WO2020154929A1 - Method for processing key information, access network nodes and terminal device - Google Patents


Info

Publication number
WO2020154929A1
Authority
WO
WIPO (PCT)
Prior art keywords
access network
network node
node
encryption key
key
Prior art date
Application number
PCT/CN2019/073792
Other languages
English (en)
Chinese (zh)
Inventor
王淑坤
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2019/073792 (WO2020154929A1)
Priority to CN201980060409.3A (CN112690010B)
Publication of WO2020154929A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/08 Load balancing or load distribution

Definitions

  • This application relates to the field of wireless communication technology, and in particular to a method for processing secret key information, access network nodes, and terminal equipment.
  • the embodiments of the application provide a method for processing secret key information, and access network nodes and terminal equipment.
  • the method for processing secret key information includes: a first access network node determines security information related to a second access network node; the first access network node is the master node to which the terminal is connected; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two second access network nodes; the first access network node determines the first encryption key based on the security information and/or the basic key, and sends the first encryption key to the second access network node; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node.
  • the method for processing secret key information includes: a second access network node receives a first encryption key sent by the first access network node; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key is related to the second access network node; the first access network node is the primary node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes; the second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
  • the method for processing secret key information includes: a terminal device obtains first security information allocated by a first access network node, and determines the first encryption key based on the first security information and/or the basic key; the basic key is the key corresponding to the first access network node; the first security information is related to the second access network node; the first encryption key is related to the second access network node; the terminal device obtains the second security information allocated by the second access network node, and determines the second encryption key used for encryption and integrity protection based on the first encryption key and the second security information; the second security information is related to the second access network node; wherein the terminal is configured with a first access network node and at least two second access network nodes.
  • the first access network node provided by the embodiment of the present application includes: a first determining unit, a second determining unit, and a first communication unit; wherein the first determining unit is configured to determine security information related to the second access network node; the second determining unit is configured to determine a first encryption key based on the security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node; the first communication unit is configured to send the first encryption key to the second access network node; wherein the first access network node is a primary node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes.
  • the second access network node provided by the embodiment of the present application includes: a second communication unit and a third determining unit; wherein the second communication unit is configured to receive the first encryption key sent by the first access network node; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key is related to the second access network node; the third determining unit is configured to determine a second encryption key used for encryption and integrity protection based on the first encryption key; wherein the first access network node is the main node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes.
  • the terminal device includes: a third communication unit and a fourth determining unit; wherein the third communication unit is configured to obtain the first security information allocated by the first access network node; the first security information is related to the second access network node; and is further configured to obtain second security information allocated by the second access network node; the second security information is related to the second access network node.
  • the fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key; the basic key is a key corresponding to the first access network node; The first encryption key is related to the second access network node; further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the second security information;
  • the terminal is configured with a first access network node and at least two second access network nodes.
  • the terminal device provided by the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the third aspect of the embodiment of the present application.
  • the access network node provided in the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the first aspect or the second aspect of the embodiment of the present application.
  • the chip provided in the embodiment of the present application is used to implement the aforementioned key information processing method.
  • the chip includes: a processor, used to call and run a computer program from the memory, so that the device installed with the chip executes the key information processing method of the first aspect, the second aspect, or the third aspect of the embodiment of the present application.
  • the computer-readable storage medium provided by the embodiment of the present application is used to store a computer program that enables a computer to execute the key information processing method of the first, second, or third aspect of the embodiment of the present application.
  • the computer program product provided by the embodiments of the present application includes computer program instructions that cause the computer to execute the key information processing method of the first, second, or third aspects of the embodiments of the present application.
  • the computer program provided by the embodiment of the present application when it is run on a computer, causes the computer to execute the key information processing method of the first, second, or third aspect of the embodiment of the present application.
  • the first access network node as the master node determines the first encryption key based on the security information related to the second access network node, and sends the first encryption key.
  • FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application.
  • FIGS. 2a and 2b are schematic diagrams of system scenarios where the key information processing method according to an embodiment of the present application is applied.
  • FIG. 3 is a first schematic flowchart of a method for processing secret key information according to an embodiment of the present application.
  • FIG. 4 is a second schematic flowchart of a method for processing secret key information according to an embodiment of the present application.
  • FIG. 5 is a third schematic flowchart of a method for processing secret key information according to an embodiment of the present application.
  • FIGS. 6a to 6c are schematic diagrams of secret key derivation in the method for processing secret key information according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a composition structure of a first access network node according to an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another composition structure of a first access network node according to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of another composition structure of a second access network node according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of a composition structure of a terminal device according to an embodiment of the present application.
  • FIG. 12 is a schematic diagram of another composition structure of a terminal device according to an embodiment of the present application.
  • FIG. 13 is a schematic diagram of the hardware composition structure of a communication device according to an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application.
  • GSM Global System of Mobile communication
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • WiMAX Worldwide Interoperability for Microwave Access
  • the communication system 100 applied in the embodiment of the present application is shown in FIG. 1.
  • the communication system 100 may include a network device 110, and the network device 110 may be a device that communicates with a terminal device 120 (or called a communication terminal or a terminal).
  • the network device 110 may provide communication coverage for a specific geographic area, and may communicate with terminals located in the coverage area.
  • the network device 110 may be a base station (Base Transceiver Station, BTS) in a GSM system or a CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved base station (Evolutional Node B, eNB or eNodeB) in an LTE system, or the wireless controller in a Cloud Radio Access Network (CRAN); or the network equipment can be a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network side device in a 5G network, or a network device in a future evolved Public Land Mobile Network (PLMN), etc.
  • BTS Base Transceiver Station
  • NB NodeB (base station in a WCDMA system)
  • eNB, eNodeB Evolutional Node B (evolved base station in an LTE system)
  • CRAN Cloud Radio Access Network
  • the communication system 100 further includes at least one terminal device 120 located within the coverage area of the network device 110.
  • the "terminal equipment" used here includes, but is not limited to, a device configured to receive/send communication signals via wired lines, such as Public Switched Telephone Networks (PSTN), Digital Subscriber Line (DSL), digital cable, and direct cable connection; and/or via another data connection/network; and/or via a wireless interface, such as a cellular network, a wireless local area network (WLAN), a digital TV network such as a DVB-H network, a satellite network, or an AM/FM broadcast transmitter; and/or Internet of Things (IoT) equipment.
  • PSTN Public Switched Telephone Networks
  • DSL Digital Subscriber Line
  • WLAN wireless local area networks
  • DVB-H Digital Video Broadcasting - Handheld (a digital TV network)
  • AM/FM broadcast transmitter
  • IoT Internet of Things
  • a terminal device set to communicate through a wireless interface may be referred to as a "wireless communication terminal", a “wireless terminal” or a “mobile terminal”.
  • mobile terminals include, but are not limited to, satellite or cellular phones; Personal Communications System (PCS) terminals that combine a cellular radio phone with data processing, fax, and data communication capabilities; PDAs that may include a radio phone, pager, Internet/intranet access, web browser, memo pad, calendar, and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radio phone transceiver.
  • PCS Personal Communications System
  • GPS Global Positioning System
  • Terminal can refer to an access terminal, user equipment (UE), user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a 5G network, or a terminal in a future evolved PLMN, etc.
  • SIP Session Initiation Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • direct terminal connection (Device to Device, D2D) communication may be performed between the terminal devices 120.
  • the 5G system or 5G network may also be referred to as a New Radio (NR) system or NR network.
  • NR New Radio
  • Figure 1 exemplarily shows one network device and two terminal devices.
  • the communication system 100 may include multiple network devices and the coverage of each network device may include other numbers of terminal devices. The embodiment does not limit this.
  • the communication system 100 may also include other network entities such as a network controller and a mobility management entity, which are not limited in the embodiment of the present application.
  • the devices with communication functions in the network/system in the embodiments of the present application may be referred to as communication devices.
  • the communication device may include a network device 110 having a communication function and a terminal device 120.
  • the network device 110 and the terminal device 120 may be the specific devices described above, which will not be repeated here.
  • the communication device may also include other devices in the communication system 100, such as network controllers, mobility management entities, and other network entities, which are not limited in the embodiment of the present application.
  • the technical solutions of the embodiments of the present application are mainly applied to 5G mobile communication systems.
  • the technical solutions of the embodiments of the present application are not limited to 5G mobile communication systems, and may also be applied to other types of mobile communication systems.
  • FIGS. 2a and 2b are schematic diagrams of a system scenario where the key information processing method according to an embodiment of the present application is applied. As shown in Figure 2a, it is a scenario based on a 5G core network (NextGen Core) in which one MN and multiple SNs are connected: the MN and the SN are connected to the 5GC core network; the MN has a Control Plane (CP) connection and a User Plane (UP) connection with the 5GC core network, and the SN has a UP connection with the 5GC core network; between the MN and the SN there may be a CP connection or a UP connection, or there may be no connection.
  • 5G core network NextGen Core
  • the eLTE eNB or gNB can be used as the MN, and the gNB or eLTE eNB can be used as the SN node.
  • the network coverage between SNs may or may not have overlapping coverage.
  • the network coverage between SN and MN overlaps.
  • in the EPC-based scenario of Figure 2b, the MN and the SN are connected to the EPC core network; the MN has a CP connection and a UP connection with the EPC core network; the SN has a UP connection with the 5GC core network; the MN and the SN may have a CP connection or a UP connection, or no connection.
  • an LTE eNB can be used as the MN.
  • an LTE eNB, gNB, or eLTE eNB can all be used as the SN.
  • the network coverage between SNs may or may not overlap.
  • the key information processing method of the embodiment of this application may be based on the system scenarios shown in Figures 2a and 2b, and is of course not limited to the above system scenarios.
  • the scenarios where there are an MN and multiple SNs in other communication systems are all applicable to the secret key information processing scheme of the embodiments of this application.
  • Fig. 3 is a first schematic flowchart of the method for processing secret key information according to an embodiment of the present application; as shown in Fig. 3, the method includes:
  • Step 301: the first access network node determines the security information related to the second access network node.
  • Step 302: the first access network node determines a first encryption key based on the security information and/or the basic key, and sends the first encryption key to the second access network node; the basic key is a key corresponding to the first access network node; the first encryption key is related to the second access network node.
  • the first access network node is the master node connected to the terminal, for example, the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b;
  • the second access network node is a secondary node connected to the terminal, for example, the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB, or eLTE eNB that can be used as the SN in Figure 2b;
  • the terminal is configured with the first access network node and at least two of the second access network nodes.
  • the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node.
  • each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).
  • the security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the first access network node determining the first encryption key based on the security information and/or the basic key includes: the first access network node determines the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key is a key corresponding to the second access network node.
  • the first secondary cell group counter (SCG counter, Secondary Cell Group counter) is an integer value maintained in the first access network node
  • the second access network node identifier (also referred to as SN id) is the unique identifier assigned for the terminal; as an example, the starting value of SN id can start from 0 or 1; if the starting value of SN id starts from 1, the identifier of the first access network node (which may be marked as MN id) can be 0.
  • the first access network node determines the first encryption key based on at least one of the first secondary cell group count, SN id, and basic key.
  • the basic secret key is the key corresponding to the first access network node; as an implementation manner, the basic secret key may be recorded as K eNB or K gNB, and the first encryption key is used by the second access network node to determine the second encryption key.
  • the first encryption key may be marked as SK eNB/gNB ; when the second access network node is an eNB in an LTE system or an eLTE system, the first encryption key may be marked as SK eNB ; when the second access network node is a gNB in a 5G system or an NR system, the first encryption key can be recorded as SK gNB . It can be understood that the first encryption key in this embodiment may be a key corresponding to the second access network node.
  • the method further includes: the first access network node allocates a corresponding first secondary cell group count to the second access network node; wherein the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different. In other embodiments, the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes may also be the same.
  • the first access network node maintains a first secondary cell group count (SCG counter) related to the second access network node, and the first secondary cell group count is an integer value.
  • the first access network node allocates an initial value of the first secondary cell group count for each second access network node; when the first secondary cell group count needs to be updated, 1 is added to the current value of the first secondary cell group count.
  • the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is the same, that is, each second access network node is allocated the same initial value of the first secondary cell group count; it can be understood that the first access network node maintains a corresponding first secondary cell group count for each second access network node.
  • the first encryption key corresponding to the second access network node is determined based on the second access network node identifier, the first secondary cell group count, and the basic key.
  • the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, that is, each second access network node is allocated a different first secondary cell group count.
  • different starting values of the first secondary cell group count may mean that the initial values of the first secondary cell group counts corresponding to all the second access network nodes are different; or it may also mean that the initial values of the first secondary cell group counts corresponding to only some of the second access network nodes are different.
  • the first access network node allocating the corresponding first secondary cell group count to the second access network node includes: the first access network node determines the value range of the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, where the value ranges of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different; the first access network node determines the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  • the first access network node maintains a first secondary cell group count for each second access network node, and the first secondary cell group count is an integer value; the range of the first secondary cell group count that each second access network node can use is determined based on the maximum value of the first secondary cell group count and the number of second access network nodes.
  • the range of the first secondary cell group count may be determined by dividing the maximum value of the first secondary cell group count by the number of second access network nodes and rounding up or down.
  • the maximum value of the first secondary cell group count divided by the number of second access network nodes, rounded up or down, is recorded as A; then the value range of the first secondary cell group count can be expressed as greater than or equal to A*SNi and less than A*(SNi+A), where SNi represents the i-th second access network node among n second access network nodes; in practical applications, SNi can be represented by the identifier of the i-th second access network node.
  • the range of the first secondary cell group count corresponding to the second access network node may be expressed as:
  • the method further includes: when the first access network node determines that the basic key is changed, resetting the first secondary cell group count.
  • the first secondary cell group count (SCG counter) maintained in the first access network node is reset, that is, the first access network node resets the first secondary cell group count to 0.
  • the method further includes: when the first access network node determines that a first update condition is satisfied and the basic key is unchanged, updating the first secondary cell group count.
  • the first update condition is an update condition of the first encryption key.
  • the first access network node updates the first secondary cell group count, that is, the first secondary cell group count (SCG counter) plus one.
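The per-SN counter scheme above (one SCG counter per secondary node, partitioned value ranges, reset on basic key change, plus one on the first update condition) is easy to get wrong in the one place that matters for security: a counter that runs past its slice repeats a (SN id, count) pair and therefore repeats a key. The following Python model is an added example, not code from the patent or from OPPO; it assumes HMAC-SHA256 as the key derivation function (the page names none), reads the slice for the i-th SN as [A*i, A*(i+1)) with non-overlapping slices (the page writes the upper bound as A*(SNi+A)), treats "reset to 0" as the first value of each SN's own slice, and uses constructed SN ids, basic keys and labels.

```python
import hashlib
import hmac
import math


def kdf(key: bytes, label: bytes, *fields: int) -> bytes:
    """Key derivation used by this example (an assumption: the page does not
    name the KDF). HMAC-SHA256 over a label and the big-endian encoded fields."""
    msg = label + b"".join(f.to_bytes(4, "big") for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class MasterNode:
    """First access network node (MN): holds the basic key (K_eNB / K_gNB) and
    one SCG counter per secondary node (SN) of a multi-connected terminal."""

    def __init__(self, basic_key: bytes, sn_ids: list, counter_max: int):
        self.basic_key = basic_key
        self.sn_ids = list(sn_ids)
        self.counter_max = counter_max
        # A = max counter value / number of SNs, rounded up (the page allows
        # rounding either way); each SN receives a slice of width A.
        self.width = math.ceil(counter_max / len(self.sn_ids))
        self.counters = {}
        self.reset_counters()

    def counter_range(self, sn_id: int) -> tuple:
        """[A*i, A*(i+1)) for the i-th SN (0-based position in the MN's list).
        Assumption: slices do not overlap, so two SNs never share a count."""
        i = self.sn_ids.index(sn_id)
        low = self.width * i
        high = min(self.width * (i + 1), self.counter_max + 1)
        return low, high

    def reset_counters(self) -> None:
        """Reset every SCG counter, as required whenever the basic key changes.
        With partitioned ranges, 'reset to 0' is read as the first value of
        each SN's own slice (assumption)."""
        for sn_id in self.sn_ids:
            self.counters[sn_id] = self.counter_range(sn_id)[0]

    def remaining_updates(self, sn_id: int) -> int:
        """Increments left before the counter would leave its slice. Going past
        the slice would reuse a (SN id, count) pair and hence repeat a key, so
        the caller must refresh the basic key instead."""
        return self.counter_range(sn_id)[1] - 1 - self.counters[sn_id]

    def update_counter(self, sn_id: int) -> int:
        """First update condition met, basic key unchanged: SCG counter plus one."""
        if self.remaining_updates(sn_id) <= 0:
            raise ValueError(f"SCG counter exhausted for SN {sn_id}; refresh the basic key")
        self.counters[sn_id] += 1
        return self.counters[sn_id]

    def first_key(self, sn_id: int) -> bytes:
        """SK_eNB/gNB for one SN, derived from SN id, its SCG count and the basic key."""
        return kdf(self.basic_key, b"SK", sn_id, self.counters[sn_id])

    def rekey_basic(self, new_basic_key: bytes) -> None:
        """Basic key changed: install it and reset all SCG counters."""
        self.basic_key = new_basic_key
        self.reset_counters()


def second_keys(first_key: bytes) -> dict:
    """SN side: derive the second encryption key material (separate encryption
    and integrity keys) from the received first key. Labels are assumptions."""
    return {"enc": kdf(first_key, b"enc"), "int": kdf(first_key, b"int")}


def distinct_first_keys(mn: MasterNode) -> bool:
    """Check that no two SNs of one terminal currently hold the same first key."""
    keys = [mn.first_key(sn_id) for sn_id in mn.sn_ids]
    return len(set(keys)) == len(keys)


if __name__ == "__main__":
    # Constructed inputs: one terminal, an all-zero basic key, three SNs with
    # constructed ids, SCG counter values 0..10.
    mn = MasterNode(bytes(32), [11, 12, 13], counter_max=10)
    for sn_id in mn.sn_ids:
        print(sn_id, mn.counter_range(sn_id), mn.first_key(sn_id).hex()[:16])
    print("distinct:", distinct_first_keys(mn))
```

With three SNs and a maximum count of 10, A is 4 and the slices are [0,4), [4,8) and [8,11); the third SN therefore gets only two updates before its counter is exhausted, which is the point at which the MN has to change the basic key rather than keep incrementing.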
  • the security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; the first access network node determining the first encryption key based on the security information and/or the basic key includes: the first access network node determines the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the at least two second access network nodes are divided into at least one secondary node group (SN Group, SNG), one secondary node group includes at least one second access network node, and each secondary node group A secondary node group identifier (SN group id) is correspondingly allocated, that is, the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • the at least two second access network nodes may be grouped based on the radio frequency range where each second access network node is located, or based on whether a specific connection (such as an Xn connection) exists between the second access network node and the first access network node, and so on.
  • a secondary node group count (SNG counter) is maintained in the first access network node for each secondary node group, and the secondary node group count (SNG counter) may be an integer value. Then the first access network node determines the first encryption key based on at least one of the secondary node group identifier (SN group id) and the secondary node group count (SNG counter) and the basic secret key (such as K eNB ).
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • the first encryption key may be recorded as SK SNG .
  • the method further includes: when the first access network node determines that the basic key is changed, resetting the secondary node group count. In this embodiment, when it is determined that K eNB is changed, the first access network node resets the secondary node group count (SNG counter) maintained by itself, that is, the first access network node resets the secondary node group count to 0.
  • SNG counter secondary node group count
  • the method further includes: when the first access network node determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count.
  • the first update condition is an update condition of the first encryption key.
  • the first access network node updates the secondary node group count, that is, the secondary node group count (SNG counter) plus one.
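The secondary node group variant trades key isolation for fewer counters: all SNs of a group receive the same SK SNG, and one SNG counter update re-keys the whole group. The following Python model is an added example, not code from the patent or from OPPO; it groups SNs by the radio frequency range they serve (one of the two grouping rules mentioned above), assumes HMAC-SHA256 as the key derivation function (the page names none), and uses constructed SN ids, band labels and basic keys.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *fields: int) -> bytes:
    """Assumed KDF (the page names none): HMAC-SHA256 over a label and fields."""
    msg = label + b"".join(f.to_bytes(4, "big") for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def group_secondary_nodes(sn_bands: dict) -> dict:
    """Group SNs by the radio frequency range they serve. Input {sn_id: band
    label}; output {SN group id: sorted sn_ids}, with group ids assigned 0, 1, ...
    in sorted band-label order (a constructed convention for this example)."""
    bands = sorted(set(sn_bands.values()))
    return {
        gid: sorted(sn for sn, band in sn_bands.items() if band == bands[gid])
        for gid in range(len(bands))
    }


class GroupMasterNode:
    """MN keeping one SNG counter per secondary node group and deriving one
    first key (SK_SNG) per group rather than one per SN."""

    def __init__(self, basic_key: bytes, groups: dict):
        self.basic_key = basic_key
        self.groups = groups
        self.sng_counter = {gid: 0 for gid in groups}

    def group_key(self, gid: int) -> bytes:
        """SK_SNG from SN group id, SNG counter and the basic key."""
        return kdf(self.basic_key, b"SK_SNG", gid, self.sng_counter[gid])

    def keys_for_all_sns(self) -> dict:
        """What the MN sends out: every SN in a group receives the same SK_SNG."""
        return {sn: self.group_key(gid) for gid, sns in self.groups.items() for sn in sns}

    def nodes_affected_by_update(self, gid: int) -> list:
        """An SNG counter update re-keys every SN in that group, so a change
        triggered by one SN fans out to the whole group."""
        return list(self.groups[gid])

    def update_group_counter(self, gid: int) -> int:
        """First update condition met, basic key unchanged: SNG counter plus one."""
        self.sng_counter[gid] += 1
        return self.sng_counter[gid]

    def rekey_basic(self, new_basic_key: bytes) -> None:
        """Basic key changed: install it and reset every SNG counter to 0."""
        self.basic_key = new_basic_key
        self.sng_counter = {gid: 0 for gid in self.groups}


if __name__ == "__main__":
    # Constructed inputs: three SNs, two of them on the same band, all-zero basic key.
    groups = group_secondary_nodes({21: "n78", 22: "n78", 23: "n41"})
    mn = GroupMasterNode(bytes(32), groups)
    for sn, key in mn.keys_for_all_sns().items():
        print(sn, key.hex()[:16])
    print("update of group 1 re-keys:", mn.nodes_affected_by_update(1))
```

Run as written, SNs 21 and 22 print the same key prefix while SN 23 differs; after an update of group 1 the keys of 21 and 22 change together and SN 23's key is untouched.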
  • the embodiment of the present application also provides a method for processing secret key information.
  • FIG. 4 is a schematic diagram of the second flow of a method for processing secret key information according to an embodiment of the present application; as shown in FIG. 4, the method includes: Step 401: the second access network node receives the first encryption key sent by the first access network node; the first encryption key is determined based on the security information related to the second access network node and/or the basic key; the first encryption key is related to the second access network node; Step 402: the second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
  • the first access network node is the master node connected to the terminal, for example, the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b;
  • the second access network node is a secondary node connected to the terminal, for example, a gNB or eLTE eNB that can be used as the SN in Figure 2a, or an LTE eNB, gNB or eLTE eNB that can be used as the SN in Figure 2b;
  • the terminal is configured with the first access network node and at least two second access network nodes.
  • the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node.
  • each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).
  • the first encryption key is determined based on at least one of the second access network node identifier corresponding to the second access network node, the first secondary cell group count associated with the second access network node, and the basic key; the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  • the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the method for determining the first encryption key can refer to the detailed description of the first method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the second access network node calculates the second encryption key for encryption and integrity protection based on the SK eNB/gNB and the selected algorithm identification (ID).
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which is not repeated here.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group, that is, all second access network nodes in the secondary node group determine their respective keys based on the first encryption key.
  • the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the second access network node calculates the second encryption key for encryption and integrity protection based on the SK SNG and the selected algorithm identification (ID).
  • the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count, and the basic key, and the first encryption key is the secret corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to the second access network node in the secondary node group; the specific second access network node sends the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by those other second access network nodes to determine, based on the third encryption key and the algorithm identifier, the second encryption key for encryption and integrity protection; and the specific second access network node determines the second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  • a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) for each second access network node in the group. In order to distinguish it from the secondary cell group count maintained in the first access network node, the secondary cell group count maintained in the first access network node is recorded as the first secondary cell group count, and the secondary cell group count maintained in the specific second access network node is recorded as the second secondary cell group count.
  • the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • the specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key (such as SK SNG), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter); the third encryption key is the key corresponding to a second access network node other than the specific second access network node in the secondary node group.
  • the other second access network nodes in the secondary node group, other than the specific second access network node, determine the second encryption key used for encryption and integrity protection based on the third encryption key and the selected algorithm identifier.
  • for the second encryption key of the specific second access network node itself, there is no need to calculate the third encryption key; instead, the second encryption key corresponding to the specific second access network node is calculated from the first encryption key and the selected algorithm identifier.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to the second access network node in the secondary node group; the specific second access network node sends the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by the second access network nodes in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and the algorithm identifier.
  • a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) for each second access network node in the group. In order to distinguish it from the secondary cell group count maintained in the first access network node in the previous embodiment, the secondary cell group count maintained in the first access network node is recorded as the first secondary cell group count, and the secondary cell group count maintained in the specific second access network node is recorded as the second secondary cell group count.
  • the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • the specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key (such as SK SNG), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter); the third encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the other second access network nodes in the secondary node group, other than the specific second access network node, determine the second encryption key used for encryption and integrity protection based on the third encryption key and the selected algorithm identifier.
  • after the third encryption key is determined, the specific second access network node calculates its own second encryption key from the third encryption key and the selected algorithm identifier.
  • the method further includes: when the specific second access network node determines that the basic key used to determine the first encryption key has changed, and/or that the first encryption key corresponding to the secondary node group has changed, resetting the second secondary cell group count.
  • when the specific second access network node determines that K eNB has changed, the specific second access network node resets the second secondary cell group counter (SCG counter) that it maintains.
  • the method further includes: updating the second secondary cell group count when the specific second access network node determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network node updates the second secondary cell group count that it maintains, that is, the second secondary cell group counter (SCG counter) is incremented by one.
  • the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; establishing a third signaling radio bearer (SRB3); allocating the information of the secondary node group, where the information of the secondary node group includes at least one of the following: user plane bearer (DRB) ID, serving cell index, logical channel (LC) ID, measurement ID, measurement object ID, and measurement report ID.
  • Fig. 5 is a third schematic flow chart of the method for processing secret key information according to an embodiment of the present application; as shown in Fig. 5, the method includes: Step 501: the terminal device obtains the first security information allocated by the first access network node, and determines the first encryption key based on the first security information and/or the basic key; the basic key is the key corresponding to the first access network node; the first security information is related to the second access network node; the first encryption key is related to the second access network node; Step 502: the terminal device obtains the second security information allocated by the second access network node, and determines the second encryption key used for encryption and integrity protection based on the first encryption key and the second security information; the second security information is related to the second access network node.
  • the terminal is configured with a first access network node and at least two second access network nodes, that is, the terminal can establish connections with the first access network node and with at least two second access network nodes respectively.
  • the first access network node is the master node connected to the terminal, such as eLTE eNB or gNB that can be used as MN in Figure 2a, or LTE eNB that can be used as MN in Figure 2b;
  • the second access network node is the secondary node to which the terminal is connected, for example, the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB, or eLTE eNB that can be used as the SN in Figure 2b.
  • the first security information includes a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key is the key corresponding to the second access network node.
  • the terminal device receives the first secondary cell group count and/or the second access network node identifier allocated by the first access network node, and determines the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key.
  • for a detailed description of the first encryption key, reference may be made to the detailed description of the first method for determining the first encryption key in the foregoing embodiment applied to the first access network device, and details are not repeated here.
  • that the terminal device obtains the first security information allocated by the first access network node includes: the terminal device obtains the first secondary cell group count allocated by the first access network node; wherein at least two of the at least two second access network nodes have different initial values of the first secondary cell group count.
  • the first secondary cell group count (SCG counter) related to the second access network node is maintained in the first access network node, and the terminal device obtains, as allocated by the first access network node, the first secondary cell group count used to derive the first encryption key; the first secondary cell group count is an integer value.
  • the second security information includes an algorithm identifier corresponding to the second access network node; determining the key for encryption and integrity protection based on the first encryption key and the second security information includes: determining a second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the terminal device obtains the algorithm identifier selected by each second access network node, and determines the second encryption key corresponding to that second access network node from the previously determined first encryption key and the algorithm identifier of that second access network node; the second encryption key is used for encryption and integrity protection.
  • the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the first secondary cell group count.
  • the first update condition is an update condition of the first encryption key.
  • the terminal device updates the first secondary cell group count, that is, increases the first secondary cell group counter (SCG counter) by one.
  • the at least two second access network nodes are divided into at least one secondary node group; one secondary node group includes at least one second access network node, and each secondary node group is assigned a corresponding secondary node group identifier (SN group id), that is, the secondary node group identifier corresponds to all the second access network nodes in the secondary node group.
  • the first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group. It can be understood that all second access network nodes in the secondary node group determine their respective keys based on the first encryption key.
  • the second security information includes an algorithm identifier corresponding to the second access network node; determining the key for encryption and integrity protection based on the first encryption key and the second security information includes: determining a second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the terminal device obtains the algorithm identifier selected by each second access network node, and determines the second encryption key corresponding to that second access network node from the previously determined first encryption key and the algorithm identifier of that second access network node; the second encryption key is used for encryption and integrity protection.
  • for the specific method for determining the second encryption key, refer to the related description of the second implementation for determining the second encryption key in the foregoing embodiment applied to the second access network device, which is not repeated here.
  • the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count.
  • the first update condition is an update condition of the first encryption key.
  • the specific update method is the same as the update method in the first access network node. For details, please refer to the update method in the first access network node, which will not be repeated here.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • obtaining the second security information allocated by the second access network node by the terminal device includes: obtaining, by the terminal device, the algorithm identifier allocated by the second access network node in the secondary node group, and obtaining the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, where the third encryption key is the key corresponding to the other second access network nodes in the secondary node group except for the specific second access network node; determining the second encryption key corresponding to each other second access network node based on the third encryption key and the algorithm identifier corresponding to that other second access network node; and determining the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  • the specific method for determining the second encryption key can refer to the related description of the third implementation for determining the second encryption key in the foregoing embodiment applied to the second access network device, which is not repeated here.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • obtaining the second security information allocated by the second access network node by the terminal device includes: obtaining, by the terminal device, an algorithm identifier allocated by the second access network node in the secondary node group, and obtaining the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, where the third encryption key is the key corresponding to at least one second access network node in the secondary node group; and determining the second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to the second access network node.
  • the specific method for determining the second encryption key can refer to the related description of the fourth implementation for determining the second encryption key in the foregoing embodiment applied to the second access network device, which is not repeated here.
  • the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; establishing SRB3; allocating the secondary node group information, where the secondary node group information includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • the method further includes: when the terminal device determines that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, updating the second secondary cell group count.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network node updates the second secondary cell group count that it maintains, that is, the second secondary cell group counter (SCG counter) is incremented by one.
  • FIGS. 6a to 6c are schematic diagrams of secret key derivation in the key information processing method of the embodiment of the present application; the following describes the key information processing method of the embodiment of the present application in detail with reference to FIGS. 6a to 6c and specific examples.
  • the following takes the case where the first access network node is the MN and the second access network node is the SN as an example for description.
  • the MN maintains an SCG counter for each SN, and the SCG counter is an integer value.
  • the first encryption key SK eNB/gNB corresponding to the second access network node is obtained by inputting K eNB (or K gNB), the SCG counter and the SN id into a key derivation function (KDF); the MN sends the obtained first encryption key SK eNB/gNB to all SNs, and each SN inputs the first encryption key SK eNB/gNB and its respectively selected algorithm identifier into the KDF to determine the key used for encryption and integrity protection.
  • the MN maintains an SCG counter for all SNs, and the SCG counter is an integer value.
  • the MN assigns the corresponding SCG counter starting value to the SN, and different SNs correspond to different SCG counter starting values.
  • the range in which each SN can use the SCG counter is determined based on the maximum value of the SCG counter and the number of SNs. The specific determination rule can be referred to in the foregoing embodiment, which will not be repeated here.
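Added example, not code from the patent: the counter discipline described above and in the reset/update bullets for the SNG counter and the second SCG counter, modelled as MN-side state. Assumed, since the page fixes none of them: a maximum counter value, an equal split of that range across SNs in SN order, and reset to the start of the range (0 for the SNG counter) when the basic key changes.

```python
class CounterExhausted(Exception):
    """Raised instead of wrapping around: re-using a (basic key, counter, SN id)
    KDF input would re-derive a key that was already in use, so a fresh K_eNB
    is needed before this counter can move again."""


class KeyCounter:
    """One integer counter confined to [lo, hi] (bounds are an assumption)."""

    def __init__(self, lo: int, hi: int):
        if lo > hi:
            raise ValueError("empty counter range")
        self.lo, self.hi = lo, hi
        self.value = lo

    def reset(self) -> int:
        """Basic key changed: back to the start of the range."""
        self.value = self.lo
        return self.value

    def increment(self) -> int:
        """Update condition met while the basic key is unchanged: plus one,
        refused once the range is used up."""
        if self.value >= self.hi:
            raise CounterExhausted(f"range {self.lo}..{self.hi} exhausted")
        self.value += 1
        return self.value


def increments_available(counter: KeyCounter) -> int:
    """How many more key refreshes this counter allows before K_eNB must change."""
    return counter.hi - counter.value


def partition_scg_ranges(sn_ids, max_counter: int):
    """Assumed rule for 'the range each SN can use': split [0, max_counter] into
    equal, disjoint slices in SN order, so two SNs never feed the same counter
    value into the KDF under one K_eNB (different start values per SN)."""
    width = (max_counter + 1) // len(sn_ids)
    if width < 1:
        raise ValueError("more SNs than counter values")
    return {sn: (i * width, i * width + width - 1) for i, sn in enumerate(sn_ids)}


class MasterNodeCounters:
    """Counter state kept by the MN: one SCG counter per SN (FIG. 6a scheme)
    and one SNG counter per SN group (FIG. 6b scheme)."""

    def __init__(self, sn_ids, group_ids, max_counter: int):
        ranges = partition_scg_ranges(sn_ids, max_counter)
        self.scg = {sn: KeyCounter(lo, hi) for sn, (lo, hi) in ranges.items()}
        self.sng = {g: KeyCounter(0, max_counter) for g in group_ids}

    def on_basic_key_changed(self) -> None:
        """K_eNB changed: every counter is reset (SNG counters go to 0)."""
        for counter in list(self.scg.values()) + list(self.sng.values()):
            counter.reset()

    def on_sn_update_condition(self, sn_id) -> int:
        """First update condition for one SN's first encryption key, K_eNB unchanged."""
        return self.scg[sn_id].increment()

    def on_group_update_condition(self, group_id) -> int:
        """First update condition for an SN group's SK_SNG, K_eNB unchanged."""
        return self.sng[group_id].increment()


def demo_counters() -> dict:
    """Constructed walk-through: two SNs, one group, a 4-bit counter space."""
    mn = MasterNodeCounters(["sn-a", "sn-b"], ["g1"], max_counter=15)
    trace = {"start": {sn: c.value for sn, c in mn.scg.items()}}
    trace["after_refresh_b"] = mn.on_sn_update_condition("sn-b")
    trace["after_refresh_g1"] = mn.on_group_update_condition("g1")
    mn.on_basic_key_changed()
    trace["after_key_change"] = {sn: c.value for sn, c in mn.scg.items()}
    tiny = KeyCounter(0, 1)          # a range with room for exactly one refresh
    tiny.increment()
    try:
        tiny.increment()
        trace["exhaustion_detected"] = False
    except CounterExhausted:
        trace["exhaustion_detected"] = True
    return trace


if __name__ == "__main__":
    print(demo_counters())
```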
  • the MN maintains an SNG counter for each SN group.
  • the input parameters for calculating the key corresponding to each SN group are at least: KeNB (or KgNB), SNG counter and SN group id; that is, the MN inputs KeNB (or KgNB), the SNG counter and the SN group id into the KDF to obtain the first encryption key SK SNG corresponding to the SN group; the MN sends the obtained first encryption key SK SNG to the specific SN in the SN group, and the specific SN is responsible for calculating the key of each SN in the SN group;
  • the input parameters for calculating the key of each SN include at least: SK SNG, SCG counter and SN id; that is, the specific SN inputs SK SNG, the SCG counter and the SN id into the KDF to obtain the third encryption key S-KgNB, and the specific SN sends the third encryption key S-KgNB to the other SNs in the SN group.
  • the difference is that the specific SN sends the third encryption key S-KgNB to the other SNs in the SN group, and the other SNs input the third encryption key S-KgNB and their respectively selected algorithm IDs into the KDF to determine the key used for encryption and integrity protection; for the specific SN, the first encryption key SK SNG and its selected algorithm ID are input into the KDF to determine the key used for encryption and integrity protection.
  • the MN maintains an SNG counter for each SN group, and the input parameters for calculating the key corresponding to each SN group are at least: KeNB (or KgNB), SNG counter and SN group id; that is, the MN inputs KeNB (or KgNB), the SNG counter and the SN group id into the KDF to obtain the first encryption key SK SNG corresponding to the SN group; the MN sends the obtained first encryption key SK SNG to all SNs in the SN group; all SNs in the SN group (including the specific SN) input the first encryption key SK SNG and their respectively selected algorithm identifiers into the KDF to determine the key used for encryption and integrity protection.
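Added example, not code from the patent: the key trees of FIG. 6a (one SCG counter per SN) and FIG. 6b (one SNG counter per SN group, with a specific SN deriving S-KgNB for the other group members), written out so the three derivation levels and the UE-side recomputation can be checked. The KDF is assumed to be HMAC-SHA256 over length-prefixed inputs and counters are assumed to be 32-bit; the page fixes neither, and all key and identifier values are constructed.

```python
import hashlib
import hmac
import struct


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF (the page fixes none): HMAC-SHA256 keyed with `key` over
    length-prefixed inputs, so (b"ab", b"c") and (b"a", b"bc") never collide."""
    msg = b"".join(struct.pack(">H", len(x)) + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def counter_bytes(n: int) -> bytes:
    """Counters are integers on the page; encoded here as 32-bit big-endian (assumption)."""
    return struct.pack(">I", n)


# ---- FIG. 6a: the MN keeps one SCG counter per SN ---------------------------

def derive_sk_sn(k_base: bytes, scg_counter: int, sn_id: bytes) -> bytes:
    """First encryption key SK_eNB/gNB of one SN: KDF(K_eNB or K_gNB, SCG counter, SN id)."""
    return kdf(k_base, counter_bytes(scg_counter), sn_id)


def derive_protection_key(first_key: bytes, alg_id: bytes) -> bytes:
    """Second encryption key (encryption and integrity protection):
    KDF(key handed to the SN, algorithm identifier the SN selected)."""
    return kdf(first_key, alg_id)


# ---- FIG. 6b: the MN keeps one SNG counter per SN group; a specific SN fans out

def derive_sk_sng(k_base: bytes, sng_counter: int, sn_group_id: bytes) -> bytes:
    """First encryption key SK_SNG of a group: KDF(K_eNB or K_gNB, SNG counter, SN group id)."""
    return kdf(k_base, counter_bytes(sng_counter), sn_group_id)


def derive_s_kgnb(sk_sng: bytes, scg_counter: int, sn_id: bytes) -> bytes:
    """Third encryption key S-KgNB for one other SN in the group:
    KDF(SK_SNG, second SCG counter kept by the specific SN, SN id)."""
    return kdf(sk_sng, counter_bytes(scg_counter), sn_id)


def group_protection_keys(sk_sng: bytes, specific_sn: bytes, members: dict) -> dict:
    """FIG. 6b fan-out at the specific SN. `members` maps SN id -> (second SCG
    counter, selected algorithm id). The specific SN keys directly from SK_SNG;
    every other SN keys from the S-KgNB the specific SN hands it."""
    keys = {}
    for sn_id, (scg_counter, alg_id) in members.items():
        if sn_id == specific_sn:
            keys[sn_id] = derive_protection_key(sk_sng, alg_id)
        else:
            s_kgnb = derive_s_kgnb(sk_sng, scg_counter, sn_id)
            keys[sn_id] = derive_protection_key(s_kgnb, alg_id)
    return keys


def demo_keys() -> dict:
    """Constructed walk-through of both schemes; returns the FIG. 6b per-SN keys."""
    k_enb = bytes(range(32))                       # constructed K_eNB
    sk_a = derive_sk_sn(k_enb, 0, b"sn-a")         # MN: SCG counter 0 for SN a
    sk_b = derive_sk_sn(k_enb, 7, b"sn-b")         # MN: SCG counter 7 for SN b
    key_a = derive_protection_key(sk_a, b"alg-2")  # SN a with its selected alg id
    # The UE gets the counter and SN id from the MN and the alg id from the SN,
    # so it recomputes key_a itself; no protection key travels over the air.
    assert key_a == derive_protection_key(derive_sk_sn(k_enb, 0, b"sn-a"), b"alg-2")
    sk_sng = derive_sk_sng(k_enb, 0, b"g1")        # MN: SNG counter 0 for group g1
    members = {b"sn1": (0, b"alg-2"), b"sn2": (1, b"alg-2"), b"sn3": (2, b"alg-1")}
    keys = group_protection_keys(sk_sng, b"sn1", members)   # sn1 is the specific SN
    assert len({sk_a, sk_b, key_a, *keys.values()}) == 6    # every key distinct
    return keys


if __name__ == "__main__":
    for sn, key in demo_keys().items():
        print(sn.decode(), key.hex())
```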
  • the first access network node, as the master node, determines the first encryption key based on the security information related to the second access network node and sends the first encryption key to the second access network node, so that the second access network node determines the second encryption key used for encryption and integrity protection based on the first encryption key; this realizes key derivation in the scenario of a communication system with multiple SNs;
  • the first access network node resets or updates the secondary cell group count and/or secondary node group count it maintains, the second access network node resets or updates the secondary cell group count it maintains, and the terminal device updates the secondary cell group count and/or secondary node group count accordingly; this realizes key management in the scenario of a communication system with multiple SNs.
  • FIG. 7 is a schematic diagram of a structure of a first access network node according to an embodiment of the present application; as shown in FIG. 7, the node includes: a first determining unit 61, a second determining unit 62, and a first communication unit 63;
  • the first determining unit 61 is configured to determine security information related to the second access network node;
  • the second determining unit 62 is configured to determine the first encryption key based on the security information and/or the basic key;
  • the basic key is the key corresponding to the first access network node;
  • the first encryption key is related to the second access network node;
  • the first communication unit 63 is configured to send the first encryption key to the second access network node;
  • the first access network node is the master node connected to the terminal;
  • the second access network node is the secondary node connected to the terminal;
  • the terminal is configured with the first access network node and at least two second access network nodes.
  • the security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the second determining unit 62 is configured to determine a first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  • the first determining unit 61 is further configured to allocate a corresponding first secondary cell group count for the second access network node; wherein the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the first determining unit 61 is configured to determine the value range of the first secondary cell group count corresponding to each second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, such that the value ranges corresponding to at least two of the at least two second access network nodes are different; and to determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  • the node further includes a first resetting unit 64 configured to reset the first secondary cell group count when it is determined that the basic key is changed.
  • the node further includes a first update unit 65 configured to update the first secondary cell group count when it is determined that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; in an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group; the second determining unit 62 is configured to determine a first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the at least two second access network nodes are divided into at least one auxiliary node group. Each secondary node group corresponds to a secondary node group identifier; different secondary node groups correspond to different secondary node group identifiers.
  • the node further includes a first reset unit 64 configured to reset the secondary node group count when it is determined that the basic key is changed.
  • the node further includes a first update unit 65 configured to update the secondary node group count when it is determined that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
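The counter rules in the bullets above, as an added example that is not the patent's own code: each node's count lives in a disjoint contiguous range sized from the counter maximum and the number of nodes, so initial values differ per node; the count is reset when the basic key changes and incremented when the key-update condition holds while the basic key is unchanged. The same allocator serves the first secondary cell group count and the secondary node group count at the first access network node, and the second secondary cell group count that the specific second access network node maintains as described further down. The 16-bit counter width, the node ids and the small counter used to show exhaustion are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

COUNTER_MAX = 0xFFFF  # assumed 16-bit counter; the patent does not fix the width


def counter_ranges(n_nodes: int, counter_max: int = COUNTER_MAX) -> List[Tuple[int, int]]:
    """Split [0, counter_max] into n_nodes disjoint contiguous ranges.
    The last range absorbs the remainder so every value has exactly one owner."""
    if n_nodes < 1:
        raise ValueError("need at least one node")
    size = (counter_max + 1) // n_nodes
    if size == 0:
        raise ValueError("more nodes than counter values")
    ranges = []
    for i in range(n_nodes):
        lo = i * size
        hi = counter_max if i == n_nodes - 1 else lo + size - 1
        ranges.append((lo, hi))
    return ranges


class CounterExhausted(Exception):
    """A node's slice is used up. The holder must refresh the parent key
    (which resets every slice) instead of wrapping the counter."""


class CountAllocator:
    """One count per node. reset() on a parent-key change; bump() on a
    key-update condition while the parent key is unchanged."""

    def __init__(self, node_ids: List[int], counter_max: int = COUNTER_MAX):
        self.node_ids = list(node_ids)
        self.counter_max = counter_max
        self.ranges: Dict[int, Tuple[int, int]] = dict(
            zip(self.node_ids, counter_ranges(len(self.node_ids), counter_max)))
        self.counts: Dict[int, int] = {}
        self.reset()

    def reset(self) -> Dict[int, int]:
        # Initial values differ per node because each starts at its own slice.
        self.counts = {n: self.ranges[n][0] for n in self.node_ids}
        return dict(self.counts)

    def current(self, node_id: int) -> int:
        return self.counts[node_id]

    def bump(self, node_id: int) -> int:
        lo, hi = self.ranges[node_id]
        if self.counts[node_id] >= hi:
            raise CounterExhausted(f"node {node_id} used all of {lo}..{hi}")
        self.counts[node_id] += 1
        return self.counts[node_id]

    def owner_of(self, value: int) -> Optional[int]:
        """Which node a counter value belongs to (None if out of range);
        useful when checking a received count against the allocation."""
        for n, (lo, hi) in self.ranges.items():
            if lo <= value <= hi:
                return n
        return None


if __name__ == "__main__":
    mn = CountAllocator([11, 12, 13])          # constructed SN ids
    print("initial:", mn.reset())
    print("after one key update for SN 11:", mn.bump(11))
    print("owner of 30000:", mn.owner_of(30000))
```

Exhaustion raises rather than wraps on purpose: a wrapped count would feed the KDF a (basic key, count, identifier) tuple it has already consumed and re-derive an old key, so the right reaction is the basic-key refresh that resets every slice.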
  • when the first access network node provided in the above embodiment performs secret key information processing, only the division of the above program modules is used as an example for illustration; in actual applications the above processing can be assigned to different program modules as needed, that is, the internal structure of the first access network node is divided into different program modules to complete all or part of the processing described above.
  • the first access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.
  • FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application; as shown in FIG. 9, the node includes: a second communication unit 71 and a third determination unit 72; wherein the second communication unit 71 is configured to receive a first encryption key sent by the first access network node; the first encryption key is determined based on security information related to the second access network node and/or a basic key; the first encryption key is related to the second access network node; the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key; wherein the first access network node is the primary node connected to the terminal, the second access network node is the secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two second access network nodes.
  • the first encryption key is determined based on at least one of the second access network node identifier corresponding to the second access network node, the first secondary cell group count associated with the second access network node, and the basic key; the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  • the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier.
  • the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count, and the basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the second access network node is a specific second access network node in the secondary node group; the third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group; and it is also configured to determine, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection;
  • the second communication unit 71 is further configured to send the third encryption key to the second access network nodes in the secondary node group other than the specific second access network node; the third encryption key is used by those other second access network nodes to determine, based on the third encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, which is used for generating the keys of the second access network nodes in the secondary node group.
  • the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group, and it is sent to the other second access network nodes in the group so that they calculate the second encryption key based on the third encryption key and the corresponding algorithm identifier; on the other hand, the specific second access network node determines its own second encryption key for encryption and integrity protection based on the obtained first encryption key and algorithm identifier, instead of recalculating the second encryption key based on the third encryption key.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the second access network node is a specific second access network node in the secondary node group; the third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group; the second communication unit 71 is further configured to send the third encryption key to the second access network nodes in the secondary node group other than the specific second access network node; the third encryption key is used by the second access network nodes in the secondary node group to determine, based on the third encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, which is used for generating the keys of the second access network nodes in the secondary node group.
  • the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group, and it is sent to the other second access network nodes in the group so that all second access network nodes in the group (including the specific second access network node) calculate the second encryption key based on the third encryption key and the corresponding algorithm identifier.
  • the node further includes a second reset unit 73 configured to reset the second secondary cell group count when it is determined that the basic key used to determine the first encryption key is changed and/or the first encryption key corresponding to the secondary node group is changed.
  • the node further includes a second update unit 74 configured to update the second secondary cell group count when it is determined that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used for establishing SRB3; used for allocating information of the secondary node group;
  • the information of the secondary node group includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • when the second access network node provided in the above embodiment performs secret key information processing, only the division of the above program modules is used as an example for illustration; in actual applications the above processing can be assigned to different program modules as needed, that is, the internal structure of the second access network node is divided into different program modules to complete all or part of the processing described above.
  • the second access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.
  • FIG. 11 is a schematic diagram of a structure of a terminal device of an embodiment of the present application; as shown in FIG. 11, the terminal device includes: a third communication unit 81 and a fourth determination unit 82; wherein the third communication unit 81 is configured to obtain the first security information allocated by the first access network node, the first security information being related to the second access network node, and is further configured to obtain the second security information allocated by the second access network node, the second security information being related to the second access network node; the fourth determining unit 82 is configured to determine the first encryption key based on the first security information and/or the basic key, the basic key being the key corresponding to the first access network node and the first encryption key being related to the second access network node, and is further configured to determine, based on the first encryption key and the second security information, the second encryption key used for encryption and integrity protection;
  • the terminal is configured with a first access network node and at least two second access network nodes.
  • the first security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the fourth determining unit 82 is then configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  • the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to be based on the first encryption key and the algorithm corresponding to the second access network node The identification determines the second encryption key.
  • the third communication unit 81 is configured to obtain the first secondary cell group count allocated by the first access network node; wherein the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the terminal device further includes a third update unit 83 configured to update the first secondary cell group count when it is determined that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; as an implementation manner, the secondary node group identifier corresponds to all the second access network nodes in the secondary node group.
  • the fourth determining unit 82 is configured to determine a first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the secondary node group The corresponding key.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to be based on the first encryption key and corresponding to the second access The algorithm identifier of the network node determines the second encryption key.
  • the terminal device further includes a third update unit 83 configured to update the secondary node group count when it is determined that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the third communication unit 81 is configured to obtain the algorithm identifier assigned by each second access network node in the secondary node group, and to obtain the second secondary cell group count and/or the second access network node identifier assigned by the specific second access network node in the secondary node group; the fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count;
  • the third encryption key is the key corresponding to the second access network nodes in the secondary node group other than the specific second access network node; the fourth determining unit 82 determines the second encryption key corresponding to each of those other second access network nodes based on the third encryption key and the algorithm identifier corresponding to that node, and determines the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  • the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, which is used to maintain the second secondary cell group count and the second access network node identifier.
  • for the specific second access network node, the terminal device determines the second encryption key based on the first encryption key and the algorithm identifier, instead of recalculating it based on the third encryption key; for the second access network nodes in the secondary node group other than the specific second access network node, the terminal first determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count, and then calculates the second encryption key based on the third encryption key and the corresponding algorithm identifier.
  • the third communication unit 81 is configured to obtain the algorithm identifier assigned by each second access network node in the secondary node group, and to obtain the algorithm identifier assigned by the specific second access network node in the secondary node group; the fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the second access network nodes in the secondary node group; the second encryption key corresponding to each second access network node is determined based on the third encryption key and the algorithm identifier corresponding to that second access network node.
  • the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, which is used to maintain the second secondary cell group count and the second access network node identifier.
  • the terminal determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count, and then calculates the second encryption key based on the third encryption key and the algorithm identifier corresponding to each second access network node.
  • the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used for establishing SRB3; used for allocating information of the secondary node group;
  • the information of the secondary node group includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • the terminal device further includes a third update unit 83 configured to update the second secondary cell group count when it is determined that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • when the terminal device provided in the above embodiment performs key information processing, only the division of the above program modules is used as an example for illustration; in actual applications the above processing can be allocated to different program modules as needed, that is, the internal structure of the terminal device is divided into different program modules to complete all or part of the processing described above.
  • the terminal device provided in the foregoing embodiment and the embodiment of the secret key information processing method belong to the same concept. For the specific implementation process, refer to the method embodiment for details, and will not be repeated here.
  • FIG. 13 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the communication device may be a terminal device or an access network node.
  • the communication device shown in FIG. 13 includes a processor 910.
  • the processor 910 may call and run a computer program from a memory to implement the method in the embodiment of the present application.
  • the communication device may further include a memory 920.
  • the processor 910 can call and run a computer program from the memory 920 to implement the method in the embodiment of the present application.
  • the memory 920 may be a separate device independent of the processor 910, or may be integrated in the processor 910.
  • the communication device may further include a transceiver 930, and the processor 910 may control the transceiver 930 to communicate with other devices; specifically, it may send information or data to other devices, or receive information or data sent by other devices.
  • the transceiver 930 may include a transmitter and a receiver.
  • the transceiver 930 may further include an antenna, and the number of antennas may be one or more.
  • the communication device may specifically be a terminal device or an access network node in an embodiment of the application, and the communication device may implement the corresponding process implemented by the terminal device, the first access network node or the second access network node in each method of the embodiment of the application, which will not be repeated here.
  • FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application.
  • the chip shown in FIG. 14 includes a processor 710, and the processor 710 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
  • the chip may further include a memory 720.
  • the processor 710 may call and run a computer program from the memory 720 to implement the method in the embodiment of the present application.
  • the memory 720 may be a separate device independent of the processor 710, or may be integrated in the processor 710.
  • the chip may also include an input interface 730.
  • the processor 710 can control the input interface 730 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
  • the chip may also include an output interface 740.
  • the processor 710 can control the output interface 740 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
  • the chip can be applied to the terminal device or the access network node in the embodiment of the present application, and the chip can implement the corresponding process implemented by the terminal device, the first access network node or the second access network node in each method of the embodiment of the present application, which will not be repeated here.
  • the chips mentioned in the embodiments of the present application may also be referred to as system-level chips, system chips, chip systems, or system-on-chips.
  • An embodiment of the present application also provides a communication system, which includes a terminal device, a first access network node, and at least two second access network nodes.
  • the terminal device may be used to implement the corresponding function implemented by the terminal device in the foregoing method
  • the first access network node may be used to implement the corresponding function implemented by the first access network node in the foregoing method.
  • the second access network node may be used to implement the corresponding functions implemented by the second access network node in the foregoing method, and for brevity, details are not described here.
  • the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability.
  • the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • the volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache.
  • the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM) and so on. That is to say, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • the embodiments of the present application also provide a computer-readable storage medium for storing computer programs.
  • the computer-readable storage medium can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here.
  • the embodiments of the present application also provide a computer program product, including computer program instructions.
  • the computer program product can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program instructions cause the computer to execute the corresponding procedures implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the embodiment of the application also provides a computer program.
  • the computer program can be applied to the terminal device, the first access network node, or the second access network node in the embodiment of the present application.
  • when the computer program runs on the computer, the computer can execute the corresponding procedures implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash disk, a removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to a key information processing method, access network nodes and a terminal. The method comprises the following steps: a first access network node determines security information relating to a second access network node, the first access network node being a master node connected to a terminal, the second access network node being a secondary node connected to the terminal, and the terminal being configured with one of said first access network nodes and at least two of said second access network nodes; the first access network node determines a first encryption key on the basis of the security information and a base key and sends the first encryption key to the second access network node, the base key being a key corresponding to the first access network node.
PCT/CN2019/073792 2019-01-29 2019-01-29 Procédé de traitement d'informations clés, nœuds de réseau d'accès et dispositif terminal WO2020154929A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/073792 WO2020154929A1 (fr) 2019-01-29 2019-01-29 Procédé de traitement d'informations clés, nœuds de réseau d'accès et dispositif terminal
CN201980060409.3A CN112690010B (zh) 2019-01-29 2019-01-29 一种密钥信息处理方法和接入网络节点、终端设备

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/073792 WO2020154929A1 (fr) 2019-01-29 2019-01-29 Procédé de traitement d'informations clés, nœuds de réseau d'accès et dispositif terminal

Publications (1)

Publication Number Publication Date
WO2020154929A1 true WO2020154929A1 (fr) 2020-08-06

Family

ID=71841709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/073792 WO2020154929A1 (fr) 2019-01-29 2019-01-29 Procédé de traitement d'informations clés, nœuds de réseau d'accès et dispositif terminal

Country Status (2)

Country Link
CN (1) CN112690010B (fr)
WO (1) WO2020154929A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116545638A (zh) * 2022-01-25 2023-08-04 华为技术有限公司 一种密钥协商过程主从设备的确定方法及相关装置
CN117835235A (zh) * 2022-09-29 2024-04-05 大唐移动通信设备有限公司 Scg侧安全密钥的确定方法、设备、装置及存储介质

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104969592A (zh) * 2014-01-17 2015-10-07 三星电子株式会社 无线通信网络中用户设备的双连通操作模式
CN105557007A (zh) * 2013-09-11 2016-05-04 三星电子株式会社 用于使能用于enb间的传输的安全通信的方法和***
CN106105143A (zh) * 2014-03-21 2016-11-09 太阳专利信托公司 双连接性中的安全性密钥推导
CN108810888A (zh) * 2017-05-05 2018-11-13 华为技术有限公司 秘钥更新方法和设备
WO2018212539A1 (fr) * 2017-05-15 2018-11-22 Samsung Electronics Co., Ltd. Appareil et procédé de gestion de clés de sécurité dans un système de communication sans fil
CN109246696A (zh) * 2017-06-16 2019-01-18 华为技术有限公司 密钥处理方法以及相关装置

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PL2951975T3 (pl) * 2013-01-30 2017-01-31 Telefonaktiebolaget Lm Ericsson (Publ) Generowanie klucza bezpieczeństwa dla połączeń podwójnych
CN109691155B (zh) * 2016-08-09 2023-05-30 三星电子株式会社 无线通信***中管理用户平面操作的方法和装置
CN108737045B (zh) * 2017-04-19 2021-05-04 华为技术有限公司 重复传输的方法及装置

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105557007A (zh) * 2013-09-11 2016-05-04 三星电子株式会社 用于使能用于enb间的传输的安全通信的方法和***
CN104969592A (zh) * 2014-01-17 2015-10-07 三星电子株式会社 无线通信网络中用户设备的双连通操作模式
CN106105143A (zh) * 2014-03-21 2016-11-09 太阳专利信托公司 双连接性中的安全性密钥推导
CN108810888A (zh) * 2017-05-05 2018-11-13 华为技术有限公司 秘钥更新方法和设备
WO2018212539A1 (fr) * 2017-05-15 2018-11-22 Samsung Electronics Co., Ltd. Appareil et procédé de gestion de clés de sécurité dans un système de communication sans fil
CN109246696A (zh) * 2017-06-16 2019-01-18 华为技术有限公司 密钥处理方法以及相关装置

Also Published As

Publication number Publication date
CN112690010A (zh) 2021-04-20
CN112690010B (zh) 2023-05-05

Similar Documents

Publication Publication Date Title
WO2020248261A1 (fr) Procédé et appareil de détermination d'intervalle de mesure, et terminal
WO2020186529A1 (fr) Procédé et appareil de détermination de politique, et terminal
WO2021087828A1 (fr) Procédé d'activation ou de mise à jour de rs de perte de voie de srs et dispositif
WO2019242712A1 (fr) Procédé d'interaction de capacités et dispositif associé
WO2021184263A1 (fr) Procédé et appareil de transmission de données, et dispositif de communication
WO2021164017A1 (fr) Procédé et appareil de commande de qos, et support de stockage lisible
WO2020155076A1 (fr) Procédé de traitement de service, dispositif, puce et programme d'ordinateur
WO2021087910A1 (fr) Procédé et dispositif de connexion à un réseau
WO2021030989A1 (fr) Procédé et appareil de sélection de trajet, et terminal
WO2020014846A1 (fr) Procédé et dispositif de détermination de priorité de source de synchronisation, et support d'enregistrement informatique
WO2021056576A1 (fr) Procédé et dispositif pour la transmission de service, et dispositif de communication
WO2019136611A1 (fr) Procédé de transfert cellulaire, dispositif de réseau d'accès, et dispositif de terminal
WO2021046778A1 (fr) Procédé de communication sans fil, dispositif terminal et dispositif de réseau
WO2021081824A1 (fr) Procédé de communication sans fil et dispositif terminal
WO2020154929A1 (fr) Procédé de traitement d'informations clés, nœuds de réseau d'accès et dispositif terminal
WO2021087827A1 (fr) Procédé d'activation ou de mise à jour de rs d'affaiblissement de propagation de pusch et dispositif
WO2020164075A1 (fr) Procédé de communication sans fil, dispositif de terminal et dispositif de réseau
WO2020199105A1 (fr) Procédé de liaison de données, procédé et dispositif de mise à jour d'informations et terminal
US20220124550A1 (en) Methods for service transmission, core network device, and access network device
WO2020010619A1 (fr) Procédé de transmission de données, dispositif terminal et dispositif de réseau
WO2020061851A1 (fr) Procédé de communication sans fil et station de base
CN111132222A (zh) 一种数据传输的方法及装置
WO2019080111A1 (fr) Procédé et dispositif de radiocommunication
WO2020103050A1 (fr) Procédé et appareil d'établissement de canal de données et dispositif de réseau
WO2020215323A1 (fr) Procédé ou dispositif de protection d'intégrité

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19913458; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19913458; Country of ref document: EP; Kind code of ref document: A1)