CN116249105A - Key update method and device - Google Patents
Key update method and device Download PDFInfo
- Publication number
- CN116249105A CN116249105A CN202111484386.4A CN202111484386A CN116249105A CN 116249105 A CN116249105 A CN 116249105A CN 202111484386 A CN202111484386 A CN 202111484386A CN 116249105 A CN116249105 A CN 116249105A
- Authority
- CN
- China
- Prior art keywords
- key
- mac
- terminal
- network side
- update method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L1/00—Arrangements for detecting or preventing errors in the information received
- H04L1/12—Arrangements for detecting or preventing errors in the information received by using return channel
- H04L1/16—Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
- H04L1/18—Automatic repetition systems, e.g. Van Duuren systems
- H04L1/1812—Hybrid protocols; Hybrid automatic repeat request [HARQ]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a key updating method and device, and belongs to the technical field of wireless. The key updating method is executed by the network side equipment and comprises the following steps: transmitting a first MAC CE to a terminal, the first MAC CE including a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key. The technical scheme of the invention can realize the rapid key updating of the MAC.
Description
Technical Field
The present invention relates to the field of wireless technologies, and in particular, to a method and an apparatus for updating a key.
Background
In a wireless communication system, endogenous security is one of the main features of a wireless network. How to realize safe endogenesis in a wireless communication system becomes a problem to be solved.
The radio access network itself has a set of key management, distribution and control mechanisms. In order to enable the wireless network to have an endogenous security function, a new function is required under the existing key mechanism.
In the prior art, there is no solution yet how to implement secure endogenous in a wireless system.
Disclosure of Invention
The invention aims to provide a key updating method and device which can realize rapid key updating of MAC.
In order to solve the technical problems, the embodiment of the invention provides the following technical scheme:
in one aspect, a method for updating a key is provided, which is executed by a network side device and includes:
transmitting a first Media Access Control (MAC) control unit (CE) to a terminal, wherein the first MAC CE comprises a key seed for generating a first key;
receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
for the incorrectly received transport blocks, feeding back a negative acknowledgement message to the terminal;
And for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a transmission block which is fed back by the terminal and needs to be retransmitted by using a MAC service data unit SDU corresponding to the transmission block to reconstruct a MAC protocol data unit PDU;
encrypting the MAC PDU with the first key;
and sending the encrypted MAC PDU to the terminal.
In some embodiments, after encrypting and/or decrypting the transmission data using the first key, the method further comprises:
judging whether the first secret key needs to trigger the operation of an upper protocol layer or not;
if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, before sending the first MAC CE to the terminal, the method further includes a step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
Generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating method which is executed by the terminal and comprises the following steps:
receiving a first Media Access Control (MAC) control unit (CE) of network side equipment, wherein the first MAC CE comprises a key seed and feeds back a confirmation message to the network side equipment;
generating a first key according to the key seed;
and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
For the transmission block which is not received correctly, feeding back a negative acknowledgement message to the network side equipment;
and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to an unsuccessfully transmitted transport block and a transport block transmitted for the first time; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, generating the first key from the key seed comprises:
inputting the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device which is applied to the network side equipment and comprises a transceiver and a processor,
The transceiver is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
the processor is used for generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key;
the transceiver is configured to send the encrypted MAC PDU to the terminal.
In some embodiments, the processor is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating device which is applied to the terminal and comprises a transceiver and a processor,
The transceiver is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back a confirmation message to the network side device;
the processor is used for generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor is specifically configured to reconstruct, for a transport block that is not successfully transmitted and a transport block that is transmitted for the first time, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key;
the transceiver is configured to send the encrypted MAC PDU to the network side device.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor; the processor, when executing the program, implements the key updating method as described above.
In some embodiments, the processor is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the terminal.
In some embodiments, the processor is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
And judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
Randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In some embodiments, the processor is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back an acknowledgement message to the network side device; generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor is specifically configured to reconstruct, for a transport block that is not successfully transmitted and a transport block that is transmitted for the first time, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the key updating method as described above.
The embodiment of the invention has the following beneficial effects:
in the above scheme, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
Drawings
FIG. 1 is a schematic diagram of an endogenous security system;
FIGS. 2 and 3 are schematic flow diagrams of a key updating method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a key update apparatus according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a key updating apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved by the embodiments of the present invention more apparent, the following detailed description will be given with reference to the accompanying drawings and the specific embodiments.
