Key information processing method, access network node and terminal equipment

Document No.: 739789 Publication date: 2021-04-20

Reading note: This technology, "Key information processing method, access network node and terminal equipment", was designed by 王淑坤 (Wang Shukun) on 2019-01-29. Main content: The embodiment of the application discloses a key information processing method, an access network node and a terminal. The method comprises the following steps: a first access network node determines security information relating to a second access network node; the first access network node is a main node connected with a terminal; the second access network node is an auxiliary node connected with the terminal; the terminal is configured with one said first access network node and at least two said second access network nodes; the first access network node determines a first encryption key based on the security information and a base key, and sends the first encryption key to the second access network node; the base key is a key corresponding to the first access network node.

A method of key information processing, the method comprising:

a first access network node determining security information relating to a second access network node; the first access network node is a main node connected with a terminal; the second access network node is an auxiliary node connected with the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes;

the first access network node determines a first encryption key based on the security information and/or a base key, and sends the first encryption key to the second access network node; the base key is a key corresponding to the first access network node; the first encryption key is associated with the second access network node.

The method of claim 1, wherein the security information comprises: a first secondary cell group count and/or a second access network node identification related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifications and/or first secondary cell group counts;

the first access network node determining a first encryption key based on the security information and/or a base key, comprising:

the first access network node determining a first encryption key based on at least one of the second access network node identification, a first secondary cell group count, and a base key; the first encryption key is a key corresponding to the second access network node.

The method of claim 2, wherein the method further comprises:

the first access network node allocates a corresponding first secondary cell group count to the second access network node; wherein starting values of first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

The method of claim 3, wherein the first access network node allocating a corresponding first secondary cell group count for the second access network node, comprises:

the first access network node determines the value range of the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of the second access network nodes, wherein the value ranges of the first secondary cell group count corresponding to at least two of the at least two second access network nodes are different;

and the first access network node determines the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.

The method of any of claims 1 to 4, wherein the method further comprises:

resetting the first secondary cell group count when the first access network node determines that the base key is changed.

The method of any of claims 1 to 4, wherein the method further comprises:

updating, by the first access network node, the first secondary cell group count when it is determined that a first update condition is satisfied and the base key is unchanged.

The method of claim 1, wherein the security information comprises: a secondary node group count and/or a secondary node group identification; the secondary node group identification corresponds to at least one second access network node in a secondary node group;

the first access network node determining a first encryption key based on the security information and/or a base key, comprising:

the first access network node determines a first encryption key based on at least one of the secondary node group identification, the secondary node group count and a base key; the first encryption key is a key corresponding to the secondary node group.

The method of claim 7, wherein the method further comprises:

resetting the secondary node group count when the first access network node determines that the base key is changed.

The method of claim 7, wherein the method further comprises:

updating the secondary node group count when the first access network node determines that the first update condition is satisfied and the base key is unchanged.

A method of key information processing, the method comprising:

a second access network node receives a first encryption key sent by a first access network node; the first encryption key is determined based on security information and/or a base key related to the second access network node; the first encryption key is associated with the second access network node; the first access network node is a main node connected with a terminal; the second access network node is an auxiliary node connected with the terminal; the terminal is configured with a first access network node and at least two second access network nodes;

the second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.

The method of claim 10, wherein the first encryption key is determined based on at least one of a second access network identification corresponding to the second network node, a first secondary cell group count associated with the second access network node, and a base key, the first encryption key being a key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identities and/or first secondary cell group counts.

The method of claim 11, wherein starting values of first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

The method of claim 10, wherein the first encryption key is determined based on at least one of a secondary node group identification, a secondary node group count, and a base key, the first encryption key being a key corresponding to a secondary node group; the secondary node group identification corresponds to at least one second access network node in the secondary node group.

The method of claim 13, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.

The method of any of claims 10 to 14, wherein the second access network node determining a second encryption key based on the first encryption key comprises:

the second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key and an algorithm identification.

The method of claim 13, wherein the second access network node determining a second encryption key based on the first encryption key comprises:

determining, by a particular second access network node of the secondary node group, a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count; the third encryption key is a key corresponding to a second access network node in the secondary node group;

the particular second access network node sending the third encryption key to other second access network nodes in the secondary node group other than the particular second access network node; the third encryption key is used for other second access network nodes in the secondary node group except the specific second access network node to determine a second encryption key for encryption and integrity protection based on the third encryption key and the algorithm identification;

the particular second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key and an algorithm identification.

The method of claim 13, wherein the second access network node determining a second encryption key based on the first encryption key comprises:

determining, by a particular second access network node of the secondary node group, a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count; the third encryption key is a key corresponding to a second access network node in the secondary node group;

the particular second access network node sending the third encryption key to other second access network nodes in the secondary node group other than the particular second access network node; the third encryption key is for a second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and an algorithm identification.

The method of claim 16 or 17, wherein the method further comprises:

resetting the second secondary cell group count when the particular second access network node determines a change in a base key used to determine the first encryption key and/or a change in a first encryption key corresponding to a secondary node group.

The method of claim 16 or 17, wherein the method further comprises:

updating the second secondary cell group count when the particular second access network node determines that a second update condition is satisfied and a base key used to determine the first encryption key is unchanged.

The method according to any of claims 16 to 19, wherein the particular second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

The method of claim 20, wherein the functionality of the particular second access network device further comprises at least one of:

establishing a control plane connection with the first access network node;

establishing a third signaling radio bearer (SRB3);

allocating information of the secondary node group; the information of the secondary node group comprises at least one of: a user plane bearer (DRB) ID, a serving cell index, a logical channel (LC) ID, a measurement object ID and a measurement report ID.

A method of key information processing, the method comprising:

a terminal device obtains first security information allocated by a first access network node, and determines a first encryption key based on the first security information and/or a base key; the base key is a key corresponding to the first access network node; the first security information is related to a second access network node; the first encryption key is associated with the second access network node;

the terminal device obtains second security information allocated by the second access network node, and determines a second encryption key for encryption and integrity protection based on the first encryption key and the second security information; the second security information is related to a second access network node;

wherein the terminal is configured with a first access network node and at least two second access network nodes; the first access network node is a master node, and the second access network device is an auxiliary node.

The method of claim 22, wherein the first security information comprises: a first secondary cell group count and/or a second access network node identification related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifications and/or first secondary cell group counts;

the determining a first encryption key based on the first security information and/or a base key comprises: determining a first encryption key based on at least one of the second access network node identification, a first secondary cell group count, and a base key; the first encryption key is a key corresponding to the second access network node.

The method of claim 23, wherein the obtaining, by the terminal device, first security information assigned by the first access network node comprises:

the terminal device obtains a first secondary cell group count allocated by the first access network node; wherein starting values of first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

The method of any of claims 22 to 24, wherein the method further comprises: updating the first secondary cell group count when the terminal device determines that a first update condition is satisfied and the base key is unchanged.

The method of claim 22, wherein the at least two second access network nodes are divided into at least one secondary node group.

The method of claim 26, wherein the first security information comprises: a secondary node group count and/or a secondary node group identification; the secondary node group identification corresponds to at least one second access network node in a secondary node group;

the determining a first encryption key based on the security information and/or a base key comprises: determining a first encryption key based on at least one of the secondary node group identification, the secondary node group count and a base key; the first encryption key is a key corresponding to the secondary node group.

The method of claim 27, wherein the first encryption key is a key corresponding to at least one second access network node in a secondary node group.

The method of claim 27 or 28, wherein the method further comprises:

updating the secondary node group count when the terminal device determines that a first update condition is satisfied and the base key is unchanged.

The method of any of claims 22 to 29, wherein the second security information comprises an algorithm identification corresponding to a second access network node;

the determining a second encryption key for encryption and integrity protection based on the first encryption key and the second security information comprises:

a second encryption key is determined based on the first encryption key and an algorithm identification corresponding to a second access network node.

The method of claim 26, 27 or 29, wherein the obtaining by the terminal device of the second security information allocated by the second access network node comprises:

the terminal device obtains an algorithm identification allocated by a second access network node in the secondary node group, and obtains a second secondary cell group count and/or a second access network node identification allocated by a specific second access network node in the secondary node group;

the determining a second encryption key for encryption and integrity protection based on the first encryption key and the second security information comprises:

determining a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count, the third encryption key being a key corresponding to a second access network node in the secondary node group other than the specific second access network node;

determining second encryption keys corresponding to the other second access network nodes based on the third encryption key and the algorithm identifications corresponding to the other second access network nodes;

and determining a second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.

The method of claim 26, 27 or 29, wherein the obtaining by the terminal device of the second security information allocated by the second access network node comprises:

the terminal device obtains an algorithm identification allocated by a second access network node in the secondary node group, and obtains a second secondary cell group count and/or a second access network node identification allocated by a specific second access network node in the secondary node group;

the determining a second encryption key for encryption and integrity protection based on the first encryption key and the second security information comprises:

determining a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count; the third encryption key is a key corresponding to at least one second access network node in the secondary node group;

and determining a second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identification corresponding to the second access network node.

The method according to claim 31 or 32, wherein the particular second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

The method of claim 33, wherein the functionality of the particular second access network device further comprises at least one of:

establishing a control plane connection with the first access network node;

establishing a third signaling radio bearer (SRB3);

allocating information of the secondary node group; the information of the secondary node group comprises at least one of: a user plane bearer (DRB) ID, a serving cell index, a logical channel (LC) ID, a measurement object ID and a measurement report ID.

The method of claim 31 or 32, wherein the method further comprises:

updating the second secondary cell group count when the terminal device determines that a second update condition is satisfied and a base key used to determine the first encryption key is unchanged.
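The derivation chain in the method claims above (disjoint count ranges per secondary node, a first key from base key, node identification and count, second keys from the first key and an algorithm identification, count update and reset), as an added Python example that is not part of the patent text. The claims name no key derivation function or encoding, so HMAC-SHA-256, the labels, the 16-bit count maximum, the exhaustion handling and all function names are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

SCG_COUNT_MAX = 0xFFFF  # assumed 16-bit maximum; the claims only say "maximum value"


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over a label plus length-prefixed parameters."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def partition_counts(max_count: int, sn_ids: list[str]) -> dict[str, range]:
    """Split 0..max_count into disjoint count ranges, one per secondary node."""
    if not sn_ids or len(sn_ids) > max_count + 1:
        raise ValueError("need between 1 and max_count + 1 secondary nodes")
    width = (max_count + 1) // len(sn_ids)
    return {sn: range(i * width, (i + 1) * width) for i, sn in enumerate(sn_ids)}


def derive_first_key(base_key: bytes, sn_id: str, scg_count: int) -> bytes:
    """First encryption key: bound to one secondary node and one count value."""
    return kdf(base_key, b"first-key", sn_id.encode(), scg_count.to_bytes(4, "big"))


def derive_second_keys(first_key: bytes, enc_alg: int, int_alg: int) -> tuple[bytes, bytes]:
    """Second keys for encryption and integrity, separated by algorithm identification."""
    return (kdf(first_key, b"enc", bytes([enc_alg])),
            kdf(first_key, b"int", bytes([int_alg])))


class MasterNode:
    """Master-node bookkeeping: the base key and one count per secondary node."""

    def __init__(self, base_key: bytes, sn_ids: list[str], max_count: int = SCG_COUNT_MAX):
        self.base_key = base_key
        self.ranges = partition_counts(max_count, sn_ids)
        # Different starting values per node, so no (base key, count) pair repeats.
        self.counts = {sn: r.start for sn, r in self.ranges.items()}

    def key_for(self, sn_id: str) -> bytes:
        return derive_first_key(self.base_key, sn_id, self.counts[sn_id])

    def update(self, sn_id: str) -> bytes:
        """Base key unchanged: advance the count so the node gets a fresh first key."""
        nxt = self.counts[sn_id] + 1
        if nxt not in self.ranges[sn_id]:
            # Assumed handling: never wrap into a reused count, force a new base key.
            raise RuntimeError("count range exhausted; base key must change first")
        self.counts[sn_id] = nxt
        return self.key_for(sn_id)

    def rekey(self, new_base_key: bytes) -> None:
        """Base key changed: reset every count (assumed: back to its range start)."""
        self.base_key = new_base_key
        self.counts = {sn: r.start for sn, r in self.ranges.items()}


if __name__ == "__main__":
    base = bytes(range(32))  # constructed sample base key
    mn = MasterNode(base, ["sn-a", "sn-b"])
    for sn in ("sn-a", "sn-b"):
        first = mn.key_for(sn)
        # The terminal repeats the same derivation from the count it was allocated.
        assert first == derive_first_key(base, sn, mn.counts[sn])
        enc, integ = derive_second_keys(first, enc_alg=2, int_alg=2)
        print(sn, mn.counts[sn], first.hex()[:16], enc.hex()[:16], integ.hex()[:16])
```
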

A first access network node, the node comprising: a first determining unit, a second determining unit and a first communication unit; wherein

the first determining unit is configured to determine security information related to a second access network node;

the second determination unit is configured to determine a first encryption key based on the security information and/or a base key; the base key is a key corresponding to the first access network node; the first encryption key is associated with the second access network node;

the first communication unit is configured to send the first encryption key to the second access network node;

the first access network node is a main node connected with a terminal; the second access network node is an auxiliary node connected with the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes.

The node of claim 36, wherein the security information comprises: a first secondary cell group count and/or a second access network node identification related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifications and/or first secondary cell group counts;

the second determining unit is configured to determine the first encryption key based on at least one of the second access network node identification, the first secondary cell group count and the base key; the first encryption key is a key corresponding to the second access network node.

The node of claim 37, wherein the first determining unit is further configured to allocate a corresponding first secondary cell group count for the second access network node; wherein starting values of first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

The node according to claim 38, wherein the first determining unit is configured to determine a range of values of the first secondary cell group count corresponding to the second access network node based on a maximum value of the first secondary cell group count and the number of the second access network nodes, the range of values of the first secondary cell group count corresponding to at least two of the at least two second access network nodes being different; and to determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.

The node of any of claims 36 to 39, wherein the node further comprises a first resetting unit configured to reset the first secondary cell group count upon determining that the base key is changed.

The node of any of claims 36 to 39, wherein the node further comprises a first update unit configured to update the first secondary cell group count when it is determined that a first update condition is met and the base key is unchanged.

The node of claim 36, wherein the security information comprises: a secondary node group count and/or a secondary node group identification; the secondary node group identification corresponds to at least one second access network node in a secondary node group;

the second determining unit is configured to determine the first encryption key based on at least one of the secondary node group identification, the secondary node group count, and the base key; the first encryption key is a key corresponding to the secondary node group.

The node of claim 42, wherein the node further comprises a first resetting unit configured to reset the secondary node group count upon determining that the base key changed.

The node of claim 42, wherein the node further comprises a first updating unit configured to update the secondary node group count when it is determined that a first update condition is satisfied and the base key is unchanged.

A second access network node, the node comprising: a second communication unit and a third determination unit; wherein

the second communication unit is configured to receive a first encryption key sent by the first access network node; the first encryption key is determined based on security information and/or a base key related to the second access network node; the first encryption key is associated with the second access network node;

the third determination unit is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key;

the first access network node is a main node connected with a terminal; the second access network node is an auxiliary node connected with the terminal; the terminal is configured with a first access network node and at least two second access network nodes.

The node of claim 45, wherein the first encryption key is determined based on at least one of a second access network identification corresponding to the second network node, a first secondary cell group count associated with the second access network node, and a base key, the first encryption key being a key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identities and/or first secondary cell group counts.

The node of claim 46, wherein the starting values of the first secondary cell group counts for at least two of the at least two second access network nodes are different.

The node of claim 45, wherein the first encryption key is determined based on at least one of a secondary node group identification, a secondary node group count, and a base key, the first encryption key being a key corresponding to a secondary node group; the secondary node group identification corresponds to at least one second access network node in the secondary node group.

The node of claim 48, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.

The node according to any of claims 45 to 49, wherein the third determining unit is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and an algorithm identification.

The node of claim 48, wherein the second access network node is a particular second access network node in a secondary node group,

the third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count; the third encryption key is a key corresponding to a second access network node in the secondary node group; further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and an algorithm identification;

the second communication unit is further configured to send the third encryption key to other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used for determining a second encryption key for encryption and integrity protection based on the third encryption key and an algorithm identification for other second access network nodes in the secondary node group except the specific second access network node.

The node of claim 48, wherein the second access network node is a particular second access network node in a secondary node group,

the third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identification, and a second secondary cell group count; the third encryption key is a key corresponding to at least one second access network node in the secondary node group;

the second communication unit is further configured to send the third encryption key to other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is for a second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and an algorithm identification.

The node of claim 51 or 52, wherein the node further comprises a second resetting unit configured to reset the second secondary cell group count upon determining a change in a base key used to determine the first encryption key and/or a change in a first encryption key corresponding to a secondary node group.

The node of claim 51 or 52, wherein the node further comprises a second updating unit configured to update the second secondary cell group count upon determining that a second update condition is satisfied and that a base key used to determine the first encryption key is unchanged.

The node of any of claims 51 to 54, wherein the particular second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

The node of claim 55, wherein the functionality of the particular second access network device further comprises at least one of:

establishing a control plane connection with the first access network node;

establishing a third signaling radio bearer (SRB3);

allocating information of the secondary node group; the information of the secondary node group comprises at least one of: a user plane bearer (DRB) ID, a serving cell index, a logical channel (LC) ID, a measurement object ID and a measurement report ID.

A terminal device, the terminal device comprising: a third communication unit and a fourth determination unit; wherein

the third communication unit is configured to obtain first security information allocated by the first access network node; the first security information is related to a second access network node; further configured to obtain second security information allocated by the second access network node; the second security information is related to a second access network node;

the fourth determination unit is configured to determine a first encryption key based on the first security information and/or a base key; the base key is a key corresponding to the first access network node; the first encryption key is associated with the second access network node; further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the second security information;

wherein the terminal is configured with a first access network node and at least two second access network nodes.

The terminal device of claim 57, wherein the first security information comprises: a first secondary cell group count and/or a second access network node identification related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifications and/or first secondary cell group counts;

the fourth determining unit is configured to determine the first encryption key based on at least one of the second access network node identification, the first secondary cell group count and a base key; the first encryption key is a key corresponding to the second access network node.

The terminal device of claim 58, wherein the third communication unit is configured to obtain a first secondary cell group count assigned by the first access network node; wherein starting values of first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

The terminal device of any of claims 57 to 59, wherein the terminal device further comprises a third updating unit configured to update the first secondary cell group count when it is determined that a first update condition is met and the base key is unchanged.

The terminal device of claim 57, wherein the at least two second access network nodes are divided into at least one secondary node group.

The terminal device of claim 61, wherein the first security information comprises: a secondary node group count and/or a secondary node group identification; the secondary node group identification corresponds to at least one second access network node in a secondary node group;

the fourth determining unit is configured to determine the first encryption key based on at least one of the secondary node group identification, the secondary node group count, and the base key; the first encryption key is a key corresponding to the secondary node group.

The terminal device of claim 62, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.

The terminal device according to claim 62 or 63, wherein the terminal device further comprises a third updating unit configured to update the secondary node group count when it is determined that the first updating condition is satisfied and the base key is not changed.

The terminal device of any one of claims 57 to 64, wherein the second security information comprises an algorithm identity corresponding to a second access network node;

the fourth determining unit is configured to determine a second encryption key based on the first encryption key and an algorithm identification corresponding to a second access network node.

The terminal device of claim 61, 62, or 64,

the third communication unit is configured to obtain an algorithm identifier allocated to a second access network node in the secondary node group; and to obtain a second secondary cell group count and/or a second access network node identification allocated by a specific second access network node in the secondary node group;

the fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identification, and the second secondary cell group count, where the third encryption key is a key corresponding to a second access network node in the secondary node group other than the specific second access network node; to determine second encryption keys corresponding to the other second access network nodes based on the third encryption key and the algorithm identifiers corresponding to the other second access network nodes; and to determine a second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.

The terminal device of claim 61, 62, or 64,

the third communication unit is configured to obtain an algorithm identifier allocated to a second access network node in the secondary node group; and to obtain a second secondary cell group count and/or a second access network node identification allocated by a specific second access network node in the secondary node group;

the fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identification, and the second secondary cell group count; the third encryption key is a key corresponding to a second access network node in the secondary node group; and to determine a second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to the second access network node.
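The key hierarchy described in the two preceding claims, as an added Python example that is not part of the patent text. It follows the variant in which the specific node's second encryption key is derived directly from the first encryption key while every other node in the group goes through a third encryption key. The claims do not name a key derivation function: HMAC-SHA-256, the label strings, the parameter encoding, the function names and all sample values are assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    # Assumed encoding: label || (param || 2-byte big-endian length) per parameter.
    msg = label + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()

def u16(n: int) -> bytes:
    return n.to_bytes(2, "big")

def first_key(base_key: bytes, group_id: int, group_count: int) -> bytes:
    # First encryption key: one per secondary node group, rooted in the base key.
    return kdf(base_key, b"first", u16(group_id), u16(group_count))

def third_key(first: bytes, node_id: int, scg_count: int) -> bytes:
    # Third encryption key: one per node other than the specific node.
    return kdf(first, b"third", u16(node_id), u16(scg_count))

def second_key(parent: bytes, alg_id: int) -> bytes:
    # Second encryption key: binds the parent key to the node's algorithm identifier.
    return kdf(parent, b"second", bytes([alg_id]))

def derive_group_keys(base_key, group_id, group_count,
                      specific_node, other_nodes, alg_ids):
    """Return {node_id: second encryption key} for one secondary node group.

    other_nodes maps node_id -> second secondary cell group count.
    """
    k1 = first_key(base_key, group_id, group_count)
    keys = {specific_node: second_key(k1, alg_ids[specific_node])}
    for node_id, scg_count in other_nodes.items():
        k3 = third_key(k1, node_id, scg_count)
        keys[node_id] = second_key(k3, alg_ids[node_id])
    return keys

# Constructed sample values, not taken from the patent.
BASE_KEY = bytes(range(32))
ALG_IDS = {10: 2, 11: 2, 12: 1}   # node id -> algorithm identifier
OTHERS = {11: 0, 12: 1}           # node id -> second secondary cell group count

if __name__ == "__main__":
    before = derive_group_keys(BASE_KEY, 1, 0, 10, OTHERS, ALG_IDS)
    # Group count updated while the base key stays the same: every key changes.
    after = derive_group_keys(BASE_KEY, 1, 1, 10, OTHERS, ALG_IDS)
    for node in before:
        print(node, before[node].hex()[:16], "->", after[node].hex()[:16])
```

Nodes 10 and 11 share an algorithm identifier in the sample data yet end up with different keys, because node 11's key passes through its own third encryption key.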

The terminal device of claim 66 or 67, wherein the particular second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

The terminal device of claim 68, wherein the functionality of the particular second access network device further comprises at least one of:

establishing a control plane connection with the first access network node;

establishing a third signaling radio bearer (SRB3);

allocating information of the secondary node group; the information of the secondary node group comprises at least one of: a user plane bearer (DRB) ID, a serving cell index, a logical channel (LC) ID, a measurement object ID and a measurement report ID.

The terminal device of claim 66 or 67, wherein the terminal device further comprises a third updating unit configured to update the second secondary cell group count when it is determined that a second update condition is satisfied and a base key used for determining the first encryption key is unchanged.

A terminal device, comprising: a processor and a memory for storing a computer program, the processor being configured to invoke and execute the computer program stored in the memory to perform the method of any of claims 22 to 35.

An access network node, comprising: a processor and a memory for storing a computer program, the processor for invoking and executing the computer program stored in the memory, performing the method of any one of claims 1 to 9; alternatively, the processor is configured to invoke and execute a computer program stored in the memory, to perform the method of any of claims 10 to 21.

A chip, comprising: a processor for calling and running a computer program from a memory so that a device on which the chip is installed performs the method of any one of claims 1 to 9; or causing a device on which the chip is mounted to perform the method of any of claims 10 to 21; or causing a device on which the chip is mounted to perform the method of any of claims 22 to 35.

A computer-readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 1 to 9; alternatively, the computer program causes a computer to perform the method of any one of claims 10 to 21; alternatively, the computer program causes a computer to perform the method of any of claims 22 to 35.

A computer program product comprising computer program instructions for causing a computer to perform the method of any one of claims 1 to 9; alternatively, the computer program instructions cause a computer to perform the method of any one of claims 10 to 21; alternatively, the computer program instructions cause a computer to perform the method of any of claims 22 to 35.

A computer program for causing a computer to perform the method of any one of claims 1 to 9; alternatively, the computer program causes a computer to perform the method of any one of claims 10 to 21; alternatively, the computer program causes a computer to perform the method of any of claims 22 to 35.
