
WO2018166338A1 - Key update method and apparatus - Google Patents


Info

Publication number
WO2018166338A1
WO2018166338A1 PCT/CN2018/077029 CN2018077029W WO2018166338A1 WO 2018166338 A1 WO2018166338 A1 WO 2018166338A1 CN 2018077029 W CN2018077029 W CN 2018077029W WO 2018166338 A1 WO2018166338 A1 WO 2018166338A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
terminal device
key
new
network device
Application number
PCT/CN2018/077029
Other languages
French (fr)
Chinese (zh)
Inventor
刘亚林
李铕
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2018166338A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/20 Selecting an access point

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a method and an apparatus for updating a secret key.
  • In a communication system, data must be encrypted for transmission: the sender encrypts the data with the secret key before sending it, and the receiving end performs the corresponding decryption operation.
  • If the keys of the sending and receiving parties are the same, decryption succeeds and the data can be forwarded to the core network. If the keys of the sending and receiving parties are inconsistent, decryption fails and the corresponding data is discarded.
  • the above encryption/decryption operation is performed by the PDCP (Packet Data Convergence Protocol) layer.
  • the key required for data transmission is configured during the RRC (radio resource control) connection establishment process, and can be reconfigured through the connection re-establishment or handover procedure.
  • the 5G communication system defines the inactive state of the terminal device.
  • A terminal device in the inactive state that moves within the location update area does not send a location update request to update its location. For example, a RAN (radio access network)-based notification area (RNA) is one type of location update area. Therefore, within the RNA, even if the terminal performs cell reselection, it does not inform the base station of the new cell, nor does it trigger a key update.
  • When the inactive terminal performs cell reselection while moving within the location update area, for example after moving from one cell of the RNA to a new serving cell, the new serving cell does not have the terminal's key. If the terminal is to perform uplink data transmission, the serving base station corresponding to the new serving cell cannot perform the decryption operation.
  • the present application provides a secret key update method to implement key update after cell reselection in a location update area.
  • A method for updating a secret key, including: after a terminal device in an inactive state reselects to a serving cell of a new serving network device in a location update area, the terminal device sends first data to the serving network device to trigger a key update; the terminal device receives a new key that is sent after the serving network device receives the first data.
  • A method for updating a secret key, including: a serving network device receives first data for triggering a key update, sent by a terminal device in an inactive state after it reselects to a serving cell corresponding to the serving network device in a location update area, and sends a new secret key to the terminal device.
  • A terminal device, comprising: a sending module, configured to, when the terminal device is in an inactive state and after it reselects to a serving cell of a new serving network device in the location update area, send first data to the serving network device to trigger a key update; and a receiving module, configured to receive a new key that is sent after the serving network device receives the first data.
  • A network device, comprising: a receiving module, configured to receive first data for triggering a key update, sent by a terminal device in an inactive state after it reselects to a serving cell corresponding to the network device in the location update area; and a sending module, configured to send a new secret key to the terminal device.
  • The network device may be a base station. The terminal device is in an inactive state, reselects within the location update area from a certain cell to a cell of another serving base station, and sends data to the serving base station to trigger the key update. After receiving the first data, the serving base station performs the key update immediately and sends the obtained key to the terminal device.
  • the location update area may be an RNA region defined by 3GPP in which the terminal device performs cell reselection.
  • the receiving module can be implemented by a receiver, and the transmitting module can be implemented by a transmitter.
  • The terminal device suspends subsequent data transmission after transmitting the first data, and sends subsequent data only after receiving the new key. This avoids the network device receiving data encrypted with the old key that it cannot decrypt.
  • The new key is a secret key generated by the serving network device, or a key obtained by the serving network device after performing secret key negotiation with other network devices. The other network device may be a core network device, such as an MME (mobility management entity), an HSS (home subscriber server), or an HLR (home location register).
  • the new secret key is sent to the terminal device in the same time slot of an ACK (acknowledgement) response of the first data.
  • the DRX window is reset, and a DRX temporary reconfiguration indication is sent to the terminal device.
  • the DRX temporary reconfiguration indication is sent to the terminal device in the same time slot of the ACK response of the first data.
  • If the serving network device receives data sent by the terminal device and encrypted with the old key, the data is forwarded to the anchor network device for decryption or directly discarded; for example:
  • before sending the new secret key to the terminal device, if the serving network device receives other data sent by the terminal device, it forwards the other data to the anchor network device for decryption; or
  • the new secret key is sent to the terminal device, and if the serving network device receives other data sent by the terminal device and decryption fails, the other data is forwarded to the anchor network device for decryption.
  • Yet another aspect of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
  • Yet another aspect of the present application provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • When the new serving network device receives the first data sent after the inactive terminal device reselects the serving cell, it triggers the key update, configures the new key for the terminal device, and implements in time.
  • FIG. 1 is a schematic structural diagram of an application scenario network according to an embodiment of the present disclosure.
  • FIG. 2 is a flowchart of a method for updating a secret key according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 4 is a schematic diagram of a terminal device according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a network device according to an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a network device/terminal device according to another embodiment of the present application.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
  • the wireless communication network shown in FIG. 1 mainly includes a plurality of network devices and terminal devices.
  • Each base station may form one or more cells. The inactive terminal device moves within the location update area and reselects from the serving cell of one base station to the serving cell of another base station. The serving cells of multiple base stations and the terminal device may be within the range of a location update area; for example, within the range of the RNA, the inactive terminal device reselects from the serving cell of the anchor base station to the serving cell of the new serving base station, or, after leaving the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of the new serving base station.
  • The terminal device in the embodiments of the present application may refer to an access terminal, a user unit, a user station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user device.
  • The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a 5G network, and the like.
  • The network device in the embodiments of the present application is a network-side device that performs wireless communication with the terminal device, for example, a Wireless-Fidelity (Wi-Fi) access point, a base station of next-generation communication such as a 5G gNB, a small station, a micro station, a TRP (transmission reception point), or a relay station, an access point, an in-vehicle device, a wearable device, or the like.
  • The method includes: after the terminal device in the inactive state reselects to the serving cell of the new serving base station in the location update area, it transmits data to the new serving base station to trigger the key update; after receiving the first data sent by the terminal device, the new serving base station sends the new key to the terminal device.
  • the terminal device may perform data encryption processing with the new key and send it to the serving base station; the new serving base station may also perform decryption operation on the data with the new secret key.
  • The terminal device in this embodiment is in an inactive state and reselects from a certain cell of the RNA to a serving cell corresponding to the new serving base station; for example, it reselects from the serving cell of the anchor base station to the serving cell of the new serving base station, or, after leaving the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of the new serving base station.
  • the terminal device sends data to the new serving base station to trigger a key update.
  • the terminal device reselects to the serving cell of the new serving base station, and sends data to the new serving base station to trigger the key update; the data here is still encrypted by the old key, used to trigger the new serving base station to update the key.
  • There may be one or more pieces of data.
  • The first data sent may be used to trigger the new serving base station to perform the key update.
  • The first data here refers to the first data that the new serving base station is able to receive after the terminal device transmits.
  • For example, if the terminal device sends three pieces of data to the new serving base station but the new serving base station receives only the third and not the first two, the third is considered to be the first data sent by the terminal device; if the first piece of data sent by the terminal device is received by the new serving base station, that first piece triggers the key update.
  • After receiving the first data sent by the terminal device, the new serving base station sends a new secret key to the terminal device.
  • The new key here may be a secret key generated by the new serving base station, or a key obtained by the new serving base station through secret key negotiation with other network devices such as core network devices, for example network elements such as an MME, HLR or HSS. The secret key negotiation process can be implemented using the prior art, and the specific process is not detailed.
  • The first data here refers to the first data received by the new serving base station from the terminal device. It may be the first data the terminal device sends to the new serving base station after cell reselection, or it may be other data: for example, if the terminal device sends three pieces of data to the new serving base station but the new serving base station receives only the third and not the first two, then the third piece of data sent by the terminal device is the first data received by the new serving base station. That is, the new serving base station performs the key update immediately upon receiving the first data.
  • Since the first data received by the new serving base station is still encrypted with the old key, the new serving base station cannot decrypt it; it can forward the first data to the anchor base station for decryption, or discard it.
  • The new serving base station may send the new key to the terminal device in the same time slot as the ACK response; the ACK response may be the one corresponding to the received first data. The new key may be carried in the signaling corresponding to the ACK response, or may be transmitted in other signaling.
  • For example, a MAC CE (Media Access Control control element) may be used to carry the ACK response; the new key may use the same MAC CE as the ACK response, or a newly defined MAC CE may be used.
  • In the above, the new serving base station triggers the key update immediately upon receiving the first data.
  • The new serving base station may also be set to trigger the key update after N pieces of unrecognizable data are received consecutively; the value of N can be set.
  • the terminal device may encrypt the data with a new key and send the data to the new serving base station, so that the new serving base station may perform decryption.
  • Since the key update is triggered by data sent by the terminal device, for example by the first data sent, and the terminal device may have other data to send during the key update process, the terminal device may encrypt that data with the old key, and the new serving base station cannot decrypt it.
  • In step 101, after the terminal device sends the first data, subsequent data transmission may be suspended; after receiving the new key, the terminal device encrypts subsequent data with the new key and sends it.
  • In step 101, after the terminal device sends the first data, subsequent data transmission may also not be suspended, and the terminal device still encrypts and transmits data using the old key before receiving the new key. The new serving base station cannot decrypt this data after receiving it, and the data encrypted with the old key can be forwarded to the anchor base station for decryption; after receiving it, the anchor base station sends an ACK to the new serving base station. For the specific procedure, see 101a in the figure. This process is optional: after receiving data encrypted with the old key, the new serving base station can also directly discard it.
  • the above process is also applicable to the data sent by the terminal device to the new serving base station for triggering the key update in step 101.
  • Step 101a occurs before the terminal device obtains the new key: whenever the new serving base station receives data from the terminal device encrypted with the old key, it can forward or discard it.
  • When secret key negotiation with another network entity, such as an entity located in the core network, is required to obtain the new key, the process by which the new serving base station obtains the new key introduces a delay.
  • the method includes:
  • The terminal device in this embodiment is in an inactive state and reselects from a certain cell of the RNA to a new serving cell; for example, it reselects from the serving cell of the anchor base station to the serving cell of the new serving base station, or, after leaving the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of the new serving base station.
  • the terminal device sends data to the new serving base station to trigger a key update.
  • the terminal device reselects to the serving cell of the new serving base station, and sends data to the new serving base station to trigger the key update; the data here is still encrypted by the old key, used to trigger the new serving base station to update the key.
  • There may be one or more pieces of data.
  • The first data sent may be used to trigger the new serving base station to perform the key update.
  • The first data here refers to the first data that the new serving base station is able to receive after the terminal device transmits.
  • For example, if the terminal device sends three pieces of data to the new serving base station but the new serving base station receives only the third and not the first two, the third is considered to be the first data sent by the terminal device; if the first piece of data sent by the terminal device is received by the new serving base station, that first piece triggers the key update.
  • After receiving the first data sent by the terminal device, the new serving base station obtains a new key.
  • Obtaining a new key may mean that the new serving base station directly generates a new key, or that the new serving base station obtains a new key after performing secret key negotiation with other network devices, such as core network devices, for example with a network element such as an MME, an HLR, or an HSS.
  • The process of secret key negotiation can be implemented using the prior art, and the specific process will not be detailed.
  • The first data here refers to the first data received by the new serving base station from the terminal device. It may be the first data the terminal device sends to the new serving base station after cell reselection, or it may be other data: for example, if the terminal device sends three pieces of data to the new serving base station but the new serving base station receives only the third and not the first two, then the third piece of data sent by the terminal device is the first data received by the new serving base station. That is, the new serving base station performs the key update immediately upon receiving the first data.
  • Since the first data received by the new serving base station is still encrypted with the old key, the new serving base station cannot decrypt it; it can forward the first data to the anchor base station for decryption, or discard it.
  • In the above, the new serving base station triggers the key update immediately upon receiving the first data.
  • The new serving base station may also be set to trigger the key update after N pieces of unrecognizable data are received consecutively; the value of N can be set.
  • the new serving base station may determine, according to the DRX configuration, whether the DRX window needs to be reset: if the new serving base station still does not obtain the key before the end of the DRX window, for example: no key is generated or not
  • the DRX window is reset, and the new serving base station sends a DRX temporary reconfiguration indication to the terminal device, where the DRX temporary reconfiguration indication carries a timer or a counter, and may also carry a specific subframe; see step 202a.
  • If the new serving base station has obtained the key before the end of the DRX window, for example a new key has been generated or the key negotiation with the core network device is completed, the DRX window does not need to be reset and there is no step 202a in the figure.
  • The DRX temporary reconfiguration indication may be sent to the terminal device in the same time slot as the ACK response, or may be sent separately; refer to the sending manner of the new key in the foregoing embodiment.
  • the new serving base station sends the new secret key to the terminal device.
  • The new serving base station may send the new key to the terminal device in the same time slot as the ACK response; the ACK response may be the one corresponding to the received first data, and the new key may be carried in the signaling corresponding to the ACK response.
  • For example, a MAC (media access control) CE (control element) may carry the ACK response; the new key can use the same MAC CE as the ACK response, or a newly defined MAC CE can be used.
  • If the terminal device does not receive the DRX temporary reconfiguration indication, it receives the new key in the original DRX window; if the DRX temporary reconfiguration indication is received, it extends the DRX window according to the indication and receives the new key in the corresponding window.
  • To extend the DRX window, the terminal device continues to monitor the downlink signal after the old DRX window ends until the counter or timer expires, or directly uses the reconfigured timer or counter in place of the old DRX window for monitoring. If the DRX temporary reconfiguration indication carries a specific subframe number or slot number, the downlink signal is monitored continuously until the subframe number configured by the new serving base station.
  • the above DRX temporary reset is valid only in the current DRX cycle, and the terminal device still receives data according to the initial DRX configuration in the next DRX cycle.
  • the terminal device may encrypt the data with a new secret key and send the data to the new serving base station, so that the new serving base station may perform decryption.
  • Since the key update is triggered by data sent by the terminal device, for example by the first data sent, and the terminal device may have other data to send during the key update process, the terminal device may encrypt that data with the old key, and the new serving base station cannot decrypt it.
  • In step 201, after the terminal device sends the first data, subsequent data transmission may be suspended; after receiving the new key, the terminal device encrypts subsequent data with the new key and sends it.
  • In step 201, after sending the first data, the terminal device may also not suspend the transmission of subsequent data, and still encrypts and transmits data using the old key before receiving the new key. The new serving base station cannot decrypt this data after receiving it, and forwards the data encrypted with the old key to the anchor base station for decryption; after receiving it, the anchor base station sends an ACK to the new serving base station. For the specific procedure, see 201a in the figure. This process is optional: after receiving data encrypted with the old key, the new serving base station can also directly discard it. The above process also applies to the data sent by the terminal device to the new serving base station to trigger the key update in step 201. Step 201a occurs before the terminal device obtains the new key: whenever the new serving base station receives data from the terminal device encrypted with the old key, it can forward or discard it.
  • The key update is triggered immediately and the new key is configured for the terminal device, so that the key is updated in time after the terminal device's cell reselection within the location update range. This further avoids frequent data forwarding between the new serving cell and the anchor serving cell caused by transmitting subsequent data with the old key, thereby significantly reducing the load of interface interaction between base stations.
  • A terminal device is further disclosed. Referring to FIG. 4, it includes:
  • The sending module 401 is configured to, when the terminal device is in the inactive state and after it reselects to the serving cell of a new serving network device in the location update area, send the first data to the serving network device to trigger the key update;
  • the receiving module 402 is configured to receive a new key that is sent after the serving network device receives the first data.
  • a processing module (not shown) may be further included for encrypting the data with a new secret key and transmitting by the transmitting module 401.
  • The terminal device corresponds fully to the terminal device in the method embodiments, and the corresponding modules perform the corresponding steps: for example, the sending module performs the sending steps in the method embodiments, the receiving module performs the receiving steps, and other steps, such as the encryption/decryption of data and the suspension of data transmission, can be implemented by the processing module (not shown).
  • The above lists only some functions; for other functions, refer to the corresponding steps of the embodiments and the description in the summary of the invention.
  • A network device is also disclosed. Referring to FIG. 5, it includes:
  • The receiving module 501 is configured to receive first data for triggering a key update, sent by a terminal device in the inactive state after it reselects, in the location update area, to a serving cell corresponding to the network device;
  • the sending module 502 is configured to send a new secret key to the terminal device.
  • a processing module may be further included for decrypting data received by the receiving module 501 and encrypted with the new key.
  • The network device corresponds fully to the base station in the method embodiments, and the corresponding modules perform the corresponding steps: for example, the sending module performs the sending steps in the method embodiments, the receiving module performs the receiving steps, and other steps, such as encrypting/decrypting data, determining whether the DRX window needs to be reset, generating a secret key and discarding data, may be implemented by the processing module (not shown). The above lists only some functions; for other functions, refer to the corresponding steps of the embodiments and the description in the summary of the invention.
  • The network device and the terminal device have another form of embodiment: the processing module can be replaced by a processor, the sending module by a transmitter, and the receiving module by a receiver, respectively performing the sending operations, receiving operations and associated processing operations in the method embodiments. The transmitter and receiver can form a transceiver.
  • the processor may be a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array, or other programmable logic device.
  • the transmitter and receiver can form a transceiver. It is also possible to further include an antenna, and the number of antennas may be one or more.
  • bus includes a power bus, a control bus, and a status signal bus in addition to the data bus.
  • the various buses are labeled as buses in the figure.
  • Figure 6 above is only a schematic diagram, and may include other components or only some components, including, for example, a transmitter and a receiver; or only a transmitter, a receiver, and a processor.
  • A memory (not shown) may be further included for storing computer-executable program code, wherein the program code includes instructions that, when executed by the processor, cause the network device or terminal device to perform the corresponding steps in the method embodiments.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • The computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transferred from one website, computer, server or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.).
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a solid state disk (SSD)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a key update method, comprising: a terminal device in an inactive state reselects a serving cell of a new service network device in a location update region, then sends first data to said service network device so as to trigger a key update; said terminal device receives a new key sent after the service network device receives said first data. By means of the described key update method and apparatus, a key update is triggered after a new service network device receives first data upon an inactive-state terminal device reselecting a serving cell, and a new key is configured for the terminal device, achieving key update after cell reselection within a location update range.

Description

Key update method and apparatus

Technical field

The present application relates to the field of communications technologies, and in particular to a key update method and apparatus.

Background

In a communication system, data must be encrypted for transmission: the sender encrypts the data with a key before sending it, and the receiver performs the corresponding decryption:

If the keys of the sender and the receiver match, decryption succeeds and the data can be forwarded to the core network; if the keys do not match, decryption fails and the corresponding data is discarded.

The above encryption and decryption operations are performed by the PDCP (Packet Data Convergence Protocol) layer. The key required for data transmission is configured during RRC (radio resource control) connection establishment, and can be reconfigured through the connection re-establishment or handover procedure.

The 5G communication system defines an inactive state for terminal devices. A terminal device in the inactive state that moves within a location update area does not send a location update request; only after it leaves the location update area does it update its location with the network. For example, the RNA (RAN (radio access network)-based Notification Area) defined by 3GPP is one type of location update area. Therefore, within an RNA, even if the terminal performs cell reselection, it does not inform the base station of the new cell, and no key update is triggered.

Therefore, after an inactive terminal performs cell reselection while moving within the location update area, for example after moving from one cell of the RNA to a new serving cell, the new serving cell does not have the terminal's key; if the terminal then sends uplink data, the serving base station of the new serving cell cannot decrypt it.

Summary of the invention

The present application provides a key update method to implement key update after cell reselection within a location update area.

In one aspect, a key update method is disclosed, including: after a terminal device in the inactive state reselects to a serving cell of a new serving network device in a location update area, the terminal device sends the first data to the serving network device to trigger a key update; the terminal device receives a new key that the serving network device sends after receiving the first data.

In another aspect, a key update method includes: a serving network device receives the first data that triggers a key update, sent by a terminal device in the inactive state after it reselects to the serving cell corresponding to the serving network device in a location update area, and sends a new key to the terminal device.

The above two aspects describe the solution of the present application from the perspective of the terminal device and of the network device respectively. Apparatuses corresponding to the two methods are also disclosed below:

A terminal device, including: a sending module, configured to send the first data to a serving network device to trigger a key update after the terminal device, while in the inactive state, reselects to a serving cell of the new serving network device in a location update area; and a receiving module, configured to receive a new key that the serving network device sends after receiving the first data.

A network device, including: a receiving module, configured to receive the first data that triggers a key update, sent by a terminal device in the inactive state after it reselects to the serving cell corresponding to the network device in a location update area; and a sending module, configured to send a new key to the terminal device.

For example, the network device may be a base station. The terminal device is in the inactive state and, within the location update area, reselects from one cell to a cell of another serving base station in that area. It sends data to the serving base station to trigger a key update; after receiving the first data, the serving base station immediately performs the key update and sends the obtained key to the terminal device.

The location update area may be an RNA as defined by 3GPP, within which the terminal device performs cell reselection.

In another form of apparatus embodiment, the receiving module may be implemented by a receiver, and the sending module may be implemented by a transmitter.

With reference to the above aspects, the terminal device suspends subsequent data transmission after sending the first data, and sends subsequent data only after receiving the new key. This prevents the network device from receiving data encrypted with the old key that it cannot decrypt.

With reference to the above aspects, the new key is a key generated by the serving network device, or a key obtained after the serving network device performs key negotiation with another network device; the other network device may be a core network device, such as an MME (mobility management entity), an HSS (home subscriber server), or an HLR (home location register).

With reference to the above aspects, the new key is sent to the terminal device in the same time slot as the ACK (acknowledgement) response to the first data.

With reference to the above aspects, after the serving network device receives the first data, if it has not obtained the new key before the DRX (discontinuous reception) window ends, it resets the DRX window and sends a DRX temporary reconfiguration indication to the terminal device.

With reference to the above aspects, the DRX temporary reconfiguration indication is sent to the terminal device in the same time slot as the ACK response to the first data.

With reference to the above aspects, if the serving network device receives data that the terminal device encrypted with the old key, it forwards the data to the anchor network device for decryption or discards it directly; for example:

Before the new key is sent to the terminal device, if the serving network device receives other data sent by the terminal device, it forwards the other data to the anchor network device for decryption; or

After the new key is sent to the terminal device, if the serving network device receives other data sent by the terminal device and decryption fails, it forwards the other data to the anchor network device for decryption.

Yet another aspect of the present application provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.

Yet another aspect of the present application provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.

With the above key update method and apparatus, a key update is triggered when the new serving network device receives the first data sent by the inactive terminal device after it reselects a serving cell, and a new key is configured for the terminal device, so that the key is updated promptly after cell reselection within the location update area.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are merely some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of the network architecture of an application scenario according to an embodiment of the present application;

FIG. 2 is a flowchart of a key update method according to an embodiment of the present application;

FIG. 3 is a flowchart of a key update method according to another embodiment of the present application;

FIG. 4 is a schematic diagram of a terminal device according to an embodiment of the present application;

FIG. 5 is a schematic diagram of a network device according to an embodiment of the present application;

FIG. 6 is a schematic diagram of a network device/terminal device according to another embodiment of the present application.

Detailed description

FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present application. The wireless communication network shown in FIG. 1 mainly includes multiple network devices and terminal devices. Taking base stations as the network devices, each base station may form one or more cells. A terminal device in the inactive state moves within a location update area and reselects from the serving cell of one base station to the serving cell of another base station; the serving cells of multiple base stations and the terminal device may all lie within one location update area. For example, within an RNA, an inactive terminal device reselects from the serving cell of the anchor base station to the serving cell of a new serving base station, or, after it has left the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of a new serving base station.

The terminal device in the embodiments of the present application may be an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a 5G network, and the like.

The network device in the embodiments of the present application is a network-side device that communicates wirelessly with the terminal device, for example a Wireless-Fidelity (Wi-Fi) access point, a next-generation base station such as a 5G gNB, small cell or micro cell, or a TRP (transmission reception point); it may also be a relay station, an access point, an in-vehicle device, a wearable device, and the like.

The following embodiments are described using a base station as the network device:

The method includes: after a terminal device in the inactive state reselects to a serving cell of a new serving base station in the location update area, it sends data to the new serving base station to trigger a key update; after receiving the first data sent by the terminal device, the new serving base station sends a new key to the terminal device.

The terminal device can then encrypt data with the new key and send it to the serving base station, and the new serving base station can decrypt the data with the new key.

The key update method of this embodiment is described in detail below with reference to FIG. 2:

First, the terminal device in this embodiment is in the inactive state and reselects from a cell of the RNA to the serving cell corresponding to a new serving base station; for example, it reselects from the serving cell of the anchor base station to the serving cell of the new serving base station, or, after it has left the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of the new serving base station.

101. The terminal device sends data to the new serving base station to trigger a key update.

The terminal device reselects to the serving cell of the new serving base station and sends data to the new serving base station to trigger a key update. This data is still encrypted with the old key and serves to trigger the new serving base station to update the key. There may be one or more such data items; for example, the first data sent may be used to trigger the new serving base station to perform the key update.

The first data here means the first data that the new serving base station is able to receive after the terminal device sends it. For example, if the terminal device sends three data items to the new serving base station but the new serving base station receives only the third and not the first two, the third data item is regarded as the first data sent by the terminal device; if the new serving base station does receive the first data item that the terminal device sends, that first data item triggers the key update.

102. After receiving the first data sent by the terminal device, the new serving base station sends a new key to the terminal device.

The new key here may be a key generated by the new serving base station, or a key obtained after the new serving base station performs key negotiation with another network device such as a core network device, for example with a network element such as an MME, HLR or HSS. The key negotiation process can be implemented with existing technology and is not described in detail.

The first data here means the first data from the terminal device that the new serving base station receives. It may be the first data that the terminal device sends to the new serving base station after cell reselection, or it may be other data. For example, if the terminal device sends three data items to the new serving base station but the new serving base station receives only the third and not the first two, the third data item sent by the terminal device is the first data received by the new serving base station; that is, the new serving base station performs the key update as soon as it receives its first data.

Because the first data received by the new serving base station is still encrypted with the old key, the new serving base station cannot decrypt it; it may forward the first data to the anchor base station for decryption, or discard it.

The new serving base station may send the new key to the terminal device in the same time slot as an ACK response; the ACK response may be the one corresponding to the first data received. The new key may be carried in the signaling that carries the ACK response, or sent in other signaling. For example, a MAC CE (Media Access Control control element) may carry the ACK response, in which case the new key may use the same MAC CE as the ACK response or a newly defined MAC CE.

In the above example, the new serving base station triggers the key update as soon as it receives the first data. In other examples, the new serving base station may instead be configured to trigger the key update after it has consecutively received N data items that it cannot decrypt, where the value of N is configurable.

103. After receiving the new key, the terminal device can encrypt data with the new key and send it to the new serving base station, so that the new serving base station can decrypt it.

Note that the key update is triggered by data sent by the terminal device, for example by the first data sent, and the terminal device may have other data to send while the key update is in progress. The terminal device may therefore encrypt data with the old key that the new serving base station cannot decrypt.

In step 101, after sending the first data, the terminal device may suspend subsequent data transmission until it receives the new key, and then encrypt and send the subsequent data with the new key.

Alternatively, in step 101, the terminal device may continue sending subsequent data after sending the first data. In that case, until it receives the new key, the terminal device still encrypts and sends data with the old key, and the new serving base station cannot decrypt that data on receipt. The new serving base station may forward the data encrypted with the old key to the anchor base station for decryption; after receiving it, the anchor base station sends an ACK to the new serving base station (see 101a in the figure). This process is optional: after receiving data encrypted with the old key, the new serving base station may also discard it directly. The same handling applies to the data that the terminal device sends to the new serving base station in step 101 to trigger the key update. Step 101a occurs before the terminal device obtains the new key: whenever the new serving base station receives data from the terminal device that is encrypted with the old key, it may forward or discard it.
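The exchange of FIG. 2 (steps 101, 101a, 102 and 103) can be traced in a small simulation; this is an added example, not code from the patent. The class and function names are hypothetical, the `protect`/`unprotect` pair is a toy stand-in for PDCP ciphering that only reproduces "decryption fails when the keys differ", and the delay between trigger and key delivery is scripted.

```python
import hashlib
import hmac
import os

def _subkeys(key):
    # Separate keystream and MAC keys derived from the shared key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def protect(key, payload):
    """Toy stand-in for PDCP protection (illustration only, not the PDCP cipher)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(12)
    stream = hashlib.shake_256(enc + nonce).digest(len(payload))
    body = nonce + bytes(a ^ b for a, b in zip(payload, stream))
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unprotect(key, pdu):
    """Return the payload, or None when the keys differ (the page's decryption error)."""
    enc, mac = _subkeys(key)
    body, tag = pdu[:-32], pdu[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        return None
    stream = hashlib.shake_256(enc + body[:12]).digest(len(body) - 12)
    return bytes(a ^ b for a, b in zip(body[12:], stream))

class AnchorStation:
    """Still holds the key configured before the terminal went inactive."""
    def __init__(self, ue_keys):
        self.ue_keys, self.delivered = dict(ue_keys), []

    def decrypt_forwarded(self, ue_id, pdu):
        payload = unprotect(self.ue_keys[ue_id], pdu)
        if payload is not None:
            self.delivered.append(payload)
        return payload is not None        # ACK back to the serving station (101a)

class ServingStation:
    def __init__(self, anchor, forward=True, trigger_after=1):
        self.anchor, self.forward, self.trigger_after = anchor, forward, trigger_after
        self.keys, self.pending, self.failures = {}, {}, {}
        self.delivered, self.dropped = [], 0

    def receive(self, ue_id, pdu):
        key = self.keys.get(ue_id)
        payload = unprotect(key, pdu) if key else None
        if payload is not None:
            self.delivered.append(payload)
            return
        if self.forward:                   # old-key data: forward to the anchor ...
            self.anchor.decrypt_forwarded(ue_id, pdu)
        else:                              # ... or discard it
            self.dropped += 1
        self.failures[ue_id] = self.failures.get(ue_id, 0) + 1
        if key is None and ue_id not in self.pending \
                and self.failures[ue_id] >= self.trigger_after:
            # Locally generated here; the page also allows negotiation with the core network.
            self.pending[ue_id] = os.urandom(32)

    def deliver_key(self, ue_id):
        # Step 102. The page does not say how the key is protected on the air
        # interface; in this sketch it is simply a return value.
        key = self.pending.pop(ue_id, None)
        if key is not None:
            self.keys[ue_id] = key
        return key

class Terminal:
    def __init__(self, ue_id, key, pause=True):
        self.ue_id, self.key, self.pause = ue_id, key, pause
        self.awaiting_key, self.queue = False, []

    def send(self, station, payload):
        if self.awaiting_key and self.pause:
            self.queue.append(payload)     # suspended until the new key arrives
            return
        station.receive(self.ue_id, protect(self.key, payload))
        self.awaiting_key = self.key_is_old

    def install_key(self, station, key):   # step 103
        self.key, self.awaiting_key, self.key_is_old = key, False, False
        queued, self.queue = self.queue, []
        for payload in queued:
            self.send(station, payload)

    key_is_old = True                      # constructed scenario: terminal has just reselected

def run(pause, forward):
    old = os.urandom(32)                   # constructed sample key
    anchor = AnchorStation({"ue1": old})
    station = ServingStation(anchor, forward=forward)
    ue = Terminal("ue1", old, pause=pause)
    ue.send(station, b"d1")                # 101: first data, old key, triggers the update
    ue.send(station, b"d2")                # arrives while the key update is in progress
    ue.install_key(station, station.deliver_key("ue1"))   # 102
    ue.send(station, b"d3")                # 103: new key
    return {"local": station.delivered, "anchor": anchor.delivered,
            "dropped": station.dropped}
```

Comparing `run(True, False)` with `run(False, False)` shows what the suspend option buys when the serving base station discards old-key data: one lost data item instead of two.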

If the new serving base station takes a long time to generate the key, or cannot complete the key update locally and must perform key negotiation with another network entity, such as an entity in the core network, to obtain the new key, the process by which the new serving base station obtains the key introduces a delay.

Furthermore, considering the DRX (discontinuous reception) behavior of the terminal device, if the new serving base station cannot generate or obtain the new key and complete sending it within the terminal device's DRX window (for example the ON duration in DRX), the DRX window must be adjusted; a temporary adjustment of the DRX window therefore has to be triggered before the new key is sent. Referring to FIG. 3, the method includes:

First, as in the above embodiment, the terminal device in this embodiment is in the inactive state and reselects from a cell of the RNA to a new serving cell; for example, it reselects from the serving cell of the anchor base station to the serving cell of the new serving base station, or, after it has left the anchor base station, reselects from the serving cell of the old serving base station to the serving cell of the new serving base station.

201. The terminal device sends data to the new serving base station to trigger a key update.

The terminal device reselects to the serving cell of the new serving base station and sends data to the new serving base station to trigger a key update. This data is still encrypted with the old key and serves to trigger the new serving base station to update the key. There may be one or more such data items; for example, the first data sent may be used to trigger the new serving base station to perform the key update.

The first data here means the first data that the new serving base station is able to receive after the terminal device sends it. For example, if the terminal device sends three data items to the new serving base station but the new serving base station receives only the third and not the first two, the third data item is regarded as the first data sent by the terminal device; if the new serving base station does receive the first data item that the terminal device sends, that first data item triggers the key update.

202. After receiving the first data sent by the terminal device, the new serving base station obtains a new key.

As in the above embodiment, the new key may be generated directly by the new serving base station, or obtained after the new serving base station performs key negotiation with another network device such as a core network device, for example with a network element such as an MME, HLR or HSS. The key negotiation process can be implemented with existing technology and is not described in detail.

The first data here means the first data from the terminal device that the new serving base station receives. It may be the first data that the terminal device sends to the new serving base station after cell reselection, or it may be other data. For example, if the terminal device sends three data items to the new serving base station but the new serving base station receives only the third and not the first two, the third data item sent by the terminal device is the first data received by the new serving base station; that is, the new serving base station performs the key update as soon as it receives its first data.

Because the first data received by the new serving base station is still encrypted with the old key, the new serving base station cannot decrypt it; it may forward the first data to the anchor base station for decryption, or discard it.

In the above example, the new serving base station triggers the key update as soon as it receives the first data. In other examples, the new serving base station may instead be configured to trigger the key update after it has consecutively received N data items that it cannot decrypt, where the value of N is configurable.

Optionally, after the key update is triggered, the new serving base station may determine from the DRX configuration whether the DRX window needs to be reset. If the new serving base station has still not obtained the key before the DRX window ends, for example because it has not generated the key or has not completed key negotiation with the core network device, it resets the DRX window and sends a DRX temporary reconfiguration indication to the terminal device; the DRX temporary reconfiguration indication carries a timer or counter, or may carry a specific subframe number or slot number, as shown in step 202a of the figure. If the new serving base station has already obtained the key before the DRX window ends, for example because it has generated the new key or completed key negotiation with the core network device, the DRX window does not need to be reset and step 202a in the figure is not performed.

In the same way as the new key in the above embodiment, the DRX temporary reconfiguration indication may be sent to the terminal device in the same time slot as the ACK response, or sent separately; see the way the new key is sent in the above embodiment.

203. The new serving base station sends the new key to the terminal device.

The new serving base station may send the new key to the terminal device in the same time slot as an ACK response; the ACK response may be the one corresponding to the first data received. The new key may be carried in the signaling that carries the ACK response. For example, if a MAC (media access control) CE (control element) carries the ACK response, the new key may use the same MAC CE as the ACK response or a newly defined MAC CE.

Correspondingly, if the terminal device does not receive the DRX temporary reconfiguration indication, it receives the new key in the original DRX window; if it receives the DRX temporary reconfiguration indication, it extends the DRX window according to the indication and receives the new key in the corresponding window.

If the DRX temporary reconfiguration indication carries a timer or counter, the terminal device extends the DRX window: it continues listening for the downlink signal after the old DRX window ends until the counter or timer expires, or it directly uses the reconfigured timer or counter in place of the old DRX window for listening. If the DRX temporary reconfiguration indication carries a specific subframe number or slot number, the terminal device keeps listening for the downlink signal until the subframe number configured by the new serving base station.

The above DRX temporary reset is valid only in the current DRX cycle; in the next DRX cycle the terminal device still receives data according to the initial DRX configuration.

204. After receiving the new key, the terminal device can encrypt data with the new key and send it to the new serving base station, so that the new serving base station can decrypt it.

It should be noted that the key update is triggered by data sent by the terminal device, for example by the first data sent, and the terminal device may have other data to send during the key update process. The terminal device may therefore encrypt data with the old key, which the new serving base station cannot decrypt.

In step 201, after sending the first data, the terminal device may suspend subsequent data transmission until it receives the new key, and then encrypt and send the subsequent data with the new key.

In addition, in step 201, the terminal device may also continue sending subsequent data after sending the first data. In that case, until it receives the new key, the terminal device still encrypts and sends data with the old key. The new serving base station cannot decrypt this data after receiving it, so it forwards the data encrypted with the old key to the anchor base station for decryption; after receiving it, the anchor base station sends an ACK to the new serving base station. See 201a in the figure for the specific process. This process is optional: after receiving data encrypted with the old key, the new serving base station may also discard it directly. The same flow applies to the data that the terminal device sends to the new serving base station in step 201 to trigger the key update. Step 201a occurs before the terminal device obtains the new key; whenever the new serving base station receives data from the terminal device that is encrypted with the old key, it can forward or discard it.

With the method of the present application, the new serving base station triggers the key update immediately after receiving the first data that an inactive-state terminal device sends after reselecting the serving cell, and configures a new key for the terminal device. This achieves a timely key update after cell reselection by a terminal device within the location update range. Furthermore, it avoids frequent data forwarding between the new serving cell and the anchor serving cell caused by subsequent data being sent with the old key, which significantly reduces the load of interface interaction between base stations.
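The flow in steps 201 to 204, including the pause option, the 201a forward-or-discard path and the temporary DRX extension, can be traced with a small slot-level model. This is an added example, not code from the patent; the slot numbering, the one-slot ACK delay and the names `simulate`, `Result` and `ACK_SLOT` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ACK_SLOT = 1  # assumption: the ACK for the first data goes out one slot after it


@dataclass
class Result:
    key_received_slot: Optional[int]  # None if the key missed the DRX window
    listen_until: int                 # last slot monitored in the current DRX cycle
    next_cycle_drx_end: int           # window used in the following DRX cycle
    forwarded_to_anchor: int          # old-key packets relayed for decryption (201a)
    dropped: int                      # old-key packets discarded by the serving BS
    sent_with_new_key: int            # packets the serving BS can decrypt itself


def simulate(uplink_slots, key_ready_slot, drx_end, extend_timer=0,
             pause_after_first=True, drop_old=False):
    """Trace one key update. Slot 0 in uplink_slots is the triggering first data."""
    # Step 203: the key rides with the ACK when it is ready, otherwise it follows later.
    key_tx_slot = max(key_ready_slot, ACK_SLOT)

    # DRX temporary reconfiguration: only needed when the key would miss the window.
    listen_until = drx_end
    if key_tx_slot > drx_end and extend_timer > 0:
        listen_until = drx_end + extend_timer  # monitor until the timer expires
    key_rx = key_tx_slot if key_tx_slot <= listen_until else None

    old_key_pkts = new_key_pkts = 0
    for slot in sorted(uplink_slots):
        if key_rx is not None and slot > key_rx:
            new_key_pkts += 1      # step 204: encrypted with the new key
        elif slot == 0 or not pause_after_first:
            old_key_pkts += 1      # old key: the new serving BS cannot decrypt
        elif key_rx is not None:
            new_key_pkts += 1      # buffered while paused, flushed after the key
        # else: paused and no key in this cycle, so the packet stays buffered

    return Result(
        key_received_slot=key_rx,
        listen_until=listen_until,
        next_cycle_drx_end=drx_end,  # the extension is valid for this cycle only
        forwarded_to_anchor=0 if drop_old else old_key_pkts,
        dropped=old_key_pkts if drop_old else 0,
        sent_with_new_key=new_key_pkts,
    )


if __name__ == "__main__":
    slots = [0, 2, 3, 5]  # constructed uplink schedule
    print(simulate(slots, key_ready_slot=4, drx_end=6))
    print(simulate(slots, key_ready_slot=4, drx_end=6, pause_after_first=False))
    print(simulate(slots, key_ready_slot=9, drx_end=6, extend_timer=4))
```

Comparing the first two runs shows the forwarding load on the inter-base-station interface when the terminal does not pause; the third shows the key arriving only because the window was extended.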

Based on the terminal device in the foregoing method embodiment, a terminal device is also disclosed. Referring to FIG. 4, it includes:

A sending module 401, configured to: after the terminal device, in the inactive state, reselects to the serving cell of a new serving network device within the location update area, send the first data to the serving network device to trigger a key update;

A receiving module 402, configured to receive the new key that the serving network device sends after receiving the first data.

It may further include a processing module (not shown in the figure), configured to encrypt data with the new key, the data then being sent by the sending module 401.

The above terminal device corresponds fully to the terminal device in the method embodiment, with each module performing the corresponding steps: for example, the sending module performs the sending steps of the method embodiment and the receiving module performs the receiving steps. Other steps, such as encrypting/decrypting data and suspending data transmission, may be implemented by the processing module (not shown in the figure). The above lists only some of the functions; for the others, refer to the corresponding steps of the embodiments and the description in the summary of the invention.

Based on the network device in the method embodiment, a network device is also disclosed. Referring to FIG. 5, it includes:

A receiving module 501, configured to receive the first data, which triggers a key update, sent by an inactive-state terminal device after it reselects to the serving cell corresponding to the network device within the location update area;

A sending module 502, configured to send the new key to the terminal device.

It may further include a processing module (not shown in the figure), configured to decrypt data received by the receiving module 501 that is encrypted with the new key.

The above network device corresponds fully to the base station in the method embodiment, with each module performing the corresponding steps: for example, the sending module performs the sending steps of the method embodiment and the receiving module performs the receiving steps. Other steps, such as encrypting/decrypting data, determining whether the DRX window needs to be reset, generating the key and discarding data, may be implemented by the processing module (not shown in the figure). The above lists only some of the functions; for the others, refer to the corresponding steps of the embodiments and the description in the summary of the invention.

The above network device and terminal device have another form of embodiment: the processing module may be replaced by a processor, the sending module by a transmitter, and the receiving module by a receiver, which respectively perform the sending operations, receiving operations and related processing operations in the method embodiments. The transmitter and receiver may form a transceiver.

For the specific structure of this other form of apparatus embodiment, see FIG. 6. The processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array, or another programmable logic device.

The transmitter and receiver may form a transceiver. The apparatus may further include an antenna, and the number of antennas may be one or more.

The above components may be coupled together by a bus, where the bus includes, in addition to a data bus, a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are all labeled as the bus in the figure.

FIG. 6 above is only a schematic diagram; the apparatus may include other elements or only some of the elements, for example a transmitter and a receiver, or only a transmitter, a receiver and a processor.

Further, in a specific embodiment, the apparatus may also include a memory (not shown in the figure) for storing computer-executable program code, where the program code includes instructions, and when the processor executes the instructions, the instructions cause the network device or terminal device to perform the corresponding steps in the method embodiments.

The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (for example infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).

What is disclosed above is merely embodiments of the present application and of course cannot be used to limit the scope of rights of the present application; equivalent changes made in accordance with the claims of the present application therefore still fall within the scope covered by the present application.

Claims (10)

1. A key update method, comprising: after an inactive-state terminal device reselects to the serving cell of a new serving network device within the location update area, sending the first data to the serving network device to trigger a key update; and receiving, by the terminal device, the new key that the serving network device sends after receiving the first data.

2. The method according to claim 1, wherein the terminal device suspends subsequent data transmission after sending the first data, and sends the subsequent data only after receiving the new key.

3. A key update method, comprising: receiving, by a serving network device, the first data, which triggers a key update, sent by an inactive-state terminal device after it reselects to the serving cell corresponding to the serving network device within the location update area; and sending a new key to the terminal device.

4. The method according to claim 3, wherein the new key is a key generated by the serving network device, or a key obtained after the serving network device performs key negotiation with other network devices.

5. The method according to claim 3 or 4, wherein the new key is sent to the terminal device in the same time slot as the ACK response to the first data.

6. The method according to claim 3 or 4, wherein, after receiving the first data, if the serving network device has not obtained the new key before the discontinuous reception (DRX) window ends, it resets the DRX window and sends a DRX temporary reconfiguration indication to the terminal device.

7. The method according to claim 6, wherein the DRX temporary reconfiguration indication is sent to the terminal device in the same time slot as the ACK response to the first data.

8. The method according to any one of claims 3 to 7, wherein, if the serving network device receives data sent by the terminal device that is encrypted with the old key, it forwards the data to the anchor network device for decryption or discards it directly.

9. A terminal device, comprising: a sending module, configured to: after the terminal device, in the inactive state, reselects to the serving cell of a new serving network device within the location update area, send the first data to the serving network device to trigger a key update; and a receiving module, configured to receive the new key that the serving network device sends after receiving the first data.

10. A network device, comprising: a receiving module, configured to receive the first data, which triggers a key update, sent by an inactive-state terminal device after it reselects to the serving cell corresponding to the network device within the location update area; and a sending module, configured to send the new key to the terminal device.
PCT/CN2018/077029 2017-03-17 2018-02-23 Key update method and apparatus WO2018166338A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710161989.8 2017-03-17
CN201710161989.8A CN108632022B (en) 2017-03-17 2017-03-17 A kind of secret key update method, device and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2018166338A1 true WO2018166338A1 (en) 2018-09-20

Family

ID=63522761

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077029 WO2018166338A1 (en) 2017-03-17 2018-02-23 Key update method and apparatus

Country Status (2)

Country Link
CN (1) CN108632022B (en)
WO (1) WO2018166338A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111148279B (en) * 2018-11-02 2022-02-25 华为技术有限公司 Connection reestablishment method and device
WO2022141025A1 (en) * 2020-12-29 2022-07-07 华为技术有限公司 Method and apparatus for transmitting data
CN114222294B (en) * 2021-12-09 2023-02-03 北京航空航天大学 Method and device for updating MAC CE message indication key
CN114554483B (en) * 2022-02-09 2024-06-11 成都中科微信息技术研究院有限公司 Method for increasing key forward isolation in NR system XN switching process, base station, UE and NR system
CN114614985B (en) * 2022-05-12 2022-08-05 施维智能计量系统服务(长沙)有限公司 Communication key updating method, key server and readable storage medium

Also Published As

Publication number Publication date
CN108632022A (en) 2018-10-09
CN108632022B (en) 2021-08-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18766837

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18766837

Country of ref document: EP

Kind code of ref document: A1
