KR-20260063419-A - APPARATUS AND METHOD FOR ACCESS STRATUM POLICY BASED ON ENCRYPTION
Abstract
The present disclosure relates to a 5G or 6G communication system for supporting higher data transmission rates than a 4G communication system such as LTE. More specifically, a method performed by a base station in a wireless communication system comprises: receiving terminal capability information related to the security capability of a terminal; receiving, from a core network, a security policy for control plane (CP) communication, wherein the security policy indicates at least one of a first security procedure based on a first key used for integrity verification and a second key used for encryption, or a second security procedure based on a security key used by a method that performs the integrity verification and the encryption in an integrated manner; determining, based on the terminal capability information and the security policy, a security procedure to apply to the CP communication; and activating the determined security procedure for the CP communication.
Inventors
- 제동현
- 김성환
Assignees
- 삼성전자주식회사
Dates
- Publication Date
- 20260507
- Application Date
- 20241030
Claims (20)
- A method performed by a base station in a wireless communication system, the method comprising: receiving terminal capability information related to a security capability of a terminal; receiving, from a core network, a security policy for control plane (CP) communication, the security policy indicating at least one of a first security procedure based on a first key used for integrity verification and a second key used for encryption, or a second security procedure based on a security key used by a method that performs the integrity verification and the encryption in an integrated manner; determining, based on the terminal capability information and the security policy, a security procedure to apply to the CP communication; and activating the determined security procedure for the CP communication.
- The method of claim 1, wherein, when the determined security procedure for the CP communication is the second security procedure, activating it comprises: transmitting to the terminal a security command message that includes information on the integrated integrity-and-encryption algorithm to be applied under the second security procedure and an authentication tag; and receiving from the terminal a security completion message that includes an authentication tag, wherein downlink protection of the CP communication is initiated based on the security command message and uplink protection of the CP communication is initiated based on the security completion message.
- The method of claim 2, further comprising, once activation of the security procedure for the CP communication is complete: receiving, from the core network, a security policy for user plane (UP) communication, the security policy indicating at least one of the first security procedure or the second security procedure; determining, based on the terminal capability information and the security policy, a security procedure to apply to the UP communication; and activating the determined security procedure for the UP communication.
- The method of claim 3, wherein, when the determined security procedure for the UP communication is the second security procedure, activating it comprises: transmitting to the terminal a radio resource control (RRC) reconfiguration message carrying, for each data radio bearer (DRB), an indicator that the second security procedure applies; and receiving an RRC reconfiguration complete message from the terminal, whereupon downlink protection of the UP communication and uplink verification of the UP communication are initiated.
- The method of claim 1, wherein at least one of the integrity verification or the encryption of the first security procedure is performed by a central processing unit (CPU) of the base station, and the integrated integrity-and-encryption method of the second security procedure is performed by the CPU or by a hardware accelerator of the base station.
- A method performed by a terminal in a wireless communication system, the method comprising: transmitting terminal capability information related to a security capability of the terminal to a base station; and activating a security procedure determined based on the terminal capability information and a security policy for control plane (CP) communication, wherein the security policy indicates at least one of a first security procedure based on a first key used for integrity verification and a second key used for encryption, or a second security procedure based on a security key used by a method that performs the integrity verification and the encryption in an integrated manner.
- The method of claim 6, wherein, when the security procedure for the CP communication is the second security procedure, activating it comprises: receiving from the base station a security command message that includes information on the integrated integrity-and-encryption algorithm to be applied under the second security procedure and an authentication tag; and transmitting to the base station a security completion message that includes an authentication tag, wherein downlink protection of the CP communication is initiated based on the security command message and uplink protection of the CP communication is initiated based on the security completion message.
- The method of claim 7, further comprising, once activation of the security procedure for the CP communication is complete: determining a security procedure for user plane (UP) communication based on the terminal capability information and a security policy for UP communication, the security policy indicating at least one of the first security procedure or the second security procedure; and activating the security procedure for the UP communication.
- The method of claim 8, wherein, when the security procedure for the UP communication is the second security procedure, activating it comprises: receiving from the base station a radio resource control (RRC) reconfiguration message carrying, for each data radio bearer (DRB), an indicator that the second security procedure applies; and transmitting an RRC reconfiguration complete message to the base station, whereupon downlink protection of the UP communication and uplink verification of the UP communication are initiated.
- The method of claim 6, wherein at least one of the integrity verification or the encryption of the first security procedure is performed by a central processing unit (CPU) of the base station, and the integrated integrity-and-encryption method of the second security procedure is performed by the CPU or by a hardware accelerator of the base station.
- A base station in a wireless communication system, the base station comprising: a transceiver; and a controller coupled to the transceiver, the controller being configured to: receive terminal capability information related to a security capability of a terminal; receive, from a core network, a security policy for control plane (CP) communication, the security policy indicating at least one of a first security procedure based on a first key used for integrity verification and a second key used for encryption, or a second security procedure based on a security key used by a method that performs the integrity verification and the encryption in an integrated manner; determine, based on the terminal capability information and the security policy, a security procedure to apply to the CP communication; and activate the determined security procedure for the CP communication.
- The base station of claim 11, wherein, when the determined security procedure for the CP communication is the second security procedure, the controller is configured, in order to activate it, to: transmit to the terminal a security command message that includes information on the integrated integrity-and-encryption algorithm to be applied under the second security procedure and an authentication tag; and receive from the terminal a security completion message that includes an authentication tag, wherein downlink protection of the CP communication is initiated based on the security command message and uplink protection of the CP communication is initiated based on the security completion message.
- The base station of claim 12, wherein the controller is further configured, once activation of the security procedure for the CP communication is complete, to: receive, from the core network, a security policy for user plane (UP) communication, the security policy indicating at least one of the first security procedure or the second security procedure; determine, based on the terminal capability information and the security policy, a security procedure to apply to the UP communication; and activate the determined security procedure for the UP communication.
- The base station of claim 13, wherein, when the determined security procedure for the UP communication is the second security procedure, the controller is further configured, in order to activate it, to: transmit to the terminal a radio resource control (RRC) reconfiguration message carrying, for each data radio bearer (DRB), an indicator that the second security procedure applies; and receive an RRC reconfiguration complete message from the terminal, whereupon downlink protection of the UP communication and uplink verification of the UP communication are initiated.
- The base station of claim 11, wherein at least one of the integrity verification or the encryption of the first security procedure is performed by a central processing unit (CPU) of the base station, and the integrated integrity-and-encryption method of the second security procedure is performed by the CPU or by a hardware accelerator of the base station.
- A terminal in a wireless communication system, the terminal comprising: a transceiver; and a controller coupled to the transceiver, the controller being configured to: transmit terminal capability information related to a security capability of the terminal to a base station; and activate a security procedure determined based on the terminal capability information and a security policy for control plane (CP) communication, wherein the security policy indicates at least one of a first security procedure based on a first key used for integrity verification and a second key used for encryption, or a second security procedure based on a security key used by a method that performs the integrity verification and the encryption in an integrated manner.
- The terminal of claim 16, wherein, when the security procedure for the CP communication is the second security procedure, the controller is configured, in order to activate it, to: receive from the base station a security command message that includes information on the integrated integrity-and-encryption algorithm to be applied under the second security procedure and an authentication tag; and transmit to the base station a security completion message that includes an authentication tag, wherein downlink protection of the CP communication is initiated based on the security command message and uplink protection of the CP communication is initiated based on the security completion message.
- The terminal of claim 17, wherein the controller is further configured, once activation of the security procedure for the CP communication is complete, to: determine a security procedure for user plane (UP) communication based on the terminal capability information and a security policy for UP communication, the security policy indicating at least one of the first security procedure or the second security procedure; and activate the security procedure for the UP communication.
- The terminal of claim 18, wherein, when the security procedure for the UP communication is the second security procedure, the controller is configured, in order to activate it, to: receive from the base station a radio resource control (RRC) reconfiguration message carrying, for each data radio bearer (DRB), an indicator that the second security procedure applies; and transmit an RRC reconfiguration complete message to the base station, whereupon downlink protection of the UP communication and uplink verification of the UP communication are initiated.
- The terminal of claim 16, wherein at least one of the integrity verification or the encryption of the first security procedure is performed by a central processing unit (CPU) of the base station, and the integrated integrity-and-encryption method of the second security procedure is performed by the CPU or by a hardware accelerator of the base station.
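The control-plane negotiation and activation sequence of claims 1 and 2 (base station side) and 6 and 7 (terminal side), as an added Python model. This is example code written for this page, not the patent's or Samsung's implementation. It assumes a root key both ends already share (standing in for the access-stratum key), a preference for the integrated procedure whenever both the core-network policy and the terminal capability allow it, constructed message layouts (`SMC|<procedure>` plus a 16-byte tag, a tagged `SMComplete`) and an HMAC-SHA256-based toy cipher in place of real ciphering and integrity algorithms or an AEAD; `select_procedure`, `Peer`, `activate_cp` and the other names are this example's own.

```python
# Added model of the claim 1/2 (gNB) and 6/7 (UE) exchange, not Samsung's code: message layouts,
# key derivation, the HMAC-SHA256 toy cipher and the INTEGRATED-first preference are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

DL, UL, TAG_LEN = 0, 1, 16   # direction bit in the nonce (downlink is gNB -> UE) and tag length

class Proc(Enum):
    SEPARATE = "separate"      # "first security procedure": K_int and K_enc, two passes
    INTEGRATED = "integrated"  # "second security procedure": one key, one AEAD-style pass

def select_procedure(ue_cap: frozenset, cn_policy: frozenset) -> Proc:
    """Claim 1: pick a procedure both allowed by the CN policy and supported by the UE."""
    for proc in (Proc.INTEGRATED, Proc.SEPARATE):   # preference order is an assumption
        if proc in cn_policy and proc in ue_cap:
            return proc
    raise ValueError("no procedure allowed by the CN policy is supported by the UE")

def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (_prf(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

@dataclass
class Peer:
    root_key: bytes                 # stands in for the AS key both ends already share
    proc: Optional[Proc] = None
    count: int = 0
    dl_protected: bool = False
    ul_protected: bool = False

    def keys(self):
        """(k_enc, k_int): two distinct keys in SEPARATE mode, a single key in INTEGRATED."""
        if self.proc is Proc.SEPARATE:
            return _prf(self.root_key, b"enc"), _prf(self.root_key, b"int")
        k = _prf(self.root_key, b"aead")
        return k, k

def security_mode_command(gnb: Peer, proc: Proc) -> bytes:
    """Claim 2: the command names the algorithm and carries a tag; DL protection starts here."""
    gnb.proc, body = proc, b"SMC|" + proc.value.encode()
    gnb.dl_protected = True
    return body + _prf(gnb.keys()[1], b"smc", body)[:TAG_LEN]

def on_security_mode_command(ue: Peer, msg: bytes) -> bytes:
    """Claim 7: verify the tag before accepting the choice, then complete with a tag."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    ue.proc = Proc(body.split(b"|", 1)[1].decode())
    if not hmac.compare_digest(tag, _prf(ue.keys()[1], b"smc", body)[:TAG_LEN]):
        ue.proc = None                              # stay unprotected, reject the command
        raise ValueError("security command tag invalid")
    ue.dl_protected = ue.ul_protected = True        # UL protection starts with the completion
    reply = b"SMComplete"
    return reply + _prf(ue.keys()[1], b"smcomplete", reply)[:TAG_LEN]

def on_security_mode_complete(gnb: Peer, msg: bytes) -> None:
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(gnb.keys()[1], b"smcomplete", body)[:TAG_LEN]):
        raise ValueError("security completion tag invalid")
    gnb.ul_protected = True                         # gNB now verifies and decrypts uplink

def protect(peer: Peer, direction: int, pdu: bytes) -> bytes:
    """Encrypt-then-MAC under a per-direction, per-count nonce (toy stand-in for both procedures)."""
    if not (peer.dl_protected if direction == DL else peer.ul_protected):
        raise RuntimeError("protection not yet active for this direction")
    k_enc, k_int = peer.keys()
    nonce = peer.count.to_bytes(4, "big") + bytes([direction])
    peer.count += 1
    ct = _xor_stream(k_enc, nonce, pdu)
    return nonce + ct + _prf(k_int, b"tag", nonce, ct)[:TAG_LEN]

def unprotect(peer: Peer, pdu: bytes) -> bytes:
    k_enc, k_int = peer.keys()
    nonce, ct, tag = pdu[:5], pdu[5:-TAG_LEN], pdu[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(k_int, b"tag", nonce, ct)[:TAG_LEN]):
        raise ValueError("integrity check failed")  # drop; never decrypt unverified data
    return _xor_stream(k_enc, nonce, ct)

def activate_cp(ue_cap: frozenset, cn_policy: frozenset, root_key: bytes) -> dict:
    """Whole exchange, then one protected RRC PDU each way; returns what each side recovered."""
    gnb, ue = Peer(root_key), Peer(root_key)
    proc = select_procedure(ue_cap, cn_policy)
    on_security_mode_complete(gnb, on_security_mode_command(ue, security_mode_command(gnb, proc)))
    dl = unprotect(ue, protect(gnb, DL, b"RRCReconfiguration"))
    ul = unprotect(gnb, protect(ue, UL, b"RRCReconfigurationComplete"))
    return {"proc": proc, "dl": dl, "ul": ul, "both_active": gnb.ul_protected and ue.ul_protected}

def is_rejected(fn, *args) -> bool:
    """True when the receiver drops the input (bad tag, or no usable procedure)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Two points a practitioner should take from the model. The terminal installs the base station's choice only after the tag on the security command verifies under the shared key; without that check an on-path attacker could rewrite the algorithm field and downgrade the link unnoticed. Protection is also enabled per direction at different points, matching claims 2 and 7: the base station protects downlink as soon as it sends the command, while uplink protection begins only when the tagged completion has been verified. `unprotect` verifies before it decrypts, so a tampered PDU is dropped rather than handed to RRC, and the per-direction, per-count nonce keeps the two directions from ever reusing keystream.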
Description
Apparatus and Method for Access Stratum Security Policy Based on Encryption
The present disclosure generally relates to wireless communication systems, and more specifically to methods and devices for managing security policies.
Looking back at the evolution of wireless communication through successive generations, technologies have been developed primarily for human-oriented services such as voice, multimedia, and data. Following the commercialization of 5G (5th generation) communication systems, an explosively growing number of connected devices is expected to be attached to communication networks. Examples of networked objects include vehicles, robots, drones, home appliances, displays, smart sensors installed in various infrastructures, construction machinery, and factory equipment. Mobile devices are expected to evolve into various form factors such as augmented reality glasses, virtual reality headsets, and holographic devices. In the 6G (6th generation) era, efforts are underway to develop improved 6G communication systems that connect hundreds of billions of devices and objects to provide diverse services; for this reason, 6G communication systems are also referred to as "beyond 5G" systems. In the 6G communication system expected to be realized around 2030, the maximum transmission rate is 1 terabit per second (Tbps, i.e., 1,000 gigabits per second) and the radio latency is 100 microseconds (μs); that is, compared with 5G, the transmission rate is 50 times higher and the radio latency is reduced to one tenth. To achieve such high data rates and ultra-low latency, 6G communication systems are being considered for implementation in the terahertz (THz) band (e.g., 95 gigahertz (GHz) to 3 terahertz (THz)).
Because path loss and atmospheric absorption are more severe in the terahertz band than in the millimeter wave (mmWave) band introduced in 5G, technologies that guarantee signal reach, or coverage, are expected to become more important there. As key technologies for ensuring coverage, RF (radio frequency) elements, antennas, new waveforms with better coverage than OFDM (orthogonal frequency division multiplexing), beamforming and massive MIMO (multiple-input multiple-output), FD-MIMO (full-dimensional MIMO), array antennas, and multi-antenna transmission technologies such as large-scale antennas must be developed. New technologies such as metamaterial-based lenses and antennas, high-dimensional spatial multiplexing using orbital angular momentum (OAM), and reconfigurable intelligent surfaces (RIS) are also being discussed to improve the coverage of terahertz-band signals. In addition, to improve spectral efficiency and system and network performance, the following are being developed for 6G communication systems: full-duplex technology, in which uplink and downlink use the same frequency resources at the same time; network technology that integrates satellites and high-altitude platform stations (HAPS); network architecture innovations that support mobile base stations and enable automated, optimized network operation; dynamic spectrum sharing through collision avoidance based on predicted spectrum usage; AI-based communication technology that applies artificial intelligence (AI) from the design stage and internalizes end-to-end AI support to optimize the system; and next-generation distributed computing that uses ultra-high-performance communication and computing resources (mobile edge computing (MEC), cloud, etc.) to deliver services whose complexity exceeds the limits of terminal computing capability.
Attempts also continue to further strengthen connectivity between devices, further optimize networks, promote the softwarization of network entities, and increase the openness of wireless communication through the design of new protocols for 6G communication systems, the implementation of hardware-based security environments, the development of mechanisms for the safe use of data, and the development of techniques for preserving privacy. Through this research and development, the hyper-connectivity of 6G communication systems, which encompasses not only connections between objects but also connections between people and objects, is expected to make a new dimension of hyper-connected experience possible. Specifically, 6G communication systems are projected to enable services such as truly immersive extended reality (XR), high-fidelity mobile holograms, and digital replicas. Furthermore, services such as remote surgery, industrial automation, and emergency response, provided through 6G communication systems with enhanced security and reliability, wi