CN114765502A - Message processing method and device, terminal and network side equipment - Google Patents

Publication number: CN114765502A
Authority: CN (China)
Prior art keywords: terminal; RRC message; network side; root key; side device
Legal status: Pending
Application number: CN202110055683.0A
Other languages: Chinese (zh)
Inventors: 傅婧, 周叶
Current assignee: Datang Mobile Communications Equipment Co Ltd
Original assignee: Datang Mobile Communications Equipment Co Ltd
Application filed by: Datang Mobile Communications Equipment Co Ltd
Priority to: CN202110055683.0A (CN114765502A)
Priority to: PCT/CN2021/139100 (WO2022151917A1)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L5/00: Arrangements affording multiple use of the transmission path
    • H04L5/003: Arrangements for allocating sub-channels of the transmission path
    • H04L5/0053: Allocation of signaling, i.e. of overhead other than pilot signals
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08: Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a message processing method, a device, a terminal and network side equipment. The method comprises: a terminal in the inactive state receives a first Radio Resource Control (RRC) message, wherein the first RRC message is used for indicating at least one of the following: instructing the terminal to update the access stratum root key; indicating that anchor transfer occurs; instructing the terminal to execute a synchronous reconfiguration process; instructing the terminal to execute a dedicated random access procedure. The embodiment of the invention ensures timely transfer of the anchor and security isolation between access network nodes.

Description

Message processing method, device, terminal and network side equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, a terminal, and a network device for processing a message.
Background
To let the terminal enter the connected state quickly to transmit data, and to reduce the signaling overhead incurred during mobility and state transitions, New Radio (NR) introduces a new Radio Access Network (RAN)-controlled Radio Resource Control (RRC) state: the RRC inactive state (RRC_INACTIVE).
The RAN node instructs the terminal to enter or remain in the RRC inactive state by sending an RRC release message with suspend configuration. Thereafter, the RAN node becomes the "anchor node" of the terminal, holding the context of the terminal.
Wireless communication networks carry signaling and user data over the air, where they are susceptible to eavesdropping or tampering by attackers. A complete security system is therefore designed to encrypt (prevent eavesdropping) and integrity-protect (prevent tampering) the signaling and user data exchanged over the air interface. To realize access stratum encryption and integrity protection, the user terminal and the RAN node need to hold the same "access stratum root key", which is called KgNB in the 5G/NR system.
Considering that RAN nodes are usually deployed outdoors and are at high risk of physical attack, in order to ensure the security of the system as much as possible, a 5G system requires that different base stations (gNBs) use different KgNB values when communicating with the same terminal.
The prior art provides no processing scheme for implementing security isolation between nodes when a large amount of downlink data arrives during an inactive-state small data transmission process.
Disclosure of Invention
The embodiment of the invention aims to provide a message processing method, a message processing device, a terminal and network side equipment, so as to solve the problem that in the prior art, security isolation cannot be realized between nodes in an inactive-state small data transmission process.
In order to achieve the above object, the present invention provides a message processing method, including:
the terminal in the inactive state receives a first Radio Resource Control (RRC) message, wherein the first RRC message is used for indicating at least one of the following items:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
Wherein the update-related information of the access stratum root key comprises at least one of the following items:
an indication instructing the terminal to execute a horizontal key update process;
the Next hop Chaining Count (NCC) value.
Wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
Wherein the method further comprises:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using the access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
Wherein the method further comprises:
performing at least one of the following operations according to the first RRC message:
updating the access stratum root key;
sending a second RRC message to a first network side device or a second network side device, wherein the second RRC message is a feedback message of the first RRC message;
executing a synchronous reconfiguration process with the second network side equipment;
executing a dedicated random access process with the second network side equipment.
The second network side equipment is the current serving node of the terminal.
The embodiment of the invention also provides a message processing method, which comprises the following steps:
the first network side equipment sends a first RRC message to a terminal in an inactive state or second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access process;
the first network side device is an anchor node of the terminal, and the second network side device is a current serving node of the terminal.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
Wherein the update-related information of the access stratum root key comprises at least one of the following items:
an indication instructing the terminal to execute a horizontal key update process;
the Next hop Chaining Count (NCC) value.
Wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
Before the first network side device sends a first RRC message to the terminal in the inactive state, the method further includes:
generating the first RRC message when it is determined that the user plane node in the first network side device is to be replaced for small data transmission.
Before the first network side device sends the first RRC message to the second network side device, the method further includes:
receiving a first RRC message sent by second network side equipment;
The sending, by the first network side device, of the first RRC message to the second network side device includes:
the first network side equipment encrypts and integrity-protects the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
and sending the first downlink PDU to the second network side equipment, so that the second network side equipment sends the first downlink PDU to the terminal in the inactive state.
Before receiving the first RRC message sent by the second network side device, the method further includes:
under the condition that the anchor point transfer is determined, sending a first interface message to the second network side equipment so that the second network side equipment generates the first RRC message; wherein the first interface message comprises: context information of the terminal and/or update related information of the access stratum root key.
The receiving of the first RRC message sent by the second network side device includes:
and receiving a first RRC message sent under the condition that the second network side equipment determines to carry out anchor point transfer.
Wherein the method further comprises:
sending the updated access stratum root key to the second network side equipment.
Wherein the method further comprises:
receiving a first uplink PDU of the terminal forwarded by a second network side device, wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
and decrypting and integrity checking the first RRC message by using the access stratum root key before updating to obtain the second RRC message.
Wherein the method further comprises:
and sending a second RRC message and/or anchor point transfer success indication information to the second network side equipment.
Wherein the method further comprises:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and verifying the integrity of the second RRC message according to the updated access stratum root key.
The embodiment of the invention also provides a message processing method, which comprises the following steps:
the second network side equipment sends a first RRC message to the terminal in the inactive state; wherein the first RRC message is used to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access process;
and the second network side equipment is the current serving node of the terminal.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
Wherein the update-related information of the access stratum root key comprises at least one of the following items:
an indication instructing the terminal to execute a horizontal key update process;
the Next hop Chaining Count (NCC) value.
Wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
The sending, by the second network side device, the first RRC message to the terminal in the inactive state includes:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU sent by a first network side device, wherein the first downlink PDU carries a first RRC message encrypted and integrity protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
Before sending the first RRC message to the first network side device, the method further includes:
receiving a first interface message sent by a first network side device under the condition that the first network side device determines to perform anchor point transfer, wherein the first interface message comprises: context information of the terminal and updating related information of an access stratum root key;
and generating the first RRC message according to the first interface message.
Wherein, sending the first RRC message to a first network side device includes:
under the condition of determining to perform anchor point transfer, generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key;
the context information of the terminal and/or the update related information of the access stratum root key are obtained by the second network side equipment from the access and mobility management AMF network element or obtained from the first network side equipment.
Wherein the method further comprises:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity-protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
Wherein the method further comprises:
receiving a first uplink PDU sent by the terminal, wherein the first uplink PDU carries a second RRC message which utilizes an access stratum root key before updating to carry out encryption and integrity protection;
and sending the first uplink PDU to the first network side equipment, so that the first network side equipment decrypts and verifies the integrity of the first uplink PDU by using the access stratum root key before updating.
Wherein the method further comprises:
and receiving a second RRC message and/or anchor point transfer success indication information sent by the first network side equipment.
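The exchange set out in the three methods above can be modelled end to end; the following is an added example, not part of the patent text, showing which node can verify the second RRC message depending on whether the terminal protects it with the pre-update or the updated access stratum root key. Assumptions: HMAC-SHA-256 stands in for both the horizontal key derivation and the integrity algorithm, ciphering is omitted, and the class names, message fields, PCI/ARFCN inputs and sample key are hypothetical.

```python
import hashlib
import hmac
import json

MAC_LEN = 4  # truncated tag length, a choice of this model


def derive_horizontal(k_old: bytes, pci: int, arfcn_dl: int) -> bytes:
    # Stand-in KDF (assumption): a horizontal update derives the new root key
    # from the current one plus target-cell parameters. The real 3GPP input
    # encoding is not reproduced.
    info = b"horizontal" + pci.to_bytes(2, "big") + arfcn_dl.to_bytes(3, "big")
    return hmac.new(k_old, info, hashlib.sha256).digest()


def protect(key: bytes, msg: dict) -> bytes:
    # Integrity protection only; ciphering is left out of the model.
    body = json.dumps(msg, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def verify(key: bytes, pdu: bytes):
    # Return the message if the tag checks out under `key`, else None.
    body, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return json.loads(body) if hmac.compare_digest(tag, good) else None


class Anchor:
    """First network side device: holds the context and the pre-update key."""

    def __init__(self, k_old: bytes, ncc: int):
        self.k_old, self.ncc, self.k_new = k_old, ncc, None

    def first_downlink_pdu(self, pci, arfcn_dl, reply_with_new_key):
        self.k_new = derive_horizontal(self.k_old, pci, arfcn_dl)
        first_rrc = {"key_update": "horizontal", "ncc": self.ncc,
                     "anchor_transfer": True,
                     "reply_with_new_key": reply_with_new_key}
        return protect(self.k_old, first_rrc)  # terminal only has k_old so far

    def handle_first_uplink_pdu(self, pdu):
        return verify(self.k_old, pdu)


class ServingNode:
    """Second network side device: is only ever given the updated key."""

    def __init__(self):
        self.k_new = None

    def handle_second_uplink_pdu(self, pdu):
        return verify(self.k_new, pdu) if self.k_new else None


class Terminal:
    def __init__(self, key: bytes, ncc: int, pci: int, arfcn_dl: int):
        self.key, self.ncc, self.pci, self.arfcn_dl = key, ncc, pci, arfcn_dl

    def handle_first_rrc(self, pdu):
        first_rrc = verify(self.key, pdu)
        if first_rrc is None:
            return None  # failed integrity check: keep the current key
        if first_rrc["key_update"] != "horizontal" or first_rrc["ncc"] != self.ncc:
            return None  # NH-based (vertical) derivation is not modelled
        k_new = derive_horizontal(self.key, self.pci, self.arfcn_dl)
        reply_key = k_new if first_rrc["reply_with_new_key"] else self.key
        self.key = k_new
        return protect(reply_key, {"msg": "second_rrc", "ack": True})


def run_exchange(reply_with_new_key: bool, tamper: bool = False) -> dict:
    k_old = bytes(range(32))  # constructed sample key
    anchor, serving = Anchor(k_old, ncc=0), ServingNode()
    ue = Terminal(k_old, ncc=0, pci=101, arfcn_dl=620000)  # constructed cell
    dl = anchor.first_downlink_pdu(101, 620000, reply_with_new_key)
    serving.k_new = anchor.k_new  # anchor hands over the updated key only
    if tamper:  # one bit flipped in transit
        dl = dl[:5] + bytes([dl[5] ^ 1]) + dl[6:]
    ul = ue.handle_first_rrc(dl)  # serving node relays dl unchanged
    result = {"ue_rekeyed": ue.key != k_old, "verified_by": None,
              "serving_can_verify": False}
    if ul is None:
        return result
    at_serving = serving.handle_second_uplink_pdu(ul) is not None
    at_anchor = anchor.handle_first_uplink_pdu(ul) is not None
    result["serving_can_verify"] = at_serving
    # Second uplink PDU (new key) is checked at the serving node; first uplink
    # PDU (old key) has to be forwarded to the anchor.
    ok, who = (at_serving, "serving") if reply_with_new_key else (at_anchor, "anchor")
    result["verified_by"] = who if ok else None
    return result


if __name__ == "__main__":
    for case in [(True, False), (False, False), (True, True)]:
        print(case, run_exchange(*case))
```

In the old-key case the serving node cannot check the reply itself, which is why the method has it forward the first uplink PDU to the anchor; the pre-update key never leaves the anchor in either case.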
An embodiment of the present invention further provides a message processing apparatus, which is applied to a terminal in an inactive state, and includes:
a first receiving unit, configured to receive a first radio resource control RRC message, where the first RRC message is used to indicate at least one of the following:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
The embodiment of the invention also provides a terminal, which is in an inactive state and comprises a memory, a transceiver and a processor;
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following operations:
receiving a first radio resource control, RRC, message, wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
Wherein the update-related information of the access stratum root key comprises at least one of the following information:
an indication instructing the terminal to execute a horizontal key update process;
the Next hop Chaining Count (NCC) value.
Wherein the processor is further configured to read the computer program in the memory and perform the following operations:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using the access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
An embodiment of the present invention further provides a message processing apparatus, applied to a first network side device, including:
a first sending unit, configured to send a first RRC message to a terminal in an inactive state or to second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
the first network side device is an anchor node of the terminal, and the second network side device is a current serving node of the terminal.
The embodiment of the present invention further provides a network side device, where the network side device is a first network side device, and the network side device includes a memory, a transceiver, and a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following operations:
sending a first RRC message to a terminal in an inactive state or second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access process;
the first network side device is an anchor node of the terminal, and the second network side device is a current serving node of the terminal.
Wherein the processor is further configured to read the computer program in the memory and perform the following operations:
generating the first RRC message when it is determined that the user plane node in the first network side device is to be replaced for small data transmission.
Wherein the processor is further configured to read the computer program in the memory and perform the following operations:
receiving a first RRC message sent by second network side equipment;
encrypting and integrity protecting the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
and sending the first downlink PDU to the second network side equipment, so that the second network side equipment sends the first downlink PDU to the terminal in the inactive state.
An embodiment of the present invention further provides a message processing apparatus, which is applied to a second network side device, and includes:
a second sending unit, configured to send the first RRC message to the terminal in the inactive state; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access process;
and the second network side equipment is the current serving node of the terminal.
The embodiment of the invention also provides a network side device, wherein the network side device is a second network side device and comprises a memory, a transceiver and a processor;
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following:
sending a first RRC message to a terminal in an inactive state; wherein the first RRC message is used to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
and the second network side equipment is the current serving node of the terminal.
Wherein the processor is further configured to read the computer program in the memory and perform the following operations:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU sent by a first network side device, wherein the first downlink PDU carries a first RRC message encrypted and integrity protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
Wherein the processor is further configured to read the computer program in the memory and perform the following operations:
under the condition of determining to perform anchor point transfer, generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key;
wherein, the context information of the terminal and/or the update related information of the access stratum root key are obtained by the second network side device from the access and mobility management AMF network element or from the first network side device.
An embodiment of the present invention further provides a processor-readable storage medium, where the processor-readable storage medium stores a computer program, and the computer program is configured to cause the processor to execute the method described above.
The technical scheme of the invention at least has the following beneficial effects:
In the message processing method, the device, the terminal and the network side equipment of the embodiment of the invention, if anchor transfer or user plane node replacement is needed during inactive-state small data transmission, the network side equipment uses the first RRC message to indicate to the terminal at least one of: updating the access stratum root key, anchor transfer, the synchronous reconfiguration process, and the dedicated random access process, thereby ensuring timely transfer of the anchor and security isolation between access network nodes.
Drawings
Fig. 1 illustrates a block diagram of a wireless communication system in which embodiments of the present invention are applicable;
Fig. 2 is the first schematic diagram of the steps of a message processing method according to an embodiment of the present invention;
Fig. 3 is the second schematic diagram of the steps of a message processing method according to an embodiment of the present invention;
Fig. 4 is the third schematic diagram of the steps of a message processing method according to an embodiment of the present invention;
Fig. 5 is the first schematic structural diagram of example one of the message processing method provided in the embodiment of the present invention;
Fig. 6 is the second schematic structural diagram of example one of the message processing method provided in the embodiment of the present invention;
Fig. 7 is a schematic structural diagram of example two of the message processing method provided in the embodiment of the present invention;
Fig. 8 is a schematic structural diagram of example three of the message processing method provided in the embodiment of the present invention;
Fig. 9 is the first schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 11 is the second schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
Fig. 12 is the first schematic structural diagram of a network side device according to an embodiment of the present invention;
Fig. 13 is the third schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
Fig. 14 is the second schematic structural diagram of a network side device according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows a block diagram of a wireless communication system to which embodiments of the present invention are applicable. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 may also be referred to as a terminal device or a User Equipment (UE). It should be noted that the embodiment of the present application does not limit the specific type of the terminal 11. The network side device 12 may be a base station or a core network, and it should be noted that in this embodiment, only the base station in the NR system is taken as an example, but the specific type of the base station is not limited.
The term "and/or" in the embodiments of the present invention describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
In the embodiments of the present application, the term "plurality" means two or more, and other terms are similar thereto.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The embodiment of the application provides a message processing method and a message processing device, which are used for realizing timely transfer of the anchor during inactive-state small data transmission and security isolation between access network nodes.
The method and the device are based on the same application concept, and because the principles of solving the problems of the method and the device are similar, the implementation of the device and the method can be mutually referred, and repeated parts are not repeated.
The technical scheme provided by the embodiment of the application can be suitable for various systems, particularly 5G systems. For example, the applicable system may be a global system for mobile communication (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) General Packet Radio Service (GPRS) system, a long term evolution (long term evolution, LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, an LTE-a (long term evolution) system, a universal mobile system (universal mobile telecommunications system, UMTS), a Worldwide Interoperability for Mobile Access (WiMAX) system, a New Radio network (NR 5) system, etc. These various systems each include a terminal device and a network-side device. The System may further include a core network portion, such as an Evolved Packet System (EPS), a 5G System (5GS), and the like.
The terminal device referred to in the embodiments of the present application may refer to a device providing voice and/or data connectivity to a user, a handheld device having a wireless connection function, or another processing device connected to a wireless modem. In different systems, the names of the terminal devices may be different, for example, in a 5G system, the terminal device may be called a User Equipment (UE). A wireless terminal device, which may be a mobile terminal device such as a mobile telephone (or "cellular" telephone) and a computer having a mobile terminal device, for example, a portable, pocket, hand-held, computer-included, or vehicle-mounted mobile device, may communicate with one or more Core Networks (CNs) via a Radio Access Network (RAN). Examples of such devices include Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, and Personal Digital Assistants (PDAs). The wireless terminal device may also be referred to as a system, a subscriber unit (subscriber unit), a subscriber station (subscriber station), a mobile station (mobile), a remote station (remote station), an access point (access point), a remote terminal device (remote terminal), an access terminal device (access terminal), a user terminal device (user terminal), a user agent (user agent), and a user device (user device), which are not limited in this embodiment of the present application.
The network side device according to the embodiments of the present application may be a base station, and the base station may include a plurality of cells providing services for terminals. Depending on the particular application, a base station may also be referred to as an access point, or as a device in an access network that communicates over the air interface with wireless terminal devices through one or more sectors, or by other names. The network side device may be configured to convert received air frames to and from Internet Protocol (IP) packets, acting as a router between the wireless terminal device and the rest of the access network, where the rest of the access network may include an IP communication network. The network side device may also coordinate attribute management for the air interface. For example, the network side device according to the embodiments of the present application may be a Base Transceiver Station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) system, a network side device (NodeB) in a Wideband Code Division Multiple Access (WCDMA) system, an evolved Node B (eNB or e-NodeB) in a Long Term Evolution (LTE) system, a 5G base station (gNB) in a 5G network architecture (next generation system), a Home evolved Node B (HeNB), a relay node, a Home Base Station (pico), and the like, which is not limited in the embodiments of the present application. In some network structures, a network side device may include a Centralized Unit (CU) node and a Distributed Unit (DU) node, and the centralized unit and the distributed unit may be geographically separated.
The network side device and the terminal device may each use one or more antennas to perform Multiple Input Multiple Output (MIMO) transmission, where the MIMO transmission may be Single User MIMO (SU-MIMO) or Multi-User MIMO (MU-MIMO). Depending on the form and number of antenna combinations, the MIMO transmission may be 2D-MIMO, 3D-MIMO, FD-MIMO, or massive-MIMO, or may be diversity transmission, precoding transmission, beamforming transmission, or the like.
Small data transmission in the inactive state may be performed either with or without RRC signaling. Transmitting small data with RRC signaling means that an RRC resume request message and the small data packet to be transmitted are sent to the network side together, triggering the subsequent procedure. In current discussions, it is assumed that when RRC signaling is used to transmit small data in the non-connected state, the current serving gNB may be different from the anchor gNB. When only a small amount of small data is transmitted, anchor transfer may be unnecessary; when a large amount of downlink data arrives, anchor transfer must be performed. Anchor transfer therefore may or may not take place during small data transmission in the non-connected state. Without anchor transfer, the PDCP-layer operations on small data packets in the non-connected state, including encryption/decryption and integrity protection/verification, can only be performed by the anchor gNB.
As shown in fig. 2, an embodiment of the present invention provides a message processing method, where the method includes:
step 201, a terminal in an INACTIVE state (INACTIVE) receives a first radio resource control RRC message, where the first RRC message is used to indicate at least one of the following:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key, according to which the terminal updates the access stratum root key;
indication information indicating that anchor transfer occurs, according to which the terminal performs anchor transfer;
access stratum security algorithm configuration information, which is applied by the terminal; for example, the access stratum security algorithm configuration information is used to update the specific algorithm that subsequently uses the updated access stratum root key;
configuration information required for performing synchronous reconfiguration, according to which the terminal performs the synchronization process;
resource configuration information for performing dedicated random access, according to which the terminal performs a non-contention random access process.
Optionally, in at least one embodiment of the present invention, the update-related information of the access stratum root key includes at least one of the following items:
an instruction for the terminal to execute a horizontal key update process;
a Next Hop Chaining Count (NCC) value.
The terminal can determine the updated access stratum root key according to the update-related information of the access stratum root key.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
For example, the terminal encrypts and integrity-protects and/or decrypts and integrity-checks subsequent messages (including the second RRC message and other messages) using the updated access stratum root key; or, the terminal encrypts and integrity-protects the second RRC message by using the access stratum root key before updating, and encrypts and integrity-protects and/or decrypts and integrity-verifies other messages (such as a Signaling Radio Bearer (SRB) and a Data Radio Bearer (DRB)) except the second RRC message by using the access stratum root key after updating.
In at least one optional embodiment of the present invention, after the terminal receives the first RRC message, the method further includes:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message which is encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
It should be noted that the first uplink PDU or the second uplink PDU may be sent to the first network side device, or may be sent to the second network side device. For example, if the first RRC message is directly sent to the terminal by the first network side device, the first uplink PDU or the second uplink PDU is sent to the first network side device; for another example, the first RRC message is forwarded to the terminal by the second network side device, and then the first uplink PDU or the second uplink PDU is sent to the second network side device.
The first network side device is a network side device which indicates the terminal to enter or keep an inactive state last time, and the second network side device is a current service node of the terminal (namely, a network side device directly connected to the air interface side of the current terminal). The first network side device and the second network side device may be the same node or different nodes.
Following on from the above, in at least one embodiment of the present invention, the method further includes:
performing at least one of the following operations according to the first RRC message:
updating the access stratum root key;
sending a second RRC message to the first network side device or the second network side device, wherein the second RRC message is a feedback message of the first RRC message;
performing a synchronous reconfiguration process with the second network side device;
performing a dedicated random access process with the second network side device.
The second network side device is the current service node of the terminal.
In summary, in the embodiment of the present invention, if anchor transfer or replacement of a user plane node is required during inactive-state small data transmission, the network side device uses the first RRC message to instruct the terminal to do at least one of the following: update the access stratum root key, perform anchor transfer, perform a synchronous reconfiguration process, and perform a dedicated random access process. This ensures timely transfer of the anchor and security isolation between access network nodes.
As shown in fig. 3, an embodiment of the present invention further provides a message processing method, where the method includes:
step 301, a first network side device sends a first RRC message to a terminal in an inactive state or a second network side device; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
the first network side device is an anchor node of the terminal, and the second network side device is a current service node of the terminal.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key, according to which the terminal updates the access stratum root key;
indication information indicating that anchor transfer occurs, according to which the terminal performs anchor transfer;
access stratum security algorithm configuration information, which is applied by the terminal; for example, the access stratum security algorithm configuration information is used to update the specific algorithm that subsequently uses the updated access stratum root key;
configuration information required for performing synchronous reconfiguration, according to which the terminal performs the synchronization process;
resource configuration information for performing dedicated random access, according to which the terminal performs a non-contention random access process.
Optionally, in at least one embodiment of the present invention, the update-related information of the access stratum root key includes at least one of the following items:
an instruction for the terminal to execute a horizontal key update process;
a Next Hop Chaining Count (NCC) value.
The terminal can determine the updated access stratum root key according to the update-related information of the access stratum root key.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
For example, the terminal encrypts and integrity-protects and/or decrypts and integrity-checks subsequent messages (including the second RRC message and other messages) using the updated access stratum root key; or, the terminal encrypts and integrity-protects the second RRC message by using the access stratum root key before updating, and encrypts and integrity-protects and/or decrypts and integrity-verifies other messages (such as a Signaling Radio Bearer (SRB) and a Data Radio Bearer (DRB)) except the second RRC message by using the access stratum root key after updating.
In at least one embodiment of the present invention, there are at least two scenarios for step 301:
in scenario 1, a first network side device directly sends a first RRC message to an inactive terminal, and before step 301, the method further includes:
generating the first RRC message when it is determined that the user plane node used for small data transmission in the first network side device is to be replaced.
It should be noted that, a network side device may further include a plurality of user plane nodes, and these user plane nodes also need to have security isolation, so that when a user plane node is replaced, the network side device and the terminal also need to replace the used access stratum root key.
For example, the terminal remains in the unconnected state, and transmits/receives the small packet via the anchor node (i.e., the first network-side device) itself. Due to the excessive number of small data packets to be sent, the first network side device needs to replace its internal user plane node. In order to ensure the security isolation between the user plane nodes inside the anchor node, the access stratum root key also needs to be replaced, and at this time, the anchor node generates the first RRC message and sends the first RRC message to the terminal.
In scenario 2, a first network side device forwards a first RRC message to an inactive terminal through a second network side device, before step 301, the method further includes:
receiving a first RRC message sent by second network side equipment; optionally, the first RRC message is transmitted to the first network side device in a plaintext form;
accordingly, step 301 includes:
the first network side device encrypts and integrity-protects the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
sending the first downlink PDU to the second network side device, so that the second network side device sends the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal, and the second network side device is a current service node of the terminal.
For example, the terminal remains in the non-connected state and sends/receives small data packets through a current serving node different from the anchor node, and no anchor transfer has occurred on the network side. When anchor transfer is decided because a downlink non-access stratum message arrives, a downlink non-small data packet arrives, or there are too many small data packets to be sent, the first network side device performs PDCP processing (including ciphering and integrity protection) on the first RRC message sent by the second network side device to generate a first downlink PDU, and sends the first downlink PDU to the second network side device; the second network side device transparently transmits the first downlink PDU encapsulating the first RRC message to the terminal in the inactive state.
As to scenario 2, as an optional embodiment, before receiving the first RRC message sent by the second network side device, the method further includes:
when it is determined to perform anchor transfer, sending a first interface message to the second network side device so that the second network side device generates the first RRC message; wherein the first interface message comprises: context information of the terminal and/or update-related information of the access stratum root key.
For example, the anchor node decides to perform anchor transfer because a downlink non-access stratum message arrives, a downlink non-small data packet arrives, there are too many small data packets to be sent, or the current service node requests it. The anchor node then derives the updated access stratum root key and sends a first interface message to the current service node to inform it that anchor transfer is required, wherein the first interface message comprises: context information of the terminal, and/or the updated access stratum root key and the associated NCC.
Or, for scenario 2, as another optional embodiment, receiving a first RRC message sent by a second network side device includes:
receiving a first RRC message that the second network side device sends when it determines to perform anchor transfer.
For example, the current serving node triggers the anchor transfer process based on its own decision: if the current serving node finds that there is currently non-small data to be sent or small data to be transmitted, it decides to trigger the anchor transfer process and generates the first RRC message.
As an alternative embodiment, the method further comprises:
and sending the updated access stratum root key to the second network side device, so that the second network side device receives the second RRC message and/or other subsequent messages sent by the terminal according to the updated access stratum root key.
In at least one optional embodiment of the invention, the method further comprises:
receiving a first uplink PDU of the terminal forwarded by a second network side device, wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
and decrypting and integrity checking the first RRC message by using the access stratum root key before updating to obtain the second RRC message.
Optionally, the method further includes:
and sending a second RRC message and/or anchor point transfer success indication information to the second network side equipment.
In the embodiment of the invention, after receiving the first uplink PDU containing the second RRC message, the second network side device does not process the first uplink PDU, but transparently forwards the first uplink PDU to the first network side device. After decrypting and integrity checking the received first uplink PDU, the first network side device executes at least one of the following processes:
forwarding the second RRC message to second network side equipment;
and replying the anchor point transfer success indication information to the second network side equipment.
In another optional embodiment of the invention, the method further comprises:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
In summary, in the embodiment of the present invention, if anchor transfer or replacement of a user plane node is required during inactive-state small data transmission, the network side device uses the first RRC message to instruct the terminal to do at least one of the following: update the access stratum root key, perform anchor transfer, perform a synchronous reconfiguration process, and perform a dedicated random access process. This ensures timely transfer of the anchor and security isolation between access network nodes.
As shown in fig. 4, an embodiment of the present invention further provides a message processing method, where the method includes:
step 401, a second network side device sends a first RRC message to a terminal in an inactive state; wherein the first RRC message is used to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access process;
the second network side device is the current service node of the terminal.
Wherein the first RRC message comprises at least one of the following information:
update-related information of the access stratum root key, according to which the terminal updates the access stratum root key;
indication information indicating that anchor transfer occurs, according to which the terminal performs anchor transfer;
access stratum security algorithm configuration information, which is applied by the terminal; for example, the access stratum security algorithm configuration information is used to update the specific algorithm that subsequently uses the updated access stratum root key;
configuration information required for performing synchronous reconfiguration, according to which the terminal performs the synchronization process;
resource configuration information for performing dedicated random access, according to which the terminal performs a non-contention random access process.
Optionally, in at least one embodiment of the present invention, the update-related information of the access stratum root key includes at least one of the following items:
an instruction for the terminal to execute a horizontal key update process;
a Next Hop Chaining Count (NCC) value.
The terminal can determine the updated access stratum root key according to the update-related information of the access stratum root key.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
For example, the terminal encrypts and integrity-protects and/or decrypts and integrity-checks subsequent messages (including the second RRC message and other messages) using the updated access stratum root key; or, the terminal encrypts and integrity-protects the second RRC message by using the access stratum root key before updating, and encrypts and integrity-protects and/or decrypts and integrity-verifies other messages (such as a Signaling Radio Bearer (SRB) and a Data Radio Bearer (DRB)) except the second RRC message by using the access stratum root key after updating.
It should be noted that the first network-side device is a network-side device that last indicates that the terminal enters or maintains an inactive state, and the second network-side device is a current service node of the terminal (i.e., a network-side device directly connected to the air interface side of the current terminal). The first network side device and the second network side device may be the same node or different nodes.
For the case that the first network side device and the second network side device are different nodes, step 401 includes:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU (protocol data Unit) sent by first network side equipment, wherein the first downlink PDU carries a first RRC (radio resource control) message which is encrypted and integrity-protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
For example, the terminal remains in the non-connected state and sends/receives small data packets through a current service node different from the anchor node, and no anchor transfer has occurred on the network side. When anchor transfer is decided because a downlink non-access stratum message arrives, a downlink non-small data packet arrives, or there are too many small data packets to be sent, the first network side device performs PDCP processing (including ciphering and integrity protection) on the first RRC message sent by the second network side device to generate a first downlink PDU, and sends the first downlink PDU to the second network side device; the second network side device transparently transmits the first downlink PDU encapsulating the first RRC message to the terminal in the inactive state.
As an optional embodiment, before sending the first RRC message to the first network side device, the method further includes:
receiving a first interface message sent by a first network side device under the condition that the first network side device determines to perform anchor point transfer, wherein the first interface message comprises: context information of the terminal and updating related information of an access stratum root key;
and generating the first RRC message according to the first interface message.
For example, the anchor node decides to perform anchor transfer because a downlink non-access stratum message arrives, a downlink non-small data packet arrives, there are too many small data packets to be sent, or the current service node requests it. The anchor node then derives the updated access stratum root key and sends a first interface message to the current service node to inform it that anchor transfer is required, wherein the first interface message comprises: context information of the terminal, and/or the updated access stratum root key and the associated NCC.
As another optional embodiment, sending the first RRC message to the first network side device includes:
when it is determined to perform anchor transfer, generating the first RRC message according to the context information of the terminal and/or the update-related information of the access stratum root key;
wherein the context information of the terminal and/or the update-related information of the access stratum root key are obtained by the second network side device from the Access and Mobility Management Function (AMF) network element or from the first network side device.
For example, the current serving node triggers the anchor transfer process based on its own decision: if the current serving node finds that there is currently non-small data to be sent or small data to be transmitted, it decides to trigger the anchor transfer process and generates the first RRC message.
As another alternative embodiment, the method further comprises:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
The updated access stratum key may be notified to the second network side device by the first network side device, or may be determined by the second network side device, which is not limited specifically herein.
In at least one optional embodiment of the invention, the method further comprises:
receiving a first uplink PDU sent by the terminal, wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using the access stratum root key before updating;
and sending the first uplink PDU to the first network side equipment, so that the first network side equipment decrypts and verifies the integrity of the first uplink PDU by using the access stratum root key before updating.
Optionally, the method further includes:
and receiving a second RRC message and/or anchor point transfer success indication information sent by the first network side device.
In the embodiment of the invention, after receiving the first uplink PDU containing the second RRC message, the second network side device does not process the first uplink PDU, but transparently forwards the first uplink PDU to the first network side device. After decrypting and integrity checking the received first uplink PDU, the first network side device executes at least one of the following processes:
forwarding the second RRC message to second network side equipment;
and replying the anchor point transfer success indication information to the second network side equipment.
In summary, in the embodiment of the present invention, if anchor transfer or replacement of a user plane node is required during inactive-state small data transmission, the network side device uses the first RRC message to instruct the terminal to do at least one of the following: update the access stratum root key, perform anchor transfer, perform a synchronous reconfiguration process, and perform a dedicated random access process. This ensures timely transfer of the anchor and security isolation between access network nodes.
In order to more clearly describe the message processing method provided by the embodiment of the present invention, the following description is made with reference to several examples.
As an example, as shown in fig. 5, the terminal remains in an inactive state, and sends/receives a small packet through a current serving node different from an anchor node, and no anchor transfer occurs on the network side:
Step 1a, the anchor node decides to perform anchor transfer because a downlink non-access stratum message arrives, a downlink non-small data packet arrives, there are too many small data packets to be sent, or the current service node requests it.
Step 2a, the anchor node derives the updated access stratum root key and sends a first interface message to the current service node to inform it that anchor transfer needs to be performed, wherein the first interface message comprises: context information of the terminal, and/or the updated access stratum root key and the associated NCC.
Step 3a, the current service node generates an RRC message to be sent to the terminal according to the context of the terminal. The RRC message includes one or more of the following information:
indicating that anchor transfer occurs;
information for updating the AS (access stratum) layer root key, which may comprise: a direct instruction for the UE to perform a horizontal key update procedure; or an NCC value, upon receiving which the terminal performs a key update process, similar to the existing operation in which the UE receives an NCC through other procedures;
Configuring an AS layer security algorithm;
performing a configuration required for the synchronous reconfiguration;
allocating dedicated RA resources;
The RRC message may be an RRCResume message, an RRCReconfiguration message, or a newly defined RRC message.
Step 4a, the current service node places the RRC message in an RRC container in an interface message and transmits it to the anchor node in plaintext form.
Step 5a, the anchor node performs PDCP processing (including ciphering and integrity protection using the current key) on the received RRC message, generates a downlink PDU, and sends the downlink PDU to the current service node.
Step 6a, the current service node transparently transmits the downlink PDU encapsulating the RRC message to the terminal.
Step 7a, the terminal receives the RRC message and performs related operations according to its content, including one or more of the following:
updating the access stratum root key K_gNB according to the indication and/or the content carried in the RRC message, and deriving from the new K_gNB the algorithm keys K_RRCint, K_RRCenc, K_UPint, K_UPenc, etc., for the subsequent transmission of SRBs and DRBs;
applying the configured AS layer security algorithm;
configuring the lower layer (i.e., the PDCP layer) to use the new ciphering key and algorithm, meaning that the new ciphering key and algorithm are applied to all subsequent procedures involved;
configuring the lower layer (i.e., the PDCP layer) to use the new integrity protection key and algorithm, meaning that the new integrity protection key and algorithm are applied to all subsequent procedures involved;
entering the RRC connected state;
determining that anchor transfer occurs on the current network side;
performing the synchronous reconfiguration procedure according to the configuration;
performing a contention-free random access procedure according to the configuration.
Step 8a, the terminal feeds back an RRC response message, which is contained in an uplink PDU; optionally, the RRC response message is ciphered and integrity protected using the newly derived algorithm keys; the RRC response message may be an RRCResumeComplete (RRC resume complete) message, an RRCReconfigurationComplete (RRC reconfiguration complete) message, or a newly defined response message for informing the network that the RRC configuration has been updated.
Step 9a, after receiving the uplink PDU containing the RRC response message, the current serving node decrypts the uplink PDU and verifies its integrity according to the new AS layer root key and the AS layer security algorithm. After this succeeds, the terminal and the current serving node can exchange RRC messages directly.
During the above process, the network side may also perform the anchor transfer procedure; at which of the above steps the anchor transfer is performed is not limited herein.
It should be noted that, at step 1a, the current serving node may alternatively decide to trigger the anchor transfer process based on its own decision, as in step 1b in fig. 6, where the serving node decides to execute the anchor transfer. For example, when the current serving node finds that there is non-small data to be sent, or that there is too much data to be sent, it decides to trigger the anchor transfer process and generates, in step 3, the RRC message to be sent to the terminal. Optionally, in this case, the access stratum root key update information carried in the RRC message generated by the current serving node may be obtained from the AMF or the anchor node.
Example two, as shown in fig. 7, the terminal remains in the inactive state, and a small packet is sent/received through a current serving node different from the anchor node, and no anchor transfer occurs on the network side:
Step 1a or step 1b is the same as in example one: in step 1a, the current serving node determines to trigger the anchor transfer process based on its own decision; or, in step 1b, the anchor node decides to perform anchor transfer due to the arrival of a downlink non-access stratum message, the arrival of a downlink non-small data packet, an excessive number of small data packets to be sent, or a request from the current serving node.
Steps 2c to 7c are the same as steps 2a to 7a in example one and are not repeated here.
Step 8c, the terminal feeds back an RRC response message, which is contained in an uplink PDU; optionally, the RRC response message is ciphered and integrity protected using the algorithm keys from before the update.
Step 9c, after receiving the uplink PDU containing the RRC response message, the current serving node does not process it but transparently forwards it to the anchor node.
Step 10c, the anchor node decrypts the received PDU and verifies its integrity.
Step 11c, the anchor node performs one or more of the following actions:
forwarding the RRC response message;
and replying to the current service node to indicate that the anchor point transfer is successful.
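The following added example (not part of the patent text) models the key handling in examples one and two: horizontal derivation of the updated access stratum root key, derivation of the algorithm keys, and which node can verify the RRC response depending on whether step 8a or step 8c is used. The KDF layout and FC values follow 3GPP TS 33.501 Annex A, which the patent does not restate; the JSON messages, cell parameters, and the HMAC stand-in for the NIA integrity algorithm are constructed for illustration, and ciphering is omitted.

```python
import hashlib
import hmac
import json

# Assumption: FC values and parameter layout are taken from 3GPP TS 33.501 Annex A,
# not from the patent text.
FC_ALG_KEY = 0x69       # Annex A.8, algorithm key derivation
FC_KNGRAN_STAR = 0x70   # Annex A.11, K_NG-RAN* (K_gNB*) derivation
ALG_TYPE = {"K_RRCenc": 0x03, "K_RRCint": 0x04, "K_UPenc": 0x05, "K_UPint": 0x06}


def kdf(key, fc, *params):
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_update(k_gnb, pci, arfcn_dl):
    """Horizontal derivation: new root key from the current K_gNB (NCC unchanged)."""
    return kdf(k_gnb, FC_KNGRAN_STAR, pci.to_bytes(2, "big"), arfcn_dl.to_bytes(3, "big"))


def as_keys(k_gnb, enc_alg=2, int_alg=2):
    """Derive K_RRCint, K_RRCenc, K_UPint, K_UPenc (low 128 bits of the KDF output)."""
    out = {}
    for name, alg_type in ALG_TYPE.items():
        alg_id = enc_alg if name.endswith("enc") else int_alg
        out[name] = kdf(k_gnb, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id]))[16:]
    return out


def protect(keys, rrc):
    """Append a 4-byte MAC-I. HMAC stands in for the NIA algorithm; no ciphering."""
    body = json.dumps(rrc, sort_keys=True).encode()
    return body + hmac.new(keys["K_RRCint"], body, hashlib.sha256).digest()[:4]


def verify(keys, pdu):
    """Return the RRC message if the MAC-I checks out under these keys, else None."""
    body, mac = pdu[:-4], pdu[-4:]
    good = hmac.new(keys["K_RRCint"], body, hashlib.sha256).digest()[:4]
    return json.loads(body) if hmac.compare_digest(mac, good) else None


def run_anchor_transfer(example):
    """Walk steps 2a-9a (example="one") or 2c-10c (example="two"); report who verifies."""
    if example not in ("one", "two"):
        raise ValueError("example must be 'one' or 'two'")
    old_root = bytes(range(32))            # constructed K_gNB held by terminal and anchor
    pci, arfcn_dl, ncc = 101, 632628, 0    # constructed serving-cell parameters and NCC

    # Step 2a: the anchor derives the updated root key and hands it to the serving node.
    serving_root = horizontal_update(old_root, pci, arfcn_dl)

    # Steps 3a-6a: the serving node builds the first RRC message, the anchor protects it
    # with the current (pre-update) keys, and the serving node relays the PDU unchanged.
    first_rrc = {"msg": "RRCResume", "anchorTransfer": True, "ncc": ncc}
    downlink = protect(as_keys(old_root), first_rrc)

    # Step 7a: the terminal verifies with the old keys, then updates its root key.
    received = verify(as_keys(old_root), downlink)
    if received is None:
        raise ValueError("first RRC message failed integrity verification")
    if received["ncc"] != ncc:
        raise NotImplementedError("NCC changed: vertical derivation is not modelled here")
    ue_new_root = horizontal_update(old_root, pci, arfcn_dl)

    # Step 8a protects the response with the new keys; step 8c with the pre-update keys.
    ue_root = ue_new_root if example == "one" else old_root
    uplink = protect(as_keys(ue_root), {"msg": "RRCResumeComplete"})

    return {
        "roots_match": ue_new_root == serving_root,
        # Step 9a: the serving node only ever holds the updated root key.
        "serving_verifies": verify(as_keys(serving_root), uplink) is not None,
        # Step 10c: the anchor still holds the pre-update root key.
        "anchor_verifies": verify(as_keys(old_root), uplink) is not None,
    }


if __name__ == "__main__":
    for ex in ("one", "two"):
        print(ex, run_anchor_transfer(ex))
```

In the step 8c case the serving node cannot check the response itself because it never receives the pre-update key, which is why step 9c forwards the PDU to the anchor unprocessed.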
Example three, as shown in fig. 8: during data transmission within the same node, the anchor node needs to change its internal user plane node:
The terminal remains in a non-connected state and sends/receives small data packets through the anchor node.
Step 1d, the anchor node needs to replace its internal user plane node because there are too many small data packets to be sent. To ensure security isolation between user plane nodes inside the access network, the access stratum root key also needs to be replaced. At this point, the anchor node generates an RRC message.
The RRC message includes one or more of the following information:
AS (access stratum) layer root key update content, which may comprise: a direct instruction for the UE to perform a horizontal key update procedure; or an NCC value, upon receipt of which the terminal performs a key update procedure, similar to the existing operation in which the UE receives an NCC through other procedures;
AS layer security algorithm configuration;
configuration required for performing the synchronous reconfiguration;
allocated dedicated RA resources.
The RRC message may be an RRCResume message, an RRCReconfiguration message, or a newly defined RRC message.
Step 2d, the anchor node sends the RRC message directly to the terminal.
Step 3d, the terminal receives the RRC message and performs related operations according to its content, including one or more of the following:
updating the access stratum root key K_gNB according to the indication and/or the content carried in the RRC message, and deriving from the new K_gNB the algorithm keys K_RRCint, K_RRCenc, K_UPint, K_UPenc, etc., for the subsequent transmission of SRBs and DRBs;
applying the configured AS layer security algorithm;
configuring the lower layer (i.e., the PDCP layer) to use the new ciphering key and algorithm, meaning that the new ciphering key and algorithm are applied to all subsequent procedures involved;
configuring the lower layer (i.e., the PDCP layer) to use the new integrity protection key and algorithm, meaning that the new integrity protection key and algorithm are applied to all subsequent procedures involved;
entering the RRC connected state;
performing the synchronous reconfiguration procedure according to the configuration;
performing a contention-free random access procedure according to the configuration.
Step 4d, the terminal feeds back an RRC response message, which is contained in an uplink PDU; optionally, the RRC response message is ciphered and integrity protected using the newly derived algorithm keys; the RRC response message may be an RRCResumeComplete (RRC resume complete) message, an RRCReconfigurationComplete message, or a newly defined response message for informing the network that the RRC configuration has been updated.
Step 5d, after receiving the uplink PDU containing the RRC response message, the anchor node decrypts the uplink PDU and verifies its integrity according to the new AS layer root key and the AS layer security algorithm. After this succeeds, the terminal and the anchor node can exchange RRC messages directly.
In the embodiment of the invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, performing the anchor transfer, performing the synchronous reconfiguration procedure, and performing the dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
As shown in fig. 9, an embodiment of the present invention further provides a message processing apparatus, which is applied to a terminal in an inactive state, and includes:
a first receiving unit 901, configured to receive a first radio resource control RRC message, where the first RRC message is used to indicate at least one of the following:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
As an optional embodiment, the first RRC message includes at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update-related information of the access stratum root key comprises at least one of the following:
an instruction for the terminal to execute a horizontal key update procedure;
the next hop chaining counter (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
As an optional embodiment, the apparatus further comprises:
a third sending unit, configured to send a first uplink protocol data unit (PDU), where the first uplink PDU carries a second RRC message that is encrypted and integrity protected by using the access stratum root key before the update;
or, configured to send a second uplink PDU, where the second uplink PDU carries a second RRC message that is encrypted and integrity protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
As an alternative embodiment, the apparatus comprises:
an execution unit, configured to perform at least one of the following operations according to the first RRC message:
updating the access stratum root key;
sending a second RRC message to a first network side device or a second network side device, wherein the second RRC message is a feedback message of the first RRC message;
executing a synchronous reconfiguration procedure with the second network side device;
executing a dedicated random access procedure with the second network side device;
wherein the second network side device is the current serving node of the terminal.
In the embodiment of the invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, performing the anchor transfer, performing the synchronous reconfiguration procedure, and performing the dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the message processing apparatus provided in the embodiment of the present invention is an apparatus capable of executing the message processing method, and all embodiments of the message processing method are applicable to the apparatus and can achieve the same or similar beneficial effects.
As shown in fig. 10, an embodiment of the present invention further provides a terminal, where the terminal is in an inactive state, and the terminal includes a memory 120, a transceiver 110, a processor 100, and a user interface 130;
a memory 120 for storing a computer program; a transceiver 110 for transceiving data under the control of the processor; a processor 100 for reading the computer program in the memory 120 and performing the following operations:
receiving a first radio resource control, RRC, message, wherein the first RRC message indicates at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
the terminal is instructed to perform a dedicated random access procedure.
As an optional embodiment, the first RRC message includes at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update-related information of the access stratum root key comprises at least one of the following:
an instruction for the terminal to execute a horizontal key update procedure;
the next hop chaining counter (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the processor 100 is further configured to read the computer program in the memory 120 and perform the following operations:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
As an alternative embodiment, the processor 100 is further adapted to read the computer program in the memory 120 and perform the following operations:
according to the first RRC message, performing at least one of the following operations:
updating the access stratum root key;
sending a second RRC message to a first network side device or a second network side device, wherein the second RRC message is a feedback message of the first RRC message;
executing a synchronous reconfiguration procedure with the second network side device;
executing a dedicated random access procedure with the second network side device;
wherein the second network side device is the current serving node of the terminal.
Where, in fig. 10, the bus architecture may include any number of interconnected buses and bridges, in particular one or more processors, represented by processor 100, and various circuits of memory, represented by memory 120, linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 110 may be a plurality of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over transmission media including wireless channels, wired channels, fiber optic cables, and the like. For different user devices, the user interface 130 may also be an interface capable of interfacing with a desired device externally, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 100 is responsible for managing the bus architecture and general processing, and the memory 120 may store data used by the processor 100 in performing operations.
Alternatively, the processor 100 may be a CPU (central processing unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a CPLD (Complex Programmable Logic Device), and the processor may also adopt a multi-core architecture.
The processor is used for executing any method provided by the embodiment of the application according to the obtained executable instructions by calling the computer program stored in the memory. The processor and memory may also be physically separated.
In the embodiment of the invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, performing the anchor transfer, performing the synchronous reconfiguration procedure, and performing the dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the terminal provided in the embodiments of the present invention is a terminal capable of executing the message processing method, and all embodiments of the message processing method are applicable to the terminal, and can achieve the same or similar beneficial effects.
As shown in fig. 11, an embodiment of the present invention further provides a message processing apparatus, which is applied to a first network device, and includes:
a first sending unit 1101, configured to send a first RRC message to an inactive terminal or a second network side device; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
wherein the first network side device is the anchor node of the terminal, and the second network side device is the current serving node of the terminal.
As an optional embodiment, the first RRC message includes at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update-related information of the access stratum root key comprises at least one of the following:
an instruction for the terminal to execute a horizontal key update procedure;
the next hop chaining counter (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the apparatus further comprises:
a first generating unit, configured to generate the first RRC message when it is determined that a user plane node inside the first network-side device is replaced to perform small data transmission.
As an alternative embodiment, the apparatus further comprises:
a second receiving unit, configured to receive a first RRC message sent by a second network side device;
the first transmission unit includes:
the first subunit is configured to perform encryption and integrity protection on the first RRC message by using the access stratum root key before update, and generate a first downlink PDU; the first downlink PDU carries the first RRC message;
and the second subunit is configured to send the first downlink PDU to the second network side device, so that the second network side device sends the first downlink PDU to an inactive terminal.
As an alternative embodiment, the apparatus further comprises:
a fourth sending unit, configured to, when it is determined that anchor transfer is to be performed, send a first interface message to the second network side device so that the second network side device generates the first RRC message; wherein the first interface message comprises: context information of the terminal and/or update-related information of the access stratum root key.
As an alternative embodiment, the second receiving unit comprises:
and the receiving subunit is configured to receive the first RRC message sent when the second network-side device determines to perform the anchor point transfer.
As an alternative embodiment, the apparatus further comprises:
a fifth sending unit, configured to send the updated access stratum root key to the second network side device.
As an alternative embodiment, the apparatus further comprises:
a third receiving unit, configured to receive a first uplink PDU of the terminal forwarded by a second network side device, where the first uplink PDU carries a second RRC message that is encrypted and integrity protected by using an access stratum root key before updating;
and the first decryption verification unit is used for decrypting and verifying the integrity of the first RRC message by using the access stratum root key before updating to obtain the second RRC message.
As an alternative embodiment, the apparatus further comprises:
a first feedback unit, configured to send a second RRC message and/or anchor point transfer success indication information to the second network side device.
As an alternative embodiment, the apparatus further comprises:
a fourth receiving unit, configured to receive a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and the second decryption verification unit is used for decrypting and verifying the integrity of the second RRC message according to the updated access stratum root key.
In the embodiment of the invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, performing the anchor transfer, performing the synchronous reconfiguration procedure, and performing the dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the message processing apparatus provided in the embodiment of the present invention is an apparatus capable of executing the message processing method, and all embodiments of the message processing method are applicable to the apparatus and can achieve the same or similar beneficial effects.
As shown in fig. 12, an embodiment of the present invention further provides a network side device, where the network side device is a first network side device, and the network side device includes a memory 1220, a transceiver 1210, and a processor 1200:
a memory 1220 for storing computer programs; a transceiver 1210 for transceiving data under the control of the processor; a processor 1200 for reading the computer program in the memory 1220 and performing the following operations:
sending a first RRC message to a terminal in an inactive state or second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
wherein the first network side device is the anchor node of the terminal, and the second network side device is the current serving node of the terminal.
As an optional embodiment, the first RRC message includes at least one of the following information:
update-related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update-related information of the access stratum root key comprises at least one of the following:
an instruction for the terminal to execute a horizontal key update procedure;
the next hop chaining counter (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity protect the second RRC message according to the updated access stratum root key, wherein the second RRC message is a feedback message of the first RRC message;
instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on messages other than the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
and generating the first RRC message under the condition that the user plane node in the first network side device is determined to be replaced for small data transmission.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
receiving a first RRC message sent by second network side equipment;
encrypting and integrity protecting the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
sending the first downlink PDU to the second network side equipment, so that the second network side equipment sends the first downlink PDU to a terminal in an inactive state;
wherein the first network side device is the anchor node of the terminal, and the second network side device is the current serving node of the terminal.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
under the condition that the anchor point transfer is determined, sending a first interface message to the second network side equipment so that the second network side equipment generates the first RRC message; wherein the first interface message comprises: context information of the terminal and/or update related information of an access stratum root key.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
and receiving a first RRC message sent under the condition that the second network side equipment determines to carry out anchor point transfer.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
and sending the updated access layer root key to the second network side equipment.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
receiving a first uplink PDU of the terminal forwarded by a second network side device, wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
and decrypting and integrity checking the first RRC message by using the access stratum root key before updating to obtain the second RRC message.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
and sending a second RRC message and/or anchor point transfer success indication information to the second network side equipment.
As an alternative embodiment, the processor 1200 is further adapted to read the computer program in the memory 1220 and perform the following operations:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
Where in fig. 12, the bus architecture may include any number of interconnected buses and bridges, with various circuits of one or more processors represented by processor 1200 and memory represented by memory 1220 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1210 may be a number of elements including a transmitter and receiver that provide a means for communicating with various other apparatus over a transmission medium including wireless channels, wired channels, fiber optic cables, and the like. The processor 1200 is responsible for managing the bus architecture and general processing, and the memory 1220 may store data used by the processor 1200 in performing operations.
The processor 1200 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD), and may also have a multi-core architecture.
In the embodiment of the invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, performing the anchor transfer, performing the synchronous reconfiguration procedure, and performing the dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the network side device provided in the embodiments of the present invention is a network side device capable of executing the message processing method, and all embodiments of the message processing method are applicable to the network side device and can achieve the same or similar beneficial effects.
As shown in fig. 13, an embodiment of the present invention further provides a message processing apparatus, which is applied to a second network device, and includes:
a second sending unit 1301, configured to send a first RRC message to an inactive terminal; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
wherein the second network side device is the current service node of the terminal.
As an optional embodiment, the first RRC message includes at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update related information of the access stratum root key comprises at least one of the following items:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
and instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on other messages except the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the second sending unit includes:
a fifth subunit, configured to send the first RRC message to a first network side device;
a sixth subunit, configured to receive a first downlink PDU sent by a first network side device, where the first downlink PDU carries a first RRC message that is encrypted and integrity protected by using an access stratum root key before update;
a seventh subunit, configured to send the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
As an alternative embodiment, the apparatus further comprises:
a fifth receiving unit, configured to receive a first interface message sent when a first network-side device determines to perform anchor point transfer, where the first interface message includes: context information of the terminal and updating related information of an access stratum root key;
a second generating unit, configured to generate the first RRC message according to the first interface message.
As an alternative embodiment, the fifth subunit is further configured to:
under the condition of determining to perform anchor point transfer, generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key;
wherein the context information of the terminal and/or the update related information of the access stratum root key is obtained by the second network side device from the access and mobility management function (AMF) network element or from the first network side device.
As an optional embodiment, the apparatus further comprises:
a sixth receiving unit, configured to receive a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and the third decryption verification unit is used for decrypting and verifying the integrity of the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the apparatus further comprises:
a seventh receiving unit, configured to receive a first uplink PDU sent by the terminal, where the first uplink PDU carries a second RRC message that is encrypted and integrity protected by using an access stratum root key before updating;
a tenth sending unit, configured to send the first uplink PDU to the first network side device, so that the first network side device performs decryption and integrity check on the first uplink PDU by using an access stratum root key before update.
As an alternative embodiment, the apparatus further comprises:
and a feedback receiving unit, configured to receive a second RRC message and/or anchor point transfer success indication information sent by the first network side device.
In the embodiments of the present invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, executing anchor transfer, executing a synchronous reconfiguration process, and executing a dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the message processing apparatus provided in the embodiment of the present invention is an apparatus capable of executing the message processing method, and all embodiments of the message processing method are applicable to the apparatus and can achieve the same or similar beneficial effects.
As shown in fig. 14, an embodiment of the present invention further provides a network-side device, where the network-side device is a second network-side device, and the network-side device includes a memory 1420, a transceiver 1410, and a processor 1400;
a memory 1420 for storing a computer program; a transceiver 1410 for transceiving data under the control of the processor 1400; a processor 1400 for reading the computer program in the memory 1420 and performing the following operations:
sending a first RRC message to a terminal in an inactive state; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
wherein the second network side device is the current service node of the terminal.
As an optional embodiment, the first RRC message includes at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
As an optional embodiment, the update related information of the access stratum root key comprises at least one of the following items:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
As an optional embodiment, the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
and instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on other messages except the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU sent by a first network side device, wherein the first downlink PDU carries a first RRC message encrypted and integrity protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
receiving a first interface message sent by a first network side device under the condition that the first network side device determines to perform anchor point transfer, wherein the first interface message comprises: context information of the terminal and updating related information of an access stratum root key;
and generating the first RRC message according to the first interface message.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key under the condition of determining to perform the anchor point transfer;
wherein the context information of the terminal and/or the update related information of the access stratum root key is obtained by the second network side device from the access and mobility management function (AMF) network element or from the first network side device.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity-protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
receiving a first uplink PDU sent by the terminal, wherein the first uplink PDU carries a second RRC message which is encrypted and integrity-protected by using an access stratum root key before updating;
and sending the first uplink PDU to the first network side equipment, so that the first network side equipment utilizes an access stratum root key before updating to decrypt and verify the integrity of the first uplink PDU.
As an alternative embodiment, the processor 1400 is further configured to read the computer program in the memory 1420 and perform the following operations:
and receiving a second RRC message and/or anchor point transfer success indication information sent by the first network side equipment.
In fig. 14, the bus architecture may include any number of interconnected buses and bridges, with various circuits of one or more processors represented by processor 1400 and memory represented by memory 1420 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1410 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium including wireless channels, wired channels, fiber optic cables, and the like. The processor 1400 is responsible for managing the bus architecture and general processing, and the memory 1420 may store data used by the processor 1400 in performing operations.
The processor 1400 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD), and may also have a multi-core architecture.
In the embodiments of the present invention, if anchor transfer or user plane node replacement is needed during small data transmission in the inactive state, the network side device uses the first RRC message to instruct the terminal to perform at least one of: updating the access stratum root key, executing anchor transfer, executing a synchronous reconfiguration process, and executing a dedicated random access procedure, thereby ensuring timely anchor transfer and security isolation between access network nodes.
It should be noted that, the network side device provided in the embodiments of the present invention is a network side device capable of executing the message processing method, and all embodiments of the message processing method are applicable to the network side device and can achieve the same or similar beneficial effects.
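The key handling in the embodiments above (first RRC message protected under the access stratum root key before update, second RRC message protected under either key) can be traced with the following sketch. It is an added illustration, not code from the patent; the key derivation, the cipher, the message fields and all names are constructed stand-ins rather than the 3GPP algorithms.

```python
import hashlib
import hmac
import json

TAG_LEN = 32           # HMAC-SHA256 tag length in bytes
DOWNLINK, UPLINK = 0, 1


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_updated_key(old_root: bytes, target_cell: bytes) -> bytes:
    """Stand-in for the horizontal key update (assumption, not the 3GPP KDF).
    One-way: holding the updated key does not reveal the key before update."""
    return _prf(old_root, b"horizontal-update|" + target_cell)


def _xor_stream(k_enc: bytes, header: bytes, data: bytes) -> bytes:
    blocks = len(data) // 32 + 1
    stream = b"".join(_prf(k_enc, header + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))


def protect(root: bytes, direction: int, count: int, rrc: dict) -> bytes:
    """Encrypt-then-MAC an RRC message under sub-keys of the AS root key.
    Direction and count enter the keystream so it is never reused."""
    k_enc, k_int = _prf(root, b"rrc-enc"), _prf(root, b"rrc-int")
    header = bytes([direction]) + count.to_bytes(4, "big")
    body = _xor_stream(k_enc, header, json.dumps(rrc, sort_keys=True).encode())
    return header + body + _prf(k_int, header + body)


def unprotect(root: bytes, pdu: bytes):
    """Return the RRC message, or None when the integrity check fails."""
    k_enc, k_int = _prf(root, b"rrc-enc"), _prf(root, b"rrc-int")
    header, body, tag = pdu[:5], pdu[5:-TAG_LEN], pdu[-TAG_LEN:]
    if len(pdu) < 5 + TAG_LEN or not hmac.compare_digest(tag, _prf(k_int, header + body)):
        return None  # verify first; never decrypt unauthenticated data
    return json.loads(_xor_stream(k_enc, header, body))


def who_can_verify(pdu: bytes, anchor_key: bytes, serving_key: bytes):
    """Which node is able to open an uplink PDU: the serving node (updated key),
    the anchor node (key before update), or neither."""
    if unprotect(serving_key, pdu) is not None:
        return "serving node"
    if unprotect(anchor_key, pdu) is not None:
        return "anchor node"
    return None


def run_anchor_transfer(old_root: bytes, target_cell: bytes) -> dict:
    # Serving node drafts the first RRC message and hands it to the anchor node.
    first_rrc = {"msg": "first RRC", "update_as_root_key": True,
                 "horizontal": True, "ncc": 0, "anchor_transfer": True}  # constructed fields
    # Anchor node protects it with the key before update and passes the
    # updated key (not the old one) to the serving node.
    first_dl_pdu = protect(old_root, DOWNLINK, 0, first_rrc)
    serving_key = derive_updated_key(old_root, target_cell)
    # Serving node only forwards the PDU; it cannot open it.
    serving_reads = unprotect(serving_key, first_dl_pdu) is not None
    # Terminal opens it with the old key, updates its key, and answers.
    seen = unprotect(old_root, first_dl_pdu)
    terminal_key = derive_updated_key(old_root, target_cell) if seen["update_as_root_key"] else old_root
    second_ul_pdu = protect(terminal_key, UPLINK, 0,
                            {"msg": "second RRC", "feedback_to": "first RRC"})
    return {"serving_reads_first_pdu": serving_reads,
            "terminal_saw": seen,
            "second_rrc_at_serving": unprotect(serving_key, second_ul_pdu)}


if __name__ == "__main__":
    print(run_anchor_transfer(bytes(range(32)), b"cell-B"))  # constructed key and cell id
```

A second RRC message protected under the key before update fails verification at the serving node and has to be forwarded to the anchor node, which is the other branch the embodiments describe.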
It should be noted that, in the embodiments of the present application, the division into units is schematic and is only a logical functional division; other divisions are possible in an actual implementation. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a processor-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network-side device, etc.) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
Embodiments of the present invention further provide a processor-readable storage medium, where a computer program is stored, where the computer program is configured to enable a processor to execute the method embodiments described above. The processor-readable storage medium can be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer-executable instructions. These computer-executable instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These processor-executable instructions may also be stored in a processor-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These processor-executable instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (42)

1. A method of message processing, the method comprising:
the terminal in the inactive state receives a first Radio Resource Control (RRC) message, wherein the first RRC message is used for indicating at least one of the following items:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure.
2. The method of claim 1, wherein the first RRC message comprises at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
executing configuration information required for synchronous reconfiguration;
resource configuration information for performing dedicated random access.
3. The method of claim 2, wherein the update-related information of the access stratum root key comprises at least one of the following:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
4. The method of claim 1, wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
and instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on other messages except the second RRC message according to the updated access stratum root key.
5. The method of claim 1, further comprising:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message which is encrypted and integrity-protected by using an access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
6. The method of claim 1, further comprising:
performing at least one of the following operations according to the first RRC message:
updating the access stratum root key;
sending a second RRC message to a first network side device or a second network side device, wherein the second RRC message is a feedback message of the first RRC message;
executing a synchronous reconfiguration process with the second network side device;
executing a dedicated random access procedure with the second network side device;
wherein the second network side device is the current service node of the terminal.
7. A method of message processing, the method comprising:
the first network side equipment sends a first RRC message to a terminal in an inactive state or second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
the first network side device is an anchor node of the terminal, and the second network side device is a current service node of the terminal.
8. The method of claim 7, wherein the first RRC message comprises at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
9. The method of claim 8, wherein the update-related information of the access stratum root key comprises at least one of the following:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
10. The method of claim 7, wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
and instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on other messages except the second RRC message according to the updated access stratum root key.
11. The method according to claim 7, wherein before the first network-side device sends the first RRC message to the terminal in the inactive state, the method further comprises:
and generating the first RRC message under the condition that the user plane node in the first network side device is determined to be replaced for small data transmission.
12. The method according to claim 7, wherein before the first network-side device sends the first RRC message to the second network-side device, the method further comprises:
receiving a first RRC message sent by second network side equipment;
the first network side device sends a first RRC message to a second network side device, including:
the first network side device encrypts and integrity-protects the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
and sending the first downlink PDU to the second network side equipment, so that the second network side equipment sends the first downlink PDU to a terminal in an inactive state.
13. The method according to claim 12, wherein before receiving the first RRC message sent by the second network side device, the method further comprises:
under the condition that the anchor point transfer is determined, sending a first interface message to the second network side equipment so that the second network side equipment generates the first RRC message; wherein the first interface message comprises: context information of the terminal and/or update related information of the access stratum root key.
14. The method of claim 12, wherein receiving the first RRC message sent by the second network side device comprises:
and receiving a first RRC message sent under the condition that the second network side equipment determines to carry out anchor point transfer.
15. The method of claim 12, further comprising:
sending the updated access stratum root key to the second network side device.
16. The method of claim 12, further comprising:
receiving a first uplink PDU of the terminal forwarded by a second network side device, wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
and decrypting and integrity checking the first RRC message by using the access stratum root key before updating to obtain the second RRC message.
17. The method of claim 16, further comprising:
and sending a second RRC message and/or anchor point transfer success indication information to the second network side equipment.
18. The method according to claim 11 or 12, characterized in that the method further comprises:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and integrity checking the second RRC message according to the updated access stratum root key.
19. A method of message processing, the method comprising:
the second network side device sends a first RRC message to the terminal in the inactive state; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
wherein the second network side device is the current service node of the terminal.
20. The method of claim 19, wherein the first RRC message includes at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
executing configuration information required for synchronous reconfiguration;
resource configuration information for performing dedicated random access.
21. The method of claim 20, wherein the update-related information of the access stratum root key comprises at least one of the following:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
22. The method of claim 19, wherein the first RRC message is further configured to indicate at least one of:
instructing the terminal to encrypt and integrity-protect the second RRC message according to the updated access stratum root key; wherein the second RRC message is a feedback message of the first RRC message;
and instructing the terminal to perform encryption and integrity protection and/or decryption and integrity verification on other messages except the second RRC message according to the updated access stratum root key.
23. The method of claim 19, wherein the sending, by the second network side device, the first RRC message to the terminal in the inactive state comprises:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU sent by a first network side device, wherein the first downlink PDU carries a first RRC message encrypted and integrity protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
24. The method of claim 23, wherein before sending the first RRC message to the first network side device, the method further comprises:
receiving a first interface message sent by a first network side device under the condition that the first network side device determines to perform anchor point transfer, wherein the first interface message comprises: context information of the terminal and updating related information of an access stratum root key;
and generating the first RRC message according to the first interface message.
25. The method of claim 23, wherein sending the first RRC message to a first network side device comprises:
generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key under the condition of determining to perform the anchor point transfer;
wherein the context information of the terminal and/or the update related information of the access stratum root key is obtained by the second network side device from the access and mobility management function (AMF) network element or from the first network side device.
26. The method of claim 19, further comprising:
receiving a second uplink PDU sent by the terminal; the second uplink PDU carries a second RRC message which is encrypted and integrity protected by using the updated access stratum root key;
and decrypting and verifying the integrity of the second RRC message according to the updated access stratum root key.
27. The method of claim 19, further comprising:
receiving a first uplink PDU sent by the terminal, wherein the first uplink PDU carries a second RRC message which is encrypted and integrity-protected by using an access stratum root key before updating;
and sending the first uplink PDU to a first network side device, so that the first network side device utilizes an access stratum root key before updating to decrypt and verify the integrity of the first uplink PDU.
28. The method of claim 27, further comprising:
and receiving a second RRC message and/or anchor point transfer success indication information sent by the first network side equipment.
29. A message processing apparatus, applied to a terminal in an inactive state, comprising:
a first receiving unit, configured to receive a first radio resource control RRC message, where the first RRC message is used to indicate at least one of the following:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure.
30. A terminal, the terminal being a terminal in an inactive state, characterized by comprising a memory, a transceiver and a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following operations:
receiving a first radio resource control, RRC, message, wherein the first RRC message indicates at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure.
31. The terminal of claim 30, wherein the first RRC message includes at least one of the following information:
update related information of the access stratum root key;
indication information indicating that anchor transfer occurs;
access stratum security algorithm configuration information;
configuration information required to perform a synchronous reconfiguration;
resource configuration information for performing dedicated random access.
32. The terminal of claim 31, wherein the update-related information of the access stratum root key comprises at least one of the following:
instructing the terminal to execute a horizontal key updating process;
the next hop chaining count (NCC) value.
33. The terminal of claim 31, wherein the processor is further configured to read the computer program in the memory and perform the following operations:
sending a first uplink Protocol Data Unit (PDU), wherein the first uplink PDU carries a second RRC message encrypted and integrity-protected by using an access stratum root key before updating;
or,
sending a second uplink PDU, wherein the second uplink PDU carries a second RRC message encrypted and integrity-protected by using the updated access stratum root key;
wherein the second RRC message is a feedback message of the first RRC message.
34. A message processing device applied to a first network side device is characterized by comprising:
a first sending unit, configured to send a first RRC message to a terminal in an inactive state or to a second network side device; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
the first network side device is an anchor node of the terminal, and the second network side device is a current service node of the terminal.
35. A network-side device, the network-side device being a first network-side device, comprising a memory, a transceiver, and a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following:
sending a first RRC message to a terminal in an inactive state or second network side equipment; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
the first network side device is an anchor node of the terminal, and the second network side device is a current service node of the terminal.
36. The network-side device of claim 35, wherein the processor is further configured to read the computer program in the memory and perform the following operations:
generating the first RRC message when it is determined that the user plane node in the first network side device is to be replaced for small data transmission.
37. The network-side device of claim 35, wherein the processor is further configured to read the computer program in the memory and perform the following operations:
receiving a first RRC message sent by second network side equipment;
encrypting and integrity protecting the first RRC message by using the access stratum root key before updating to generate a first downlink PDU; the first downlink PDU carries the first RRC message;
and sending the first downlink PDU to the second network side device, so that the second network side device sends the first downlink PDU to the terminal in the inactive state.
38. A message processing device applied to a second network side device includes:
a second sending unit, configured to send the first RRC message to a terminal in an inactive state; wherein the first RRC message is configured to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
and the second network side equipment is the current service node of the terminal.
39. A network-side device, the network-side device being a second network-side device, comprising a memory, a transceiver and a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following operations:
sending a first RRC message to a terminal in an inactive state; wherein the first RRC message is used to indicate at least one of:
instructing the terminal to update the access stratum root key;
indicating that anchor transfer occurs;
instructing the terminal to execute a synchronous reconfiguration process;
instructing the terminal to execute a dedicated random access procedure;
and the second network side equipment is the current service node of the terminal.
40. The network-side device of claim 39, wherein the processor is further configured to read the computer program stored in the memory and perform the following operations:
sending the first RRC message to first network side equipment;
receiving a first downlink PDU sent by a first network side device, wherein the first downlink PDU carries a first RRC message encrypted and integrity protected by using an access stratum root key before updating;
sending the first downlink PDU to the terminal in the inactive state;
the first network side device is an anchor node of the terminal.
41. The network-side device of claim 40, wherein the processor is further configured to read the computer program stored in the memory and perform the following operations:
under the condition of determining to perform anchor point transfer, generating the first RRC message according to the context information of the terminal and/or the updating related information of the access stratum root key;
wherein the context information of the terminal and/or the update-related information of the access stratum root key are obtained by the second network side device from the access and mobility management function (AMF) network element or from the first network side device.
42. A processor-readable storage medium, wherein the processor-readable storage medium stores a computer program for causing a processor to perform the method of any one of claims 1 to 6; or, the computer program is for causing the processor to perform the method of any one of claims 7 to 18; alternatively, the computer program is for causing the processor to perform the method of any of claims 19 to 28.
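The key ordering in claims 33, 37 and 40, as an added Python sketch that is not part of the patent: the terminal verifies the first RRC message under the pre-update access stratum root key, then protects its feedback (the second RRC message) under either the pre-update or the updated key. HMAC-SHA256 stands in for both the key derivation and the integrity algorithm, encryption is omitted, and the message fields, cell identifier and key values are constructed assumptions.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def derive_updated_key(k_old: bytes, ncc: int, cell_id: int) -> bytes:
    """Toy horizontal update (assumption): new root key from the current one."""
    info = b"horizontal" + bytes([ncc]) + cell_id.to_bytes(4, "big")
    return hmac.new(k_old, info, hashlib.sha256).digest()

def protect(key: bytes, rrc: dict) -> bytes:
    """Build a PDU: JSON-encoded RRC message followed by its integrity tag."""
    body = json.dumps(rrc, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify(key: bytes, pdu: bytes):
    """Return the RRC message if the tag verifies under key, otherwise None."""
    body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None

class Terminal:
    """Inactive-state terminal holding the current access stratum root key."""

    def __init__(self, k_as: bytes, cell_id: int):
        self.k_as, self.cell_id = k_as, cell_id

    def handle_first_rrc(self, pdu: bytes, reply_with_updated_key: bool = True):
        msg = verify(self.k_as, pdu)  # checked under the pre-update key
        if msg is None or not msg.get("update_key"):
            return None  # reject; key state is left untouched
        k_new = derive_updated_key(self.k_as, msg["ncc"], self.cell_id)
        reply_key = k_new if reply_with_updated_key else self.k_as
        self.k_as = k_new
        return protect(reply_key, {"type": "second_rrc", "ack": True})

def run_exchange(reply_with_updated_key: bool = True) -> dict:
    k_old, cell_id = bytes(range(32)), 0x1A2B  # constructed sample values
    ue = Terminal(k_old, cell_id)
    first = {"type": "first_rrc", "update_key": True, "ncc": 2}
    forged = ue.handle_first_rrc(protect(b"\x00" * 32, first))
    key_kept = ue.k_as == k_old
    reply = ue.handle_first_rrc(protect(k_old, first), reply_with_updated_key)
    k_new = derive_updated_key(k_old, first["ncc"], cell_id)
    return {"forged_rejected": forged is None and key_kept,
            "reply_ok_old_key": verify(k_old, reply) is not None,
            "reply_ok_new_key": verify(k_new, reply) is not None,
            "terminal_key_updated": ue.k_as == k_new}
```

The receiver of the second RRC message has to know which of the two keys the terminal used, since a feedback PDU protected under one key fails verification under the other.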
CN202110055683.0A 2021-01-15 2021-01-15 Message processing method and device, terminal and network side equipment Pending CN114765502A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110055683.0A CN114765502A (en) 2021-01-15 2021-01-15 Message processing method and device, terminal and network side equipment
PCT/CN2021/139100 WO2022151917A1 (en) 2021-01-15 2021-12-17 Message processing method and apparatus, terminal, and network side device

Publications (1)

Publication Number Publication Date
CN114765502A true CN114765502A (en) 2022-07-19

Family

ID=82363351

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110055683.0A Pending CN114765502A (en) 2021-01-15 2021-01-15 Message processing method and device, terminal and network side equipment

Country Status (2)

Country Link
CN (1) CN114765502A (en)
WO (1) WO2022151917A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115623483A (en) * 2022-12-16 2023-01-17 深圳中宝新材科技有限公司 Integrity protection method and device for working information of bonding wire equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117676627A (en) * 2022-08-30 2024-03-08 华为技术有限公司 Communication method and communication device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019178722A1 (en) * 2018-03-19 2019-09-26 Oppo广东移动通信有限公司 Method and device for acquiring key, and computer storage medium
US20200015074A1 (en) * 2018-07-04 2020-01-09 Lg Electronics Inc. Method and apparatus for supporting security in rrc inactive state in wireless communication system
US20200236544A1 (en) * 2019-01-18 2020-07-23 Lenovo (Singapore) Pte. Ltd. Key refresh for small-data traffic
CN111937436A (en) * 2018-04-05 2020-11-13 三星电子株式会社 Method and apparatus for operating protocol layer of terminal in inactive mode in next generation mobile communication system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018143769A1 (en) * 2017-02-06 2018-08-09 Samsung Electronics Co., Ltd. Method and device for controlling data transmission, method and apparatus for controlling continuity of ue
CN114071459A (en) * 2017-10-31 2022-02-18 华为技术有限公司 RRC (radio resource control) connection recovery method and device
CN110636499B (en) * 2018-06-22 2022-12-02 大唐移动通信设备有限公司 Method, device, terminal and base station for updating notification area of wireless access network
CN111586735B (en) * 2019-02-15 2022-04-12 华为技术有限公司 Communication method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
""R2-1800213_UE AS Context for RRC INACTIVE"", 3GPP TSG_RAN\\WG2_RL2, pages 2 *
CATT: "R2-1801834 "Security issues related to RRC resume procedure from inactive state"", 3GPP TSG_RAN\\WG2_RL2, no. 2 *
HUAWEI, HISILICON: "R2-2009931 "Discussion about security aspects for small data transmission"", 3GPP TSG_RAN\\WG2_RL2, no. 2 *
OPPO: "R2-2009012 "Security aspects for small data transmission in inactive state"", 3GPP TSG_RAN\\WG2_RL2, no. 2 *

Also Published As

Publication number Publication date
WO2022151917A1 (en) 2022-07-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination