Patent Application
20160044002
The present invention relates to the communications technologies, and in particular, to a data transmission method and apparatus.
With the wide application of smart terminals (Smart Phone) and Machine Type Communications (Machine Type Communications, MTC for short) devices, transmission of small data packets becomes increasingly frequent. For example, for a service such as email push (Email Push), instant messaging software MSN or QQ, and a virtual private network (Virtual Private Network, VPN for short) supported by a smart phone, within a period of time during which no service data takes place, to maintain a connection with a server, a keepalive (keep alive) message needs to be exchanged with the server, where the message is a small data packet; for another example, for a service such as smart meter reading, smart traffic, and smart medical care in a Machine to Machine (Machine to Machine, M2M for short) service supported by an MTC device, data transmitted in the service is also a small data packet. In a Universal Mobile Telecommunications System (Universal Mobile Telecommunication System, UMTS for short), user equipment (User Equipment, UE for short) that performs such a service is usually set to an idle mode, and once the UE has a small data packet that needs to be sent, a Radio Resource Control (Radio Resource Control, RRC for short) connection is then set up to send the small data packet.
However, an existing procedure of transmitting a small data packet is lengthy, resulting in a delay in data transmission and relatively low transmission efficiency.
Embodiments of the present invention provide a data transmission method and apparatus, so as to improve efficiency of transmitting a small data packet, and further provide a security mechanism to ensure security of transmitting the small data packet.
According to a first aspect, an embodiment of the present invention provides a data transmission method, including:
In a first possible implementation manner of the first aspect, the security parameter includes: a cipher key CK_small and/or an integrity protection key IK_small; and
According to the first possible implementation manner of the first aspect, in a second possible implementation manner, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method further includes:
According to the second possible implementation manner of the first aspect, in a third possible implementation manner, the negotiating, by the UE, with the SGSN to determine the security parameter includes:
According to the third possible implementation manner of the first aspect, in a fourth possible implementation manner, the negotiating, by the UE with the SGSN by performing an AKA process to determine the security parameter includes:
According to the third possible implementation manner of the first aspect, in a fifth possible implementation manner, the negotiating, by the UE with the SGSN by performing an AKA process to determine the security parameter includes:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
According to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner, the negotiating, by the UE, with the SGSN to determine the security parameter includes:
According to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a seventh possible implementation manner, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method further includes:
According to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner, the negotiating, by the UE, with the SGSN to determine the security algorithm includes:
According to the eighth possible implementation manner of the first aspect, in a ninth possible implementation manner, the negotiating, by the UE, with the SGSN by using a registration procedure of the UE to determine the security algorithm includes:
According to the seventh possible implementation manner of the first aspect, in a tenth possible implementation manner, the negotiating, by the UE, with the SGSN to determine the security algorithm includes:
According to the tenth possible implementation manner of the first aspect, in an eleventh possible implementation manner, the negotiating, by the UE, with the SGSN by using a procedure of an inter-SGSN handover of the UE to determine the security algorithm includes:
According to the seventh possible implementation manner of the first aspect, in a twelfth possible implementation manner, the negotiating, by the UE, with the SGSN to determine the security algorithm includes:
According to the twelfth possible implementation manner of the first aspect, in a thirteenth possible implementation manner,
According to the first aspect or any one of the first to thirteenth possible implementation manners of the first aspect, in a fourteenth possible implementation manner, the sending, by the UE, the NAS PDU to an SGSN includes:
According to the fourteenth possible implementation manner of the first aspect, in a fifteenth possible implementation manner, before the sending, by the UE, an RRC Connection Setup Complete message to the RNC, the method further includes:
According to the fourteenth or fifteenth possible implementation manner of the first aspect, in a sixteenth possible implementation manner, the RRC Connection Setup Complete message specifically includes: the NAS PDU and a key set identifier KSI, where the KSI is used for enabling the SGSN to search for security context for deciphering the NAS PDU.
According to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a seventeenth possible implementation manner, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method further includes:
According to the first aspect or any one of the first to the thirteenth and the seventeenth possible implementation manners of the first aspect, in an eighteenth possible implementation manner, the sending, by the UE, the NAS PDU to an SGSN includes:
According to the eighteenth possible implementation manner of the first aspect, in a nineteenth possible implementation manner, before the sending, by the UE, an RRC Connection Setup Complete message to the RNC, the method further includes:
According to the nineteenth possible implementation manner of the first aspect, in a twentieth possible implementation manner, before the receiving, by the UE, an RRC Connection Setup message sent by the RNC, the method further includes:
According to the nineteenth or twentieth possible implementation manner of the first aspect, in a twenty-first possible implementation manner,
According to the twenty-first possible implementation manner of the first aspect, in a twenty-second possible implementation manner,
According to the twenty-first possible implementation manner of the first aspect, in a twenty-third possible implementation manner,
According to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a twenty-fourth possible implementation manner, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method further includes:
According to the twenty-fourth possible implementation manner of the first aspect, in a twenty-fifth possible implementation manner,
According to the twenty-fourth possible implementation manner of the first aspect, in a twenty-sixth possible implementation manner, before the receiving, by the UE, an RRC Connection Setup message sent by the RNC, the method further includes:
According to a second aspect, an embodiment of the present invention provides a data transmission method, including:
In a first possible implementation manner of the second aspect, the security processing includes: security processing performed on the NAS PDU by using a security parameter and a security algorithm, where
According to the first possible implementation manner of the second aspect, in a second possible implementation manner, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
According to the first or second possible implementation manner of the second aspect, in a third possible implementation manner, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
According to the first or second possible implementation manner of the second aspect, in a fourth possible implementation manner, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
According to the second aspect or any one of the first to fourth possible implementation manners of the second aspect, in a fifth possible implementation manner, the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing includes:
According to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner,
According to the fifth or sixth possible implementation manner of the second aspect, in a seventh possible implementation manner, before the receiving, by the RNC, an RRC Connection Setup Complete message sent by the UE, the method further includes:
According to the first or second possible implementation manner of the second aspect, in an eighth possible implementation manner, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
According to the first to fourth and eighth possible implementation manners of the second aspect, in a ninth possible implementation manner, before the sending, by the RNC, the NAS PDU to an SGSN, the method further includes:
According to the ninth possible implementation manner of the second aspect, in a tenth possible implementation manner, before the deciphering, by the RNC, the NAS PDU, the method further includes:
According to the tenth possible implementation manner of the second aspect, in an eleventh possible implementation manner, the security parameter response message further includes: a security algorithm selected by the SGSN.
According to the tenth or eleventh possible implementation manner of the second aspect, in a twelfth possible implementation manner,
According to any one of the ninth to twelfth possible implementation manners of the second aspect, in a thirteenth possible implementation manner, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
According to the thirteenth possible implementation manner of the second aspect, in a fourteenth possible implementation manner, before the sending, by the RNC, an RRC Connection Setup message to the UE, the method further includes:
According to the thirteenth or fourteenth possible implementation manner of the second aspect, in a fifteenth possible implementation manner,
According to the fourteenth possible implementation manner of the second aspect, in a sixteenth possible implementation manner,
According to the thirteenth possible implementation manner of the second aspect, in a seventeenth possible implementation manner, before the sending, by the RNC, an RRC Connection Setup message to the UE, the method further includes:
According to the seventeenth possible implementation manner of the second aspect, in an eighteenth possible implementation manner, an RRC connection request message received by the RNC and sent by the UE further includes the security algorithm supported by the UE;
According to a third aspect, an embodiment of the present invention provides a data transmission method, including:
In a first possible implementation manner of the third aspect, the security parameter includes: a cipher key CK_small and/or an integrity protection key IK_small; and
According to the first possible implementation manner of the third aspect, in a second possible implementation manner, before the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter, the method further includes:
According to the second possible implementation manner of the third aspect, in a third possible implementation manner, the negotiating, by the SGSN, with the UE to determine the security parameter includes:
According to the third possible implementation manner of the third aspect, in a fourth possible implementation manner, the negotiating, by the SGSN, with the UE by using an AKA process to determine the security parameter includes:
According to the third possible implementation manner of the third aspect, in a fifth possible implementation manner, the negotiating, by the SGSN, with the UE by using an AKA process to determine the security parameter includes:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
According to the fifth possible implementation manner of the third aspect, in a sixth possible implementation manner, the negotiating, by the SGSN, with the UE to determine the security parameter includes:
According to the third aspect or the first to sixth possible implementation manners of the third aspect, in a seventh possible implementation manner, before the receiving, by an SGSN, a NAS PDU sent by an RNC, the method further includes:
According to the seventh possible implementation manner of the third aspect, in an eighth possible implementation manner, the negotiating, by the SGSN, with the UE to determine the security algorithm includes:
According to the eighth possible implementation manner of the third aspect, in a ninth possible implementation manner, the negotiating, by the SGSN, with the UE by using a registration procedure of the UE to determine the security algorithm includes:
According to the seventh possible implementation manner of the third aspect, in a tenth possible implementation manner, the negotiating, by the SGSN, with the UE to determine the security algorithm includes:
According to the tenth possible implementation manner of the third aspect, in an eleventh possible implementation manner, the negotiating, by the SGSN, with the UE by using a procedure of an inter-SGSN handover of the UE to determine the security algorithm includes:
According to the seventh possible implementation manner of the third aspect, in a twelfth possible implementation manner, the negotiating, by the SGSN, with the UE to determine the security algorithm includes:
According to the twelfth possible implementation manner of the third aspect, in a thirteenth possible implementation manner,
According to the third aspect or the first to thirteenth possible implementation manners of the third aspect, in a fourteenth possible implementation manner, the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter includes:
According to the fourteenth possible implementation manner of the third aspect, in a fifteenth possible implementation manner,
According to the fifteenth possible implementation manner of the third aspect, in a sixteenth possible implementation manner, the message that is sent by the RNC and received by the SGSN and includes the NAS PDU further carries an anti-replay parameter; and
According to the third aspect or the first to thirteenth possible implementation manners of the third aspect, in a seventeenth possible implementation manner, the receiving, by an SGSN, a NAS PDU sent by an RNC includes:
According to the seventeenth possible implementation manner of the third aspect, in an eighteenth possible implementation manner, before the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter, the method further includes:
According to the eighteenth possible implementation manner of the third aspect, in a nineteenth possible implementation manner, the security parameter response message sent by the SGSN to the RNC further includes: a security algorithm selected by the SGSN.
According to the eighteenth or nineteenth possible implementation manner of the third aspect, in a twentieth possible implementation manner,
According to the eighteenth possible implementation manner of the third aspect, in a twenty-first possible implementation manner,
According to a fourth aspect, an embodiment of the present invention provides a data transmission apparatus, including:
In a first possible implementation manner of the fourth aspect,
According to the first possible implementation manner of the fourth aspect, in a second possible implementation manner, the apparatus further includes:
According to the first or second possible implementation manner of the fourth aspect, in a third possible implementation manner, the apparatus further includes:
According to the fourth aspect or any one of the first to third possible implementation manners of the fourth aspect, in a fourth possible implementation manner, the sending module is specifically configured to:
According to the fourth possible implementation manner of the fourth aspect, in a fifth possible implementation manner, the sending module is further configured to:
According to the fourth aspect or any one of the first to fifth possible implementation manners of the fourth aspect, in a sixth possible implementation manner, the sending module is specifically configured to:
According to the sixth possible implementation manner of the fourth aspect, in a seventh possible implementation manner, the apparatus further includes:
According to the seventh possible implementation manner of the fourth aspect, in an eighth possible implementation manner,
According to the eighth possible implementation manner of the fourth aspect, in a ninth possible implementation manner, the anti-replay parameter includes: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
According to the fourth aspect or any one of the first to ninth possible implementation manners of the fourth aspect, in a tenth possible implementation manner, the parameter transfer module is further configured to:
According to the fourth aspect or any one of the first to fourth possible implementation manners of the fourth aspect, in a tenth possible implementation manner, the apparatus further includes:
According to a fifth aspect, an embodiment of the present invention provides a data transmission apparatus, including:
In a first possible implementation manner of the fifth aspect, the security processing includes: security processing performed on the NAS PDU by using a security parameter and a security algorithm, where
According to the first possible implementation manner of the fifth aspect, in a second possible implementation manner, the apparatus further includes:
According to the first or second possible implementation manner of the fifth aspect, in a third possible implementation manner, the negotiation module is further configured to:
According to the first or second possible implementation manner of the fifth aspect, in a fourth possible implementation manner, the negotiation module is further configured to:
According to the fifth aspect or any one of the first to fourth possible implementation manners of the fifth aspect, in a fifth possible implementation manner, the receiving module is specifically configured to:
According to the fifth possible implementation manner of the fifth aspect, in a sixth possible implementation manner,
According to the fifth possible implementation manner of the fifth aspect, in a seventh possible implementation manner, the apparatus further includes:
According to the first or second possible implementation manner of the fifth aspect, in an eighth possible implementation manner, the apparatus further includes:
According to the fifth aspect or any one of the first to fourth and the eighth possible implementation manners of the fifth aspect, in a ninth possible implementation manner, the apparatus further includes:
According to the ninth possible implementation manner of the fifth aspect, in a tenth possible implementation manner, the security parameter response message further includes: a security algorithm selected by the SGSN.
According to the ninth or tenth possible implementation manner of the fifth aspect, in an eleventh possible implementation manner,
According to the eleventh possible implementation manner of the fifth aspect, in a twelfth possible implementation manner, the negotiation module is further configured to:
According to a sixth aspect, an embodiment of the present invention provides a data transmission apparatus, including:
In a first possible implementation manner of the sixth aspect,
According to the first possible implementation manner of the sixth aspect, in a second possible implementation manner, the apparatus further includes:
According to the first or second possible implementation manner of the sixth aspect, in a third possible implementation manner, the apparatus further includes:
According to the sixth aspect or any one of the first to third possible implementation manners of the sixth aspect, in a fourth possible implementation manner, the receiving module is specifically configured to:
According to the sixth aspect or any one of the first to third possible implementation manners of the sixth aspect, in a fifth possible implementation manner, the receiving module is specifically configured to:
According to the fifth possible implementation manner of the sixth aspect, in a sixth possible implementation manner, the apparatus further includes: a parameter transfer module, configured to: before the NAS PDU that is sent by the UE and has undergone security processing performed by using the security algorithm and the security parameter is received, receive a security parameter acquisition request message sent by the RNC, where the security parameter acquisition request message includes a Key set identifier KSI of the UE and a small data indication; and
According to the fifth or sixth possible implementation manner of the sixth aspect, in a seventh possible implementation manner,
The embodiments of the present invention provide a data transmission method and apparatus, where a small data packet to be transmitted is encapsulated into a NAS PDU, security processing is performed on the NAS PDU by using a security parameter and a security algorithm, and then the NAS PDU is directly carried in a message of control plane signaling for transmission, so that a process of establishing a data transmission channel by using multiple pieces of user plane signaling can be omitted, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the following clearly describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are some but not all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.
“Small” in a small data packet in the embodiments of the present invention refers to a size of a data packet described from an application level, and the small data packet in the embodiments of the present invention is mainly about, for example, a data packet of an MTC device or keepalive information of a smart phone Smart Phone. For example, UE may determine, by using a threshold configured on a network side, whether a data packet that needs to be sent is a small data packet that meets a requirement of the present invention. When the network side indicates that a data packet smaller than 1000 bytes is a small data packet, if the UE sends a data packet smaller than 1000 bytes, a corresponding solution in the embodiments of the present invention is used.
Step 101: UE performs security processing on a NAS PDU by using a security parameter and a security algorithm, where data to be transmitted is encapsulated in the NAS PDU.
Step 102: The UE sends the NAS PDU to a serving SGSN by using an RNC.
In the prior art, a general process of data transmission is to establish a data transmission channel among a UE, an RNC, and an SGSN by using multiple pieces of signaling, and transmit data on the data transmission channel. However, in this embodiment of the present invention, in consideration of that data to be transmitted is a small data packet, the small data packet to be transmitted may be encapsulated into a NAS PDU, which may be directly carried in a message of control plane signaling for transmission.
In this embodiment, a small data packet to be transmitted is encapsulated into a NAS PDU, security processing is performed on the NAS PDU by using a security parameter and a security algorithm, and then the NAS PDU is directly carried in a message of control plane signaling for transmission, so that a process of establishing a data transmission channel by using multiple pieces of user plane signaling can be omitted, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
Further specifically, the security parameter may include: a cipher key CK_small and/or an integrity protection key IK_small; and
In an embodiment of the data transmission method of the present invention, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method may further include:
Further specifically, the negotiating, by the UE, with the SGSN to determine the security parameter may include:
Further specifically, the negotiating, by the UE, with the SGSN by performing an AKA process to determine the security parameter may include:
Alternatively, the negotiating, by the UE, with the SGSN by performing an AKA process to determine the security parameter may include:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
Alternatively, the negotiating, by the UE, with the SGSN to determine the security parameter may include:
In an embodiment of the data transmission method of the present invention, before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method may further include:
Further specifically, the negotiating, by the UE, with the SGSN to determine the security algorithm may include:
Further specifically, the negotiating, by the UE, with the SGSN by using a registration procedure of the UE to determine the security algorithm may include:
In actual implementation, a process of receiving, by the UE, an SMC message sent by the SGSN is that the SGSN sends an SMC message to the RNC, and then the RNC sends the SMC message to the UE.
Alternatively, the negotiating, by the UE, with the SGSN to determine the security algorithm may include:
Alternatively, the negotiating, by the UE, with the SGSN by using a procedure of an inter-SGSN handover of the UE to determine the security algorithm may include:
During actual implementation, a process of receiving, by the UE, a radio access network mobility information RAN Mobility information message sent by a target RNC in the inter-SGSN handover is that: the target SGSN selects a security algorithm, and then sends the security algorithm to the target RNC by using a relocation request Relocation Request, and the target RNC then transfers, by using the RAN Mobility information message, the security algorithm selected by the target SGSN to the UE.
Alternatively, the UE and the SGSN may use a security algorithm of a common service as a security algorithm of a small data service, that is, the negotiating, by the UE, with the SGSN to determine the security algorithm may include:
It should be noted that a service in the service request Service Request is a common service, for example, a short messaging service, a voice service, and a data service.
Further specifically, the negotiating, by the UE, with the SGSN by using a service request Service Request process of the UE to determine a security algorithm of a service may include:
A security algorithm of a common service is updated each time a service takes place, and therefore, when a security algorithm of a common service is used as a security algorithm of a small data service, update of the security algorithm of the common service is still used for update of a security algorithm.
Various specific methods for transmitting small data after negotiation of the security parameter and the security algorithm are described below.
In an implementation solution, deciphering of the NAS PDU is implemented by the SGSN.
Further, before the sending, by the UE, an RRC Connection Setup Complete message to the RNC, the method may further include:
Further, the RRC Connection Setup Complete message specifically includes: the NAS PDU and a key set identifier KSI, where the KSI is used for enabling the SGSN to search for security context for deciphering the NAS PDU.
In another implementation solution, deciphering of the NAS PDU is implemented by the RNC.
Before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method may further include:
Further, the sending, by the UE, the NAS PDU to an SGSN may include:
Further, before the sending, by the UE, an RRC Connection Setup Complete message to the RNC, the method may further include:
For example, in an embodiment of the data transmission method of the present invention, the UE generates Count_C and/or Count_I by using a start value Start saved in the UE, and Count_C and/or Count_I and a fresh value Fresh generated by the RNC are used as input parameters of a cipher algorithm and/or an integrity algorithm. Therefore, by using the foregoing method, the fresh value Fresh generated by the RNC may be transferred in the RRC Connection Setup message. After completing security processing on a NAS PDU, the UE may send the start value Start in use to the RNC, for example, send an RRC Connection Setup Complete message together with the NAS PDU that has undergone security processing, so that the RNC deciphers the NAS PDU.
Further, before the receiving, by the UE, an RRC Connection Setup message sent by the RNC, the method may further include:
Further, the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm may include:
Specifically, the anti-replay parameter may include: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
During specific implementation, the RRC Connection Setup Complete message sent by the UE to the RNC may carry a start value Start and a serial number (Serial Number, SN for short), and the RNC may generate Count_C and/or Count_I according to Start and SN; or Count_C and/or Count_I may also be directly carried in the RRC Connection Setup Complete message; or, Count_C_small and/or Count_I_small separately maintained for a small data service may be carried.
Further, the RRC connection request message sent by the UE to the RNC further carries a first random number Nonce_UE generated by the UE;
During transmission of small data between the UE and the RNC each time, a NAS PDU is separately enciphered and deciphered only once in both uplink and downlink, and therefore anti-replay protection can be achieved. During transmission of small data each time, both the UE and the RNC need to generate a new first random number Nonce_UE and a new second random number Nonce_RNC and send the random numbers to each other. For a solution in which deciphering of a NAS PDU is implemented by an SGSN, after the RNC receives the first random number Nonce_UE sent by the UE, Nonce_UE and Nonce_RNC may be carried in one message and sent to the SGSN. The message for sending Nonce_UE and Nonce_RNC may be, for example, an initial UE (Initial UE) message, or may also be another message.
In a solution in which deciphering of the NAS PDU is implemented by the RNC, in an embodiment, the UE and the RNC may negotiate the security algorithm.
Before the performing, by UE, security processing on a NAS PDU by using a security parameter and a security algorithm, the method may further include:
Further, the RRC Connection Setup message received by the UE may further include: the fresh value Fresh generated by the RNC and the security algorithm supported by the UE.
Further, before the receiving, by the UE, an RRC Connection Setup message sent by the RNC, the method may further include:
Step 201: An RNC receives a NAS PDU that is sent by UE and has undergone security processing, where data to be transmitted is encapsulated in the NAS PDU.
Step 202: The RNC sends the NAS PDU to an SGSN.
Specifically, in step 202, the RNC may skip processing on the NAS PDU and directly forward the received NAS PDU to the SGSN. In such a manner, the SGSN needs to decipher the NAS PDU, and therefore, an enciphering and deciphering function of the SGSN needs to be enhanced; the NAS PDU may also be deciphered and the NAS PDU obtained after the deciphering is then sent to the SGSN.
In this embodiment, an RNC receives, by using control plane signaling, a small data packet that is sent by UE and encapsulated into a NAS PDU and has undergone security processing, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
Specifically, the security processing may include: performing security processing on the NAS PDU by using a security parameter and a security algorithm, where
In an embodiment of the data transmission method of the present invention, before small data is transmitted, a security parameter may be negotiated first between the UE and the SGSN, so as to deter mine a security parameter for enciphering and deciphering in a transmission process, that is, a key. Specifically, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method may further include:
Further, in an embodiment of the data transmission method of the present invention, before small data is transmitted, a security algorithm may be negotiated first between the UE and the SGSN, so as to determine a security algorithm in a transmission process, the security algorithm including an enciphering and deciphering algorithm UEA and/or an integrity protection algorithm UIA. Specifically, negotiation may be performed in a registration procedure of the UE, and before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method may further include:
Alternatively, negotiation may be performed in a procedure of an inter-SGSN handover of the UE, and specifically, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method further includes:
In an embodiment, the enciphering and deciphering process is implemented by the SGSN, that is, an RNC receives a NAS PDU sent by a UE, and then directly forwards the NAS PDU to the SGSN; and the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing may include:
Specifically, the anti-replay parameter may include: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
Further, before the receiving, by the RNC, an RRC Connection Setup Complete message sent by the UE, the method may further include:
In another embodiment, the enciphering and deciphering process is implemented by the RNC, that is, after receiving a NAS PDU sent by a UE, an RNC first deciphers the NAS PDU and then sends the NAS PDU to the SGSN; and before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method may further include:
That is, before the sending, by the RNC, the NAS PDU to the SGSN, the method may further include:
Further specifically, before the deciphering, by the RNC, the NAS PDU, the method may further include:
If Count_C_small and/or Count_I_small separately maintained for a small data service is used in an anti-replay mechanism, the security parameter response message sent by the SGSN and received by the RNC needs to carry: a security parameter corresponding to the KSI and Count_C_small and/or Count_I_small dedicated to small data.
Specifically, the RNC may generate, according to Count_C_small and/or Count_I_small sent by the SGSN and in combination with an SN sent by the UE, Count_C_small and/or Count_C_small usable in current transmission, and decipher the NAS PDU by using Count_C_small and/or Count_I_small; moreover, after current transmission is complete, for example, after the sending, by the RNC, the NAS PDU to an SGSN, the method may further include: sending, by the RNC, the updated Count_C_small and/or Count_I_small dedicated to small data to the SGSN, so that the SGSN updates the Count_C_small and/or Count_I_small dedicated to small data.
In an embodiment, a preconfigured security algorithm may also be not used, and instead, for transmission each time, the UE negotiates a security algorithm with the RNC. Specifically, the security parameter response message may further include: a security algorithm selected by the SGSN.
During specific implementation, the security parameter acquisition request message may be an initial UE message, and the security parameter response message may be a command ID message or a Direct Transfer message, or,
Further, before the receiving, by an RNC, a NAS PDU that is sent by UE and has undergone security processing, the method may further include:
For example, in an embodiment of the data transmission method of the present invention, the UE generates Count_C and/or Count_I by using a start value Start saved in the UE, and Count_C and/or Count_I and a fresh value Fresh generated by the RNC are used as input parameters of a cipher algorithm and/or an integrity algorithm. Therefore, by using the foregoing method, the fresh value Fresh generated by the RNC may be transferred in the RRC Connection Setup message. After completing security processing on a NAS PDU, the UE may send the start value Start in use to the RNC, for example, send an RRC Connection Setup Complete message together with the NAS PDU that has undergone security processing, so that the RNC deciphers the NAS PDU.
Further, before the sending, by the RNC, an RRC Connection Setup message to the UE, the method may further include:
Further, the NAS PDU carried in the RRC Connection Setup Complete message is the NAS PDU that has undergone security processing performed by using the security algorithm, the security parameter, and an anti-replay parameter;
Specifically, the anti-replay parameter may include: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
Further, in the anti-replay mechanism, a first random number Nonce_UE and a second random number Nonce_RNC that are generated respectively by the UE and the RNC may be used as anti-replay parameters. Specifically, the RRC connection request message sent by the UE and received by the RNC may further carry the first random number Nonce_UE generated by the UE;
Further, before the sending, by the RNC, an RRC Connection Setup message to the UE, the method may further include:
During specific implementation, an RRC connection request message received by the RNC and sent by the UE may further include the security algorithm supported by the UE;
Step 301: An SGSN receives a NAS PDU sent by an RNC, where the NAS PDU is sent to the RNC by UE after the UE performs security processing on the NAS PDU by using a security algorithm and a security parameter.
Specifically, the NAS PDU received by the SGSN may have undergone deciphering by the RNC, or may also have not undergone deciphering by the RNC and instead is deciphered by the SGSN.
In this embodiment, an SGSN receives, by using control plane signaling, a NAS PDU that is from UE and forwarded by an RNC or is forwarded after deciphering by an RNC, and the NAS PDU is encapsulated with a small data packet and has undergone security processing, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
Specifically, the security parameter may include: a cipher key CK_small and/or an integrity protection key IK_small; and
In an embodiment of the data transmission method of the present invention, before the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter, the method may further include:
Further specifically, the negotiating, by the SGSN, with the UE to determine the security parameter may include:
Further specifically, the negotiating, by the SGSN, with the UE by using an AKA process to determine the security parameter may include:
Alternatively, the negotiating, by the SGSN, with the UE by using an AKA process to determine the security parameter may include:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
Alternatively, the negotiating, by the SGSN, with the UE to determine the security parameter may include:
In an embodiment of the data transmission method of the present invention, before the receiving, by an SGSN, a NAS PDU sent by an RNC, the method may further include:
Further specifically, the negotiating, by the SGSN, with the UE to determine the security algorithm may include:
Further specifically, the negotiating, by the SGSN, with the UE by using a registration procedure of the UE to determine the security algorithm may include:
In actual implementation, a process of receiving, by the UE, the SMC message sent by the SGSN is that the SGSN sends an SMC message to the RNC, and then the RNC sends the SMC message to the UE.
Alternatively, the negotiating, by the SGSN, with the UE to determine the security algorithm may include:
Alternatively, the negotiating, by the SGSN, with the UE by using a procedure of an inter-SGSN handover of the UE to determine the security algorithm may include:
Alternatively, the negotiating, by the SGSN, with the UE to determine the security algorithm may include:
It should be noted that a service in the service request Service Request is a common service, for example, a short messaging service, a voice service, and a data service.
Alternatively, the negotiating, by the SGSN, with the UE by using a service request Service Request process of the UE to determine a security algorithm of a service may include:
A security algorithm of a common service is updated each time a service takes place, and therefore, when a security algorithm of a common service is used as a security algorithm of a small data service, update of the security algorithm of the common service is still used for update of a security algorithm.
Various specific methods for transmitting small data after negotiation of the security parameter and the security algorithm are described below.
In an implementation solution, the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter may include:
Further specifically, the message that is sent by the RNC and received by the SGSN and includes the NAS PDU further carries a key set identifier KSI, where the KSI is used for enabling the SGSN to search for security context for deciphering the NAS PDU; and
Further, the message that is sent by the RNC and received by the SGSN and includes the NAS PDU further carries an anti-replay parameter; and
In another implementation solution, deciphering of the NAS PDU is implemented by the RNC.
Specifically, the receiving, by an SGSN, a NAS PDU sent by an RNC may include:
In an implementation manner, before the receiving, by an SGSN, a NAS PDU that is sent by UE and has undergone security processing performed by using a security algorithm and a security parameter, the method may further include:
In an implementation manner, the security parameter response message sent by the SGSN to the RNC may further include: a security algorithm selected by the SGSN.
In an implementation manner, the security parameter response message sent by the SGSN to the RNC may further include: Count_C_small and/or Count_I_small dedicated to small data; and
In the foregoing implementation manner, for the anti-replay parameter, Count_C_small and/or Count_I_small dedicated to small data may be used, and the two parameters Count_C_small and Count_I_small may be used as start values of the anti-replay parameter and saved on the SGSN. Therefore, during transmission of small data each time, the RNC needs to acquire the two parameters from the SGSN, and in combination with an SN, an anti-replay parameter usable for current data transmission is generated. Moreover, after data transmission is complete, the anti-replay parameter generated the current time needs to be returned to the SGSN, so that the SGSN updates Count_C_small and Count_I_small.
During specific implementation, the security parameter acquisition request message may be an initial UE message, and the security parameter response message may be a command ID message or a Direct Transfer message, or,
The technical solutions of the data transmission method of the present invention are described in detail below by using several specific embodiments.
Step 401: UE negotiates with an SGSN to determine a security parameter.
Before step 401, the UE may acquire a transmission resource by using a random access process.
Step 402: The UE negotiates with the SGSN to determine a security algorithm.
Step 403: The UE performs security processing on a NAS PDU by using the security parameter and the security algorithm, where data to be transmitted is encapsulated in the NAS PDU.
Specifically, the UE may perform security processing on the NAS PDU by using a security parameter (for example, a key), a security algorithm, and an anti-replay parameter saved by the UE.
The anti-replay parameter is used for implementing an anti-replay function, and the anti-replay function may be implemented in the following three manners:
Manner 1: Count_C and Count_I that are generated by using the start value Start saved in the UE, and a fresh value Fresh generated by an RNC, are used as the anti-replay parameter. In such a manner, Fresh sent by the RNC needs to be received before the UE performs security processing, and the UE needs to send a start value Start for generating Count_C and Count_I to the RNC, or directly send values of Count_C and Count_I to the RNC, while the RNC needs to send Start and Fresh to the SGSN, or send values of Count_C and Count_I and Fresh to the SGSN, so that the SGSN deciphers the data to be transmitted. A specific manner of sending the anti-replay parameter may be arranged flexibly. For example, the UE may add a Start value or values of Count_C and Count_I to a message for sending data to be transmitted for simultaneous sending, or may also send a Start value or values of Count_C and Count_I by using another message.
Manner 2: Count_C_small and Count_I_small that are separately maintained for small data are used as the anti-replay parameter. In such a manner, the RNC does not need to generate a fresh value Fresh, the UE needs to send Count_C_small and Count_I_small to the RNC, and the RNC also needs to send Count_C_small and Count_I_small to the SGSN.
Manner 3: A manner of using a random number Nonce value as the anti-replay parameter may be used. Specifically, the UE may generate a first random number Nonce_UE, and may add Nonce_UE to RRC Connection Request or RRC Connection Setup Complete; the RNC may generate a second random number Nonce_RNC, and add Nonce_RNC to RRC Connection Setup. When the UE performs security processing on the NAS PDU, Nonce_UE and Nonce_RNC are used as the anti-replay parameter. In such a manner, after receiving Nonce_UE sent by the UE, the RNC needs to send Nonce_UE and Nonce_RNC to the SGSN, so that the SGSN deciphers the data to be transmitted. For example, Nonce_UE and Nonce_RNC may be sent by using an initial UE message (Initial UE Message), or may also be sent by using another message.
Step 404: The UE sends an RRC connection request message to an RNC, where the RRC connection request message includes a small data indication.
The small data indication is used for informing the RNC that current transmission involves a small data service.
After receiving the RRC connection request message, the RNC may skip transmitting state information of CELL_DCH to the UE, and may also skip sending a measurement control signal.
Step 405: The RNC sends a connection setup message to the UE.
It should be noted that no time order exists between step 403 and steps 404 and 405, and step 403 only needs to be performed before step 406, where an exemplary solution is that step 403 is performed between step 405 and step 406.
During specific implementation, if a manner of using Count_C and Count_I generated by a start value Start and Fresh generated by the RNC is used in an anti-replay mechanism, step 404 may further include a fresh value Fresh generated by the RNC, and in such a manner, step 403 needs to be executed after step 404.
Step 406: The UE sends an RRC Connection Setup Complete message to the RNC, where the RRC Connection Setup Complete message carries the NAS PDU.
Specifically, the NAS PDU carried in the RRC Connection Setup Complete message (RRC Connection Setup Complete) message has undergone security processing in step 403. The RRC Connection Setup Complete message may further include a key set identifier (Key Set Identifier, KSI for short), so that after the RNC sends the KSI to the SGSN, the SGSN searches for security context for deciphering the NAS PDU.
Generally, the RRC Connection Setup Complete message further includes a bearer ID Bearer ID, an SN, and a message authentication code-identity (Message Authentication Code-Integrity, MAC-I for short). The Bearer ID is used for enabling the SGSN to map small data to a corresponding Bearer. The SN may be lower 4 bits of the anti-replay parameter Count and is used for enabling the SGSN to estimate, according to an anti-replay parameter Count saved in the SGSN and the SN, a correct value of the anti-replay parameter Count; or, the UE may also directly add a value of an entire anti-replay parameter Count to the RRC Connection Setup Complete message.
During specific implementation, step 406 may further include a start value Start used for generating anti-replay parameters Count_C and Count_I by the UE.
Step 407: The RNC sends the NAS PDU to the SGSN.
The message that includes the NAS PDU and is sent by the RNC to the SGSN in Step 407 may further carry Start and Fresh.
Specifically, the RNC may send the NAS PDU to the SGSN by using an initial UE message (Initial UE Message).
The Initial UE Message may further include a KSI and an anti-replay parameter. For example, in a manner in which a random number Nonce value may be carried as an anti-replay parameter for an anti-replay mechanism, a first random number Nonce_UE and a second random number Nonce_RNC may be carried in the Initial UE Message.
Generally, the initial UE Message further includes the UE identifier of the UE, for example, a packet temporary mobile subscriber identity (Packet Temporary Mobile Subscriber Identity, P-TMSI for short), a Bearer ID, an SN, and a MAC-I.
Step 408: The SGSN deciphers the NAS PDU.
Specifically, the SGSN may verify the integrity of the message by using security context of corresponding UE small data, and decipher the NAS PDU. Next, the NAS PDU may be further sent to a corresponding application server by using a serving gateway (Service Gateway, SGW for short) or a packet data network gateway (Packet Data Network (PDN) Gateway, PGW for short).
Step 409: The SGSN sends a response message to the RNC.
Step 409 and subsequent step 410 are a group of optional steps, and only need to be executed when downlink response data exists or an acknowledgment (ACK) message needs to be returned.
Specifically, when a downlink response message exists, the SGSN may also perform security processing on the response message, and then may send the response message to the RNC by using a Direct Transfer (Direct Transfer) message.
Step 410: The RNC sends the response message to the UE.
Specifically, an RRC Connection Release (RRC Connection Release) message may be used to return the response message to the UE.
In this embodiment, UE performs security processing on a NAS PDU by using a predetermined security parameter and security algorithm, and sends the NAS PDU to an RNC by using an RRC Connection Setup Complete message, the RNC forwards the NAS PDU to an SGSN, and the SGSN performs deciphering, so as to complete transmission of small data, and ensure transmission security of small data.
In the foregoing embodiment, the negotiating, by UE, with an SGSN to determine a security parameter in step 401 may be: negotiating, by the UE, with the SGSN by performing an authentication and key agreement AKA process to determine the security parameter.
Further specifically, the UE negotiates with the SGSN by performing the AKA process to determine to use a cipher key CK in the AKA process as CK_small, and/or determine to use an integrity protection key IK in the AKA process as IK_small.
In the foregoing embodiment, the negotiating, by UE, with an SGSN to determine a security parameter in step 401 may further be:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
During specific implementation, RAND may be a RAND value included in an authentication vector AV (Authentication Vector)=(RAND, XRES, CK, IK, AUTN) that is generated by a home environment (Home Environment, HE for short) or a home location register (Home location Register, HLR for short) when the UE and a network side perform the AKA process.
In the foregoing embodiment, the negotiating, by UE, with an SGSN to determine a security parameter in step 401 may further be:
Step 501: UE adds a security algorithm supported by the UE to a registration request message or a routing area update request message, and sends the registration request message or the routing area update request message to the SGSN.
The registration request Attach Request message or the routing area update request RAU Request message may further include a UE identifier, for example, a P-TMSI of the UE. The security algorithm supported by the UE is a UE small data security capability (UE small data security capability).
Step 502: The SGSN determines a security algorithm.
The security algorithm herein is a security algorithm of a small data service. Specifically, the SGSN may select, according to an algorithm priority list and the security algorithm supported by the UE, an optimal security algorithm as the security algorithm of the small data service, for example, a selected small data enciphering and deciphering algorithm selected UEA_small, or a selected small data integrity protection algorithm selected UIA_small.
Step 503: The SGSN sends an SMC message to an RNC, where the SMC message includes the security algorithm determined by the SGSN.
The SMC message sent by the SGSN to the RNC may further include the security algorithm supported by the UE.
Step 504: The RNC sends an SMC message to the UE, where the SMC message includes the security algorithm determined by the SGSN.
During specific implementation, the extended SMC message in the two steps may further include the security algorithm supported by the UE as reported by the UE, so as to acknowledge that the security algorithm is not changed.
Step 505: The UE acquires the security algorithm determined by the SGSN.
Specifically, the UE verifies the integrity of the SMC message, and saves the security algorithm, selected UEA_small or selected UIA_small, determined by the SGSN.
In this embodiment, UE negotiates with an SGSN by using a registration procedure to determine a security algorithm of a small data service.
In the foregoing embodiment, the SGSN sends, to the UE, the security algorithm determined by the SGSN, or may also send the security algorithm by using a registration accept Attach accept message or a routing area accept RAU accept message, where the registration accept Attach accept message or the routing area accept RAU accept message includes the security algorithm that is determined by the SGSN according to the security algorithm supported by the UE.
In a handover process, if the UE performs a handover in a same SGSN, the security algorithm is unchanged, and algorithm negotiation is not required; if the UE performs inter-SGSN handover (inter-SGSN relocation), an algorithm selected by a target SGSN may be sent to the UE by using a handover procedure signaling relocation request (Relocation Request) and radio access network mobility information (RAN Mobility information).
As shown in
Step 601: A source SGSN sends a forward relocation request message to a target SGSN, where the forward relocation request message includes a security algorithm supported by UE and a security parameter of the UE.
During specific implementation, the forward relocation request (Forward Relocation Request) message may further include: a security algorithm determined by the source SGSN.
Step 602: The target SGSN determines a security algorithm.
Specifically, the target SGSN may reselect, according to an algorithm priority list supported by the target SGSN, selected UEA_small and selected UIA_small of the target SGSN, and a security algorithm reselected by the target SGSN may be the same as or may also be different from the security algorithm determined by the source SGSN.
Step 603: The target SGSN sends a relocation request message to a target RNC, where the relocation request message includes the security algorithm determined by the target SGSN.
Step 604: The target RNC sends a radio access network mobility information message to the UE, where the radio access network mobility information message includes the security algorithm determined by the target SGSN.
In this embodiment, UE negotiates with an SGSN by using a procedure of an inter-SGSN handover to determine a security algorithm of a small data service.
Step 701: UE negotiates a security algorithm of a common service with an SGSN.
Step 702: The UE receives an SMC command message sent by an RNC, where the SMC command message carries the security algorithm of the common service.
Step 703: The UE uses the security algorithm of the common service as a security algorithm of a small data service, and saves the security algorithm.
The UE may update the security algorithm when receiving an SMC command message including a security algorithm of a new common service next time.
Step 704: The UE sends an SMC complete message to the RNC.
Step 705: The SGSN receives the SMC complete message sent by the RNC, where the SMC complete message carries the security algorithm of the service.
Step 706: The SGSN uses the security algorithm of the common service as the security algorithm of the small data service, and saves the security algorithm.
The SGSN may update the security algorithm when receiving an SMC complete message including a security algorithm of a new common service next time.
In this embodiment, the SGSN negotiates with the UE to determine to use the security algorithm of the service as the security algorithm.
Step 801: UE sends an RRC connection request message to an RNC, where the RRC connection request message includes a small data indication and a KSI.
The small data indication is used for informing the RNC that current transmission involves a small data service, and the KSI is used for enabling an SGSN to search for security context of small data to be transmitted.
Step 802: The RNC sends a message including the small data indication and the KSI to an SGSN.
Specifically, a message including the small data indication and the KSI may further include a UE identifier P-TMSI of the UE, which is used for acquiring a security parameter corresponding to the UE. The message may be an initial UE message, or an uplink information exchange request (Uplink Information Exchange Request) message, or may also be another message.
Step 803: The SGSN sends a message including a security parameter of the UE to the RNC.
Specifically, the SGSN may search, according to the KSI, for security parameters CK_small and IK_small corresponding to the UE, and then send the security parameters to the RNC. The security parameters may be sent to the RNC by using a Common ID (Common ID) message or a Direct Transfer (Direct Transfer) message, where the message may also be an uplink information exchange response (Uplink Information Exchange Response) message (which is used in pair with the uplink information exchange request message in step 802), or may also be another message.
Step 804: The RNC generates an integrity protection parameter Fresh value, and sends the Fresh value to the UE.
Specifically, the Fresh value may be sent by using an RRC Connection Setup message.
Step 805: The UE performs security processing on a NAS PDU.
Specifically, the UE may use the security parameters CK_small and IK_small, preset security algorithms selected UEA_small and selected UIA_small, and an anti-replay parameter to encipher a NAS PDU encapsulated with data to be transmitted.
The anti-replay parameter is to implement an anti-replay function, and the anti-replay function may be implemented in the following three manners:
Manner 1: Count_C and Count_I that are generated by using the start value Start saved in the UE, and a fresh value Fresh generated by an RNC, are used as the anti-replay parameter. In such a manner, Fresh sent by the RNC needs to be received before the UE performs security processing, and the UE needs to send a start value Start for generating Count_C and Count_I to the RNC, or directly send values of Count_C and Count_I to the RNC, while the RNC needs to send Start and Fresh to the SGSN, or send values of Count_C and Count_I and Fresh to the SGSN, so that the SGSN deciphers the data to be transmitted. A specific manner of sending the anti-replay parameter may be arranged flexibly. For example, the UE may add a Start value or values of Count_C and Count_I to a message for sending data to be transmitted for simultaneous sending, or may also send a Start value or values of Count_C and Count_I by using another message.
Manner 2: Count_C_small and Count_I_small that are separately maintained for small data are used as the anti-replay parameter. In such a manner, the RNC does not need to generate a fresh value Fresh, the UE needs to send Count_C_small and Count_I_small to the RNC, and after executing an enciphering and deciphering operation, the RNC also needs to send the updated Count_C_small and Count_I_small to the SGSN.
Manner 3: A manner of using a random number Nonce value as the anti-replay parameter may be used. Specifically, the UE may generate a first random number Nonce_UE, and may add Nonce_UE to RRC Connection Request or RRC Connection Setup Complete; the RNC may generate a second random number Nonce_RNC, and add Nonce_RNC to RRC Connection Setup. When the UE performs security processing on the NAS PDU, Nonce_UE and Nonce_RNC are used as the anti-replay parameter. In such a manner, after receiving Nonce_UE sent by the UE, the RNC may use Nonce_UE and Nonce_RNC as the anti-replay parameter to decipher the data to be transmitted.
In this embodiment, the anti-replay mechanism in Manner 1 is used as an example for description. When the anti-replay mechanisms in the rest two manners are used, the parameter that needs to be carried in each message is correspondingly changed according to a demand of each manner.
Moreover, the UE may further generate a MAC-I.
Step 806: The UE sends an RRC Connection Setup Complete message to the RNC, where the RRC Connection Setup Complete message includes the NAS PDU that has undergone security processing and a start value Start.
Specifically, the RRC Connection Setup Complete message may include a parameter needed for deciphering, for example, an anti-replay parameter, a Bearer ID, and a MAC-I.
Step 807: The RNC deciphers the NAS PDU.
Specifically, step 807 may further include performing an operation such as integrity check on the NAS PDU.
Step 808: The RNC sends the NAS PDU obtained after the deciphering to the SGSN.
Specifically, the RNC may send the NAS PDU by using a Direct Transfer (Direct Transfer) message, and the Direct Transfer message may further include a Bearer ID.
Step 809: The SGSN sends a response message to the RNC.
Step 809 and subsequent step 810 are a group of optional steps, and only need to be executed when downlink response data exists or an acknowledgment (ACK) message needs to be returned.
Specifically, when a downlink response message exists, the SGSN may send the downlink response message to the RNC by using a Direct Transfer message.
Step 810: The RNC performs security processing on the response message.
Specifically, a same security parameter may be used to perform security processing on the response message, or a specific security parameter may also be changed. If a specific security parameter is changed, for example, an anti-replay parameter is changed, the UE needs to be informed in a subsequent step.
Moreover, if an anti-replay parameter is used as an anti-replay parameter separately maintained for small data, and the anti-replay parameter is updated in step 810, the updated anti-replay parameter further needs to be returned to the SGSN, and a Direct Transfer (Direct Transfer) message may be used for transfer.
Step 811: The RNC sends the response message to the UE.
Specifically, an RRC Connection Release (RRC Connection Release) message may be used to return the response message to the UE.
In this embodiment, a procedure of transmitting small data in a scenario in which an RNC deciphers a small data packet is provided. UE performs security processing on data to be transmitted, and the RNC performs deciphering and sends the small data packet obtained after the deciphering to an SGSN, so as to complete transmission of small data, and ensure transmission security of small data.
In the foregoing embodiment, if an algorithm is not preconfigured on UE and an RNC, and instead the UE negotiates a security algorithm with an SGSN in a registration process, in step 803, the negotiated security algorithm may be carried in a message that is sent by the SGSN to the RNC and includes a security parameter of the UE.
Step 901: UE sends an RRC connection request message to an RNC, where the RRC connection request message includes a small data indication.
Step 902: The RNC generates an integrity protection parameter Fresh value, and sends the Fresh value to the UE.
Step 903: The UE performs security processing on a NAS PDU.
Step 904: The UE sends an RRC Connection Setup Complete message to the RNC, where the RRC Connection Setup Complete message includes the NAS PDU that has undergone security processing, a KSI, and a Start value.
It is only one implementation manner to place the KSI in the RRC Connection Setup Complete message in step 904 for transfer. The KSI may also be placed in the RRC connection request message in step 901 for transfer.
Step 905: The RNC sends a message including the small data indication and the KSI to the SGSN.
Step 906: The SGSN sends a message including a security parameter of the UE to the RNC.
Step 907: The RNC deciphers the NAS PDU.
