A method for processing a non-access stratum context is as follows: A terminal device sends a registration request message to a first public land mobile network PLMN. The terminal device receives a registration accept message from the first PLMN. When the terminal device deregisters from the first PLMN over a first access network, the terminal device stores, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first NAS security context established by the terminal device with the first PLMN. Embodiments of this application are used for a processing process of the non-access stratum context.

A method for processing a non-access stratum context is as follows: A terminal device sends a registration request message to a first public land mobile network PLMN. The terminal device receives a registration accept message from the first PLMN. When the terminal device deregisters from the first PLMN over a first access network, the terminal device stores, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first NAS security context established by the terminal device with the first PLMN. Embodiments of this application are used for a processing process of the non-access stratum context.

Embodiments herein provide a method and a UE for handling of integrity check failures of Packet Data Convergence Protocol (PDCP) Protocol Data Units (PDUs) in a wireless communication system. The method includes performing an integrity check at a PDCP layer on at least one Radio Bearer based on a Message Authentication Code-Integrity (MAC-I) of the PDCP PDU. The method includes determining a success of integrity check of the PDCP PDU or a failure of integrity check of the PDCP PDU received on the radio bearer. Further, the method includes discarding the PDCP PDU for which integrity is check failed. Furthermore, the method includes indicating a Radio Resource Control (RRC) layer about the integrity check failure on the at least one radio bearer in response to determining a trigger condition.

Embodiments herein provide a method and a UE for handling of integrity check failures of Packet Data Convergence Protocol (PDCP) Protocol Data Units (PDUs) in a wireless communication system. The method includes performing an integrity check at a PDCP layer on at least one Radio Bearer based on a Message Authentication Code-Integrity (MAC-I) of the PDCP PDU. The method includes determining a success of integrity check of the PDCP PDU or a failure of integrity check of the PDCP PDU received on the radio bearer. Further, the method includes discarding the PDCP PDU for which integrity is check failed. Furthermore, the method includes indicating a Radio Resource Control (RRC) layer about the integrity check failure on the at least one radio bearer in response to determining a trigger condition.

A security protection method and an apparatus to implement security protection for a plurality of non-access stratum (NAS) connection links. The method includes determining, by a terminal, a first parameter, where the first parameter is used to indicate an access technology used to transmit a non-access stratum NAS message. The terminal can support at least two access technologies, and can separately maintain a corresponding NAS COUNT for each of the at least two access technologies. The method further includes performing, by the terminal, security protection on the NAS message based on the first parameter, a NAS key, and a NAS COUNT corresponding to an access technology used to transmit the NAS message. This application is applicable to a process of performing security protection on a NAS message.

A security protection method and an apparatus to implement security protection for a plurality of non-access stratum (NAS) connection links. The method includes determining, by a terminal, a first parameter, where the first parameter is used to indicate an access technology used to transmit a non-access stratum NAS message. The terminal can support at least two access technologies, and can separately maintain a corresponding NAS COUNT for each of the at least two access technologies. The method further includes performing, by the terminal, security protection on the NAS message based on the first parameter, a NAS key, and a NAS COUNT corresponding to an access technology used to transmit the NAS message. This application is applicable to a process of performing security protection on a NAS message.

Provided is a method for changing, by a user equipment (UE), packet data convergence protocol (PDCP) version. The method may include: receiving a security mode command message, which includes a first security algorithm configuration for a PDCP of a first system and a second security algorithm configuration for a PDCP of a second system, from a base station (BS); deriving a first security key for the PDCP of the first system, based on the first security algorithm configuration; when the security mode command message passes an integrity protection check based on the first security key, changing the PDCP version from the PDCP of the first system to the PDCP of the second system; deriving a second security key for the PDCP of the second system, based on the second security algorithm configuration; and transmitting a security mode complete message, based on the second security key, to the BS.

Provided is a method for changing, by a user equipment (UE), packet data convergence protocol (PDCP) version. The method may include: receiving a security mode command message, which includes a first security algorithm configuration for a PDCP of a first system and a second security algorithm configuration for a PDCP of a second system, from a base station (BS); deriving a first security key for the PDCP of the first system, based on the first security algorithm configuration; when the security mode command message passes an integrity protection check based on the first security key, changing the PDCP version from the PDCP of the first system to the PDCP of the second system; deriving a second security key for the PDCP of the second system, based on the second security algorithm configuration; and transmitting a security mode complete message, based on the second security key, to the BS.

This application provides an RRC connection resume method and apparatus. In the method, when a terminal moves to a target base station, the target base station may reselect, based on a capability and a requirement of the target base station, a first encryption algorithm and a first integrity protection algorithm that are used when the target base station communicates with the terminal, and send the first encryption algorithm and the first integrity protection algorithm to the terminal. On one hand, a security algorithm used for communication between the terminal and the target base station is flexibly selected. On the other hand, because the base station connected to the terminal changes, communication security can be improved by using a new encryption algorithm and integrity protection algorithm.

This application provides an RRC connection resume method and apparatus. In the method, when a terminal moves to a target base station, the target base station may reselect, based on a capability and a requirement of the target base station, a first encryption algorithm and a first integrity protection algorithm that are used when the target base station communicates with the terminal, and send the first encryption algorithm and the first integrity protection algorithm to the terminal. On one hand, a security algorithm used for communication between the terminal and the target base station is flexibly selected. On the other hand, because the base station connected to the terminal changes, communication security can be improved by using a new encryption algorithm and integrity protection algorithm.