In the current 5G system, a security problem is that an encrypted key is bound to a physical cell ID (PhysicalCell ID), so that when a terminal (UE) moves, the key needs to be replaced. With the increasing of the density of the air interface physical cells, the coverage range of the cells is continuously reduced, and the frequent switching causes a mode of starting key update of a security system to bring about great system overhead, including the overhead of frequent signaling and signaling reliability, and the overhead in the aspects of power consumption, service interruption and the like when the UE establishes connection with the network.
In order to realize the endophytic security concept, a base station-based clouding solution is provided, as shown in fig. 1, through the computing capability of a cloud platform, the perception function of a network and a flexible and real-time password control mechanism are newly defined, and the endophytic security is realized.
The embodiment of the invention provides a key updating method and device, which can realize rapid key updating of MAC.
An embodiment of the present invention provides a method for updating a key, which is executed by a network side device, as shown in fig. 2, and includes:
step 101: transmitting a first Media Access Control (MAC) control unit (CE) to a terminal, wherein the first MAC CE comprises a key seed for generating a first key;
step 102: receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
step 103: generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In this embodiment, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In this embodiment, the terminal side and the network side use the air interface sending time point fed back by the ACK (acknowledgement message) of the first MAC CE as the common effective time point of the new keys (i.e. the first key) of the two parties. After the MAC of the network side sends the first MAC CE, the key takes effect immediately after receiving the ACK received by the UE aiming at the first MAC CE, and the data is encrypted or decrypted by using the key generated by the key seed. In this embodiment, the network side device triggers the MAC on the network side and the MAC on the terminal side to synchronize to complete the reestablishment process through the first MAC CE.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
for the incorrectly received transport blocks, feeding back a negative acknowledgement message to the terminal;
and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a transmission block which is fed back by the terminal and needs to be retransmitted by using a MAC service data unit SDU corresponding to the transmission block to reconstruct a MAC protocol data unit PDU;
encrypting the MAC PDU with the first key;
and sending the encrypted MAC PDU to the terminal.
In some embodiments, after encrypting and/or decrypting the transmission data using the first key, the method further comprises:
judging whether the first secret key needs to trigger the operation of an upper protocol layer or not;
if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
The MAC of the network side device decides whether the present rekeying needs to trigger the upper layer to operate, if so, the MAC of the network side device sends a request to the upper layer, including generating end-to-end RRC signaling (configuring end-to-end functions of the network side and the terminal side), where each protocol sub-layer of the upper layer needs to process data, and even triggers a re-establishment procedure of the upper layer.
In some embodiments, before sending the first MAC CE to the terminal, the method further includes a step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
The MAC layer may generate a security policy for the UE by using an AI algorithm according to a statistical feature of receiving and transmitting a UE packet, a feature of transmitting and receiving a service packet applied by the UE, a mobility feature of the UE, mobility and service features of other UEs in the cell, an occupation statistical feature of air interface resources (including power, time-frequency domain resources, and the like), and the like. Taking the characteristics of a data packet sent by UE as an example: the MAC of the base station records the packet size of the uplink data transmitted by the UE each time, and the frequency of transmitting the packet. And comparing the characteristics with a corresponding service model when the UE applies for establishing service, and judging whether the service is in an abnormal state or not if the deviation is higher than an expected threshold (a traditional threshold comparison algorithm) or through an AI algorithm (a nonlinear characteristic value analysis method). If N times of abnormal states occur in a certain time, the state of the UE is judged to have a safety problem, and the secret key needs to be updated.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured. The configuration can be carried out by RRC signaling of the network side, or the MAC of the network side can be defined by itself. Either user-level or bearer-level.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
The present embodiment defines a new MAC CE, i.e. the first MAC CE, which may be identified using LCID or using ellid.
If LCID is used, then a value of available LCID is selected to identify the MAC CE. As shown in table 1 below.
TABLE 1 Values of LCID for DL-SCH (logical channel identification value of downlink control channel)
If eclcid is used, then a value of eclcid available of 1 byte (one-oct eclcid) or 2 bytes (two-oct eclcid) is selected to identify the MAC CE. As shown in tables 2 and 3 below. The determination of the MAC CE type can be determined by a combination of LCID (extended eclpid value of value 33 or 34) and eclpid, as specified by the protocol.
TABLE 2 Values of two-octet eLCID for DL-SCH
TABLE 3 Values of one-octet eLCID for DL-SCH
| Codepoint | Index | LCID values |
| XXX | XXX | Quick controlling of keys |
| 0to 255 | 64to 319 | reserved |
As shown in table 4, the first MAC CE transmits a seed (the seed) for producing a key from which the receiving end produces a key for use.