Step 908: The RNC sends the NAS PDU obtained after the deciphering to the SGSN.
Step 909: The SGSN sends a response message to the RNC.
Step 910: The RNC performs security processing on the response message.
Step 911: The RNC sends the response message to the UE.
In this embodiment, a procedure of transmitting small data in a scenario in which an RNC deciphers a small data packet is provided. UE performs security processing on data to be transmitted, and the RNC performs deciphering and sends the small data packet obtained after the deciphering to an SGSN, so as to complete transmission of small data, and ensure transmission security of small data.
The foregoing embodiment is described by using an example of a manner in which for an anti-replay mechanism, Count_C and Count_I generated by using a start value Start saved in a UE, and a fresh value Fresh generated by an RNC, are used as an anti-replay parameter; for the anti-replay mechanism, in one manner, Count_C_small and Count_I_small that are separately maintained for small data may also be used as an anti-replay parameter, or, in another manner, a random number Nonce value may be used as an anti-replay parameter. When the anti-replay mechanism in the other two manners are used, the parameter that needs to be carried in each message is correspondingly changed according to a demand of each manner, and for a specific implementation manner, reference may be made to the description in Embodiment 5.
Step 1001: UE sends an RRC connection request message to an RNC, where the RRC connection request message includes a small data indication and a KSI, and further includes a security algorithm supported by the UE.
The small data indication is used for informing the RNC that current transmission involves a small data service, and the KSI is used for enabling the SGSN to search for security context of small data to be transmitted. The security algorithm supported by the UE may be indicated by using a UE small data security capability (UE small data security capability).
Step 1002: The RNC sends a message including the small data indication and the KSI to an SGSN.
Specifically, a message including the small data indication and the KSI may further include a UE identifier P-TMSI of the UE, which is used for acquiring a security parameter corresponding to the UE. The message may be an initial UE message, or an uplink information exchange request (Uplink Information Exchange Request) message, or may also be another message.
Step 1003: The SGSN sends a message including a security parameter of the UE and a security algorithm supported by the SGSN to the RNC.
Specifically, the SGSN may search, according to the KSI, for security parameters CK_small and IK_small corresponding to the UE, and then send the security parameters to the RNC. The security parameters may be sent to the RNC by using a Common ID (Common ID) message or a Direct Transfer (Direct Transfer) message, where the message may also be an uplink information exchange response (Uplink Information Exchange Response) message, (which is used in pair with the uplink information exchange request message in step 1002), or may also be another message. The message includes the security algorithm that is supported by the SGSN and is suitable for small data, a cipher algorithm (permitted UIA_small) of the small data, and an integrity protection algorithm (permitted UEA_small) for the small data.
Step 1004: The RNC determines a security algorithm of current transmission according to the security algorithm supported by the UE and the security algorithm supported by the SGSN, and generates a Fresh value.
The security algorithm of current transmission determined by the RNC may be marked as selected UEA_small and selected UIA_small.
Step 1005: The RNC sends an RRC Connection Setup message to the UE, where the RRC Connection Setup message includes the security algorithm of current transmission and the Fresh value.
Step 1006: The UE performs security processing on a NAS PDU.
Specifically, the UE may use the security parameters CK_small and IK_small, the security algorithms selected UEA_small and selected UIA_small determined by the RNC, and the anti-replay parameter to encipher the NAS PDU encapsulated with the data to be transmitted.
Specifically, the UE may use the security parameters CK_small and IK_small, preset security algorithms selected UEA_small and selected UIA_small, and the anti-replay parameter to encipher the NAS PDU encapsulated with the data to be transmitted.
Step 1007: The UE sends an RRC Connection Setup Complete message to the RNC, where the RRC Connection Setup Complete message includes the NAS PDU that has undergone security processing and a Start value.
Step 1008: The RNC deciphers the NAS PDU.
Specifically, step 1008 may further include performing an operation such as integrity check on the NAS PDU.
Step 1009: The RNC sends the NAS PDU obtained after the deciphering to the SGSN.
Specifically, the RNC may send the NAS PDU by using a Direct Transfer (Direct Transfer) message, and the Direct Transfer message may further include a Bearer ID.
Step 1010: The SGSN sends a response message to the RNC.
Step 1010 and subsequent step 1011 are a group of optional steps, and only need to be executed when downlink response data exists or an acknowledgment (ACK) message needs to be returned.
Specifically, when a downlink response message exists, the SGSN may send the downlink response message to the RNC by using a Direct Transfer message.
Step 1011: The RNC performs security processing on the response message.
Specifically, a same security parameter may be used to perform security processing on the response message, or a specific security parameter may also be changed. If a specific security parameter is changed, for example, an anti-replay parameter is changed, the UE needs to be informed in a subsequent step.
Step 1012: The RNC sends the response message obtained through security processing to the UE.
Specifically, an RRC Connection Release (RRC Connection Release) message may be used to return the response message to the UE.
This embodiment provides a procedure of transmitting small data in a scenario in which an RNC deciphers a small data packet and a security algorithm is negotiated each time a small data packet is transmitted. A security algorithm is negotiated in an RRC Connection Setup procedure, UE performs security processing on data to be transmitted, and the RNC performs deciphering and sends the small data packet obtained after the deciphering to an SGSN, so as to complete transmission of small data, and ensure transmission security of small data.
The foregoing embodiment is described by using an example of a manner in which for an anti-replay mechanism, Count_C and Count_I generated by using a start value Start saved in a UE, and a fresh value Fresh generated by an RNC, are used as an anti-replay parameter; for the anti-replay mechanism, in one manner, Count_C_small and Count_I_small that are separately maintained for small data may also be used as an anti-replay parameter, or, in another manner, a random number Nonce value may be used as an anti-replay parameter. When the anti-replay mechanism in the other two manners are used, the parameter that needs to be carried in each message is correspondingly changed according to a demand of each manner, and for a specific implementation manner, reference may be made to the description in Embodiment 5.
The apparatus in this embodiment may be configured to execute the technical solution of the method embodiment shown in
A technical effect of the apparatus in this embodiment is that, a small data packet to be transmitted is encapsulated into a NAS PDU, security processing is performed on the NAS PDU by using a security parameter and a security algorithm, and then the NAS PDU is directly carried in a message of control plane signaling for transmission, so that a process of establishing a data transmission channel by using multiple pieces of user plane signaling can be omitted, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
In the foregoing embodiment, further, the security parameter may include: a cipher key CK_small and/or an integrity protection key IK_small; and
The security parameter negotiation module 13 may be configured to: before security processing is performed on the NAS PDU by using the security parameter and the security algorithm, negotiate with the SGSN to determine the security parameter.
Further, the security parameter negotiation module 13 may be specifically configured to: negotiate with the SGSN by performing an authentication and key agreement AKA process to determine the security parameter.
Alternatively, the security parameter negotiation module 13 may be specifically configured to:
Further specifically, the security parameter negotiation module 13 is specifically configured to:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
Alternatively, the security parameter negotiation module 13 may be specifically configured to:
Further, the apparatus in this embodiment may further include: a security algorithm negotiation module 14, where
Further, the security algorithm negotiation module 14 may be specifically configured to:
Specifically, the security algorithm negotiation module 14 may be specifically configured to:
Alternatively, the security algorithm negotiation module 14 may be specifically configured to:
Specifically, the security algorithm negotiation module 14 may be specifically configured to:
Alternatively, the security algorithm negotiation module 14 may be specifically configured to:
Specifically, the security algorithm negotiation module 14 may be specifically configured to:
Further, in this embodiment, the sending module 12 may be specifically configured to:
Further, the sending module 12 is further configured to:
Further, the RRC Connection Setup Complete message specifically includes: the NAS PDU and a key set identifier KSI, where the KSI is used for enabling the SGSN to search for security context for deciphering the NAS PDU.
The apparatus in this embodiment may be configured to execute the technical solution executed by the corresponding UE in the method embodiment shown in any one of
The configuration module 15 is configured to: before security processing is performed on the NAS PDU by using the security parameter and the security algorithm, configure a security algorithm same as a small data security algorithm on the RNC as the security algorithm.
Further, the sending module 12 is specifically configured to:
Further, the apparatus in this embodiment may further include:
Further, the parameter transfer module 16 is further configured to:
Further, the processing module is specifically configured to:
Further, the anti-replay parameter includes: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
Further, the RRC connection request message further carries a first random number Nonce_UE generated by the UE;
Further, to adapt to a scenario in which the UE negotiates a security algorithm with the RNC during transmission each time, the parameter transfer module 16 may be further configured to:
Further, the RRC Connection Setup message further includes: a fresh value Fresh generated by the RNC and a security algorithm supported by the UE.
Further, the parameter transfer module 16 is further configured to:
The apparatus in this embodiment may be configured to execute the technical solution executed by the corresponding UE in the method embodiment shown in any one of
The apparatus in this embodiment may be configured to execute the technical solution of the method embodiment shown in
A technical effect of the apparatus in this embodiment is that, an RNC receives, by using control plane signaling, a small data packet that is sent by UE and encapsulated into a NAS PDU and has undergone security processing, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
Further, the security processing may include: security processing performed on the NAS PDU by using a security parameter and a security algorithm, where
The negotiation module 23 may be configured to: before the NAS PDU that is sent by the UE and has undergone security processing is received, receive a security mode command SMC message sent by the SGSN, where the SMC message includes a random number Nonce generated by the SGSN; and
Further, the negotiation module 23 is further configured to:
Alternatively, the negotiation module 23 is further configured to:
Further, the receiving module 21 may be specifically configured to:
Further, the anti-replay parameter includes: a start value Start and a fresh value Fresh; or, Count_C and/or Count_I generated according to a start value Start, and a fresh value Fresh; or, Count_C_small and/or Count_I_small dedicated to small data.
Further, the apparatus in this embodiment may further include: a parameter transfer module 24.
The parameter transfer module 24 may be configured to: before the RRC Connection Setup Complete message sent by the UE is received, receive an RRC connection request message sent by the UE, where the RRC connection request message includes a small data indication.
Further, the apparatus may further include: a configuration module 25. The configuration module 25 is configured to: before the NAS PDU that is sent by the UE and has undergone security processing is received, configure a security algorithm same as a small data security algorithm of the UE as the security algorithm.
Further, the apparatus in this embodiment may further include: a processing module 26.
The processing module 26 is configured to: before the NAS PDU is sent to the SGSN, decipher the NAS PDU.
Further, the parameter transfer module 24 may be further configured to: before the NAS PDU is deciphered, send a security parameter acquisition request message to the SGSN, where the security parameter acquisition request message includes a key set identifier KSI of the UE, or, the security parameter acquisition request message includes a KSI of the UE and a small data indication; and
Further, the security parameter response message may further include: a security algorithm selected by the SGSN.
Further, the security parameter acquisition request message may be an initial UE message, and the security parameter response message may be a command ID message or a Direct Transfer message, or,
Further, the parameter transfer module 24 may be further configured to:
Further, the parameter transfer module 24 may be further configured to:
Further, the NAS PDU carried in the RRC Connection Setup Complete message is the NAS PDU that has undergone security processing performed by using the security algorithm, the security parameter, and an anti-replay parameter;
Further, the RRC connection request message further carries a first random number Nonce_UE generated by the UE;
Further, the negotiation module 23 is further configured to:
Further, the parameter transfer module 24 may be specifically configured to:
The apparatus in this embodiment may be configured to execute the technical solution executed by the corresponding UE in the method embodiment shown in any one of
The receiving module 31 may be configured to receive a non-access stratum protocol data unit NAS PDU sent by an RNC, where the NAS PDU is sent by user equipment UE to the RNC after the UE performs security processing on the NAS PDU by using a security algorithm and a security parameter.
The apparatus in this embodiment may be configured to execute the technical solution of the method embodiment shown in
A technical effect of the apparatus in this embodiment is that, an SGSN receives, by using control plane signaling, a NAS PDU that is from UE and is forwarded by an RNC or is forwarded by an RNC after deciphering by the RNC, the NAS PDU being encapsulated with a small data packet and having undergone security processing, thereby greatly simplifying a procedure of data transmission, improving efficiency of data transmission, and further ensuring transmission security of data.
In the foregoing embodiment, specifically, the security parameter includes: a cipher key CK_small and/or an integrity protection key IK_small; and
The security parameter negotiation module 32 may be configured to: before the NAS PDU that is sent by the UE and has undergone security processing performed by using the security algorithm and the security parameter is received, negotiate with the UE to determine the security parameter.
Further, the security parameter negotiation module 32 may be specifically configured to:
Further specifically, the security parameter negotiation module 32 may be specifically configured to:
Alternatively, the security parameter negotiation module 32 may be specifically configured to:
CK_small=HMAC-SHA-256(A1,A2,cipher label) (1)
IK_small=HMAC-SHA-256(A1,A2,integrity label) (2)
Alternatively, the security parameter negotiation module 32 may be specifically configured to:
Further, the apparatus in this embodiment may further include: a security algorithm negotiation module 33.
The security algorithm negotiation module 33 may be configured to: before the NAS PDU sent by the RNC is received, negotiate with the UE to determine the security algorithm.
Further, the security algorithm negotiation module 33 may be specifically configured to:
Further specifically, the security algorithm negotiation module 33 may be specifically configured to:
Alternatively, the security algorithm negotiation module 33 may be specifically configured to:
Specifically, the security algorithm negotiation module 33 may be specifically configured to:
Alternatively, the security algorithm negotiation module 33 may be specifically configured to:
Further specifically, the security algorithm negotiation module 33 may be specifically configured to:
Further, the receiving module 31 may be specifically configured to:
Further, the message that is sent by the RNC and received by the receiving module 31 and includes the NAS PDU further carries a key set identifier KSI, where the KSI is used for enabling the SGSN to search for security context for deciphering the NAS PDU; and
Further, the message that is sent by the RNC and received by the receiving module 31 and includes the NAS PDU further carries an anti-replay parameter; and
The apparatus in this embodiment may be configured to execute the technical solution executed by the corresponding SGSN in the method embodiment shown in any one of
Further, the security parameter response message sent by the parameter transfer module 35 to the RNC may further include: a security algorithm selected by the security algorithm negotiation module.
Further, the security parameter response message sent by the parameter transfer module 35 to the RNC may further include: Count_C_small and/or Count_I_small dedicated to small data; and
Further, the security parameter acquisition request message may be an initial UE message, and the security parameter response message may be a command ID message or a Direct Transfer message, or,
The apparatus in this embodiment may be configured to execute the technical solution executed by the corresponding SGSN in the method embodiment shown in any one of
It should be noted that in each embodiment of the present invention, forwarding of a base station NodeB may be used in interaction between UE and an RNC. In each embodiment of the present invention, the deciphering may include deciphering by using an enciphering and deciphering algorithm UEA, and may also include integrity check by using an integrity protection algorithm UIA.
In each embodiment of the present invention, in a process in which the UE encapsulates small data to be transmitted, the small data is not limited to being encapsulated into a NAS PDU, and may also be encapsulated into a high-level data packet. A format of encapsulation is not limited in the embodiments of the present invention, as long as data to be transmitted is encapsulated and encapsulated data may be transmitted by using a signaling message.
The SGSN in each embodiment of the present invention may also be replaced by another core network node. In each apparatus embodiment of the present invention, a data transmission apparatus that may be correspondingly installed on an SGSN may also be installed on another core network node to execute the data transmission method executed by the corresponding SGSN in the various method embodiments. Another core network node is, for example, a Gateway General Radio Packet Service Support Node GGSN (Gateway General Packet Radio Service Support Node, GGSN for short) or signaling gateway (Signal Gateway, SGW for short) or an application server.
A person of ordinary skill in the art may understand that all or some of the steps of the method embodiments may be implemented by a program instructing relevant hardware. The program may be stored in a computer readable storage medium. When the program runs, the steps of the method embodiments are performed. The foregoing storage medium includes: any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of the present invention, but not for limiting the present invention. Although the present invention is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments or make equivalent replacements to some or all technical features thereof, without departing from the scope of the technical solutions of the embodiments of the present invention.
This application is a continuation of International Application No. PCT/CN2013/074324, filed on Apr. 17, 2013, which is hereby incorporated by reference in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| Parent | PCT/CN2013/074324 | Apr 2013 | US |
| Child | 14885235 | US |
