN device modification request acknowledge includes, but is not limited to, the following information: the radio bearer information not admitted and admitted for one, more or all of the network slices selected by the terminal device, such as the radio bearer identifier, the QoS parameters at radio bearer level, the tunnel destination node and the user plane security information corresponding to the radio bearer; the session information not admitted and admitted for one, more or all of the network slices selected by the terminal device, such as the session identifier, the QoS parameters at session level, the tunnel destination node and the user plane security information corresponding to the session; the flow information not admitted and admitted for one, more or all of the network slices selected by the terminal device, such as the flow identifier, the QoS parameters at flow level, the tunnel destination node and the user plane security information corresponding to the flow; and other radio bearer information, session information and flow information not admitted and admitted, carrying the same kinds of elements. For each of these, the specific message content may refer to the interface message of step 304.
Step 403: the first RAN device receives the handover request acknowledge message sent by the second RAN device, sends a handover command to the terminal device, and buffers the encrypted data to be transferred to the second RAN device.
After receiving the handover request acknowledge message, the first RAN device sends a handover command to the terminal device, instructing the terminal device to perform the handover. The handover command may be carried in an RRC message, which may also include, but is not limited to, the following information: the target cell identifier; the new temporary identifier of the terminal device; and the bearer configuration, such as the PDCP, Radio Link Control (RLC), Media Access Control (MAC) and physical layer configuration.
The first RAN device also needs to buffer the encrypted data to be transferred to the second RAN device. This data may be the data buffered by the first RAN device that is still to be sent to the terminal device, together with data that has already been sent to the terminal device but for which no feedback from the terminal device has yet been received.
Step 404: the first RAN device sends a Sequence Number (SN) status transfer message to the second RAN device and sends the buffered encrypted data to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status includes at least the SN of the first missing uplink Service Data Unit (SDU) and may also include a receive status bitmap for out-of-sequence uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to assign.
By sending the above buffered encrypted data to the second RAN device, the first RAN device avoids packet loss during the handover. Because the data forwarded by the first RAN device is already encrypted, the buffered data that the second RAN device sends to the UE can still be decrypted on the UE side, which ensures the security of the data transmission.
Step 405: the terminal device receives the handover command sent by the first RAN device, establishes an RRC connection with the second RAN device, and sends a handover complete message to the second RAN device.
After receiving the handover command, the terminal device establishes an RRC connection with the second RAN device and then sends a handover complete message, such as an RRC connection reconfiguration complete message, to the second RAN device to indicate that the handover has been completed.
Optionally, when the user plane encryption/decryption function has been moved from the RAN device side to the CN device side, and the terminal device needs to be handed over from the first RAN device to the second RAN device while the first RAN device and the second RAN device are connected to different CN devices, the first RAN device needs to transfer the encrypted data to the second RAN device. Here the first RAN device is the source RAN node and the second RAN device is the target RAN node.
Optionally, when a handover procedure over the interface between the RAN devices and the CN device needs to be triggered, for example when there is no direct terrestrial interface or wireless backhaul link between the first RAN device and the second RAN device, the handover request message of step 401 may be forwarded by the first core network device. For example, the first RAN device sends the handover request message (whose content may refer to the handover request message of step 401) to the first core network device, and the first core network device then sends the handover request message to the second RAN device, so that the first RAN device sends the handover request message to the second RAN device indirectly. The second RAN device sends a handover request acknowledge message (whose content may refer to the handover request acknowledge message of step 402) to the first core network device, and the first core network device then forwards the handover request acknowledge message to the first RAN device, so that the second RAN device sends the handover request acknowledge message to the first RAN device indirectly. The first RAN device receives the handover request acknowledge message sent by the second RAN device, sends a handover command to the terminal device, and buffers the encrypted data to be transferred to the second RAN device. The first RAN device sends a sequence number (SN) status transfer message to the second RAN device and sends the buffered encrypted data to the first core network device, and the first core network device then sends the received data to the second RAN device, so that the first RAN device sends the buffered encrypted data to the second RAN device indirectly.
The specific steps of the data transmission procedure are shown in Figure 5 and include the following:
Step 501: the first RAN device sends an SN status transfer message to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status includes at least the SN of the first missing uplink SDU and may also include a receive status bitmap for out-of-sequence uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to assign.
Step 502: the first RAN device sends the buffered encrypted data to the first CN device.
Optionally, the first RAN device sends an SN status transfer message to the second CN device.
Step 503: the first CN device receives the encrypted data sent by the first RAN device, decrypts the encrypted data, and sends the unencrypted data to the second CN device.
The data may be the data buffered by the first RAN device that is still to be sent to the terminal device, together with data already sent to the terminal device for which no feedback from the terminal device has yet been received.
Step 504: the second CN device receives the unencrypted data sent by the first CN device and sends the unencrypted data to the second RAN device.
Transferring the encrypted data buffered by the first RAN device to the second RAN device via the first CN device and the second CN device avoids data loss during the handover. Because the first CN device passes unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to it, so that the data packets the second RAN device delivers to the UE use the security mechanism applicable to the second CN device. This ensures the security of the data transmission and a smooth change of security mechanism after the handover.
Optionally, when the user plane encryption/decryption function has been moved from the RAN device side to the CN device side, and the terminal device needs to be handed over from the first RAN device to the second RAN device while the first RAN device and the second RAN device are connected to different CN devices, the first RAN device needs to transfer the encrypted data to the second RAN device. Here the first RAN device is the source RAN node and the second RAN device is the target RAN node.
The specific steps of the data transmission procedure are shown in Figure 6 and include the following:
Step 601: the first RAN device sends an SN status transfer message to the second RAN device.
The SN status transfer message indicates the uplink PDCP SN receive status and/or the downlink PDCP SN transmit status corresponding to one or more bearers, sessions or flows operating in RLC acknowledged mode. For example, the uplink PDCP SN receive status includes at least the SN of the first missing uplink SDU and may also include a receive status bitmap for out-of-sequence uplink SDUs, which indicates which uplink SDUs the UE needs to retransmit at RAN node 2. The downlink PDCP SN transmit status indicates the next new PDCP SN that RAN node 2 needs to assign.
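The SN status transfer message described for steps 404, 501 and 601 (first missing uplink SN, receive bitmap of out-of-sequence SDUs, next downlink SN) is illustrated by the following added example; it is not code from the patent, and the 12-bit SN length, the class names and the field layout are assumptions modelled on the description rather than a wire format.

```python
"""PDCP SN status transfer: source-side receive state and target-side use.

Added illustration, not the patent's code. Assumptions: 12-bit PDCP SN,
bitmap bit i describes SN first_missing + 1 + i, bit set = received.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

SN_BITS = 12                  # assumed PDCP SN length
SN_MOD = 1 << SN_BITS


def sn_after(a: int, b: int) -> bool:
    """True if SN a lies at or after SN b in the half-window sense (handles wrap-around)."""
    return (a - b) % SN_MOD < SN_MOD // 2


@dataclass
class PdcpUlRxState:
    """Uplink PDCP receive state kept by the source RAN node for one RLC AM bearer."""
    next_expected: int = 0                       # lowest SN not yet received in sequence
    out_of_order: Set[int] = field(default_factory=set)

    def receive(self, sn: int) -> None:
        sn %= SN_MOD
        if sn == self.next_expected:
            self.next_expected = (self.next_expected + 1) % SN_MOD
            # advance past SDUs that arrived earlier out of sequence
            while self.next_expected in self.out_of_order:
                self.out_of_order.discard(self.next_expected)
                self.next_expected = (self.next_expected + 1) % SN_MOD
        elif sn_after(sn, self.next_expected):
            self.out_of_order.add(sn)
        # SNs before next_expected are duplicates and are ignored

    def receive_status(self) -> Tuple[int, List[bool]]:
        """Return (first missing SN, bitmap); the bitmap is empty when nothing is out of sequence."""
        first_missing = self.next_expected
        if not self.out_of_order:
            return first_missing, []
        highest = max(self.out_of_order, key=lambda s: (s - first_missing) % SN_MOD)
        length = (highest - first_missing) % SN_MOD
        bitmap = [((first_missing + 1 + i) % SN_MOD) in self.out_of_order
                  for i in range(length)]
        return first_missing, bitmap


@dataclass
class SnStatusTransfer:
    """Per-bearer content of the SN status transfer message (assumed layout)."""
    bearer_id: int
    ul_first_missing_sn: int
    ul_receive_bitmap: List[bool]
    dl_next_sn: int                              # next new downlink PDCP SN for RAN node 2


def build_sn_status_transfer(bearer_id: int, rx: PdcpUlRxState,
                             dl_next_sn: int) -> SnStatusTransfer:
    """Source RAN node: assemble the message from its receive state and DL transmit state."""
    first_missing, bitmap = rx.receive_status()
    return SnStatusTransfer(bearer_id, first_missing, bitmap, dl_next_sn % SN_MOD)


def ul_sdus_to_retransmit(msg: SnStatusTransfer) -> List[int]:
    """Target RAN node: SNs the UE must retransmit (first missing plus every cleared bit)."""
    missing = [msg.ul_first_missing_sn]
    for i, received in enumerate(msg.ul_receive_bitmap):
        if not received:
            missing.append((msg.ul_first_missing_sn + 1 + i) % SN_MOD)
    return missing


if __name__ == "__main__":
    # constructed sample: uplink SDUs 3 and 6 were lost on the source side
    rx = PdcpUlRxState()
    for sn in (0, 1, 2, 4, 5, 7):
        rx.receive(sn)
    msg = build_sn_status_transfer(bearer_id=1, rx=rx, dl_next_sn=100)
    print(msg, ul_sdus_to_retransmit(msg))
```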
Step 602: the first RAN device sends an SN status transfer message to the second CN device.
Optionally, the first RAN device sends the buffered encrypted data to the first CN device. The data may be the data buffered by the first RAN device that is still to be sent to the terminal device, together with data already sent to the terminal device for which no feedback from the terminal device has yet been received.
Step 603: the first CN device receives the encrypted data sent by the first RAN device, decrypts the encrypted data, and sends the unencrypted data to the second CN device.
Step 604: the second CN device receives the unencrypted data sent by the first CN device and sends the unencrypted data to the second RAN device.
Transferring the encrypted data buffered by the first RAN device to the second RAN device via the first CN device and the second CN device avoids data loss during the handover. Because the first CN device passes unencrypted data to the second CN device, the second CN device can encrypt the data with the new security mechanism applicable to it, so that the data packets the second RAN device delivers to the UE use the security mechanism applicable to the second CN device. This ensures the security of the data transmission and a smooth change of security mechanism after the handover.
Further, when the terminal device is handed over from the first RAN device to the second RAN device and the first RAN device and the second RAN device are connected to different CN devices, then in the procedure shown in Figure 4 the second RAN device, after receiving the handover complete message sent by the terminal device, sends an SN indication message to the terminal device. The SN indication message may be an RRC message, a MAC message or a physical layer message, and includes, but is not limited to, the following related information: an SN boundary value, indicating to the UE which received and transmitted data packets need to use the original encryption/decryption key and which need to use the new encryption/decryption key; for example, data packets whose corresponding PDCP SDU SN lies before the SN boundary value need to use the original encryption/decryption key, and later data packets need to use the new encryption/decryption key.
Optionally, the SN indication message may instead be realised by adding a key indicator in the data packet, notifying the terminal device that the key used to encrypt/decrypt that data packet has changed and that the new key needs to be used.
Optionally, the SN indication message may also take the form of an end-marker data packet: the second RAN device sends one end-marker data packet indicating that the encryption/decryption key previously stored on the UE side is no longer valid and that the new key is to be used from then on.
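The three ways just described for telling the UE which key applies to a PDCP packet after the handover (SN boundary value, per-packet key indicator, end-marker packet) are illustrated by the following added example of UE-side key selection; it is not code from the patent. The ciphering primitive is a stand-in (XOR with an HMAC-SHA256 keystream bound to the SN) chosen so the example runs with the standard library only, and the 12-bit SN length and class names are assumptions.

```python
"""UE-side selection of the old or new user plane key after handover.

Added illustration, not the patent's code. The cipher below is a toy
stand-in for the user plane encryption/decryption algorithm, which this
text does not specify; only the key-selection logic is the point.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SN_BITS = 12                     # assumed PDCP SN length
SN_MOD = 1 << SN_BITS


def sn_at_or_after(sn: int, boundary: int) -> bool:
    """Modular comparison so an SN boundary close to wrap-around still works."""
    return (sn - boundary) % SN_MOD < SN_MOD // 2


def cipher(key: bytes, sn: int, data: bytes) -> bytes:
    """Toy stream cipher (assumption): XOR with an HMAC-derived keystream keyed by SN.
    Encryption and decryption are the same operation."""
    keystream = bytearray()
    block = 0
    while len(keystream) < len(data):
        msg = sn.to_bytes(2, "big") + block.to_bytes(4, "big")
        keystream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


@dataclass
class PdcpPdu:
    sn: int
    payload: bytes
    key_indicator: Optional[bool] = None   # variant 2: True = new key, False = old key
    end_marker: bool = False               # variant 3: end-marker packet, no user data


class UeKeyContext:
    """Holds the key used before the handover (old) and the key of the target (new)."""

    def __init__(self, old_key: bytes, new_key: bytes):
        self.old_key: Optional[bytes] = old_key
        self.new_key = new_key
        self.sn_boundary: Optional[int] = None

    def on_sn_indication(self, sn_boundary: int) -> None:
        """Variant 1: SN indication message carrying the SN boundary value."""
        self.sn_boundary = sn_boundary % SN_MOD

    def _select_key(self, pdu: PdcpPdu) -> bytes:
        if pdu.key_indicator is True:
            return self.new_key
        if pdu.key_indicator is False and self.old_key is not None:
            return self.old_key
        if self.old_key is None:               # old key invalidated by an end-marker
            return self.new_key
        if self.sn_boundary is not None:
            return self.new_key if sn_at_or_after(pdu.sn, self.sn_boundary) else self.old_key
        return self.old_key                    # no indication received yet

    def decrypt(self, pdu: PdcpPdu) -> Optional[bytes]:
        """Return the plaintext, or None for an end-marker packet."""
        if pdu.end_marker:
            self.old_key = None                # previously stored key is invalid from here on
            return None
        return cipher(self._select_key(pdu), pdu.sn, pdu.payload)


if __name__ == "__main__":
    # constructed sample keys and packets
    old, new = b"old-key-0123456789abcdef", b"new-key-0123456789abcdef"
    ue = UeKeyContext(old, new)
    ue.on_sn_indication(10)
    before = PdcpPdu(9, cipher(old, 9, b"sent before boundary"))
    after = PdcpPdu(10, cipher(new, 10, b"sent at boundary"))
    print(ue.decrypt(before), ue.decrypt(after))
```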
To enable the first RAN device to determine whether the user plane security information of a network slice resides on the first RAN device side or on the first CN device side, the first RAN device may also receive a network slice management message sent by an Operation and Maintenance (OAM) device.
Specifically, the procedure shown in Figure 7 includes the following steps:
Step 701: the OAM device sends a network slice management message to the first RAN device.
The network slice management message includes the basic user plane security information of the network slice. The OAM may be a slice management (slice manager) device and/or a slice management device in the RAN domain and/or an Element Management System (EMS) on the RAN side, among others. The message may also include the user plane security information content described in the above embodiments, which is not repeated here.
The specific form of the message is not limited: different user plane security information may be represented by different fields according to the content of the information, or it may be encoded by means of an index.
Step 702: the first RAN device receives the network slice management message sent by the OAM device and sends a confirmation message to the OAM device.
After receiving the network slice management message, the first RAN device may send a confirmation message to the OAM device, or may send none. The confirmation message may include one or more of the following: a confirm success message, indicating that the RAN device agrees to generate and/or modify the configuration of the network slice instance sent by the OAM device in message 1; or a confirm failure message, indicating that the RAN device refuses to generate and/or modify the configuration of the network slice instance sent by the OAM device in the network slice management message. Further, the confirm failure message may also indicate the reason for the failure, for example that one or more configuration requirements of the network slice management message cannot be fulfilled, such as the configuration of the encryption/decryption algorithm.
Step 703: the first RAN device stores the basic user plane security information of the network slice. Optionally, the first RAN device may send the user plane security information of the network slice to the UE in an air-interface message.
The air-interface message may be an RRC message, such as an RRC connection setup message or an RRC connection reconfiguration message.
The above embodiments show that the first access network device receives a request message sent by the terminal device, sends one or more pieces of network slice selection information to the first core network device, and receives a response message sent by the first core network device. The user plane security information includes user plane encryption/decryption position indication information, used for encrypting/decrypting the user plane data packets of the services associated with the network slices selected by the terminal device. The first access network device sends the user plane security information to the terminal device, receives the encrypted data sent by the terminal device, and transmits the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information. By receiving the user plane security information sent by the first core network device, the first access network device learns the user plane security information associated with the services of the network slice, for example whether the first access network device needs to encrypt/decrypt the user plane data packets of the service; and by sending the terminal device the user plane security information that the first core network device configured for it, the terminal device can encrypt/decrypt according to that information during data transmission. This achieves secure and reliable data transmission under a network slicing architecture. Because the first core network device configures the user plane security information according to the one or more pieces of network slice selection information, it can meet the differing user plane security requirements of different network slices, improving the flexibility and differentiation of data encryption/decryption.
The terminal device mentioned in the embodiments of the present invention may be a wireless terminal device or a wired terminal device. A wireless terminal device may refer to a device that provides a user with voice and/or other service data connectivity, a handheld device with wireless connection capability, or another processing device connected to a wireless modem. A wireless terminal device may communicate with one or more core networks via a Radio Access Network (RAN); it may be a mobile terminal, such as a mobile telephone (also called a "cellular" telephone) or a computer with a mobile terminal, for example a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile device that exchanges voice and/or data with the radio access network. Examples include Personal Communication Service (PCS) telephones, cordless telephones, Session Initiation Protocol (SIP) telephones, Wireless Local Loop (WLL) stations and Personal Digital Assistants (PDAs). A wireless terminal device may also be referred to as a system, Subscriber Unit, Subscriber Station, Mobile Station, Mobile, Remote Station, Remote Terminal, Access Terminal, User Terminal, User Agent, User Device or User Equipment.
In addition, the term "and/or" in the embodiments of the present invention merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the character "/" in the embodiments of the present invention generally indicates an "or" relationship between the associated objects before and after it.
Some English abbreviations in the embodiments of the present invention describe the embodiments using an LTE system as an example; they may change as the network evolves, and the specific evolution may refer to the description in the corresponding standards.
Referring next to Fig. 8, Fig. 8 is a possible structural diagram of a data security transmission apparatus provided in an embodiment of the present invention. The apparatus is, for example, a possible structure of the first access network device, the second access network device, the first core network device, the second core network device or the terminal device described above. As shown in Fig. 8, the apparatus includes a processor 10, a transmitter 20, a receiver 30, a memory 40 and an antenna 50. The memory 40, the transmitter 20 and the receiver 30 may be connected to the processor 10 by a bus. Of course, in practice the connection between the memory 40, the transmitter 20, the receiver 30 and the processor 10 need not be a bus structure and may be another structure, such as a star structure; this application is not specifically limited in this respect.
Optionally, the processor 10 may specifically be a general-purpose central processing unit or an application-specific integrated circuit (English: Application Specific Integrated Circuit; abbreviated: ASIC), may be one or more integrated circuits used to control program execution, may be a hardware circuit developed using a field-programmable gate array (English: Field Programmable Gate Array; abbreviated: FPGA), or may be a baseband processor.
Optionally, the processor 10 may include at least one processing core.
Optionally, the memory 40 may include one or more of a read-only memory (English: Read Only Memory; abbreviated: ROM), a random access memory (English: Random Access Memory; abbreviated: RAM) and a magnetic disk storage. The memory 40 is used to store the data and/or instructions required when the processor 10 runs. There may be one or more memories 40. Part of the memory 40 may be integrated with the processor or arranged independently of the processor.
Optionally, the transmitter 20 and the receiver 30 may be physically independent of each other or may be integrated. The transmitter 20 may transmit data through the antenna 50. The receiver 30 may receive data through the antenna 50.
Based on the same inventive concept, an embodiment of the present invention further provides a data security transmission apparatus (as shown in Fig. 8), which is used to implement any one of the foregoing methods.
When the apparatus is an access network device, such as the aforementioned first access network device, the processor 10 is configured to control the receiver 30 to receive a request message sent by a terminal device, the request message including one or more pieces of network slice selection information, and to control the transmitter 20 to send the one or more pieces of network slice selection information to a first core network device.
The processor 10 is further configured to control the receiver 30 to receive a response message sent by the first core network device. The response message includes user plane security information configured by the first core network device for the terminal device. The user plane security information includes user plane encryption/decryption position indication information, used for encrypting/decrypting the user plane data packets of the service associated with the network slice selected by the terminal device.
The processor 10 is further configured to control the transmitter 20 to send the user plane security information to the terminal device, to control the receiver 30 to receive encrypted data transmitted by the terminal device, and to control the transmitter 20 to transmit the encrypted data to the first core network device. The encrypted data is data processed by the terminal device according to the user plane security information.
Optionally, the access network device further includes a memory 40;
the processor 10 is further configured to:
after the encrypted data has been transmitted to the first core network device, control the transmitter 20 to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver 30 to receive a handover request acknowledgement message sent by the second access network device;
control the transmitter 20 to send a handover command to the terminal device and control the memory 40 to cache the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device is data encrypted by the first core network device and transmitted to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
control the transmitter 20 to send an SN status transfer message to the second access network device, indicating one or more uplink and downlink SN statuses of the RLC mode;
control the transmitter 20 to send the cached encrypted data to the second access network device.
Optionally, the second access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the transmitter 20 to send the cached encrypted data to the first core network device.
Optionally, the processor 10 is further configured to:
before controlling the transmitter 20 to send the cached encrypted data to the first core network device, control the transmitter 20 to send the SN status transfer message to the first core network device.
Optionally, the cached encrypted data includes data cached by the access network device that is to be sent to the terminal device, and data that has been sent to the terminal device for which no feedback from the terminal device has yet been received.
Optionally, the user plane security information further includes header compression function position indication information and integrity protection function position indication information.
Optionally, the processor 10 is further configured to:
before controlling the receiver 30 to receive the encrypted data transmitted by the terminal device, control the receiver 30 to receive a network slice management message sent by an operation and management device, the network slice management message including network-slice-based user plane security information;
control the memory 40 to store the network-slice-based user plane security information.
When the apparatus is a terminal device, the transmitter 20 is configured to send a request message to a first access network device, the request message including one or more pieces of network slice selection information;
the receiver 30 is configured to receive user plane security information, configured by a first core network device for the terminal device and sent by the first access network device, the user plane security information including user plane encryption/decryption position indication information;
the processor 10 is configured to process data to be transmitted according to the user plane security information to generate encrypted data, and to control the transmitter 20 to transmit the encrypted data to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to transmit the encrypted data to the first access network device, control the receiver 30 to receive a handover command sent by the first access network device;
establish an RRC connection with a second access network device, and control the transmitter 20 to send a handover complete message to the second access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to send the handover complete message to the second access network device, control the receiver 30 to receive an SN indication message sent by the second access network device, which indicates the SN boundary value of the data received or sent by the terminal device.
When the apparatus is a core network device, the receiver 30 is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor 10 is configured to configure user plane security information for the terminal device according to the one or more pieces of network slice selection information;
the transmitter 20 is configured to send the user plane security information to the first access network device.
Optionally, the processor 10 is further configured to:
after controlling the transmitter 20 to send the user plane security information to the first access network device, control the receiver 30 to receive an SN status transfer message sent by the first access network device and cached encrypted data to be transmitted to a second access network device.
When the apparatus is a second access network device, the processor 10 is configured to control the receiver 30 to receive a handover request message sent by a first access network device;
the processor 10 is further configured to control the transmitter 20 to send a handover request acknowledgement message to the first access network device, to receive an SN status transfer message sent by the first access network device, and to control the receiver 30 to receive encrypted data sent by the first access network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is specifically configured to:
control the receiver 30 to receive data sent by the second core network device.
Optionally, the first access network device communicates with a first core network device, and the access network device communicates with a second core network device;
the processor 10 is further configured to:
after controlling the receiver 30 to receive the encrypted data sent by the first access network device, establish an RRC connection with the terminal device; and control the transmitter 20 to send SN indication information to the terminal device, which indicates the SN boundary value of the data received or sent by the terminal device.
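As an added illustration (not part of the patent text), the following Python simulation traces the exchange described for the devices above: slice selection relayed through the first access network device, per-slice user plane security information carrying an encryption/decryption position, uplink decryption at the indicated node, and the handover from the first to the second access network device with an SN status transfer and forwarding of cached, not-yet-acknowledged encrypted data, including the variant in which the target access network device uses a different core network device. The slice ids, keys, position values and the HMAC-based placeholder cipher are constructed assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed policy (what a network slice management message could carry):
# slice id -> user plane security info with the encryption/decryption,
# header compression and integrity protection positions.
SLICE_POLICY = {
    "slice-A": {"enc_pos": "access", "hc_pos": "access", "ip_pos": "access"},
    "slice-B": {"enc_pos": "core", "hc_pos": "none", "ip_pos": "core"},
}
# Constructed per-slice keys shared by the terminal and the node at enc_pos.
SLICE_KEYS = {"slice-A": b"key-for-slice-A", "slice-B": b"key-for-slice-B"}


def transform(key: bytes, sn: int, data: bytes) -> bytes:
    """Placeholder cipher: XOR with an HMAC-SHA256 keystream bound to the SN.
    Applying it twice with the same key and SN restores the data."""
    stream, block = b"", 0
    while len(stream) < len(data):
        msg = sn.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class CoreNetwork:
    name: str
    received: list = field(default_factory=list)  # uplink (slice, sn, plaintext)
    returned: tuple = None  # (SN status, cached data) handed back by RAN1

    def configure_security(self, slice_ids):
        # Claim 11: user plane security info derived from slice selection info.
        return {s: dict(SLICE_POLICY[s]) for s in slice_ids}

    def receive_uplink(self, slice_id, sn, pdu):
        # Decrypt here only when the core is the encryption/decryption position.
        if SLICE_POLICY[slice_id]["enc_pos"] == "core":
            pdu = transform(SLICE_KEYS[slice_id], sn, pdu)
        self.received.append((slice_id, sn, pdu))

    def encrypt_downlink(self, slice_id, sn, plaintext):
        return transform(SLICE_KEYS[slice_id], sn, plaintext)


@dataclass
class AccessNetwork:
    name: str
    core: CoreNetwork
    cache: dict = field(default_factory=dict)  # downlink sn -> encrypted PDU
    acked: set = field(default_factory=set)    # sn the terminal has confirmed
    sn_status: dict = field(default_factory=dict)

    def forward_uplink(self, slice_id, sn, pdu):
        # Claim 1: relay to the core; decrypt first only when the RAN is enc_pos.
        if SLICE_POLICY[slice_id]["enc_pos"] == "access":
            pdu = transform(SLICE_KEYS[slice_id], sn, pdu)
        self.core.receive_uplink(slice_id, sn, pdu)

    def handover(self, target):
        # Claims 2 to 5: SN status transfer, then the cached encrypted data for
        # which no terminal feedback has arrived. If the target RAN uses another
        # core (claims 3 and 4), status and data go back to this RAN's core.
        pending = {sn: p for sn, p in self.cache.items() if sn not in self.acked}
        status = {"dl_next_sn": max(self.cache, default=-1) + 1,
                  "dl_unacked": sorted(pending)}
        target.sn_status = status
        if target.core is self.core:
            target.cache.update(pending)
            route = target.name
        else:
            self.core.returned = (status, pending)
            route = self.core.name
        self.cache.clear()
        return status, route

    def sn_indication(self):
        # Claims 10 and 15: SN boundary value given to the terminal after RRC set-up.
        return self.sn_status["dl_next_sn"]


def terminal_uplink(security_info, slice_id, sn, plaintext):
    # Claim 8: the terminal encrypts with the selected slice's key; enc_pos
    # tells it which network node will decrypt.
    assert security_info[slice_id]["enc_pos"] in ("access", "core")
    return transform(SLICE_KEYS[slice_id], sn, plaintext)


def run_handover(same_core: bool) -> dict:
    """Whole exchange on constructed data; returns the observable results."""
    cn1 = CoreNetwork("CN1")
    ran1 = AccessNetwork("RAN1", cn1)
    ran2 = AccessNetwork("RAN2", cn1 if same_core else CoreNetwork("CN2"))
    info = cn1.configure_security(["slice-A", "slice-B"])  # via RAN1 (claim 1)
    for slice_id, sn, text in [("slice-A", 0, b"hello"), ("slice-B", 1, b"world")]:
        ran1.forward_uplink(slice_id, sn, terminal_uplink(info, slice_id, sn, text))
    for sn in range(3):  # core-encrypted downlink buffered at RAN1
        ran1.cache[sn] = cn1.encrypt_downlink("slice-B", sn, b"dl-%d" % sn)
    ran1.acked.add(0)  # terminal feedback received for SN 0 only
    status, route = ran1.handover(ran2)
    return {"security_info": info, "forwarded_to": route, "unacked": status["dl_unacked"],
            "cn1_plaintexts": [p for _, _, p in cn1.received],
            "sn_boundary": ran2.sn_indication(), "rerouted_to_core": cn1.returned is not None}
```

Calling `run_handover(True)` forwards the two unacknowledged PDUs to RAN2, while `run_handover(False)` returns them with the SN status to CN1, as claims 3 and 4 describe.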
Based on the same inventive concept, an embodiment of the present invention further provides a data security transmission apparatus that includes functional modules for executing the foregoing method steps.
The various variations and specific examples of the data transmission method in the foregoing embodiments apply equally to the data transmission apparatus of this embodiment and to the apparatus in Fig. 8. From the foregoing detailed description of the data transmission method, a person skilled in the art can clearly understand the implementation of the data transmission apparatus of this embodiment and of the apparatus in Fig. 8, so for brevity of the specification it is not described in detail here.
Those skilled in the art should understand that the embodiments of this application may be provided as a method or a computer program product. Therefore, this application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical memory) containing computer-usable program code.
Although the preferred embodiments of this application have been described, a person skilled in the art, once aware of the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of this application.
Obviously, those skilled in the art can make various modifications and variations to this application without departing from its scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (30)

1. A method of data security transmission, characterized in that the method comprises:
a first access network device receives a request message sent by a terminal device, the request message comprising one or more pieces of network slice selection information;
the first access network device sends the one or more pieces of network slice selection information to a first core network device;
the first access network device receives a response message sent by the first core network device, the response message comprising user plane security information configured by the first core network device for the terminal device, the user plane security information comprising user plane encryption/decryption position indication information used for encrypting/decrypting the user plane data packets of the service associated with the network slice selected by the terminal device;
the first access network device sends the user plane security information to the terminal device;
the first access network device receives encrypted data transmitted by the terminal device and transmits the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
2. The method according to claim 1, characterized in that, after the first access network device transmits the encrypted data to the first core network device, the method further comprises:
the first access network device sends a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
the first access network device receives a handover request acknowledgement message sent by the second access network device;
the first access network device sends a handover command to the terminal device and caches the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device is data encrypted by the first core network device and transmitted to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
the first access network device sends a sequence number (SN) status transfer message to the second access network device, indicating one or more uplink and downlink SN statuses of the radio link control (RLC) mode;
the first access network device sends the cached encrypted data to the second access network device.
3. The method according to claim 2, characterized in that the second access network device communicates with a second core network device;
the first access network device sending the cached encrypted data to the second access network device comprises:
the first access network device sends the cached encrypted data to the first core network device.
4. The method according to claim 3, characterized in that, before the first access network device sends the cached encrypted data to the first core network device, the method further comprises:
the first access network device sends the SN status transfer message to the first core network device.
5. The method according to any one of claims 2 to 4, characterized in that the cached encrypted data comprises data cached by the first access network device that is to be sent to the terminal device, and data that has been sent to the terminal device for which no feedback from the terminal device has yet been received.
6. The method according to any one of claims 1 to 5, characterized in that the user plane security information further comprises header compression function position indication information and integrity protection function position indication information.
7. The method according to any one of claims 1 to 6, characterized in that, before the first access network device receives the encrypted data transmitted by the terminal device, the method further comprises:
the first access network device receives a network slice management message sent by an operation and management device, the network slice management message comprising network-slice-based user plane security information;
the first access network device stores the network-slice-based user plane security information.
8. A method of data security transmission, characterized in that the method comprises:
a terminal device sends a request message to a first access network device, the request message comprising one or more pieces of network slice selection information;
the terminal device receives user plane security information, configured by a first core network device for the terminal device and sent by the first access network device, the user plane security information comprising user plane encryption/decryption position indication information;
the terminal device processes data to be transmitted according to the user plane security information, generates encrypted data, and transmits the encrypted data to the first access network device.
9. The method according to claim 8, characterized in that, after the terminal device transmits the encrypted data to the first access network device, the method further comprises:
the terminal device receives a handover command sent by the first access network device;
the terminal device establishes a radio resource control (RRC) connection with a second access network device and sends a handover complete message to the second access network device.
10. The method according to claim 9, characterized in that, after the terminal device sends the handover complete message to the second access network device, the method further comprises:
the terminal device receives a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
11. A method of data security transmission, characterized in that the method comprises:
a first core network device receives one or more pieces of network slice selection information sent by a first access network device;
the first core network device configures user plane security information for a terminal device according to the one or more pieces of network slice selection information;
the first core network device sends the user plane security information to the first access network device.
12. The method according to claim 11, characterized in that, after the first core network device sends the user plane security information to the first access network device, the method further comprises:
the first core network device receives a sequence number (SN) status transfer message sent by the first access network device and cached encrypted data to be transmitted to a second access network device.
13. A method of data security transmission, characterized in that the method comprises:
a second access network device receives a handover request message sent by a first access network device;
the second access network device sends a handover request acknowledgement message to the first access network device and receives a sequence number (SN) status transfer message sent by the first access network device;
the second access network device receives encrypted data sent by the first access network device.
14. The method according to claim 13, characterized in that the first access network device communicates with a first core network device and the second access network device communicates with a second core network device;
the second access network device receiving the encrypted data sent by the first access network device comprises:
the second access network device receives data sent by the second core network device.
15. The method according to claim 13 or 14, characterized in that the first access network device communicates with a first core network device and the second access network device communicates with a second core network device;
after the second access network device receives the encrypted data sent by the first access network device, the method further comprises:
the second access network device establishes a radio resource control (RRC) connection with the terminal device;
the second access network device sends sequence number (SN) indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
16. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein
the processor is configured to control the receiver to receive a request message sent by a terminal device, the request message comprising one or more pieces of network slice selection information, and to control the transmitter to send the one or more pieces of network slice selection information to a first core network device;
the processor is further configured to control the receiver to receive a response message sent by the first core network device, the response message comprising user plane security information configured by the first core network device for the terminal device, the user plane security information comprising user plane encryption/decryption position indication information used for encrypting/decrypting the user plane data packets of the service associated with the network slice selected by the terminal device;
the processor is further configured to control the transmitter to send the user plane security information to the terminal device, to control the receiver to receive encrypted data transmitted by the terminal device, and to control the transmitter to transmit the encrypted data to the first core network device, the encrypted data being data processed by the terminal device according to the user plane security information.
17. The access network device according to claim 16, characterized in that the access network device further comprises a memory;
the processor is further configured to:
after the encrypted data has been transmitted to the first core network device, control the transmitter to send a handover request message to a second access network device, the second access network device being the device to which the terminal device is to be handed over;
control the receiver to receive a handover request acknowledgement message sent by the second access network device;
control the transmitter to send a handover command to the terminal device and control the memory to cache the encrypted data to be transmitted to the second access network device, where the encrypted data to be transmitted to the second access network device is data encrypted by the first core network device and transmitted to the terminal device, and the handover command instructs the terminal device to switch from the first access network device to the second access network device;
control the transmitter to send a sequence number (SN) status transfer message to the second access network device, indicating one or more uplink and downlink SN statuses of the radio link control (RLC) mode;
control the transmitter to send the cached encrypted data to the second access network device.
18. The access network device according to claim 17, characterized in that the second access network device communicates with a second core network device;
the processor is specifically configured to:
control the transmitter to send the cached encrypted data to the first core network device.
19. The access network device according to claim 18, characterized in that the processor is further configured to:
before controlling the transmitter to send the cached encrypted data to the first core network device, control the transmitter to send the SN status transfer message to the first core network device.
20. The access network device according to any one of claims 17 to 19, characterized in that the cached encrypted data comprises data cached by the access network device that is to be sent to the terminal device, and data that has been sent to the terminal device for which no feedback from the terminal device has yet been received.
21. The access network device according to any one of claims 16 to 20, characterized in that the user plane security information further comprises header compression function position indication information and integrity protection function position indication information.
22. The access network device according to any one of claims 16 to 21, characterized in that the processor is further configured to:
before controlling the receiver to receive the encrypted data transmitted by the terminal device, control the receiver to receive a network slice management message sent by an operation and management device, the network slice management message comprising network-slice-based user plane security information;
control the memory to store the network-slice-based user plane security information.
23. A terminal device, characterized in that the terminal device comprises a receiver, a processor and a transmitter, wherein the transmitter is configured to send a request message to a first access network device, the request message comprising one or more pieces of network slice selection information;
the receiver is configured to receive user plane security information, configured by a first core network device for the terminal device and sent by the first access network device, the user plane security information comprising user plane encryption/decryption position indication information;
the processor is configured to process data to be transmitted according to the user plane security information to generate encrypted data, and to control the transmitter to transmit the encrypted data to the first access network device.
24. The terminal device according to claim 23, characterized in that the processor is further configured to:
after controlling the transmitter to transmit the encrypted data to the first access network device, control the receiver to receive a handover command sent by the first access network device;
establish a radio resource control (RRC) connection with a second access network device, and control the transmitter to send a handover complete message to the second access network device.
25. The terminal device according to claim 24, characterized in that the processor is further configured to:
after controlling the transmitter to send the handover complete message to the second access network device, control the receiver to receive a sequence number (SN) indication message sent by the second access network device, indicating the SN boundary value of the data received or sent by the terminal device.
26. A core network device, characterized in that the core network device comprises a receiver, a processor and a transmitter, wherein
the receiver is configured to receive one or more pieces of network slice selection information sent by a first access network device;
the processor is configured to configure user plane security information for a terminal device according to the one or more pieces of network slice selection information;
the transmitter is configured to send the user plane security information to the first access network device.
27. The core network device according to claim 26, characterized in that the processor is further configured to:
after controlling the transmitter to send the user plane security information to the first access network device, control the receiver to receive a sequence number (SN) status transfer message sent by the first access network device and cached encrypted data to be transmitted to a second access network device.
28. An access network device, characterized in that the access network device comprises a receiver, a processor and a transmitter, wherein
the processor is configured to control the receiver to receive a handover request message sent by a first access network device;
the processor is further configured to control the transmitter to send a handover request acknowledgement message to the first access network device, to receive a sequence number (SN) status transfer message sent by the first access network device, and to control the receiver to receive encrypted data sent by the first access network device.
29. The access network device according to claim 28, characterized in that the first access network device communicates with a first core network device and the access network device communicates with a second core network device;
the processor is specifically configured to:
control the receiver to receive data sent by the second core network device.
30. The access network device according to claim 28 or 29, characterized in that the first access network device communicates with a first core network device and the access network device communicates with a second core network device;
the processor is further configured to:
after controlling the receiver to receive the encrypted data sent by the first access network device, establish a radio resource control (RRC) connection with the terminal device; and control the transmitter to send sequence number (SN) indication information to the terminal device, indicating the SN boundary value of the data received or sent by the terminal device.
CN201710064248.8A 2017-01-26 2017-01-26 Method for data secure transmission, access network, terminal and core network equipment Active CN108366369B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710064248.8A CN108366369B (en) 2017-01-26 2017-01-26 Method for data secure transmission, access network, terminal and core network equipment
PCT/CN2018/074201 WO2018137689A1 (en) 2017-01-26 2018-01-25 Method for secure data transmission, access network, terminal and core network device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710064248.8A CN108366369B (en) 2017-01-26 2017-01-26 Method for data secure transmission, access network, terminal and core network equipment

Publications (2)

Publication Number Publication Date
CN108366369A true CN108366369A (en) 2018-08-03
CN108366369B CN108366369B (en) 2021-02-12

Family

ID=62977804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710064248.8A Active CN108366369B (en) 2017-01-26 2017-01-26 Method for data secure transmission, access network, terminal and core network equipment

Country Status (2)

Country Link
CN (1) CN108366369B (en)
WO (1) WO2018137689A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11350272B2 (en) * 2018-11-01 2022-05-31 Qualcomm Incorporated Encrypting network slice selection assistance information
CN110582109A (en) * 2019-08-31 2019-12-17 华为技术有限公司 Wireless Local Area Network (WLAN) network access method and device
CN117221894B (en) * 2023-11-09 2024-01-12 湖南雷诺科技发展有限公司 Big data-based 5G communication transmission method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3281434B1 (en) * 2015-04-08 2020-02-12 Telefonaktiebolaget LM Ericsson (publ) Method, apparatus, and system for providing encryption or integrity protection in a wireless network
US20160352578A1 (en) * 2015-05-26 2016-12-01 Dell Products L.P. System and method for adaptive paths locator for virtual network function links
US9973578B2 (en) * 2015-06-01 2018-05-15 Telefonaktiebolaget Lm Ericsson (Publ) Real time caching efficient check in a content centric networking (CCN)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047500A (en) * 2006-03-28 2007-10-03 华为技术有限公司 Method for transmitting ciphered data pack in gradual network
CN101047998A (en) * 2006-06-27 2007-10-03 华为技术有限公司 Data transmission method in switchover procedure between base station
US20080076386A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for preventing theft of service in a communication system
CN102056226A (en) * 2009-11-10 2011-05-11 中兴通讯股份有限公司 Method for acquiring PDCP (packet data convergence protocol) status report and PDCP entity
CN106060900A (en) * 2016-05-13 2016-10-26 宇龙计算机通信科技(深圳)有限公司 Method and apparatus for controlling access to network slicing, terminal small cell and SDN controller
CN106210042A (en) * 2016-07-11 2016-12-07 清华大学 A kind of user based on end to end network section services request selection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NOKIA: "《3GPP SA WG2 Meeting #114,Solution to Key Issue 8: Functional allocation in UE/ CN / RAN》", 11 April 2016 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108966217B (en) * 2018-08-29 2022-05-17 焦作市数据安全工程研究中心 Secret communication method, mobile terminal and secret gateway
CN108966217A (en) * 2018-08-29 2018-12-07 冯志杰 A kind of secret communication method, mobile terminal and secrecy gateway
CN111479335A (en) * 2019-01-24 2020-07-31 华为技术有限公司 Data transmission method and communication device
CN111585721A (en) * 2019-02-15 2020-08-25 华为技术有限公司 Entity establishment processing method and device
WO2020192050A1 (en) * 2019-03-22 2020-10-01 长安大学 V2r communication test system and test method based on 5g technology
CN111770498A (en) * 2019-04-01 2020-10-13 华为技术有限公司 Method for determining security protection mode, access network equipment and terminal
CN113348682B (en) * 2019-06-28 2023-01-10 Oppo广东移动通信有限公司 Wireless communication method, terminal equipment, access network equipment and core network equipment
CN113348682A (en) * 2019-06-28 2021-09-03 Oppo广东移动通信有限公司 Wireless communication method, terminal equipment, access network equipment and core network equipment
CN113766607A (en) * 2020-06-03 2021-12-07 华为技术有限公司 Access control method and related equipment
WO2022125200A3 (en) * 2020-10-23 2022-08-18 Dish Wireless L.L.C. Secondary operator integration with a cellular network
US11622282B2 (en) 2020-10-23 2023-04-04 Dish Wireless L.L.C. Secondary operator integration with a cellular network
US11665549B2 (en) 2020-10-23 2023-05-30 Dish Wireless L.L.C. Dynamic cellular network spectrum sharing
US11930374B2 (en) 2020-10-23 2024-03-12 Dish Wireless L.L.C. Dynamic cellular network spectrum sharing

Also Published As

Publication number Publication date
CN108366369B (en) 2021-02-12
WO2018137689A1 (en) 2018-08-02

Similar Documents

Publication Publication Date Title
CN108366369A (en) A kind of method and access net, terminal, equipment of the core network of data security transmission
US11950314B2 (en) Configuration method and apparatus, and system
US11665579B2 (en) Apparatus and method for controlling data flow in wireless communication system
CN109640324B (en) A kind of communication means and relevant apparatus
CN103517356B (en) A kind of method for switching over, system and equipment
CN110463270A (en) System and method for dynamic data relaying
CN110505160A (en) A kind of communication means and device
CN110475267A (en) A kind of configuration method, data transmission method and device
US10348703B2 (en) Method and device for generating access stratum key in communications system
CN109586900A (en) Data safety processing method and device
CN108347410A (en) Safety implementation method, equipment and system
CN104349309B (en) Using NH, NCC to the method for solving safety problem in a kind of mobile communication system
CN106941733A (en) Method for realizing reconfiguration in dual connection, main service base station and auxiliary service base station
CN105530681B (en) Method for processing business and device
CN106233774A (en) Radio resource for integrated WLAN/3GPP radio access technologies controls (RRC) agreement
CN109479336A (en) System and method for connection management
CN108259362A (en) flow control method, device, CU and DU
CN110166273A (en) A kind of transmission method and the network equipment
CN110519807A (en) A kind of communication means and device
KR20210094955A (en) The method of data forwarding when Conditional Handover or Dual Stack Protocol Handover is applied
CN109246696B (en) Key processing method and related device
CN108432338A (en) A kind of data transmission system, method and apparatus
CN114828117A (en) Switching method, access network equipment and terminal equipment
CN108307516A (en) Data transmission method and relevant device
CN107734571A (en) The processing method and equipment of a kind of data transmission channel

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant