Abstract: A data transmission method includes calculating, by a user equipment (UE), a first message authentication code of first location privacy setting data, sending, by the UE, the first message authentication code and the first location privacy setting data to a data management network element, receiving, by the UE, a second message authentication code from the data management network element, calculating, by the UE, a third message authentication code of the first location privacy setting data, determining, by the UE, that the first location privacy setting data is not tampered with when the second message authentication code is the same as the third message authentication code.

Abstract: This application provides a key determining method, and a communication apparatus. The method is applied to a donor node central unit which contains a control plane entity and a user plane entity, and the method includes: deriving a first key based on a root key, an internet protocol (IP) address of a distributed unit of an integrated access and backhaul node, and a first IP address of the user plane entity; and sending a first message to the user plane entity, wherein the first message comprises the first key. According to this application, a user plane secure transmission channel may be established between the user plane entity and the distributed unit based on the first key.

Abstract: The present application discloses methods and apparatuses for tag management. In an example method, a first mobility management function receives a registration request message sent by an access network device. The registration request message requests to register a tag in a core network. The first mobility management function obtains identification information of a second mobility management function from a unified data management function based on the registration request message. The second mobility management function stores context information of the tag. The first mobility management function obtains the context information of the tag from the second mobility management function.

Abstract: Embodiments of a network selection method and a related apparatus are provided. In the method, an apparatus receives a broadcast message from a non-forbidden public land mobile network (PLMN) and a broadcast message from a forbidden PLMN. The broadcast message of the forbidden PLMN includes a disaster occurrence indication, and the disaster occurrence indication indicates that a disaster has occurred on the non-forbidden PLMN. The apparatus requests, based on the disaster occurrence indication, to register with the forbidden PLMN, when the apparatus fails to register with the non-forbidden PLMN. According to the foregoing method, the apparatus can select a network that ensures a normal service, and a service interruption to the apparatus caused by the disaster that occurs on the non-forbidden PLMN can be effectively reduced.

Abstract: This application provides a communication method, apparatus, and system. The method includes: A first node communicates with a first donor node by using a first key, where the first key includes a key used for communication over an air interface and/or a key 1 used for communication over an F1 interface. After the first node receives first information from the first donor node, the first node maintains the first key and a second key in response to the first information, where the second key includes a key used for communication over an air interface between the first node and a second donor node and/or a key 2 used for communication over the F1 interface.

Abstract: This application provides a method for controlling a connection between a terminal and a network, and an apparatus. The method includes: receiving, by a terminal, a packet filter; and discarding, by the terminal, an uplink data packet matching the packet filter. Based on this solution, a connection can be blocked near a source (that is, the connection is blocked from the terminal), to reduce traffic exchanged between the terminal and a user plane network element. Compared with an existing technical solution, the terminal implements traffic control to reduce a quantity of uplink data packets sent to the user plane network element, thereby reducing load of the user plane network element.

Abstract: Embodiments of this application provide a key update method and apparatus. The key update method includes: generating a second multicast transmission key, where the second multicast transmission key is an updated key of a first multicast transmission key; and sending a first message, where the first message includes the second multicast transmission key and a multicast group identifier, and the first message indicates to update a multicast transmission key corresponding to the multicast group identifier to the second multicast transmission key. The key update method and apparatus in embodiments of this application can meet a key update requirement in a multicast transmission service, to further protect business interests of a service provider and improve system security.

Abstract: A network access method includes receiving, by a terminal device, a broadcast message from an access network device. The broadcast message includes identification information of one or more closed access groups (CAGs) supported by a first cell and a first default network access indication, and the first default network access indication indicates that the first cell can be accessed in a default access manner. The method also includes, in response to determining a first closed access group (CAG) list does not include the identification information of the one or more CAGs supported by the first cell, accessing, by the terminal device, the first cell based on the first default network access indication. The first CAG list is stored in the terminal device, and the first CAG list includes identification information of a CAG that is allowed to be accessed.

Abstract: A key generation method and an apparatus are provided. One example key generation method includes the following steps: determining, by a communication apparatus, that a master base station or a secondary base station serves as an integrated access and backhaul (IAB) donor, wherein the master base station and the secondary base station are connected to an IAB node; and performing at least one of the following when the master base station serves as the IAB donor, generating, by the communication apparatus, an IAB key KIAB based on a master base station key; or when the secondary base station serves as the IAB donor, generating, by the communication apparatus, the IAB key KIAB based on a secondary base station key.

Abstract: Embodiments of this application provide a communication method and an apparatus, to ensure a multicast service data packet transmission security requirement. An access device may determine a user plane security active state of a multicast DRB in a PDU session, and indicate the user plane security active state of the multicast DRB to a terminal, where the user plane security active state includes whether integrity protection is activated and/or whether confidentiality protection is activated. In addition, the access device configures a multicast PDCP layer entity based on the user plane security active state of the DRB for transmitting multicast service data. The access device may further determine a user plane security active state of a unicast DRB, indicate the user plane security active state to the terminal, and modify a unicast PDCP layer entity.

Abstract: Embodiments of this application provide a key management method and a communication apparatus, and relate to the field of communication technologies, to securely transmit multicast service data, and prevent an unauthorized terminal device from obtaining the multicast service data. The method includes: A terminal device obtains a target key, where the target key includes at least one of a target multimedia broadcast/multicast service service key MSK, a first sub-key corresponding to the target MSK, or a second sub-key corresponding to the target MSK, the first sub-key is for confidentiality protection calculation, and the second sub-key is for integrity protection calculation. The terminal device receives target data from a multicast user-plane processing network element, where the target data is data on which security protection is performed. Then, the terminal device processes the target data by using the target key.

Abstract: This application provides a key management method, a device, and a system. The method includes: A terminal device sends a first application session establishment request message to a first application function network element, where the establishment request message carries identification information of a first key, and the first key is an authentication and key management for applications AKMA key. The terminal device receives a first authentication request message in a procedure of the re-authentication. The terminal device sends a response message for the first authentication request message in the procedure of the re-authentication. The terminal device receives a response message for the establishment request message. The terminal device derives a communication key between the terminal device and the first application function network element by using the first key.

Abstract: Embodiments of this disclosure provide a communication protection method and apparatus, a device, and a computer-readable medium. The communication protection method includes: A terminal device sends an application session establishment request message to a first application function network element (AF), where the application session establishment request message includes an AKMA key identifier; and the terminal device receives an application session establishment response message from the first AF, where the application session establishment response message includes a security activation indication. The security activation indication indicates whether to activate security protection on communication between the terminal device and a second AF, the security protection includes confidentiality protection and/or integrity protection performed based on a security key, and the security key is generated based on an AKMA key corresponding to the AKMA key identifier.

Abstract: This application provides a communication method, apparatus, and system. The method includes: After a second node sends first indication information to a first node by using a message that is not security protected, the first node may request an IAB donor node to verify whether the first indication information is trustworthy, so that the first node performs a subsequent operation based on a verification result of the IAB donor node. This can eliminate a security risk in a communication process, and help improve communication quality.

Abstract: A configuration data update method is provided. The method includes: When configuration data for a terminal apparatus is first configuration data, where the first configuration data includes a first restriction indication and an empty closed access group CAG list, the first restriction indication is used to indicate the terminal apparatus to access a network through a closed access group CAG, an access and mobility management function apparatus configures the terminal apparatus to be in a state in which the terminal apparatus is allowed to access the network not only through a CAG in the CAG list. When the configuration data for the terminal apparatus is updated to second configuration data, where a CAG list in the second configuration data is not empty or does not include the first restriction indication, the access and mobility management function apparatus sends the second configuration data to the terminal apparatus.

Abstract: Embodiments of this application relate to the field of communication technologies, and provide a data transmission method and an apparatus, to ensure security of radio capability information of a terminal in a transmission process. The method includes: A terminal performs NAS security protection on radio capability information based on a NAS security context before establishing an AS security context; then the terminal sends the NAS-security-protected radio capability information to a mobility management network element; and after receiving the NAS-security-protected radio capability information, the mobility management network element performs security deprotection on the NAS-security-protected radio capability information, to obtain and store the radio capability information of the terminal.

Abstract: This application relates to the field of communications technologies, and provides a communications method and apparatus, to reduce a data transmission latency between an IAB node and an IAB donor. The method includes: An IAB node receives an uplink data packet from a terminal; the IAB node determines a PDCP layer security status of the uplink data packet; the IAB node determines a target secure tunnel from a plurality of secure tunnels between the IAB node and an IAB donor based on the PDCP layer security status of the uplink data packet; and the IAB node sends the uplink data packet to the IAB donor through the target secure tunnel. This application is applicable to a data transmission process.

Abstract: Embodiments of this application provide a communication method and apparatus, and relate to the field of communications technologies, to lower a security risk posed by removal of a SIM card from a communications device, and improve security of a communications network. The communication method includes: determining, by the communications device, that the SIM card is removed; sending, by the communications device, alarm information to a network device, wherein the alarm information indicates that the SIM card in the communications device is removed, and security protection is performed on the alarm information based on security context stored in the communications device; and then deleting, by the communications device, the security context. This application is applicable to a procedure in which a communications device accesses a network.

Abstract: This application relates to the field of communications technologies, and discloses a method and apparatus. The method includes: A real base station receives a first uplink NAS message and an identifier of a first device. The real base station obtains a first hash value of first system information of a cell corresponding to the identifier of the first device. The real base station sends an N2 message to a core network device, where the N2 message includes the first uplink NAS message and the first hash value of the first system information. The core network device receives the N2 message from the real base station, and sends an integrity protected first downlink NAS message to a terminal, where the first downlink NAS message is forwarded by the real base station to the terminal, and the first downlink NAS message includes the first hash value of the first system information.

Abstract: Embodiments of this application provide a terminal device location determining method and a device. The method includes: obtaining location information reported by a terminal device and location information reported by a base station; determining location information of the terminal device based on the location information reported by the terminal device and the location information reported by the base station; and sending a positioning response to an application function entity or an external client by using a gateway mobile location center, where the positioning response includes the location information of the terminal device. According to the method provided in the embodiments of this application, whether a location of the terminal device is incorrect is determined by comparing the location information provided by the base station with the location information provided by the terminal device, so that positioning accuracy and reliability can be both considered.