TABLE 4 Table 4
The key seed is n bytes in length, n=1, 2,3, … …. The length of the key seed can be variable length, or can be Fixed length, and the key seed corresponds to the variable length MAC CE (Flexible MAC CE) and the Fixed length MAC CE (Fixed MAC CE); if the length of the first MAC CE is variable, the length of the key seed is variable; if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, long key seeds or short key seeds may be employed as desired for the encryption level.
The Key seed (the seed of Key) is an input to the Key generator, and by inputting the Key seed to the Key generator, a Key satisfying the requirement is generated.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
Calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In the embodiment, the quick key replacement or updating of the MAC can be realized, and the safety of the system is enhanced; the method can realize the lossless transmission of the data packet, and if the MAC is reestablished, the MAC SDU is continuously transmitted, and the data packet which is transmitted to the edge from the cloud end does not need to be lost; the influence of the security key variation on data transmission is reduced by only reestablishing the MAC layers of the network side and the terminal.
The embodiment of the invention also provides a key updating method, which is executed by the terminal, as shown in fig. 3, and comprises the following steps:
step 201: receiving a first Media Access Control (MAC) control unit (CE) of network side equipment, wherein the first MAC CE comprises a key seed and feeds back a confirmation message to the network side equipment;
step 202: generating a first key according to the key seed;
step 203: and encrypting and/or decrypting the transmission data by using the first key.
In this embodiment, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message. After feeding back the ACK for the first MAC CE, the terminal side uses the new key (i.e., the first key) to decrypt or encrypt data after feeding back the air interface subframe of the ACK.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
for the transmission block which is not received correctly, feeding back a negative acknowledgement message to the network side equipment;
and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to an unsuccessfully transmitted transport block and a transport block transmitted for the first time; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, generating the first key from the key seed comprises:
inputting the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The key generator can be configured by the network side when the UE accesses the network, or can be pre-implanted into the terminal; the network side and the terminal side use the same or peer-to-peer key generators.
The embodiment of the invention also provides a key updating device which is applied to network side equipment, as shown in fig. 4, and comprises a transceiver 11 and a processor 12,
the transceiver 11 is configured to send a first medium access control MAC control element CE to a terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
the processor 12 is configured to generate a first key from the key seed, and to encrypt and/or decrypt transmission data using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 12 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver 11 is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor 12 is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key;
the transceiver 11 is configured to send the encrypted MAC PDU to the terminal.
In some embodiments, the processor 12 is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor 12 is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
Judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
If the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating device which is applied to the terminal, as shown in fig. 4, and comprises a transceiver 11 and a processor 12,
the transceiver 11 is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back a confirmation message to the network side device;
the processor 12 is configured to generate a first key from the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 12 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver 11 is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor 12 is specifically configured to reconstruct, for an unsuccessfully transmitted transport block and a first transmitted transport block, a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key;
the transceiver 11 is configured to send the encrypted MAC PDU to the network side device.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor 12 is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device, as shown in fig. 5, comprising a memory 21, a processor 22 and a computer program stored on the memory 21 and capable of running on the processor 22; the processor 22 implements the key update method described above when executing the program.
In some embodiments, the processor 22 is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 22 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor 22 is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor 22 is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the terminal.
In some embodiments, the processor 22 is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor 22 is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In some embodiments, the processor 22 is configured to receive a first MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back an acknowledgement message to the network side device; generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 22 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor 22 is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor 22 is specifically configured to reconstruct, for an unsuccessfully transmitted transport block and a first transmitted transport block, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor 22 is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the key updating method as described above.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices to be detected, or any other non-transmission medium which can be used to store information that can be accessed by a computing device to be detected. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.
