CN114765827A - Safety protection method, device and system - Google Patents
Safety protection method, device and system Download PDFInfo
- Publication number
- CN114765827A CN114765827A CN202210021323.3A CN202210021323A CN114765827A CN 114765827 A CN114765827 A CN 114765827A CN 202210021323 A CN202210021323 A CN 202210021323A CN 114765827 A CN114765827 A CN 114765827A
- Authority
- CN
- China
- Prior art keywords
- amf
- user
- target
- request
- target amf
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 194
- 230000008569 process Effects 0.000 claims abstract description 46
- 230000006870 function Effects 0.000 claims description 79
- 238000004891 communication Methods 0.000 claims description 53
- 230000015654 memory Effects 0.000 claims description 41
- 238000007726 management method Methods 0.000 claims description 32
- 230000004044 response Effects 0.000 claims description 18
- 239000000284 extract Substances 0.000 claims description 5
- 238000013523 data management Methods 0.000 claims description 3
- 230000011664 signaling Effects 0.000 abstract description 12
- 230000000977 initiatory effect Effects 0.000 abstract description 5
- 238000012545 processing Methods 0.000 description 11
- 238000004422 calculation algorithm Methods 0.000 description 9
- 230000005540 biological transmission Effects 0.000 description 5
- 230000008878 coupling Effects 0.000 description 5
- 238000010168 coupling process Methods 0.000 description 5
- 238000005859 coupling reaction Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 230000003993 interaction Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002035 prolonged effect Effects 0.000 description 2
- 230000003190 augmentative effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0022—Control or signalling for completing the hand-off for data sessions of end-to-end connection for transferring data sessions between adjacent core network technologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/12—Reselecting a serving backbone network switching or routing node
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application discloses a method, a device and a system for safety protection. According to the scheme provided by the embodiment of the application, the target AMF receives a first request of the terminal from the initial AMF, the security context of the terminal and the user permanent identification of the terminal; and responding to the first request according to the received information or according to a local policy. The initial AMF acquires the security context of the terminal and the user permanent identification of the terminal through the authentication process, so that the target AMF can trust the information from the initial AMF; the target AMF can directly use the information received from the initial AMF to respond to the first request without initiating an authentication process to acquire a security context or a user permanent identifier, and similarly, the request for acquiring the context does not need to be sent, so that the signaling process of the target AMF after receiving the first request is effectively reduced, and the time delay required by the terminal to establish or update the connection with the target AMF is effectively shortened.
Description
Technical Field
The present application relates to the field of communications, and in particular, to a method, an apparatus, and a system for security protection.
Background
The terminal may perform access and mobility management function (AMF) redirection during registration with the network. When the initial AMF receiving the terminal registration request cannot serve the terminal, the initial AMF may perform NAS redirection (NAS re route), that is, the initial AMF obtains information of a target AMF (target AMF) that can serve the user equipment, and sends a registration request message received from the terminal to the target AMF.
However, the current AMF redirection process has large signaling overhead and prolonged network access time.
Similarly, other core network elements that need to acquire the security context of the terminal may perform redirection or handover, and the redirection or handover process also has the problems of high signaling overhead and prolonged network access time.
Disclosure of Invention
The embodiment of the application provides a security protection method, device and system, which can reduce signaling interaction in the process of redirecting or switching a core network element, reduce signaling overhead and shorten network access delay.
In a first aspect, an embodiment of the present application provides a security protection method, including:
a target network element receives a first request of a terminal from an initial network element, a security context of the terminal and a user permanent identifier of the terminal;
the target network element responds to the first request.
The first request may be a registration request of the terminal.
The network element may be a mobility management network function, such as an AMF; the network element may also be a network element that is redirected or switched and needs to acquire a security context of the terminal or needs to establish a secure connection with the terminal. The initial network element is the first network element processing the first request, and the target network element is the network element providing service for the terminal after redirection or handover occurs. The initial network element and the target network element may be the same type of network element or may be different types of network elements capable of providing the same type of service for the terminal.
In one possible implementation, the first request includes a user temporary identification of the terminal.
The target network element responding to the first request may be understood as determining a user permanent identifier corresponding to the user temporary identifier of the terminal and a security context corresponding to the user temporary identifier, and may also be understood as determining that the user permanent identifier corresponding to the user temporary identifier of the terminal is the user permanent identifier received by the target network element and that the security context corresponding to the user temporary identifier is the security context received by the target network element.
In one possible implementation, the receiving, by the target network element, the first request from the terminal of the initial network element, the security context of the terminal, and the permanent identity of the user of the terminal includes: the target network element receives a first request of the terminal, a security context of the terminal, a user permanent identity of the terminal from the initial network element via a direct interface.
In one possible implementation, the receiving, by the target network element, the first request from the terminal of the initial network element, the security context of the terminal, and the permanent identity of the user of the terminal includes: the target network element receives a first request of a terminal from the access network equipment; the target network element receives from the core network element a user temporary identity of the terminal, a security context of the terminal, and a user permanent identity of the terminal.
In one possible implementation, the receiving, by the target network element, the first request from the terminal of the initial network element, the security context of the terminal, and the permanent identity of the user of the terminal includes: the target network element receives a first request of a terminal from the access network equipment; the target network element receives a first request from a terminal of the initial network element; responding to the first request, the target network element sends an acquisition request to the NF, wherein the acquisition request is used for requesting to acquire the security context and the user permanent identification corresponding to the terminal from the NF, and the acquisition request comprises the user temporary identification of the terminal; the target network element receives the user temporary identity of the terminal, the security context of the terminal, and the user permanent identity of the terminal from the core network element.
In a possible implementation manner, the responding, by the target network element, to the first request includes: the target network element uses the security context and the permanent identity of the user in response to the security context of the terminal and the permanent identity of the terminal.
In one possible implementation manner, the method further includes: the target network element does not initiate an authentication procedure. The target network element may determine not to initiate an authentication procedure according to the local policy.
In one possible implementation manner, the method further includes: the target network element does not send a request to obtain the context. The target network element may determine not to send the request to obtain the context according to the local policy. The request not to send the context may be a request not to send the context to the original network element. The context includes a security context.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and responding to the security context of the terminal and the permanent identifier of the terminal, and not sending a request for acquiring the security context by the target network element.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and responding to the security context of the terminal and the permanent identification of the terminal, and the target network element does not initiate an authentication process.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element judges whether to use or trust the security context and/or the user permanent identification according to the local policy.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element determines to use the security context and/or the user permanent identification according to the local policy.
In one possible implementation manner, the method further includes: the target network element does not initiate an authentication procedure.
In one possible implementation manner, the method further includes: the target network element does not send a request to obtain the context.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element judges whether to initiate an authentication process or not according to the local strategy.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element determines not to initiate an authentication process according to the local strategy.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element judges whether to send a request for acquiring the context according to the local strategy.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element determines not to send the request for acquiring the context according to the local policy. The request not to send the context may be a request not to send the context to the original network element. The context includes a security context.
The initial network element obtains the security context of the terminal and the user permanent identification of the terminal through the authentication process, and the target network element can trust the information from the initial network element; the target network element can directly use the information to respond to the first request without initiating an authentication process to acquire a security context or a user permanent identifier, and similarly, the target network element does not need to send a request for acquiring the context, so that the signaling process of the target network element after receiving the first request is effectively reduced, and the time delay required by the terminal to establish or update the security connection with the target network element is effectively shortened.
The target network element obtains and uses the security context and the user permanent identification from the initial network element, so that the obtaining of the security context and the user permanent identification from the original network element can be avoided. The problem that after the security context between the initial network element and the terminal is updated, the target network element obtains the security context before updating from the original network element, and therefore communication cannot be successfully established with the terminal based on the security context is solved.
In a possible implementation manner, the responding, by the target network element, to the first request includes: and the target network element determines not to use the security context or the user permanent identification according to a local policy.
In one possible implementation manner, the method further includes: and the target network element initiates an authentication flow.
In one possible implementation, the target network element determines to initiate an authentication procedure according to a local policy.
Based on the above manner, the target network element does not need to initiate the authentication flow after receiving any first request, but only needs to initiate the authentication flow when the target network element determines that the authentication flow needs to be initiated according to the local policy. The method and the device ensure the safety of communication connection while reducing signaling overhead caused by unnecessary authentication processes.
In one possible implementation manner, the method further includes: the target network element receives the first indication information. The first indication information is used for indicating the forwarding of the first request through the initial network element.
The target network element responding to the first request includes: and the target network element determines the security context responding to the terminal and the permanent identification of the terminal according to the first indication information.
The target network element responding to the first request includes: and the target network element determines to judge according to the local strategy according to the first indication information.
In a possible implementation manner, the first indication information is generated by an initial network element and is forwarded to a target network element through access network equipment; or the first indication information is generated by the access network equipment and sent to the target network element.
In one possible implementation, the target network element extracts the user temporary identity from the first request.
In a possible implementation manner, the target network element uses the user temporary identifier of the terminal to index the security context of the terminal and the user permanent identifier of the terminal in the obtained security context and user permanent identifier.
In one possible implementation manner, the method further includes: and after the target network element acquires the user permanent identifier of the terminal, the target network element deletes the user temporary identifier of the terminal.
In a second aspect, an embodiment of the present application provides a security protection method, including:
the method comprises the steps that an initial access management function network element receives a first request of a terminal, wherein the first request comprises a user temporary identifier of the terminal;
the initial network element obtains the context of the terminal corresponding to the user temporary identifier and the user permanent identifier of the terminal;
the initial network element sends the first request to the target network element through the access network equipment;
and the initial network element sends the temporary user identification of the terminal, the permanent user identification of the terminal and the security context of the terminal to the first network element.
In one possible implementation manner, the method further includes: and the initial network element sends first indication information to the access network equipment, wherein the first indication information is used for indicating that the first request is forwarded by the initial network element.
In one possible implementation manner, the method further includes: and the initial network element extracts the user temporary identifier in the first request.
In a third aspect, an embodiment of the present application provides a security protection method, including:
a first network element acquires a user temporary identifier of a terminal, a user permanent identifier of the terminal and a security context of the terminal;
and the first network element sends the user temporary identifier, the user permanent identifier and the security context to a target access management function network element.
In one possible implementation manner, the method further includes: the first network element receives an acquisition request from a target network element, wherein the acquisition request comprises the user temporary identifier;
the first network element sending the user temporary identifier, the user permanent identifier and the security context to the target access management function network element includes: and responding to the acquisition request, and sending the user temporary identifier, the user permanent identifier corresponding to the user temporary identifier and the security context to a target network element by the first network element.
In a fourth aspect, embodiments of the present application provide a communication apparatus, including a processor and a memory, where the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions stored in the memory, so that the apparatus executes the corresponding method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a communication apparatus, including a processor and a memory, where the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions stored in the memory, so that the apparatus executes the corresponding method according to the second aspect.
In a sixth aspect, embodiments of the present application provide a communication apparatus, including a processor and a memory, where the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions stored in the memory, so that the apparatus executes the corresponding method according to the third aspect.
In a seventh aspect, an embodiment of the present application provides a communication apparatus, configured to implement the method of the first aspect. The communication device may implement the functionality of the target network element in the first aspect. The communication device comprises corresponding modules, units or means (means) for implementing the above method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In an eighth aspect, an embodiment of the present application provides a communication apparatus, configured to implement the method of the second aspect. The communication device may implement the functionality of the initial network element in the second aspect. The communication device comprises corresponding modules, units or means (means) for implementing the above method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In a ninth aspect, an embodiment of the present application provides a communication apparatus, configured to implement the method of the third aspect. The communication device may implement the functionality of the first network element in the second aspect. The communication device comprises corresponding modules, units or means (means) for implementing the above method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In a tenth aspect, embodiments of the present application provide a computer-readable storage medium for storing instructions that, when executed, cause a method according to any one of the first to third aspects to be implemented.
In an eleventh aspect, the present application provides a computer program product comprising instructions that, when executed, cause the method according to any one of the first to third aspects to be implemented.
In a twelfth aspect, an embodiment of the present application provides a communication system, which includes the apparatus in the fourth aspect or the seventh aspect, and the apparatus in the fifth aspect or the eighth aspect.
Optionally, the communication system further includes the apparatus of the sixth aspect or the ninth aspect.
Among them, the technical effects of the second to twelfth aspects can be seen in the advantageous effects of the first aspect.
Drawings
Fig. 1 is a schematic diagram of a communication system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a security protection method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 4 is a schematic flow chart of another security protection method provided in the embodiment of the present application;
fig. 5 is a schematic flow chart of another security protection method provided in the embodiment of the present application;
FIG. 6 is a schematic flowchart of another security protection method provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of another communication device according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic diagram of a network architecture provided in an embodiment of the present application, where the respective parts involved in fig. 1 are as follows:
terminal equipment may also be referred to as User Equipment (UE), terminal, etc. A terminal device is a device with a wireless transceiving function, and can communicate with one or more Core Networks (CN) via AN access network device in a (radio) access network (R) AN. Can be deployed on land, including indoors or outdoors, hand-held, worn, or vehicle-mounted; can also be deployed on the water surface, such as a ship and the like; it may also be deployed in the air, such as on an airplane, balloon, or satellite, etc. The terminal device may be a mobile phone (mobile phone), a tablet computer (Pad), a computer with wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in home (smart home), and so on.
The (radio) access network (R) AN is configured to provide a network access function for authorized user equipment in a specific area, and may use transmission tunnels with different qualities according to a level of the user equipment, a service requirement, and the like. For example, the (R) AN may manage radio resources, provide access services for the user equipment, and then complete forwarding of control information and/or data information between the user equipment and a Core Network (CN). The access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device. For example, the access network device may include: next generation base station node (eNB) in 5G system, evolved node B (eNB) in Long Term Evolution (LTE), Radio Network Controller (RNC), Node B (NB), Base Station Controller (BSC), Base Transceiver Station (BTS), home base station (e.g., home evolved node B, or home node B, HNB), Base Band Unit (BBU), transmission point (TRP), Transmission Point (TP), small base station equipment (pico), mobile switching center (mobile switching center), or network equipment in future network, etc. It is understood that the embodiment of the present application does not limit the specific type of the access network device. In systems with different radio access technologies, the names of devices that function as access network devices may differ.
A User Plane Function (UPF) network function, which is used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and the like.
A Data Network (DN) network function for providing a network for transmitting data.
An access and mobility management function (AMF) network function is mainly used for mobility management, access management, and the like, and may be used to implement other functions, such as functions of lawful interception and access authorization/authentication, in a Mobility Management Entity (MME) function, besides session management. It is understood that hereinafter referred to as AMF network function is AMF. In the embodiment of the present application, the AMF may include an initial AMF (initial AMF), a raw AMF (old AMF), and a target AMF (target AMF). For example, the initial AMF may be understood as the AMF that is the first one in the registration to process the UE registration request, the initial AMF is selected by the (R) AN, but the initial AMF may not necessarily serve the UE, the original AMF may be understood as the AMF that served the UE when the UE last registered to the network, and the target AMF may be understood as the AMF that served the UE after the UE is redirected. For example, the UE carries network slice selection information in the registration request message, and after the UE completes the registration request at the initial AMF, the initial AMF cannot serve the network slice and needs to be redirected to the target AMF to serve the UE.
A Network Slice Selection Function (NSSF) may be used to determine a network slice instance, select an AMF network function, and so on.
Network storage network functions, such as those including a Network Registration Function (NRF), may be used to maintain real-time information of all network function services in the network.
An authentication server function (AUSF) is used for authenticating services, generating keys to implement bidirectional authentication of user equipment, and supporting a unified authentication framework.
A Unified Data Management (UDM) network function, which may be used to handle user equipment identification, access authentication, registration, mobility management, etc. It is understood that the UDM network function is hereinafter referred to as UDM.
The mobility management network function in the embodiment of the present application may be the AMF network function shown in fig. 1, or may be another network function having the AMF network function in a future communication system. Alternatively, the mobility management network function in the present application may also be a Mobility Management Entity (MME) in Long Term Evolution (LTE), and the like.
For convenience of description, in the embodiment of the present application, a mobility management network function is described as an example of an AMF network function. Further, the AMF network function is abbreviated as AMF, and the terminal device is referred to as UE or terminal, that is, the AMF described later in this embodiment of the present application may be replaced by the mobility management network function, and the UE or terminal may be replaced by the terminal device.
The embodiment of the application takes redirection of a mobility management network function as an example, and introduces the security protection method provided by the application. The security protection method can also be suitable for switching of the functions of the mobility management network. It is to be understood that when other core network elements are redirected or handed over and the core network element needs to establish a secure connection with the terminal, the actions performed by the mobility management network function in the following method may be performed by the core network element instead.
It is to be understood that the terminology described above may have been used in different fields or different standards and that the terminology used herein is not intended to be limiting of the embodiments of the present application. The network function or function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (e.g., a cloud platform).
Fig. 2 is a schematic flow chart of security protection. The method specifically comprises the following steps:
s210: the target AMF receives a first request from a terminal of the initial AMF, a security context of the terminal, and a user permanent identity of the terminal.
The first request comprises a user temporary identifier of the terminal. The user temporary identity may be a terminal generated temporary identity, such as a sui. The user temporary identifier may also be a temporary identifier, such as a GUTI, generated by the core network for the terminal, and the terminal acquires the temporary identifier from the core network.
The first request is used for requesting to establish a secure connection between the terminal and a core network, or the first request is used for requesting to establish a secure connection between the terminal and an AMF receiving the first request. Establishing the secure connection includes establishing a security context. The above-described establishment may also be replaced with an update.
The first request may be a registration request of the terminal for requesting registration of the terminal to the core network or to the AMF capable of serving the terminal. The first request may also be other requests of the terminal, such as a handover request.
The security context is used to describe information required to secure communications between the core network and the terminal. Optionally, the security context includes one or more of the following information: AMF secret key, AMF secret key identification, terminal security capability, encryption protection algorithm, integrity protection algorithm and NAS COUNT.
The security context of the terminal is the security context of the terminal that the initial AMF has acquired. And the initial AMF receives the first request from the terminal and initiates a main authentication process for the terminal, and the initial AMF acquires the security context of the terminal through the main authentication process. The initial AMF may perform encryption protection on information such as signaling sent to the terminal according to the security context.
In a first possible implementation manner, the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal are carried in one message. It can be understood that, by acquiring the message, the target AMF may know that the security context and the user permanent identifier carried in the message correspond to the user temporary identifier in the first request. Optionally, the initial AMF sends the message to the target AMF over a direct interface.
In a second possible implementation manner, the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal are respectively carried in different messages. Optionally, the security context or the user permanent identifier and the terminal identifier are carried in a message, so that the target AMF can know that the received security context and the user permanent identifier correspond to the terminal. Optionally, the terminal identifier may be the user temporary identifier, and the terminal identifier may be other information that enables the target AMF to identify the terminal, for example, session information or tunnel identifier information corresponding to the terminal.
Based on the second possible implementation manner, the initial AMF may send the user temporary identifier of the terminal, the security context of the terminal, and the user permanent identifier of the terminal to the target AMF through the core network element. Optionally, the initial AMF sends the first request of the terminal to the target AMF through the access network device.
The target AMF may extract the user temporary identification from the first request. The target AMF may use the user temporary identifier of the terminal to index or acquire the security context of the terminal and the user permanent identifier of the terminal in the acquired security context and user permanent identifier. Alternatively, the target AMF may request the NF for the security context of the terminal and the user permanent identity of the terminal using the user temporary identity.
The core network element may be a UDM, an NSSF, or another core network element capable of storing and forwarding the information. For ease of description, this core network element is referred to hereinafter as network function NF.
Optionally, after acquiring the temporary user identifier of the terminal, the security context of the terminal, and the permanent user identifier of the terminal, the NF sends the acquired information to the target AMF. I.e. the NF pushes directly to the target AMF after acquiring the above information.
Optionally, the NF acquires the security context of the terminal and the user permanent identifier of the terminal, and sends the acquired information to the target AMF when receiving the acquisition request from the target AMF. The obtaining request includes a user temporary identifier, and the user temporary identifier is used for requesting the security context and the user permanent identifier corresponding to the terminal from the NF. For the target AMF: the target AMF receives the first request; responding to the first request, and sending the acquisition request to the NF by the target AMF; the target AMF receives the security context of the terminal and the user permanent identity of the terminal from the NF.
S220: the target AMF responds to the first request.
Illustratively, the response mode includes triggering the authentication process or not triggering the authentication process. When the authentication procedure is triggered, the target AMF may send an authentication request to the AUSF.
The target AMF may respond to the first request by any one of the following methods:
the first method is as follows: the target AMF uses the security context and the user permanent identity in response to the security context of the terminal and the permanent identity of the terminal.
Using a security context may be understood as securing the signaling, e.g. encryption or integrity protection, based on information in the security context. Using a security context may also be understood as sending signaling to the terminal that is secured according to information in the security context.
The use of the user permanent identifier may be understood as taking the user permanent identifier as a unique permanent identifier of the user in the core network, may be understood as performing charging according to the user permanent identifier, and may be understood as acquiring or implementing other services for the terminal according to the user permanent identifier.
The above-described use of the security context and the user permanent identity may be understood as trusting the security context and the user permanent identity received from the initial AMF. Thus, the target AMF may not trigger the authentication procedure and send the request for obtaining the context. For example, when the RR message is received by the target AMF and the message carries the SUCI, the target AMF may select not to trigger the authentication procedure.
Optionally, the first method further includes: the target AMF does not initiate the authentication procedure. It can be understood that after the target AMF obtains the security context and the user permanent identifier, it is no longer necessary to obtain the security context and the user permanent identifier of the terminal by initiating an authentication procedure.
Optionally, the first method further includes: the target AMF does not send a request to obtain the security context. For example, after the target AMF obtains the security context and the permanent user identifier, it is no longer necessary to send a request for obtaining the security context to the original AMF. The original AMF is used for serving the terminal, a security context of the terminal is established on the original AMF, and a user permanent identifier of the terminal is stored on the original AMF.
The second method comprises the following steps: and responding to the security context of the terminal and the permanent identification of the terminal, and not initiating an authentication process by the target AMF.
The third method comprises the following steps: the target AMF does not send a request for obtaining the security context in response to the security context of the terminal and the permanent identifier of the terminal.
The method is as follows: and the target AMF judges whether to use the security context or the user permanent identification according to a local policy.
Another expression of the fourth mode may be: and the target AMF judges whether to trust the security context and the user permanent identification received from the initial AMF according to the local policy.
The local policy is policy information configured locally by the target AMF or received from other core network elements. Exemplary local policies may include:
the target AMF trusts the initial AMF; or, the target AMF and the initial AMF are located in the same security domain; or,
the security requirement of the network slice where the target AMF provides service for the terminal is that the authentication process is not repeatedly initiated; or,
the security requirement of the network slice is that a request for obtaining the context is not sent to the original AMF; or,
the target AMF does not initiate an authentication process after acquiring the security context; or,
the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
When the judgment is that: the fourth way may be replaced by the target AMF determining to use the security context or the user permanent identity according to a local policy.
When the judgment result is yes, the method further comprises the following steps: the target AMF does not initiate the authentication procedure.
When the judgment result is yes, the method further comprises the following steps: the target AMF does not send a request to get context.
The fifth mode is as follows: and the target AMF judges whether to initiate an authentication process or not according to the local strategy.
When the judgment result is not: and the fifth mode can be replaced by the target AMF determining not to initiate the authentication process according to the local strategy.
Mode five still includes: and the target AMF judges whether to send a request for acquiring the context according to the local policy.
The method six: and the target AMF judges whether to send a request for acquiring the context according to the local policy.
When the judgment result is not: the sixth method may be replaced by the target AMF determining not to send the request for obtaining the security context according to the local policy.
Mode six still includes: and the target AMF judges whether to initiate an authentication process or not according to the local strategy.
Based on the method shown in fig. 2, since the initial AMF obtains the security context of the terminal and the user permanent identifier of the terminal through the authentication procedure, the target AMF can trust the above information from the initial AMF; the target AMF can directly use the information to respond to the first request without initiating an authentication process to acquire a security context or a user permanent identifier, and similarly, the request for acquiring the context does not need to be sent, so that the signaling process of the target AMF after receiving the first request is effectively reduced, and the time delay required by the terminal to establish or update the connection with the target AMF is effectively shortened.
It can be understood that, when the security context of the terminal uses the user permanent identifier of the terminal as the identity identifier, the target AMF needs to obtain the user permanent identifier corresponding to the user temporary identifier after obtaining the user temporary identifier, and then can use the user permanent identifier to obtain the security context corresponding to the user permanent identifier from the NF. Based on the method shown in fig. 2, the security context of the terminal may be understood as using the user temporary identifier of the terminal as the identity identifier, so that the target AMF may directly use the user temporary identifier to obtain the corresponding security context. The process of the target AMF obtaining the security context is simplified.
It is to be appreciated that the target AMF obtains and uses the security context and the user permanent identification from the initial AMF, such that obtaining the security context and the user permanent identification from the original AMF can be avoided. After the initial AMF receives the first request, the security context between the initial AMF and the terminal may be updated, but the target AMF acquires the security context before updating from the original AMF, and cannot successfully establish communication with the terminal based on the security context. Based on the method shown in fig. 2, the target AMF acquires the security context from the initial AMF, so that it is ensured that the acquired security context is the security context updated by the initial AMF, and the problem that the target AMF and the terminal cannot establish communication successfully is avoided. Moreover, the target AMF can also avoid receiving the security context from multiple paths such as the original AMF and the initial AMF, thereby avoiding judging and selecting multiple security contexts. The processing logic of the target AMF to determine the security context of the terminal is simplified.
In the method shown in fig. 2, the target AMF may delete the user temporary identifier of the terminal after acquiring the user permanent identifier of the terminal. The target AMF may provide services for the terminal based on the user permanent identification of the terminal.
In the method shown in fig. 2, a fourth mode of S220: the target AMF determines whether to use the security context or the user permanent identifier according to a local policy, and further includes:
when the judgment result is not: the fourth way may be replaced by the target AMF determining not to use the security context or the user permanent identity according to a local policy.
Exemplary local policies at this time may include:
the target AMF does not trust the initial AMF; or,
the initial AMF should not know the AMF key used by the target AMF; or,
the target AMF needs to obtain an AMF key of the target AMF by using an authentication process; or,
the target AMF and the initial AMF are located in different security domains; or,
when the target AMF provides service for the terminal, the security requirement of the network slice is that an authentication process needs to be initiated repeatedly; or,
the security requirement of the network slice is that a request for obtaining the context needs to be sent to the original AMF; or,
the target AMF needs to initiate an authentication process after acquiring the security context; or,
the target AMF needs to send an acquire context request to the original AMF after acquiring the security context.
If not, the method further comprises the following steps: the target AMF initiates an authentication procedure. And the target AMF sends an authentication request to the AUSF, and the message carries the SUCI. The user permanent identification can be selected to replace the SUCI in the message, so that the calculation cost of the UDM for analyzing the SUCI is reduced.
Mode five in S220: the target AMF judges whether to initiate an authentication process according to the local strategy, and the method further comprises the following steps:
when the judgment is that: and the fifth mode can be replaced by the target AMF determining to initiate the authentication process according to the local strategy.
Based on the above manner, the target AMF does not need to initiate the authentication procedure after receiving any first request, and only needs to initiate the authentication procedure when the target AMF determines that the authentication procedure needs to be initiated according to the local policy. The method and the device ensure the safety of communication connection while reducing signaling overhead caused by unnecessary authentication processes.
In the method shown in fig. 2, S210 further includes:
the target AMF receives indication information #1, wherein the indication information #1 is used for indicating that the first request is forwarded by the initial AMF, or indicating that the security context of the terminal and the user permanent identity of the terminal received from the initial AMF are acquired by the initial AMF through an authentication procedure, or indicating redirection, or indicating that the security context of the terminal is generated, or indicating that the target AMF acquires the security context from an NF, or indicating that the target AMF skips the authentication procedure, or indicating that the target AMF skips requesting the context from the original AMF, or indicating that the initial AMF and the terminal perform security interaction of NAS messages, or indicating that the initial AMF and the terminal establish the security context, or indicating that the initial AMF and the UE successfully perform master authentication.
Alternatively, the indication information #1 may be carried in a message with the first request. After receiving the message, the target AMF learns that the indication information #1 is applied to the first request. Optionally, the indication information #1 and the first request are respectively carried in different messages, and the indication information #1 and the terminal identifier are sent to the target AMF together.
Optionally, the indication information #1 may be embodied by the following way for example:
a) an explicit indication. For example, a parameter #1, or the value of a specific field in a parameter, or a cell structure, to indicate the indication information.
b) Implicit indication: for example: the combination of the complete registration request message, the mobility management context of the terminal, the security context of the terminal, and the user permanent identifier of the terminal can be understood as the indication information # 1; alternatively, the NSSF carried in the message provides information indicating that NAS route due to slicing has occurred. The target AMF receives the routing information of the NF from the initial AMF or the information acquired by the initial AMF from the NSSF, and the routing information or the information acquired from the NSSF may be understood as the indication information # 1.
Optionally, the step S220 further includes: the target AMF determines a security context corresponding to the terminal and a permanent identity of the terminal according to the indication information # 1.
Optionally, the step S220 further includes: and the target AMF determines to judge according to the local strategy according to the indication information # 1.
Optionally, in the fourth to sixth modes of S220, the target AMF may be judged according to the local policy and may be replaced by the target AMF according to the indication information # 1; alternatively, the target AMF may be determined according to the local policy instead of the indication information # 1.
Next, a specific process for implementing the method shown in fig. 2 will be described based on the network architecture shown in fig. 1.
Fig. 3 is a schematic diagram illustrating a procedure for registering a terminal with a core network. The method specifically comprises the following steps:
s301: the UE sends a Registration Request (RR) message to an initial amf (initial amf), where the RR message includes a subscriber hidden identifier (SUCI).
For example, if there is no non-access stratum (NAS) security context in the UE, the RR message includes SUCI and plaintext IEs. The plaintext IEs does not include network slice selection assistance information (requested nsai) requested by the UE.
It should be understood that, in the embodiments of the present application, the UE sends the RR message to the initial AMF, which means that the UE sends the RR message to the (R) AN, and then the (R) AN sends the RR message to the initial AMF, since the (R) AN plays a role of transparent transmission in this step, it may be directly described in the embodiments and/or in the drawings that the UE sends the RR message to the initial AMF for simplicity of description.
S302: the initial AMF initiates a primary authentication flow.
The initial AMF initiates a main authentication procedure to perform authentication and key agreement, and obtains the NAS security context of the UE and a user permanent identifier (SUPI) of the UE.
S303: the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE, wherein the NAS SMC message can be used for establishing NAS security context between the UE and the initial AMF, and the NAS SMC message has integrity protection.
Optionally, the NAS SMC message may include indication information for instructing the UE to send a complete initial NAS message.
S304: and the UE receives the NAS SMC message and verifies the integrity of the NAS SMC message. And if the verification is successful, sending a non access stratum security mode complete (NAS SMP) message to the initial AMF. The initial AMF receives the NAS SMP message.
If the UE receives the indication information indicating that the UE sends the complete initial NAS message in the NAS SMC message, the UE carries the complete initial NAS message (i.e., RR message) in the NAS SMP message, and the complete RR message includes the requested NSSAI.
After the UE and the initial AMF successfully complete the NAS security mode control procedure (i.e., S303 and S304), the NAS security context is established between the UE and the initial AMF.
S305: the initial AMF determines to perform NAS redirection (otherwise known as NAS route).
It should be understood that NAS redirection, AMF redirection, and NAS retrace, NAS route represent the same flow in this application.
Optionally, in case the initial AMF cannot serve some or all of the requested S-NSSAIs (S) in the NSSAI, the initial AMF calls a service operation #1 provided by the NSSF (e.g., called NSSF _ NSSelection _ Get service operation). The NSSF returns a Response (e.g., called NSSF _ NSSelection _ Get Response) in Response to service operation #1, and carries in the Response either the AMF set (AMF set) of the serviceable NSSAI or the address list of the AMF.
In the case where the initial AMF does not have the address of the target AMF, the initial AMF calls a service operation #2 of the NRF (referred to as NRF _ NFDiscovery _ Request service operation), which is used to acquire the address of the target AMF. The NRF sends a response of the service operation #2 including the address of the target AMF.
In the embodiment of the present application, invoking a certain service operation provided by a certain network function may also be understood as requesting the certain service operation provided by the network function. Receiving a call of the certain service operation may also be understood as receiving a request of the certain service operation.
Based on the above registration procedure shown in fig. 3, various methods for establishing NAS secure connection between the target AMF and the UE will be described below.
Fig. 4 illustrates a method for establishing NAS secure connection between a target AMF and a terminal. The method specifically comprises the following steps:
s401: the original AMF calls a service operation #3 (called as naf _ Communication _ N1MessgeNotify service operation) provided by the target AMF, and the RR message, the NAS security context, and the SUPI are carried in the service operation # 3.
S402: the target AMF responds to the RR message.
Specifically, reference may be made to the content of S220, which is not described herein again.
Fig. 5 shows another method for establishing NAS secure connection between the target AMF and the terminal. The method specifically comprises the following steps:
s501: the initial AMF sends a redirect NAS message to the (R) AN.
The redirect NAS message includes the RR message described above.
Optionally, the redirected NAS message further includes indication information # 1.
The indication information #1 may specifically refer to the indication information #1 involved in the method shown in fig. 2. Optionally, the redirected NAS message includes the AMF set or the address list of the AMF acquired by the initial AMF from the NSSF in S305, where the AMF set or the address list of the AMF may be understood as the indication # 1.
S502: the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
It is understood that the SUCI, NAS security context, and SUPI have an associative relationship.
Optionally, the SUCI, NAS security context, and SUPI are carried in the same message.
Optionally, the NAS security context and the SUPI are carried in different messages, respectively. The NAS security context or SUPI needs to be carried in the same message as the sui, respectively.
The NF determines that the above terminal identity, NAS security context, and SUPI are associated with each other.
Taking NF as UDM as an example, a service on UDM may be defined, for example, the service name is UDM UE context update service, and the input includes: sui, NAS security context, SUPI, target AMF routing information. And (3) outputting: none.
Optionally, the target AMF routing information is used to address the target AMF. The target AMF routing information may be obtained from the initial AMF.
The timing relationship between S501 and S502 is not limited.
S503: the (R) AN transmits the above RR message and indication information #1 to the target AMF.
The indication information #1 may be received from the initial AMF in S501, or may be generated by the (R) AN.
S504: the NF sends SUCI, NAS security context, and SUPI to the target AMF. The timing relationship between S503 and S504 is not limited.
S505: the target AMF responds to the RR message.
Taking NF as UDM as an example, a service on UDM may be defined, for example, the service name is UDM _ AMF UE context update service, and the input includes: SUCI, NAS Security context, SUPI, target AMF routing information. And (3) outputting: none. It is understood that the service is directed to UDM and AMF, and the service exemplarily provided in S502 is directed to UDM and UE.
Specifically, reference may be made to the content of S220, which is not described herein again.
Fig. 6 illustrates another method for the target AMF to establish the NAS secure connection with the terminal. The method specifically comprises the following steps:
s601: the initial AMF sends a redirect NAS message to the (R) AN.
Specifically, reference may be made to the content of S501, which is not described herein again.
S602: the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
Specifically, reference may be made to the content of S502, which is not described herein again.
The timing relationship between S601 and S602 is not limited.
S603: the (R) AN transmits the above RR message and the indication information #1 to the target AMF.
Specifically, reference may be made to the content of S503, which is not described herein again.
S604: in response to the RR message described above, the target AMF sends a request #1 to the NF.
This request #1 is used to request the NF to obtain the NAS security context and user permanent identity described above.
The request #1 includes SUCI.
Optionally, the target AMF extracts the SUCI from the registration request message.
S605: the NF sends the NAS security context, and the SUPI, to the target AMF.
The NF may query the NAS security context and SUPI corresponding to the sui from the sui in the send request # 1.
Optionally, the NF sends suii, NAS security context, and SUPI to the target AMF.
It is to be understood that, when the information sent by the NF to the target AMF does not include sui, the NF may carry the NAS security context and SUPI in the response message of the request #1, so that the target AMF knows that the NAS security context and SUPI correspond to the sui. S606: the target AMF responds to the RR message.
Specifically, reference may be made to the content of S220, which is not described herein again.
Optionally, in the registration process shown in fig. 3, when the UE has registered to the network and the UE and the original AMF establish the NAS security context, the RR message in S310 may include the 5G-GUTI, the clear IEs, and a NAS container (NAS container). The NAS container may include a requested NSSAI therein. The UE integrity protects the RR message based on the existing NAS security context.
When the initial AMF receives the RR message including the 5G-GUTI, the following steps are further included between S301 and S302:
301 a: the initial AMF invokes a first service operation (e.g., referred to as a Namf _ Communication _ UEContextTransfer service operation) provided by the original AMF (old AMF), which may be used to request the context of the UE. The Namf _ Communication _ UEContextTransfer includes the RR message received by the initial AMF.
301 b: and the original AMF responds to the service operation and verifies the integrity of the RR message included in the received service operation request. And under the condition that the integrity of the RR message is verified successfully, the original AMF sends Namf _ Communication _ UEContextTransfer Response (such as a Response called as a first service operation) to the initial AMF, wherein the Response carries a UE context, and the UE context comprises a security context of the UE.
Optionally, the security context of the UE includes any one or more of the following:
AMF key (K)AMF) Key set identifier (ngKSI) in 5G;
a downlink NAS count (downlink NAS count) and an uplink NAS count (uplink NAS count);
a security algorithm; the safety algorithm comprises an integrity protection algorithm and an encryption algorithm which are selected for the original AMF and used between the UE and the safety algorithm;
UE security capabilities (UE security capabilities), i.e. a set of identifiers of the ciphering algorithm and the integrity protection algorithm implemented on the UE;
level KAMFA derived indication (keyamfhderivitionind indication), which may be transmitted as information outside the security context; the KeyAMFHDURIONInd indication is used to indicate KAMFIs passed through a horizontal KAMFDerived and generated.
Optionally, the initial AMF may determine whether to perform level K according to local policyAMFAnd (4) performing deducing. If the initial AMF performs level K according to the local policyAMFDerivation, then new KAMFWith K received from the original AMFAMFDifferent. Similarly, the initial AMF may update other parameters in the security context described above according to local policies.
Based on S301a and S301b, the SUCI may be replaced with 5G-GUTI in the methods shown in fig. 4 to 6. Furthermore, it can be understood that, if the security context of the UE is updated by the initial AMF in S301b, in the method shown in fig. 4 to 6, the security context obtained from the initial AMF refers to the security context after the initial AMF is updated.
It will be appreciated that whether the initial AMF or NF sends the level K to the target AMF or notAMFThe derived indication, or other indication information indicating that the security context has changed, may be used by the target AMF to respond to the received first request according to the description of S220. For example, the target AMF receives or does not receiveWith received level KAMFWhen deriving the indication, the target AMF uses the security context received from the initial AMF without requesting and acquiring the security context from the original AMF.
It is to be understood that each network element or network function, such as the initial AMF, the target AMF, the original AMF, etc., includes a corresponding hardware structure and/or software module for performing each function in order to implement the above functions. Those of skill in the art would appreciate that the various illustrative components and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, functional modules may be divided according to the above method examples for each network element or network function, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be implemented in the form of hardware, and can also be implemented in the form of a software functional module.
Fig. 7 shows a communication device 70 according to an embodiment of the present application. As an example, the communication device 70 may be a mobility management network function; the communication device 70 may also be an access network device, as an example; the communication device 70 may also be an NF, as an example. That is, the communication device may be a related device involved in implementing the security protection methods shown in fig. 2-6. Optionally, the device may also be a system-on-a-chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices. The apparatus 70 includes at least one processor 720 for implementing the functions of the relevant network elements or network functions in the methods provided by the embodiments of the present application. As an example, the apparatus 70 may also include a transceiver 710. In embodiments of the present application, a transceiver may be used to communicate with other devices over a transmission medium.
Optionally, the apparatus 70 may also include at least one memory 730 for storing program instructions and/or data. Memory 730 is coupled to processor 720. The coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form, which is used for information interaction between the devices, units or modules. Processor 720 may cooperate with memory 730. Processor 720 may execute program instructions stored in memory 730. At least one of the at least one memory may be included in the processor.
It is understood that, in different network elements or network functional entities, there may be no memory included, and therefore, the embodiment of the present application does not limit whether the apparatus for registering includes a memory or not.
The specific connection medium among the transceiver 710, the processor 720 and the memory 730 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 730, the processor 720 and the transceiver 710 are connected by a bus 740 in fig. 7, the bus is represented by a thick line in fig. 7, and the connection manner between other components is merely illustrative and not limited. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
Optionally, when the communication device 70 is an access network device, the processor may include a baseband processor and a Central Processing Unit (CPU), the baseband processor is mainly used to process a communication protocol and communication data, and the CPU is mainly used to control the whole device, execute a software program, and process data of the software program.
Alternatively, when the communication device 70 is a mobility management network function or NF, the processor may also be a Network Processor (NP) or a combination of CPU and NP.
The processor may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. The memory may include volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), dynamic random access memory (dynamic RAM, DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SLDRAM, and direct rambus RAM (DR RAM), among others.
The embodiment of the present application further provides a computer storage medium, where the computer storage medium may store a program, and the program includes some or all of the steps of any one of the registration methods described in the above method embodiments when executed.
Fig. 8 shows a communication device 80 according to an embodiment of the present application. As an example, the communication device 80 may be a mobility management network function; the communication device 80 may also be an access network device, as an example; the communication device 80 may also be an NF, as an example. That is, the communication device may be a related device involved in implementing the security protection method shown in fig. 2-6. Optionally, the device may also be a system-on-a-chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices. The device 80 performs the division of the functional units for the communication device in the above method embodiments, for example, each functional unit may be divided corresponding to each function, or two or more units may be integrated into one processing module. The integrated unit can be realized in a form of hardware or a form of a software functional module. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
The communication device 80 may comprise a processing unit 801 and a transceiving unit 802.
Optionally, the processing unit 801 is specifically configured to: a function of responding to the first request in S220, S402, S505, S606.
Optionally, the transceiver unit 802 is specifically configured to: the functions involved in fig. 2-6 are for transmitting and receiving information.
Specifically, the functions/implementation procedures of the transceiving unit 802 and the processing unit 801 in fig. 8 may be implemented by the processor 710 in the communication device 70 shown in fig. 7 calling a computer executing instruction stored in the memory 730. Alternatively, the function/implementation procedure of the processing unit 801 in fig. 8 may be implemented by the processor 710 in the communication device 70 shown in fig. 7 calling a computer executing instruction stored in the memory 730, and the function/implementation procedure of the transceiver unit 802 in fig. 8 may be implemented by the transceiver 710 in the communication device 70 shown in fig. 7.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable memory. Based on such understanding, the technical solutions of the present application, in essence or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product, which is stored in a memory and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned memory comprises: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and various media capable of storing program codes.
Those skilled in the art will appreciate that all or part of the steps of the methods of the above embodiments may be implemented by a program, which is stored in a computer-readable memory, the memory including: flash Memory disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The terms "first," "second," "third," and "fourth," etc. in the description and claims of this application and in the accompanying drawings are used for distinguishing between different elements and not for describing a particular sequential order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein may be combined with other embodiments.
"plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
Claims (39)
1. A method for safety protection is characterized in that,
a target Access Management Function (AMF) receives a registration request from an initial AMF, wherein the registration request comprises a first user temporary identifier;
the target AMF receives first information from an initial AMF through a first network element, wherein the first information comprises a user temporary identifier, a user permanent identifier corresponding to the user temporary identifier and a security context corresponding to the user temporary identifier;
and the target AMF determines a first user permanent identifier corresponding to the first user temporary identifier and a first security context corresponding to the first user temporary identifier according to the first information.
2. The method of claim 1, wherein the target AMF determining, according to the first information, a first user permanent identifier corresponding to the first user temporary identifier and a first security context corresponding to the first user temporary identifier comprises:
the target AMF indexes the first permanent identification and the first security context using the first user temporary identification in the first information.
3. The method of claim 2, further comprising:
and the destination AMF acquires the first user temporary identification from the registration request.
4. The method of any of claims 1-3, further comprising: the target AMF receives first indication information, and the first indication information is used for indicating the forwarding of the registration request through the initial AMF.
5. The method of claim 4, wherein the target AMF determining, according to the first information, a first permanent user identity corresponding to the first temporary user identity and a first security context corresponding to the first temporary user identity comprises:
in response to the first indication information, the target AMF determines the first user permanent identifier and the first security context according to the first information.
6. The method of claim 4 or 5, the first indication information being generated by the initial AMF and sent to the target AMF by an access network device; or, the first indication information is generated by the access network device and sent to the target AMF.
7. The method according to any of claims 1-6, wherein the target access management function, AMF, receiving the registration request comprises:
the target AMF receives the registration request message from the initial AMF through an access network device.
8. The method of any of claims 1-7, further comprising:
in response to the registration request, the target AMF sends a request message to the first network element, where the request message includes the first subscriber temporary identifier, and the request message is used to request to obtain the first security context and the first subscriber permanent identifier.
9. The method of any of claims 1-8, further comprising:
and the target AMF determines not to initiate an authentication process aiming at the terminal according to a local strategy.
10. The method according to any one of claims 1-9, further comprising:
and the target AMF determines not to send a request for obtaining the context to the original AMF according to the local policy.
11. The method of claim 9 or 10, the local policy comprising:
the target AMF trusts the initial AMF; or,
the target AMF and the initial AMF are located in the same security domain; or,
the security requirement of the first network slice is that the authentication process is not repeatedly initiated; the target AMF provides service for the terminal in the first network slice; or,
the security requirement of the first network slice is that a request for obtaining the context is not sent to the original AMF; or,
the target AMF does not initiate an authentication process after acquiring the security context; or,
the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
12. The method of any of claims 1-11, after the target AMF determines the first user permanent identity, further comprising:
and the target AMF deletes the first user temporary identification.
13. The method according to any of claims 1-12, wherein said temporary user identification comprises: the user hides the identity SUCI or the globally unique temporary identity GUTI.
14. The method according to any of claims 1-13, wherein the first network element is a unified data management, UDM, or a network slice selection function, NSSF.
15. A method of security protection, characterized in that,
a target Access Management Function (AMF) receives a registration request, wherein the registration request comprises a user temporary identifier;
in response to the registration request, the target AMF sends an acquisition request to a first network element, where the acquisition request includes the user temporary identifier, and the acquisition request is used to request to acquire a user permanent identifier corresponding to the user temporary identifier and a security context corresponding to the user temporary identifier;
the target AMF receives the user permanent identification and the security context from the initial AMF through a first network element;
and the target AMF determines the user permanent identifier corresponding to the user temporary identifier and the security context corresponding to the user temporary identifier according to the first information.
16. The method according to claim 15, the target access management function, AMF, receiving a registration request comprising:
the target AMF receives a registration request from the initial AMF through an access network device.
17. The method of claim 15 or 16, further comprising: the target AMF receives first indication information, and the first indication information is used for indicating the forwarding of the registration request through the initial AMF.
18. The method of claim 17, the first indication information generated by the initial AMF and sent to the access network device.
19. The method according to claim 17 or 18, wherein the target AMF determining, according to the first information, the user permanent identifier corresponding to the user temporary identifier and the security context corresponding to the user temporary identifier includes:
in response to the first indication information, the target AMF determines the user permanent identity and the security context according to the first information.
20. The method according to any of claims 15-19, further comprising:
and the target AMF acquires the user temporary identification from the registration request.
21. The method according to any of claims 15-20, further comprising:
and the target AMF determines not to initiate an authentication process aiming at the terminal according to a local strategy.
22. The method according to any one of claims 15-21, further comprising:
and the target AMF determines not to send a request for obtaining the context to the original AMF according to the local policy.
23. The method of claim 21 or 22, the local policy comprising:
the target AMF trusts the initial AMF; or,
the target AMF and the initial AMF are located in the same security domain; or,
the security requirement of the first network slice is that the authentication process is not repeatedly initiated; the target AMF provides service for the terminal in the first network slice; or,
the security requirement of the first network slice is that a request for obtaining context is not sent to the original AMF; or,
the target AMF does not initiate an authentication process after acquiring the security context; or,
the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
24. The method of any of claims 15-23, further comprising, after the target AMF determines the permanent identity of the user:
and the target AMF deletes the user temporary identification.
25. The method according to any of claims 15-24, wherein said temporary user identification comprises: the user hides the identity SUCI or the globally unique temporary identity GUTI.
26. The method according to claims 15-25, wherein the first network element is a unified data management, UDM, or a network slice selection function, NSSF.
27. A method of security protection, characterized in that,
a target Access Management Function (AMF) receives first information from an initial AMF, wherein the first information comprises a registration request, a user permanent identifier and a security context, and the registration request comprises a user temporary identifier;
and responding to the first information, and the target AMF judges whether to initiate an authentication process or not according to a local strategy.
28. The method according to claim 27, the target access management function, AMF, receiving the first information comprising:
the target AMF receives the first information from the initial AMF through a direct interface.
29. The method according to claim 27 or 28, wherein the target AMF determining whether to initiate an authentication procedure according to the local policy comprises:
and the target AMF determines not to initiate an authentication process aiming at the terminal according to a local strategy.
30. The method according to any of claims 27-29, further comprising:
and the target AMF determines not to send a request for obtaining the context to the original AMF according to the local policy.
31. The method of claim 29 or 30, the local policy comprising:
the target AMF trusts the initial AMF; or,
the target AMF and the initial AMF are located in the same security domain; or,
the security requirement of the first network slice is that the authentication process is not repeatedly initiated; the target AMF provides service for the terminal in the first network slice; or,
the security requirement of the first network slice is that a request for obtaining context is not sent to the original AMF; or,
the target AMF does not initiate an authentication process after acquiring the security context; or,
the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
32. The method of any of claims 27-31, further comprising, after the target AMF determines the permanent identity of the user:
and the target AMF deletes the user temporary identification.
33. The method according to any of claims 27-32, wherein said temporary user identification comprises: the user hides the identity SUCI or the globally unique temporary identity GUTI.
34. A method of security protection, characterized in that,
receiving a registration request of a terminal by an initial Access Management Function (AMF), wherein the registration request comprises a user temporary identifier;
the initial AMF acquires a security context and a user permanent identifier of the terminal corresponding to the user temporary identifier;
the initial AMF sends the registration request to a target AMF through access network equipment;
and the initial AMF sends the user temporary identification, the user permanent identification and the security context of the terminal to a first network element.
35. The method of claim 34, further comprising: the initial AMF sends first indication information to the access network equipment, wherein the first indication information is used for indicating the registration request to be forwarded through the initial AMF.
36. The method according to claim 33 or 34, further comprising, after the initial AMF obtains the permanent identity of the user:
the initial AMF extracts the user temporary identity in the registration request.
37. A method for safety protection is characterized in that,
a first network element acquires a user temporary identifier, a user permanent identifier corresponding to the user temporary identifier and a security context corresponding to the user temporary identifier;
and the first network element sends the user temporary identifier, the user permanent identifier and the security context to a target access management function AMF.
38. The method of claim 1, further comprising:
the first network element receives a request message from the target AMF, wherein the request message comprises the user temporary identifier;
the sending, by the first network element, the user temporary identifier, the user permanent identifier, and the security context to a target access management function AMF includes:
and responding to the request message, the first network element sends the user temporary identifier, the user permanent identifier corresponding to the user temporary identifier and the security context to the target AMF.
39. A communications apparatus comprising a processor and a memory, the memory for storing computer-executable instructions, the processor for executing the computer-executable instructions stored by the memory to cause the apparatus to perform the method of any of claims 1-38.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/071229 WO2022148469A1 (en) | 2021-01-11 | 2022-01-11 | Security protection method, apparatus and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2021100333230 | 2021-01-11 | ||
CN202110033323 | 2021-01-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114765827A true CN114765827A (en) | 2022-07-19 |
Family
ID=82365024
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210021323.3A Pending CN114765827A (en) | 2021-01-11 | 2022-01-10 | Safety protection method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114765827A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024169565A1 (en) * | 2023-02-13 | 2024-08-22 | 华为技术有限公司 | Communication method and communication apparatus |
-
2022
- 2022-01-10 CN CN202210021323.3A patent/CN114765827A/en active Pending
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024169565A1 (en) * | 2023-02-13 | 2024-08-22 | 华为技术有限公司 | Communication method and communication apparatus |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11737045B2 (en) | Connection processing method and apparatus in multi-access scenario | |
US10728757B2 (en) | Security implementation method, related apparatus, and system | |
CN110419205B (en) | Method for integrity protection of user plane data | |
US20210204194A1 (en) | Network element selection method and apparatus | |
US10454686B2 (en) | Method, apparatus, and system for providing encryption or integrity protection in a wireless network | |
US11871223B2 (en) | Authentication method and apparatus and device | |
WO2019062996A1 (en) | Method, apparatus, and system for security protection | |
WO2021047454A1 (en) | Location information acquisition method, location service configuration method, and communication device | |
KR101460766B1 (en) | Security setting system and the control method for using clurster function in Wireless network system | |
WO2020056433A2 (en) | SECURE COMMUNICATION OF RADIO RESOURCE CONTROL (RRC) REQUEST OVER SIGNAL RADIO BEARER ZERO (SRBo) | |
CN113676904B (en) | Slice authentication method and device | |
CN114765827A (en) | Safety protection method, device and system | |
WO2024067619A1 (en) | Communication method and communication apparatus | |
WO2022148469A1 (en) | Security protection method, apparatus and system | |
CN111465060A (en) | Method, device and system for determining security protection mode | |
WO2021073382A1 (en) | Registration method and apparatus | |
CN115884153A (en) | Communication method and device | |
CN113904781B (en) | Slice authentication method and system | |
CN115915114A (en) | Registration method and device | |
CN116074828A (en) | Method and device for managing security context | |
CN117062055A (en) | Security protection method and communication device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |