H04W12/041

DATA TRANSMISSION METHOD AND SYSTEM, ELECTRONIC DEVICE AND COMPUTER-READABLE STORAGE MEDIUM
20230232219 · 2023-07-20

The present disclosure relates to the technical field of communication security, and provides a data transmission method applicable to a control plane function entity, including: determining target user plane data which needs to be subjected to security protection between a target user equipment and a user plane function entity; and sending a notification message to a Radio Access Network function entity and the target user equipment, with the notification message configured to instruct that the security protection is performed on the target user plane data between the target user equipment and the user plane function entity. The present disclosure further provides a data transmission system, an electronic device, and a computer-readable storage medium.

AUTHENTICATING A DEVICE NOT HAVING A SUBSCRIPTION IN A NETWORK
20230231851 · 2023-07-20

Apparatuses, methods, and systems are disclosed for accessing an NPN using external credentials. One apparatus in a mobile communication network includes a processor and a transceiver that receives a registration request for a UE. Here, the UE does not have a subscription with the mobile communication network. The processor identifies a service provider of the UE and controls the transceiver to send an authentication message to an AAA server of the identified service provider. The processor receives an authentication response containing a master session key from the AAA server in response to successful authentication of the UE and derives a set of security keys (e.g., K_AUSF, K_SEAF) using the master session key.

METHOD AND APPARATUS FOR PROVIDING AKMA SERVICE IN WIRELESS COMMUNICATION SYSTEM

According to an embodiment of the present disclosure, a method performed by an AKMA anchor function (AAnF) in a wireless communication system is provided. The method may include: receiving, from an application function (AF), a message requesting an authentication and key management for applications (AKMA) application key for a user equipment (UE); checking, based on a local policy, whether the AAnF provides AKMA service to the AF; and, based on a result of the checking, determining whether to derive the requested AKMA application key for the UE.

METHOD AND APPARATUS FOR DATA TRANSFER AND BUFFER STATUS REPORTING IN RRC_INACTIVE STATE IN MOBILE WIRELESS COMMUNICATION SYSTEM
20230232490 · 2023-07-20

A method and apparatus for data transfer in RRC_INACTIVE state are provided. The method for data transfer in RRC_INACTIVE state includes transmitting a UECapabilityInformation, receiving an RRCRelease, receiving system information, initiating a second resume procedure, and performing buffer status reporting based on a first information and a second information if the second resume procedure is ongoing. The first information is predefined and the second information is included in the system information.

Method and apparatus for activating security and changing PDCP version
11564098 · 2023-01-24

Provided is a method for changing, by a user equipment (UE), packet data convergence protocol (PDCP) version. The method may include: receiving a security mode command message, which includes a first security algorithm configuration for a PDCP of a first system and a second security algorithm configuration for a PDCP of a second system, from a base station (BS); deriving a first security key for the PDCP of the first system, based on the first security algorithm configuration; when the security mode command message passes an integrity protection check based on the first security key, changing the PDCP version from the PDCP of the first system to the PDCP of the second system; deriving a second security key for the PDCP of the second system, based on the second security algorithm configuration; and transmitting a security mode complete message, based on the second security key, to the BS.

RRC connection resume method and apparatus

This application provides an RRC connection resume method and apparatus. In the method, when a terminal moves to a target base station, the target base station may reselect, based on a capability and a requirement of the target base station, a first encryption algorithm and a first integrity protection algorithm that are used when the target base station communicates with the terminal, and send the first encryption algorithm and the first integrity protection algorithm to the terminal. On one hand, a security algorithm used for communication between the terminal and the target base station is flexibly selected. On the other hand, because the base station connected to the terminal changes, communication security can be improved by using a new encryption algorithm and integrity protection algorithm.