Claims (25)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111484386.4A CN116249105B (en) | 2021-12-07 | 2021-12-07 | Key updating method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111484386.4A CN116249105B (en) | 2021-12-07 | 2021-12-07 | Key updating method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116249105A true CN116249105A (en) | 2023-06-09 |
| CN116249105B CN116249105B (en) | 2026-01-30 |
Family
ID=86631789
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111484386.4A Active CN116249105B (en) | 2021-12-07 | 2021-12-07 | Key updating method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116249105B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024254871A1 (en) * | 2023-06-16 | 2024-12-19 | 华为技术有限公司 | Secure communication method and apparatus |
| WO2024254870A1 (en) * | 2023-06-16 | 2024-12-19 | 华为技术有限公司 | Communication method and apparatus |
| CN119276481A (en) * | 2024-09-27 | 2025-01-07 | 中国移动通信有限公司研究院 | A key filling method, related equipment, medium and product |
| CN120150938A (en) * | 2025-03-07 | 2025-06-13 | 北京北斗弘鹏科技有限公司 | A method and device for updating and transmitting keys between hardware devices based on network layer |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20100092768A (en) * | 2009-02-13 | 2010-08-23 | 삼성전자주식회사 | Method for providing mac protocol for data communication security in wireless network communication |
| US20120177199A1 (en) * | 2011-01-10 | 2012-07-12 | Samsung Electronics., Ltd. | Method and apparatus for encrypting short data in a wireless communication system |
| US20160021066A1 (en) * | 2014-07-21 | 2016-01-21 | Imagination Technologies Limited | Encryption key updates in wireless communication systems |
| WO2017091959A1 (en) * | 2015-11-30 | 2017-06-08 | 华为技术有限公司 | Data transmission method, user equipment and network side device |
-
2021
- 2021-12-07 CN CN202111484386.4A patent/CN116249105B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20100092768A (en) * | 2009-02-13 | 2010-08-23 | 삼성전자주식회사 | Method for providing mac protocol for data communication security in wireless network communication |
| US20120177199A1 (en) * | 2011-01-10 | 2012-07-12 | Samsung Electronics., Ltd. | Method and apparatus for encrypting short data in a wireless communication system |
| US20160021066A1 (en) * | 2014-07-21 | 2016-01-21 | Imagination Technologies Limited | Encryption key updates in wireless communication systems |
| WO2017091959A1 (en) * | 2015-11-30 | 2017-06-08 | 华为技术有限公司 | Data transmission method, user equipment and network side device |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024254871A1 (en) * | 2023-06-16 | 2024-12-19 | 华为技术有限公司 | Secure communication method and apparatus |
| WO2024254870A1 (en) * | 2023-06-16 | 2024-12-19 | 华为技术有限公司 | Communication method and apparatus |
| CN119276481A (en) * | 2024-09-27 | 2025-01-07 | 中国移动通信有限公司研究院 | A key filling method, related equipment, medium and product |
| CN120150938A (en) * | 2025-03-07 | 2025-06-13 | 北京北斗弘鹏科技有限公司 | A method and device for updating and transmitting keys between hardware devices based on network layer |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116249105B (en) | 2026-01-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN116249105B (en) | Key updating method and device | |
| US11546752B2 (en) | System and method for user equipment identification and communications | |
| US11722942B2 (en) | Method and apparatus for controlling packet transmission | |
| CN109417706B (en) | Method and apparatus for storing contextual information in a mobile device | |
| US10863356B2 (en) | Communications method, apparatus, and system | |
| US10897509B2 (en) | Dynamic detection of inactive virtual private network clients | |
| US8441974B2 (en) | Method of providing multicast broadcast service | |
| JP2007184938A (en) | Method and apparatus of modifying integrity protection configuration of user end in wireless communications system | |
| RU2008130047A (en) | METHOD AND DEVICE FOR PERFORMANCE OF DATA PROTECTION AND AUTOMATIC REQUEST FOR REPEAT TRANSFER IN A WIRELESS COMMUNICATION SYSTEM | |
| KR101461236B1 (en) | How to authenticate an entity during a wireless call connection | |
| KR20090032624A (en) | Method and device for providing MAC frame which can be set in security in IEEE 802.15.4 network | |
| CN103313393A (en) | Method and apparatus for performing direct communication | |
| CN117749355A (en) | Communication method and related device | |
| Du et al. | Security enhancement for multicast over internet of things by dynamically constructed fountain codes | |
| CN105074650A (en) | Network supervised device-to-device communication | |
| CN108430080A (en) | A kind of information transferring method, radio reception device and terminal | |
| WO2020191782A1 (en) | Data transmission method and device | |
| US20210282004A1 (en) | Addressing system for a wireless communication network | |
| Vučinić et al. | Requirements for a Lightweight AKE for OSCORE | |
| CN116615930A (en) | Method for public key infrastructure-based authentication of access stratum considering handover in next generation wireless communication system | |
| CN106936786A (en) | A kind of data encryption and transmission method, base station and PDT terminals | |
| US20240284172A1 (en) | Secure communication method and related device | |
| WO2025000304A1 (en) | Communication method and devices | |
| CN111756498B (en) | Information transmission methods, devices, related equipment and storage media | |
| WO2024254871A1 (en) | Secure communication method and apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |





