
WO2022252969A1 - Communication method and apparatus - Google Patents


Info

Publication number
WO2022252969A1
Authority
WO
WIPO (PCT)
Prior art keywords
mbs
access network
key
network device
sfn
Application number
PCT/CN2022/092844
Other languages
French (fr)
Chinese (zh)
Inventor
许斌
李秉肇
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services

Definitions

  • the present application relates to the technical field of communication, and in particular to a communication method and device.
  • Multicast broadcast service (MBS) is a service for multiple terminal devices, such as a live broadcast service, a public safety service, or a batch software update service.
  • the MBS comes from the data server.
  • the data server sends the MBS data to the core network device, then the core network device sends the MBS data to the access network device, and finally the access network device sends the MBS data to the at least one terminal device receiving the MBS.
  • when the access network device performs multicast transmission, it does not apply security processing to the multicast data, which leads to low security of the multicast data transmission process and potential safety hazards.
  • the present application provides a communication method and device for improving the security of multicast data during transmission.
  • the present application provides a communication method, and the execution body of the method may be a first access network device, or may be a chip or a circuit.
  • the method includes: the first access network device receives security information of the MBS, and generates an MBS key according to the security information.
  • the first access network device performs security processing on the MBS data based on the generated MBS key, and then sends it to the terminal device.
  • the security processing includes at least one of the following processing: encryption and integrity protection.
  • the access network device can generate an MBS key based on the security information of the MBS from the core network device, and implement secure processing of the MBS data based on the MBS key, thereby improving the security of multicast broadcast transmission.
  • when the first access network device generates the MBS key according to the security information, it may specifically generate the MBS key according to the security information and at least one of the following items: the single frequency network (SFN) capability of the first access network device, and the SFN state of the first access network device.
  • the SFN mechanism of the access network device is considered when generating the MBS key, so that the SFN mechanism of the access network device side may not be affected.
  • when the first access network device generates the MBS key according to the security information and at least one of the SFN capability and the SFN state of the first access network device, it may specifically: when a first condition is met, generate the MBS key according to the security information and first information, or generate the MBS key according to the security information alone. The first information includes at least one of the following items: the SFN area identifier where the first access network device is located, the tracking area identifier, and the access network paging area identifier. The first condition includes that the SFN capability is supported and/or the SFN state is enabled.
  • when a second condition is met, the MBS key is generated according to the security information and second information. The second information includes at least one of the following items: the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of the cell of the first access network device. The second condition includes that the SFN capability is not supported and/or the SFN state is off.
  • the cell signals under the first access network device do not need to be combined with the cell signals of other access network devices.
  • when the first access network device generates the MBS key using its own related information (that is, the second information), only the MBS key of the first access network device needs to be updated when the MBS key is updated, which can improve security and reduce the overhead of key updates.
  • the cell signals under the first access network device may need to be combined with the cell signals of other access network devices, so the data sent by different access network devices must be exactly the same, and the MBS key used for security processing must also be the same.
  • when the first access network device generates the MBS key, inputting the related information of the SFN (that is, the first information) can ensure that all access network devices or all cells in the same SFN area use the same MBS key.
  • the MBS key may include at least one of the following: a first key and a second key.
  • the above data may be encrypted based on the first key, and the integrity protection of the above data may be performed based on the second key.
  • Security processing such as encryption and integrity protection of MBS data can be realized through the above design.
  • the security information may include at least one of the following information: MBS group key, Temporary Mobile Group Identity (TMGI), key update parameters, and security algorithm identifier.
  • the security algorithm may include at least one of the following: a first security algorithm and a second security algorithm, wherein the first security algorithm is used for encryption and decryption, and the second security algorithm is used for integrity protection and integrity verification.
  • encryption processing and integrity protection processing adopt different algorithms to improve the security of MBS transmission.
  • the TMGI is an MBS session identifier, an MBS service identifier or an Internet Protocol (IP) multicast address of the MBS.
  • the first access network device may also send first indication information and/or second indication information to the terminal device, where the first indication information is used to indicate the SFN capability of the first access network device, and the second indication information is used to indicate the SFN state of the first access network device.
  • the first access network device may also send first indication information and/or second indication information to the terminal device, where the first indication information is used to indicate that the SFN capability of the first access network device is supported, and the second indication information is used to indicate that the SFN state of the first access network device is enabled.
  • the terminal device can obtain the SFN mechanism of the first access network device according to the first indication information and the second indication information, so as to generate the MBS key by itself.
  • the first access network device may not send the indication information; that is, when the first access network device does not send indication information indicating the SFN capability, the terminal device considers that the SFN capability of the access network device is not supported.
  • when the SFN state of the first access network device is not enabled (closed), the first access network device may not send indication information; that is, when the first access network device does not send indication information indicating the SFN state, the terminal device considers that the SFN capability of the access network device is not supported. Signaling overhead can be further saved.
  • the first access network device may send the MBS key to the terminal device after generating the MBS key.
  • the terminal device receiving the MBS can use the received MBS key to perform secure processing on the data of the MBS.
  • the first access network device may send the MBS key to the terminal device through the second access network device.
  • the terminal device switching to the first access network device can obtain the MBS key of the first access network device during the switching process, so that after switching to the first access network device it can securely process MBS data according to the MBS key.
  • the MBS key can also be updated.
  • the security of MBS transmission can be improved. It can be understood that the access network device can detect whether the terminal device stops receiving the MBS, and update the MBS key according to the detection result.
  • the MBS key may be updated.
  • the SFN mechanism on the access network device side is not affected, and the key update overhead can also be reduced.
  • the present application provides a communication method, and the execution subject of the method may be a terminal device, or may be a chip or a circuit.
  • the method includes: the terminal device obtains the MBS key; the terminal device receives the data of the MBS, and performs security processing on the data based on the obtained MBS key, where the security processing includes at least one of the following processes: decryption and integrity verification.
  • the terminal device can acquire the MBS key, and based on the MBS key, securely process the data of the MBS, thereby improving the security of multicast broadcast transmission.
  • when the terminal device obtains the MBS key, it may specifically receive the security information of the MBS and generate the MBS key according to the security information. In the above design, the terminal device can generate the MBS key based on the security information of the MBS sent by the core network device.
  • when the terminal device generates the MBS key according to the security information, it may specifically: obtain the first indication information and/or the second indication information, where the first indication information is used to indicate the SFN capability of the first access network device and the second indication information is used to indicate the SFN state of the first access network device; and generate the MBS key according to the security information and at least one of the first indication information and the second indication information.
  • the terminal device considers the SFN mechanism of the access network device when generating the MBS key, so that the SFN mechanism of the access network device side may not be affected.
  • when the terminal device generates the MBS key according to the security information, it may also: obtain the first indication information and/or the second indication information, where the first indication information is used to indicate that the SFN capability of the first access network device is supported, and the second indication information is used to indicate that the SFN state of the first access network device is enabled.
  • the terminal device can obtain the SFN mechanism of the first access network device according to the first indication information and the second indication information, so as to generate the MBS key by itself.
  • the first access network device may not send the indication information; that is, when the first access network device does not send indication information indicating the SFN capability, the terminal device considers that the SFN capability of the access network device is not supported.
  • when the SFN state of the first access network device is not enabled (closed), the first access network device may not send indication information; that is, when the first access network device does not send indication information indicating the SFN state, the terminal device considers that the SFN capability of the access network device is not supported. Signaling overhead can be further saved.
  • when the terminal device generates the MBS key according to the security information and at least one of the first indication information and the second indication information, it may specifically: when the first condition is met, generate the MBS key according to the security information and the first information, or generate the MBS key according to the security information alone.
  • the first information includes at least one of the following items: the SFN area identifier where the first access network device is located, the tracking area identifier, and the access network paging area identifier.
  • the first condition is that the first indication information indicates that the SFN capability of the first access network device is supported and/or the second indication information indicates that the SFN state of the first access network device is enabled.
  • or, when the second condition is met, the MBS key is generated according to the security information and the second information.
  • the second information includes at least one of the following items: the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of the cell of the first access network device.
  • the second condition is that the first indication information indicates that the SFN capability of the first access network device is not supported and/or the second indication information indicates that the SFN state of the first access network device is off.
  • the cell signals under the first access network device may need to be combined with the cell signals of other access network devices, so the data sent by different access network devices must be identical, and the MBS key used for security processing must also be the same. In the above design, when the terminal device generates the MBS key, it can ensure that all access network devices or all cells in the same SFN area use the same MBS key.
  • the MBS key may include at least one of the following: a first key and a second key; when performing secure processing on the MBS data based on the MBS key, the above data is specifically encrypted based on the first key, and the above data is integrity protected based on the second key.
  • Security processing such as encryption and integrity protection of MBS data can be realized through the above design.
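To make the two derivation branches concrete (the access-network side in the earlier bullets and the terminal side just described, which must arrive at the same key), here is an added example that is not code from the patent, from Huawei or from 3GPP. It assumes an HMAC-SHA256 based KDF with assumed labels and field encodings, reads the text's "and/or" first condition as SFN capability supported and SFN state enabled, and uses constructed sample values; it shows that two cells in the same SFN area derive identical keys while a non-SFN cell derives its own, that the first and second keys differ, and that the key update parameter rotates both keys:

```python
"""Illustrative MBS key derivation conditioned on the SFN mechanism.

Added example, not code from the patent, from Huawei or from 3GPP. The KDF
(HMAC-SHA256 in an HKDF-like chain), the labels, the field encodings and every
sample value below are assumptions made for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInfo:
    """Security information of the MBS as delivered by the core network."""
    mbs_group_key: bytes   # MBS group key
    tmgi: bytes            # Temporary Mobile Group Identity (MBS session id)
    key_update_param: int  # key update parameter (assumed to be a counter)
    algorithm_id: int      # security algorithm identifier


@dataclass(frozen=True)
class AccessNetworkDevice:
    """Attributes of one access network device that the text names as inputs."""
    gnb_id: int            # identifier of the access network device
    physical_cell_id: int  # physical cell identifier
    cell_frequency: int    # frequency information of the cell
    sfn_area_id: int       # SFN area identifier the device belongs to
    sfn_capable: bool      # SFN capability supported?
    sfn_enabled: bool      # SFN state enabled?


def _u32(n: int) -> bytes:
    """Encode an integer field as 4 big-endian bytes (assumed encoding)."""
    return n.to_bytes(4, "big")


def _kdf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed fields."""
    data = label + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_mbs_keys(info: SecurityInfo, gnb: AccessNetworkDevice) -> tuple[bytes, bytes]:
    """Return (first_key, second_key): the encryption key and the integrity key.

    First condition (read here as SFN capable AND SFN state enabled): mix in the
    first information, the SFN area identifier, so every cell of the same SFN
    area derives identical keys and can transmit identical bits on the air.
    Second condition: mix in the second information (device id, PCI, frequency),
    so each access network device holds its own key and can be rekeyed alone.
    """
    common = _kdf(info.mbs_group_key, b"mbs", info.tmgi,
                  _u32(info.key_update_param), _u32(info.algorithm_id))
    if gnb.sfn_capable and gnb.sfn_enabled:
        scoped = _kdf(common, b"first-info", _u32(gnb.sfn_area_id))
    else:
        scoped = _kdf(common, b"second-info", _u32(gnb.gnb_id),
                      _u32(gnb.physical_cell_id), _u32(gnb.cell_frequency))
    # separate keys for encryption (first key) and integrity protection (second key)
    return _kdf(scoped, b"enc"), _kdf(scoped, b"int")


def demo() -> dict:
    """Derive keys for three cells and report the properties the text claims."""
    # constructed sample values, not taken from any real deployment
    info = SecurityInfo(mbs_group_key=bytes(range(32)), tmgi=bytes.fromhex("64f000000001"),
                        key_update_param=7, algorithm_id=2)
    cell_a = AccessNetworkDevice(gnb_id=1, physical_cell_id=10, cell_frequency=3500,
                                 sfn_area_id=100, sfn_capable=True, sfn_enabled=True)
    cell_b = AccessNetworkDevice(gnb_id=2, physical_cell_id=11, cell_frequency=3500,
                                 sfn_area_id=100, sfn_capable=True, sfn_enabled=True)
    cell_c = AccessNetworkDevice(gnb_id=3, physical_cell_id=12, cell_frequency=3500,
                                 sfn_area_id=100, sfn_capable=False, sfn_enabled=False)
    keys_a, keys_b, keys_c = (derive_mbs_keys(info, g) for g in (cell_a, cell_b, cell_c))
    rekeyed = SecurityInfo(info.mbs_group_key, info.tmgi, info.key_update_param + 1, info.algorithm_id)
    return {
        "sfn_peers_share_key": keys_a == keys_b,          # same SFN area -> same bits on air
        "standalone_cell_differs": keys_a != keys_c,      # second information isolates it
        "enc_int_keys_distinct": keys_a[0] != keys_a[1],  # first key != second key
        "key_update_changes_key": derive_mbs_keys(rekeyed, cell_a) != keys_a,
    }


if __name__ == "__main__":
    print(demo())
```

Because the terminal device runs the same derivation from the same security information plus the indicated SFN capability and state, calling derive_mbs_keys on the UE side yields the same pair as the access network device; that is what the text means by the terminal device generating the MBS key by itself. When the key is instead forwarded through a second access network device during handover, this derivation is simply skipped on the terminal side.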
  • the security information may include at least one of the following information: MBS group key, Temporary Mobile Group Identity (TMGI), key update parameters, and security algorithm identifier.
  • the security algorithm may include at least one of the following: a first security algorithm and a second security algorithm, wherein the first security algorithm is used for encryption and decryption, and the second security algorithm is used for integrity protection and integrity verification.
  • encryption processing and integrity protection processing adopt different algorithms to improve the security of MBS transmission.
  • the TMGI is an MBS session identifier, an MBS service identifier or an Internet Protocol (IP) multicast address of the MBS.
  • the terminal device acquires the MBS key, which may specifically: receive the MBS key forwarded by the first access network device through the second access network device.
  • the embodiment of the present application provides a communications apparatus that can implement the method implemented by the first access network device in the first aspect or any possible design thereof.
  • the apparatus comprises corresponding units or components for performing the method described above.
  • the units included in the device may be implemented by software and/or hardware.
  • the apparatus may be, for example, the first access network device, or a component or a baseband chip, a chip system, or a processor that can support the implementation of the above method in the first access network device.
  • the communication device may include modular components such as a transceiver unit (or a communication module, a transceiver module) and a processing unit (or a processing module), and these modules may implement the corresponding functions of the first access network device in the above-mentioned first aspect or any possible design thereof.
  • the transceiver unit may be a transmitter and a receiver, or a transceiver obtained by integrating a transmitter and a receiver.
  • the transceiver unit may include an antenna and a radio frequency circuit, etc.
  • the processing unit may be a processor, such as a baseband chip.
  • when the communication device is a component having the function of the first access network device, the transceiver unit may be a radio frequency unit, and the processing unit may be a processor.
  • when the communication device is a system-on-a-chip, the transceiver unit may be an input-output interface of the system-on-a-chip, and the processing unit may be a processor of the system-on-a-chip, such as a central processing unit (CPU).
  • the transceiver unit may be configured to perform the receiving and/or sending action performed by the first access network device in the first aspect or any possible design thereof.
  • the processing unit may be used to perform actions other than receiving and sending performed by the first access network device in the first aspect or any possible design thereof, such as generating an MBS key according to the security information of the MBS and performing secure processing on the MBS data based on the MBS key.
  • the embodiment of the present application provides a communication device that can implement the method implemented by the terminal device in the above second aspect or any possible design thereof.
  • the apparatus comprises corresponding units or components for performing the method described above.
  • the units included in the device may be implemented by software and/or hardware.
  • the apparatus may be, for example, a terminal device, or a component or a baseband chip, a chip system, or a processor that can support the implementation of the above method in the terminal device.
  • the communication device may include modular components such as a transceiver unit (or communication module, transceiver module) and a processing unit (or processing module), and these modules may implement the corresponding functions of the terminal device in the above second aspect or any possible design thereof.
  • the transceiver unit may be a transmitter and a receiver, or a transceiver obtained by integrating a transmitter and a receiver.
  • the transceiver unit may include an antenna and a radio frequency circuit, etc.
  • the processing unit may be a processor, such as a baseband chip.
  • the transceiver unit may be a radio frequency unit, and the processing unit may be a processor.
  • the transceiver unit may be an input-output interface of the system-on-a-chip, and the processing unit may be a processor of the system-on-a-chip, such as a central processing unit (CPU).
  • the transceiver unit may be used to perform receiving and/or sending actions performed by the terminal device in the second aspect or any possible design thereof.
  • the processing unit can be used to perform actions other than reception and transmission performed by the terminal device in the second aspect or any possible design thereof, such as generating an MBS key according to the MBS security information and performing secure processing of MBS data based on the MBS key.
  • in a fifth aspect, a communication system is provided, which includes the communication devices shown in the third aspect and the fourth aspect.
  • a computer-readable storage medium is provided, and the computer-readable storage medium is used for storing computer instructions; when the computer instructions are run on a computer, the computer is made to perform the method shown in the above-mentioned first aspect or second aspect or any possible implementation thereof.
  • a computer program product containing instructions is provided, and the computer program product is used to store computer instructions; when the computer instructions are run on a computer, the computer is made to execute the method shown in the first aspect or the second aspect or any possible implementation thereof.
  • a circuit is provided, the circuit is coupled to a memory, and the circuit is used to execute the method shown in the above first aspect or second aspect or any possible implementation manner thereof.
  • the circuitry may include chip circuitry.
  • FIG. 1 is a schematic diagram of a transmission of MBS data according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a protocol stack for unicast transmission according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of unicast transmission according to an embodiment of the present application.
  • FIG. 4 is a schematic diagram of multicast transmission according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication system according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of an access network device according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of a communication method according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of key generation according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of cell handover by a terminal device according to an embodiment of the present application.
  • MBS is a service transmitted to multiple terminal devices at the same time, such as live broadcast service, public safety service, batch software update service, etc.
  • a multicast service may also be called a multicast service.
  • the MBS comes from the data server. First, the data server sends the MBS data to the core network device, then the core network device sends the MBS data to the access network device, and finally the access network device sends the MBS data to at least one terminal device that receives the MBS. When the core network device sends MBS data to the access network device, the MBS data is transmitted through a common transmission channel, that is, the MBS session.
  • when the access network device sends the data to the terminal device, there are two transmission methods: the first is the point to multi-point (PTM) transmission mode; the second is the point to point (PTP) transmission mode, as shown in FIG. 1.
  • the data plane protocol stack includes the packet data convergence protocol (PDCP) layer, the radio link control (RLC) layer, the media access control (MAC) layer and the physical (PHY) layer, wherein the PDCP layer is located above the RLC layer, the RLC layer is located above the MAC layer, and the MAC layer is located above the PHY layer.
  • when the access network device sends data to the terminal device (that is, downlink transmission), the data first arrives at the PDCP layer of the access network device; after being processed by the PDCP layer, it is transmitted to the RLC layer and the MAC layer, and is finally sent out from the physical (PHY) layer. After receiving the data, the PHY layer of the terminal device transmits the data to the MAC layer and the RLC layer for processing, and then transmits it to the PDCP layer for processing, as shown in FIG. 2.
  • when the terminal device sends data to the access network device (that is, uplink transmission), the direction is reversed.
  • for unicast transmission (that is, unicast data transmission), when the security function is enabled, security-related processing includes the encryption/decryption and integrity protection/integrity verification processes: the sending end encrypts and/or integrity protects the data packet, and the receiving end performs corresponding decryption and/or integrity verification on the data packet.
  • Security functions are divided into access layer security and non-access layer security. Access layer security is used to protect data transmission between access network devices and terminal devices, and non-access layer security is used to protect data transmission between core network devices and terminal devices. The access layer security processing of the access network device and the terminal device is performed at the PDCP layer.
  • the process of integrity protection and verification is as follows: the sender calculates a parameter A based on parameters such as the data packet and the key, and sends A to the verifier; the receiver calculates a parameter B based on the same parameters such as the data packet and the key; the verifier compares the parameters A and B, and if they are consistent, the integrity verification is passed. The verifier can be the receiving end or a third party. FIG. 3 shows an example of one of the calculation methods, with the following parameters:
  • NIA is the 5G (NR) integrity algorithm
  • COUNT is the count value
  • KEY is the key
  • MESSAGE is the message itself to be integrity protected/verified
  • DIRECTION is the data transmission direction
  • BEARER is the identifier of the radio bearer.
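As an added example of the parameter A / parameter B comparison described above (not code from the patent, and not the 3GPP 128-NIA algorithms, which are replaced here by HMAC-SHA256 truncated to 32 bits; the byte packing of COUNT, BEARER and DIRECTION and the sample key and payload are constructed for this illustration), the following shows the sender computing a MAC-I and the verifier rejecting a tampered payload, a mismatched COUNT and a wrong key:

```python
"""Illustrative integrity protection and verification over the parameter set the
text names for FIG. 3: NIA(COUNT, KEY, MESSAGE, DIRECTION, BEARER) -> MAC-I.

Added example, not the patent's code and not the 3GPP 128-NIA algorithms:
HMAC-SHA256 truncated to 32 bits stands in for NIA. The 32-bit MAC-I, 32-bit
COUNT, 5-bit BEARER and 1-bit DIRECTION widths follow the NR PDCP layout; the
byte packing itself is an assumption of this example.
"""
import hashlib
import hmac

MAC_I_LEN = 4  # bytes: 32-bit message authentication code for integrity


def _pack_header(count: int, bearer: int, direction: int) -> bytes:
    """Bind COUNT, BEARER and DIRECTION into the authenticated input."""
    if not 0 <= count < 2**32:
        raise ValueError("COUNT must fit in 32 bits")
    if not 0 <= bearer < 2**5:
        raise ValueError("BEARER must fit in 5 bits")
    if direction not in (0, 1):
        raise ValueError("DIRECTION is 0 (uplink) or 1 (downlink)")
    return count.to_bytes(4, "big") + bytes([(bearer << 1) | direction])


def compute_mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Sender side: parameter A in the text."""
    tag = hmac.new(key, _pack_header(count, bearer, direction) + message, hashlib.sha256)
    return tag.digest()[:MAC_I_LEN]


def verify_mac_i(key: bytes, count: int, bearer: int, direction: int,
                 message: bytes, received_mac_i: bytes) -> bool:
    """Verifier side: recompute parameter B and compare with A in constant time."""
    expected = compute_mac_i(key, count, bearer, direction, message)
    return hmac.compare_digest(expected, received_mac_i)


def demo() -> dict:
    """Show a genuine packet passing and three failure cases being rejected."""
    # constructed sample key and payload, not from any real system
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
    payload = b"MBS payload: software-update chunk 17"
    count, bearer, downlink = 5, 3, 1
    mac_i = compute_mac_i(key, count, bearer, downlink, payload)
    tampered = payload[:-2] + b"18"  # one field altered in transit
    return {
        "genuine_passes": verify_mac_i(key, count, bearer, downlink, payload, mac_i),
        "tampered_payload_fails": verify_mac_i(key, count, bearer, downlink, tampered, mac_i),
        # a packet replayed under another COUNT, or a desynchronised counter
        "wrong_count_fails": verify_mac_i(key, count + 1, bearer, downlink, payload, mac_i),
        "wrong_key_fails": verify_mac_i(bytes(32), count, bearer, downlink, payload, mac_i),
    }


if __name__ == "__main__":
    print(demo())
```

Binding COUNT, BEARER and DIRECTION into the authenticated input is what lets the check reject a payload replayed under a different count or reflected onto another bearer or direction, not just bit flips in MESSAGE; the constant-time comparison avoids leaking how many MAC-I bytes matched.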
  • the single frequency network (SFN) mechanism refers to the following: in a certain area, multiple synchronous cells transmit the same data to the terminal device on the same time and frequency resources at the same time, and the identical physical signals sent by the multiple cells are superimposed on the air interface, so what the terminal device receives is a single superimposed signal, which can improve the strength of the received signal and eliminate interference between cells. This mechanism requires that the data sent by the multiple cells is exactly the same; otherwise the transmitted signals cannot be correctly combined.
  • At least one refers to one or more, and “multiple” refers to two or more.
  • “And/or” describes the association relationship of associated objects, indicating that there may be three types of relationships, for example, A and/or B, which can mean: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural.
  • the character “/” generally indicates that the contextual objects are an “or” relationship.
  • “At least one of the following” or similar expressions refer to any combination of these items, including any combination of single or plural items.
  • At least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple.
  • first and second are used to distinguish multiple objects, and are not used to limit the size, content, order, timing, priority or importance, etc., of the multiple objects.
  • first information and the second information are only for distinguishing different information, and do not represent the difference in size, content, priority or importance of the two pieces of information.
  • for the unicast service, taking the access network device sending data to the terminal device as an example, the data first arrives at the PDCP layer of the access network device; after being processed by the PDCP layer of the access network device, it is transmitted to the RLC layer and the MAC layer, and after being processed there it is sent out from the physical layer and transmitted to the terminal device through the air interface. Then, each protocol layer on the terminal device side sequentially performs the corresponding processing on the data packets in the reverse of the access network device's processing order.
  • the unicast service can safely process the unicast data through the PDCP layer. However, when a network device performs multicast transmission, the multicast data packet does not pass through the PDCP layer.
  • the multicast data packet directly passes through the RLC layer and the MAC layer, and is finally sent out through the physical layer. Multiple UEs receive the data packet, which is then processed by the physical layer, the MAC layer and the RLC layer and delivered to a higher layer, as shown in FIG. 4. It can be seen that the multicast data is transmitted without considering the security processing process, which may cause security problems during data transmission, resulting in data tampering or eavesdropping. The security processing of data needs to be based on keys, and there is no clear solution for how to generate keys for security processing in multicast transmission.
  • embodiments of the present application provide a communication method and device.
  • The access network device and the terminal device can each generate the MBS key according to the MBS security information sent by the core network device, so that MBS data can be securely processed based on the MBS key and the security of multicast transmission is improved.
  • the method and the device are based on the same inventive concept, and since the principles of the method and the device to solve problems are similar, the implementation of the device and the method can be referred to each other, and the repetition will not be repeated.
  • The communication method provided by this application can be applied to various communication systems, for example the Internet of things (IoT), narrowband Internet of things (NB-IoT), long term evolution (LTE), the fifth generation (5G) communication system, a hybrid LTE and 5G architecture, 6G, or new communication systems emerging in future communication development.
  • the 5G communication system described in this application may include at least one of a non-standalone (NSA) 5G communication system and a standalone (standalone, SA) 5G communication system.
  • the communication system may also be a machine to machine (machine to machine, M2M) network, a machine type communication (machine type communication, MTC) or other networks.
  • the communication method provided by the embodiment of the present application can be applied to a communication system, and the communication system includes an access network device and six terminal devices, that is, UE1-UE6.
  • UE1-UE6 can send uplink information to access network equipment, and the access network equipment can receive uplink data sent by UE1-UE6.
  • UE4-UE6 may also form a sub-communication system.
  • Access network devices can send downlink information to UE1, UE2, UE3 and UE5; UE5 can send downlink information to UE4 and UE6 based on device-to-device (D2D) technology, and UE4 and UE6 can communicate with each other based on D2D technology.
  • FIG. 5 is only a schematic diagram, and does not specifically limit the type of the communication system and the quantity and type of devices included in the communication system.
  • The terminal equipment shown above may be user equipment (UE), a terminal, an access terminal, a terminal unit, a terminal station, a mobile station (MS), a remote station, a remote terminal, a mobile terminal, wireless communication equipment, a terminal agent, terminal equipment, a cellular telephone, a cordless telephone, a session initiation protocol (SIP) telephone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved PLMN network, etc.
  • the terminal device may have a wireless transceiver function, which can communicate with one or more access network devices of one or more communication systems (such as wireless communication), and accept network services provided by the access network devices.
  • The access network equipment includes but is not limited to the access network equipment shown in FIG. 5.
  • Terminal equipment can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; on water (such as ships); or in the air (such as aircraft, balloons and satellites).
  • The terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, self-driving, remote medical, smart grid, transportation safety, smart city or smart home applications, etc.
  • the terminal device may also be a communication chip with a communication module, or a vehicle with a communication function, or a vehicle-mounted device (such as a vehicle-mounted communication device, a vehicle-mounted communication chip), etc.
  • Access network equipment refers to equipment that provides network access functions, such as a radio access network (RAN) base station (or RAN equipment). Access network equipment may specifically include a base station (BS), or a base station together with a radio resource management device for controlling the base station.
  • The access network device may also include a relay station (relay device), an access point, a base station in a future 5G network, or a base station or NR base station in a future evolved PLMN network.
  • the access network device can be a wearable device or a vehicle-mounted device.
  • the access network device can also be a communication chip with a communication module.
  • Access network equipment includes but is not limited to: a next-generation base station (gNB) in 5G, an evolved node B (eNB) in a long term evolution (LTE) system, a radio network controller (RNC), a wireless controller under a cloud radio access network (CRAN) system, a base station controller (BSC), a home base station (for example a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching center, an evolutional node B (eNB or eNodeB) in LTE, a base station device in a 5G network, an access network device in a future evolved PLMN network, a wearable device or a vehicle-mounted device.
  • the access network equipment may include a centralized unit (CU) and a distributed unit (DU).
  • the access network device may also include an active antenna unit (active antenna unit, AAU).
  • the CU implements some functions of the access network equipment, and the DU implements some functions of the access network equipment.
  • the CU is responsible for processing non-real-time protocols and services, and realizing radio resource control (radio resource control, RRC) and PDCP layer functions.
  • the DU is responsible for processing physical layer protocols and real-time services, realizing the functions of RLC layer, MAC layer and PHY layer.
  • the AAU implements some physical layer processing functions, radio frequency processing and related functions of active antennas.
  • the access network device may be a device including one or more of CU nodes, DU nodes, and AAU nodes.
  • The CU may be classified as an access network device in the radio access network (RAN), or it may be classified as a device in the core network (CN) (which may be referred to as a CN device); this application does not limit this.
  • the access network device can be connected to a core network (core network, CN) device, and the core network device can be used to provide core network services for terminal devices connected to the access network.
  • Core network devices may correspond to different devices in different systems.
  • The core network equipment can correspond to the serving GPRS support node (SGSN) and/or the gateway GPRS support node (GGSN) of the general packet radio service (GPRS).
  • The core network equipment may correspond to a mobility management entity (MME) and/or a serving gateway (S-GW), etc.
  • The core network equipment can correspond to an access and mobility management function (AMF) entity, a session management function (SMF) entity or a user plane function (UPF) entity, etc.
  • Fig. 6 shows a possible structural schematic diagram of the device.
  • The apparatus shown in FIG. 6 may be a communication device, or a chip applied in a communication device, or another combined device or component having the functions of the communication device shown in this application, where the communication device may be the access network device or the terminal device shown in the embodiments of the present application.
  • the apparatus may include a processing module 610 and a transceiving module 620 .
  • the transceiver module 620 may be a functional module, and the functional module can complete both the sending operation and the receiving operation.
  • the transceiver module 620 can be used to perform all the sending operations and receiving operations performed by the communication device.
  • When performing a sending operation, the transceiver module 620 can be considered a sending module, and when performing a receiving operation it can be considered a receiving module. Alternatively, the transceiver module 620 may consist of two functional modules, with "transceiver module 620" being a general term for the two: a sending module, used to perform all sending operations performed by the communication device, and a receiving module, used to perform all receiving operations performed by the communication device.
  • the transceiver module 620 may include a transceiver and/or a communication interface.
  • Transceivers may include antennas and radio frequency circuits, among others.
  • the communication interface is such as an optical fiber interface.
  • the processing module 610 may be a processor, such as a baseband processor, and the baseband processor may include one or more central processing units (central processing unit, CPU).
  • the transceiver module 620 may be a radio frequency unit, and the processing module 610 may be a processor, such as a baseband processor.
  • the transceiver module 620 may be an input-output interface of a chip (such as a baseband chip), and the processing module 610 may be a processor of the system-on-a-chip, and may include one or more central processing units.
  • processing module 610 in the embodiment of the present application may be implemented by a processor or a processor-related circuit component
  • transceiver module 620 may be implemented by a transceiver or a transceiver-related circuit component.
  • the processing module 610 can be used to perform all the operations performed by the access network device in the embodiment of the present application except the transceiving operation , such as processing operations, and/or other processes used to support the technology described herein, such as generating MBS keys, and performing secure processing on MBS data.
  • the transceiver module 620 may be used to perform all receiving and sending operations performed by the access network device in the embodiment of the present application, and/or to support other processes of the technologies described herein.
  • the processing module 610 can be used to perform all operations performed by the terminal device in the embodiment of the present application except the sending and receiving operations, such as processing operations, and/or other processes for supporting the techniques described herein, such as generating MBS keys, processing messages, information and/or signaling received by the transceiver module 620, and the like.
  • the transceiver module 620 may be used to perform all the receiving and sending operations performed by the terminal device in the embodiment of the present application, and/or to support other processes of the technologies described herein.
  • Fig. 7 shows another possible structural diagram of a terminal device.
  • the communication device includes structures such as a processor, a memory, a radio frequency unit (or radio frequency circuit), an antenna, and an input and output device.
  • the processor is mainly used to process communication protocols and communication data, control devices, execute software programs, process data of software programs, and the like.
  • Memory is primarily used to store software programs and data.
  • the radio frequency unit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
  • Antennas are mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, and keyboards, are mainly used to receive data input by users and output data to users. It should be noted that some types of terminal equipment may not have input and output devices.
  • When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the radio frequency circuit.
  • the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
  • Only one memory and one processor are shown in FIG. 7. In an actual terminal device product, there may be one or more processors and one or more memories.
  • a memory may also be called a storage medium or a storage device. The memory may be set independently of the processor, or may be integrated with the processor, which is not limited in this embodiment of the present application.
  • The antenna and the radio frequency circuit with the transceiver function can be regarded as the transceiver unit of the terminal equipment (the transceiver unit can be a single functional unit that realizes both the sending and receiving functions, or it can include two functional units, namely a receiving unit for the receiving function and a sending unit for the sending function), and the processor with processing functions can be regarded as the processing unit of the terminal device.
  • the terminal device includes a transceiver unit 710 and a processing unit 720 .
  • the transceiver unit may also be referred to as a transceiver, a transceiver, a transceiver device, and the like.
  • a processing unit may also be called a processor, a processing board, a processing module, a processing device, and the like.
  • the device in the transceiver unit 710 for realizing the receiving function can be regarded as a receiving unit
  • the device in the transceiver unit 710 for realizing the sending function can be regarded as a sending unit, that is, the transceiver unit 710 includes a receiving unit and a sending unit.
  • the transceiver unit may sometimes also be referred to as a transceiver, a transceiver, or a transceiver circuit.
  • the receiving unit may sometimes be called a receiver, a receiver, or a receiving circuit, etc.
  • the sending unit may sometimes be called a transmitter, a transmitter, or a transmitting circuit, etc.
  • the transceiver unit 710 may correspond to the transceiver module 620 , or in other words, the transceiver module 620 may be implemented by the transceiver unit 710 .
  • the transceiver unit 710 is configured to perform the sending operation and the receiving operation of the terminal device in the embodiments shown in this application, and/or other processes for supporting the technology described herein.
  • the processing unit 720 may correspond to the processing module 610 , or in other words, the processing module 610 may be realized by the processing unit 720 .
  • The processing unit 720 is configured to perform the operations of the terminal device in the embodiments shown in this application other than the transceiving operations, and/or other processes used to support the techniques described herein.
  • Fig. 8 shows another possible structural diagram of an access network device.
  • the access network device includes structures such as a processor, a memory, a radio frequency unit (or radio frequency circuit) or an antenna.
  • the processor is mainly used to process communication protocols and communication data, control access network devices, execute software programs, and process data of software programs.
  • Memory is primarily used to store software programs and data.
  • the radio frequency unit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
  • the access network device may include a transceiver unit 810 and a processing unit 820, wherein the transceiver unit 810 may include a sending unit and a receiving unit, or the transceiver unit 810 may be a unit.
  • the transceiving unit 810 may correspond to the transceiving module 620 in FIG. 6 , that is, the transceiving unit 810 performs the actions performed by the transceiving module 620 .
  • the transceiver unit 810 may also be called a transceiver, a transceiver circuit, or a transceiver, etc., and may include at least one antenna 811 and a radio frequency unit 812 .
  • the transceiver unit 810 is mainly used for transmitting and receiving radio frequency signals and converting radio frequency signals and baseband signals.
  • the processing unit 820 is mainly used to perform baseband processing, control access network equipment, and the like.
  • the transceiver unit 810 and the processing unit 820 may be physically set together, or may be physically separated, that is, distributed access network equipment.
  • The transceiver unit 810 may include one or more radio frequency units, such as a remote radio unit (RRU), and the processing unit 820 may include one or more baseband units (BBU), also called digital units (DU).
  • The processing unit 820 may be composed of one or more single boards. Multiple single boards may jointly support a radio access network of a single access standard (such as an LTE network), or may separately support radio access networks of different access standards (such as an LTE network, a 5G network or other networks).
  • the processing unit 820 also includes a memory 821 and a processor 822 .
  • the memory 821 is used to store necessary instructions and data.
  • the processor 822 is used to control the access network device to perform necessary actions, for example, to control the access network device to execute the operation procedures related to the access network device in the embodiments shown in this application.
  • the memory 821 and the processor 822 may serve one or more single boards. That is to say, memory and processors can be set independently on each single board. It may also be that multiple single boards share the same memory and processor. In addition, necessary circuits can also be set on each single board.
  • the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application. With the evolution of architecture and the emergence of new business scenarios, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems.
  • the method is executed by the access network device and the terminal device as an example.
  • the method can be applied to a multicast (or multicast) scenario.
  • In a multicast scenario, an access network device can perform multicast transmission with one or more terminal devices receiving MBS, and the one or more terminal devices receiving the MBS can be called a multicast group.
  • the multicast scenario is not limited to one access network device, and multiple access network devices may cooperate to perform multicast transmission with at least one terminal device.
  • For example, multiple access network devices may cooperate to send the same data to a terminal device.
  • The following describes the communication between an access network device participating in multicast transmission in a multicast scenario (hereinafter referred to as the first access network device) and a terminal device in the multicast group (hereinafter referred to as the first terminal device).
  • For the communication between the first access network device and other terminal devices in the multicast group, and between the other access network devices cooperating with the first access network device in the multicast transmission and the terminal devices in the multicast group, refer to the process of communication between the first access network device and the first terminal device.
  • FIG. 9 it is a schematic flowchart of a communication method provided by the present application.
  • the method includes:
  • the core network device sends the security information of the MBS to the first access network device.
  • the first access network device receives the security information of the MBS.
  • the receiving action performed by the first access network device may be performed by the transceiver module 620 in the apparatus shown in FIG. 6 .
  • When multiple access network devices participate in the multicast transmission, the core network device can send the MBS security information to each of them, or the multiple access network devices can exchange the MBS security information among themselves.
  • The security information may also be called a security context, security context information, etc., and includes at least one of the following: an MBS group key, a temporary mobile group identity (TMGI), key update parameters, and a security algorithm identifier.
  • The MBS group key may be a root key from which the subsequent MBS key is derived, or it may be an intermediate key used to generate the MBS key.
  • Key update parameters can be parameters such as a count (COUNT) value, a key used for the update, or a token. Such a parameter is used as an input when deriving the MBS key, so that the derivation is irreversible, cannot be replicated by a party that lacks the parameter, and is secure.
  • The TMGI can also be an MBS session identifier, an MBS service identifier or an MBS Internet Protocol (IP) multicast address, where the MBS IP multicast address may also be called a multicast IP address or an IP multicast address.
  • the security algorithm identifier may include at least one of the following: an identifier of a security algorithm used for encryption or decryption, and an identifier of a security algorithm used for integrity protection or integrity verification.
  • parameter names included in the MBS security information listed above are only examples, and specific parameter names are not limited.
  • the MBS security information may also include other parameters in specific implementations, which are not specifically limited here.
  • this step S901 is optional, and the first access network device may obtain the security information from other access network devices, or set it in advance.
  • the embodiments of this application are not limited.
  • the first access network device generates an MBS key according to the security information.
  • the actions performed by the first access network device may be performed by the processing module 610 in the apparatus shown in FIG. 6 .
  • The MBS key may include at least one of a first key and a second key, where the first key is used to encrypt the MBS data and the second key is used for integrity protection of the MBS data. When generating the first key, the identifier of the security algorithm used for encryption or decryption in the security information can be used, and when generating the second key, the identifier of the security algorithm used for integrity protection or integrity verification in the security information can be used.
  • Alternatively, the first key and the second key may be the same key, that is, the encryption and integrity protection of the MBS data use the same key. In an example, the process of generating an MBS key may be as shown in FIG. 10.
  • The security information can be used as an input parameter when generating the MBS key and fed to the security functional entity used to derive the key; the security functional entity produces output parameters through a security algorithm calculation, and the MBS key is obtained from the output parameters.
  • the input parameters in Figure 10 are only to show the process of generating the MBS key, and do not specifically limit the input parameters of the present invention.
  • The input parameters may include those shown in the figure or those mentioned in the specific embodiments, and may also include other input parameters necessary for generating the MBS key.
  • the following is an exemplary description of the process of generating the MBS key by the first access network device.
  • Besides the security information, the first access network device can also input other information, such as one or more of: the identifier of the SFN area where the first access network device is located, the tracking area identifier, the access network paging area identifier, the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of the cell of the first access network device (for example, an absolute radio frequency channel number (ARFCN)).
  • other information may also include a count value. The count value is used to indicate the corresponding derivation process or deduction times, and different count values correspond to different deduction processes or deduction times.
  • The first access network device can use the count value as an input parameter to ensure that different derivation processes yield different MBS keys, thereby ensuring key isolation between derivations; or the first access network device can use the count value to determine the number of derivations required to obtain the MBS key from the MBS group key.
  • the above security information and other information can be used as input parameters when generating the MBS key and input into the security function entity.
  • the security function entity can generate output parameters through security algorithm calculation, and obtain the MBS key according to the output parameters.
  • The specific content of the above other information may depend on the SFN capability of the first access network device and the SFN status of the first access network device. Therefore, the first access network device may generate the MBS key according to the security information and at least one of: the SFN capability of the first access network device, and the SFN status of the first access network device.
  • the SFN capability can also be understood as whether the access network device supports the SFN function, and the SFN status can also be understood as whether the SFN function of the access network device is enabled.
  • When the first access network device meets the first condition, the MBS key may be generated according to the security information and the first information, where the first condition includes that the SFN capability of the first access network device is "supported" and/or the SFN status of the first access network device is "enabled", and the first information includes at least one of: the identifier of the SFN area where the first access network device is located, the tracking area identifier, and the access network paging area identifier. Alternatively, when the first access network device satisfies the first condition, it may generate the MBS key according to the security information alone.
  • If the SFN area is smaller than the tracking area, the first information may include the tracking area identifier, that is, the first access network device may generate the MBS key according to the tracking area identifier. If the SFN area is smaller than the access network paging area, the first information may include the access network paging area identifier, that is, the first access network device may generate the MBS key according to the access network paging area identifier.
  • When the first access network device meets the second condition, it can generate the MBS key according to the security information and the second information, where the second condition includes that the SFN capability of the first access network device is "not supported" and/or the SFN status of the first access network device is "off", and the second information includes at least one of: the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of a cell of the first access network device.
  • When the first access network device does not support the SFN function or the SFN function is not enabled (that is, the SFN status is off), the cell signals of the first access network device do not need to be combined with the cell signals of other access network devices, so no SFN transmission is needed. The first access network device can then use information related to the access network device itself or its serving cell (that is, the second information) as an input parameter for generating the MBS key. As a result, when the MBS key is updated, only the MBS key of the first access network device or of the serving cell needs to be updated, which reduces the key update overhead while improving security.
  • When the first access network device supports the SFN function and the SFN status is enabled, the cell signals of the first access network device may need to be combined with the cell signals of other access network devices. The data sent by the different access network devices must then be exactly the same, and so must the MBS key used for security processing. Therefore, the first access network device (or the first terminal device) cannot use information specific to the first access network device or its serving cell when generating the MBS key; it instead generates the MBS key from information related to the SFN area (that is, the first information), which ensures that all access network devices or cells in the same SFN area use the same MBS key.
  • The SFN status can be on only when the first access network device supports the SFN function; if the first access network device does not support the SFN function, there is no SFN status. Therefore, when the SFN status of the first access network device is on, the SFN function of the first access network device may be taken as supported by default.
  • "SFN status is on" may also be referred to as "SFN status is enabled", "SFN status is active", etc.
  • "SFN status is off" may also be referred to as "SFN status is not enabled", "SFN status is disabled", "SFN status is inactive", "SFN status is deactivated", "SFN status is inhibited or dormant", etc.
  • the first access network device performs security processing on the MBS data based on the MBS key, and the security processing includes at least one of the following processing: encryption and integrity protection.
  • the actions performed by the first access network device may be performed by the processing module 610 in the apparatus shown in FIG. 6 .
  • the first access network device sends the security-processed data to the first terminal device.
  • the first terminal device receives the data.
  • the sending action performed by the first access network device may be performed by the transceiver module 620 in the apparatus shown in FIG. 6 .
  • the receiving action performed by the first terminal device may also be performed by the transceiver module 620 in the apparatus shown in FIG. 6 .
  • When there are multiple terminal devices in the multicast group, the first access network device may send the data to all of them.
  • the multicast group may include one or more terminal devices receiving the above-mentioned MBS.
  • the first terminal device performs security processing on the received data based on the MBS key, and the security processing includes at least one of the following processing: decryption and integrity verification.
  • the actions performed by the first terminal device may be performed by the processing module 610 in the apparatus shown in FIG. 6 .
  • the MBS key of the first terminal device may be generated by the first access network device and sent to the first terminal device, or may be generated by the first terminal device itself in the same manner as the first access network device.
  • The first access network device may send the MBS key to the first terminal device through the following scheme 1 or scheme 2:
  • Scheme 1: After generating the MBS key, the first access network device may send it to the first terminal device through an RRC message, for example carried in the RRC reconfiguration message.
  • Scheme 2: In the scenario where the first terminal device is handed over from the second access network device to the first access network device, the first access network device may send the MBS key to the second access network device, and the second access network device forwards the MBS key to the first terminal device.
  • For example, the first access network device may send the MBS key to the second access network device through a handover request acknowledge message, and the second access network device may carry the MBS key in the handover command and send it to the first terminal device.
  • the MBS key of the first access network device is different from the MBS key of the second access network device.
  • If the first access network device satisfies the first condition, that is, the first access network device does not support the SFN function or the SFN status is off, the first access network device generates the MBS key from its own related information (that is, the second information), so the MBS key generated by the first access network device differs from the MBS keys of other access network devices (such as the second access network device).
  • If the first access network device meets the second condition, that is, the first access network device supports the SFN function and/or the SFN status is on, the first access network device generates the MBS key from the related information of its SFN area (that is, the first information), so the MBS keys of the access network devices in the SFN area where the first access network device is located are the same; but the second access network device is not in that SFN area, so the MBS keys of the first access network device and the second access network device are different.
  • The MBS key of the first access network device may be sent to the second access network device through a handover request acknowledge message.
  • The handover request message from the second access network device may carry the SFN area identifier of the second access network device.
  • After the first access network device receives that message, if it determines that the carried SFN area identifier differs from its own SFN area identifier, or if the first access network device does not support the SFN function and has no SFN area identifier, it can send its MBS key to the second access network device, and the second access network device then sends the MBS key to the first terminal device through a handover command.
  • the first terminal device uses the MBS key of the first access network device to securely process the MBS data after the handover is completed.
  • When a terminal device (which may be the first terminal device or another terminal device) is handed over between access network devices in the same SFN area, the MBS key used by the different access network devices is the same, so the MBS key need not be updated.
  • The MBS key of the first terminal device can be generated through the following process: the core network device sends the security information of the MBS to the first terminal device, and the first terminal device generates the MBS key based on the security information. The rule information and input parameters used by the first terminal device and by the first access network device to generate the MBS key need to be the same, so that the keys with which the first access network device and the first terminal device securely process the MBS data are identical; this improves the accuracy with which the first terminal device obtains the MBS data.
  • The rule information for generating the MBS key and the required input parameters may be stipulated in a protocol, or the core network device may send them to the first terminal device in advance; for example, the core network device sends the rule information for generating the MBS key to the first terminal device during the authentication or registration process of the first terminal device.
  • the first terminal device may also use the method described in the specific example in step S902 to generate the MBS key.
  • When the first terminal device uses the method described in the above example to generate the MBS key, it can obtain the SFN capability of the first access network device from the first indication information sent by the first access network device, and the SFN status of the first access network device from the second indication information sent by the first access network device, where the first indication information indicates the SFN capability of the first access network device and the second indication information indicates its SFN status.
  • The first indication information may also be used only to indicate that the SFN capability of the first access network device is supported, and the second indication information only to indicate that the SFN status of the first access network device is on.
  • The first access network device may also not send the first indication information; that is, when the first access network device does not send the first indication information indicating the SFN capability, the terminal device considers that the SFN capability of the access network device is not supported.
  • Likewise the first access network device may not send the second indication information; that is, when the first access network device does not send the second indication information indicating the SFN status, the terminal device considers that the SFN status of the access network device is off. Signaling overhead can be further saved in this manner.
  • the first indication information and the second indication information may be the same information.
  • For example, the first access network device indicates both its SFN function and its SFN status through a single piece of indication information: if the first access network device does not support the SFN function, the indication information may indicate that the SFN function is not supported; if the first access network device supports the SFN function, the indication information may indicate the SFN status, thereby implicitly indicating that the SFN function is supported.
  • the first indication information and the second indication information may also be two pieces of information.
  • the first indication information and the second indication information may be sent to the first terminal device through the same message, or may be sent to the first terminal device through two messages.
  • the first access network device may also indicate the SFN area identifier to the first terminal device.
  • the first access network device may indicate the SFN area identifier through the first indication information or the second indication information.
  • For example, the first access network device indicates the SFN function and the SFN area identifier through the first indication information: if the first access network device supports the SFN function, the first indication information may indicate the SFN area identifier, thereby implicitly indicating that the first access network device supports the SFN function; if the first access network device does not support the SFN function, the first indication information may indicate that the SFN function is not supported.
  • For example, the first access network device indicates the SFN status and the SFN area identifier through the second indication information: if the SFN status of the first access network device is on, the second indication information may indicate the SFN area identifier, thereby implicitly indicating that the SFN status is on; if the SFN status of the first access network device is off, the second indication information may indicate that the SFN status is off.
  • For example, the first access network device indicates the SFN function, the SFN status and the SFN area identifier through one piece of indication information: if the first access network device does not support the SFN function, the indication information may indicate that the SFN function is not supported; if the first access network device supports the SFN function but the SFN status is off, the indication information may indicate that the SFN status is off, thereby implicitly indicating that the SFN function is supported; if the first access network device supports the SFN function and the SFN status is on, the indication information may indicate the SFN area identifier, thereby implicitly indicating that the SFN function is supported and the SFN status is on.
  • the first access network device may also indicate the SFN area identifier through the third indication information.
  • All the above-mentioned first indication information, second indication information and third indication information may be sent through a broadcast message, a system message or an RRC message.
  • the access network device and the terminal device can generate an MBS key based on the security information of the MBS from the core network device, and realize the secure processing of the MBS data based on the MBS key, thereby improving multicast broadcast transmission security.
  • the SFN mechanism of the access network device is considered when generating the MBS key, so that the SFN mechanism of the access network device side may not be affected, and the key update overhead may be reduced.
  • In some scenarios the MBS key needs to be updated. For example, when the first terminal device (or another terminal device in the multicast group) leaves the multicast group, the core network device or the first access network device may update (that is, re-derive) the MBS key so that the leaving device cannot continue to receive the MBS with the previous MBS key. For another example, when the SFN status of the first access network device changes, the first access network device may update the MBS key.
  • The reason a terminal device (which may be the first terminal device or another terminal device in the multicast group) leaves the multicast group may be that the terminal device has performed a cell handover, that the terminal device is no longer interested in the MBS, and so on.
  • the terminal device may also leave the multicast group for other reasons. This application is only an example and does not limit the reasons for the terminal device to leave the multicast group.
  • the update of the MBS key may or may not be triggered after the terminal device performs cell handover.
  • An implementation of the update process may include the following steps:
  • Step 1: The core network device or the first access network device determines when to update the MBS key. For example, when a terminal device (which may be the first terminal device or another terminal device in the multicast group) indicates to the core network device or the first access network device that it is no longer interested in a certain MBS, or when the core network device or the first access network device determines from the subscription information of the terminal device that the terminal device has left the multicast group, the core network device or the first access network device may update the MBS key based on the departure of that terminal device.
  • the core network device may also instruct the first access network to update the MBS key.
  • Step 2: The core network device or the first access network device determines the scope of the MBS key update. Assuming the MBS key was generated from the information of the first access network device or the serving cell (that is, the second information), only the MBS key of the first access network device or the serving cell needs to be updated.
  • Assuming the MBS key was generated from the SFN area identifier, the MBS key of the SFN area may be updated; assuming it was generated from the tracking area identifier, the MBS key of the tracking area may be updated; assuming it was generated from the access network paging area identifier, the MBS key of the access network paging area may be updated.
  • Step 3: The first access network device regenerates a new MBS key and sends it to the terminal device, or the first access network device sends an update instruction to the terminal device, instructing the terminal device to generate a new MBS key.
  • Step 1 and step 2 have no strict execution order.
  • Whether the key derivation parameters include information related to the access network device or the cell depends on the SFN function: if the SFN function is enabled, information related to the access network devices or cells that participate in SFN combining cannot be included in key generation; if the SFN function is not enabled or not supported by the access network device or cell, information related to that access network device or cell can be included in key generation. Therefore the SFN mechanism on the access network device side is not affected, and the key update overhead can be reduced.
  • An embodiment of the present application provides a communication device.
  • the communication device may be used to implement the terminal device involved in the foregoing embodiments, and the communication device may include the structure shown in FIG. 6 and/or FIG. 7 .
  • An embodiment of the present application provides a communication device.
  • the communication device may be used to implement the first access network device involved in the foregoing embodiments, and the communication device may include the structure shown in FIG. 6 and/or FIG. 8 .
  • the communication system may include at least one terminal device and at least one access network device, where the terminal device and the access network device in the communication system may execute the method shown in any one of the above method embodiments.
  • An embodiment of the present application also provides a computer-readable storage medium that stores a computer program; when the computer program is executed by a computer, the computer can implement the processes related to the terminal device or the network device in any one of the above method embodiments.
  • An embodiment of the present application also provides a computer program product for storing a computer program; when the computer program is executed by a computer, the computer can implement the processes related to the terminal device or the network device in any one of the above method embodiments.
  • An embodiment of the present application also provides a chip or a chip system. The chip may include a processor, and the processor may be used to call programs or instructions in a memory and execute the processes related to the terminal device or the first access network device in any one of the above method embodiments.
  • The chip system may include the chip and other components such as a memory or a transceiver.
  • An embodiment of the present application further provides a circuit, which can be coupled with a memory and used to execute the processes related to the terminal device or the network device in any one of the foregoing method embodiments.
  • The processor mentioned in the embodiments of the present application may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
  • The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory.
  • Volatile memory can be random access memory (RAM), which acts as external cache memory.
  • By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
  • When the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
  • The sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • modules and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
  • the disclosed methods and devices may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the modules is only a logical function division. In actual implementation, there may be other division methods.
  • Multiple modules or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • each functional module in each embodiment of the present application may be integrated into one processing module, each module may exist separately physically, or two or more modules may be integrated into one module.
  • If the function is realized in the form of a software function module and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method in each embodiment of the present application.
  • the aforementioned computer-readable storage medium may be any available medium that can be accessed by a computer.
  • Computer-readable media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), a universal serial bus flash disk, a mobile hard disk or other optical disk storage, a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a communication method and apparatus. The method comprises: a first access network device receives security information of a multicast and broadcast service (MBS), and generates an MBS key according to the security information; the first access network device performs security processing on data of the MBS on the basis of the generated MBS key and then sends said data to a terminal device, wherein the security processing comprises at least one of encryption and integrity protection. In the embodiments of the present application, an access network device may generate an MBS key on the basis of security information of an MBS from a core network device, and implement security processing on data of the MBS on the basis of the MBS key, thereby improving the security of multicast and broadcast transmission.

Description

A communication method and device
Cross References to Related Applications
This application claims priority to the Chinese patent application with application number 202110602607.7, entitled "A Communication Method and Device", filed with the China Patent Office on May 31, 2021, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communication technology, and in particular to a communication method and device.
Background
A multicast and broadcast service (MBS) is a service directed at multiple terminal devices, for example a live streaming service, a public safety service or a bulk software update service. MBS data originates from a data server: the data server first sends the MBS data to a core network device, the core network device then sends the MBS data to an access network device, and finally the access network device sends the MBS data by multicast or broadcast to at least one terminal device receiving the MBS. At present, an access network device performing multicast transmission does not apply security processing to the multicast data, so the multicast data has low security during transmission and a security risk exists.
Summary
The present application provides a communication method and device for improving the security of multicast data during transmission.
In a first aspect, the present application provides a communication method. The method may be executed by a first access network device, or by a chip or a circuit. Taking the first access network device as an example, the method includes: the first access network device receives security information of the MBS and generates an MBS key according to the security information; the first access network device performs security processing on the MBS data based on the generated MBS key and then sends the data to a terminal device, the security processing including at least one of encryption and integrity protection. In the embodiments of the present application, the access network device can generate the MBS key based on the MBS security information from the core network device and use that MBS key to securely process the MBS data, thereby improving the security of multicast and broadcast transmission.
In a possible design, when the first access network device generates the MBS key according to the security information, it may generate the MBS key according to the security information and at least one of the following: the single frequency network (SFN) capability of the first access network device, and the SFN status of the first access network device. In this design the SFN mechanism of the access network device is taken into account when generating the MBS key, so the SFN mechanism on the access network device side is not affected.
In a possible design, when the first access network device generates the MBS key according to the security information and at least one of its SFN capability and SFN status, it may, when a first condition is met, generate the MBS key according to the security information and first information, or according to the security information alone; the first information includes at least one of the following: the identifier of the SFN area in which the first access network device is located, a tracking area identifier, and an access network paging area identifier, and the first condition includes that the SFN capability is supported and/or the SFN status is on. When a second condition is met, it generates the MBS key according to the security information and second information; the second information includes at least one of the following: the identifier of the first access network device, the physical cell identifier of the first access network device, and frequency information of a cell of the first access network device, and the second condition includes that the SFN capability is not supported and/or the SFN status is off.
If the first access network device does not support the SFN function or the SFN function is not enabled (that is, the SFN status is off), the cell signals of the first access network device need not be combined with the cell signals of other access network devices. In this design the first access network device uses its own related information (that is, the second information) when generating the MBS key, so that when the MBS key is updated only the MBS key of this first access network device needs to be updated, which improves security and reduces the overhead of key updates.
If the first access network device supports the SFN function or the SFN function is enabled (that is, the SFN status is on), the cell signals of the first access network device may need to be combined with the cell signals of other access network devices, so the data sent by different access network devices must be identical and the MBS key used for security processing must also be the same. In this design the first access network device inputs SFN-related information (that is, the first information) when generating the MBS key, which ensures that all access network devices or all cells in the same SFN area use the same MBS key.
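The following Python is an added illustration of the input selection just described and of the update scope in steps 1 to 3 above; it is not code from the patent or its applicant. Under the first condition the derivation takes the SFN area identifier as input, under the second condition it takes the node identifier, physical cell identifier and cell frequency, and a key update parameter is kept per derivation scope so that a re-key changes only the keys of the nodes that share that scope. The HMAC-SHA256 KDF, the field layout, the node names and all key values are assumptions for the example; the patent fixes no KDF.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample security information (hypothetical values, not from the patent):
# the MBS group key and TMGI a core network device would hand out for one MBS.
MBS_GROUP_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TMGI = "tmgi-example-001"


@dataclass(frozen=True)
class AccessNode:
    """Per-access-network-device facts the derivation depends on (constructed model)."""
    node_id: str
    pci: int                          # physical cell identifier
    freq_khz: int                     # cell frequency information
    sfn_supported: bool               # SFN capability
    sfn_on: bool                      # SFN status
    sfn_area_id: Optional[str] = None


def key_input(node: AccessNode) -> bytes:
    """Select the derivation input from the SFN capability/status.

    SFN supported and on -> first information (SFN area identifier): every node in
    the area derives the same key.  Otherwise -> second information (node id, PCI,
    frequency): the key is specific to this node/cell.  The returned bytes also
    name the key's update scope.
    """
    if node.sfn_supported and node.sfn_on:
        if node.sfn_area_id is None:
            raise ValueError("SFN is on but no SFN area identifier is configured")
        return b"SFN-AREA:" + node.sfn_area_id.encode()
    return b"NODE:" + f"{node.node_id}/{node.pci}/{node.freq_khz}".encode()


def derive_mbs_key(node: AccessNode, params: Dict[bytes, int], purpose: bytes,
                   group_key: bytes = MBS_GROUP_KEY, tmgi: str = TMGI) -> bytes:
    """HMAC-SHA256 as KDF (assumption): group key is the KDF key; TMGI, the
    key update parameter of this scope, the selected input and a purpose label
    form the KDF message."""
    scope = key_input(node)
    kup = params.get(scope, 0)
    msg = b"|".join([tmgi.encode(), kup.to_bytes(4, "big"), scope, purpose])
    return hmac.new(group_key, msg, hashlib.sha256).digest()


def derive_key_pair(node: AccessNode,
                    params: Optional[Dict[bytes, int]] = None) -> Tuple[bytes, bytes]:
    """First key (encryption) and second key (integrity) for one node."""
    params = params or {}
    return (derive_mbs_key(node, params, b"enc"),
            derive_mbs_key(node, params, b"int"))


def update_key_scope(params: Dict[bytes, int], node: AccessNode) -> Dict[bytes, int]:
    """Re-key only the scope that node's key is derived from (step 2): bump the
    key update parameter of that scope and return the new parameter table."""
    new = dict(params)
    scope = key_input(node)
    new[scope] = new.get(scope, 0) + 1
    return new


def affected_nodes(nodes: List[AccessNode], old: Dict[bytes, int],
                   new: Dict[bytes, int]) -> List[str]:
    """Ids of the nodes whose derived keys differ between two parameter tables."""
    return sorted(n.node_id for n in nodes
                  if derive_key_pair(n, old) != derive_key_pair(n, new))


if __name__ == "__main__":
    a = AccessNode("gnb-a", 10, 3500000, True, True, "area-1")
    b = AccessNode("gnb-b", 11, 3500000, True, True, "area-1")
    c = AccessNode("gnb-c", 12, 3500000, True, False)      # SFN supported, status off
    d = AccessNode("gnb-d", 13, 3500000, False, False)     # no SFN capability
    nodes = [a, b, c, d]
    print("same key in SFN area:", derive_key_pair(a) == derive_key_pair(b))
    print("re-key gnb-c touches:", affected_nodes(nodes, {}, update_key_scope({}, c)))
    print("re-key area-1 touches:", affected_nodes(nodes, {}, update_key_scope({}, a)))
```

Two nodes with SFN on in the same area derive identical keys, while a node with SFN off or without SFN capability gets a key of its own; bumping the update parameter of a node-scoped key leaves the SFN area's key untouched, and bumping the area scope changes only the nodes in that area.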
In one possible design, the MBS key may include at least one of: a first key and a second key. Performing security processing on the MBS data based on the MBS key may specifically consist of encrypting the data based on the first key and integrity-protecting the data based on the second key. This design makes security processing such as encryption and integrity protection of the MBS data possible.
In one possible design, the security information may include at least one of: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, and a security algorithm identifier.
In one possible design, the security algorithm may include at least one of: a first security algorithm and a second security algorithm, where the first security algorithm is used for encryption and decryption and the second security algorithm is used for integrity protection and integrity verification. In this design, using different algorithms for encryption and for integrity protection improves the security of MBS transmission.
In one possible design, the TMGI is an MBS session identifier, an MBS service identifier, or an Internet Protocol (IP) multicast address of the MBS.
In one possible design, the first access network device may further send first indication information and/or second indication information to the terminal device, where the first indication information indicates the SFN capability of the first access network device and the second indication information indicates the SFN state of the first access network device. With this design, the terminal device can learn the SFN mechanism of the first access network device from the first indication information and the second indication information, and can thus generate the MBS key itself.
In one possible design, the first access network device may further send first indication information and/or second indication information to the terminal device, where the first indication information indicates that the SFN capability of the first access network device is "supported" and the second indication information indicates that the SFN state of the first access network device is "on". With this design, the terminal device can learn the SFN mechanism of the first access network device from the first indication information and the second indication information, and can thus generate the MBS key itself. It will be understood that in this case, when the SFN capability of the first access network device is "not supported", the first access network device may send no indication information; that is, when the first access network device sends no indication information indicating the SFN capability, the terminal device takes the SFN capability of the access network device to be "not supported". Similarly, when the SFN state of the first access network device is not on (off), the first access network device may send no indication information; that is, when the first access network device sends no indication information indicating the SFN state, the terminal device takes the SFN capability of the access network device to be "not supported". This further saves signalling overhead.
In one possible design, the first access network device may send the MBS key to the terminal device after generating it. With this design, a terminal device receiving the MBS can use the received MBS key to perform security processing on the MBS data.
In one possible design, for a terminal device being handed over from a second access network device to the first access network device, the first access network device may send the MBS key to the terminal device via the second access network device. With this design, a terminal device handed over to the first access network device can obtain the MBS key of the first access network device during the handover procedure, and can therefore perform security processing on the MBS data according to that MBS key once the handover to the first access network device is complete.
In one possible design, the MBS key may also be updated if a terminal device stops receiving the MBS. This design improves the security of MBS transmission. It will be understood that the access network device can detect whether a terminal device has stopped receiving the MBS and update the MBS key according to the result.
In one possible design, the MBS key may be updated if the SFN state of the first access network device changes. This design leaves the SFN mechanism on the access network device side unaffected while also reducing key update overhead.
In a second aspect, the present application provides a communication method whose executing entity may be a terminal device, or a chip or circuit. Taking a terminal device as an example, the method includes: the terminal device obtains an MBS key; the terminal device receives MBS data and performs security processing on the data based on the obtained MBS key, where the security processing includes at least one of decryption and integrity verification. In the embodiments of the present application the terminal device can obtain the MBS key and, based on it, perform security processing on the MBS data, thereby improving the security of multicast and broadcast transmission.
In one possible design, when obtaining the MBS key, the terminal device may specifically receive security information of the MBS and generate the MBS key according to that security information. In this design, the terminal device can generate the MBS key based on the MBS security information sent by the core network device.
In one possible design, when generating the MBS key according to the security information, the terminal device may specifically: obtain first indication information and/or second indication information, where the first indication information indicates the SFN capability of the first access network device and the second indication information indicates the SFN state of the first access network device; and generate the MBS key according to at least one of the first indication information and the second indication information together with the security information. In this design, the terminal device takes the SFN mechanism of the access network device into account when generating the MBS key, so that the SFN mechanism on the access network device side is unaffected.
In one possible design, when generating the MBS key according to the security information, the terminal device may further: obtain first indication information and/or second indication information, where the first indication information indicates that the SFN capability of the first access network device is "supported" and the second indication information indicates that the SFN state of the first access network device is "on". With this design, the terminal device can learn the SFN mechanism of the first access network device from the first indication information and the second indication information, and can thus generate the MBS key itself. It will be understood that in this case, when the SFN capability of the first access network device is "not supported", the first access network device may send no indication information; that is, when the first access network device sends no indication information indicating the SFN capability, the terminal device takes the SFN capability of the access network device to be "not supported". Similarly, when the SFN state of the first access network device is not on (off), the first access network device may send no indication information; that is, when the first access network device sends no indication information indicating the SFN state, the terminal device takes the SFN capability of the access network device to be "not supported". This further saves signalling overhead.
In one possible design, when generating the MBS key according to at least one of the first indication information and the second indication information together with the security information, the terminal device may specifically: when a first condition is met, generate the MBS key according to the security information and first information, or according to the security information alone, where the first information includes at least one of: the identifier of the SFN area in which the first access network device is located, a tracking area identifier, and an access network paging area identifier, and the first condition is that the first indication information indicates that the SFN function of the first access network device is "supported" and/or the second indication information indicates that the SFN state of the first access network device is "on"; or, when a second condition is met, generate the MBS key according to the security information and second information, where the second information includes at least one of: the identifier of the first access network device, the physical cell identifier of the first access network device, and frequency information of a cell of the first access network device, and the second condition includes the first indication information indicating that the SFN capability of the first access network device is "not supported" and/or the second indication information indicating that the SFN state of the first access network device is "off".
If the first access network device supports the SFN function, or the SFN function is enabled (that is, the SFN state is on), the cell signals of the first access network device may need to be combined with the cell signals of other access network devices, so the data sent by the different access network devices must be identical, and the MBS key used for security processing must also be identical. In the above design, by taking SFN-related information (that is, the first information) as input when generating the MBS key, the terminal device ensures that all access network devices, or all cells, in the same SFN area use the same MBS key.
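As an added worked example (not part of the application), the conditional derivation described in this design and in the corresponding first-aspect design above, in Python: the security information is combined with either the first information (SFN area, tracking area, access network paging area) or the second information (device identifier, physical cell identifier, cell frequency), so that devices in one SFN area derive identical keys while non-SFN devices derive their own. The KDF (HMAC-SHA256 over length-prefixed fields), the labels and field encodings, the sample values, and the choice to treat SFN as in use only when the capability is supported and the state is on are all assumptions; the application fixes none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed example: the application names the inputs and the two conditions
# but fixes no derivation function, field encoding or label; all of those are
# assumptions made here.


@dataclass(frozen=True)
class SecurityInfo:
    """Security information of the MBS, as sent by the core network device."""
    mbs_group_key: bytes   # used as the KDF secret here
    tmgi: bytes            # temporary mobile group identity
    key_update_param: int  # advanced on every key update
    enc_alg_id: int        # first security algorithm (encryption/decryption)
    int_alg_id: int        # second security algorithm (integrity)


@dataclass(frozen=True)
class AccessNetworkDevice:
    """SFN capability and state plus the first and second information of one device."""
    sfn_capable: bool
    sfn_enabled: bool
    sfn_area_id: bytes         # first information: shared by the whole SFN area
    tracking_area_id: bytes
    ran_paging_area_id: bytes
    device_id: bytes           # second information: specific to this device/cell
    physical_cell_id: int
    cell_frequency_khz: int


def _kdf(secret: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed fields (constructed KDF)."""
    mac = hmac.new(secret, label, hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


def derive_mbs_keys(sec: SecurityInfo, dev: AccessNetworkDevice) -> Tuple[bytes, bytes]:
    """Return (first key, second key): the encryption key and the integrity key.

    First condition (SFN in use): bind the keys to the first information, so every
    cell in the SFN area sends byte-identical protected data.
    Second condition (no SFN): bind them to the second information, so a key
    update only ever touches this device's own key.
    Assumption: SFN counts as in use only when the device both supports it and
    has it switched on; the application leaves the other combinations open.
    """
    common = (
        sec.tmgi,
        sec.key_update_param.to_bytes(4, "big"),
        bytes([sec.enc_alg_id, sec.int_alg_id]),
    )
    if dev.sfn_capable and dev.sfn_enabled:
        binding = (dev.sfn_area_id, dev.tracking_area_id, dev.ran_paging_area_id)
    else:
        binding = (
            dev.device_id,
            dev.physical_cell_id.to_bytes(2, "big"),
            dev.cell_frequency_khz.to_bytes(4, "big"),
        )
    first_key = _kdf(sec.mbs_group_key, b"MBS-ENC", *common, *binding)
    second_key = _kdf(sec.mbs_group_key, b"MBS-INT", *common, *binding)
    return first_key, second_key


def rekey(sec: SecurityInfo) -> SecurityInfo:
    """Key update (a UE left the MBS, or the SFN state changed): advance the parameter."""
    return SecurityInfo(sec.mbs_group_key, sec.tmgi, sec.key_update_param + 1,
                        sec.enc_alg_id, sec.int_alg_id)


def keys_match(sec: SecurityInfo, dev_a: AccessNetworkDevice,
               dev_b: AccessNetworkDevice) -> bool:
    """True when the two devices would protect the MBS data with identical keys."""
    return derive_mbs_keys(sec, dev_a) == derive_mbs_keys(sec, dev_b)


# Constructed sample data: two devices in one SFN area, differing only in their
# second information.
SAMPLE_SEC = SecurityInfo(
    mbs_group_key=bytes.fromhex("00112233445566778899aabbccddeeff"),
    tmgi=b"\x12\x34\x56\x00\x01\x02", key_update_param=7, enc_alg_id=2, int_alg_id=2)


def sample_device(device_id: bytes, pci: int, sfn_on: bool) -> AccessNetworkDevice:
    return AccessNetworkDevice(
        sfn_capable=True, sfn_enabled=sfn_on,
        sfn_area_id=b"SFN-AREA-1", tracking_area_id=b"\x00\x00\x01",
        ran_paging_area_id=b"\x00\x01", device_id=device_id,
        physical_cell_id=pci, cell_frequency_khz=3_500_000)


if __name__ == "__main__":
    a_on, b_on = sample_device(b"gNB-1", 17, True), sample_device(b"gNB-2", 42, True)
    a_off, b_off = sample_device(b"gNB-1", 17, False), sample_device(b"gNB-2", 42, False)
    print("SFN on,  same area -> identical keys:", keys_match(SAMPLE_SEC, a_on, b_on))
    print("SFN off, same area -> identical keys:", keys_match(SAMPLE_SEC, a_off, b_off))
    print("rekey changes keys:",
          derive_mbs_keys(SAMPLE_SEC, a_on) != derive_mbs_keys(rekey(SAMPLE_SEC), a_on))
```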
In one possible design, the MBS key may include at least one of: a first key and a second key. Performing security processing on the MBS data based on the MBS key may specifically consist of encrypting the data based on the first key and integrity-protecting the data based on the second key. This design makes security processing such as encryption and integrity protection of the MBS data possible.
In one possible design, the security information may include at least one of: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, and a security algorithm identifier.
In one possible design, the security algorithm may include at least one of: a first security algorithm and a second security algorithm, where the first security algorithm is used for encryption and decryption and the second security algorithm is used for integrity protection and integrity verification. In this design, using different algorithms for encryption and for integrity protection improves the security of MBS transmission.
In one possible design, the TMGI is an MBS session identifier, an MBS service identifier, or an Internet Protocol (IP) multicast address of the MBS.
In one possible design, the terminal device obtains the MBS key specifically by receiving the MBS key from the first access network device, the MBS key having been generated based on the security information of the MBS.
In one possible design, the terminal device obtains the MBS key specifically by receiving the MBS key forwarded by the first access network device via the second access network device.
In a third aspect, an embodiment of the present application provides a communication apparatus capable of implementing the method performed by the first access network device in the first aspect or any of its possible designs. The apparatus includes corresponding units or components for performing the above method. The units included in the apparatus may be implemented in software and/or hardware. The apparatus may be, for example, the first access network device, or a component, baseband chip, chip system, or processor that can support implementation of the above method in the first access network device.
By way of example, the communication apparatus may include modular components such as a transceiver unit (also called a communication module or transceiver module) and a processing unit (also called a processing module), and these modules can perform the corresponding functions of the first access network device in the first aspect or any of its possible designs. When the communication apparatus is the first access network device, the transceiver unit may be a transmitter and a receiver, or a transceiver obtained by integrating a transmitter and a receiver. The transceiver unit may include an antenna, a radio frequency circuit, and the like, and the processing unit may be a processor, for example a baseband chip. When the communication apparatus is a component having the functions of the first access network device, the transceiver unit may be a radio frequency unit and the processing unit may be a processor. When the communication apparatus is a chip system, the transceiver unit may be an input/output interface of the chip system and the processing unit may be a processor of the chip system, for example a central processing unit (CPU).
The transceiver unit may be used to perform the receiving and/or sending actions performed by the first access network device in the first aspect or any of its possible designs. The processing unit may be used to perform the actions other than receiving and sending performed by the first access network device in the first aspect or any of its possible designs, such as generating the MBS key according to the security information of the MBS and performing security processing on the MBS data based on the MBS key.
In a fourth aspect, an embodiment of the present application provides a communication apparatus capable of implementing the method performed by the terminal device in the second aspect or any of its possible designs. The apparatus includes corresponding units or components for performing the above method. The units included in the apparatus may be implemented in software and/or hardware. The apparatus may be, for example, the terminal device, or a component, baseband chip, chip system, or processor that can support implementation of the above method in the terminal device.
By way of example, the communication apparatus may include modular components such as a transceiver unit (also called a communication module or transceiver module) and a processing unit (also called a processing module), and these modules can perform the corresponding functions of the terminal device in the second aspect or any of its possible designs. When the communication apparatus is the terminal device, the transceiver unit may be a transmitter and a receiver, or a transceiver obtained by integrating a transmitter and a receiver. The transceiver unit may include an antenna, a radio frequency circuit, and the like, and the processing unit may be a processor, for example a baseband chip. When the communication apparatus is a component having the functions of the terminal device, the transceiver unit may be a radio frequency unit and the processing unit may be a processor. When the communication apparatus is a chip system, the transceiver unit may be an input/output interface of the chip system and the processing unit may be a processor of the chip system, for example a central processing unit (CPU).
The transceiver unit may be used to perform the receiving and/or sending actions performed by the terminal device in the second aspect or any of its possible designs. The processing unit may be used to perform the actions other than receiving and sending performed by the terminal device in the second aspect or any of its possible designs, such as generating the MBS key according to the security information of the MBS and performing security processing on the MBS data based on the MBS key.
In a fifth aspect, a communication system is provided, including the communication apparatuses of the third aspect and the fourth aspect.
In a sixth aspect, a computer-readable storage medium is provided for storing computer instructions which, when run on a computer, cause the computer to perform the method of the first aspect or the second aspect or any of their possible implementations.
In a seventh aspect, a computer program product containing instructions is provided, the computer program product storing computer instructions which, when run on a computer, cause the computer to perform the method of the first aspect or the second aspect or any of their possible implementations.
In an eighth aspect, a circuit is provided, coupled to a memory and used to perform the method of the first aspect or the second aspect or any of their possible implementations. The circuit may include a chip circuit.
Description of the drawings
FIG. 1 is a schematic diagram of MBS data transmission according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a protocol stack for unicast transmission according to an embodiment of the present application;
FIG. 3 is a schematic diagram of unicast transmission according to an embodiment of the present application;
FIG. 4 is a schematic diagram of multicast transmission according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the architecture of a communication system according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an access network device according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of a communication method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of key generation according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a terminal device changing cell according to an embodiment of the present application.
Detailed description
To make the purpose, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings. The specific operating methods in the method embodiments may also be applied in the apparatus embodiments or system embodiments.
Some terms used in the embodiments of the present application are explained below to aid understanding by those skilled in the art.
1) MBS: an MBS is a service transmitted to multiple terminal devices at the same time, for example a live streaming service, a public safety service, or a bulk software update service. A multicast service may also be referred to as a groupcast service. The MBS originates from a data server: first the data server sends the MBS data to the core network device, then the core network device sends the MBS data to the access network device, and finally the access network device sends the MBS data to at least one terminal device receiving the MBS. When the core network device sends the MBS data to the access network device, the data is transmitted over a common transport channel, the MBS session; when the access network device sends it on to the terminal devices, two transmission modes are available: the first is point-to-multipoint (PTM) transmission and the second is point-to-point (PTP) transmission, as shown in FIG. 1.
2) Data plane protocol stack: in unicast transmission, the data plane protocol stack includes the packet data convergence protocol (PDCP) layer, the radio link control (RLC) layer, the medium access control (MAC) layer and the physical (PHY) layer, where the PDCP layer sits above the RLC layer, the RLC layer above the MAC layer, and the MAC layer above the PHY layer. Taking data sent from the access network device to the terminal device (that is, downlink transmission) as an example, the data first arrives at the PDCP layer of the access network device, is passed after PDCP processing to the RLC layer and the MAC layer, and after processing there is sent out from the PHY layer. The PHY layer of the terminal device receives the data and passes it to the MAC layer and the RLC layer for processing, after which it is passed to the PDCP layer for processing, as shown in FIG. 2. When data is sent from the terminal device to the access network device (that is, uplink transmission), the direction is reversed. Unicast transmission (that is, unicast data transmission) has both uplink and downlink transmission.
3) Security processing for unicast transmission: for unicast transmission, once the security function is enabled, security-related processing includes encryption/decryption and integrity protection/integrity verification; the sending end encrypts and/or integrity-protects the data packet, and the receiving end correspondingly decrypts and/or integrity-verifies it. Security functions are divided into access stratum security and non-access stratum security: access stratum security protects data transmission between the access network device and the terminal device, and non-access stratum security protects data transmission between the core network device and the terminal device. The access stratum security processing of both the access network device and the terminal device is performed at the PDCP layer.
The integrity protection and verification procedure is as follows: the sending end computes a parameter A from the data packet, the key and other parameters, and sends A to the verifier; the receiving end computes a parameter B from the data packet, the key and the same other parameters; the verifier compares parameters A and B, and if they match, integrity verification succeeds. The verifier may be the receiving end or a third party. FIG. 3 shows one example of such a computation, in which NIA (Integrity Algorithm for 5G) is the 5G security algorithm, COUNT is a count value, KEY is the key, MESSAGE is the message to be integrity-protected/verified, DIRECTION is the data transmission direction, and BEARER is the identifier of the radio bearer.
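As an added example (not from the application), the parameter A / parameter B procedure just described, in Python: the sending end computes A over COUNT, BEARER, DIRECTION and MESSAGE under KEY and appends it, and the verifier recomputes B over the same parameters and compares the two. HMAC-SHA256 truncated to 32 bits stands in for NIA, the packing of COUNT, BEARER and DIRECTION follows the input layout of the 3GPP 128-NIA2 algorithm, and the key, bearer, count and messages are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example. NIA is a 3GPP integrity algorithm; this stand-in uses
# HMAC-SHA256 truncated to 32 bits so the procedure can be run without the real
# algorithm. The sample key, bearer, count and messages are constructed.

MAC_LEN = 4              # 32-bit MAC-I, as carried in an NR PDCP PDU
UPLINK, DOWNLINK = 0, 1  # DIRECTION values


def integrity_input(count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Lay out COUNT (32 bits), BEARER (5 bits), DIRECTION (1 bit), 26 zero bits
    and then MESSAGE: the input layout of the 3GPP 128-NIA2 algorithm."""
    if not 0 <= count < 2**32:
        raise ValueError("COUNT must fit in 32 bits")
    if not 0 <= bearer < 2**5:
        raise ValueError("BEARER must fit in 5 bits")
    if direction not in (UPLINK, DOWNLINK):
        raise ValueError("DIRECTION must be 0 or 1")
    header = count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2), 0, 0, 0])
    return header + message


def nia_stand_in(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Parameter A (sender) or parameter B (verifier): a 32-bit tag over the NIA inputs."""
    data = integrity_input(count, bearer, direction, message)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Sending end: compute parameter A and append it to the message."""
    return message + nia_stand_in(key, count, bearer, direction, message)


def verify(key: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> Optional[bytes]:
    """Verifier: recompute parameter B from the received PDU and the same
    COUNT/BEARER/DIRECTION; return MESSAGE if A == B, otherwise None."""
    if len(pdu) < MAC_LEN:
        return None
    message, a = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    b = nia_stand_in(key, count, bearer, direction, message)
    # constant-time comparison so the check leaks nothing about the expected tag
    return message if hmac.compare_digest(a, b) else None


# Constructed sample values
SAMPLE_KEY = bytes.fromhex("2bd6459f82c5b300952c49104881ff48")
SAMPLE_BEARER = 3
SAMPLE_COUNT = 0x10


def demo() -> dict:
    """Round trip plus the failure cases the procedure must catch: a modified
    MESSAGE, a PDU checked against the wrong COUNT, DIRECTION or BEARER."""
    msg = b"MBS payload: segment 12 of 40"
    pdu = protect(SAMPLE_KEY, SAMPLE_COUNT, SAMPLE_BEARER, DOWNLINK, msg)
    tampered = bytearray(pdu)
    tampered[4] ^= 0x01  # flip one bit inside MESSAGE
    return {
        "ok": verify(SAMPLE_KEY, SAMPLE_COUNT, SAMPLE_BEARER, DOWNLINK, pdu) == msg,
        "tampered_message": verify(SAMPLE_KEY, SAMPLE_COUNT, SAMPLE_BEARER, DOWNLINK,
                                   bytes(tampered)) is None,
        "wrong_count": verify(SAMPLE_KEY, SAMPLE_COUNT + 1, SAMPLE_BEARER, DOWNLINK, pdu) is None,
        "wrong_direction": verify(SAMPLE_KEY, SAMPLE_COUNT, SAMPLE_BEARER, UPLINK, pdu) is None,
        "wrong_bearer": verify(SAMPLE_KEY, SAMPLE_COUNT, SAMPLE_BEARER + 1, DOWNLINK, pdu) is None,
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:18s} {'PASS' if passed else 'FAIL'}")
```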
4) Single frequency network (SFN) mechanism: within a certain area, multiple mutually synchronised cells transmit the same data to the terminal device simultaneously on the same time-frequency resources. The identical physical signals sent by the multiple cells are superimposed over the air interface, so that from the terminal device's point of view a single superimposed signal is received; this increases the received signal strength and also eliminates inter-cell interference. The mechanism requires that the data sent by the multiple cells be exactly identical, otherwise the transmitted signals cannot be combined correctly.
5) In the embodiments of this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean that A exists alone, that both A and B exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following" or similar expressions refers to any combination of the listed items, including any combination of a single item or multiple items. For example, "at least one of a, b, or c" may denote a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c may be a single item or multiple items.
Also, unless stated otherwise, ordinal terms such as "first" and "second" in the embodiments of this application are used to distinguish between multiple objects and do not limit their size, content, order, timing, priority, or importance. For example, "first information" and "second information" merely distinguish two pieces of information and do not imply any difference in their size, content, priority or importance.
The foregoing introduced some of the terms and concepts involved in the embodiments of this application; the technical features involved in the embodiments are introduced below.
At present, in a unicast service, taking the access network device sending data to the terminal device as an example, the data first arrives at the PDCP layer of the access network device; after PDCP-layer processing it is passed to the RLC layer and the MAC layer, and after processing there it is sent out from the physical layer and transmitted to the terminal device over the air interface. Each protocol layer on the terminal device side then processes the data packets in the reverse order of the access network device. A unicast service can therefore apply security processing to unicast data at the PDCP layer. However, when a network device performs multicast transmission, the multicast data packets do not pass through the PDCP layer. A multicast data packet goes directly through the RLC layer and the MAC layer and is finally sent out via the physical layer; multiple UEs receive the packet and pass it up through the physical layer, MAC layer, and RLC layer to higher layers, as shown in FIG. 4. It can be seen that no security processing is applied to multicast data during transmission, which may cause security problems during transmission and lead to the data being tampered with or eavesdropped on. Security processing of data must be based on keys, and there is currently no clear solution for how the keys used for security processing in multicast transmission are generated.
On this basis, embodiments of this application provide a communication method and apparatus. In the embodiments, the access network device and the terminal device can generate an MBS key according to MBS security information sent by the core network device, so that MBS data can be securely processed based on that MBS key, which improves the security of multicast transmission. The method and the apparatus are based on the same inventive concept; since the principles by which they solve the problem are similar, the implementations of the apparatus and the method may refer to each other, and repeated content is not described again.
The communication method provided by this application can be applied to various communication systems, for example the Internet of things (IoT), narrowband Internet of things (NB-IoT), long term evolution (LTE), the fifth generation (5G) communication system, a hybrid LTE and 5G architecture, 6G, or new communication systems that emerge in future communication development. The 5G communication system described in this application may include at least one of a non-standalone (NSA) 5G communication system and a standalone (SA) 5G communication system. The communication system may also be a machine-to-machine (M2M) network, machine type communication (MTC), or another network.
As shown in FIG. 5, the communication method provided by the embodiments of this application can be applied to a communication system that includes an access network device and six terminal devices, UE1 to UE6. In this communication system, UE1 to UE6 can send uplink information to the access network device, and the access network device can receive the uplink data sent by UE1 to UE6. In addition, UE4 to UE6 may also form a sub-communication system. The access network device can send downlink information to UE1, UE2, UE3, and UE5; UE5 can send downlink information to UE4 and UE6 based on device-to-device (D2D) technology, or UE4 to UE6 can communicate with each other based on D2D technology.
The embodiments of this application can also be used in other communication systems, as long as multicast transmission is required in that system. In addition, the embodiments apply not only to the scenario in which one access network device communicates with multiple UEs, but also to the scenario in which multiple access network devices cooperate to communicate with one or more UEs at the same time (for example, SFN). FIG. 5 is only a schematic diagram and does not specifically limit the type of the communication system or the number and types of devices included in it.
The terminal device shown above may be user equipment (UE), a terminal, an access terminal, a terminal unit, a terminal station, a mobile station (MS), a remote station, a remote terminal, a mobile terminal, a wireless communication device, a terminal agent, a terminal device, a cellular telephone, a cordless telephone, a session initiation protocol (SIP) telephone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal apparatus in a future 5G network, a terminal apparatus in a future evolved PLMN network, and so on. The terminal device may have a wireless transceiving function; it can communicate (for example, wirelessly) with one or more access network devices of one or more communication systems and accept the network services provided by those access network devices, which include but are not limited to the access network device shown in FIG. 5.
In addition, the terminal device may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; on water (for example on a ship); or in the air (for example on an aircraft, a balloon, or a satellite). Specifically, the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiving function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. The terminal device may also be a communication chip with a communication module, a vehicle with a communication function, or a vehicle-mounted device (such as a vehicle-mounted communication apparatus or a vehicle-mounted communication chip).
An access network device (or access network site) is a device that provides a network access function, such as a radio access network (RAN) base station (or RAN device). Specifically, the access network device may include a base station (BS), or a base station together with a radio resource management device for controlling the base station. The access network device may also include a relay station (relay device), an access point, a base station in a future 5G network, a base station in a future evolved PLMN network, or an NR base station. The access network device may be a wearable device or a vehicle-mounted device, or a communication chip with a communication module.
For example, the access network device includes but is not limited to: a next-generation base station (gNB) in 5G, an evolved node B (eNB) in a long term evolution (LTE) system, a radio network controller (RNC), a radio controller in a cloud radio access network (CRAN) system, a base station controller (BSC), a home base station (for example, a home evolved nodeB or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), or a mobile switching center; it may also be an evolutional NB (eNB or eNodeB) in LTE, a base station device in a 5G network or an access network device in a future evolved PLMN network, or a wearable device or vehicle-mounted device.
In some deployments, the access network device may include a centralized unit (CU) and a distributed unit (DU). The access network device may also include an active antenna unit (AAU). The CU implements some functions of the access network device and the DU implements others; for example, the CU is responsible for handling non-real-time protocols and services and implements the functions of radio resource control (RRC) and the PDCP layer, while the DU is responsible for handling physical layer protocols and real-time services and implements the functions of the RLC, MAC, and PHY layers. The AAU implements some physical layer processing, radio frequency processing, and active antenna functions. Because RRC-layer information ultimately becomes PHY-layer information, or is derived from PHY-layer information, higher-layer signaling such as RRC signaling can, in this architecture, also be regarded as being sent by the DU, or by the DU together with the AAU. It can be understood that the access network device may be a device including one or more of a CU node, a DU node, and an AAU node. In addition, the CU may be classified as an access network device in the radio access network (RAN), or as an access network device in the core network (CN) (which may be called a CN device); this application does not limit this.
In addition, the access network device may be connected to a core network (CN) device, which can provide core network services for terminal devices attached to the access network. The core network device may correspond to different devices in different systems. For example, in 3G the core network device may correspond to the serving GPRS support node (SGSN) and/or gateway GPRS support node (GGSN) of the general packet radio service (GPRS). In 4G it may correspond to a mobility management entity (MME) and/or a serving gateway (S-GW). In 5G it may correspond to an access and mobility management function (AMF) entity, a session management function (SMF) entity, a user plane function (UPF) entity, and so on.
The possible structures of the access network device and the terminal device are introduced below with reference to the accompanying drawings.
For example, FIG. 6 shows a possible schematic structure of an apparatus. The apparatus shown in FIG. 6 may be a communication device, or a chip applied in a communication device, or another combined device or component having the functions of the communication device shown in this application, where the communication device may be the access network device or the terminal device shown in the embodiments of this application. The apparatus may include a processing module 610 and a transceiver module 620. The transceiver module 620 may be a single functional module that performs both sending and receiving operations; for example, it can be used to perform all sending and receiving operations performed by the communication device, and may be regarded as a sending module when performing a sending operation and as a receiving module when performing a receiving operation. Alternatively, the transceiver module 620 may consist of two functional modules, a sending module and a receiving module, with "transceiver module 620" as their collective name: the sending module performs the sending operations (for example, all sending operations performed by the communication device) and the receiving module performs the receiving operations (for example, all receiving operations performed by the communication device).
For example, when the apparatus is a communication device, the transceiver module 620 may include a transceiver and/or a communication interface. The transceiver may include an antenna and a radio frequency circuit, among other things. The communication interface may be, for example, an optical fiber interface. The processing module 610 may be a processor, such as a baseband processor, which may include one or more central processing units (CPUs).
When the apparatus is a component having the functions of the communication device shown in this application, the transceiver module 620 may be a radio frequency unit, and the processing module 610 may be a processor, such as a baseband processor.
When the apparatus is a chip system, the transceiver module 620 may be the input/output interface of a chip (for example, a baseband chip), and the processing module 610 may be the processor of the chip system, which may include one or more central processing units.
It should be understood that in the embodiments of this application the processing module 610 may be implemented by a processor or processor-related circuit components, and the transceiver module 620 may be implemented by a transceiver or transceiver-related circuit components.
In one implementation, when the communication device is the access network device shown in the embodiments of this application, the processing module 610 may be used to perform all operations performed by the access network device in the embodiments other than transceiving operations, such as processing operations and/or other processes supporting the technology described herein, for example generating the MBS key and securely processing the MBS data. The transceiver module 620 may be used to perform all receiving and sending operations performed by the access network device in the embodiments, and/or other processes supporting the technology described herein.
In another implementation, when the communication device is the terminal device shown in the embodiments of this application, the processing module 610 may be used to perform all operations performed by the terminal device in the embodiments other than transceiving operations, such as processing operations and/or other processes supporting the technology described herein, for example generating the MBS key and processing messages, information, and/or signaling received by the transceiver module 620. The transceiver module 620 may be used to perform all receiving and sending operations performed by the terminal device in the embodiments, and/or other processes supporting the technology described herein.
FIG. 7 shows another possible schematic structure of a terminal device. As shown in FIG. 7, the communication device includes a processor, a memory, a radio frequency unit (or radio frequency circuit), an antenna, and an input/output apparatus. The processor is mainly used to process communication protocols and communication data, control the apparatus, execute software programs, and process the data of those programs. The memory is mainly used to store software programs and data. The radio frequency unit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The antenna is mainly used to send and receive radio frequency signals in the form of electromagnetic waves. The input/output apparatus, such as a touch screen, display, or keyboard, is mainly used to receive data input by the user and output data to the user. It should be noted that some types of terminal device may have no input/output apparatus.
When data needs to be sent, the processor performs baseband processing on the data and outputs a baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and then sends the resulting radio frequency signal out through the antenna in the form of electromagnetic waves. When data is sent to the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal, and outputs the baseband signal to the processor, which converts it into data and processes the data. For ease of illustration, only one memory and one processor are shown in FIG. 7. In an actual terminal device product there may be one or more processors and one or more memories. The memory may also be called a storage medium or storage device. The memory may be separate from the processor or integrated with it; the embodiments of this application do not limit this.
In the embodiments of this application, the antenna and radio frequency circuit with the transceiving function may be regarded as the transceiver unit of the terminal device (the transceiver unit may be one functional unit implementing both the sending and the receiving function, or may include two functional units, a receiving unit implementing the receiving function and a sending unit implementing the sending function), and the processor with the processing function may be regarded as the processing unit of the terminal device. As shown in FIG. 7, the terminal device includes a transceiver unit 710 and a processing unit 720. The transceiver unit may also be called a transceiver, a transceiving apparatus, and so on. The processing unit may also be called a processor, a processing board, a processing module, a processing apparatus, and so on. Optionally, the component of the transceiver unit 710 that implements the receiving function may be regarded as a receiving unit and the component that implements the sending function as a sending unit, that is, the transceiver unit 710 includes a receiving unit and a sending unit. The transceiver unit is sometimes also called a transceiver or a transceiver circuit; the receiving unit is sometimes called a receiver or a receiving circuit; the sending unit is sometimes called a transmitter or a transmitting circuit.
It should be understood that the transceiver unit 710 may correspond to the transceiver module 620, that is, the transceiver module 620 may be implemented by the transceiver unit 710. The transceiver unit 710 is configured to perform the sending and receiving operations of the terminal device in the embodiments of this application, and/or other processes supporting the technology described herein. The processing unit 720 may correspond to the processing module 610, that is, the processing module 610 may be implemented by the processing unit 720. The processing unit 720 is configured to perform the operations of the terminal device other than transceiving operations in the embodiments of this application, for example to perform all receiving and sending operations performed by the terminal device in the embodiments, and/or other processes supporting the technology described herein.
FIG. 8 shows another possible schematic structure of an access network device. As shown in FIG. 8, the access network device includes a processor, a memory, a radio frequency unit (or radio frequency circuit), an antenna, and similar components. The processor is mainly used to process communication protocols and communication data, control the access network device, execute software programs, and process the data of those programs. The memory is mainly used to store software programs and data. The radio frequency unit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals.
As shown in FIG. 8, the access network device may include a transceiver unit 810 and a processing unit 820. The transceiver unit 810 may include a sending unit and a receiving unit, or may be a single unit capable of both sending and receiving. The transceiver unit 810 may correspond to the transceiver module 620 in FIG. 6, that is, the transceiver unit 810 performs the actions performed by the transceiver module 620. Optionally, the transceiver unit 810 may also be called a transceiver, a transceiver circuit, and so on, and may include at least one antenna 811 and a radio frequency unit 812. The transceiver unit 810 is mainly used for transmitting and receiving radio frequency signals and for conversion between radio frequency signals and baseband signals. The processing unit 820 is mainly used for baseband processing and for controlling the access network device. The transceiver unit 810 and the processing unit 820 may be physically co-located or physically separated; the latter is a distributed access network device.
For example, the transceiver unit 810 may include one or more radio frequency units, such as a remote radio unit (RRU), and the processing unit 820 may include one or more baseband units (BBU) (also called a digital unit, DU).
In one example, the processing unit 820 may consist of one or more boards; multiple boards may jointly support a radio access network of a single access standard (such as an LTE network) or may separately support radio access networks of different access standards (such as an LTE network, a 5G network, or other networks). The processing unit 820 further includes a memory 821 and a processor 822. The memory 821 stores the necessary instructions and data. The processor 822 controls the access network device to perform the necessary actions, for example to execute the operation procedures of the access network device in the embodiments of this application. The memory 821 and the processor 822 may serve one or more boards; that is, each board may have its own memory and processor, or multiple boards may share the same memory and processor. In addition, each board may be provided with the necessary circuits.
The network architecture and service scenarios described in the embodiments of this application are intended to illustrate the technical solutions of the embodiments more clearly and do not limit those solutions; a person of ordinary skill in the art will know that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided by the embodiments are equally applicable to similar technical problems.
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. For ease of description, the following takes the method being performed by an access network device and a terminal device as an example. The method can be applied to a multicast (or groupcast) scenario, in which an access network device performs multicast transmission with one or more terminal devices receiving the MBS; these one or more terminal devices may be called a multicast group. It should be understood that a multicast scenario is not limited to one access network device: multiple access network devices may cooperate in multicast transmission to at least one terminal device, for example in the SFN scenario, where multiple access network devices cooperate to send data to the terminal device. To facilitate understanding of the solution, the communication flow between one access network device participating in the multicast transmission (hereinafter the first access network device) and one terminal device in the multicast group (hereinafter the first terminal device) is described below. It should be understood that the process by which the first access network device communicates with other terminal devices in the multicast group, and the process by which other access network devices cooperating with the first access network device in the multicast transmission communicate with terminal devices in the multicast group, may refer to the flow of communication between the first access network device and the first terminal device.
Referring to FIG. 9, which is a schematic flowchart of a communication method provided by this application, the method includes:
S901: The core network device sends the security information of the MBS to the first access network device. Correspondingly, the first access network device receives the security information of the MBS.
In step S901, the receiving action performed by the first access network device may be performed by the transceiver module 620 of the apparatus shown in FIG. 6.
It can be understood that when multiple access network devices cooperate in multicast transmission (for example, in an SFN scenario, multiple access network devices cooperate to send data to the terminal device), the core network device may send the security information of the MBS to each of those access network devices, or the access network devices may exchange the MBS security information among themselves.
Exemplarily, the security information may also be called a security context, security context information, etc., and includes at least one of the following: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, and a security algorithm identifier. The MBS group key may be a root key from which subsequent MBS keys are derived, or it may be an intermediate key for generating the MBS key. The key update parameter may be a COUNT value, a key used for the update, a token, or a similar parameter; its role is to serve as an input when deriving the MBS key from the MBS group key or deriving a new MBS key from the old MBS key, ensuring that the derivation is irreversible, non-replicable and secure. The TMGI may be an MBS session identifier, an MBS service identifier or an MBS Internet Protocol (IP) multicast address; an MBS IP multicast address may also be referred to as a multicast IP address, a groupcast IP address, an IP multicast address or an IP groupcast address. The security algorithm identifier may include at least one of the following: the identifier of a security algorithm used for encryption or decryption, and the identifier of a security algorithm used for integrity protection or integrity verification.
It should be noted that the parameter names listed above for the MBS security information are only examples; the specific parameter names are not limited, and in a specific implementation the MBS security information may also include other parameters, which are not specifically limited here.
It can be understood that step S901 is optional: the first access network device may obtain the security information from other access network devices, or the information may be preconfigured. The embodiments of this application do not limit this.
S902: The first access network device generates an MBS key according to the security information.
In step S902, the action performed by the first access network device may be performed by the processing module 610 of the apparatus shown in FIG. 6.
The MBS key may include at least one of the following: a first key and a second key, where the first key is used to encrypt the MBS data and the second key is used for integrity protection of the MBS data. It can be understood that the identifier of the security algorithm used for encryption or decryption in the security information may be used when generating the first key, and the identifier of the security algorithm used for integrity protection or integrity verification may be used when generating the second key. In another possible implementation, the first key and the second key are the same, that is, the encryption and the integrity protection of the MBS data use the same key. In one example, the process of generating the MBS key may be as shown in FIG. 10. Optionally, in FIG. 10, the security information may be fed as input parameters into a security function entity used to derive the key; the security function entity computes output parameters by means of a security algorithm, and the MBS key is obtained from the output parameters. It is worth noting that the input parameters in FIG. 10 only illustrate the process of generating the MBS key and do not specifically limit the input parameters of the present invention; in different implementations, the input parameters may include those shown in the figure or those mentioned in the specific embodiments, or may further include other input parameters necessary for generating the MBS key.
The following is an exemplary description of the process by which the first access network device generates the MBS key.
When generating the MBS key, the first access network device may input other information in addition to the security information, for example one or more of: the identifier of the SFN area in which the first access network device is located, a tracking area identifier, an access network paging area identifier, the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of the cell of the first access network device (for example the absolute radio frequency channel number (ARFCN)). The other information may further include a count value. The count value indicates the corresponding derivation process or number of derivations, with different count values corresponding to different derivation processes or derivation counts. The first access network device may use the count value as an input parameter to ensure that different derivation processes yield different MBS keys, thereby guaranteeing key isolation between derivation processes; alternatively, the first access network device may determine from the count value the number of derivations required to go from the MBS group key to the MBS key.
All of the above security information and other information may be fed as input parameters into the security function entity when generating the MBS key; the security function entity computes output parameters by means of a security algorithm, and the MBS key is obtained from the output parameters.
In a possible implementation, the specific content of the above other information may be related to the SFN capability and the SFN state of the first access network device. Therefore, the first access network device may generate the MBS key according to the security information and at least one of the following: the SFN capability of the first access network device and the SFN state of the first access network device. The SFN capability may be understood as whether the access network device supports the SFN function, and the SFN state as whether the SFN function of the access network device is enabled.
In a specific example, when the first access network device satisfies a first condition, it may generate the MBS key according to the security information and first information, where the first condition includes that the SFN capability of the first access network device is "supported" and/or the SFN state of the first access network device is "on", and the first information includes at least one of: the identifier of the SFN area in which the first access network device is located, a tracking area identifier, and an access network paging area identifier. Alternatively, when the first access network device satisfies the first condition, it may generate the MBS key according to the security information alone. Optionally, if the SFN area is smaller than the tracking area, the first information may include the tracking area identifier, that is, the first access network device may generate the MBS key according to the tracking area identifier when the SFN area is smaller than the tracking area. If the SFN area is smaller than the access network paging area, the first information may include the access network paging area identifier, that is, the first access network device may generate the MBS key according to the access network paging area identifier when the SFN area is smaller than the access network paging area.
When the first access network device satisfies a second condition, it may generate the MBS key according to the security information and second information, where the second condition includes that the SFN capability of the first access network device is "not supported" and/or the SFN state of the first access network device is "off", and the second information includes at least one of: the identifier of the first access network device, the physical cell identifier of the first access network device, and the frequency information of the cell of the first access network device.
If the first access network device does not support the SFN function, or the SFN function is not enabled (that is, the SFN state is off), the cell signals of the first access network device do not need to be combined with the cell signals of other access network devices, that is, no SFN transmission is required. The first access network device can then use information specific to the access network device or the serving cell (that is, the second information) as an input parameter for generating the MBS key, so that when the MBS key is updated only the MBS key of this first access network device or serving cell needs to be updated, which improves security while reducing the overhead of key updates.
If the first access network device supports the SFN function, or the SFN function is enabled (that is, the SFN state is on), the cell signals of the first access network device may need to be combined with the cell signals of other access network devices. The data sent by the different access network devices must therefore be exactly the same, and the MBS key used for security processing must also be the same. Consequently, when generating the MBS key, the first access network device (or the first terminal device) cannot use parameters unique to the first access network device or its serving cell; for all access network devices or cells performing the same SFN function, the parameters used to generate the MBS key must be consistent. In this case, generating the MBS key from information related to the SFN area (that is, the first information) ensures that all access network devices or all cells in the same SFN area use the same MBS key.
It should be understood that the SFN state can be on only when the first access network device supports the SFN function; if the first access network device does not support the SFN function, there is no SFN state to speak of, or the SFN state cannot be on. Therefore, when the SFN state of the first access network device is on, the SFN capability of the first access network device may be taken by default as "supported".
It should be noted that, in the embodiments of this application, "the SFN state is on" may also be referred to as "the SFN state is enabled", "the SFN state is activated", etc., and "the SFN state is off" may also be referred to as "the SFN state is not on", "the SFN state is not enabled or is disabled", "the SFN state is not activated", "the SFN state is deactivated", "the SFN state is suppressed or dormant", etc.
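The following is an added example, not code from the patent or from its applicant, showing the key derivation rule of step S902 in working form: the first information (SFN area identifier, optionally the tracking area or RAN paging area identifier when the SFN area is smaller) is used when SFN is supported and on, the second information (node identifier, PCI, ARFCN) otherwise, and the COUNT value from the security information is always an input. The KDF (HMAC-SHA256 over length-prefixed parameters), the field names and all sample values are assumptions of this example; the page fixes neither a KDF nor an encoding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SecurityInfo:
    """MBS security information as listed under S901 (sample values are constructed)."""
    mbs_group_key: bytes   # root or intermediate key received from the core network
    tmgi: bytes            # MBS session / service identifier
    count: int             # key update parameter (COUNT)
    cipher_alg_id: int     # identifier of the ciphering algorithm
    integrity_alg_id: int  # identifier of the integrity algorithm


@dataclass
class AccessNode:
    """SFN capability and state of one access network device plus its identifiers (assumed fields)."""
    sfn_supported: bool
    sfn_enabled: bool
    sfn_area_id: Optional[int] = None
    tracking_area_id: Optional[int] = None
    ran_paging_area_id: Optional[int] = None
    sfn_area_smaller_than_ta: bool = False   # SFN area smaller than the tracking area
    sfn_area_smaller_than_rpa: bool = False  # SFN area smaller than the RAN paging area
    node_id: int = 0                         # access network device identifier
    pci: int = 0                             # physical cell identifier
    arfcn: int = 0                           # cell frequency (ARFCN)


def kdf(key: bytes, label: bytes, *params) -> bytes:
    """HMAC-SHA256 derivation with length-prefixed parameters (assumed; the page fixes no KDF)."""
    msg = label
    for p in params:
        b = p if isinstance(p, bytes) else int(p).to_bytes(4, "big")
        msg += len(b).to_bytes(2, "big") + b
    return hmac.new(key, msg, hashlib.sha256).digest()


def derivation_inputs(node: AccessNode) -> List:
    """Choose the first information (SFN on) or the second information (SFN off / unsupported)."""
    if node.sfn_supported and node.sfn_enabled:
        inputs = [b"FIRST-INFO", node.sfn_area_id]
        if node.sfn_area_smaller_than_ta:
            inputs.append(node.tracking_area_id)
        if node.sfn_area_smaller_than_rpa:
            inputs.append(node.ran_paging_area_id)
        return inputs
    # Node- or cell-specific identifiers: every node ends up with its own key.
    return [b"SECOND-INFO", node.node_id, node.pci, node.arfcn]


def derive_mbs_keys(sec: SecurityInfo, node: AccessNode) -> Tuple[bytes, bytes]:
    """Return (first key for ciphering, second key for integrity protection)."""
    extra = derivation_inputs(node)
    k_enc = kdf(sec.mbs_group_key, b"MBS-ENC", sec.tmgi, sec.count, sec.cipher_alg_id, *extra)
    k_int = kdf(sec.mbs_group_key, b"MBS-INT", sec.tmgi, sec.count, sec.integrity_alg_id, *extra)
    return k_enc, k_int


if __name__ == "__main__":
    sec = SecurityInfo(b"\x11" * 32, b"\x00\x01\x02\x03\x04\x05", count=0,
                       cipher_alg_id=2, integrity_alg_id=2)
    a = AccessNode(True, True, sfn_area_id=7, node_id=1, pci=10, arfcn=100)
    b = AccessNode(True, True, sfn_area_id=7, node_id=2, pci=11, arfcn=101)
    c = AccessNode(False, False, node_id=3, pci=12, arfcn=102)
    print("same SFN area, same key:", derive_mbs_keys(sec, a) == derive_mbs_keys(sec, b))
    print("SFN-off node differs:   ", derive_mbs_keys(sec, a) != derive_mbs_keys(sec, c))
```

Two nodes in SFN area 7 obtain identical keys even though their node identifiers differ, which is what lets their transmissions be combined; a node with SFN off obtains a key tied to its own identifiers, so a later rekey of that node affects nobody else. Bumping COUNT changes every derived key, which is the key-update path the text describes.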
S903: The first access network device performs security processing on the MBS data based on the MBS key, the security processing including at least one of: encryption and integrity protection.
In step S903, the action performed by the first access network device may be performed by the processing module 610 of the apparatus shown in FIG. 6.
S904: The first access network device sends the security-processed data to the first terminal device. Correspondingly, the first terminal device receives the data.
In step S901, assuming that the apparatus shown in FIG. 6 is an access network device, the sending action performed by the first access network device may be performed by the transceiver module 620 of the apparatus shown in FIG. 6. Assuming that the apparatus shown in FIG. 6 is a terminal device, the receiving action performed by the first terminal device may also be performed by the transceiver module 620 of the apparatus shown in FIG. 6.
It can be understood that when the multicast group includes multiple terminal devices, the first access network device may send the data to each of those terminal devices. The multicast group may include one or more terminal devices that receive the above MBS.
S905: The first terminal device performs security processing on the received data based on the MBS key, the security processing including at least one of: decryption and integrity verification.
In step S905, the action performed by the first terminal device may be performed by the processing module 610 of the apparatus shown in FIG. 6.
The MBS key of the first terminal device may be generated by the first access network device and sent to the first terminal device, or may be generated by the first terminal device itself in the same way as the first access network device.
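As an added example (not the patent's own code) of steps S903 and S905 together, the block below protects an MBS PDU with the first key (ciphering) and the second key (integrity) and verifies it on the terminal side, returning `None` when the integrity check fails. That failure is exactly what a terminal sees when its MBS key no longer matches the access network device's key, for instance after a key update it has not received. The 4-byte MAC length, the counter-mode keystream built from HMAC-SHA256 as a stand-in for a 3GPP NEA/NIA algorithm, and the PDU layout (COUNT in clear, then ciphered payload plus MAC) are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional

MAC_LEN = 4  # 32-bit MAC, the size of an NR PDCP MAC-I (assumption of this example)


def _prf_block(key: bytes, count: int, index: int) -> bytes:
    """One 32-byte keystream block; HMAC-SHA256 stands in for a 3GPP ciphering algorithm."""
    return hmac.new(key, count.to_bytes(4, "big") + index.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def _keystream(k_enc: bytes, count: int, length: int) -> bytes:
    out = b""
    index = 0
    while len(out) < length:
        out += _prf_block(k_enc, count, index)
        index += 1
    return out[:length]


def _mac(k_int: bytes, count: int, plaintext: bytes) -> bytes:
    """Truncated HMAC over COUNT || plaintext (stand-in for an integrity algorithm)."""
    return hmac.new(k_int, count.to_bytes(4, "big") + plaintext, hashlib.sha256).digest()[:MAC_LEN]


def protect(k_enc: bytes, k_int: bytes, count: int, plaintext: bytes) -> bytes:
    """S903, access network side: integrity-protect, then cipher; COUNT travels in clear."""
    body = plaintext + _mac(k_int, count, plaintext)
    ks = _keystream(k_enc, count, len(body))
    return count.to_bytes(4, "big") + bytes(x ^ y for x, y in zip(body, ks))


def unprotect(k_enc: bytes, k_int: bytes, pdu: bytes) -> Optional[bytes]:
    """S905, terminal side: decipher, then verify; None when verification fails."""
    if len(pdu) < 4 + MAC_LEN:
        return None
    count = int.from_bytes(pdu[:4], "big")
    ks = _keystream(k_enc, count, len(pdu) - 4)
    body = bytes(x ^ y for x, y in zip(pdu[4:], ks))
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(k_int, count, plaintext)):
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed keys; in practice these are the first and second MBS keys from S902.
    k_enc, k_int = b"\xaa" * 32, b"\xbb" * 32
    pdu = protect(k_enc, k_int, 5, b"multicast payload")
    print(unprotect(k_enc, k_int, pdu))            # b'multicast payload'
    print(unprotect(k_enc, b"\xcc" * 32, pdu))     # None: terminal holds a stale integrity key
```

The same functions cover the variant in which the first and second keys are one key: pass the same bytes as `k_enc` and `k_int`. Because every terminal in the multicast group holds the same key, a receiver can verify but not attribute a PDU; the text's protection is therefore against parties outside the group, not between members.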
Exemplarily, if the MBS key of the first terminal device is sent by the first access network device to the first terminal device, the first access network device may send the MBS key to the first terminal device through the following Solution 1 or Solution 2:
Solution 1: In the scenario where the first terminal device accesses a cell of the first access network device, the first access network device may send the MBS key to the first terminal device after generating it. The first access network device may send the MBS key to the terminal device in an RRC message, for example by carrying the MBS key in an RRC reconfiguration message.
Solution 2: In the scenario where the first terminal device is handed over from a second access network device to the first access network device, the first access network device may send the MBS key to the second access network device, which forwards it to the first terminal device. Exemplarily, the first access network device may send the MBS key to the second access network device in a handover request acknowledge message, and the second access network device may carry the MBS key in the handover command sent to the first terminal device. Here, the MBS key of the first access network device differs from the MBS key of the second access network device. For example, based on the specific example of generating the MBS key in step S902, if the first access network device satisfies the first condition, that is, the first access network device does not support the SFN function or the SFN state is off, the first access network device generates the MBS key according to information about the first access network device itself (that is, the second information), so the MBS key generated by the first access network device differs from the MBS keys of other access network devices (such as the second access network device). For another example, if the first access network device satisfies the second condition, that is, the first access network device supports the SFN function and/or the SFN state is on, the first access network device generates the MBS key according to information about the SFN area in which it is located (that is, the first information), so the access network devices in the SFN area of the first access network device have the same MBS key; the second access network device, however, is not in the SFN area of the first access network device, so the MBS keys of the first and second access network devices differ.
Take as an example, as shown in FIG. 11, the first terminal device being handed over from one SFN area (the SFN area of the second access network device) to another SFN area (the SFN area of the first access network device). The MBS key of the first access network device may be sent to the second access network device in a handover request acknowledge message. Specifically, the handover request message from the second access network device may carry an SFN area identifier; after receiving the message, if the first access network device determines that this SFN area identifier differs from its own SFN area identifier, or if the first access network device does not support the SFN function and has no SFN area identifier, it may send its MBS key to the second access network device, and the second access network device then sends the MBS key to the first terminal device in the handover command. After completing the handover, the first terminal device uses the MBS key of the first access network device to perform security processing on the MBS data.
Optionally, when a terminal device (the first terminal device or another terminal device) is handed over between access network devices within the same SFN area, the MBS key need not be updated if the MBS keys used by the different access network devices are the same.
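The handover exchange of Solution 2 and FIG. 11, written out as an added example with both sides' messages (this is illustrative code, not the patent's): the source node puts its SFN area identifier in the handover request, the target node decides from that identifier whether its MBS key must go back in the acknowledge message, and the source then includes the key in the handover command only if it received one. Message field names, the dictionary representation and the sample keys are assumptions of this example; the decision rule is the one the text states (different SFN area, or target without SFN support, means the key is delivered; same SFN area means no key update).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Node:
    name: str
    sfn_supported: bool
    sfn_area_id: Optional[int]  # None when the node has no SFN area identifier
    mbs_key: bytes              # this node's MBS key (constructed sample value)


def handover_request(source: Node) -> Dict:
    """Source (second access network device): carries its SFN area id when it has one."""
    msg = {"type": "HANDOVER_REQUEST"}
    if source.sfn_area_id is not None:
        msg["sfn_area_id"] = source.sfn_area_id
    return msg


def handover_request_ack(target: Node, req: Dict) -> Dict:
    """Target (first access network device): includes its MBS key only when the UE needs a new one."""
    ack = {"type": "HANDOVER_REQUEST_ACKNOWLEDGE"}
    different_area = req.get("sfn_area_id") != target.sfn_area_id
    if not target.sfn_supported or target.sfn_area_id is None or different_area:
        ack["mbs_key"] = target.mbs_key
    return ack


def handover_command(ack: Dict) -> Dict:
    """Source forwards the key to the UE in the handover command, if the ack carried one."""
    cmd = {"type": "HANDOVER_COMMAND"}
    if "mbs_key" in ack:
        cmd["mbs_key"] = ack["mbs_key"]
    return cmd


def run_handover(ue_key: bytes, source: Node, target: Node) -> Tuple[bytes, bool]:
    """Return the key the UE holds after handover and whether it was updated."""
    req = handover_request(source)
    ack = handover_request_ack(target, req)
    cmd = handover_command(ack)
    return cmd.get("mbs_key", ue_key), "mbs_key" in cmd


if __name__ == "__main__":
    src = Node("source", True, 1, b"K-area1")
    print(run_handover(b"K-area1", src, Node("same-area", True, 1, b"K-area1")))   # (b'K-area1', False)
    print(run_handover(b"K-area1", src, Node("other-area", True, 2, b"K-area2")))  # (b'K-area2', True)
    print(run_handover(b"K-area1", src, Node("no-sfn", False, None, b"K-node3")))  # (b'K-node3', True)
```

Note what the target cannot learn from this exchange: it sees only the source's SFN area identifier, never the source's MBS key, so a key bound to one SFN area or one node stays confined to it.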
If the MBS key of the first terminal device is generated by the first terminal device, it may be generated by the following process: the core network device sends the security information of the MBS to the first terminal device, and the first terminal device generates the MBS key based on that security information. The rule information and input parameters used by the first terminal device and the first access network device to generate the MBS key must be the same, so that the first access network device and the first terminal device use consistent keys for the security processing of the MBS data, which improves the accuracy with which the first terminal device obtains the MBS data. The rule information for generating the MBS key and the required input parameters may be specified by protocol, or sent in advance by the core network device to the first terminal device, for example during authentication or registration of the first terminal device.
Exemplarily, the first terminal device may also generate the MBS key by the method described in the specific example of step S902. Specifically, when generating the MBS key by that method, the first terminal device may obtain the SFN capability of the first access network device from first indication information sent by the first access network device, and the SFN state of the first access network device from second indication information sent by the first access network device, where the first indication information indicates the SFN capability of the first access network device and the second indication information indicates the SFN state of the first access network device. Alternatively, the first indication information may indicate that the SFN capability of the first access network device is "supported", and the second indication information may indicate that the SFN state of the first access network device is "on".
It can be understood that when the SFN capability of the first access network device is "not supported", the first access network device may refrain from sending the first indication information; that is, when the first access network device does not send the first indication information indicating the SFN capability, the terminal device regards the SFN capability of the access network device as "not supported". Similarly, when the SFN state of the first access network device is not on (off), the first access network device may refrain from sending the second indication information; that is, when the first access network device does not send the second indication information indicating the SFN state, the terminal device regards the SFN capability of the access network device as "not supported". This further saves signalling overhead.
The first indication information and the second indication information may be the same piece of information. For example, the first access network device indicates both its SFN function and its SFN state through one piece of indication information: if the first access network device does not support the SFN function, the indication information may indicate that the SFN function is "not supported"; if the first access network device supports the SFN function, the indication information may indicate the SFN state, thereby implicitly indicating that the SFN function is "supported".
Of course, the first indication information and the second indication information may also be two pieces of information. In this case, the first indication information and the second indication information may be sent to the first terminal device in the same message or in two messages.
In addition, the first access network device may also indicate the SFN area identifier to the first terminal device.
In one implementation, the first access network device may indicate the SFN area identifier through the first indication information or the second indication information. In one example, the first access network device indicates the SFN function and the SFN area identifier through the first indication information: if the first access network device supports the SFN function, the first indication information may indicate the SFN area identifier, thereby implicitly indicating that the first access network device supports the SFN function; if the first access network device does not support the SFN function, the first indication information may indicate that the SFN function is "not supported". In another example, the first access network device indicates the SFN state and the SFN area identifier through the second indication information: if the SFN state of the first access network device is on, the second indication information may indicate the SFN area identifier, thereby implicitly indicating that the SFN state is on; if the SFN state of the first access network device is off, the second indication information may indicate that the SFN state is off. In yet another example, the first access network device indicates the SFN function, the SFN state and the SFN area identifier through a single piece of indication information: if the first access network device does not support the SFN function, the indication information may indicate that the SFN function is "not supported"; if the first access network device supports the SFN function but the SFN state is off, the indication information may indicate that the SFN state is off, thereby implicitly indicating that the SFN function is "supported"; if the first access network device supports the SFN function and the SFN state is on, the indication information may indicate the SFN area identifier, thereby implicitly indicating that the SFN function is "supported" and the SFN state is on.
In another implementation, the first access network device may also indicate the SFN area identifier through third indication information.
The first indication information, the second indication information and the third indication information may each be sent in a broadcast message, a system message or an RRC message.
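An added example (not from the patent) of the single combined indication described in the last variant above, as a terminal would parse it: absence of the element means "not supported", a state-off value implies "supported", and an SFN area identifier implies both "supported" and "on". The byte encoding, the element name and the strictness checks are assumptions of this example; no 3GPP information element is being reproduced. A malformed element is rejected rather than guessed at, since the decoded result decides which inputs go into key derivation.

```python
from typing import Optional, Tuple

# Constructed encoding of the combined indication (assumption, not a standardised IE):
#   element absent         -> SFN function not supported
#   b"\x00"                -> SFN supported, SFN state off
#   b"\x01" + area_id (2B) -> SFN supported, SFN state on, followed by the SFN area identifier
SFN_OFF = 0x00
SFN_ON = 0x01

Decoded = Tuple[bool, bool, Optional[int]]  # (supported, enabled, sfn_area_id)


def encode_sfn_indication(supported: bool, enabled: bool,
                          sfn_area_id: Optional[int] = None) -> Optional[bytes]:
    """Access network side: build the element, or None to omit it entirely."""
    if not supported:
        return None  # omitting the element is itself the "not supported" indication
    if not enabled:
        return bytes([SFN_OFF])
    if sfn_area_id is None:
        raise ValueError("SFN state on requires an SFN area identifier")
    return bytes([SFN_ON]) + sfn_area_id.to_bytes(2, "big")


def decode_sfn_indication(ie: Optional[bytes]) -> Decoded:
    """Terminal side: recover capability, state and area id, including the implicit ones."""
    if ie is None:
        return (False, False, None)
    if len(ie) == 1 and ie[0] == SFN_OFF:
        return (True, False, None)
    if len(ie) == 3 and ie[0] == SFN_ON:
        return (True, True, int.from_bytes(ie[1:], "big"))
    raise ValueError("malformed SFN indication")


def key_input_set(decoded: Decoded) -> str:
    """Which information set the terminal feeds into MBS key derivation (see step S902)."""
    supported, enabled, _ = decoded
    return "first information" if supported and enabled else "second information"


if __name__ == "__main__":
    for ie in (None, b"\x00", encode_sfn_indication(True, True, 0x0007)):
        d = decode_sfn_indication(ie)
        print(ie, "->", d, "->", key_input_set(d))
```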
In the embodiments of this application, the access network device and the terminal device can generate an MBS key based on the security information of the MBS received from the core network device, and perform security processing of the MBS data based on that MBS key, thereby improving the security of multicast and broadcast transmission.
Moreover, the SFN mechanism of the access network device is taken into account when generating the MBS key, so that the SFN mechanism on the access network side is not affected and the key update overhead can be reduced.
In one possible implementation, after the first access network device has generated the MBS key, the MBS key needs to be updated in some scenarios. For example, when the first terminal device (or any other terminal device in the multicast group) leaves the multicast group, the core network device or the first access network device may update (that is, re-derive) the MBS key so that the departed terminal device cannot continue to receive the MBS using the previous MBS key. As another example, when the SFN state of the first access network device changes, the first access network device may update the MBS key.
By way of example, a terminal device (the first terminal device or any other terminal device in the multicast group) may leave the multicast group because it has performed a cell handover, because it is no longer interested in the MBS, and so on. A terminal device may of course leave the multicast group for other reasons; this application only gives examples and does not limit the reasons for which a terminal device leaves the multicast group.
It should be noted that a cell handover by a terminal device may or may not trigger an update of the MBS key.
One implementation of the update procedure may include the following steps:
Step 1: the core network device or the first access network device determines when to update the MBS key. For example, when a terminal device (the first terminal device or any other terminal device in the multicast group) sends indication information to the core network device or the first access network device indicating that it is no longer interested in a particular MBS, or when the core network device or the first access network device determines from the subscription information of that terminal device that it has left the multicast group, the core network device or the first access network device may update the MBS key on the basis of that departure.
Optionally, after the core network device detects that the terminal device has stopped receiving the MBS data, it may also instruct the first access network device to update the MBS key.
Step 2: the core network device or the first access network device determines the scope of the MBS key update. If the MBS key was generated from information related to the first access network device or the serving cell (that is, the second information), then only the MBS key of that first access network device or serving cell needs to be updated; if the MBS key was generated from the SFN area identifier, the MBS key of that SFN area is updated; if it was generated from the tracking area identifier, the MBS key of that tracking area is updated; and if it was generated from the access network paging area identifier, the MBS key of that access network paging area is updated.
Step 3: the first access network device generates a new MBS key and sends it to the terminal device, or the first access network device sends an update indication to the terminal device instructing it to generate the new MBS key itself.
Steps 1 and 2 have no strict order of execution.
In the embodiments of this application, whether the SFN function is enabled on the access network device decides whether the parameters used to derive the key include information related to the access network device or cell: if the SFN function is enabled, the access network devices or cells that take part in SFN combining must not include access network device or cell related information when generating the key; if the SFN function is disabled or not supported, the access network device or cell may include such information when generating the key. In this way the SFN mechanism on the access network side is not affected, and the key update overhead is reduced.
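The derivation rule just stated and the update scope of Step 2 above, carried through in an added Python example (this is not code from the patent; the KDF, the byte layout of the inputs, the field names and all sample values are assumptions chosen for illustration). The premise behind the SFN branch is that cells combining in one single-frequency network radiate the same signal and therefore must produce identical ciphertext, so their key can depend only on the shared area identifier; a cell outside an SFN may mix in its own identity, which confines a later re-derivation to that one cell:

```python
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MbsSecurityInfo:
    """Security information the core network hands to access network and UE.
    The patent's claims list these items; the values used below are constructed."""
    group_key: bytes        # MBS group key
    tmgi: bytes             # temporary mobile group identity (session/service id)
    key_update_param: int   # bumped on every key update (re-derivation)
    algorithm_id: int       # security algorithm identifier, 0..255


@dataclass(frozen=True)
class AccessNode:
    """One access network device (gNB) and the SFN facts it advertises (hypothetical model)."""
    supports_sfn: bool
    sfn_enabled: bool
    sfn_area_id: Optional[bytes]   # "first information": SFN area id (used only with SFN on)
    node_id: bytes                 # "second information": device id,
    pci: int                       #   physical cell id,
    freq_khz: int                  #   and cell frequency


def _kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    # Hypothetical KDF chosen for this example: HMAC-SHA256 over a label followed by
    # length-prefixed parameters. The patent does not fix a particular KDF.
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def derivation_scope(node: AccessNode) -> Tuple[str, bytes]:
    """Decide which node-related input enters the derivation.

    SFN on: only the area id, never cell identity (all cells in the area must share the key).
    SFN off or unsupported: cell identity is mixed in, so a key update stays local to this cell.
    """
    if node.supports_sfn and node.sfn_enabled:
        if node.sfn_area_id is None:
            raise ValueError("SFN enabled but no SFN area identifier advertised")
        return ("sfn_area", node.sfn_area_id)
    cell = node.node_id + node.pci.to_bytes(2, "big") + node.freq_khz.to_bytes(4, "big")
    return ("cell", cell)


def derive_mbs_keys(sec: MbsSecurityInfo, node: AccessNode) -> Tuple[bytes, bytes]:
    """Return (first key for ciphering, second key for integrity protection)."""
    _, scope_bytes = derivation_scope(node)
    base = _kdf(sec.group_key, b"MBS-KEY",
                sec.tmgi,
                sec.key_update_param.to_bytes(4, "big"),
                bytes([sec.algorithm_id]),
                scope_bytes)
    return _kdf(base, b"MBS-ENC"), _kdf(base, b"MBS-INT")


def nodes_to_rekey(nodes: List[AccessNode], trigger: AccessNode) -> List[AccessNode]:
    """Step 2 of the update procedure: every node whose key shares the derivation
    scope of the node where the trigger (for example a UE leaving) occurred."""
    scope = derivation_scope(trigger)
    return [n for n in nodes if derivation_scope(n) == scope]


def next_key_update(sec: MbsSecurityInfo) -> MbsSecurityInfo:
    """Re-derivation after a UE leaves: bump the key update parameter so the
    departed UE's old key no longer matches."""
    return replace(sec, key_update_param=sec.key_update_param + 1)


def sfn_state_changed(node: AccessNode, enabled: bool) -> AccessNode:
    """Toggle the SFN state; the page states this also triggers a key update."""
    return replace(node, sfn_enabled=enabled)


# Constructed sample data (not real network values).
SEC = MbsSecurityInfo(group_key=bytes.fromhex("00112233445566778899aabbccddeeff"),
                      tmgi=b"TMGI-0001", key_update_param=7, algorithm_id=2)
AREA_A = b"SFN-AREA-A"
NODE_A1 = AccessNode(True, True, AREA_A, b"gnb-a1", 101, 3_500_000)
NODE_A2 = AccessNode(True, True, AREA_A, b"gnb-a2", 102, 3_500_000)
NODE_B = AccessNode(True, False, AREA_A, b"gnb-b", 201, 3_500_000)   # SFN supported, switched off
NODE_C = AccessNode(False, False, None, b"gnb-c", 301, 3_700_000)    # SFN not supported
ALL_NODES = [NODE_A1, NODE_A2, NODE_B, NODE_C]

if __name__ == "__main__":
    print("A1 and A2 share keys:", derive_mbs_keys(SEC, NODE_A1) == derive_mbs_keys(SEC, NODE_A2))
    print("rekey after UE leaves A1:", [n.node_id for n in nodes_to_rekey(ALL_NODES, NODE_A1)])
    print("rekey after UE leaves B:", [n.node_id for n in nodes_to_rekey(ALL_NODES, NODE_B)])
```

Running it shows the two SFN cells in area A deriving identical ciphering and integrity keys while the two non-SFN cells each get their own, that a UE leaving cell B forces a new key in B only whereas a UE leaving A1 forces one across the whole area, and that bumping the key update parameter or toggling the SFN state changes the derived keys.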
An embodiment of this application provides a communication apparatus. The communication apparatus may be used to implement the terminal device involved in the foregoing embodiments, and may include the structure shown in FIG. 6 and/or FIG. 7.
An embodiment of this application provides a communication apparatus. The communication apparatus may be used to implement the first access network device involved in the foregoing embodiments, and may include the structure shown in FIG. 6 and/or FIG. 8.
An embodiment of this application provides a communication system. The communication system may include at least one terminal device and at least one access network device, where the terminal device and the access network device in the communication system may perform the method shown in any of the foregoing method embodiments.
An embodiment of this application further provides a computer-readable storage medium storing a computer program; when the computer program is executed by a computer, the computer can carry out the procedures related to the terminal device or the network device in any of the foregoing method embodiments.
An embodiment of this application further provides a computer program product for storing a computer program; when the computer program is executed by a computer, the computer can carry out the procedures related to the terminal device or the network device in any of the foregoing method embodiments.
An embodiment of this application further provides a chip or a chip system. The chip may include a processor, which may be used to call programs or instructions in a memory to perform the procedures related to the terminal device or the first access network device in any of the foregoing method embodiments. The chip system may include the chip and may also include other components such as a memory or a transceiver.
An embodiment of this application further provides a circuit, which may be coupled with a memory and may be used to perform the procedures related to the terminal device or the network device in any of the foregoing method embodiments. The chip system may include the chip and may also include other components such as a memory or a transceiver.
It should be understood that the processor mentioned in the embodiments of this application may be a CPU, or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) is integrated in the processor.
It should be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiments of this application.
A person of ordinary skill in the art will appreciate that the modules and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, reference may be made to the corresponding processes in the foregoing method embodiments for the specific working processes of the systems, apparatuses and modules described above, and they are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed methods and apparatuses may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purposes of the solutions of the embodiments of this application.
In addition, the functional modules in the embodiments of this application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods in the embodiments of this application. The aforementioned computer-readable storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), universal serial bus flash disk, removable hard disk, or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The above are merely specific implementations of this application, but the scope of protection of the embodiments of this application is not limited thereto; any changes or substitutions that a person familiar with the technical field could readily conceive within the technical scope disclosed in the embodiments of this application shall fall within the scope of protection of the embodiments of this application. Therefore, the scope of protection of the embodiments of this application shall be subject to the scope of protection of the claims.

Claims (40)

  1. A communication method, characterized in that the method is applied to a first access network device and comprises:
    receiving security information of a multicast broadcast service (MBS);
    generating an MBS key according to the security information;
    performing security processing on data of the MBS based on the MBS key, the security processing comprising at least one of the following: encryption, integrity protection;
    sending the data to a terminal device.
  2. The method according to claim 1, characterized in that generating the MBS key according to the security information comprises:
    generating the MBS key according to the security information and at least one of the following: a single frequency network (SFN) capability of the first access network device, an SFN state of the first access network device.
  3. The method according to claim 2, characterized in that generating the MBS key according to the security information and at least one of the SFN capability of the first access network device and the SFN state of the first access network device comprises:
    when a first condition is met, generating the MBS key according to the security information and first information, or generating the MBS key according to the security information, the first information comprising at least one of the following: an identifier of the SFN area in which the first access network device is located, a tracking area identifier, an access network paging area identifier, and the first condition comprising that the SFN capability is supported and/or the SFN state is on;
    when a second condition is met, generating the MBS key according to the security information and second information, the second information comprising at least one of the following: an identifier of the first access network device, a physical cell identifier of the first access network device, frequency information of a cell of the first access network device, and the second condition comprising that the SFN capability is not supported and/or the SFN state is off.
  4. The method according to any one of claims 1 to 3, characterized in that the MBS key comprises at least one of the following: a first key, a second key; and performing security processing on the data of the MBS based on the MBS key comprises: encrypting the data based on the first key, and integrity-protecting the data based on the second key.
  5. The method according to any one of claims 1 to 4, characterized in that the security information comprises at least one of the following: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, a security algorithm identifier.
  6. The method according to claim 5, characterized in that the TMGI is an MBS session identifier, an MBS service identifier or an Internet Protocol (IP) multicast address of the MBS.
  7. The method according to claim 2 or 3, characterized in that the method further comprises:
    sending first indication information and/or second indication information to the terminal device, the first indication information being used to indicate the SFN capability of the first access network device and the second indication information being used to indicate the SFN state of the first access network device.
  8. The method according to any one of claims 1 to 7, characterized in that the method further comprises:
    updating the MBS key if the terminal device stops receiving the MBS.
  9. The method according to claim 2 or 3, characterized in that the method further comprises:
    updating the MBS key if the SFN state of the first access network device changes.
  10. A communication method, characterized in that the method is applied to a terminal device and comprises:
    obtaining a multicast broadcast service (MBS) key;
    receiving data of the MBS;
    performing security processing on the data based on the MBS key, the security processing comprising at least one of the following: decryption, integrity verification.
  11. The method according to claim 10, characterized in that obtaining the MBS key comprises:
    receiving security information of the MBS;
    generating the MBS key according to the security information.
  12. The method according to claim 11, characterized in that generating the MBS key according to the security information comprises:
    obtaining first indication information and/or second indication information, the first indication information being used to indicate an SFN capability of a first access network device and the second indication information being used to indicate an SFN state of the first access network device;
    generating the MBS key according to at least one of the first indication information and the second indication information, and the security information.
  13. The method according to claim 12, characterized in that generating the MBS key according to at least one of the first indication information and the second indication information, and the security information comprises:
    when a first condition is met, generating the MBS key according to the security information and first information, or generating the MBS key according to the security information, the first information comprising at least one of the following: an identifier of the SFN area in which the first access network device is located, a tracking area identifier, an access network paging area identifier, and the first condition being that the first indication information indicates that the SFN function of the first access network device is supported and/or the second indication information indicates that the SFN state of the first access network device is on; or
    when a second condition is met, generating the MBS key according to the security information and second information, the second information comprising at least one of the following: an identifier of the first access network device, a physical cell identifier of the first access network device, frequency information of a cell of the first access network device, and the second condition comprising that the first indication information indicates that the SFN capability of the first access network device is not supported and/or the second indication information indicates that the SFN state of the first access network device is off.
  14. The method according to any one of claims 10 to 13, characterized in that the MBS key comprises at least one of the following: a first key, a second key; and performing security processing on the data based on the MBS key comprises: decrypting the data based on the first key, and verifying the integrity of the data based on the second key.
  15. The method according to any one of claims 10 to 14, characterized in that the security information comprises at least one of the following: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, a security algorithm identifier.
  16. The method according to claim 15, characterized in that the TMGI is an MBS session identifier, an MBS service identifier or an Internet Protocol (IP) multicast address of the MBS.
  17. The method according to claim 10, characterized in that obtaining the MBS key comprises:
    receiving the MBS key from a first access network device, the MBS key being generated based on security information of the MBS.
  18. A communication apparatus, characterized in that it comprises:
    a transceiver module, configured to receive security information of a multicast broadcast service (MBS);
    a processing module, configured to generate an MBS key according to the security information;
    and to perform security processing on data of the MBS based on the MBS key, the security processing comprising at least one of the following: encryption, integrity protection;
    the transceiver module being further configured to send the data to a terminal device.
  19. The apparatus according to claim 18, characterized in that, when generating the MBS key according to the security information, the processing module is specifically configured to:
    generate the MBS key according to the security information and at least one of the following: a single frequency network (SFN) capability of the first access network device, an SFN state of the first access network device.
  20. The apparatus according to claim 19, characterized in that, when generating the MBS key according to the security information and at least one of the SFN capability of the first access network device and the SFN state of the first access network device, the processing module is specifically configured to:
    when a first condition is met, generate the MBS key according to the security information and first information, or generate the MBS key according to the security information, the first information comprising at least one of the following: an identifier of the SFN area in which the first access network device is located, a tracking area identifier, an access network paging area identifier, and the first condition comprising that the SFN capability is supported and/or the SFN state is on;
    when a second condition is met, generate the MBS key according to the security information and second information, the second information comprising at least one of the following: an identifier of the first access network device, a physical cell identifier of the first access network device, frequency information of a cell of the first access network device, and the second condition comprising that the SFN capability is not supported and/or the SFN state is off.
  21. The apparatus according to any one of claims 18 to 20, characterized in that the MBS key comprises at least one of the following: a first key, a second key; and when performing security processing on the data of the MBS based on the MBS key, the processing module is specifically configured to: encrypt the data based on the first key, and integrity-protect the data based on the second key.
  22. The apparatus according to any one of claims 18 to 21, characterized in that the security information comprises at least one of the following: an MBS group key, a temporary mobile group identity (TMGI), a key update parameter, a security algorithm identifier.
  23. The apparatus according to claim 22, characterized in that the TMGI is an MBS session identifier, an MBS service identifier or an Internet Protocol (IP) multicast address of the MBS.
  24. The apparatus according to claim 19 or 20, characterized in that the transceiver module is further configured to:
    send first indication information and/or second indication information to the terminal device, the first indication information being used to indicate the SFN capability of the first access network device and the second indication information being used to indicate the SFN state of the first access network device.
  25. The apparatus according to any one of claims 18 to 24, characterized in that the processing module is further configured to:
    update the MBS key if the terminal device stops receiving the MBS.
  26. The apparatus according to claim 19 or 20, characterized in that the processing module is further configured to:
    update the MBS key if the SFN state of the first access network device changes.
  27. A communication apparatus, characterized in that the apparatus comprises:
    a processing module, configured to obtain a multicast broadcast service (MBS) key;
    a transceiver module, configured to receive data of the MBS;
    the processing module being further configured to perform security processing on the data based on the MBS key, the security processing comprising at least one of the following: decryption, integrity verification.
  28. The apparatus according to claim 27, characterized in that, when obtaining the MBS key, the processing module is specifically configured to:
    receive security information of the MBS through the transceiver module;
    generate the MBS key according to the security information.
  29. The apparatus according to claim 28, characterized in that, when generating the MBS key according to the security information, the processing module is specifically configured to:
    obtain first indication information and/or second indication information, the first indication information being used to indicate an SFN capability of a first access network device and the second indication information being used to indicate an SFN state of the first access network device;
    generate the MBS key according to at least one of the first indication information and the second indication information, and the security information.
  30. The apparatus according to claim 29, characterized in that, when generating the MBS key according to at least one of the first indication information and the second indication information, and the security information, the processing module is specifically configured to:
    when a first condition is met, generate the MBS key according to the security information and first information, or generate the MBS key according to the security information, the first information comprising at least one of the following: an identifier of the SFN area in which the first access network device is located, a tracking area identifier, an access network paging area identifier, and the first condition being that the first indication information indicates that the SFN function of the first access network device is supported and/or the second indication information indicates that the SFN state of the first access network device is on; or
    满足第二条件时,根据所述安全信息和第二信息生成所述MBS密钥,所述第二信息包括如下至少一项:所述第一接入网设备的标识、所述第一接入网设备的物理小区标识、所述第一接入网设备的小区的频率信息,所述第二条件包括所述第一指示信息指示所述第一接入网设备的SFN能力为不支持和/或所述第二指示信息指示所述第一接入网设备的SFN状态为关闭。When the second condition is met, generate the MBS key according to the security information and second information, where the second information includes at least one of the following: the identifier of the first access network device, the first access network device The physical cell identity of the network device, the frequency information of the cell of the first access network device, the second condition includes that the first indication information indicates that the SFN capability of the first access network device is not supported and/or Or the second indication information indicates that the SFN state of the first access network device is off.
  31. 如权利要求27-30任一项所述的装置,其特征在于,所述MBS密钥包括如下至少一项:第一密钥、第二密钥;所述处理模块,在基于所述MBS密钥对所述数据进行安全处理时,具体用于:基于所述第一密钥对所述数据进行解密,基于所述第二密钥对所述数据进行完整性验证。The device according to any one of claims 27-30, wherein the MBS key includes at least one of the following: a first key and a second key; the processing module, based on the MBS key, When performing security processing on the data with a key, it is specifically used to: decrypt the data based on the first key, and verify the integrity of the data based on the second key.
  32. 如权利要求27-31任一项所述的装置,其特征在于,所述安全信息包括如下信息中至少一项:MBS组密钥,临时移动组标识TMGI,密钥更新参数,安全算法标识。The device according to any one of claims 27-31, wherein the security information includes at least one of the following information: MBS group key, temporary mobile group identifier TMGI, key update parameters, and security algorithm identifier.
  33. 如权利要求32所述的装置,其特征在于,所述TMGI为MBS会话标识、MBS业务标识或者MBS互联网协议IP多播地址。The device according to claim 32, wherein the TMGI is an MBS session identifier, an MBS service identifier or an MBS Internet Protocol IP multicast address.
  34. 如权利要求27所述的装置,其特征在于,所述处理模块,在获取多播广播业务MBS密钥时,具体用于:The device according to claim 27, wherein the processing module, when acquiring the multicast broadcast service MBS key, is specifically used for:
    通过所述收发模块接收来自第一接入网设备的所述MBS密钥,所述MBS密钥基于所述MBS的安全信息生成。receiving the MBS key from the first access network device through the transceiving module, where the MBS key is generated based on the security information of the MBS.
  35. 一种通信装置,其特征在于,包括:A communication device, characterized by comprising:
    存储器,用于存储指令;memory for storing instructions;
    处理器,用于从所述存储器中调用并运行所述指令,使得所述通信装置执行如权利要求1-9中任一项所述的方法。A processor, configured to call and execute the instruction from the memory, so that the communication device executes the method according to any one of claims 1-9.
  36. 一种通信装置,其特征在于,包括:A communication device, characterized by comprising:
    存储器,用于存储指令;memory for storing instructions;
    处理器,用于从所述存储器中调用并运行所述指令,使得所述通信装置执行如权利要求10-17中任一项所述的方法。A processor, configured to call and execute the instruction from the memory, so that the communication device executes the method according to any one of claims 10-17.
  37. 一种通信系统,其特征在于,包括如权利要求18-26中任一所述的通信装置和27-34中任一所述的通信装置。A communication system, characterized by comprising the communication device according to any one of claims 18-26 and the communication device according to any one of claims 27-34.
  38. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有指令,当所述指令在计算机上被调用执行时,使得所述计算机执行如权利要求1-17中任一项所述 的方法。A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are invoked and executed on a computer, the computer executes any one of claims 1-17. method described in the item.
  39. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行如权利要求1-17中任一项所述的方法。A computer program product, characterized in that, when the computer program product is run on a computer, the computer is made to execute the method according to any one of claims 1-17.
  40. 一种电路,其特征在于,所述电路与存储器耦合,所述电路用于读取并执行所述存储器中存储的程序以执行如权利要求1-17中任一项所述的方法。A circuit, characterized in that the circuit is coupled to a memory, and the circuit is used to read and execute a program stored in the memory to perform the method according to any one of claims 1-17.
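The key derivation of claims 28 to 31 (SFN-area binding under the first condition, per-cell binding under the second), the key update of claims 25 and 26, and the integrity check of claim 27, as an added Python example that is not part of the patent or of any Huawei implementation. The HMAC-SHA256 KDF, the labels, the byte encodings and all field names are assumptions: the claims fix the inputs and conditions, not a concrete function, and the sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SecurityInfo:
    """Claim 32: MBS group key, TMGI, key update parameter, security algorithm id."""
    group_key: bytes
    tmgi: bytes
    key_update_param: int
    algorithm_id: int

@dataclass(frozen=True)
class RanContext:
    """Claims 29/30: the two indications plus the first and second information."""
    sfn_supported: bool   # first indication information: SFN capability
    sfn_enabled: bool     # second indication information: SFN state
    sfn_area_id: bytes    # first information: SFN area identifier
    gnb_id: bytes         # second information: access network device identifier
    pci: int              # second information: physical cell identifier
    freq_khz: int         # second information: cell frequency

def _kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    # Assumed stand-in KDF (HMAC-SHA256): the claims fix the inputs, not the function.
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

def derive_mbs_keys(sec: SecurityInfo, ran: RanContext) -> tuple[bytes, bytes]:
    """Return (first key, second key): the decryption and integrity keys of claim 31."""
    if ran.sfn_supported and ran.sfn_enabled:
        # First condition: bind the key to the SFN area, shared by every cell of the area.
        scope = b"SFN" + ran.sfn_area_id
    else:
        # Second condition: bind the key to this one cell (gNB id, PCI, frequency).
        scope = (b"CELL" + ran.gnb_id + ran.pci.to_bytes(2, "big")
                 + ran.freq_khz.to_bytes(4, "big"))
    context = (sec.tmgi + sec.key_update_param.to_bytes(4, "big")
               + sec.algorithm_id.to_bytes(1, "big") + scope)
    return _kdf(sec.group_key, b"MBS-ENC", context), _kdf(sec.group_key, b"MBS-INT", context)

def update_mbs_key(sec: SecurityInfo) -> SecurityInfo:
    """Claims 25/26: a UE leaving the MBS or an SFN state change triggers a key update."""
    return replace(sec, key_update_param=sec.key_update_param + 1)

def integrity_tag(data: bytes, int_key: bytes) -> bytes:
    """Sender side: tag the MBS data with the second key."""
    return hmac.new(int_key, data, hashlib.sha256).digest()

def verify_integrity(data: bytes, tag: bytes, int_key: bytes) -> bool:
    """Claim 27 receive side: constant-time tag check with the second key."""
    return hmac.compare_digest(integrity_tag(data, int_key), tag)
```

Two cells of one SFN area derive identical keys when SFN is on, so they can transmit the same protected stream, while with SFN off each cell gets its own key and a key update changes every derived key.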
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110602607.7A CN115484552A (en) 2021-05-31 2021-05-31 Communication method and device
CN202110602607.7 2021-05-31

Publications (1)

Publication Number Publication Date
WO2022252969A1 true WO2022252969A1 (en) 2022-12-08

Family

ID=84322766

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/092844 WO2022252969A1 (en) 2021-05-31 2022-05-13 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN115484552A (en)
WO (1) WO2022252969A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1893632A (en) * 2005-04-19 2007-01-10 三星电子株式会社 Apparatus and method for offering broadcast service in a dmb system having single frequency network and system
CN101631275A (en) * 2008-07-15 2010-01-20 财团法人工业技术研究院 Systems and methods for authorization and data transmission for multicast broadcast services
US20120294221A1 (en) * 2010-01-11 2012-11-22 Jin Soo Choi Mbs data transmission method, base station, mbs data receiving method, and user equipment
CN106341813A (en) * 2015-07-07 2017-01-18 电信科学技术研究院 Information sending/receiving method and device
US20210067958A1 (en) * 2019-08-26 2021-03-04 Qualcomm Incorporated 5g broadcast/multicast security

Also Published As

Publication number Publication date
CN115484552A (en) 2022-12-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 22815016; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 22815016; Country of ref document: EP; Kind code of ref document: A1