CN114450989B - Filling method of equipment session key identification field and related products - Google Patents


Info

Publication number
CN114450989B
Authority
CN
China
Legal status
Active
Application number
CN202080068470.5A
Other languages
Chinese (zh)
Other versions
CN114450989A (en)
Inventor
许阳
卢前溪
Current Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/10 Integrity
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/46 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P], for vehicle-to-vehicle communication [V2V]
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/14 Direct-mode setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a filling method of a device session key identifier field and related products, comprising the following steps: the first device performs parameter negotiation with the second device to form a device session key identifier Kd-sess Id; and the first device fills a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in a packet data convergence protocol (PDCP) data packet, and the length of the Kd-sess Id field is the difference between a first numerical value and the first length of a Counter field. The embodiment of the invention is beneficial to filling the Kd-sess Id field correctly when the length of the Kd-sess Id field changes, improving the flexibility of filling the Kd-sess Id field and thereby guaranteeing the integrity protection and encryption protection of the communication between the devices.

Description

Filling method of equipment session key identification field and related products
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method for filling a device session key identifier field and a related product.
Background
The packet data convergence protocol (Packet Data Convergence Protocol, PDCP) header includes two parts, namely a device session key identifier Kd-sess Id field and a Counter field, where the Counter field carries the PDCP sequence number (PDCP Sequence Number, PDCP SN) value, and the total length of the Kd-sess Id field and the Counter field is 32 bits.
In the fifth generation mobile communication technology (5th generation mobile networks, 5G), the length of the PDCP SN is variable, and the PDCP SN length used for different data bearers between two devices also differs, which means that the length of the Counter field in the PDCP header may differ, so a change in the length of the Counter field affects the length of the Kd-sess Id field. However, the PDCP SN length is determined only after the security context negotiation process between the two devices has been initiated; that is, the PDCP SN length cannot be determined during the security context negotiation process, while the Kd-sess Id needs to be generated during that negotiation. How to negotiate the Kd-sess Id during the security context negotiation process so that the Kd-sess Id field in the PDCP header can be filled correctly is therefore a problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a filling method and a related device for a device session key identifier field, which are used for filling the Kd-sess Id field when the length of the Kd-sess Id field changes, improving the flexibility of filling the Kd-sess Id field and thereby guaranteeing the integrity protection and encryption protection of the communication between the devices.
In a first aspect, an embodiment of the present invention provides a method for filling a device session key identifier field, including:
the first device performs parameter negotiation with the second device to form a device session key identifier Kd-sess Id;
and the first device fills a Kd-sess Id field according to the Kd-sess Id and a second length, wherein the second length is the length of the Kd-sess Id field in a packet data convergence protocol PDCP data packet, and the length of the Kd-sess Id field is the difference between a first numerical value and the first length of a Counter field.
In a second aspect, an embodiment of the present invention provides a method for filling a device session key identifier field, including:
the second device forms a device session key identifier Kd-sess Id through parameter negotiation with the first device;
and the second device fills a Kd-sess Id field according to the Kd-sess Id and a second length, wherein the second length is the length of the Kd-sess Id field in a packet data convergence protocol PDCP data packet, and the length of the Kd-sess Id field is the difference between a first value and the first length of a Counter field.
In a third aspect, an embodiment of the present invention provides a first device, where the first device includes a processing unit and a communication unit, where,
the processing unit is configured to form a device session key identifier Kd-sess Id through parameter negotiation with the second device via the communication unit, and to fill the Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol PDCP data packet, and the length of the Kd-sess Id field is the difference between a first value and the first length of a Counter field.
In a fourth aspect, an embodiment of the present invention provides a second device, the second device comprising a processing unit and a communication unit, wherein,
the processing unit is configured to perform parameter negotiation with the first device through the communication unit to form a device session key identifier Kd-sess Id, and to fill a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol PDCP data packet, and the length of the Kd-sess Id field is the difference between a first value and the first length of the Counter field.
In a fifth aspect, embodiments of the present application provide a chip, including a processor for calling and running a computer program from a memory, so that the device on which the chip is mounted performs some or all of the steps described in any of the methods of the first aspect of the embodiments of the present application.
In a sixth aspect, embodiments of the present application provide a chip, including: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform some or all of the steps as described in any of the methods of the second aspect of the embodiments of the present application.
In a seventh aspect, an embodiment of the present invention provides a first device comprising a processor, a memory, a communication interface, and one or more programs, wherein the one or more programs are stored in the memory and configured for execution by the processor, the programs comprising instructions for performing the steps of any of the methods of the first aspect of the embodiments of the present invention.
In an eighth aspect, an embodiment of the present invention provides a second device comprising a processor, a memory, a communication interface, and one or more programs, wherein the one or more programs are stored in the memory and configured for execution by the processor, the programs comprising instructions for performing the steps in any of the methods of the second aspect of the embodiments of the present invention.
In a ninth aspect, embodiments of the present invention provide a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, wherein the computer program causes a computer to perform some or all of the steps as described in any of the methods of the first aspect of the embodiments of the present invention.
In a tenth aspect, embodiments of the present invention provide a computer readable storage medium storing a computer program for electronic data exchange, wherein the computer program causes a computer to perform part or all of the steps as described in any of the methods of the second aspect of the embodiments of the present invention.
In an eleventh aspect, embodiments of the present invention provide a computer program product, wherein the computer program product comprises a non-transitory computer-readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps described in any of the methods of the first aspect of the embodiments of the present invention. The computer program product may be a software installation package.
In a twelfth aspect, embodiments of the present invention provide a computer program product, wherein the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps described in any of the methods of the second aspect of the embodiments of the present invention. The computer program product may be a software installation package.
It can be seen that, in the embodiment of the present invention, the first device forms the device session key identifier Kd-sess Id by performing parameter negotiation with the second device, and fills the Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the PDCP packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field. The first device can therefore determine the second length of the Kd-sess Id field from the first length of the Counter field, so as to fill the Kd-sess Id field in the PDCP packet header flexibly according to the Kd-sess Id, fill the Kd-sess Id field correctly, and provide an effective guarantee for the integrity protection and ciphering protection of the subsequent inter-device communication, which rely on the PDCP packet header.
Drawings
The drawings that accompany the description of the embodiments or of the prior art are briefly described as follows.
Fig. 1 is a network architecture diagram of a communication system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a derivation relationship of each security parameter according to an embodiment of the present invention;
FIG. 3 is a flow chart of a security parameter negotiation process according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a PDCP packet according to an embodiment of the present invention;
FIG. 5 is a flow chart illustrating an integrity protection process according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of an encryption process according to an embodiment of the present invention;
fig. 7 is a flowchart of a method for filling a device session key identifier field according to an embodiment of the present invention;
FIG. 8 is a schematic diagram illustrating filling of a Kd-sess Id field of a PDCP packet in accordance with an embodiment of the present invention;
FIG. 9 is a diagram illustrating filling of Kd-sess Id field of another PDCP packet in accordance with an embodiment of the present invention;
FIG. 10 is a diagram illustrating filling of Kd-sess Id field of another PDCP packet in accordance with an embodiment of the present invention;
FIG. 11 is a flowchart illustrating another method for filling a device session key identification field according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a first device according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a second apparatus according to an embodiment of the present invention;
FIG. 14 is a functional block diagram of a first device according to an embodiment of the present invention;
fig. 15 is a functional unit composition block diagram of a second device according to an embodiment of the present invention.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The technical solution of the embodiment of the application can be applied to various communication systems, for example: global system for mobile communications (Global System of Mobile communication, GSM), code division multiple access (Code Division Multiple Access, CDMA) system, wideband code division multiple access (Wideband Code Division Multiple Access, WCDMA) system, general packet radio service (General Packet Radio Service, GPRS), long term evolution (Long Term Evolution, LTE) system, LTE frequency division duplex (Frequency Division Duplex, FDD) system, LTE time division duplex (Time Division Duplex, TDD) system, advanced long term evolution (Advanced Long Term Evolution, LTE-A) system, new radio (New Radio, NR) system, evolved NR system, LTE on unlicensed spectrum (LTE-based access to unlicensed spectrum, LTE-U) system, NR on unlicensed spectrum (NR-based access to unlicensed spectrum, NR-U) system, universal mobile telecommunication system (Universal Mobile Telecommunication System, UMTS), worldwide interoperability for microwave access (Worldwide Interoperability for Microwave Access, WiMAX) communication system, wireless local area network (Wireless Local Area Networks, WLAN), wireless fidelity (Wireless Fidelity, WiFi), next generation communication system or other communication system, etc.
Generally, a conventional communication system supports a limited number of connections and is easy to implement; however, with the development of communication technology, the mobile communication system will support not only conventional communication but also, for example, device-to-device (Device to Device, D2D) communication, machine-to-machine (Machine to Machine, M2M) communication, machine type communication (Machine Type Communication, MTC), vehicle-to-vehicle (Vehicle to Vehicle, V2V) communication, and the like, to which the embodiments of the present application can also be applied.
Exemplary, a communication system 100 to which embodiments of the present application apply is shown in fig. 1. The communication system 100 may include a network device 110, and the network device 110 may be a device that communicates with a terminal device 120 (or referred to as a communication terminal, terminal). Network device 110 may provide communication coverage for a particular geographic area and may communicate with terminal devices located within the coverage area. Alternatively, the network device 110 may be a base station (Base Transceiver Station, BTS) in a GSM system or a CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved base station (Evolutional Node B, eNB or eNodeB) in an LTE system, or a radio controller in a cloud radio access network (Cloud Radio Access Network, CRAN), or the network device may be a mobile switching center, a relay station, an access point, a vehicle device, a wearable device, a hub, a switch, a bridge, a router, a network-side device in a 5G network, or a network device in a future evolved public land mobile network (Public Land Mobile Network, PLMN), etc.
The communication system 100 further comprises at least one terminal device 120 located within the coverage area of the network device 110. "Terminal device" as used herein includes, but is not limited to, a device arranged to connect via a wireline, such as via a public switched telephone network (Public Switched Telephone Network, PSTN), digital subscriber line (Digital Subscriber Line, DSL), digital cable, or direct cable connection; and/or another data connection/network; and/or via a wireless interface, e.g., for a cellular network, a wireless local area network (Wireless Local Area Network, WLAN), a digital television network such as a DVB-H network, a satellite network, or an AM-FM broadcast transmitter; and/or a device of another terminal arranged to receive/transmit communication signals; and/or an internet of things (Internet of Things, IoT) device. Terminal devices arranged to communicate via a wireless interface may be referred to as "wireless communication terminals", "wireless terminals" or "mobile terminals". Examples of mobile terminals include, but are not limited to, satellite or cellular telephones; a personal communications system (Personal Communications System, PCS) terminal that may combine a cellular radiotelephone with data processing, facsimile and data communications capabilities; a PDA that can include a radiotelephone, pager, internet/intranet access, web browser, organizer, calendar, and/or a global positioning system (Global Positioning System, GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radiotelephone transceiver. A terminal device may refer to an access terminal, user equipment (User Equipment, UE), subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user apparatus.
An access terminal may be a cellular telephone, a cordless telephone, a session initiation protocol (Session Initiation Protocol, SIP) phone, a wireless local loop (Wireless Local Loop, WLL) station, a personal digital assistant (Personal Digital Assistant, PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network or a terminal device in a future evolved PLMN, etc.
Alternatively, device-to-device (D2D) communication may be performed directly between the terminal devices 120.
Alternatively, the 5G system or 5G network may also be referred to as a New Radio (NR) system or NR network.
Fig. 1 illustrates one network device and two terminal devices by way of example, and alternatively, the communication system 100 may include a plurality of network devices and may include other numbers of terminal devices within the coverage area of each network device, which is not limited in this embodiment of the present application.
Optionally, the communication system 100 may further include a network controller, a mobility management entity, and other network entities, which are not limited in this embodiment of the present application.
It should be understood that a device having a communication function in a network/system in an embodiment of the present application may be referred to as a communication device. Taking the communication system 100 shown in fig. 1 as an example, the communication device may include a network device 110 and a terminal device 120 with communication functions, where the network device 110 and the terminal device 120 may be specific devices described above, and are not described herein again; the communication device may also include other devices in the communication system 100, such as a network controller, a mobility management entity, and other network entities, which are not limited in this embodiment of the present application.
It should be understood that the terms "system" and "network" are used interchangeably herein. The term "and/or" is herein merely one kind of association relation describing the association object, meaning that three kinds of relations may exist, e.g., a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/", herein generally indicates that the associated object is an "or" relationship.
The method of the embodiment of the present application may be applied mainly to 1-to-1 service scenarios such as D2D, vehicle-to-everything (V2X), network controlled interactive service (Network Controlled Interactive Service, NCIS), public safety (Public Safety), etc. It should be noted that in the embodiment of the present application, the first device may be the network device 110 or the terminal device 120, and the second device may be the network device 110 or the terminal device 120, where:
1) The security parameters of the 1-to-1 communication include the following, and the derivation relationship between the security parameters is shown in fig. 2:
Long-term key: a pre-provisioned key, which may be a symmetric key or a public/private key pair, identified by a long-term identity (long-term ID);
Inter-device key KD: a 256-bit key shared between the two devices, mutually authenticated and negotiated by the two communicating devices with the assistance of the long-term key;
Device session key KD-sess: derived from KD;
Integrity protection key (ProSe Integrity Key, PIK) and encryption key (ProSe Encryption Key, PEK): derived from KD-sess.
2) The 1-to-1 communication security parameter negotiation procedure is shown in fig. 3. The identity authentication and key establishment between the first device and the second device take place in steps 1 to 3 and require that the second device knows KD by step 2; step 2 may involve multiple messages, and which messages are involved depends on the type of long-term key. The actual establishment of the security context takes place in steps 1, 3 and 4. After the security context establishment is completed, integrity and confidentiality protection can be applied to subsequent data exchanges at the packet data convergence protocol (Packet Data Convergence Protocol, PDCP) layer, where:
Step 1. The first device sends a direct communication request to the second device, which contains the long-term ID (identifying the long-term key), a first temporary parameter Nonce_1 (used to generate the session key), the security capabilities of the first device, the KD identifier KD ID indicating KD, and a number of high-order bits of the device session key identifier KD-sess ID (e.g., 8 bits, which uniquely identify within the first device the KD-sess generated in this procedure); if no KD ID is present in the direct communication request, the information needed to establish KD, such as the long-term key ID, is included instead.
Step 2. This step is carried out only if necessary, for example when the direct communication request carries no KD ID; KD is then generated in this step.
Step 3. The second device sends a security mode command to the first device, which includes the most significant bits of the KD ID, a second temporary parameter Nonce_2 (allowing the session key to be calculated), a chosen algorithm parameter (Chosen_algs) indicating which security algorithms are to be used to protect the data, and a number of low-order bits of the KD-sess ID (e.g., 8 bits, which uniquely identify within the second device the KD-sess generated in this procedure). The second device then calculates KD-sess from KD, Nonce_1 and Nonce_2, uses KD-sess to calculate the confidentiality and integrity keys, and forms the KD-sess ID from the valid high-order bits received in step 1 and the valid low-order bits sent in step 3.
Step 4. The first device receives the security mode command from the second device and calculates KD-sess, forms the KD-sess ID and calculates the confidentiality and integrity keys in the same manner as the second device described above.
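The exchange of steps 1, 3 and 4 above, written out as an added example that is not part of the patent. The message field names follow the page; the HMAC-SHA256 key derivation, the 16-bit KD ID, the dict-based message encoding and the names `Device` and `run_negotiation` are assumptions, since the page does not specify the derivation function or the message encoding. Each device stores the resulting (KD-sess, PIK, PEK) under the Kd-sess Id formed from the high part it sent or received in step 1 and the low part from step 3.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not the patent's own code. Message field names follow the
# page's step 1 and step 3; the HMAC-SHA256 KDF, the 16-bit KD ID and the
# dict-based message encoding are assumptions.

KD_SESS_ID_LEN = 16              # negotiated length; the page allows 14, 16 or 20 bits
PART_LEN = KD_SESS_ID_LEN // 2   # first device supplies the high part, second device the low part


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over a label and the concatenated inputs."""
    return hmac.new(key, label + b"".join(inputs), hashlib.sha256).digest()


def derive_session(kd: bytes, nonce_1: bytes, nonce_2: bytes) -> Tuple[bytes, bytes, bytes]:
    """KD-sess from KD and both nonces, then PIK and PEK from KD-sess (the fig. 2 relationship)."""
    kd_sess = kdf(kd, b"KD-sess", nonce_1, nonce_2)
    return kd_sess, kdf(kd_sess, b"PIK"), kdf(kd_sess, b"PEK")


def form_kd_sess_id(msb_part: int, lsb_part: int) -> int:
    """Kd-sess Id = high part (Direct Communication Request) || low part (Security Mode Command)."""
    limit = 1 << PART_LEN
    if not (0 <= msb_part < limit and 0 <= lsb_part < limit):
        raise ValueError(f"each Kd-sess Id part must fit in {PART_LEN} bits")
    return (msb_part << PART_LEN) | lsb_part


class Device:
    def __init__(self, name: str, kd: bytes, kd_id: int, sec_caps: Tuple[str, ...]):
        self.name, self.kd, self.kd_id, self.sec_caps = name, kd, kd_id, sec_caps
        self.contexts: Dict[int, Tuple[bytes, bytes, bytes]] = {}  # Kd-sess Id -> (KD-sess, PIK, PEK)

    # Step 1: first device -> second device.
    def direct_communication_request(self, nonce_1: Optional[bytes] = None,
                                     msb_part: Optional[int] = None) -> dict:
        self.nonce_1 = secrets.token_bytes(16) if nonce_1 is None else nonce_1
        self.msb_part = secrets.randbelow(1 << PART_LEN) if msb_part is None else msb_part
        return {"kd_id": self.kd_id, "nonce_1": self.nonce_1,
                "sec_caps": self.sec_caps, "kd_sess_id_msb": self.msb_part}

    # Step 3: second device -> first device (step 2 is skipped here because KD is already shared).
    def security_mode_command(self, req: dict, nonce_2: Optional[bytes] = None,
                              lsb_part: Optional[int] = None) -> dict:
        if req["kd_id"] != self.kd_id:
            raise ValueError("KD ID unknown: step 2 would first have to establish KD")
        common = [a for a in self.sec_caps if a in req["sec_caps"]]
        if not common:
            raise ValueError("no mutually supported security algorithms")
        nonce_2 = secrets.token_bytes(16) if nonce_2 is None else nonce_2
        lsb_part = secrets.randbelow(1 << PART_LEN) if lsb_part is None else lsb_part
        kd_sess_id = form_kd_sess_id(req["kd_sess_id_msb"], lsb_part)
        self.contexts[kd_sess_id] = derive_session(self.kd, req["nonce_1"], nonce_2)
        return {"kd_id_msb": self.kd_id >> 8, "nonce_2": nonce_2,
                "chosen_algs": common[0], "kd_sess_id_lsb": lsb_part}

    # Step 4: first device completes the context in the same way as the second device.
    def complete(self, cmd: dict) -> int:
        kd_sess_id = form_kd_sess_id(self.msb_part, cmd["kd_sess_id_lsb"])
        self.contexts[kd_sess_id] = derive_session(self.kd, self.nonce_1, cmd["nonce_2"])
        return kd_sess_id


def run_negotiation(kd: bytes, nonce_1: Optional[bytes] = None, nonce_2: Optional[bytes] = None,
                    msb_part: Optional[int] = None, lsb_part: Optional[int] = None):
    """Run steps 1, 3 and 4; return (Kd-sess Id, first device's context, second device's context)."""
    caps = ("NIA2/NEA2", "NIA1/NEA1")
    first, second = Device("first", kd, 0x1234, caps), Device("second", kd, 0x1234, caps)
    cmd = second.security_mode_command(first.direct_communication_request(nonce_1, msb_part),
                                       nonce_2, lsb_part)
    kd_sess_id = first.complete(cmd)
    return kd_sess_id, first.contexts[kd_sess_id], second.contexts[kd_sess_id]


if __name__ == "__main__":
    sess_id, ctx1, ctx2 = run_negotiation(secrets.token_bytes(32))
    print(f"Kd-sess Id = 0x{sess_id:04x}, contexts match: {ctx1 == ctx2}")
```

Because both nonces enter the derivation, a replayed step 1 message alone cannot force the second device back onto an old KD-sess; the `run_negotiation` parameters exist only so that the exchange can be driven with fixed values for inspection.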
3) As shown in fig. 4, after the security parameter negotiation process is completed, both ends of the 1-to-1 communication hold Kd-sess, derive PIK and PEK from it, and use PEK and PIK to apply integrity protection and encryption protection to the control plane and/or user plane PDCP data packets.
Integrity protection and ciphering protection of data packets on the interface for direct communication between the first device and the second device are implemented at the PDCP layer. At the PDCP layer, the session key is identified using the KD-sess ID, PEK is used to cipher the Payload, and PIK is used to calculate the message authentication code (Message Authentication Code, MAC), which together provide ciphering protection and integrity protection.
In the embodiment of the present application, the Kd-sess Id refers to the parameter that identifies Kd-sess, and the Kd-sess Id field refers to a field in a PDCP packet; the Kd-sess Id parameter is used to fill the Kd-sess Id field.
The PDCP packet header comprises two parts, a Kd-sess Id field and a Counter field, where the Counter field is filled with the PDCP SN and can be used for reordering the data packets. The total length of the Kd-sess Id field and the Counter field is 32 bits.
4) The integrity protection process is shown in fig. 5. For integrity protection, the parameters that need to be input when calculating the MAC-I are as follows:
COUNT: 32 bits, where COUNT[0] to COUNT[n] are set to the value of the Kd-sess Id field and COUNT[n+1] to COUNT[31] are set to the value of the Counter field (i.e., the PDCP SN); the value of n varies because of the various possible PDCP SN lengths;
MESSAGE: the content to be transmitted;
DIRECTION: may be 1 bit;
KEY: PIK;
BEARER: may be 5 bits, set to the logical channel identifier (Logical Channel ID, LCID) value.
After the first device and the second device use these parameters as input to the integrity protection algorithm, they calculate the message authentication codes MAC-I and XMAC-I respectively, and if MAC-I and XMAC-I are the same, the integrity protection verification passes. The integrity protection algorithm may be an integrity protection algorithm defined for the 5G new radio (New Radio, NR) interface or an integrity protection algorithm defined for the 4G evolved packet system (Evolved Packet System, EPS).
5) As shown in fig. 6, in the encryption protection process a key stream block (Key Stream Block) needs to be calculated, with the following input parameters:
COUNT: 32 bits, where COUNT[0] to COUNT[n] are set to the value of the Kd-sess Id field and COUNT[n+1] to COUNT[31] are set to the value of the Counter field (i.e., the PDCP SN);
DIRECTION: may be 1 bit;
KEY: PEK;
BEARER: may be 5 bits, set to the value of the LCID.
The first device and the second device each calculate the key stream block after using these parameters as input to the encryption algorithm, and then obtain the ciphertext block (Cipher Text Block) by combining the key stream block with the plaintext block (Plain Text Block), which provides the encryption protection. The encryption algorithm may be an encryption algorithm defined for 5G NR or an encryption algorithm defined for 4G EPS.
Referring to fig. 7, fig. 7 is a method for filling a device session key identification field according to an embodiment of the present invention, which is applied to the above communication system, and includes some or all of the following:
in step 701, the first device forms a device session key identifier Kd-pass Id by performing parameter negotiation with the second device.
The parameter negotiation process may be the above-mentioned 1-to-1 communication security parameter negotiation process, in which the formed Kd-set Id may be obtained by the Kd-set Id included in the direct communication request sent to the second device by the first device, or may be obtained by the Kd-set Id included in the security mode command sent to the first device by the second device, or may be formed by a combination of the first portion of the Kd-set Id included in the direct communication request sent to the second device by the first device and the second portion of the Kd-set Id included in the security mode command sent to the first device by the second device, which is not limited herein.
The length of the device session key identifier Kd-pass Id may be between 0-32 bits, which is not limited herein.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
The number of bits in the first portion of the Kd-sess Id and the number of bits in the second portion may be the same or different. For example, the first portion and the second portion may each be an 8-bit value, or the first portion may be a 6-bit value and the second portion a 10-bit value, without limitation.
The first portion may uniquely identify the Kd-sess key or security context within the first device, or the second portion may uniquely identify the Kd-sess key or security context within the second device, or the Kd-sess key and the respective security context may be uniquely identified by the first portion and the second portion together, or by the values of a subset of the bits in the first portion and the second portion, without limitation.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion.
The bits in the first portion of the Kd-sess Id are either the high bits relative to the bits in the second portion or the low bits relative to them, without limitation. For example, if the Kd-sess Id field comprises a 10-bit value, bits [0] through [9], then bits [0] through [m] are the low bits and bits [m+1] through [9] are the high bits, where m is a positive integer greater than 0 and less than 9.
In one possible example, the lowest bit in the first portion of the Kd-sess Id is higher than the highest bit in the second portion.
For example, the Kd-sess Id field comprises a 10-bit value, the second portion being bits [0] through [m] and the first portion bits [m+1] through [9].
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
That is, the first device and the second device may form a Kd-sess Id of 14, 16 or 20 bits through parameter negotiation. For example, when the Kd-sess Id is 14 bits long, the first portion may be the high 7-bit value and the second portion the low 7-bit value; when the Kd-sess Id is 16 bits long, the first portion may be the high 8-bit value and the second portion the low 8-bit value; when the Kd-sess Id is 20 bits long, the first portion may be the high 10-bit value and the second portion the low 10-bit value, where the high 10-bit value may comprise 7 bits that identify the Kd-sess plus 3 additional bits, and the low 10-bit value may likewise comprise 7 bits that identify the Kd-sess plus 3 additional bits, without limitation.
In step 702, the first device fills in a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is a length of the Kd-sess Id field in the PDCP packet, and the length of the Kd-sess Id field is a difference between a first value and a first length of a Counter field.
The first value may take various values, for example 32 bits.
Before step 702, the first device may determine the second length from the first length of the Counter field.
For example, since the sum of the first length of the Counter field and the second length of the Kd-sess Id field is fixed at 32 bits, the second length of the Kd-sess Id field is 32 bits minus the first length.
In one possible example, the first length is 12 bits or 18 bits.
Specifically, when the first length is 12 bits the second length is 20 bits, and when the first length is 18 bits the second length is 14 bits; other values are not excluded herein.
The first device may fill the Kd-sess Id field according to the Kd-sess Id and the second length in various ways. For example, when the length of the Kd-sess Id equals the second length, the Kd-sess Id is used directly to fill the Kd-sess Id field; when the length of the Kd-sess Id is less than the second length, the Kd-sess Id field is filled with the Kd-sess Id together with other parameters; and when the length of the Kd-sess Id is greater than the second length, the Kd-sess Id field is filled with the values of a subset of the bits of the Kd-sess Id, which is not limited herein.
It can be seen that, in the embodiment of the present invention, the first device forms a device session key identifier Kd-sess Id through parameter negotiation with the second device, and fills the Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the PDCP packet and equals the difference between the first value and the first length of the Counter field. Because the first device derives the second length from the first length of the Counter field, it can fill the Kd-sess Id field in the PDCP packet header from the Kd-sess Id whatever the negotiated Kd-sess Id length, which makes the filling of the Kd-sess Id field consistent and provides a sound basis for the integrity protection and ciphering protection of subsequent inter-device communication that rely on the PDCP packet header.
In one possible example, forming the device session key identifier Kd-sess Id by the first device through parameter negotiation with the second device comprises:
the first device sends a first message to the second device, the first message comprising a first portion of the Kd-sess Id;
the first device receives a second message from the second device, the second message comprising a second portion of the Kd-sess Id;
the first device forms the Kd-sess Id from the first portion and the second portion.
The first message may be the direct communication request message of the 1-to-1 communication security parameter negotiation process described above, and the second message may be the security mode command message described above.
It can be seen that, in this example, the first device and the second device each determine part of the Kd-sess Id through their interaction and form the Kd-sess Id together, which improves the security of subsequent data packet communication and reduces the signaling consumed compared with either device determining the Kd-sess Id on its own.
In one possible example, filling the Kd-sess Id field by the first device according to the Kd-sess Id and the second length comprises:
when the length of the Kd-sess Id equals the second length, the first device fills the Kd-sess Id field with the Kd-sess Id.
For example, when the Kd-sess Id is 14 bits long and the Counter field is 18 bits long, the Kd-sess Id field is also 14 bits long, so the Kd-sess Id may be used directly to fill the Kd-sess Id field of the PDCP packet header shown in FIG. 4; or, when the Kd-sess Id is 20 bits long (each 10-bit portion comprising 7 bits that identify the Kd-sess plus 3 additional bits) and the Counter field is 12 bits long, the Kd-sess Id field shown in FIG. 4 is 20 bits long and may likewise be filled directly with the Kd-sess Id.
It can be seen that, in this example, the first device fills the Kd-sess Id field directly with the Kd-sess Id when the Kd-sess Id has the same length as the second length.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and filling the Kd-sess Id field with the Kd-sess Id by the first device comprises:
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the Kd-sess Id, the second portion of the Kd-sess Id; or,
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the second portion of the Kd-sess Id, the first portion of the Kd-sess Id; or,
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, the fourth segment of the second portion of the Kd-sess Id.
As in the example above, the first segment of the first portion of the Kd-sess Id may be the bits that identify the Kd-sess, and the second segment of the first portion may be the remaining bits; the third segment and the fourth segment of the second portion are defined in the same way and are not described again here.
The first device may also fill the Kd-sess Id field with the Kd-sess Id in ways other than these three. For example, it may fill the field from its low bits to its high bits in the order: the second segment of the first portion, the fourth segment of the second portion, the first segment of the first portion, the third segment of the second portion; or in yet another permutation of the four segments, which is not limited herein.
It can be seen that, in this example, the first device may use various filling orders when filling the Kd-sess Id field with the Kd-sess Id, which improves the flexibility of filling the Kd-sess Id field in the PDCP packet header.
In one possible example, filling the Kd-sess Id field by the first device according to the Kd-sess Id and the second length comprises:
when the length of the Kd-sess Id is less than the second length, the first device fills the Kd-sess Id field with the Kd-sess Id and a first parameter.
The first device may fill the Kd-sess Id field with the Kd-sess Id and the first parameter in various ways. For example, the remaining bits may be filled with a first parameter generated during the parameter negotiation that forms the Kd-sess Id, or with a default first parameter (for example the Hyper Frame Number (HFN), or the value 0 or 1), or with a combination of part of a first parameter carried in each message of that negotiation and a default first parameter, which is not limited herein.
It can be seen that, in this example, when the length of the Kd-sess Id is less than the second length, the first device makes up the shortfall with the first parameter and so fills the whole Kd-sess Id field, which improves the completeness of the filling.
In this possible example, the first parameter is the hyper frame number HFN and/or a preset number.
The preset number may be, for example, 0 or 1, which is not limited herein.
It can be seen that, in this example, the first device fills the Kd-sess Id field with the Kd-sess Id and the hyper frame number HFN and/or a preset number, rather than introducing new parameters.
In one possible example, the first parameter is included in the first message; or the first parameter is included in the second message; or a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
The number of bits in the first portion of the first parameter and the number of bits in the second portion may be the same or different. For example, each may be a 3-bit value, or the first portion may be a 2-bit value and the second portion a 4-bit value, which is not limited herein.
The bits in the first portion of the first parameter are the high bits relative to the bits in the second portion, or the bits in the first portion are the low bits relative to the bits in the second portion, which is not limited herein.
The first message may be the direct communication request message of the 1-to-1 communication security parameter negotiation process described above, and the second message may be the security mode command message described above.
It can be seen that, in this example, the first device and the second device each add part of the first parameter to the signaling messages so that it can supplement the Kd-sess Id when filling the Kd-sess Id field in the PDCP packet header, which strengthens the role of the first parameter, gives it a dedicated purpose, and improves the reliability of filling the Kd-sess Id field.
In one possible example, filling the Kd-sess Id field by the first device with the Kd-sess Id and the first parameter comprises:
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the Kd-sess Id, the first parameter; or,
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the first parameter, the Kd-sess Id; or,
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the Kd-sess Id, the first parameter, the second portion of the Kd-sess Id; or,
the first device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, the second portion of the Kd-sess Id.
It can be seen that, in this example, the first device may use various filling orders when filling the Kd-sess Id field with the Kd-sess Id and the first parameter, which improves the flexibility of filling the Kd-sess Id field in the PDCP packet header.
In one possible example, filling the Kd-sess Id field by the first device according to the Kd-sess Id and the second length comprises:
when the length of the Kd-sess Id is greater than the second length, the first device selects target bits from the Kd-sess Id equal in number to the second length and fills the Kd-sess Id field with the values of those bits.
The first device may select the target bits in various ways. For example, it may select them starting from the highest bit of the Kd-sess Id, or starting from the lowest bit of the Kd-sess Id, which is not described further here.
It can be seen that, in this example, when the length of the Kd-sess Id is greater than the second length, the first device may select the target bits in several ways and fill the Kd-sess Id field with the values of those bits, which improves the flexibility of filling the Kd-sess Id field.
In one possible example, the method further comprises: the first device performs ciphering protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP header, where the data packet is a data packet communicated between the first device and the second device.
The specifics of the ciphering protection and the integrity protection are as described for FIG. 5 and FIG. 6 above.
For example, in the ciphering protection and integrity protection flows, COUNT[0] to COUNT[31] are filled as follows: when the Kd-sess Id field is 14 bits long, the value of the Kd-sess Id field fills COUNT[0] to COUNT[13] and the value of the Counter field fills COUNT[14] to COUNT[31]; when the Kd-sess Id field is 20 bits long, the value of the Kd-sess Id field fills COUNT[0] to COUNT[19] and the value of the Counter field fills COUNT[20] to COUNT[31].
It can be seen that, in this example, once the filling of the PDCP packet header has been determined, the first device performs ciphering and integrity protection according to the filled contents; that is, the PDCP packet is filled flexibly and reliably, which benefits the confidentiality and integrity protection of subsequent data transmission.
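The following Python is an added example written for this page to make the three filling cases above (equal, shorter, longer Kd-sess Id) and the COUNT layout concrete; it is not code from the patent or from any 3GPP specification. It assumes that COUNT[0] is the least significant bit (the text gives only index ranges, so the bit numbering is an assumption), that the HFN is available as a plain integer of which the low bits are used, and that a truncated Kd-sess Id keeps its lowest bits unless told otherwise; the function and parameter names are the example's own.

```python
"""Filling the Kd-sess Id field of the PDCP header and the 32-bit COUNT (added example)."""

COUNT_BITS = 32      # the "first value": Kd-sess Id field length + Counter field length


def field_length(counter_len):
    """Second length = 32 bits minus the first length (the Counter field length)."""
    if not 0 < counter_len < COUNT_BITS:
        raise ValueError("Counter field length must be between 1 and 31 bits")
    return COUNT_BITS - counter_len


def fill_kd_sess_id_field(kd_sess_id, id_len, counter_len,
                          first_param=0, placement="after", keep_high_bits=False):
    """Return the value of the Kd-sess Id field for a Counter field of counter_len bits.

    id_len == second length: the Kd-sess Id is used as is.
    id_len <  second length: the shortfall is filled with the low bits of first_param
        (a negotiated value, the HFN, or a preset number such as 0), placed "after"
        the Kd-sess Id (higher bits), "before" it (lower bits), or "inside" it between
        its two equal-sized portions, counting from the low bits of the field.
    id_len >  second length: keep the lowest (default) or highest second-length bits.
    """
    if kd_sess_id < 0 or kd_sess_id >> id_len:
        raise ValueError("Kd-sess Id does not fit in id_len bits")
    field_len = field_length(counter_len)
    if id_len == field_len:
        return kd_sess_id
    if id_len < field_len:
        pad_len = field_len - id_len
        pad = first_param & ((1 << pad_len) - 1)   # assumption: low bits of a long HFN are used
        if placement == "after":                    # low to high: Kd-sess Id, first parameter
            return (pad << id_len) | kd_sess_id
        if placement == "before":                   # low to high: first parameter, Kd-sess Id
            return (kd_sess_id << pad_len) | pad
        if placement == "inside":                   # first portion, first parameter, second portion
            if id_len % 2:
                raise ValueError("inside placement needs two equal-sized portions")
            half = id_len // 2
            first_portion, second_portion = kd_sess_id >> half, kd_sess_id & ((1 << half) - 1)
            return first_portion | (pad << half) | (second_portion << (half + pad_len))
        raise ValueError("placement must be 'after', 'before' or 'inside'")
    drop = id_len - field_len
    if keep_high_bits:                              # target bits selected from the highest bit
        return kd_sess_id >> drop
    return kd_sess_id & ((1 << field_len) - 1)      # target bits selected from the lowest bit


def build_count(kd_sess_id_field, counter, counter_len):
    """COUNT[0 .. field_len-1] = Kd-sess Id field, COUNT[field_len .. 31] = Counter.
    Assumption: COUNT[0] is the least significant bit."""
    field_len = field_length(counter_len)
    if kd_sess_id_field >> field_len or counter >> counter_len:
        raise ValueError("field value exceeds its declared length")
    return (counter << field_len) | kd_sess_id_field


def split_count(count, counter_len):
    """Inverse of build_count: (Kd-sess Id field, Counter) from a 32-bit COUNT."""
    if count >> COUNT_BITS:
        raise ValueError("COUNT must be 32 bits")
    field_len = field_length(counter_len)
    return count & ((1 << field_len) - 1), count >> field_len


if __name__ == "__main__":
    # Constructed sample values: a 14-bit Kd-sess Id and a 6-bit negotiated first parameter
    kd_sess_id, first_param = 0x1234, 0b110011
    for counter_len in (18, 12):
        field = fill_kd_sess_id_field(kd_sess_id, 14, counter_len, first_param)
        counter = 0x12345 & ((1 << counter_len) - 1)
        count = build_count(field, counter, counter_len)
        print(f"Counter {counter_len} bits -> Kd-sess Id field {field_length(counter_len)} bits: "
              f"field=0x{field:X} COUNT=0x{count:08X}")
```

The same `build_count` serves both peers: because each side derives the second length from the Counter field length alone, the two devices produce identical COUNT inputs for ciphering and integrity protection as long as they agree on the Counter field length and on which placement and truncation option was chosen.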
Embodiments of the present invention are illustrated below in conjunction with specific scenarios.
Specifically, the communication system is a D2D communication system in which the first length of the Counter field is 12 bits or 18 bits, so the second length is the difference between 32 bits and the first length, that is, 20 bits or 14 bits respectively. In this case the Kd-sess Id may be formed between the first device and the second device in the following ways:
Mode 1: during parameter negotiation the first device and the second device generate only a Kd-sess Id of the minimum length, that is, a 14-bit Kd-sess Id.
In the security parameter negotiation process of FIG. 3 above, when the first device sends the direct communication request message it carries the high 7-bit value of the Kd-sess Id, which uniquely identifies within the first device the Kd-sess generated by the first device; when the second device sends the security mode command message to the first device it carries the low 7-bit value of the Kd-sess Id, which uniquely identifies within the second device the Kd-sess generated by the second device. Both the direct communication request message and the security mode command message may also carry the first parameter. For example, with a 6-bit first parameter, the direct communication request message carries its high 3-bit value and the security mode command message carries its low 3-bit value.
After the security parameter negotiation flow completes, the first device and the second device both hold a 14-bit Kd-sess Id and fill the Kd-sess Id field of the PDCP packet header with it. Specifically, when the first length is 18 bits the Kd-sess Id field is 14 bits long, so it can be filled directly with the Kd-sess Id.
When the first length is 12 bits, the Kd-sess Id field is 20 bits long, so an additional 6-bit value must be added to the generated 14-bit Kd-sess Id. There are two possibilities:
1) If the first device and the second device have negotiated the first parameter, the additional 6-bit value is filled with the negotiated (6-bit) first parameter.
2) If no first parameter was negotiated, the additional 6-bit value may be filled using the HFN and/or a specific number as the first parameter.
The additional 6-bit value may be placed before, after or within the negotiated 14-bit Kd-sess Id, as shown in FIG. 8.
For the integrity protection and ciphering protection processes described for FIG. 5 and FIG. 6, the 32-bit COUNT value is likewise filled according to the values of the Kd-sess Id field and the Counter field in the PDCP header.
For example, when the Kd-sess Id field is 14 bits long, COUNT[0] to COUNT[13] are filled with the value of the Kd-sess Id field and COUNT[14] to COUNT[31] with the value of the Counter field.
When the Kd-sess Id field is 20 bits long, COUNT[0] to COUNT[19] are filled with the value of the Kd-sess Id field and COUNT[20] to COUNT[31] with the value of the Counter field.
Mode 2: the first device and the second device generate the longest Kd-sess Id value, that is, 20 bits, which can be divided into several segments and used with Kd-sess Id fields of different lengths.
In the security parameter negotiation process of FIG. 3 above, when the first device sends the direct communication request message it carries the high 10-bit value of the Kd-sess Id (comprising a low-order 7 bits that uniquely identify within the first device the Kd-sess generated by the first device, plus an additional 3 bits); when the second device sends the security mode command message to the first device it carries the low 10-bit value of the Kd-sess Id (comprising a low-order 7 bits that uniquely identify within the second device the Kd-sess generated by the second device, plus an additional 3 bits).
After the security parameter negotiation process completes, the first device and the second device have negotiated a 20-bit value comprising a 14-bit Kd-sess Id and an additional 6 bits: when the first length is 18 bits the first device uses only the 14 bits, and when the first length is 12 bits it also uses the additional 6 bits. The low 14 bits of the 20-bit value uniquely identify the Kd-sess key stored by the first device and the second device, that is, the Kd-sess key can be identified without the additional 6 bits.
Specifically, when the first length is 18 bits the Kd-sess Id field is 14 bits long, so the 14-bit Kd-sess Id can be used directly for filling.
When the first length is 12 bits, the Kd-sess Id field is 20 bits long, and an additional 6-bit value is added to the 14-bit Kd-sess Id; this 6-bit value may be the additional 6 bits of the 20-bit value negotiated by the first device and the second device, or the HFN and/or a specific number (for example, several 0s or 1s). The 6-bit value and the Kd-sess Id may be filled into the Kd-sess Id field in the order shown in FIG. 9.
For the integrity protection and ciphering protection processes described for FIG. 5 and FIG. 6, the 32-bit COUNT value is likewise filled according to the values of the Kd-sess Id field and the Counter field in the PDCP header.
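To show both sides of the two-message negotiation for mode 1 and mode 2, the following Python models the direct communication request and the security mode command as dictionaries and has each device assemble the Kd-sess Id (and, in mode 1, the first parameter) from the message it sent and the one it received. It is an added example written for this page, not code from the patent or from the assignee; the message field names, the layout of a 10-bit portion as 3 additional bits above 7 identifying bits (as mode 2 describes), and the choice of the segment-interleaved order (first segment, third segment, second segment, fourth segment, from low to high bits) among the orders the text allows are the example's own.

```python
"""Two-message negotiation of the Kd-sess Id (modes 1 and 2) as seen by both devices."""

ID_SEG_BITS = 7      # bits per portion that uniquely identify the Kd-sess within one device
EXTRA_SEG_BITS = 3   # additional bits per portion in mode 2 (10-bit portions)
PARAM_PART_BITS = 3  # bits of the 6-bit first parameter carried per message in mode 1


def _check(value, bits, name):
    if value < 0 or value >> bits:
        raise ValueError(f"{name} must fit in {bits} bits")
    return value


def form_mode1(dcr, smc):
    """Mode 1: Kd-sess Id = high 7 bits from the DCR || low 7 bits from the SMC;
    the 6-bit first parameter is split 3 + 3 the same way."""
    kd_sess_id = (dcr["kd_sess_id_part"] << ID_SEG_BITS) | smc["kd_sess_id_part"]
    first_param = (dcr["first_param_part"] << PARAM_PART_BITS) | smc["first_param_part"]
    return kd_sess_id, first_param


def split_portion(portion):
    """Mode 2: a 10-bit portion is (3 additional bits) || (7 identifying bits)."""
    return portion & ((1 << ID_SEG_BITS) - 1), portion >> ID_SEG_BITS


def form_mode2(dcr, smc):
    """Mode 2: interleave the segments from low to high bits as first-portion id bits,
    second-portion id bits, first-portion extra bits, second-portion extra bits,
    so the low 14 bits alone identify the Kd-sess key."""
    id1, extra1 = split_portion(dcr["kd_sess_id_part"])
    id2, extra2 = split_portion(smc["kd_sess_id_part"])
    value20 = id1
    value20 |= id2 << ID_SEG_BITS
    value20 |= extra1 << (2 * ID_SEG_BITS)
    value20 |= extra2 << (2 * ID_SEG_BITS + EXTRA_SEG_BITS)
    return value20


def mode2_field(value20, counter_len):
    """Kd-sess Id field for mode 2: the low 14 bits when the Counter field is 18 bits,
    the whole 20-bit value when it is 12 bits."""
    field_len = 32 - counter_len
    if field_len not in (14, 20):
        raise ValueError("mode 2 supports Kd-sess Id fields of 14 or 20 bits only")
    return value20 & ((1 << field_len) - 1)


class Device:
    """One endpoint of the 1-to-1 link; role is "first" (sends the DCR) or "second" (sends the SMC).
    id_bits are the 7 bits that identify the locally generated Kd-sess; extra_bits are this
    device's 3-bit share of the first parameter (mode 1) or its 3 additional bits (mode 2)."""

    def __init__(self, role, id_bits, extra_bits):
        if role not in ("first", "second"):
            raise ValueError("role must be 'first' or 'second'")
        self.role = role
        self.id_bits = _check(id_bits, ID_SEG_BITS, "id bits")
        self.extra_bits = _check(extra_bits, EXTRA_SEG_BITS, "extra bits")
        self.peer = None

    def message(self, mode):
        """Build this device's DCR (first) or SMC (second) for the given mode."""
        if mode == 1:
            return {"kd_sess_id_part": self.id_bits, "first_param_part": self.extra_bits}
        return {"kd_sess_id_part": (self.extra_bits << ID_SEG_BITS) | self.id_bits}

    def receive(self, msg):
        self.peer = msg

    def form(self, mode):
        """Assemble from own and peer message; the first device's part is the first portion."""
        mine = self.message(mode)
        dcr, smc = (mine, self.peer) if self.role == "first" else (self.peer, mine)
        return form_mode1(dcr, smc) if mode == 1 else form_mode2(dcr, smc)


def run_negotiation(mode, first, second):
    """Exchange DCR and SMC between the two devices and return each device's result."""
    second.receive(first.message(mode))     # direct communication request
    first.receive(second.message(mode))     # security mode command
    return first.form(mode), second.form(mode)


if __name__ == "__main__":
    # Constructed sample values for the two devices' local identifiers and extra bits
    a, b = Device("first", 0x55, 0b101), Device("second", 0x2A, 0b011)
    print("mode 1 (Kd-sess Id, first parameter):", run_negotiation(1, a, b))
    a, b = Device("first", 0x55, 0b101), Device("second", 0x2A, 0b011)
    v20, _ = run_negotiation(2, a, b)
    print(f"mode 2 20-bit value 0x{v20:05X}: 14-bit field 0x{mode2_field(v20, 18):04X}, "
          f"20-bit field 0x{mode2_field(v20, 12):05X}")
```

`Device.form` is where the asymmetry of the exchange lives: each side must place the first device's contribution as the first portion regardless of whether it sent or received it, otherwise the two peers would derive different Kd-sess Id values and different COUNT inputs.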
Mode 3: a 16-bit Kd-sess Id is generated during the security procedure.
In the security parameter negotiation process of FIG. 3 above, when the first device sends the direct communication request message it carries the high 8-bit value of the Kd-sess Id, and when the second device sends the security mode command message to the first device it carries the low 8-bit value of the Kd-sess Id.
After the security parameter negotiation flow completes, the first device and the second device both hold a 16-bit Kd-sess Id and fill the Kd-sess Id field of the PDCP packet header with it.
Specifically, when the first length is 18 bits the Kd-sess Id field is 14 bits long, so the high 2 bits or the low 2 bits of the Kd-sess Id are dropped and the remaining 14-bit value fills the Kd-sess Id field.
When the first length is 12 bits the Kd-sess Id field is 20 bits long, so 4 bits are added before or after the Kd-sess Id, as shown in FIG. 10; these 4 bits may be generated by the mechanism for generating the "first parameter" in mode 1 above, or, as for the first parameter in mode 1, from a default value (such as the HFN or a specific padding value), which is not described again here.
Further, the remaining 14 bits of the 16-bit Kd-sess Id can uniquely identify a Kd-sess key in the first device and the second device.
For the integrity protection and ciphering protection processes described for FIG. 5 and FIG. 6, the 32-bit COUNT value is likewise filled according to the values of the Kd-sess Id field and the Counter field in the PDCP header.
Mode 4: a 16-bit Kd-sess Id is generated during the security procedure and the Kd-sess Id field of the PDCP packet is filled with those 16 bits as they are (the 16-bit Kd-sess Id is neither extended nor truncated), while the 32-bit COUNT value used for the integrity protection and ciphering protection described for FIG. 5 and FIG. 6 is filled from the Kd-sess Id field and the Counter field of the PDCP packet header using the extension or truncation method above.
Specifically, when the first length is 18 bits, the high 2 bits or the low 2 bits of the Kd-sess Id are dropped so that the remaining 14 bits fill COUNT[0] to COUNT[13].
When the first length is 12 bits, 4 bits are added before or after the Kd-sess Id so that the resulting 20-bit value fills COUNT[0] to COUNT[19]; these 4 bits may be generated by the mechanism for generating the "first parameter" in mode 1 above, or, as for the first parameter in mode 1, from a default value (such as the HFN or a specific padding value), which is not described again here.
Referring to fig. 11, fig. 11 is a method for filling a device session key identification field according to an embodiment of the present invention, which is applied to the above communication system, and includes some or all of the following:
in step 1101, the second device forms a device session key identifier Kd-sess Id through parameter negotiation with the first device.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion.
In one possible example, the lowest bit in the first portion of the Kd-sess Id is higher than the highest bit in the second portion.
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
In step 1102, the second device fills in a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is a length of the Kd-sess Id field in the PDCP packet, and the length of the Kd-sess Id field is a difference between the first value and the first length of the Counter field.
In one possible example, the first value is 32 bits.
In one possible example, the first length is 12 bits or 18 bits.
It can be seen that, in the embodiment of the present invention, the second device forms the device session key identifier Kd-sess Id through parameter negotiation with the first device, and fills the Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the PDCP packet and equals the difference between the first value and the first length of the Counter field. Because the second device derives the second length from the first length of the Counter field, it can fill the Kd-sess Id field in the PDCP packet header from the Kd-sess Id whatever the negotiated Kd-sess Id length, which makes the filling of the Kd-sess Id field consistent and provides a sound basis for the integrity protection and ciphering protection of subsequent inter-device communication that rely on the PDCP packet header.
In one possible example, forming the device session key identifier Kd-sess Id by the second device through parameter negotiation with the first device comprises:
the second device receives a first message from the first device, the first message comprising a first portion of the Kd-sess Id;
the second device sends a second message to the first device, the second message comprising a second portion of the Kd-sess Id;
the second device forms the Kd-sess Id from the first portion and the second portion.
In one possible example, filling the Kd-sess Id field by the second device according to the Kd-sess Id and the second length comprises:
when the length of the Kd-sess Id equals the second length, the second device fills the Kd-sess Id field with the Kd-sess Id.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and filling the Kd-sess Id field with the Kd-sess Id by the second device comprises:
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the Kd-sess Id, the second portion of the Kd-sess Id; or,
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the second portion of the Kd-sess Id, the first portion of the Kd-sess Id; or,
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, the fourth segment of the second portion of the Kd-sess Id.
In one possible example, filling the Kd-sess Id field by the second device according to the Kd-sess Id and the second length comprises:
when the length of the Kd-sess Id is less than the second length, the second device fills the Kd-sess Id field with the Kd-sess Id and a first parameter.
In this possible example, the first parameter is the hyper frame number HFN and/or a preset number.
In one possible example, the first parameter is included in the first message; or the first parameter is included in the second message; or a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
In one possible example, filling the Kd-sess Id field by the second device with the Kd-sess Id and the first parameter comprises:
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the Kd-sess Id, the first parameter; or,
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the first parameter, the Kd-sess Id; or,
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the Kd-sess Id, the first parameter, the second portion of the Kd-sess Id; or,
the second device fills the Kd-sess Id field from its low bits to its high bits in the order: the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, the second portion of the Kd-sess Id.
In one possible example, filling the Kd-sess Id field by the second device according to the Kd-sess Id and the second length comprises:
and when the length of the Kd-sess Id is larger than the second length, the second device selects target bits with the same number as the second length in the Kd-sess Id, and fills the Kd-sess Id field with the value on the target bits.
In one possible example, the first message is a direct communication request message and the second message is a security mode command message.
In one possible example, the method further comprises: and the second equipment performs encryption protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP, wherein the data packet is communicated between the first equipment and the second equipment.
The embodiment shown in fig. 11 is similar to the embodiment shown in fig. 7, and will not be described here.
Referring to FIG. 12, which corresponds to the embodiment shown in FIG. 7, FIG. 12 is a schematic structural diagram of a first device 1200 provided in the embodiment of the present application. As shown in the figure, the first device 1200 includes a processor 1210, a memory 1220, a communication interface 1230, and one or more programs 1221, where the one or more programs 1221 are stored in the memory 1220 and configured to be executed by the processor 1210, and the one or more programs 1221 include instructions for performing the following operations:
forming a device session key identifier Kd-sess Id through parameter negotiation with the second device;
filling a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol (PDCP) data packet and equals the difference between a first value and the first length of a Counter field.
It can be seen that, in this embodiment of the present application, the first device forms a device session key identifier Kd-sess Id through parameter negotiation with the second device, and fills the Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the PDCP data packet and equals the difference between the first value and the first length of the Counter field. Because the first device derives the second length from the first length of the Counter field, it can fill the Kd-sess Id field in the PDCP packet header from the Kd-sess Id whatever the negotiated Kd-sess Id length, which makes the filling of the Kd-sess Id field consistent and provides a sound basis for the integrity protection and ciphering protection of subsequent inter-device communication that rely on the PDCP packet header.
In one possible example, the first value is 32 bits.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion of the Kd-sess Id.
In one possible example, the lowest bit of the first portion of the Kd-sess Id is higher than the highest bit of the second portion.
In one possible example, in terms of forming the device session key identifier Kd-sess Id by parameter negotiation with the second device, the instructions in the one or more programs 1221 are specifically configured to perform the following operations: sending a first message to the second device, where the first message includes a first portion of the Kd-sess Id; receiving a second message from the second device, where the second message includes a second portion of the Kd-sess Id; and forming the Kd-sess Id from the first portion and the second portion.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1221 are specifically configured to perform the following operation: filling the Kd-sess Id field with the Kd-sess Id when the length of the Kd-sess Id is the same as the second length.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and in terms of filling the Kd-sess Id field with the Kd-sess Id, the instructions in the one or more programs 1221 are specifically configured to perform the following operation: filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id and the second portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the second portion of the Kd-sess Id and the first portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, and the fourth segment of the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1221 are specifically configured to perform the following operation: when the length of the Kd-sess Id is smaller than the second length, filling the Kd-sess Id field with the Kd-sess Id and a first parameter.
In this possible example, the first parameter is a hyper frame number HFN and/or a preset number.
In one possible example, the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
In one possible example, in terms of filling the Kd-sess Id field with the Kd-sess Id and the first parameter, the instructions in the one or more programs 1221 are specifically configured to perform the following operation: filling from the low bit to the high bit of the Kd-sess Id field in the order of the Kd-sess Id and the first parameter; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first parameter and the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1221 are specifically configured to perform the following operation: when the length of the Kd-sess Id is larger than the second length, selecting target bits whose number equals the second length from the Kd-sess Id, and filling the Kd-sess Id field with the values of the target bits.
In one possible example, the first length is 12 bits or 18 bits.
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
In one possible example, the first message is a direct communication request message and the second message is a security mode command message.
In one possible example, the one or more programs 1221 further include instructions for: performing ciphering protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP, where the data packet is communicated between the first device and the second device.
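The filling rules of this embodiment (equal length: the Kd-sess Id is written directly in one of three portion or segment orders; shorter: the gap is filled by the first parameter in one of four orders; longer: target bits are selected) and the composition of the 32-bit value from the Kd-sess Id field and the Counter field, as an added worked example in Python. This is not code from the patent or from OPPO. It fixes conventions the page leaves open, and these are assumptions: the first portion is the higher-order half of the Kd-sess Id (consistent with the statement that its lowest bit lies above the highest bit of the second portion), a split of an odd width gives the extra bit to the higher-order part, the two portions of the first parameter are split the same way, and the target bits selected when the Id is longer than the field are either its lowest or its highest second-length bits. The sample Id values and the HFN value are constructed.

```python
"""Kd-sess Id field filling for a PDCP header whose first 32 bits are
Kd-sess Id field || Counter field.  Added example, not the patent's or OPPO's code."""

FIRST_VALUE = 32  # width of (Kd-sess Id field + Counter field), per the page


def mask(width):
    return (1 << width) - 1


def field_length(counter_len):
    """Second length = first value - first length (the Counter field width)."""
    if not 0 < counter_len < FIRST_VALUE:
        raise ValueError("counter length must leave room for the Kd-sess Id field")
    return FIRST_VALUE - counter_len


def split(value, width):
    """(first portion, second portion) of a width-bit value as (value, width) pairs.
    Assumption: the first portion is the higher-order half, so its lowest bit sits
    above the second portion's highest bit; for odd widths it takes the extra bit."""
    low_w = width // 2
    high_w = width - low_w
    return (value >> low_w, high_w), (value & mask(low_w), low_w)


def pack_low_to_high(parts):
    """Concatenate (value, width) pairs; the first pair lands in the lowest bits."""
    packed = shift = 0
    for value, width in parts:
        if value >> width:
            raise ValueError("part %#x does not fit in %d bits" % (value, width))
        packed |= value << shift
        shift += width
    return packed, shift


def fill_equal(kd, kd_len, order="p1_p2"):
    """Kd-sess Id length == second length: the three orders named on the page."""
    p1, p2 = split(kd, kd_len)
    if order == "p1_p2":
        parts = [p1, p2]
    elif order == "p2_p1":
        parts = [p2, p1]
    elif order == "s1_s3_s2_s4":   # segments: first portion = s1|s2, second = s3|s4
        s1, s2 = split(*p1)
        s3, s4 = split(*p2)
        parts = [s1, s3, s2, s4]
    else:
        raise ValueError("unknown order %r" % order)
    return pack_low_to_high(parts)[0]


def fill_with_param(kd, kd_len, field_len, param, order="kd_param"):
    """Kd-sess Id shorter than the field: the gap carries the first parameter
    (an HFN and/or a preset number) in one of the four orders named on the page."""
    param_len = field_len - kd_len
    if param >> param_len:
        raise ValueError("first parameter wider than the %d-bit gap" % param_len)
    k, q = (kd, kd_len), (param, param_len)
    if order == "kd_param":
        parts = [k, q]
    elif order == "param_kd":
        parts = [q, k]
    elif order == "p1_param_p2":
        p1, p2 = split(kd, kd_len)
        parts = [p1, q, p2]
    elif order == "q1_p1_q2_p2":
        p1, p2 = split(kd, kd_len)
        q1, q2 = split(param, param_len)
        parts = [q1, p1, q2, p2]
    else:
        raise ValueError("unknown order %r" % order)
    packed, width = pack_low_to_high(parts)
    assert width == field_len
    return packed


def fill_truncated(kd, kd_len, field_len, select="low"):
    """Kd-sess Id longer than the field: keep field_len target bits.
    Assumption: the target bits are the lowest or the highest field_len bits."""
    if select == "low":
        return kd & mask(field_len)
    if select == "high":
        return kd >> (kd_len - field_len)
    raise ValueError("unknown selection %r" % select)


def fill_kd_sess_id_field(kd, kd_len, counter_len, param=None, order=None, select="low"):
    """Dispatch on the comparison of the Kd-sess Id length with the second length."""
    if kd >> kd_len:
        raise ValueError("Kd-sess Id does not fit in %d bits" % kd_len)
    field_len = field_length(counter_len)
    if kd_len == field_len:
        return fill_equal(kd, kd_len, order or "p1_p2")
    if kd_len < field_len:
        if param is None:
            raise ValueError("a first parameter (HFN / preset number) is needed")
        return fill_with_param(kd, kd_len, field_len, param, order or "kd_param")
    return fill_truncated(kd, kd_len, field_len, select)


def pdcp_count(kd_field, counter, counter_len):
    """The 32-bit value: Kd-sess Id field in the high bits, Counter in the low bits."""
    if counter >> counter_len:
        raise ValueError("counter does not fit in %d bits" % counter_len)
    return (kd_field << counter_len) | counter


if __name__ == "__main__":
    KD = 0xA5C3  # constructed 16-bit Kd-sess Id; 0x9 below is a constructed 4-bit HFN
    print(hex(fill_kd_sess_id_field(KD, 16, 12, param=0x9)))   # 12-bit Counter -> 20-bit field
    print(hex(fill_kd_sess_id_field(KD, 16, 18)))              # 18-bit Counter -> 14-bit field
    print(hex(pdcp_count(fill_kd_sess_id_field(KD, 16, 12, param=0x9), 0x123, 12)))
```

Both ends of the link must pick the same order and, when truncating, the same target bits, since the value is not carried in the packet but reconstructed from the negotiated Id; the order is therefore part of what the direct communication request and security mode command exchange has to pin down.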
Referring to fig. 13, in accordance with the embodiment shown in fig. 11, fig. 13 is a schematic structural diagram of a second device 1300 provided in the embodiment of the present application. As shown in fig. 13, the second device 1300 includes a processor 1310, a memory 1320, a communication interface 1330, and one or more programs 1321, where the one or more programs 1321 are stored in the memory 1320 and configured to be executed by the processor 1310, and the one or more programs 1321 include instructions for performing the following operations:
forming a device session key identifier Kd-sess Id through parameter negotiation with the first device; and
filling a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol (PDCP) data packet, and the length of the Kd-sess Id field is the difference between a first value and the first length of a Counter field.
It can be seen that, in this embodiment of the present application, the second device performs parameter negotiation with the first device to form a device session key identifier Kd-sess Id, and fills a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in a PDCP data packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field. Thus the second device can determine the second length of the Kd-sess Id field from the first length of the Counter field, so as to flexibly fill the Kd-sess Id field in the PDCP packet header according to the Kd-sess Id, improve the rationality of filling the Kd-sess Id field, and provide an effective guarantee for the integrity protection and ciphering protection of subsequent inter-device communication through the PDCP packet header.
In one possible example, the first value is 32 bits.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion of the Kd-sess Id.
In one possible example, the lowest bit of the first portion of the Kd-sess Id is higher than the highest bit of the second portion.
In one possible example, in terms of forming the device session key identifier Kd-sess Id by parameter negotiation with the first device, the instructions in the one or more programs 1321 are specifically configured to perform the following operations: receiving a first message from the first device, where the first message includes a first portion of the Kd-sess Id; sending a second message to the first device, where the second message includes a second portion of the Kd-sess Id; and forming the Kd-sess Id from the first portion and the second portion.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1321 are specifically configured to perform the following operation: filling the Kd-sess Id field with the Kd-sess Id when the length of the Kd-sess Id is the same as the second length.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and in terms of filling the Kd-sess Id field with the Kd-sess Id, the instructions in the one or more programs 1321 are specifically configured to perform the following operation: filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id and the second portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the second portion of the Kd-sess Id and the first portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, and the fourth segment of the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1321 are specifically configured to perform the following operation: when the length of the Kd-sess Id is smaller than the second length, filling the Kd-sess Id field with the Kd-sess Id and a first parameter.
In this possible example, the first parameter is a hyper frame number HFN and/or a preset number.
In one possible example, the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
In one possible example, in terms of filling the Kd-sess Id field with the Kd-sess Id and the first parameter, the instructions in the one or more programs 1321 are specifically configured to perform the following operation: filling from the low bit to the high bit of the Kd-sess Id field in the order of the Kd-sess Id and the first parameter; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first parameter and the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the instructions in the one or more programs 1321 are specifically configured to perform the following operation: when the length of the Kd-sess Id is larger than the second length, selecting target bits whose number equals the second length from the Kd-sess Id, and filling the Kd-sess Id field with the values of the target bits.
In one possible example, the first length is 12 bits or 18 bits.
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
In one possible example, the first message is a direct communication request message and the second message is a security mode command message.
In one possible example, the one or more programs 1321 further include instructions for: performing ciphering protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP, where the data packet is communicated between the first device and the second device.
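How the filled field is then consumed, as a second added example (Python, not the patent's or OPPO's code): the 32-bit value formed from the Kd-sess Id field and the Counter field is the per-packet input to ciphering and integrity protection, next to the session key. The keystream generator and the MAC here are HMAC-SHA256 stand-ins so that the example runs with the standard library only; they are not the 3GPP 128-NEA/NIA algorithms. The 16-bit Id, 12-bit Counter, 4-bit HFN carried in the field, bearer and direction values, keys and payloads are all constructed. The check a practitioner wants is in the last two functions: under one key the (Kd-sess Id field, Counter) combination must never repeat, because a repeat reuses keystream and the XOR of two ciphertexts then equals the XOR of the two plaintexts. With the HFN stepped on every Counter wrap, the value stays unique for 2^16 packets here and repeats after that, which is where a fresh session key and Kd-sess Id would have to take over.

```python
"""Ciphering and integrity protection keyed by the session key and the 32-bit
value Kd-sess Id field || Counter.  Added example; HMAC-SHA256 stands in for
the 3GPP NEA/NIA algorithms and every constant below is a constructed assumption."""
import hashlib
import hmac
import struct

COUNTER_LEN = 12                # first length: Counter field width
KD_LEN = 16                     # Kd-sess Id length
FIELD_LEN = 32 - COUNTER_LEN    # second length: 20 bits
HFN_LEN = FIELD_LEN - KD_LEN    # gap filled by the first parameter, an HFN here: 4 bits


def mask(width):
    return (1 << width) - 1


def kd_field(kd_sess_id, hfn):
    """'Kd-sess Id then first parameter' from low to high bits: Id low, HFN above it."""
    return kd_sess_id | (hfn << KD_LEN)


def pdcp_count(field, counter):
    return (field << COUNTER_LEN) | counter


def next_state(hfn, counter):
    """Step the Counter; when it wraps, step the HFN so the field changes with it."""
    counter += 1
    if counter > mask(COUNTER_LEN):
        counter = 0
        hfn = (hfn + 1) & mask(HFN_LEN)
    return hfn, counter


def _keystream(key, count, bearer, direction, length):
    """Stand-in keystream: HMAC-SHA256 over (COUNT, BEARER, DIRECTION, block index)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = struct.pack(">IBBI", count, bearer, direction, block)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _mac(key, count, bearer, direction, data):
    """Stand-in 32-bit MAC over the same per-packet inputs plus the ciphertext."""
    msg = struct.pack(">IBB", count, bearer, direction) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def protect(enc_key, int_key, count, bearer, direction, plaintext):
    ks = _keystream(enc_key, count, bearer, direction, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext, _mac(int_key, count, bearer, direction, ciphertext)


def unprotect(enc_key, int_key, count, bearer, direction, ciphertext, mac):
    """Verify before deciphering; None on an integrity failure."""
    if not hmac.compare_digest(_mac(int_key, count, bearer, direction, ciphertext), mac):
        return None
    ks = _keystream(enc_key, count, bearer, direction, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def counts_unique(kd_sess_id, n_packets):
    """True if n consecutive packets from (HFN=0, Counter=0) all get distinct COUNTs."""
    seen = set()
    hfn = counter = 0
    for _ in range(n_packets):
        count = pdcp_count(kd_field(kd_sess_id, hfn), counter)
        if count in seen:
            return False
        seen.add(count)
        hfn, counter = next_state(hfn, counter)
    return True


def ciphertext_xor(enc_key, int_key, count, bearer, direction, p1, p2):
    """What an observer learns when two packets share a COUNT: c1 ^ c2 == p1 ^ p2."""
    c1, _ = protect(enc_key, int_key, count, bearer, direction, p1)
    c2, _ = protect(enc_key, int_key, count, bearer, direction, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The receiver reconstructs the same COUNT from its own copy of the Kd-sess Id field and the Counter in the header, so a wrong or stale field on either side shows up as an integrity failure rather than as garbled plaintext, which is the behaviour to test for when the filling order is changed.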
The foregoing description of the solution of the embodiment of the present application has been mainly presented from the perspective of interaction between network elements. It will be appreciated that the first device and the second device, in order to implement the above-described functions, comprise corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The embodiment of the present application may divide the functional units of the first device and the second device according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated in one processing unit. The integrated units described above may be implemented either in hardware or in software program modules. It should be noted that, in the embodiment of the present application, the division of the units is schematic, which is merely a logic function division, and other division manners may be implemented in actual practice.
In case of using integrated units, fig. 14 shows a block diagram of one possible functional unit composition of the first device involved in the above-described embodiment. The first device 1400 includes: a processing unit 1402 and a communication unit 1403. The processing unit 1402 is configured to control and manage an action of the first device. The communication unit 1403 is used to support communication between the first device and other devices, for example, communication with the second device shown in fig. 13. The first device may further comprise a storage unit 1401 for storing program code and data of the first device.
The processing unit 1402 may be a processor or controller, such as a central processing unit (Central Processing Unit, CPU), a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an Application-specific integrated circuit (ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor may also be a combination that performs the function of a computation, e.g., a combination comprising one or more microprocessors, a combination of a DSP and a microprocessor, and the like. The communication unit 1403 may be a communication interface, a transceiver circuit, or the like, and the storage unit 1401 may be a memory. When the processing unit 1402 is a processor, the communication unit 1403 is a communication interface, and the storage unit 1401 is a memory, the first device according to the embodiment of the present application may be the first device shown in fig. 12.
In particular implementation, the processing unit 1402 is configured to perform any of the steps performed by the first device in the above-described method embodiments, and when performing data transmission such as sending, optionally invokes the communication unit 1403 to complete a corresponding operation. The following is a detailed description.
The processing unit 1402 is configured to perform parameter negotiation with the second device through the communication unit 1403 to form a device session key identifier Kd-sess Id; and to fill a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol (PDCP) data packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field.
It can be seen that, in this embodiment of the present application, the first device performs parameter negotiation with the second device to form a device session key identifier Kd-sess Id, and fills a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in a PDCP data packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field. Thus the first device can determine the second length of the Kd-sess Id field from the first length of the Counter field, so as to flexibly fill the Kd-sess Id field in the PDCP packet header according to the Kd-sess Id, improve the rationality of filling the Kd-sess Id field, and provide an effective guarantee for the integrity protection and ciphering protection of subsequent inter-device communication through the PDCP packet header.
In one possible example, the first value is 32 bits.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion of the Kd-sess Id.
In one possible example, the lowest bit of the first portion of the Kd-sess Id is higher than the highest bit of the second portion.
In one possible example, in terms of forming the device session key identifier Kd-sess Id by parameter negotiation with the second device through the communication unit 1403, the processing unit 1402 is specifically configured to: send a first message to the second device through the communication unit 1403, where the first message includes a first portion of the Kd-sess Id; receive, through the communication unit 1403, a second message from the second device, where the second message includes a second portion of the Kd-sess Id; and form the Kd-sess Id from the first portion and the second portion.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1402 is specifically configured to: fill the Kd-sess Id field with the Kd-sess Id when the length of the Kd-sess Id is the same as the second length.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and the processing unit 1402 is specifically configured to, in terms of the filling of the Kd-sess Id field with the Kd-sess Id: filling in the order of the first part of the Kd-sess Id and the second part of the Kd-sess Id from the low order bit to the high order bit of the Kd-sess Id field; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the second portion of the Kd-sess Id and the first portion of the Kd-sess Id; or, the first segment of the first part of the Kd-sess Id, the third segment of the second part of the Kd-sess Id, the second segment of the first part of the Kd-sess Id, and the fourth segment of the second part of the Kd-sess Id are filled in the order from the low bit to the high bit of the Kd-sess Id field.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1402 is specifically configured to: when the length of the Kd-sess Id is smaller than the second length, fill the Kd-sess Id field with the Kd-sess Id and a first parameter.
In this possible example, the first parameter is a hyper frame number HFN and/or a preset number.
In one possible example, the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
In one possible example, in terms of filling the Kd-sess Id field with the Kd-sess Id and the first parameter, the processing unit 1402 is specifically configured to: fill from the low bit to the high bit of the Kd-sess Id field in the order of the Kd-sess Id and the first parameter; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first parameter and the Kd-sess Id; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1402 is specifically configured to: when the length of the Kd-sess Id is larger than the second length, select target bits whose number equals the second length from the Kd-sess Id, and fill the Kd-sess Id field with the values of the target bits.
In one possible example, the first length is 12 bits or 18 bits.
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
In one possible example, the first message is a direct communication request message and the second message is a security mode command message.
In one possible example, the processing unit 1402 is further configured to: perform ciphering protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP, where the data packet is communicated between the first device and the second device.
In case of using integrated units, fig. 15 shows a block diagram of one possible functional unit composition of the second device involved in the above-described embodiment. The second device 1500 includes: a processing unit 1502 and a communication unit 1503. The processing unit 1502 is configured to control and manage the actions of the second device. The communication unit 1503 is used to support communication between the second device and other devices, for example, communication with the first device shown in fig. 12. The second device may further include a storage unit 1501 for storing program code and data of the second device.
The processing unit 1502 may be a processor or controller, such as a central processing unit (Central Processing Unit, CPU), a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an Application-specific integrated circuit (ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor may also be a combination that performs the function of a computation, e.g., a combination comprising one or more microprocessors, a combination of a DSP and a microprocessor, and the like. The communication unit 1503 may be a communication interface, a transceiver circuit, or the like, and the storage unit 1501 may be a memory. When the processing unit 1502 is a processor, the communication unit 1503 is a communication interface, and the storage unit 1501 is a memory, the second device according to the embodiment of the present application may be the second device shown in fig. 13.
In particular implementation, the processing unit 1502 is configured to perform any step performed by the second device in the method embodiment described above, and when performing data transmission such as sending, optionally invoke the communication unit 1503 to complete the corresponding operation. The following is a detailed description.
The processing unit 1502 is configured to perform parameter negotiation with the first device through the communication unit 1503 to form a device session key identifier Kd-sess Id; and to fill a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in the packet data convergence protocol (PDCP) data packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field.
It can be seen that, in this embodiment of the present application, the second device performs parameter negotiation with the first device to form a device session key identifier Kd-sess Id, and fills a Kd-sess Id field according to the Kd-sess Id and a second length, where the second length is the length of the Kd-sess Id field in a PDCP data packet, and the length of the Kd-sess Id field is the difference between the first value and the first length of the Counter field. Thus the second device can determine the second length of the Kd-sess Id field from the first length of the Counter field, so as to flexibly fill the Kd-sess Id field in the PDCP packet header according to the Kd-sess Id, improve the rationality of filling the Kd-sess Id field, and provide an effective guarantee for the integrity protection and ciphering protection of subsequent inter-device communication through the PDCP packet header.
In one possible example, the first value is 32 bits.
In one possible example, the Kd-sess Id includes a first portion and a second portion.
In this possible example, the first portion of the Kd-sess Id includes the same number of bits as the second portion of the Kd-sess Id.
In one possible example, the lowest bit of the first portion of the Kd-sess Id is higher than the highest bit of the second portion.
In one possible example, in terms of forming the device session key identifier Kd-sess Id by parameter negotiation with the first device through the communication unit 1503, the processing unit 1502 is specifically configured to: receive, through the communication unit 1503, a first message from the first device, where the first message includes a first portion of the Kd-sess Id; send a second message to the first device through the communication unit 1503, where the second message includes a second portion of the Kd-sess Id; and form the Kd-sess Id from the first portion and the second portion.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1502 is specifically configured to: fill the Kd-sess Id field with the Kd-sess Id when the length of the Kd-sess Id is the same as the second length.
In this possible example, the first portion of the Kd-sess Id includes a first segment and a second segment, the second portion of the Kd-sess Id includes a third segment and a fourth segment, and the processing unit 1502 is specifically configured to, in terms of the filling of the Kd-sess Id field with the Kd-sess Id: filling in the order of the first part of the Kd-sess Id and the second part of the Kd-sess Id from the low order bit to the high order bit of the Kd-sess Id field; or, filling from the low bit to the high bit of the Kd-sess Id field in the order of the second portion of the Kd-sess Id and the first portion of the Kd-sess Id; or, the first segment of the first part of the Kd-sess Id, the third segment of the second part of the Kd-sess Id, the second segment of the first part of the Kd-sess Id, and the fourth segment of the second part of the Kd-sess Id are filled in the order from the low bit to the high bit of the Kd-sess Id field.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1502 is specifically configured to: when the length of the Kd-sess Id is smaller than the second length, fill the Kd-sess Id field with the Kd-sess Id and a first parameter.
In this possible example, the first parameter is a hyper frame number HFN and/or a preset number.
In one possible example, the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
In one possible example, in terms of filling the Kd-sess Id field with the Kd-sess Id and the first parameter, the processing unit 1502 is specifically configured to: fill from the low bit to the high bit of the Kd-sess Id field in the order of the Kd-sess Id and the first parameter; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first parameter and the Kd-sess Id; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or, fill from the low bit to the high bit of the Kd-sess Id field in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
In one possible example, in terms of filling the Kd-sess Id field according to the Kd-sess Id and the second length, the processing unit 1502 is specifically configured to: when the length of the Kd-sess Id is larger than the second length, select target bits whose number equals the second length from the Kd-sess Id, and fill the Kd-sess Id field with the values of the target bits.
In one possible example, the first length is 12 bits or 18 bits.
In one possible example, the Kd-sess Id is 14 bits, 16 bits, or 20 bits in length.
In one possible example, the first message is a direct communication request message and the second message is a security mode command message.
In one possible example, the processing unit 1502 is further configured to: perform ciphering protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP, where the data packet is communicated between the first device and the second device.
An embodiment of the present application also provides a chip, where the chip comprises a processor configured to call and run a computer program from a memory so that a device on which the chip is mounted performs some or all of the steps described for the first device in the method embodiments.
An embodiment of the present application also provides a chip, where the chip comprises a processor configured to call and run a computer program from a memory so that a device on which the chip is mounted performs some or all of the steps described for the second device in the method embodiments.
The present application also provides a computer readable storage medium, where the computer readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to perform some or all of the steps described for the first device in the method embodiments above.
The present application also provides a computer readable storage medium, where the computer readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to perform some or all of the steps described for the second device in the method embodiments above.
Embodiments of the present application also provide a computer program product, where the computer program product comprises a computer program operable to cause a computer to perform some or all of the steps described for the first device in the method embodiments above. The computer program product may be a software installation package.
Embodiments of the present application also provide a computer program product, where the computer program product comprises a computer program operable to cause a computer to perform some or all of the steps described for the second device in the method embodiments above. The computer program product may be a software installation package.
The steps of a method or algorithm described in the embodiments of the present application may be implemented in hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read only memory (ROM), erasable programmable read only memory (EPROM), electrically erasable programmable read only memory (EEPROM), registers, a hard disk, a removable disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in an access network device, a target network device, or a core network device. It is of course also possible that the processor and the storage medium reside as discrete components in an access network device, a target network device, or a core network device.
Those of skill in the art will appreciate that in one or more of the above examples, the functions described in the embodiments of the present application may be implemented, in whole or in part, in software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, a flow or function in accordance with the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
The foregoing embodiments have been provided for the purpose of illustrating the embodiments of the present application in further detail, and it should be understood that the foregoing embodiments are merely illustrative of the embodiments of the present application and are not intended to limit the scope of the embodiments of the present application, and any modifications, equivalents, improvements, etc. made on the basis of the technical solutions of the embodiments of the present application are included in the scope of the embodiments of the present application.

Claims (36)

1. A method for populating a device session key identification field, comprising:
a first device performs parameter negotiation with a second device to form a device session key identifier Kd-sess Id;
when the length of the Kd-sess Id is the same as a second length, the first device fills a Kd-sess Id field in a packet data convergence protocol PDCP data packet with the Kd-sess Id;
when the length of the Kd-sess Id is less than the second length, the first device populates the Kd-sess Id field with the Kd-sess Id and a first parameter;
when the length of the Kd-sess Id is greater than the second length, the first device selects target bits in the Kd-sess Id whose number equals the second length, and fills the Kd-sess Id field with the value of the target bits;
wherein the second length is the length of the Kd-sess Id field, which is the difference between a first value and a first length, the first length being the length of the Counter field in the PDCP packet.
2. The method of claim 1, wherein the first value is 32 bits.
3. The method of claim 1, wherein the Kd-sess Id comprises a first portion and a second portion.
4. The method of claim 3, wherein the first portion of the Kd-sess Id comprises the same number of bits as the second portion of the Kd-sess Id.
5. The method of claim 3, wherein the lowest bit in the first portion of the Kd-sess Id is higher than the highest bit in the second portion.
6. The method of claim 1, wherein the first device forming the device session key identifier Kd-sess Id by parameter negotiation with the second device comprises:
the first device sends a first message to the second device, wherein the first message comprises a first portion of the Kd-sess Id;
the first device receives a second message from the second device, wherein the second message comprises a second portion of the Kd-sess Id;
the first device forms the Kd-sess Id from the first portion and the second portion.
7. The method of claim 1, wherein the first portion of the Kd-sess Id comprises a first segment and a second segment, wherein the second portion of the Kd-sess Id comprises a third segment and a fourth segment, wherein the first device populates the Kd-sess Id field with the Kd-sess Id, comprising:
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the Kd-sess Id, the second portion of the Kd-sess Id; or,
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the second portion of the Kd-sess Id, the first portion of the Kd-sess Id; or,
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, and the fourth segment of the second portion of the Kd-sess Id.
8. The method according to claim 1, wherein the first parameter is a hyper frame number HFN and/or a preset number.
9. The method of claim 6, wherein the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
10. The method of claim 1, wherein the first device populating the Kd-sess Id field with the Kd-sess Id and the first parameter comprises:
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the Kd-sess Id, the first parameter; or,
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the first parameter, the Kd-sess Id; or,
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or,
the first device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
11. The method of claim 1, wherein the first length is 12 bits or 18 bits.
12. The method of claim 1, wherein the Kd-sess Id is 14, 16 or 20 bits in length.
13. The method of claim 6, wherein the first message is a direct communication request message and the second message is a secure mode command message.
14. The method according to any one of claims 1-13, further comprising:
the first device performs encryption protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field, wherein the data packet is a data packet communicated between the first device and the second device.
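As an added worked example that is not code from the patent or from any 3GPP implementation, the following Python models the three cases of claim 1, the first two field orders of claim 10, the lengths of claims 2, 11 and 12, and the combination of the Kd-sess Id field with the Counter field that claim 14 (and the processing unit 1502 description above) use for encryption and integrity protection. The claims do not fix how a first parameter longer than the spare bits is handled, which bits of an over-long Kd-sess Id are the target bits, or whether the Kd-sess Id field sits above or below the Counter field in the 32-bit value; the choices made here (truncate the first parameter to the spare bits, take the lowest bits as target bits, place the Kd-sess Id field in the high bits) are assumptions and are marked as such in the code.

```python
# Constructed model of the Kd-sess Id field filling rule in claims 1, 2, 8, 10-12 and 14.
# Not the patent's own code; bit placement and truncation choices are assumptions.

FIRST_VALUE_BITS = 32               # the "first value" of claim 2
COUNTER_LENGTHS = (12, 18)          # the "first length" options of claim 11
KD_SESS_ID_LENGTHS = (14, 16, 20)   # Kd-sess Id lengths of claim 12


def second_length(counter_len: int) -> int:
    """Length of the Kd-sess Id field: first value minus the Counter field length (claim 1)."""
    if counter_len not in COUNTER_LENGTHS:
        raise ValueError(f"unsupported Counter field length: {counter_len}")
    return FIRST_VALUE_BITS - counter_len


def low_bits(value: int, n: int) -> int:
    """The n least significant bits of value."""
    return value & ((1 << n) - 1)


def fill_kd_sess_id_field(kd_sess_id: int, kd_sess_id_len: int, counter_len: int,
                          first_param: int = 0, param_first: bool = False) -> int:
    """Return the Kd-sess Id field value, second_length(counter_len) bits wide.

    Case 1 (claim 1): length equal to the second length -> the field is the Kd-sess Id.
    Case 2 (claims 1, 10): length below the second length -> Kd-sess Id plus the first
        parameter (e.g. the HFN of claim 8); param_first selects the second order of claim 10.
    Case 3 (claim 1): length above the second length -> 'target bits' of the Kd-sess Id.
    Assumptions: the first parameter is truncated to the spare bits, and the target bits
    are the lowest second_length bits of the Kd-sess Id.
    """
    if kd_sess_id_len not in KD_SESS_ID_LENGTHS:
        raise ValueError(f"unsupported Kd-sess Id length: {kd_sess_id_len}")
    if kd_sess_id >> kd_sess_id_len:
        raise ValueError("Kd-sess Id value exceeds its declared length")
    sec_len = second_length(counter_len)

    if kd_sess_id_len == sec_len:
        return kd_sess_id

    if kd_sess_id_len < sec_len:
        spare = sec_len - kd_sess_id_len
        param = low_bits(first_param, spare)          # assumption: truncate to the spare bits
        if param_first:
            # low bits: first parameter, high bits: Kd-sess Id (second order of claim 10)
            return param | (kd_sess_id << spare)
        # low bits: Kd-sess Id, high bits: first parameter (first order of claim 10)
        return kd_sess_id | (param << kd_sess_id_len)

    return low_bits(kd_sess_id, sec_len)              # assumption: lowest bits are the target bits


def pdcp_count(kd_sess_id_field: int, counter: int, counter_len: int) -> int:
    """32-bit input to encryption/integrity protection (claim 14): Kd-sess Id field || Counter.

    Assumption: the Kd-sess Id field occupies the high bits and the Counter field the low bits.
    """
    sec_len = second_length(counter_len)
    if kd_sess_id_field >> sec_len or counter >> counter_len:
        raise ValueError("field value exceeds its width")
    return (kd_sess_id_field << counter_len) | counter


if __name__ == "__main__":
    # Constructed sample values: a 16-bit Kd-sess Id, a 12-bit Counter field, HFN 5.
    field = fill_kd_sess_id_field(0xABCD, 16, counter_len=12, first_param=5)
    print(f"field=0x{field:05X} count=0x{pdcp_count(field, 0x123, 12):08X}")
```

The length checks matter in practice: a Kd-sess Id or Counter value wider than its declared field would silently overlap the neighbouring bits of the 32-bit value, so both peers would derive different inputs to the ciphering and integrity algorithms and every packet would fail its integrity check.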
15. A method for populating a device session key identification field, comprising:
the second device forms a device session key identifier Kd-sess Id through parameter negotiation with the first device;
when the length of the Kd-sess Id is the same as the second length, the second device fills a Kd-sess Id field in a packet data convergence protocol PDCP data packet with the Kd-sess Id;
when the length of the Kd-sess Id is less than the second length, the second device populates the Kd-sess Id field with the Kd-sess Id and a first parameter;
when the length of the Kd-sess Id is greater than the second length, the second device selects target bits in the Kd-sess Id whose number equals the second length, and fills the Kd-sess Id field with the value of the target bits;
wherein the second length is the length of the Kd-sess Id field, which is the difference between a first value and a first length, the first length being the length of the Counter field in the PDCP packet.
16. The method of claim 15, wherein the first value is 32 bits.
17. The method of claim 15, wherein the Kd-sess Id comprises a first portion and a second portion.
18. The method of claim 17, wherein the first portion of the Kd-sess Id comprises the same number of bits as the second portion of the Kd-sess Id.
19. The method of claim 17, wherein the lowest bit in the first portion of the Kd-sess Id is higher than the highest bit in the second portion.
20. The method of claim 15, wherein the second device forming the device session key identifier Kd-sess Id by parameter negotiation with the first device comprises:
the second device receives a first message from the first device, wherein the first message comprises a first portion of the Kd-sess Id;
the second device sends a second message to the first device, wherein the second message comprises a second portion of the Kd-sess Id;
the second device forms the Kd-sess Id from the first portion and the second portion.
21. The method of claim 15, wherein the first portion of the Kd-sess Id comprises a first segment and a second segment, wherein the second portion of the Kd-sess Id comprises a third segment and a fourth segment, wherein the second device populates the Kd-sess Id field with the Kd-sess Id, comprising:
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the Kd-sess Id, the second portion of the Kd-sess Id; or,
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the second portion of the Kd-sess Id, the first portion of the Kd-sess Id; or,
the second device populates the first segment of the first portion of the Kd-sess Id, the third segment of the second portion of the Kd-sess Id, the second segment of the first portion of the Kd-sess Id, and the fourth segment of the second portion of the Kd-sess Id in that order from the low order bits to the high order bits of the Kd-sess Id field.
22. The method according to claim 15, wherein the first parameter is a hyper frame number HFN and/or a preset number.
23. The method of claim 20, wherein the first parameter is included in the first message; or, the second message includes the first parameter; or, a first portion of the first parameter is included in the first message and a second portion of the first parameter is included in the second message.
24. The method of claim 15, wherein the second device populating the Kd-sess Id field with the Kd-sess Id and the first parameter comprises:
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the Kd-sess Id, the first parameter; or,
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the first parameter, the Kd-sess Id; or,
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the Kd-sess Id, the first parameter, and the second portion of the Kd-sess Id; or,
the second device populates the Kd-sess Id field from the low bit to the high bit in the order of the first portion of the first parameter, the first portion of the Kd-sess Id, the second portion of the first parameter, and the second portion of the Kd-sess Id.
25. The method of claim 15, wherein the first length is 12 bits or 18 bits.
26. The method of claim 15, wherein the Kd-sess Id is 14, 16 or 20 bits in length.
27. The method of claim 20, wherein the first message is a direct communication request message and the second message is a secure mode command message.
28. The method according to any one of claims 15-27, further comprising:
the second device performs encryption protection and integrity protection on a data packet according to the Kd-sess Id field and the Counter field in the PDCP data packet, wherein the data packet is a data packet communicated between the first device and the second device.
29. A first device comprising a processing unit and a communication unit, wherein the processing unit is configured to:
perform parameter negotiation with a second device through the communication unit to form a device session key identifier Kd-sess Id;
fill a Kd-sess Id field in a packet data convergence protocol PDCP data packet with the Kd-sess Id when the length of the Kd-sess Id is the same as a second length;
populate the Kd-sess Id field with the Kd-sess Id and a first parameter when the length of the Kd-sess Id is less than the second length;
when the length of the Kd-sess Id is greater than the second length, select target bits in the Kd-sess Id whose number equals the second length, and fill the Kd-sess Id field with the value of the target bits;
wherein the second length is the length of the Kd-sess Id field, which is the difference between a first value and a first length, the first length being the length of the Counter field in the PDCP packet.
30. A second device, comprising a processing unit and a communication unit, wherein the processing unit is configured to:
perform parameter negotiation with a first device through the communication unit to form a device session key identifier Kd-sess Id;
fill a Kd-sess Id field according to the Kd-sess Id and a second length, namely fill the Kd-sess Id field in a packet data convergence protocol PDCP data packet with the Kd-sess Id when the length of the Kd-sess Id is the same as the second length;
populate the Kd-sess Id field with the Kd-sess Id and a first parameter when the length of the Kd-sess Id is less than the second length;
when the length of the Kd-sess Id is greater than the second length, select target bits in the Kd-sess Id whose number equals the second length, and fill the Kd-sess Id field with the value of the target bits;
wherein the second length is the length of the Kd-sess Id field, which is the difference between a first value and a first length, the first length being the length of the Counter field in the PDCP packet.
31. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any of claims 1-14.
32. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any of claims 15-28.
33. A first device comprising a processor, a memory, a communication interface, and one or more programs stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps in the method of any of claims 1-14.
34. A second device comprising a processor, a memory, a communication interface, and one or more programs stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps in the method of any of claims 15-28.
35. A computer-readable storage medium, characterized in that it stores a computer program for electronic data exchange, wherein the computer program causes a computer to perform the method according to any one of claims 1-14.
36. A computer readable storage medium, characterized in that it stores a computer program for electronic data exchange, wherein the computer program causes a computer to perform the method according to any of claims 15-28.
CN202080068470.5A 2020-01-17 2020-01-17 Filling method of equipment session key identification field and related products Active CN114450989B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/072875 WO2021142808A1 (en) 2020-01-17 2020-01-17 Filling method for device session key identifier field and related product

Publications (2)

Publication Number Publication Date
CN114450989A CN114450989A (en) 2022-05-06
CN114450989B true CN114450989B (en) 2023-12-22

Family

ID=76863249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080068470.5A Active CN114450989B (en) 2020-01-17 2020-01-17 Filling method of equipment session key identification field and related products

Country Status (2)

Country Link
CN (1) CN114450989B (en)
WO (1) WO2021142808A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101779435A (en) * 2007-08-08 2010-07-14 Qualcomm Incorporated Key identifier in packet data convergence protocol header

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US8699711B2 (en) * 2007-07-18 2014-04-15 Interdigital Technology Corporation Method and apparatus to implement security in a long term evolution wireless device
KR102312670B1 (en) * 2014-10-30 2021-10-15 Samsung Electronics Co., Ltd. Method of performing device to device communication between user equipments
WO2018155908A1 (en) * 2017-02-22 2018-08-30 LG Electronics Inc. Method for transmitting or receiving data through relay in wireless communication system and apparatus therefor
JP7364830B2 (en) * 2018-06-22 2023-10-19 InterDigital Patent Holdings, Inc. Steps to enable WTRU privacy using PC5 communications

Non-Patent Citations (3)

Title
3GPP. "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Security Aspects of 3GPP support for Advanced V2X Services (Release 16)". 3GPP TR 33.836 V0.5.0 (2019-11). 2019, pages 17, 21-22, 38-39. *

Also Published As

Publication number Publication date
CN114450989A (en) 2022-05-06
WO2021142808A1 (en) 2021-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant