CN116249105A - Key update method and device - Google Patents

Key update method and device Download PDF

Info

Publication number
CN116249105A
CN116249105A CN202111484386.4A CN202111484386A CN116249105A CN 116249105 A CN116249105 A CN 116249105A CN 202111484386 A CN202111484386 A CN 202111484386A CN 116249105 A CN116249105 A CN 116249105A
Authority
CN
China
Prior art keywords
key
mac
terminal
network side
update method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111484386.4A
Other languages
Chinese (zh)
Other versions
CN116249105B (en
Inventor
孙军帅
王莹莹
赵芸
李娜
刘光毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, Research Institute of China Mobile Communication Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202111484386.4A priority Critical patent/CN116249105B/en
Publication of CN116249105A publication Critical patent/CN116249105A/en
Application granted granted Critical
Publication of CN116249105B publication Critical patent/CN116249105B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00Arrangements for detecting or preventing errors in the information received
    • H04L1/12Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/18Automatic repetition systems, e.g. Van Duuren systems
    • H04L1/1812Hybrid protocols; Hybrid automatic repeat request [HARQ]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a key updating method and device, and belongs to the technical field of wireless. The key updating method is executed by the network side equipment and comprises the following steps: transmitting a first MAC CE to a terminal, the first MAC CE including a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key. The technical scheme of the invention can realize the rapid key updating of the MAC.

Description

Key updating method and device
Technical Field
The present invention relates to the field of wireless technologies, and in particular, to a method and an apparatus for updating a key.
Background
In a wireless communication system, endogenous security is one of the main features of a wireless network. How to realize safe endogenesis in a wireless communication system becomes a problem to be solved.
The radio access network itself has a set of key management, distribution and control mechanisms. In order to enable the wireless network to have an endogenous security function, a new function is required under the existing key mechanism.
In the prior art, there is no solution yet how to implement secure endogenous in a wireless system.
Disclosure of Invention
The invention aims to provide a key updating method and device which can realize rapid key updating of MAC.
In order to solve the technical problems, the embodiment of the invention provides the following technical scheme:
in one aspect, a method for updating a key is provided, which is executed by a network side device and includes:
transmitting a first Media Access Control (MAC) control unit (CE) to a terminal, wherein the first MAC CE comprises a key seed for generating a first key;
receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
for the incorrectly received transport blocks, feeding back a negative acknowledgement message to the terminal;
And for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a transmission block which is fed back by the terminal and needs to be retransmitted by using a MAC service data unit SDU corresponding to the transmission block to reconstruct a MAC protocol data unit PDU;
encrypting the MAC PDU with the first key;
and sending the encrypted MAC PDU to the terminal.
In some embodiments, after encrypting and/or decrypting the transmission data using the first key, the method further comprises:
judging whether the first secret key needs to trigger the operation of an upper protocol layer or not;
if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, before sending the first MAC CE to the terminal, the method further includes a step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
Generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating method which is executed by the terminal and comprises the following steps:
receiving a first Media Access Control (MAC) control unit (CE) of network side equipment, wherein the first MAC CE comprises a key seed and feeds back a confirmation message to the network side equipment;
generating a first key according to the key seed;
and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
For the transmission block which is not received correctly, feeding back a negative acknowledgement message to the network side equipment;
and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to an unsuccessfully transmitted transport block and a transport block transmitted for the first time; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, generating the first key from the key seed comprises:
inputting the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device which is applied to the network side equipment and comprises a transceiver and a processor,
The transceiver is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
the processor is used for generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key;
the transceiver is configured to send the encrypted MAC PDU to the terminal.
In some embodiments, the processor is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating device which is applied to the terminal and comprises a transceiver and a processor,
The transceiver is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back a confirmation message to the network side device;
the processor is used for generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor is specifically configured to reconstruct, for a transport block that is not successfully transmitted and a transport block that is transmitted for the first time, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key;
the transceiver is configured to send the encrypted MAC PDU to the network side device.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor; the processor, when executing the program, implements the key updating method as described above.
In some embodiments, the processor is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the terminal.
In some embodiments, the processor is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
And judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
Randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In some embodiments, the processor is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back an acknowledgement message to the network side device; generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor is specifically configured to reconstruct, for a transport block that is not successfully transmitted and a transport block that is transmitted for the first time, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the key updating method as described above.
The embodiment of the invention has the following beneficial effects:
in the above scheme, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
Drawings
FIG. 1 is a schematic diagram of an endogenous security system;
FIGS. 2 and 3 are schematic flow diagrams of a key updating method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a key update apparatus according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a key updating apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved by the embodiments of the present invention more apparent, the following detailed description will be given with reference to the accompanying drawings and the specific embodiments.
In the current 5G system, a security problem is that an encrypted key is bound to a physical cell ID (PhysicalCell ID), so that when a terminal (UE) moves, the key needs to be replaced. With the increasing of the density of the air interface physical cells, the coverage range of the cells is continuously reduced, and the frequent switching causes a mode of starting key update of a security system to bring about great system overhead, including the overhead of frequent signaling and signaling reliability, and the overhead in the aspects of power consumption, service interruption and the like when the UE establishes connection with the network.
In order to realize the endophytic security concept, a base station-based clouding solution is provided, as shown in fig. 1, through the computing capability of a cloud platform, the perception function of a network and a flexible and real-time password control mechanism are newly defined, and the endophytic security is realized.
The embodiment of the invention provides a key updating method and device, which can realize rapid key updating of MAC.
An embodiment of the present invention provides a method for updating a key, which is executed by a network side device, as shown in fig. 2, and includes:
step 101: transmitting a first Media Access Control (MAC) control unit (CE) to a terminal, wherein the first MAC CE comprises a key seed for generating a first key;
step 102: receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
step 103: generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In this embodiment, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In this embodiment, the terminal side and the network side use the air interface sending time point fed back by the ACK (acknowledgement message) of the first MAC CE as the common effective time point of the new keys (i.e. the first key) of the two parties. After the MAC of the network side sends the first MAC CE, the key takes effect immediately after receiving the ACK received by the UE aiming at the first MAC CE, and the data is encrypted or decrypted by using the key generated by the key seed. In this embodiment, the network side device triggers the MAC on the network side and the MAC on the terminal side to synchronize to complete the reestablishment process through the first MAC CE.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the acknowledgement message fed back by the terminal for the first MAC CE, the method further includes:
for the incorrectly received transport blocks, feeding back a negative acknowledgement message to the terminal;
and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a transmission block which is fed back by the terminal and needs to be retransmitted by using a MAC service data unit SDU corresponding to the transmission block to reconstruct a MAC protocol data unit PDU;
encrypting the MAC PDU with the first key;
and sending the encrypted MAC PDU to the terminal.
In some embodiments, after encrypting and/or decrypting the transmission data using the first key, the method further comprises:
judging whether the first secret key needs to trigger the operation of an upper protocol layer or not;
if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
The MAC of the network side device decides whether the present rekeying needs to trigger the upper layer to operate, if so, the MAC of the network side device sends a request to the upper layer, including generating end-to-end RRC signaling (configuring end-to-end functions of the network side and the terminal side), where each protocol sub-layer of the upper layer needs to process data, and even triggers a re-establishment procedure of the upper layer.
In some embodiments, before sending the first MAC CE to the terminal, the method further includes a step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
The MAC layer may generate a security policy for the UE by using an AI algorithm according to a statistical feature of receiving and transmitting a UE packet, a feature of transmitting and receiving a service packet applied by the UE, a mobility feature of the UE, mobility and service features of other UEs in the cell, an occupation statistical feature of air interface resources (including power, time-frequency domain resources, and the like), and the like. Taking the characteristics of a data packet sent by UE as an example: the MAC of the base station records the packet size of the uplink data transmitted by the UE each time, and the frequency of transmitting the packet. And comparing the characteristics with a corresponding service model when the UE applies for establishing service, and judging whether the service is in an abnormal state or not if the deviation is higher than an expected threshold (a traditional threshold comparison algorithm) or through an AI algorithm (a nonlinear characteristic value analysis method). If N times of abnormal states occur in a certain time, the state of the UE is judged to have a safety problem, and the secret key needs to be updated.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured. The configuration can be carried out by RRC signaling of the network side, or the MAC of the network side can be defined by itself. Either user-level or bearer-level.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
The present embodiment defines a new MAC CE, i.e. the first MAC CE, which may be identified using LCID or using ellid.
If LCID is used, then a value of available LCID is selected to identify the MAC CE. As shown in table 1 below.
TABLE 1 Values of LCID for DL-SCH (logical channel identification value of downlink control channel)
Figure BDA0003396918830000121
Figure BDA0003396918830000131
Figure BDA0003396918830000141
Figure BDA0003396918830000151
If eclcid is used, then a value of eclcid available of 1 byte (one-oct eclcid) or 2 bytes (two-oct eclcid) is selected to identify the MAC CE. As shown in tables 2 and 3 below. The determination of the MAC CE type can be determined by a combination of LCID (extended eclpid value of value 33 or 34) and eclpid, as specified by the protocol.
TABLE 2 Values of two-octet eLCID for DL-SCH
Figure BDA0003396918830000161
TABLE 3 Values of one-octet eLCID for DL-SCH
Codepoint Index LCID values
XXX XXX Quick controlling of keys
0to 255 64to 319 reserved
As shown in table 4, the first MAC CE transmits a seed (the seed) for producing a key from which the receiving end produces a key for use.
TABLE 4 Table 4
Figure BDA0003396918830000162
The key seed is n bytes in length, n=1, 2,3, … …. The length of the key seed can be variable length, or can be Fixed length, and the key seed corresponds to the variable length MAC CE (Flexible MAC CE) and the Fixed length MAC CE (Fixed MAC CE); if the length of the first MAC CE is variable, the length of the key seed is variable; if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, long key seeds or short key seeds may be employed as desired for the encryption level.
The Key seed (the seed of Key) is an input to the Key generator, and by inputting the Key seed to the Key generator, a Key satisfying the requirement is generated.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
Calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In the embodiment, the quick key replacement or updating of the MAC can be realized, and the safety of the system is enhanced; the method can realize the lossless transmission of the data packet, and if the MAC is reestablished, the MAC SDU is continuously transmitted, and the data packet which is transmitted to the edge from the cloud end does not need to be lost; the influence of the security key variation on data transmission is reduced by only reestablishing the MAC layers of the network side and the terminal.
The embodiment of the invention also provides a key updating method, which is executed by the terminal, as shown in fig. 3, and comprises the following steps:
step 201: receiving a first Media Access Control (MAC) control unit (CE) of network side equipment, wherein the first MAC CE comprises a key seed and feeds back a confirmation message to the network side equipment;
step 202: generating a first key according to the key seed;
step 203: and encrypting and/or decrypting the transmission data by using the first key.
In this embodiment, the network side device sends the first MAC CE to the terminal, where the first MAC CE includes a key seed, and then the network side device and the terminal may generate a first key according to the key seed, and encrypt and/or decrypt transmission data using the first key, so as to implement rapid key update by using the MAC.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message. After feeding back the ACK for the first MAC CE, the terminal side uses the new key (i.e., the first key) to decrypt or encrypt data after feeding back the air interface subframe of the ACK.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
and clearing all HARQ process sending caches.
In some embodiments, after receiving the first MAC CE of the network-side device, the method further includes:
for the transmission block which is not received correctly, feeding back a negative acknowledgement message to the network side equipment;
and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, encrypting and/or decrypting the transmitted data using the first key comprises:
reconstructing a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to an unsuccessfully transmitted transport block and a transport block transmitted for the first time; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, generating the first key from the key seed comprises:
inputting the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The key generator can be configured by the network side when the UE accesses the network, or can be pre-implanted into the terminal; the network side and the terminal side use the same or peer-to-peer key generators.
The embodiment of the invention also provides a key updating device which is applied to network side equipment, as shown in fig. 4, and comprises a transceiver 11 and a processor 12,
the transceiver 11 is configured to send a first medium access control MAC control element CE to a terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE;
the processor 12 is configured to generate a first key from the key seed, and to encrypt and/or decrypt transmission data using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 12 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver 11 is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor 12 is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key;
the transceiver 11 is configured to send the encrypted MAC PDU to the terminal.
In some embodiments, the processor 12 is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor 12 is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
Judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
If the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
The embodiment of the invention also provides a key updating device which is applied to the terminal, as shown in fig. 4, and comprises a transceiver 11 and a processor 12,
the transceiver 11 is configured to receive a first medium access control MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back a confirmation message to the network side device;
the processor 12 is configured to generate a first key from the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 12 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the transceiver 11 is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor 12 is specifically configured to reconstruct, for an unsuccessfully transmitted transport block and a first transmitted transport block, a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key;
the transceiver 11 is configured to send the encrypted MAC PDU to the network side device.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor 12 is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the invention also provides a key updating device, as shown in fig. 5, comprising a memory 21, a processor 22 and a computer program stored on the memory 21 and capable of running on the processor 22; the processor 22 implements the key update method described above when executing the program.
In some embodiments, the processor 22 is configured to send a first medium access control MAC control element CE to the terminal, where the first MAC CE includes a key seed for generating a first key; receiving a confirmation message fed back by the terminal aiming at the first MAC CE; generating a first key according to the key seed, and encrypting and/or decrypting transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 22 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor 22 is further configured to feed back a negative acknowledgement message to the terminal for an incorrectly received transport block; and for the successfully received transport block, feeding back an acknowledgement message to the terminal.
In some embodiments, the processor 22 is specifically configured to reconstruct a MAC protocol data unit PDU by using a MAC service data unit SDU corresponding to a transport block that needs to be retransmitted and is fed back to the terminal; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the terminal.
In some embodiments, the processor 22 is further configured to determine whether setting the first key requires triggering an operation of an upper protocol layer; if necessary, a first request is sent to the upper protocol layer, and the reestablishment process of the upper protocol layer is triggered.
In some embodiments, the processor 22 is further configured to perform the step of determining that the terminal needs to update the key, where determining that the terminal needs to update the key includes any one of:
judging that the secret key needs to be updated according to the result of detection, analysis and output of the MAC layer;
judging that the secret key needs to be updated according to the indication from the cloud;
and judging that the secret key needs to be updated according to a preset time period.
In some embodiments, the parameters utilized by the MAC layer for detection analysis include at least one of:
statistical characteristics of terminal data packet receiving and transmitting, characteristics of terminal application service data packet transmitting and receiving, mobility characteristics of terminals, mobility characteristics and service characteristics of other terminals in the cell, and air interface resource occupation statistical characteristics.
In some embodiments, the indication of the cloud comprises at least one of:
a key seed;
characteristics of the key seed, including timeliness and length;
the object or scene or service or functionality to which the first key applies.
In some embodiments, the preset time period is protocol defined or configured or preconfigured.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, if the first MAC CE is variable in length, the key seed is variable in length;
if the length of the first MAC CE is fixed, the length of the key seed is fixed.
In some embodiments, the key seed is generated in any of the following ways:
randomly generating;
generating according to the indication of the upper protocol layer;
generating bit strings with preset lengths in the identity of the terminal through a random function;
intercepting a preset bit string in a data packet needing encryption and generating the preset bit string through a random function;
calculating the characteristic value of the terminal, and generating by a random function after expanding or not expanding the length;
and generating by a random function after expanding or not expanding the length according to the position coordinates of the terminal moving track.
In some embodiments, the processor 22 is configured to receive a first MAC control element CE of a network side device, where the first MAC CE includes a key seed, and feed back an acknowledgement message to the network side device; generating a first key according to the key seed; and encrypting and/or decrypting the transmission data by using the first key.
In some embodiments, the effective time point of the first key is an air interface sending time point for feeding back the acknowledgement message.
In some embodiments, the processor 22 is further configured to flush all HARQ process transmission buffers.
In some embodiments, the processor 22 is further configured to feed back a negative acknowledgement message to the network side device for an incorrectly received transport block; and for the successfully received transmission block, feeding back an acknowledgement message to the network side equipment.
In some embodiments, the processor 22 is specifically configured to reconstruct, for an unsuccessfully transmitted transport block and a first transmitted transport block, a MAC protocol data unit PDU using a MAC service data unit SDU corresponding to the transport block; encrypting the MAC PDU with the first key; and sending the encrypted MAC PDU to the network side equipment.
In some embodiments, the first MAC CE is identified using a value of a logical channel identification LCID, or the first MAC CE is identified using a value of an enhanced logical channel identification eclcd.
In some embodiments, the processor 22 is specifically configured to input the key seed into a key generator to generate the first key.
In some embodiments, the key generator is configured to the terminal for the network side device, or is preconfigured in the terminal.
The embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the key updating method as described above.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices to be detected, or any other non-transmission medium which can be used to store information that can be accessed by a computing device to be detected. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (25)

1.一种密钥更新方法,其特征在于,由网络侧设备执行,包括:1. A key update method, characterized in that it is performed by a network side device, comprising: 向终端发送第一媒体访问控制MAC控制单元CE,所述第一MAC CE包括密钥种子,用于产生第一密钥;Sending a first medium access control MAC control element CE to the terminal, the first MAC CE including a key seed for generating a first key; 接收所述终端针对所述第一MAC CE反馈的确认消息;receiving an acknowledgment message fed back by the terminal for the first MAC CE; 根据所述密钥种子产生第一密钥,利用所述第一密钥进行传输数据的加密和/或解密。A first key is generated according to the key seed, and the transmission data is encrypted and/or decrypted by using the first key. 2.根据权利要求1所述的密钥更新方法,其特征在于,所述第一密钥的生效时间点为反馈所述确认消息的空口发送时间点。2. The key update method according to claim 1, wherein the effective time point of the first key is the air interface sending time point when the confirmation message is fed back. 3.根据权利要求1所述的密钥更新方法,其特征在于,接收所述终端针对所述第一MACCE反馈的确认消息之后,所述方法还包括:3. The key update method according to claim 1, characterized in that, after receiving the confirmation message fed back by the terminal for the first MACCE, the method further comprises: 清空所有的混合自动重传请求HARQ进程发送缓存。Clear all hybrid automatic repeat request HARQ process sending buffers. 4.根据权利要求1所述的密钥更新方法,其特征在于,接收所述终端针对所述第一MACCE反馈的确认消息之后,所述方法还包括:4. The key update method according to claim 1, characterized in that, after receiving the confirmation message fed back by the terminal for the first MACCE, the method further comprises: 对于未正确接收的传输块,向终端反馈否认消息;Feedback a deny message to the terminal for a transport block not received correctly; 对于接收成功的传输块,向终端反馈确认消息。For a successfully received transport block, an acknowledgment message is fed back to the terminal. 5.根据权利要求1所述的密钥更新方法,其特征在于,利用所述第一密钥进行传输数据的加密和/或解密包括:5. The key update method according to claim 1, wherein the encryption and/or decryption of transmission data using the first key comprises: 对所述终端反馈的需要重传的传输块,利用所述传输块对应的MAC业务数据单元SDU重新组建MAC协议数据单元PDU;For the transport block fed back by the terminal that needs to be retransmitted, use the MAC service data unit SDU corresponding to the transport block to reconstruct the MAC protocol data unit PDU; 利用所述第一密钥对所述MAC PDU进行加密;encrypting the MAC PDU using the first key; 向所述终端发送加密后的所述MAC PDU。sending the encrypted MAC PDU to the terminal. 6.根据权利要求1所述的密钥更新方法,其特征在于,利用所述第一密钥进行传输数据的加密和/或解密之后,所述方法还包括:6. The key update method according to claim 1, wherein, after encrypting and/or decrypting transmission data using the first key, the method further comprises: 判断设置所述第一密钥是否需要触发上层协议层的操作;judging whether setting the first key needs to trigger the operation of the upper layer protocol layer; 如果需要,向上层协议层发送第一请求,触发上层协议层的重建立过程。If necessary, send a first request to the upper protocol layer to trigger the re-establishment process of the upper protocol layer. 7.根据权利要求1所述的密钥更新方法,其特征在于,向终端发送第一MAC CE之前,所述方法还包括判断终端需要更新密钥的步骤,判断终端需要更新密钥包括以下任一项:7. The key update method according to claim 1, wherein, before sending the first MAC CE to the terminal, the method also includes the step of judging that the terminal needs to update the key, and judging that the terminal needs to update the key includes any of the following one item: 根据MAC层的检测分析输出的结果判断需要更新密钥;According to the result of the detection and analysis output of the MAC layer, it is judged that the key needs to be updated; 根据来自云端的指示判断需要更新密钥;According to the instructions from the cloud, it is judged that the key needs to be updated; 根据预设的时间周期判断需要更新密钥。It is judged that the key needs to be updated according to the preset time period. 8.根据权利要求7所述的密钥更新方法,其特征在于,所述MAC层进行检测分析利用的参数包括以下至少一项:8. The key update method according to claim 7, wherein the parameters used by the MAC layer for detection and analysis include at least one of the following: 终端数据包接收和发送的统计特征、终端申请的业务数据包发送和接收的特征、终端的移动性特征、本小区其它终端的移动性特征和业务特征、空口资源占用统计特征。Statistical characteristics of terminal data packet reception and transmission, characteristics of service data packet transmission and reception applied by the terminal, terminal mobility characteristics, mobility characteristics and service characteristics of other terminals in the cell, and statistical characteristics of air interface resource occupation. 9.根据权利要求7所述的密钥更新方法,其特征在于,所述云端的指示包括以下至少一项:9. The key update method according to claim 7, wherein the cloud indication includes at least one of the following: 密钥种子;key seed; 密钥种子的特征,包括时效性和长度;The characteristics of the key seed, including timeliness and length; 第一密钥适用的对象或场景或业务或功能体。The object or scenario or service or function to which the first key is applicable. 10.根据权利要求7所述的密钥更新方法,其特征在于,所述预设的时间周期为协议定义的或配置的或预配置的。10. The key update method according to claim 7, wherein the preset time period is defined or configured or preconfigured by a protocol. 11.根据权利要求1所述的密钥更新方法,其特征在于,使用逻辑信道标识LCID的值标识所述第一MAC CE,或,使用增强逻辑信道标识eLCID的值标识所述第一MAC CE。11. The key update method according to claim 1, characterized in that, using the value of the logical channel identifier LCID to identify the first MAC CE, or using the value of the enhanced logical channel identifier eLCID to identify the first MAC CE . 12.根据权利要求1所述的密钥更新方法,其特征在于,12. The key update method according to claim 1, wherein: 若所述第一MAC CE的长度可变,则所述密钥种子的长度可变;If the length of the first MAC CE is variable, the length of the key seed is variable; 若所述第一MAC CE的长度固定,则所述密钥种子的长度固定。If the length of the first MAC CE is fixed, the length of the key seed is fixed. 13.根据权利要求1所述的密钥更新方法,其特征在于,所述密钥种子采用以下任一方式产生:13. The key update method according to claim 1, wherein the key seed is generated in any of the following ways: 随机产生;randomly generated; 根据上层协议层的指示产生;Generated according to the instructions of the upper protocol layer; 根据终端的身份标识中预设长度的比特串通过随机函数产生;According to the bit string of the preset length in the identity of the terminal, it is generated by a random function; 截取需要加密的数据包中的预设比特串通过随机函数产生;Intercept the preset bit string in the data packet that needs to be encrypted and generate it through a random function; 计算所述终端的特征值,扩充或不扩充长度后,通过随机函数产生;Calculating the characteristic value of the terminal, after expanding or not expanding the length, it is generated by a random function; 根据所述终端移动轨迹的位置坐标,扩充或不扩充长度后,通过随机函数产生。According to the position coordinates of the moving track of the terminal, after the length is expanded or not, it is generated by a random function. 14.一种密钥更新方法,其特征在于,由终端执行,包括:14. A key update method, characterized in that, executed by a terminal, comprising: 接收网络侧设备的第一媒体访问控制MAC控制单元CE,所述第一MAC CE包括密钥种子,向所述网络侧设备反馈确认消息;receiving a first media access control MAC control unit CE of a network side device, where the first MAC CE includes a key seed, and feeding back a confirmation message to the network side device; 根据所述密钥种子产生第一密钥;generating a first key according to the key seed; 利用所述第一密钥进行传输数据的加密和/或解密。Encryption and/or decryption of transmission data is performed using the first key. 15.根据权利要求14所述的密钥更新方法,其特征在于,所述第一密钥的生效时间点为反馈所述确认消息的空口发送时间点。15. The key update method according to claim 14, characterized in that, the effective time point of the first key is the air interface sending time point when the confirmation message is fed back. 16.根据权利要求14所述的密钥更新方法,其特征在于,接收网络侧设备的第一MAC CE之后,所述方法还包括:16. The key update method according to claim 14, characterized in that, after receiving the first MAC CE of the network side device, the method further comprises: 清空所有的混合自动重传请求HARQ进程发送缓存。Clear all hybrid automatic repeat request HARQ process sending buffers. 17.根据权利要求14所述的密钥更新方法,其特征在于,接收网络侧设备的第一MAC CE之后,所述方法还包括:17. The key update method according to claim 14, characterized in that, after receiving the first MAC CE of the network side device, the method further comprises: 对于未正确接收的传输块,向所述网络侧设备反馈否认消息;Feedback a acknowledgment message to the network side device for a transport block not received correctly; 对于接收成功的传输块,向所述网络侧设备反馈确认消息。Feedback an acknowledgment message to the network side device for a successfully received transport block. 18.根据权利要求14所述的密钥更新方法,其特征在于,利用所述第一密钥进行传输数据的加密和/或解密包括:18. The key update method according to claim 14, wherein the encryption and/or decryption of transmission data using the first key comprises: 对于未成功发送的传输块以及第一次发送的传输块,利用所述传输块对应的MAC业务数据单元SDU重新组建MAC协议数据单元PDU;利用所述第一密钥对所述MAC PDU进行加密;向所述网络侧设备发送加密后的所述MAC PDU。For an unsuccessfully sent transport block and a transport block sent for the first time, use the MAC service data unit SDU corresponding to the transport block to reconstruct a MAC protocol data unit PDU; use the first key to encrypt the MAC PDU ; Sending the encrypted MAC PDU to the network side device. 19.根据权利要求14所述的密钥更新方法,其特征在于,所述第一MAC CE使用逻辑信道标识LCID的值标识,或,所述第一MAC CE使用增强逻辑信道标识eLCID的值标识。19. The key update method according to claim 14, wherein the first MAC CE uses the value identification of the logical channel identification LCID, or the first MAC CE uses the value identification of the enhanced logical channel identification eLCID . 20.根据权利要求14所述的密钥更新方法,其特征在于,根据所述密钥种子产生第一密钥包括:20. The key update method according to claim 14, wherein generating the first key according to the key seed comprises: 将所述密钥种子输入密钥生成器,产生所述第一密钥。Input the key seed into a key generator to generate the first key. 21.根据权利要求20所述的密钥更新方法,其特征在于,所述密钥生成器为所述网络侧设备配置给所述终端,或,预先配置在所述终端中。21. The key update method according to claim 20, wherein the key generator is configured for the network side device to the terminal, or is pre-configured in the terminal. 22.一种密钥更新装置,其特征在于,应用于网络侧设备,包括收发机和处理器,22. A key update device, characterized in that it is applied to network side equipment, including a transceiver and a processor, 所述收发机用于向终端发送第一媒体访问控制MAC控制单元CE,所述第一MAC CE包括密钥种子,用于产生第一密钥;接收所述终端针对所述第一MAC CE反馈的确认消息;The transceiver is used to send a first medium access control MAC control unit CE to the terminal, the first MAC CE includes a key seed, and is used to generate a first key; receiving feedback from the terminal for the first MAC CE confirmation message; 所述处理器用于根据所述密钥种子产生第一密钥,利用所述第一密钥进行传输数据的加密和/或解密。The processor is configured to generate a first key according to the key seed, and use the first key to encrypt and/or decrypt transmission data. 23.一种密钥更新装置,其特征在于,应用于终端,包括收发机和处理器,23. A key update device, characterized in that it is applied to a terminal, including a transceiver and a processor, 所述收发机用于接收网络侧设备的第一媒体访问控制MAC控制单元CE,所述第一MACCE包括密钥种子,向所述网络侧设备反馈确认消息;The transceiver is used to receive a first medium access control MAC control unit CE of the network side device, the first MAC CE includes a key seed, and feeds back a confirmation message to the network side device; 所述处理器用于根据所述密钥种子产生第一密钥;利用所述第一密钥进行传输数据的加密和/或解密。The processor is configured to generate a first key according to the key seed; use the first key to encrypt and/or decrypt transmission data. 24.一种密钥更新装置,包括存储器、处理器及存储在所述存储器上并可在所述处理器上运行的计算机程序;其特征在于,所述处理器执行所述程序时实现如权利要求1-21中任一项所述的密钥更新方法。24. A key update device, comprising a memory, a processor, and a computer program stored on the memory and operable on the processor; it is characterized in that, when the processor executes the program, the The key update method described in any one of requirements 1-21. 25.一种计算机可读存储介质,其上存储有计算机程序,其特征在于,该程序被处理器执行时实现如权利要求1-21中任一项所述的密钥更新方法中的步骤。25. A computer-readable storage medium, on which a computer program is stored, wherein when the program is executed by a processor, the steps in the key updating method according to any one of claims 1-21 are realized.
CN202111484386.4A 2021-12-07 2021-12-07 Key updating method and device Active CN116249105B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111484386.4A CN116249105B (en) 2021-12-07 2021-12-07 Key updating method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111484386.4A CN116249105B (en) 2021-12-07 2021-12-07 Key updating method and device

Publications (2)

Publication Number Publication Date
CN116249105A true CN116249105A (en) 2023-06-09
CN116249105B CN116249105B (en) 2026-01-30

Family

ID=86631789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111484386.4A Active CN116249105B (en) 2021-12-07 2021-12-07 Key updating method and device

Country Status (1)

Country Link
CN (1) CN116249105B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024254871A1 (en) * 2023-06-16 2024-12-19 华为技术有限公司 Secure communication method and apparatus
WO2024254870A1 (en) * 2023-06-16 2024-12-19 华为技术有限公司 Communication method and apparatus
CN119276481A (en) * 2024-09-27 2025-01-07 中国移动通信有限公司研究院 A key filling method, related equipment, medium and product
CN120150938A (en) * 2025-03-07 2025-06-13 北京北斗弘鹏科技有限公司 A method and device for updating and transmitting keys between hardware devices based on network layer

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100092768A (en) * 2009-02-13 2010-08-23 삼성전자주식회사 Method for providing mac protocol for data communication security in wireless network communication
US20120177199A1 (en) * 2011-01-10 2012-07-12 Samsung Electronics., Ltd. Method and apparatus for encrypting short data in a wireless communication system
US20160021066A1 (en) * 2014-07-21 2016-01-21 Imagination Technologies Limited Encryption key updates in wireless communication systems
WO2017091959A1 (en) * 2015-11-30 2017-06-08 华为技术有限公司 Data transmission method, user equipment and network side device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100092768A (en) * 2009-02-13 2010-08-23 삼성전자주식회사 Method for providing mac protocol for data communication security in wireless network communication
US20120177199A1 (en) * 2011-01-10 2012-07-12 Samsung Electronics., Ltd. Method and apparatus for encrypting short data in a wireless communication system
US20160021066A1 (en) * 2014-07-21 2016-01-21 Imagination Technologies Limited Encryption key updates in wireless communication systems
WO2017091959A1 (en) * 2015-11-30 2017-06-08 华为技术有限公司 Data transmission method, user equipment and network side device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024254871A1 (en) * 2023-06-16 2024-12-19 华为技术有限公司 Secure communication method and apparatus
WO2024254870A1 (en) * 2023-06-16 2024-12-19 华为技术有限公司 Communication method and apparatus
CN119276481A (en) * 2024-09-27 2025-01-07 中国移动通信有限公司研究院 A key filling method, related equipment, medium and product
CN120150938A (en) * 2025-03-07 2025-06-13 北京北斗弘鹏科技有限公司 A method and device for updating and transmitting keys between hardware devices based on network layer

Also Published As

Publication number Publication date
CN116249105B (en) 2026-01-30

Similar Documents

Publication Publication Date Title
CN116249105B (en) Key updating method and device
US11546752B2 (en) System and method for user equipment identification and communications
US11722942B2 (en) Method and apparatus for controlling packet transmission
CN109417706B (en) Method and apparatus for storing contextual information in a mobile device
US10863356B2 (en) Communications method, apparatus, and system
US10897509B2 (en) Dynamic detection of inactive virtual private network clients
US8441974B2 (en) Method of providing multicast broadcast service
JP2007184938A (en) Method and apparatus of modifying integrity protection configuration of user end in wireless communications system
RU2008130047A (en) METHOD AND DEVICE FOR PERFORMANCE OF DATA PROTECTION AND AUTOMATIC REQUEST FOR REPEAT TRANSFER IN A WIRELESS COMMUNICATION SYSTEM
KR101461236B1 (en) How to authenticate an entity during a wireless call connection
KR20090032624A (en) Method and device for providing MAC frame which can be set in security in IEEE 802.15.4 network
CN103313393A (en) Method and apparatus for performing direct communication
CN117749355A (en) Communication method and related device
Du et al. Security enhancement for multicast over internet of things by dynamically constructed fountain codes
CN105074650A (en) Network supervised device-to-device communication
CN108430080A (en) A kind of information transferring method, radio reception device and terminal
WO2020191782A1 (en) Data transmission method and device
US20210282004A1 (en) Addressing system for a wireless communication network
Vučinić et al. Requirements for a Lightweight AKE for OSCORE
CN116615930A (en) Method for public key infrastructure-based authentication of access stratum considering handover in next generation wireless communication system
CN106936786A (en) A kind of data encryption and transmission method, base station and PDT terminals
US20240284172A1 (en) Secure communication method and related device
WO2025000304A1 (en) Communication method and devices
CN111756498B (en) Information transmission methods, devices, related equipment and storage media
WO2024254871A1 (en) Secure communication method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant